diff options
Diffstat (limited to 'src/openac')
-rw-r--r-- | src/openac/Makefile.am | 98 | ||||
-rw-r--r-- | src/openac/Makefile.in | 624 | ||||
-rw-r--r-- | src/openac/build.c | 242 | ||||
-rw-r--r-- | src/openac/build.h | 47 | ||||
-rw-r--r-- | src/openac/loglite.c | 295 | ||||
-rw-r--r-- | src/openac/openac.8 | 180 | ||||
-rwxr-xr-x | src/openac/openac.c | 438 |
7 files changed, 1924 insertions, 0 deletions
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am new file mode 100644 index 000000000..c1e2a593a --- /dev/null +++ b/src/openac/Makefile.am @@ -0,0 +1,98 @@ +ipsec_PROGRAMS = openac +openac_SOURCES = openac.c build.c build.h loglite.c + +INCLUDES = \ +-I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/pluto \ +-I$(top_srcdir)/src/libcrypto \ +-I$(top_srcdir)/src/whack + +AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\" +openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o mp_defs.o fetch.o id.o keys.o lex.o \ + md2.o md5.o ocsp.o oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \ + $(top_srcdir)/src/libfreeswan/libfreeswan.a $(top_srcdir)/src/libcrypto/libcrypto.a \ + -lgmp + +# This compile option activates dynamic URL fetching using libcurl +if USE_LIBCURL + openac_LDADD += -lcurl +endif + +# This compile option activates smartcard support +if USE_SMARTCARD + openac_LDADD += -ldl +endif + +dist_man_MANS = openac.8 + +PLUTODIR=$(top_srcdir)/src/pluto + +ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h + $(COMPILE) -c -o $@ $< + +asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h + $(COMPILE) -c -o $@ $< + +ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h + $(COMPILE) -c -o $@ $< + +certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h + $(COMPILE) -c -o $@ $< + +constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h + $(COMPILE) -c -o $@ $< + +crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h + $(COMPILE) -c -o $@ $< + +defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h + $(COMPILE) -c -o $@ $< + +mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h + $(COMPILE) -c -o $@ $< + +fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h + $(COMPILE) -c -o $@ $< + +id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h + $(COMPILE) -c -o $@ $< + +keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h + $(COMPILE) -c -o $@ $< + +lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h + $(COMPILE) -c -o $@ $< + +md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h + $(COMPILE) -c -o $@ $< + +md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h + $(COMPILE) -c -o $@ $< + +ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h + $(COMPILE) -c -o $@ $< + +oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h + $(COMPILE) -c -o $@ $< + +pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h + $(COMPILE) -c -o $@ $< + +pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h + $(COMPILE) -c -o $@ $< + +pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h + $(COMPILE) -c -o $@ $< + +rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h + $(COMPILE) -c -o $@ $< + +sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h + $(COMPILE) -c -o $@ $< + +smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h + $(COMPILE) -c -o $@ $< + +x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h + $(COMPILE) -c -o $@ $< + diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in new file mode 100644 index 000000000..8a2bee51f --- /dev/null +++ b/src/openac/Makefile.in @@ -0,0 +1,624 @@ +# Makefile.in generated by automake 1.9.6 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +srcdir = @srcdir@ +top_srcdir = @top_srcdir@ +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +top_builddir = ../.. +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +INSTALL = @INSTALL@ +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +ipsec_PROGRAMS = openac$(EXEEXT) + +# This compile option activates dynamic URL fetching using libcurl +@USE_LIBCURL_TRUE@am__append_1 = -lcurl + +# This compile option activates smartcard support +@USE_SMARTCARD_TRUE@am__append_2 = -ldl +subdir = src/openac +DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(ipsec_PROGRAMS) +am_openac_OBJECTS = openac.$(OBJEXT) build.$(OBJEXT) loglite.$(OBJEXT) +openac_OBJECTS = $(am_openac_OBJECTS) +am__DEPENDENCIES_1 = +openac_DEPENDENCIES = ac.o asn1.o ca.o certs.o constants.o crl.o \ + defs.o mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o \ + oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \ + $(top_srcdir)/src/libfreeswan/libfreeswan.a \ + $(top_srcdir)/src/libcrypto/libcrypto.a $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) +DEFAULT_INCLUDES = -I. -I$(srcdir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +SOURCES = $(openac_SOURCES) +DIST_SOURCES = $(openac_SOURCES) +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(dist_man_MANS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMDEP_FALSE = @AMDEP_FALSE@ +AMDEP_TRUE = @AMDEP_TRUE@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@ +BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXDEPMODE = @CXXDEPMODE@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +RANLIB = @RANLIB@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@ +USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@ +USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@ +USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@ +USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@ +USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@ +USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@ +USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@ +USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@ +USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@ +USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@ +USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@ +USE_VENDORID_FALSE = @USE_VENDORID_FALSE@ +USE_VENDORID_TRUE = @USE_VENDORID_TRUE@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__fastdepCC_FALSE = @am__fastdepCC_FALSE@ +am__fastdepCC_TRUE = @am__fastdepCC_TRUE@ +am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@ +am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +confdir = @confdir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +eapdir = @eapdir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +openac_SOURCES = openac.c build.c build.h loglite.c +INCLUDES = \ +-I$(top_srcdir)/src/libfreeswan \ +-I$(top_srcdir)/src/pluto \ +-I$(top_srcdir)/src/libcrypto \ +-I$(top_srcdir)/src/whack + +AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\" +openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o \ + mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o oid.o \ + pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \ + $(top_srcdir)/src/libfreeswan/libfreeswan.a \ + $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp $(am__append_1) \ + $(am__append_2) +dist_man_MANS = openac.8 +PLUTODIR = $(top_srcdir)/src/pluto +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openac/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/openac/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-ipsecPROGRAMS: $(ipsec_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)" + @list='$(ipsec_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + || test -f $$p1 \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-ipsecPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(ipsec_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \ + rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \ + done + +clean-ipsecPROGRAMS: + @list='$(ipsec_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES) + @rm -f openac$(EXEEXT) + $(LINK) $(openac_LDFLAGS) $(openac_OBJECTS) $(openac_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/build.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \ +@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +distclean-libtool: + -rm -f libtool +uninstall-info-am: +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ + else file=$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \ + list='$(DISTFILES)'; for file in $$list; do \ + case $$file in \ + $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \ + $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \ + esac; \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test "$$dir" != "$$file" && test "$$dir" != "."; then \ + dir="/$$dir"; \ + $(mkdir_p) "$(distdir)$$dir"; \ + else \ + dir=''; \ + fi; \ + if test -d $$d/$$file; then \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) $(MANS) +installdirs: + for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(mkdir_p) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-libtool distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-ipsecPROGRAMS install-man + +install-exec-am: + +install-info: install-info-am + +install-man: install-man8 + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man + +uninstall-man: uninstall-man8 + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-ipsecPROGRAMS clean-libtool ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-exec \ + install-exec-am install-info install-info-am \ + install-ipsecPROGRAMS install-man install-man8 install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-info-am \ + uninstall-ipsecPROGRAMS uninstall-man uninstall-man8 + + +ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h + $(COMPILE) -c -o $@ $< + +asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h + $(COMPILE) -c -o $@ $< + +ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h + $(COMPILE) -c -o $@ $< + +certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h + $(COMPILE) -c -o $@ $< + +constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h + $(COMPILE) -c -o $@ $< + +crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h + $(COMPILE) -c -o $@ $< + +defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h + $(COMPILE) -c -o $@ $< + +mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h + $(COMPILE) -c -o $@ $< + +fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h + $(COMPILE) -c -o $@ $< + +id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h + $(COMPILE) -c -o $@ $< + +keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h + $(COMPILE) -c -o $@ $< + +lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h + $(COMPILE) -c -o $@ $< + +md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h + $(COMPILE) -c -o $@ $< + +md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h + $(COMPILE) -c -o $@ $< + +ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h + $(COMPILE) -c -o $@ $< + +oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h + $(COMPILE) -c -o $@ $< + +pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h + $(COMPILE) -c -o $@ $< + +pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h + $(COMPILE) -c -o $@ $< + +pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h + $(COMPILE) -c -o $@ $< + +rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h + $(COMPILE) -c -o $@ $< + +sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h + $(COMPILE) -c -o $@ $< + +smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h + $(COMPILE) -c -o $@ $< + +x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h + $(COMPILE) -c -o $@ $< +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/openac/build.c b/src/openac/build.c new file mode 100644 index 000000000..bd3df6fee --- /dev/null +++ b/src/openac/build.c @@ -0,0 +1,242 @@ +/* Build a X.509 attribute certificate + * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler + * Copyright (C) 2004 Andreas Steffen + * Zuercher Hochschule Winterthur, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: build.c,v 1.14 2005/09/06 11:47:57 as Exp $ + */ + +#include <stdlib.h> +#include <string.h> + +#include <freeswan.h> + +#include "../pluto/constants.h" +#include "../pluto/defs.h" +#include "../pluto/oid.h" +#include "../pluto/asn1.h" +#include "../pluto/x509.h" +#include "../pluto/log.h" + +#include "build.h" + +static u_char ASN1_group_oid_str[] = { + 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04 +}; + +static const chunk_t ASN1_group_oid = strchunk(ASN1_group_oid_str); + +static u_char ASN1_authorityKeyIdentifier_oid_str[] = { + 0x06, 0x03, + 0x55, 0x1d, 0x23 +}; + +static const chunk_t ASN1_authorityKeyIdentifier_oid + = strchunk(ASN1_authorityKeyIdentifier_oid_str); + +static u_char ASN1_noRevAvail_ext_str[] = { + 0x30, 0x09, + 0x06, 0x03, + 0x55, 0x1d, 0x38, + 0x04, 0x02, + 0x05, 0x00 +}; + +static const chunk_t ASN1_noRevAvail_ext = strchunk(ASN1_noRevAvail_ext_str); + +/* + * build directoryName + */ +static chunk_t +build_directoryName(asn1_t tag, chunk_t name) +{ + return asn1_wrap(tag, "m" + , asn1_simple_object(ASN1_CONTEXT_C_4, name)); +} + +/* + * build holder + */ +static chunk_t +build_holder(void) +{ + return asn1_wrap(ASN1_SEQUENCE, "mm" + , asn1_wrap(ASN1_CONTEXT_C_0, "mm" + , build_directoryName(ASN1_SEQUENCE, user->issuer) + , asn1_simple_object(ASN1_INTEGER, user->serialNumber) + ) + , build_directoryName(ASN1_CONTEXT_C_1, user->subject)); +} + +/* + * build v2Form + */ +static chunk_t +build_v2_form(void) +{ + return asn1_wrap(ASN1_CONTEXT_C_0, "m" + , build_directoryName(ASN1_SEQUENCE, signer->subject)); +} + +/* + * build attrCertValidityPeriod + */ +static chunk_t +build_attr_cert_validity(void) +{ + return asn1_wrap(ASN1_SEQUENCE, "mm" + , timetoasn1(¬Before, ASN1_GENERALIZEDTIME) + , timetoasn1(¬After, ASN1_GENERALIZEDTIME)); +} + +/* + * build attributes + */ +static chunk_t +build_ietfAttributes(ietfAttrList_t *list) +{ + chunk_t ietfAttributes; + ietfAttrList_t *item = list; + size_t size = 0; + u_char *pos; + + /* precalculate the total size of all values */ + while (item != NULL) + { + size_t len = item->attr->value.len; + + size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len; + item = item->next; + } + pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size); + + while (list != NULL) + { + ietfAttr_t *attr = list->attr; + asn1_t type = ASN1_NULL; + + switch (attr->kind) + { + case IETF_ATTRIBUTE_OCTETS: + type = ASN1_OCTET_STRING; + break; + case IETF_ATTRIBUTE_STRING: + type = ASN1_UTF8STRING; + break; + case IETF_ATTRIBUTE_OID: + type = ASN1_OID; + break; + } + mv_chunk(&pos, asn1_simple_object(type, attr->value)); + + list = list->next; + } + + return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes); +} + +/* + * build attribute type + */ +static chunk_t +build_attribute_type(const chunk_t type, chunk_t content) +{ + return asn1_wrap(ASN1_SEQUENCE, "cm" + , type + , asn1_wrap(ASN1_SET, "m", content)); +} + +/* + * build attributes + */ +static chunk_t +build_attributes(void) +{ + return asn1_wrap(ASN1_SEQUENCE, "m" + , build_attribute_type(ASN1_group_oid + , build_ietfAttributes(groups))); +} + +/* + * build authorityKeyIdentifier + */ +static chunk_t +build_authorityKeyID(x509cert_t *signer) +{ + chunk_t keyIdentifier = (signer->subjectKeyID.ptr == NULL) + ? empty_chunk + : asn1_simple_object(ASN1_CONTEXT_S_0 + , signer->subjectKeyID); + + chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1 + , signer->issuer); + + chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2 + , signer->serialNumber); + + return asn1_wrap(ASN1_SEQUENCE, "cm" + , ASN1_authorityKeyIdentifier_oid + , asn1_wrap(ASN1_OCTET_STRING, "m" + , asn1_wrap(ASN1_SEQUENCE, "mmm" + , keyIdentifier + , authorityCertIssuer + , authorityCertSerialNumber + ) + ) + ); +} + +/* + * build extensions + */ +static chunk_t +build_extensions(void) +{ + return asn1_wrap(ASN1_SEQUENCE, "mc" + , build_authorityKeyID(signer) + , ASN1_noRevAvail_ext); +} + +/* + * build attributeCertificateInfo + */ +static chunk_t +build_attr_cert_info(void) +{ + return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm" + , ASN1_INTEGER_1 + , build_holder() + , build_v2_form() + , ASN1_sha1WithRSA_id + , asn1_simple_object(ASN1_INTEGER, serial) + , build_attr_cert_validity() + , build_attributes() + , build_extensions()); +} + +/* + * build an X.509 attribute certificate + */ +chunk_t +build_attr_cert(void) +{ + chunk_t attributeCertificateInfo = build_attr_cert_info(); + chunk_t signatureValue = pkcs1_build_signature(attributeCertificateInfo + , OID_SHA1, signerkey, TRUE); + + return asn1_wrap(ASN1_SEQUENCE, "mcm" + , attributeCertificateInfo + , ASN1_sha1WithRSA_id + , signatureValue); +} diff --git a/src/openac/build.h b/src/openac/build.h new file mode 100644 index 000000000..deeddda04 --- /dev/null +++ b/src/openac/build.h @@ -0,0 +1,47 @@ +/* Build a X.509 attribute certificate + * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler + * Copyright (C) 2004 Andreas Steffen + * Zuercher Hochschule Winterthur, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: build.h,v 1.4 2004/11/03 14:28:52 as Exp $ + */ + +#ifndef _BUILD_H +#define _BUILD_H + +#include <time.h> + +#include "../pluto/x509.h" +#include "../pluto/keys.h" +#include "../pluto/ac.h" + +/* + * global variables accessible by both main() and build.c + */ +extern x509cert_t *user; +extern x509cert_t *signer; + +extern ietfAttrList_t *groups; +extern struct RSA_private_key *signerkey; + +extern time_t notBefore; +extern time_t notAfter; + +extern chunk_t serial; + +/* + * exported functions + */ +extern chunk_t build_attr_cert(void); + +#endif /* _BUILD_H */ diff --git a/src/openac/loglite.c b/src/openac/loglite.c new file mode 100644 index 000000000..4219eb707 --- /dev/null +++ b/src/openac/loglite.c @@ -0,0 +1,295 @@ +/* error logging functions + * Copyright (C) 1997 Angelos D. Keromytis. + * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: loglite.c,v 1.2 2005/07/11 18:38:16 as Exp $ + */ + +#include <stdio.h> +#include <stdlib.h> +#include <ctype.h> +#include <stdarg.h> +#include <syslog.h> +#include <errno.h> +#include <string.h> +#include <unistd.h> +#include <signal.h> /* used only if MSG_NOSIGNAL not defined */ +#include <libgen.h> +#include <sys/stat.h> +#include <sys/types.h> + +#include <freeswan.h> + +#include <constants.h> +#include <defs.h> +#include <log.h> +#include <whack.h> + +bool + log_to_stderr = FALSE, /* should log go to stderr? */ + log_to_syslog = TRUE; /* should log go to syslog? */ + +void +init_log(const char *program) +{ + if (log_to_stderr) + setbuf(stderr, NULL); + if (log_to_syslog) + openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); +} + +void +close_log(void) +{ + if (log_to_syslog) + closelog(); +} + +void +plog(const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "%s\n", m); + if (log_to_syslog) + syslog(LOG_WARNING, "%s", m); +} + +void +loglog(int mess_no, const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "%s\n", m); + if (log_to_syslog) + syslog(LOG_WARNING, "%s", m); +} + +void +log_errno_routine(int e, const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); + if (log_to_syslog) + syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e)); +} + +void +exit_log(const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "FATAL ERROR: %s\n", m); + if (log_to_syslog) + syslog(LOG_ERR, "FATAL ERROR: %s", m); + exit(1); +} + +void +exit_log_errno_routine(int e, const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e)); + if (log_to_syslog) + syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e)); + exit(1); +} + +void +whack_log(int mess_no, const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + fprintf(stderr, "%s\n", m); +} + +/* Build up a diagnostic in a static buffer. + * Although this would be a generally useful function, it is very + * hard to come up with a discipline that prevents different uses + * from interfering. It is intended that by limiting it to building + * diagnostics, we will avoid this problem. + * Juggling is performed to allow an argument to be a previous + * result: the new string may safely depend on the old one. This + * restriction is not checked in any way: violators will produce + * confusing results (without crashing!). + */ +char diag_space[sizeof(diag_space)]; + +err_t +builddiag(const char *fmt, ...) +{ + static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */ + char t[sizeof(diag_space)]; /* build result here first */ + va_list args; + + va_start(args, fmt); + t[0] = '\0'; /* in case nothing terminates string */ + vsnprintf(t, sizeof(t), fmt, args); + va_end(args); + strcpy(diag_space, t); + return diag_space; +} + +/* Debugging message support */ + +#ifdef DEBUG + +void +switch_fail(int n, const char *file_str, unsigned long line_no) +{ + char buf[30]; + + snprintf(buf, sizeof(buf), "case %d unexpected", n); + passert_fail(buf, file_str, line_no); +} + +void +passert_fail(const char *pred_str, const char *file_str, unsigned long line_no) +{ + /* we will get a possibly unplanned prefix. Hope it works */ + loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str); + abort(); /* exiting correctly doesn't always work */ +} + +lset_t + base_debugging = DBG_NONE, /* default to reporting nothing */ + cur_debugging = DBG_NONE; + +void +pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no) +{ + /* we will get a possibly unplanned prefix. Hope it works */ + loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str); +} + +/* log a debugging message (prefixed by "| ") */ + +void +DBG_log(const char *message, ...) +{ + va_list args; + char m[LOG_WIDTH]; /* longer messages will be truncated */ + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + if (log_to_stderr) + fprintf(stderr, "| %s\n", m); + if (log_to_syslog) + syslog(LOG_DEBUG, "| %s", m); +} + +/* dump raw bytes in hex to stderr (for lack of any better destination) */ + +void +DBG_dump(const char *label, const void *p, size_t len) +{ +# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */ +# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1) + char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH]; + char *bp; + const unsigned char *cp = p; + + bp = buf; + + if (label != NULL && label[0] != '\0') + { + /* Handle the label. Care must be taken to avoid buffer overrun. */ + size_t llen = strlen(label); + + if (llen + 1 > sizeof(buf)) + { + DBG_log("%s", label); + } + else + { + strcpy(buf, label); + if (buf[llen-1] == '\n') + { + buf[llen-1] = '\0'; /* get rid of newline */ + DBG_log("%s", buf); + } + else if (llen < DUMP_LABEL_WIDTH) + { + bp = buf + llen; + } + else + { + DBG_log("%s", buf); + } + } + } + + do { + int i, j; + + for (i = 0; len!=0 && i!=4; i++) + { + *bp++ = ' '; + for (j = 0; len!=0 && j!=4; len--, j++) + { + static const char hexdig[] = "0123456789abcdef"; + + *bp++ = ' '; + *bp++ = hexdig[(*cp >> 4) & 0xF]; + *bp++ = hexdig[*cp & 0xF]; + cp++; + } + } + *bp = '\0'; + DBG_log("%s", buf); + bp = buf; + } while (len != 0); +# undef DUMP_LABEL_WIDTH +# undef DUMP_WIDTH +} + +#endif /* DEBUG */ diff --git a/src/openac/openac.8 b/src/openac/openac.8 new file mode 100644 index 000000000..8e609a1b1 --- /dev/null +++ b/src/openac/openac.8 @@ -0,0 +1,180 @@ +.TH IPSEC_OPENAC 8 "29 September 2005" +.SH NAME +ipsec openac \- Generation of X.509 attribute certificates +.SH SYNOPSIS +.B ipsec +.B openac +[ +.B \-\-help +] [ +.B \-\-version +] [ +.B \-\-optionsfrom +\fIfilename\fP +] [ +.B \-\-quiet +] +.br +\ \ \ [ +.B \-\-debug\(hyall +] [ +.B \-\-debug\(hyparsing +] [ +.B \-\-debug\(hyraw +] [ +.B \-\-debug\(hyprivate +] +.br +\ \ \ [ +.B \-\-days +\fIdays\fP +] [ +.B \-\-hours +\fIhours\fP +] +.br +\ \ \ [ +.B \-\-startdate +\fIYYYYMMDDHHMMSSZ\fP +] [ +.B \-\-stopdate +\fIYYYYMMDDHHMMSSZ\fP +] +.br +.B \ \ \ \-\-cert +\fIcertfile\fP +.B \-\-key +\fIkeyfile\fP +[ +.B \-\-password +\fIpassword\fP +] +.br +.B \ \ \ \-\-usercert +\fIcertfile\fP +.B \-\-groups +\fIattr1,attr2,...\fP +.B \-\-out +\fIfilename\fP +.SH DESCRIPTION +.BR openac +is intended to be used by an Authorization Authority (AA) to generate and sign +X.509 attribute certificates. Currently only the inclusion of one ore several group +attributes is supported. An attribute certificate is linked to a holder by +including the issuer and serial number of the holder's X.509 certificate. +.SH OPTIONS +.TP +\fB\-\-help\fP +display the usage message. +.TP +\fB\-\-version\fP +display the version of \fBopenac\fP. +.TP +\fB\-\-optionsfrom\fP\ \fIfilename\fP +adds the contents of the file to the argument list. +If \fIfilename\fP is a relative path then the file is searched in the directory +\fI/etc/openac\fP. +.TP +\fB\-\-quiet\fP +By default \fBopenac\fP logs all control output both to syslog and stderr. +With the \fB\-\-quiet\fP option no output is written to stderr. +.TP +\fB\-\-days\fP\ \fIdays\fP +Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor +the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed. +The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option. +.TP +\fB\-\-hours\fP\ \fIhours\fP +Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor +the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed. +The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option. +.TP +\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP +defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid. +The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). +If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default. + +.TP +\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP +defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire. +The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time). +If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed +by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options +to the \fBnotBefore\fP date. +.TP +\fB\-\-cert\fP\ \fIcertfile\fP +specifies the file containing the X.509 certificate of the Authorization Authority. +The certificate is stored either in PEM or DER format. +.TP +\fB\-\-key\fP\ \fIkeyfile\fP +specifies the encrypted file containing the private RSA key of the Authoritzation +Authority. The private key is stored in PKCS#1 format. +.TP +\fB\-\-password\fP\ \fIpassword\fP +specifies the password with which the private RSA keyfile defined by the +\fB\-\-key\fP option has been protected. If the option is missing then the +password is prompted for on the command line. +.TP +\fB\-\-usercert\fP\ \fIcertfile\fP +specifies file containing the X.509 certificate of the user to which the generated attribute +certificate will apply. The certificate file is stored either in PEM or DER format. +.TP +\fB\-\-groups\fP\ \fIattr1,attr2\fP +specifies a comma-separated list of group attributes that will go into the +X.509 attribute certificate. +.TP +\fB\-\-out\fP\ \fIfilename\fP +specifies the file where the generated X.509 attribute certificate will be stored to. +.SS Debugging +.LP +\fBopenac\fP produces a prodigious amount of debugging information. To do so, +it must be compiled with \-DDEBUG. There are several classes of debugging output, +and \fBopenac\fP may be directed to produce a selection of them. All lines of +debugging output are prefixed with ``|\ '' to distinguish them from error messages. +.LP +When \fBopenac\fP is invoked, it may be given arguments to specify +which classes to output. The current options are: +.TP +\fB\-\-debug-raw\fP +show the raw bytes of the parsed user and authorization authority certificates +as well as of the generated X.509 attribute certificate. +.TP +\fB\-\-debug-parsing\fP +show the parsed structure of user and authorization authority certificats +as well as of the generated X.509 attribute certificate. +.TP +\fB\-\-debug-all\fP +all of the above. +.TP +\fB\-\-debug-private\fP +enables debugging output of the authorization authority's private key. +.SH EXIT STATUS +.LP +The execution of \fBopenac\fP terminates with one of the following two exit codes: +.TP +0 +means that the attribute certificate was successfully generated and stored. +.TP +1 +means that something went wrong. +.SH FILES +\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate +.SH SEE ALSO +.LP +The X.509 attribute certificates generated with \fBopenac\fP can be used to +enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8) +to load and list X.509 attribute certificates. +.LP +For more information on X.509 attribute certificates, refer to the following +IETF RFC: +.IP +RFC 3281 An Internet Attribute Certificate Profile for Authorization +.SH HISTORY +The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi. +The software was recoded by Andreas Steffen using strongSwan's X.509 library and +the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen. +All authors were with the Zurich University of Applied Sciences in Winterthur, +Switzerland. +.LP +.SH BUGS +Bugs should be reported to the <users@lists.strongswan.org> mailing list. diff --git a/src/openac/openac.c b/src/openac/openac.c new file mode 100755 index 000000000..00f287b3a --- /dev/null +++ b/src/openac/openac.c @@ -0,0 +1,438 @@ +/* Generation of X.509 attribute certificates + * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler + * Copyright (C) 2004 Andreas Steffen + * Zuercher Hochschule Winterthur, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: openac.c,v 1.18 2006/01/04 21:12:33 as Exp $ + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <getopt.h> +#include <ctype.h> +#include <time.h> +#include <gmp.h> + +#include <freeswan.h> + +#include "../pluto/constants.h" +#include "../pluto/defs.h" +#include "../pluto/mp_defs.h" +#include "../pluto/log.h" +#include "../pluto/asn1.h" +#include "../pluto/certs.h" +#include "../pluto/x509.h" +#include "../pluto/crl.h" +#include "../pluto/keys.h" +#include "../pluto/ac.h" + +#include "build.h" + +#define OPENAC_PATH IPSEC_CONFDIR "/openac" +#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" + +const char openac_version[] = "openac 0.3"; + +/* by default the CRL policy is lenient */ +bool strict_crl_policy = FALSE; + +/* by default pluto does not check crls dynamically */ +long crl_check_interval = 0; + +/* by default pluto logs out after every smartcard use */ +bool pkcs11_keep_state = FALSE; + +static void +usage(const char *mess) +{ + if (mess != NULL && *mess != '\0') + fprintf(stderr, "%s\n", mess); + fprintf(stderr + , "Usage: openac" + " [--help]" + " [--version]" + " [--optionsfrom <filename>]" + " [--quiet]" +#ifdef DEBUG + " \\\n\t" + " [--debug-all]" + " [--debug-parsing]" + " [--debug-raw]" + " [--debug-private]" +#endif + " \\\n\t" + " [--days <days>]" + " [--hours <hours>]" + " \\\n\t" + " [--startdate <YYYYMMDDHHMMSSZ>]" + " [--enddate <YYYYMMDDHHMMSSZ>]" + " \\\n\t" + " --cert <certfile>" + " --key <keyfile>" + " [--password <password>]" + " \\\n\t" + " --usercert <certfile>" + " --groups <attr1,attr2,..>" + " --out <filename>" + "\n" + ); + exit(mess == NULL? 0 : 1); +} + +/* + * read the last serial number from file + */ +static chunk_t +read_serial(void) +{ + MP_INT number; + + char buf[BUF_LEN]; + char bytes[BUF_LEN]; + + FILE *fd = fopen(OPENAC_SERIAL, "r"); + + /* serial number defaults to 0 */ + size_t len = 1; + bytes[0] = 0x00; + + if (fd) + { + if (fscanf(fd, "%s", buf)) + { + err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len); + + if (ugh != NULL) + plog(" error reading serial number from %s: %s" + , OPENAC_SERIAL, ugh); + } + fclose(fd); + } + else + plog(" file '%s' does not exist yet - serial number set to 01" + , OPENAC_SERIAL); + + /* conversion of read serial number to a multiprecision integer + * and incrementing it by one + * and representing it as a two's complement octet string + */ + n_to_mpz(&number, bytes, len); + mpz_add_ui(&number, &number, 0x01); + serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE); + mpz_clear(&number); + + return serial; +} + +/* + * write back the last serial number to file + */ +static void +write_serial(chunk_t serial) +{ + char buf[BUF_LEN]; + + FILE *fd = fopen(OPENAC_SERIAL, "w"); + + if (fd) + { + datatot(serial.ptr, serial.len, 16, buf, BUF_LEN); + plog(" serial number is %s", buf); + fprintf(fd, "%s\n", buf); + fclose(fd); + } + else + plog(" could not open file '%s' for writing", OPENAC_SERIAL); +} + +/* + * global variables accessible by both main() and build.c + */ +x509cert_t *user = NULL; +x509cert_t *signer = NULL; + +ietfAttrList_t *groups = NULL; +struct RSA_private_key *signerkey = NULL; + +time_t notBefore = 0; +time_t notAfter = 0; + +chunk_t serial; + + +int +main(int argc, char **argv) +{ + char *keyfile = NULL; + char *certfile = NULL; + char *usercertfile = NULL; + char *outfile = NULL; + + cert_t signercert = empty_cert; + cert_t usercert = empty_cert; + + chunk_t attr_cert = empty_chunk; + x509acert_t *ac = NULL; + + const time_t default_validity = 24*3600; /* 24 hours */ + time_t validity = 0; + + prompt_pass_t pass; + + pass.secret[0] = '\0'; + pass.prompt = TRUE; + pass.fd = STDIN_FILENO; + + log_to_stderr = TRUE; + + /* handle arguments */ + for (;;) + { +# define DBG_OFFSET 256 + static const struct option long_opts[] = { + /* name, has_arg, flag, val */ + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'v' }, + { "optionsfrom", required_argument, NULL, '+' }, + { "quiet", no_argument, NULL, 'q' }, + { "cert", required_argument, NULL, 'c' }, + { "key", required_argument, NULL, 'k' }, + { "password", required_argument, NULL, 'p' }, + { "usercert", required_argument, NULL, 'u' }, + { "groups", required_argument, NULL, 'g' }, + { "days", required_argument, NULL, 'D' }, + { "hours", required_argument, NULL, 'H' }, + { "startdate", required_argument, NULL, 'S' }, + { "enddate", required_argument, NULL, 'E' }, + { "out", required_argument, NULL, 'o' }, +#ifdef DEBUG + { "debug-all", no_argument, NULL, 'A' }, + { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET }, + { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET }, + { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET }, +#endif + { 0,0,0,0 } + }; + + int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL); + + /* Note: "breaking" from case terminates loop */ + switch (c) + { + case EOF: /* end of flags */ + break; + + case 0: /* long option already handled */ + continue; + + case ':': /* diagnostic already printed by getopt_long */ + case '?': /* diagnostic already printed by getopt_long */ + usage(NULL); + break; /* not actually reached */ + + case 'h': /* --help */ + usage(NULL); + break; /* not actually reached */ + + case 'v': /* --version */ + printf("%s\n", openac_version); + exit(0); + break; /* not actually reached */ + + case '+': /* --optionsfrom <filename> */ + { + char path[BUF_LEN]; + + if (*optarg == '/') /* absolute pathname */ + strncpy(path, optarg, BUF_LEN); + else /* relative pathname */ + snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg); + optionsfrom(path, &argc, &argv, optind, stderr); + /* does not return on error */ + } + continue; + + case 'q': /* --quiet */ + log_to_stderr = TRUE; + continue; + + case 'c': /* --cert */ + certfile = optarg; + continue; + + case 'k': /* --key */ + keyfile = optarg; + continue; + + case 'p': /* --key */ + pass.prompt = FALSE; + strncpy(pass.secret, optarg, sizeof(pass.secret)); + continue; + + case 'u': /* --usercert */ + usercertfile = optarg; + continue; + + case 'g': /* --groups */ + decode_groups(optarg, &groups); + continue; + + case 'D': /* --days */ + if (optarg == NULL || !isdigit(optarg[0])) + usage("missing number of days"); + { + char *endptr; + long days = strtol(optarg, &endptr, 0); + + if (*endptr != '\0' || endptr == optarg + || days <= 0) + usage("<days> must be a positive number"); + validity += 24*3600*days; + } + continue; + + case 'H': /* --hours */ + if (optarg == NULL || !isdigit(optarg[0])) + usage("missing number of hours"); + { + char *endptr; + long hours = strtol(optarg, &endptr, 0); + + if (*endptr != '\0' || endptr == optarg + || hours <= 0) + usage("<hours> must be a positive number"); + validity += 3600*hours; + } + continue; + + case 'S': /* --startdate */ + if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') + usage("date format must be YYYYMMDDHHMMSSZ"); + { + chunk_t date = { optarg, 15 }; + notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME); + } + continue; + + case 'E': /* --enddate */ + if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z') + usage("date format must be YYYYMMDDHHMMSSZ"); + { + chunk_t date = { optarg, 15 }; + notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME); + } + continue; + + case 'o': /* --outt */ + outfile = optarg; + continue ; + +#ifdef DEBUG + case 'A': /* --debug-all */ + base_debugging = DBG_ALL; + continue; +#endif + default: +#ifdef DEBUG + if (c >= DBG_OFFSET) + { + base_debugging |= c - DBG_OFFSET; + continue; + } +#undef DBG_OFFSET +#endif + bad_case(c); + } + break; + } + + init_log("openac"); + cur_debugging = base_debugging; + + if (optind != argc) + usage("unexpected argument"); + + /* load the signer's RSA private key */ + if (keyfile != NULL) + { + err_t ugh = NULL; + + signerkey = alloc_thing(RSA_private_key_t, "RSA private key"); + ugh = load_rsa_private_key(keyfile, &pass, signerkey); + + if (ugh != NULL) + { + free_RSA_private_content(signerkey); + pfree(signerkey); + plog("%s", ugh); + exit(1); + } + } + + /* load the signer's X.509 certificate */ + if (certfile != NULL) + { + if (!load_cert(certfile, "signer cert", &signercert)) + exit(1); + signer = signercert.u.x509; + } + + /* load the users's X.509 certificate */ + if (usercertfile != NULL) + { + if (!load_cert(usercertfile, "user cert", &usercert)) + exit(1); + user = usercert.u.x509; + } + + /* compute validity interval */ + validity = (validity)? validity : default_validity; + notBefore = (notBefore) ? notBefore : time(NULL); + notAfter = (notAfter) ? notAfter : notBefore + validity; + + /* build and parse attribute certificate */ + if (user != NULL && signer != NULL && signerkey != NULL) + { + /* read the serial number and increment it by one */ + serial = read_serial(); + + attr_cert = build_attr_cert(); + ac = alloc_thing(x509acert_t, "x509acert"); + *ac = empty_ac; + parse_ac(attr_cert, ac); + + /* write the attribute certificate to file */ + if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE)) + write_serial(serial); + } + + /* delete all dynamic objects */ + if (signerkey != NULL) + { + free_RSA_private_content(signerkey); + pfree(signerkey); + } + free_x509cert(signercert.u.x509); + free_x509cert(usercert.u.x509); + free_ietfAttrList(groups); + free_acert(ac); + pfree(serial.ptr); + +#ifdef LEAK_DETECTIVE + report_leaks(); +#endif /* LEAK_DETECTIVE */ + close_log(); + exit(0); +} |