Diffstat (limited to 'src/openac')
-rw-r--r-- | src/openac/Makefile.am | 98 | ||||
-rw-r--r-- | src/openac/Makefile.in | 242 | ||||
-rw-r--r-- | src/openac/build.c | 125 | ||||
-rw-r--r-- | src/openac/build.h | 24 | ||||
-rw-r--r-- | src/openac/loglite.c | 295 | ||||
-rw-r--r-- | src/openac/openac.8 | 29 | ||||
-rwxr-xr-x | src/openac/openac.c | 381 |
7 files changed, 366 insertions, 828 deletions
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
index c1e2a593a..4b88d8b2d 100644
--- a/src/openac/Makefile.am
+++ b/src/openac/Makefile.am
@@ -1,98 +1,8 @@
 ipsec_PROGRAMS = openac
-openac_SOURCES = openac.c build.c build.h loglite.c
-
-INCLUDES = \
--I$(top_srcdir)/src/libfreeswan \
--I$(top_srcdir)/src/pluto \
--I$(top_srcdir)/src/libcrypto \
--I$(top_srcdir)/src/whack
-
-AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
-openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o mp_defs.o fetch.o id.o keys.o lex.o \
- md2.o md5.o ocsp.o oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \
- $(top_srcdir)/src/libfreeswan/libfreeswan.a $(top_srcdir)/src/libcrypto/libcrypto.a \
- -lgmp
-
-# This compile option activates dynamic URL fetching using libcurl
-if USE_LIBCURL
- openac_LDADD += -lcurl
-endif
-
-# This compile option activates smartcard support
-if USE_SMARTCARD
- openac_LDADD += -ldl
-endif
-
+openac_SOURCES = openac.c build.c build.h
 dist_man_MANS = openac.8
-PLUTODIR=$(top_srcdir)/src/pluto
-
-ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h
- $(COMPILE) -c -o $@ $<
-
-asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
- $(COMPILE) -c -o $@ $<
-
-ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
- $(COMPILE) -c -o $@ $<
-
-certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
- $(COMPILE) -c -o $@ $<
-
-constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
- $(COMPILE) -c -o $@ $<
-
-crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
- $(COMPILE) -c -o $@ $<
-
-defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
- $(COMPILE) -c -o $@ $<
-
-mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
- $(COMPILE) -c -o $@ $<
-
-fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
- $(COMPILE) -c -o $@ $<
-
-id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
- $(COMPILE) -c -o $@ $<
-
-keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
- $(COMPILE) -c -o $@ $<
-
-lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
- $(COMPILE) -c -o $@ $<
-
-md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
- $(COMPILE) -c -o $@ $<
-
-md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
- $(COMPILE) -c -o $@ $<
-
-ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
- $(COMPILE) -c -o $@ $<
-
-oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
- $(COMPILE) -c -o $@ $<
-
-pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
- $(COMPILE) -c -o $@ $<
-
-pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
- $(COMPILE) -c -o $@ $<
-
-pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
- $(COMPILE) -c -o $@ $<
-
-rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
- $(COMPILE) -c -o $@ $<
-
-sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
- $(COMPILE) -c -o $@ $<
-
-smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
- $(COMPILE) -c -o $@ $<
-
-x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
- $(COMPILE) -c -o $@ $<
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\"
+openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index fb295075a..d0f7817dc 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -1,8 +1,8 @@ -# Makefile.in generated by automake 1.9.6 from Makefile.am. +# Makefile.in generated by automake 1.10 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved.
@@ -14,15 +14,11 @@ @SET_MAKE@ -srcdir = @srcdir@ -top_srcdir = @top_srcdir@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ -top_builddir = ../.. am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -INSTALL = @INSTALL@ install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c
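Review bot: The two added flag lines split one preprocessor configuration across `INCLUDES` and `AM_CFLAGS`: `-DIPSEC_CONFDIR=\"${confdir}\"` is a preprocessor define rather than a compiler flag, and `INCLUDES` is the legacy automake spelling for per-directory preprocessor flags. Both belong in `AM_CPPFLAGS`, i.e. replace the pair with `AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan -DIPSEC_CONFDIR=\"${confdir}\"` and regenerate the companion Makefile.in so its `COMPILE` line picks the flags up through `$(AM_CPPFLAGS)`. Note also that `${confdir}` is spliced verbatim into a C string literal at compile time, so a configure-time value containing a double quote or backslash would silently produce a wrong or unparsable literal; a one-line comment next to the assignment stating that constraint (or a `$(error …)` guard on the value) would make it explicit.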
@@ -37,12 +33,6 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = openac$(EXEEXT) - -# This compile option activates dynamic URL fetching using libcurl -@USE_LIBCURL_TRUE@am__append_1 = -lcurl - -# This compile option activates smartcard support -@USE_SMARTCARD_TRUE@am__append_2 = -ldl subdir = src/openac DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in 
@@ -55,26 +45,22 @@ CONFIG_CLEAN_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) -am_openac_OBJECTS = openac.$(OBJEXT) build.$(OBJEXT) loglite.$(OBJEXT) +am_openac_OBJECTS = openac.$(OBJEXT) build.$(OBJEXT) openac_OBJECTS = $(am_openac_OBJECTS) -am__DEPENDENCIES_1 = -openac_DEPENDENCIES = ac.o asn1.o ca.o certs.o constants.o crl.o \ - defs.o mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o \ - oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \ - $(top_srcdir)/src/libfreeswan/libfreeswan.a \ - $(top_srcdir)/src/libcrypto/libcrypto.a $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) -DEFAULT_INCLUDES = -I. -I$(srcdir) +openac_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la +DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ - $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ - $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(AM_LDFLAGS) $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ SOURCES = $(openac_SOURCES) DIST_SOURCES = $(openac_SOURCES) man8dir = $(mandir)/man8 
@@ -84,16 +70,12 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ -AMDEP_FALSE = @AMDEP_FALSE@ -AMDEP_TRUE = @AMDEP_TRUE@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ -BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@ -BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -116,10 +98,13 @@ F77 = @F77@ FFLAGS = @FFLAGS@ GPERF = @GPERF@ GREP = @GREP@ +INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@ +IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ LEXLIB = @LEXLIB@ @@ -131,6 +116,7 @@ LINUX_HEADERS = @LINUX_HEADERS@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ 
@@ -146,34 +132,16 @@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ -USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@ -USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@ -USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ -USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ -USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ -USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ -USE_LIBDBUS_FALSE = @USE_LIBDBUS_FALSE@ -USE_LIBDBUS_TRUE = @USE_LIBDBUS_TRUE@ -USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ -USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ -USE_LIBXML_FALSE = @USE_LIBXML_FALSE@ -USE_LIBXML_TRUE = @USE_LIBXML_TRUE@ -USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ -USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ -USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ -USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@ -USE_VENDORID_FALSE = @USE_VENDORID_FALSE@ -USE_VENDORID_TRUE = @USE_VENDORID_TRUE@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ ac_ct_CXX = @ac_ct_CXX@ ac_ct_F77 = @ac_ct_F77@ -am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ -am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ -am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@ -am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -186,6 +154,7 @@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ +builddir = @builddir@ confdir = @confdir@ datadir = @datadir@ datarootdir = @datarootdir@ 
@@ -223,26 +192,18 @@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -openac_SOURCES = openac.c build.c build.h loglite.c -INCLUDES = \ --I$(top_srcdir)/src/libfreeswan \ --I$(top_srcdir)/src/pluto \ --I$(top_srcdir)/src/libcrypto \ --I$(top_srcdir)/src/whack - -AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\" -openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o \ - mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o oid.o \ - pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \ - $(top_srcdir)/src/libfreeswan/libfreeswan.a \ - $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp $(am__append_1) \ - $(am__append_2) +openac_SOURCES = openac.c build.c build.h dist_man_MANS = openac.8 -PLUTODIR = $(top_srcdir)/src/pluto +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -DIPSEC_CONFDIR=\"${confdir}\" +openac_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp all: all-am .SUFFIXES: @@ -278,7 +239,7 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh install-ipsecPROGRAMS: $(ipsec_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)" + test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" @list='$(ipsec_PROGRAMS)'; for p in $$list; do \ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ if test -f $$p \ @@ -306,7 +267,7 @@ clean-ipsecPROGRAMS: done openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) @rm -f openac$(EXEEXT) - $(LINK) $(openac_LDFLAGS) $(openac_OBJECTS) $(openac_LDADD) $(LIBS) + $(LINK) $(openac_OBJECTS) $(openac_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -315,26 +276,25 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/build.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@ .c.o: -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ -@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< @@ -344,13 +304,9 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs - -distclean-libtool: - -rm -f libtool -uninstall-info-am: install-man8: $(man8_MANS) $(man_MANS) @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ for i in $$l2; do \ @@ -443,22 +399,21 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ - list='$(DISTFILES)'; for file in $$list; do \ - case $$file in \ - $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ - $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ - esac; \ + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test "$$dir" != "$$file" && test "$$dir" != "."; then \ - dir="/$$dir"; \ - $(mkdir_p) "$(distdir)$$dir"; \ - else \ - dir=''; \ - fi; \ if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ fi; \ 
@@ -474,7 +429,7 @@ check: check-am all-am: Makefile $(PROGRAMS) $(MANS) installdirs: for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ - test -z "$$dir" || $(mkdir_p) "$$dir"; \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am install-exec: install-exec-am @@ -509,7 +464,7 @@ distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ - distclean-libtool distclean-tags + distclean-tags dvi: dvi-am @@ -523,12 +478,20 @@ info-am: install-data-am: install-ipsecPROGRAMS install-man +install-dvi: install-dvi-am + install-exec-am: +install-html: install-html-am + install-info: install-info-am install-man: install-man8 +install-pdf: install-pdf-am + +install-ps: install-ps-am + installcheck-am: maintainer-clean: maintainer-clean-am 
@@ -549,92 +512,27 @@ ps: ps-am ps-am: -uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man +uninstall-am: uninstall-ipsecPROGRAMS uninstall-man uninstall-man: uninstall-man8 +.MAKE: install-am install-strip + .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ clean-ipsecPROGRAMS clean-libtool ctags distclean \ distclean-compile distclean-generic distclean-libtool \ distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-exec \ - install-exec-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man8 install-strip \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am \ + install-ipsecPROGRAMS install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-info-am \ - uninstall-ipsecPROGRAMS uninstall-man uninstall-man8 - - -ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h - $(COMPILE) -c -o $@ $< - -asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h - $(COMPILE) -c -o $@ $< - -ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h - $(COMPILE) -c -o $@ $< - -certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h - $(COMPILE) -c -o $@ $< - -constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h - $(COMPILE) -c -o $@ $< - -crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h - $(COMPILE) -c -o $@ $< - -defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h - $(COMPILE) -c -o $@ $< - -mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h - $(COMPILE) -c -o $@ $< - -fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h - $(COMPILE) -c -o $@ $< - -id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h - $(COMPILE) -c -o $@ $< - -keys.o : 
$(PLUTODIR)/keys.c $(PLUTODIR)/keys.h - $(COMPILE) -c -o $@ $< - -lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h - $(COMPILE) -c -o $@ $< - -md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h - $(COMPILE) -c -o $@ $< - -md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h - $(COMPILE) -c -o $@ $< - -ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h - $(COMPILE) -c -o $@ $< - -oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h - $(COMPILE) -c -o $@ $< - -pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h - $(COMPILE) -c -o $@ $< - -pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h - $(COMPILE) -c -o $@ $< - -pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h - $(COMPILE) -c -o $@ $< - -rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h - $(COMPILE) -c -o $@ $< - -sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h - $(COMPILE) -c -o $@ $< - -smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h - $(COMPILE) -c -o $@ $< + tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ + uninstall-man uninstall-man8 -x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h - $(COMPILE) -c -o $@ $< # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT:
diff --git a/src/openac/build.c b/src/openac/build.c
index 0c6a2be3b..d03e73048 100644
--- a/src/openac/build.c
+++ b/src/openac/build.c
@@ -1,7 +1,7 @@
 /* Build a X.509 attribute certificate
 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2004 Andreas Steffen
- * Zuercher Hochschule Winterthur, Switzerland
+ * Copyright (C) 2004,2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
@@ -13,20 +13,17 @@
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 *
- * RCSID $Id: build.c,v 1.14 2005/09/06 11:47:57 as Exp $
+ * RCSID $Id: build.c 3270 2007-10-08 20:09:57Z andreas $
 */
 #include <stdlib.h>
 #include <string.h>
+#include <stdio.h>
-#include <freeswan.h>
-
-#include "../pluto/constants.h"
-#include "../pluto/defs.h"
-#include "../pluto/oid.h"
-#include "../pluto/asn1.h"
-#include "../pluto/x509.h"
-#include "../pluto/log.h"
+#include <asn1/oid.h>
+#include <asn1/asn1.h>
+#include <crypto/ietf_attr_list.h>
+#include <utils/identification.h>
 #include "build.h"
@@ -35,15 +32,15 @@ static u_char ASN1_group_oid_str[] = {
 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
 };
-static const chunk_t ASN1_group_oid = strchunk(ASN1_group_oid_str);
+static const chunk_t ASN1_group_oid = chunk_from_buf(ASN1_group_oid_str);
 static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
 0x06, 0x03, 0x55, 0x1d, 0x23
 };
-static const chunk_t ASN1_authorityKeyIdentifier_oid
- = strchunk(ASN1_authorityKeyIdentifier_oid_str);
+static const chunk_t ASN1_authorityKeyIdentifier_oid =
+ chunk_from_buf(ASN1_authorityKeyIdentifier_oid_str);
 static u_char ASN1_noRevAvail_ext_str[] = {
 0x30, 0x09,
@@ -53,7 +50,7 @@ static u_char ASN1_noRevAvail_ext_str[] = {
 0x05, 0x00
 };
-static const chunk_t ASN1_noRevAvail_ext = strchunk(ASN1_noRevAvail_ext_str);
+static const chunk_t ASN1_noRevAvail_ext = chunk_from_buf(ASN1_noRevAvail_ext_str);
 /**
 * build directoryName
@@ -61,7 +58,7 @@ static const chunk_t ASN1_noRevAvail_ext = strchunk(ASN1_noRevAvail_ext_str);
 static chunk_t build_directoryName(asn1_t tag, chunk_t name)
 {
 return asn1_wrap(tag, "m",
- asn1_simple_object(ASN1_CONTEXT_C_4, name));
+ asn1_simple_object(ASN1_CONTEXT_C_4, name));
 }
 /**
@@ -69,12 +66,15 @@ static chunk_t build_directoryName(asn1_t tag, chunk_t name)
 */
 static chunk_t build_holder(void)
 {
+ identification_t *issuer = usercert->get_issuer(usercert);
+ identification_t *subject = usercert->get_subject(usercert);
+
 return asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_wrap(ASN1_CONTEXT_C_0, "mm",
- build_directoryName(ASN1_SEQUENCE, user->issuer),
- asn1_simple_object(ASN1_INTEGER, user->serialNumber)
- ),
- build_directoryName(ASN1_CONTEXT_C_1, user->subject));
+ asn1_wrap(ASN1_CONTEXT_C_0, "mm",
+ build_directoryName(ASN1_SEQUENCE, issuer->get_encoding(issuer)),
+ asn1_simple_object(ASN1_INTEGER, usercert->get_serialNumber(usercert))
+ ),
+ build_directoryName(ASN1_CONTEXT_C_1, subject->get_encoding(subject)));
 }
 /**
@@ -82,8 +82,10 @@ static chunk_t build_holder(void)
 */
 static chunk_t build_v2_form(void)
 {
+ identification_t *subject = signercert->get_subject(signercert);
+
 return asn1_wrap(ASN1_CONTEXT_C_0, "m",
- build_directoryName(ASN1_SEQUENCE, signer->subject));
+ build_directoryName(ASN1_SEQUENCE, subject->get_encoding(subject)));
 }
 /**
@@ -96,50 +98,6 @@ static chunk_t build_attr_cert_validity(void)
 timetoasn1(¬After, ASN1_GENERALIZEDTIME));
 }
-/**
- * build attributes
- */
-static chunk_t build_ietfAttributes(ietfAttrList_t *list)
-{
- chunk_t ietfAttributes;
- ietfAttrList_t *item = list;
- size_t size = 0;
- u_char *pos;
-
- /* precalculate the total size of all values */
- while (item != NULL)
- {
- size_t len = item->attr->value.len;
-
- size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
- item = item->next;
- }
- pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size);
-
- while (list != NULL)
- {
- ietfAttr_t *attr = list->attr;
- asn1_t type = ASN1_NULL;
-
- switch (attr->kind)
- {
- case IETF_ATTRIBUTE_OCTETS:
- type = ASN1_OCTET_STRING;
- break;
- case IETF_ATTRIBUTE_STRING:
- type = ASN1_UTF8STRING;
- break;
- case IETF_ATTRIBUTE_OID:
- type = ASN1_OID;
- break;
- }
- mv_chunk(&pos, asn1_simple_object(type, attr->value));
-
- list = list->next;
- }
-
- return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes);
-}
 /**
 * build attribute type
@@ -157,25 +115,26 @@ static chunk_t build_attribute_type(const chunk_t type, chunk_t content)
 static chunk_t build_attributes(void)
 {
 return asn1_wrap(ASN1_SEQUENCE, "m",
- build_attribute_type(ASN1_group_oid,
- build_ietfAttributes(groups)));
+ build_attribute_type(ASN1_group_oid, ietfAttr_list_encode(groups)));
 }
 /**
 * build authorityKeyIdentifier
 */
-static chunk_t build_authorityKeyID(x509cert_t *signer)
+static chunk_t build_authorityKeyID(x509_t *signer)
 {
- chunk_t keyIdentifier = (signer->subjectKeyID.ptr == NULL)
- ? empty_chunk
- : asn1_simple_object(ASN1_CONTEXT_S_0,
- signer->subjectKeyID);
+ identification_t *issuer = signer->get_issuer(signer);
+ chunk_t subjectKeyID = signer->get_subjectKeyID(signer);
+
+ chunk_t keyIdentifier = (subjectKeyID.ptr == NULL)
+ ? chunk_empty
+ : asn1_simple_object(ASN1_CONTEXT_S_0, subjectKeyID);
 chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
- signer->issuer);
+ issuer->get_encoding(issuer));
 chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
- signer->serialNumber);
+ signer->get_serialNumber(signer));
 return asn1_wrap(ASN1_SEQUENCE, "cm",
 ASN1_authorityKeyIdentifier_oid,
@@ -195,7 +154,7 @@ static chunk_t build_authorityKeyID(x509cert_t *signer)
 static chunk_t build_extensions(void)
 {
 return asn1_wrap(ASN1_SEQUENCE, "mc",
- build_authorityKeyID(signer),
+ build_authorityKeyID(signercert),
 ASN1_noRevAvail_ext);
 }
@@ -215,14 +174,24 @@ static chunk_t build_attr_cert_info(void)
 build_extensions());
 }
+
 /**
 * build an X.509 attribute certificate
 */
 chunk_t build_attr_cert(void)
 {
+ u_char *pos;
+ chunk_t rawSignature, signatureValue;
 chunk_t attributeCertificateInfo = build_attr_cert_info();
- chunk_t signatureValue = pkcs1_build_signature(attributeCertificateInfo,
- OID_SHA1, signerkey, TRUE);
+
+ /* build the signature */
+ signerkey->build_emsa_pkcs1_signature(signerkey, HASH_SHA1,
+ attributeCertificateInfo, &rawSignature);
+ pos = build_asn1_object(&signatureValue, ASN1_BIT_STRING,
+ 1 + rawSignature.len);
+ *pos++ = 0x00;
+ memcpy(pos, rawSignature.ptr, rawSignature.len);
+ free(rawSignature.ptr);
 return asn1_wrap(ASN1_SEQUENCE, "mcm",
 attributeCertificateInfo,
diff --git a/src/openac/build.h b/src/openac/build.h
index deeddda04..c873c4479 100644
--- a/src/openac/build.h
+++ b/src/openac/build.h
@@ -1,7 +1,7 @@
 /* Build a X.509 attribute certificate
 * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
- * Copyright (C) 2004 Andreas Steffen
- * Zuercher Hochschule Winterthur, Switzerland
+ * Copyright (C) 2004,2007 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil, Switzerland
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
@@ -13,7 +13,7 @@
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 *
- * RCSID $Id: build.h,v 1.4 2004/11/03 14:28:52 as Exp $
+ * RCSID $Id: build.h 3270 2007-10-08 20:09:57Z andreas $
 */
 #ifndef _BUILD_H
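Review bot: In `build_attr_cert` the status returned by `signerkey->build_emsa_pkcs1_signature(...)` is discarded, yet `rawSignature` is declared without an initializer and its `.len` and `.ptr` feed `build_asn1_object`, `memcpy` and `free` unconditionally, so a signer that reports failure leaves the code sizing the BIT STRING from an indeterminate length, copying from an indeterminate pointer and freeing it. Check the result before touching the buffer, e.g. `if (signerkey->build_emsa_pkcs1_signature(signerkey, HASH_SHA1, attributeCertificateInfo, &rawSignature) != SUCCESS)` followed by `{ free(attributeCertificateInfo.ptr); return chunk_empty; }`, and have the caller in openac.c treat an empty result as an error (I read the method as returning a status_t; confirm against rsa_private_key.h). The `pkcs1_build_signature` call this replaces may have signalled failure differently, so the caller's handling deserves the same look. build_attr_cert's body continues past the end of the hunk.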
@@ -21,22 +21,20 @@
 #include <time.h>
-#include "../pluto/x509.h"
-#include "../pluto/keys.h"
-#include "../pluto/ac.h"
+#include <library.h>
+#include <crypto/x509.h>
+#include <crypto/rsa/rsa_private_key.h>
+#include <utils/linked_list.h>
 /*
 * global variables accessible by both main() and build.c
 */
-extern x509cert_t *user;
-extern x509cert_t *signer;
-
-extern ietfAttrList_t *groups;
-extern struct RSA_private_key *signerkey;
-
+extern x509_t *usercert;
+extern x509_t *signercert;
+extern rsa_private_key_t *signerkey;
+extern linked_list_t *groups;
 extern time_t notBefore;
 extern time_t notAfter;
-
 extern chunk_t serial;
 /*
diff --git a/src/openac/loglite.c b/src/openac/loglite.c
deleted file mode 100644
index 4219eb707..000000000
--- a/src/openac/loglite.c
+++ /dev/null
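Review bot: The four new externs swap typed declarations for opaque handles but carry no comment on content or ownership: `groups` is now a bare `linked_list_t *` whose element type is stated nowhere in this header, while build.c hands it straight to `ietfAttr_list_encode()`. A one-line comment per declaration would let a reader of build.c work without opening openac.c, e.g. `extern linked_list_t *groups; /* group attributes consumed by ietfAttr_list_encode() */` (the element type is inferred from that call, so confirm against ietf_attr_list.h before naming it). The header also says nothing about who creates and destroys `usercert`, `signercert` and `signerkey`; the existing "accessible by both main() and build.c" comment would be the natural place to state that main() owns them, if that is the case.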
@@ -1,295 +0,0 @@ -/* error logging functions - * Copyright (C) 1997 Angelos D. Keromytis. - * Copyright (C) 1998-2001 D. Hugh Redelmeier. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - * - * RCSID $Id: loglite.c,v 1.2 2005/07/11 18:38:16 as Exp $ - */ - -#include <stdio.h> -#include <stdlib.h> -#include <ctype.h> -#include <stdarg.h> -#include <syslog.h> -#include <errno.h> -#include <string.h> -#include <unistd.h> -#include <signal.h> /* used only if MSG_NOSIGNAL not defined */ -#include <libgen.h> -#include <sys/stat.h> -#include <sys/types.h> - -#include <freeswan.h> - -#include <constants.h> -#include <defs.h> -#include <log.h> -#include <whack.h> - -bool - log_to_stderr = FALSE, /* should log go to stderr? */ - log_to_syslog = TRUE; /* should log go to syslog? */ - -void -init_log(const char *program) -{ - if (log_to_stderr) - setbuf(stderr, NULL); - if (log_to_syslog) - openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); -} - -void -close_log(void) -{ - if (log_to_syslog) - closelog(); -} - -void -plog(const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); -} - -void -loglog(int mess_no, const char *message, ...) 
-{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "%s\n", m); - if (log_to_syslog) - syslog(LOG_WARNING, "%s", m); -} - -void -log_errno_routine(int e, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e)); -} - -void -exit_log(const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s\n", m); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s", m); - exit(1); -} - -void -exit_log_errno_routine(int e, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); - if (log_to_syslog) - syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); - exit(1); -} - -void -whack_log(int mess_no, const char *message, ...) -{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - fprintf(stderr, "%s\n", m); -} - -/* Build up a diagnostic in a static buffer. - * Although this would be a generally useful function, it is very - * hard to come up with a discipline that prevents different uses - * from interfering. 
It is intended that by limiting it to building - * diagnostics, we will avoid this problem. - * Juggling is performed to allow an argument to be a previous - * result: the new string may safely depend on the old one. This - * restriction is not checked in any way: violators will produce - * confusing results (without crashing!). - */ -char diag_space[sizeof(diag_space)]; - -err_t -builddiag(const char *fmt, ...) -{ - static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */ - char t[sizeof(diag_space)]; /* build result here first */ - va_list args; - - va_start(args, fmt); - t[0] = '\0'; /* in case nothing terminates string */ - vsnprintf(t, sizeof(t), fmt, args); - va_end(args); - strcpy(diag_space, t); - return diag_space; -} - -/* Debugging message support */ - -#ifdef DEBUG - -void -switch_fail(int n, const char *file_str, unsigned long line_no) -{ - char buf[30]; - - snprintf(buf, sizeof(buf), "case %d unexpected", n); - passert_fail(buf, file_str, line_no); -} - -void -passert_fail(const char *pred_str, const char *file_str, unsigned long line_no) -{ - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str); - abort(); /* exiting correctly doesn't always work */ -} - -lset_t - base_debugging = DBG_NONE, /* default to reporting nothing */ - cur_debugging = DBG_NONE; - -void -pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no) -{ - /* we will get a possibly unplanned prefix. Hope it works */ - loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str); -} - -/* log a debugging message (prefixed by "| ") */ - -void -DBG_log(const char *message, ...) 
-{ - va_list args; - char m[LOG_WIDTH]; /* longer messages will be truncated */ - - va_start(args, message); - vsnprintf(m, sizeof(m), message, args); - va_end(args); - - if (log_to_stderr) - fprintf(stderr, "| %s\n", m); - if (log_to_syslog) - syslog(LOG_DEBUG, "| %s", m); -} - -/* dump raw bytes in hex to stderr (for lack of any better destination) */ - -void -DBG_dump(const char *label, const void *p, size_t len) -{ -# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */ -# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1) - char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH]; - char *bp; - const unsigned char *cp = p; - - bp = buf; - - if (label != NULL && label[0] != '\0') - { - /* Handle the label. Care must be taken to avoid buffer overrun. */ - size_t llen = strlen(label); - - if (llen + 1 > sizeof(buf)) - { - DBG_log("%s", label); - } - else - { - strcpy(buf, label); - if (buf[llen-1] == '\n') - { - buf[llen-1] = '\0'; /* get rid of newline */ - DBG_log("%s", buf); - } - else if (llen < DUMP_LABEL_WIDTH) - { - bp = buf + llen; - } - else - { - DBG_log("%s", buf); - } - } - } - - do { - int i, j; - - for (i = 0; len!=0 && i!=4; i++) - { - *bp++ = ' '; - for (j = 0; len!=0 && j!=4; len--, j++) - { - static const char hexdig[] = "0123456789abcdef"; - - *bp++ = ' '; - *bp++ = hexdig[(*cp >> 4) & 0xF]; - *bp++ = hexdig[*cp & 0xF]; - cp++; - } - } - *bp = '\0'; - DBG_log("%s", buf); - bp = buf; - } while (len != 0); -# undef DUMP_LABEL_WIDTH -# undef DUMP_WIDTH -} - -#endif /* DEBUG */ diff --git a/src/openac/openac.8 b/src/openac/openac.8 index 8e609a1b1..ed1b8ed6c 100644 --- a/src/openac/openac.8 +++ b/src/openac/openac.8 @@ -1,4 +1,4 @@ -.TH IPSEC_OPENAC 8 "29 September 2005" +.TH IPSEC_OPENAC 8 "22 September 2007" .SH NAME ipsec openac \- Generation of X.509 attribute certificates .SH SYNOPSIS 
@@ -11,18 +11,13 @@ ipsec openac \- Generation of X.509 attribute certificates ] [ .B \-\-optionsfrom \fIfilename\fP -] [ -.B \-\-quiet ] .br \ \ \ [ -.B \-\-debug\(hyall -] [ -.B \-\-debug\(hyparsing -] [ -.B \-\-debug\(hyraw +.B \-\-quiet ] [ -.B \-\-debug\(hyprivate +.B \-\-debug +\fIlevel\fP ] .br \ \ \ [ @@ -135,19 +130,9 @@ debugging output are prefixed with ``|\ '' to distinguish them from error messag When \fBopenac\fP is invoked, it may be given arguments to specify which classes to output. The current options are: .TP -\fB\-\-debug-raw\fP -show the raw bytes of the parsed user and authorization authority certificates -as well as of the generated X.509 attribute certificate. -.TP -\fB\-\-debug-parsing\fP -show the parsed structure of user and authorization authority certificats -as well as of the generated X.509 attribute certificate. -.TP -\fB\-\-debug-all\fP -all of the above. -.TP -\fB\-\-debug-private\fP -enables debugging output of the authorization authority's private key. +\fB\-\-debug\fP\ \fIlevel\fP +sets the debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private), +the default level being 1. .SH EXIT STATUS .LP The execution of \fBopenac\fP terminates with one of the following two exit codes: diff --git a/src/openac/openac.c b/src/openac/openac.c index e3f92fbd2..075f0039a 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -1,7 +1,14 @@ -/* Generation of X.509 attribute certificates +/** + * @file openac.c + * + * @brief Generation of X.509 attribute certificates. + * + */ + +/* * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler - * Copyright (C) 2004 Andreas Steffen - * Zuercher Hochschule Winterthur, Switzerland + * Copyright (C) 2004,2007 Andreas Steffen + * Hochschule fuer Technik Rapperswil, Switzerland * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the 
@@ -13,66 +20,52 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: openac.c,v 1.18 2006/01/04 21:12:33 as Exp $ + * RCSID $Id: openac.c 3305 2007-10-17 02:55:17Z andreas $ */ #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <syslog.h> #include <unistd.h> #include <getopt.h> #include <ctype.h> #include <time.h> #include <gmp.h> -#include <freeswan.h> +#include <debug.h> +#include <asn1/asn1.h> +#include <asn1/ttodata.h> +#include <crypto/ac.h> +#include <crypto/ietf_attr_list.h> +#include <utils/optionsfrom.h> -#include "../pluto/constants.h" -#include "../pluto/defs.h" -#include "../pluto/mp_defs.h" -#include "../pluto/log.h" -#include "../pluto/asn1.h" -#include "../pluto/certs.h" -#include "../pluto/x509.h" -#include "../pluto/crl.h" -#include "../pluto/keys.h" -#include "../pluto/ac.h" +#ifdef INTEGRITY_TEST +#include <fips/fips.h> +#include <fips_signature.h> +#endif /* INTEGRITY_TEST */ #include "build.h" #define OPENAC_PATH IPSEC_CONFDIR "/openac" #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" -const char openac_version[] = "openac 0.3"; - -/* by default the CRL policy is lenient */ -bool strict_crl_policy = FALSE; - -/* by default pluto does not check crls dynamically */ -long crl_check_interval = 0; - -/* by default pluto logs out after every smartcard use */ -bool pkcs11_keep_state = FALSE; - -static void -usage(const char *mess) +/** + * @brief prints the usage of the program to the stderr + */ +static void usage(const char *message) { - if (mess != NULL && *mess != '\0') + if (message != NULL && *message != '\0') { - fprintf(stderr, "%s\n", mess); + fprintf(stderr, "%s\n", message); } fprintf(stderr, "Usage: openac" " [--help]" " [--version]" " [--optionsfrom <filename>]" " [--quiet]" -#ifdef DEBUG " \\\n\t" - " [--debug-all]" - " [--debug-parsing]" - " [--debug-raw]" - " [--debug-private]" -#endif + " [--debug <level 0..4>]" " \\\n\t" " [--days <days>]" " [--hours 
<hours>]" @@ -89,7 +82,27 @@ usage(const char *mess) " --out <filename>" "\n" ); - exit(mess == NULL? 0 : 1); +} + + +/** + * convert a chunk into a multi-precision integer + */ +static void chunk_to_mpz(chunk_t chunk, mpz_t number) +{ + mpz_import(number, chunk.len, 1, 1, 1, 0, chunk.ptr); +} + +/** + * convert a multi-precision integer into a chunk + */ +static chunk_t mpz_to_chunk(mpz_t number) +{ + chunk_t chunk; + + chunk.len = 1 + mpz_sizeinbase(number, 2)/BITS_PER_BYTE; + chunk.ptr = mpz_export(NULL, NULL, 1, chunk.len, 1, 0, number); + return chunk; } /** @@ -97,35 +110,35 @@ usage(const char *mess) */ static chunk_t read_serial(void) { - MP_INT number; + mpz_t number; - char buf[BUF_LEN]; - char bytes[BUF_LEN]; + char buf[BUF_LEN], buf1[BUF_LEN]; + chunk_t last_serial = { buf1, BUF_LEN}; + chunk_t serial; FILE *fd = fopen(OPENAC_SERIAL, "r"); - /* serial number defaults to 0 */ - size_t len = 1; - bytes[0] = 0x00; + /* last serial number defaults to 0 */ + *last_serial.ptr = 0x00; + last_serial.len = 1; if (fd) { if (fscanf(fd, "%s", buf)) { - err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len); + err_t ugh = ttodata(buf, 0, 16, last_serial.ptr, BUF_LEN, &last_serial.len); if (ugh != NULL) { - plog(" error reading serial number from %s: %s" - , OPENAC_SERIAL, ugh); + DBG1(" error reading serial number from %s: %s", + OPENAC_SERIAL, ugh); } } fclose(fd); } else { - plog(" file '%s' does not exist yet - serial number set to 01" - , OPENAC_SERIAL); + DBG1(" file '%s' does not exist yet - serial number set to 01", OPENAC_SERIAL); } /** 
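Review bot: Neither of the two new helpers documents ownership or preconditions: chunk_to_mpz() needs an already-initialised mpz_t (read_serial in the next hunk does call mpz_init first), and mpz_to_chunk() returns a buffer allocated by mpz_export() through GMP's allocator, which main() later releases with plain free() — that only holds for GMP's default allocator. Suggest `/* number must already be mpz_init()ed */` on chunk_to_mpz and `/* returns a freshly allocated buffer (GMP default allocator); caller frees it with free() */` on mpz_to_chunk. The `1 +` in the length computation also deserves a one-line why: presumably it guarantees a leading zero byte in the big-endian export so the value is a non-negative two's-complement octet string, which is only explained in read_serial's comment.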
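Review bot: When ttodata() rejects the serial file's contents (`ugh != NULL`), the rewritten branch only logs through DBG1 and the function carries on with whatever ttodata left in buf1 and last_serial.len, so a corrupt or hand-edited serial file still produces a certificate with an unpredictable serial number; this is inherited from the old code, but the commit touches exactly these lines. Since the file exists to keep serials unique and monotonic, the failure should be fatal — for instance return chunk_empty here and have main() check `serial.ptr == NULL` before calling build_attr_cert() — rather than silently recovering. The unchanged `fscanf(fd, "%s", buf)` in the same function has no field width, so a line longer than BUF_LEN overruns buf; a width of BUF_LEN-1 on the conversion (or fgets) bounds that read. read_serial continues in the following hunk.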
@@ -133,10 +146,11 @@ static chunk_t read_serial(void)
 * and incrementing it by one
 * and representing it as a two's complement octet string
 */
- n_to_mpz(&number, bytes, len);
- mpz_add_ui(&number, &number, 0x01);
- serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE);
- mpz_clear(&number);
+ mpz_init(number);
+ chunk_to_mpz(last_serial, number);
+ mpz_add_ui(number, number, 0x01);
+ serial = mpz_to_chunk(number);
+ mpz_clear(number);
 return serial;
 }
@@ -146,65 +160,91 @@ static chunk_t read_serial(void) */ static void write_serial(chunk_t serial) { - char buf[BUF_LEN]; - FILE *fd = fopen(OPENAC_SERIAL, "w"); if (fd) { - datatot(serial.ptr, serial.len, 16, buf, BUF_LEN); - plog(" serial number is %s", buf); - fprintf(fd, "%s\n", buf); + DBG1(" serial number is %#B", &serial); + fprintf(fd, "%#B\n", &serial); fclose(fd); } else { - plog(" could not open file '%s' for writing", OPENAC_SERIAL); + DBG1(" could not open file '%s' for writing", OPENAC_SERIAL); } } /** * global variables accessible by both main() and build.c */ -x509cert_t *user = NULL; -x509cert_t *signer = NULL; +x509_t *usercert = NULL; +x509_t *signercert = NULL; -ietfAttrList_t *groups = NULL; -struct RSA_private_key *signerkey = NULL; +linked_list_t *groups = NULL; +rsa_private_key_t *signerkey = NULL; -time_t notBefore = 0; -time_t notAfter = 0; +time_t notBefore = UNDEFINED_TIME; +time_t notAfter = UNDEFINED_TIME; chunk_t serial; +static int debug_level = 1; +static bool stderr_quiet = FALSE; + +/** + * openac dbg function + */ +static void openac_dbg(int level, char *fmt, ...) 
+{ + int priority = LOG_INFO; + va_list args; + + if (level <= debug_level) + { + va_start(args, fmt); + if (!stderr_quiet) + { + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); + } + vsyslog(priority, fmt, args); + va_end(args); + } +} + +/** + * @brief openac main program + * + * @param argc number of arguments + * @param argv pointer to the argument values + */ int main(int argc, char **argv) { char *keyfile = NULL; char *certfile = NULL; char *usercertfile = NULL; char *outfile = NULL; + char buf[BUF_LEN]; - cert_t signercert = empty_cert; - cert_t usercert = empty_cert; - - chunk_t attr_cert = empty_chunk; - x509acert_t *ac = NULL; + chunk_t passphrase = { buf, 0 }; + chunk_t attr_cert = chunk_empty; + x509ac_t *ac = NULL; const time_t default_validity = 24*3600; /* 24 hours */ time_t validity = 0; + int status = 1; + + /* enable openac debugging hook */ + dbg = openac_dbg; - prompt_pass_t pass; - - pass.secret[0] = '\0'; - pass.prompt = TRUE; - pass.fd = STDIN_FILENO; + passphrase.ptr[0] = '\0'; + groups = linked_list_create(); - log_to_stderr = TRUE; + openlog("openac", 0, LOG_AUTHPRIV); /* handle arguments */ for (;;) { -# define DBG_OFFSET 256 static const struct option long_opts[] = { /* name, has_arg, flag, val */ { "help", no_argument, NULL, 'h' }, @@ -212,7 +252,7 @@ int main(int argc, char **argv) { "optionsfrom", required_argument, NULL, '+' }, { "quiet", no_argument, NULL, 'q' }, { "cert", required_argument, NULL, 'c' }, - { "key", required_argument, NULL, 'k' }, + { "key", required_argument, NULL, 'k' }, { "password", required_argument, NULL, 'p' }, { "usercert", required_argument, NULL, 'u' }, { "groups", required_argument, NULL, 'g' }, 
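Review bot: openac_dbg() hands the same va_list to vfprintf() and then to vsyslog(); after the first consumer the list is indeterminate, so whenever --quiet is not set the syslog call is undefined behaviour — take a va_copy() before the first use and va_end() both. Separately, every message that passes the level check is written to syslog at LOG_INFO, including the level-3/4 output that openac.8 in this same commit describes as raw bytes and the authorization authority's private key, and --quiet only silences stderr; the old code only reached syslog when log_to_syslog was set. Forwarding only level 1 to syslog (or at most demoting higher levels to LOG_DEBUG) keeps `--debug 4` from writing key material into the LOG_AUTHPRIV log. `fmt` could also be `const char *` if the dbg hook's type allows it. main() starts in this hunk and continues beyond it.

```c
static void openac_dbg(int level, char *fmt, ...)
{
	va_list args, args_syslog;

	if (level > debug_level)
	{
		return;
	}
	va_start(args, fmt);
	va_copy(args_syslog, args);
	if (!stderr_quiet)
	{
		vfprintf(stderr, fmt, args);
		fprintf(stderr, "\n");
	}
	/* keep verbose and private diagnostics out of the system log */
	if (level <= 1)
	{
		vsyslog(LOG_INFO, fmt, args_syslog);
	}
	va_end(args_syslog);
	va_end(args);
}
```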
@@ -221,16 +261,11 @@ int main(int argc, char **argv) { "startdate", required_argument, NULL, 'S' }, { "enddate", required_argument, NULL, 'E' }, { "out", required_argument, NULL, 'o' }, -#ifdef DEBUG - { "debug-all", no_argument, NULL, 'A' }, - { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET }, - { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET }, - { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET }, -#endif + { "debug", required_argument, NULL, 'd' }, { 0,0,0,0 } }; - int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL); + int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:d:", long_opts, NULL); /* Note: "breaking" from case terminates loop */ switch (c) @@ -243,33 +278,38 @@ int main(int argc, char **argv) case ':': /* diagnostic already printed by getopt_long */ case '?': /* diagnostic already printed by getopt_long */ - usage(NULL); - break; /* not actually reached */ - case 'h': /* --help */ usage(NULL); - break; /* not actually reached */ + status = 1; + goto end; case 'v': /* --version */ - printf("%s\n", openac_version); - exit(0); - break; /* not actually reached */ + printf("openac (strongSwan %s)\n", VERSION); + status = 0; + goto end; case '+': /* --optionsfrom <filename> */ { char path[BUF_LEN]; if (*optarg == '/') /* absolute pathname */ + { strncpy(path, optarg, BUF_LEN); + } else /* relative pathname */ + { snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg); - optionsfrom(path, &argc, &argv, optind, stderr); - /* does not return on error */ + } + if (!optionsfrom(path, &argc, &argv, optind)) + { + status = 1; + goto end; + } } continue; case 'q': /* --quiet */ - log_to_stderr = TRUE; + stderr_quiet = TRUE; continue; case 'c': /* --cert */ 
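Review bot: `--help` now exits with status 1: case 'h' shares its branch with ':' and '?' and sets `status = 1`, whereas the removed `exit(mess == NULL? 0 : 1)` in usage() returned 0 for an explicitly requested usage text. Give 'h' its own branch, `case 'h': usage(NULL); status = 0; goto end;`, and keep 1 for the two getopt error cases. The unchanged `strncpy(path, optarg, BUF_LEN)` in the optionsfrom branch leaves path unterminated when optarg is BUF_LEN bytes or longer; `path[BUF_LEN - 1] = '\0';` after it (or snprintf as in the else branch) closes that. main() starts and ends outside this hunk.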
@@ -281,8 +321,13 @@ int main(int argc, char **argv) continue; case 'p': /* --key */ - pass.prompt = FALSE; - strncpy(pass.secret, optarg, sizeof(pass.secret)); + if (strlen(optarg) > BUF_LEN) + { + usage("passphrase too long"); + goto end; + } + strncpy(passphrase.ptr, optarg, BUF_LEN); + passphrase.len = min(strlen(optarg), BUF_LEN); continue; case 'u': /* --usercert */ 
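Review bot: The new length check uses `>`, so a passphrase of exactly BUF_LEN bytes fills buf with no terminating NUL, and the following `min(strlen(optarg), BUF_LEN)` can then never differ from strlen(optarg). If rsa_private_key_create_from_file() only reads passphrase.len bytes this is harmless, but anything that treats the chunk as a C string would read past buf; `if (strlen(optarg) >= BUF_LEN)` keeps a terminator and lets the assignment become `passphrase.len = strlen(optarg);`. It would also be reasonable to zero buf at the end label in main() (`memset(buf, 0, sizeof(buf));`) so the secret does not outlive its use; the passphrase remains visible in the process argument list, as it was before this change. main() starts and ends outside this hunk.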
@@ -290,151 +335,179 @@ int main(int argc, char **argv) continue; case 'g': /* --groups */ - decode_groups(optarg, &groups); + ietfAttr_list_create_from_string(optarg, groups); continue; case 'D': /* --days */ if (optarg == NULL || !isdigit(optarg[0])) + { usage("missing number of days"); + goto end; + } + else { char *endptr; long days = strtol(optarg, &endptr, 0); if (*endptr != '\0' || endptr == optarg || days <= 0) + { usage("<days> must be a positive number"); + goto end; + } validity += 24*3600*days; } continue; case 'H': /* --hours */ if (optarg == NULL || !isdigit(optarg[0])) + { usage("missing number of hours"); + goto end; + } + else { char *endptr; long hours = strtol(optarg, &endptr, 0); if (*endptr != '\0' || endptr == optarg || hours <= 0) + { usage("<hours> must be a positive number"); + goto end; + } validity += 3600*hours; } continue; case 'S': /* --startdate */ if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') + { usage("date format must be YYYYMMDDHHMMSSZ"); + goto end; + } + else { chunk_t date = { optarg, 15 }; + notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME); } continue; case 'E': /* --enddate */ if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') + { usage("date format must be YYYYMMDDHHMMSSZ"); + goto end; + } + else { chunk_t date = { optarg, 15 }; notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME); } continue; - case 'o': /* --outt */ + case 'o': /* --out */ outfile = optarg; continue; -#ifdef DEBUG - case 'A': /* --debug-all */ - base_debugging = DBG_ALL; + case 'd': /* --debug */ + debug_level = atoi(optarg); continue; -#endif + default: -#ifdef DEBUG - if (c >= DBG_OFFSET) - { - base_debugging |= c - DBG_OFFSET; - continue; - } -#undef DBG_OFFSET -#endif - bad_case(c); + usage(""); + status = 0; + goto end; } + /* break from loop */ break; } - init_log("openac"); - cur_debugging = base_debugging; - if (optind != argc) + { usage("unexpected argument"); + goto end; + } + + DBG1("starting openac (strongSwan 
Version %s)", VERSION); + +#ifdef INTEGRITY_TEST + DBG1("integrity test of libstrongswan code"); + if (fips_verify_hmac_signature(hmac_key, hmac_signature)) + { + DBG1(" integrity test passed"); + } + else + { + DBG1(" integrity test failed"); + status = 3; + goto end; + } +#endif /* INTEGRITY_TEST */ /* load the signer's RSA private key */ if (keyfile != NULL) { - err_t ugh = NULL; + signerkey = rsa_private_key_create_from_file(keyfile, &passphrase); - signerkey = alloc_thing(RSA_private_key_t, "RSA private key"); - ugh = load_rsa_private_key(keyfile, &pass, signerkey); - - if (ugh != NULL) + if (signerkey == NULL) { - free_RSA_private_content(signerkey); - pfree(signerkey); - plog("%s", ugh); - exit(1); + goto end; } } /* load the signer's X.509 certificate */ if (certfile != NULL) { - if (!load_cert(certfile, "signer cert", &signercert)) - exit(1); - signer = signercert.u.x509; + signercert = x509_create_from_file(certfile, "signer cert"); + + if (signercert == NULL) + { + goto end; + } } /* load the users's X.509 certificate */ if (usercertfile != NULL) { - if (!load_cert(usercertfile, "user cert", &usercert)) - exit(1); - user = usercert.u.x509; + usercert = x509_create_from_file(usercertfile, "user cert"); + + if (usercert == NULL) + { + goto end; + } } /* compute validity interval */ validity = (validity)? validity : default_validity; - notBefore = (notBefore) ? notBefore : time(NULL); - notAfter = (notAfter) ? notAfter : notBefore + validity; + notBefore = (notBefore == UNDEFINED_TIME) ? time(NULL) : notBefore; + notAfter = (notAfter == UNDEFINED_TIME) ? 
time(NULL) + validity : notAfter; /* build and parse attribute certificate */ - if (user != NULL && signer != NULL && signerkey != NULL) + if (usercert != NULL && signercert != NULL && signerkey != NULL) { /* read the serial number and increment it by one */ serial = read_serial(); attr_cert = build_attr_cert(); - ac = alloc_thing(x509acert_t, "x509acert"); - *ac = empty_ac; - parse_ac(attr_cert, ac); + ac = x509ac_create_from_chunk(attr_cert); /* write the attribute certificate to file */ - if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE)) - write_serial(serial); + if (chunk_write(attr_cert, outfile, "attribute cert", 0022, TRUE)) + { + write_serial(serial); + status = 0; + } } - /* delete all dynamic objects */ - if (signerkey != NULL) - { - free_RSA_private_content(signerkey); - pfree(signerkey); - } - free_x509cert(signercert.u.x509); - free_x509cert(usercert.u.x509); - free_ietfAttrList(groups); - free_acert(ac); - pfree(serial.ptr); - -#ifdef LEAK_DETECTIVE - report_leaks(); -#endif /* LEAK_DETECTIVE */ - close_log(); - exit(0); +end: + /* delete all dynamically allocated objects */ + DESTROY_IF(signerkey); + DESTROY_IF(signercert); + DESTROY_IF(usercert); + DESTROY_IF(ac); + ietfAttr_list_destroy(groups); + free(serial.ptr); + closelog(); + dbg = dbg_default; + exit(status); } |
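Review bot: The end-date default changed meaning: `notAfter = (notAfter == UNDEFINED_TIME) ? time(NULL) + validity : notAfter` takes a fresh time(NULL), whereas the removed line used `notBefore + validity`, so with --startdate but no --enddate the certificate is no longer valid for `validity` seconds from its start date, and the two time() calls can straddle a second boundary even without --startdate. Restore `notBefore + validity` on that line, since notBefore is already resolved on the line above. `debug_level = atoi(optarg)` accepts anything — non-numeric input becomes 0 and silences all output, and values outside the documented 0..4 are kept — so parse it like --days with strtol and reject `*endptr != '\0'` or a value outside 0..4 via `usage("<level> must be 0..4")`. The `default:` branch sets `status = 0` before `goto end`, reporting success for an option value getopt_long returned unexpectedly, while the '?' branch reports 1; the two should agree. main() begins outside this hunk.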