summaryrefslogtreecommitdiff
path: root/src/openac
diff options
context:
space:
mode:
Diffstat (limited to 'src/openac')
-rw-r--r--src/openac/Makefile.am98
-rw-r--r--src/openac/Makefile.in624
-rw-r--r--src/openac/build.c242
-rw-r--r--src/openac/build.h47
-rw-r--r--src/openac/loglite.c295
-rw-r--r--src/openac/openac.8180
-rwxr-xr-xsrc/openac/openac.c438
7 files changed, 1924 insertions, 0 deletions
diff --git a/src/openac/Makefile.am b/src/openac/Makefile.am
new file mode 100644
index 000000000..c1e2a593a
--- /dev/null
+++ b/src/openac/Makefile.am
@@ -0,0 +1,98 @@
+ipsec_PROGRAMS = openac
+openac_SOURCES = openac.c build.c build.h loglite.c
+
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
+openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o mp_defs.o fetch.o id.o keys.o lex.o \
+ md2.o md5.o ocsp.o oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a $(top_srcdir)/src/libcrypto/libcrypto.a \
+ -lgmp
+
+# This compile option activates dynamic URL fetching using libcurl
+if USE_LIBCURL
+ openac_LDADD += -lcurl
+endif
+
+# This compile option activates smartcard support
+if USE_SMARTCARD
+ openac_LDADD += -ldl
+endif
+
+dist_man_MANS = openac.8
+
+PLUTODIR=$(top_srcdir)/src/pluto
+
+ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h
+ $(COMPILE) -c -o $@ $<
+
+asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
+ $(COMPILE) -c -o $@ $<
+
+ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
+ $(COMPILE) -c -o $@ $<
+
+certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
+ $(COMPILE) -c -o $@ $<
+
+constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
+ $(COMPILE) -c -o $@ $<
+
+crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
+ $(COMPILE) -c -o $@ $<
+
+defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) -c -o $@ $<
+
+mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
+ $(COMPILE) -c -o $@ $<
+
+fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
+ $(COMPILE) -c -o $@ $<
+
+id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
+ $(COMPILE) -c -o $@ $<
+
+keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
+ $(COMPILE) -c -o $@ $<
+
+lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
+ $(COMPILE) -c -o $@ $<
+
+md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
+ $(COMPILE) -c -o $@ $<
+
+md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
+ $(COMPILE) -c -o $@ $<
+
+ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
+ $(COMPILE) -c -o $@ $<
+
+oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
+ $(COMPILE) -c -o $@ $<
+
+pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
+ $(COMPILE) -c -o $@ $<
+
+pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
+ $(COMPILE) -c -o $@ $<
+
+pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+ $(COMPILE) -c -o $@ $<
+
+rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
+ $(COMPILE) -c -o $@ $<
+
+sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
+ $(COMPILE) -c -o $@ $<
+
+smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
+ $(COMPILE) -c -o $@ $<
+
+x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
+ $(COMPILE) -c -o $@ $<
+
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
new file mode 100644
index 000000000..8a2bee51f
--- /dev/null
+++ b/src/openac/Makefile.in
@@ -0,0 +1,624 @@
+# Makefile.in generated by automake 1.9.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+top_builddir = ../..
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+INSTALL = @INSTALL@
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+ipsec_PROGRAMS = openac$(EXEEXT)
+
+# This compile option activates dynamic URL fetching using libcurl
+@USE_LIBCURL_TRUE@am__append_1 = -lcurl
+
+# This compile option activates smartcard support
+@USE_SMARTCARD_TRUE@am__append_2 = -ldl
+subdir = src/openac
+DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
+PROGRAMS = $(ipsec_PROGRAMS)
+am_openac_OBJECTS = openac.$(OBJEXT) build.$(OBJEXT) loglite.$(OBJEXT)
+openac_OBJECTS = $(am_openac_OBJECTS)
+am__DEPENDENCIES_1 =
+openac_DEPENDENCIES = ac.o asn1.o ca.o certs.o constants.o crl.o \
+ defs.o mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o \
+ oid.o pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
+DEFAULT_INCLUDES = -I. -I$(srcdir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+SOURCES = $(openac_SOURCES)
+DIST_SOURCES = $(openac_SOURCES)
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(dist_man_MANS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMDEP_FALSE = @AMDEP_FALSE@
+AMDEP_TRUE = @AMDEP_TRUE@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BUILD_EAP_SIM_FALSE = @BUILD_EAP_SIM_FALSE@
+BUILD_EAP_SIM_TRUE = @BUILD_EAP_SIM_TRUE@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+RANLIB = @RANLIB@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_CISCO_QUIRKS_FALSE = @USE_CISCO_QUIRKS_FALSE@
+USE_CISCO_QUIRKS_TRUE = @USE_CISCO_QUIRKS_TRUE@
+USE_LEAK_DETECTIVE_FALSE = @USE_LEAK_DETECTIVE_FALSE@
+USE_LEAK_DETECTIVE_TRUE = @USE_LEAK_DETECTIVE_TRUE@
+USE_LIBCURL_FALSE = @USE_LIBCURL_FALSE@
+USE_LIBCURL_TRUE = @USE_LIBCURL_TRUE@
+USE_LIBLDAP_FALSE = @USE_LIBLDAP_FALSE@
+USE_LIBLDAP_TRUE = @USE_LIBLDAP_TRUE@
+USE_NAT_TRANSPORT_FALSE = @USE_NAT_TRANSPORT_FALSE@
+USE_NAT_TRANSPORT_TRUE = @USE_NAT_TRANSPORT_TRUE@
+USE_SMARTCARD_FALSE = @USE_SMARTCARD_FALSE@
+USE_SMARTCARD_TRUE = @USE_SMARTCARD_TRUE@
+USE_VENDORID_FALSE = @USE_VENDORID_FALSE@
+USE_VENDORID_TRUE = @USE_VENDORID_TRUE@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__fastdepCC_FALSE = @am__fastdepCC_FALSE@
+am__fastdepCC_TRUE = @am__fastdepCC_TRUE@
+am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@
+am__fastdepCXX_TRUE = @am__fastdepCXX_TRUE@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+eapdir = @eapdir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+openac_SOURCES = openac.c build.c build.h loglite.c
+INCLUDES = \
+-I$(top_srcdir)/src/libfreeswan \
+-I$(top_srcdir)/src/pluto \
+-I$(top_srcdir)/src/libcrypto \
+-I$(top_srcdir)/src/whack
+
+AM_CFLAGS = -DDEBUG -DNO_PLUTO -DIPSEC_CONFDIR=\"${confdir}\"
+openac_LDADD = ac.o asn1.o ca.o certs.o constants.o crl.o defs.o \
+ mp_defs.o fetch.o id.o keys.o lex.o md2.o md5.o ocsp.o oid.o \
+ pem.o pgp.o pkcs1.o rnd.o sha1.o smartcard.o x509.o \
+ $(top_srcdir)/src/libfreeswan/libfreeswan.a \
+ $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp $(am__append_1) \
+ $(am__append_2)
+dist_man_MANS = openac.8
+PLUTODIR = $(top_srcdir)/src/pluto
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openac/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/openac/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(mkdir_p) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ if test -f $$p \
+ || test -f $$p1 \
+ ; then \
+ f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(ipsecPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(ipsecdir)/$$f" || exit 1; \
+ else :; fi; \
+ done
+
+uninstall-ipsecPROGRAMS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
+ echo " rm -f '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(ipsecdir)/$$f"; \
+ done
+
+clean-ipsecPROGRAMS:
+ @list='$(ipsec_PROGRAMS)'; for p in $$list; do \
+ f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f $$p $$f"; \
+ rm -f $$p $$f ; \
+ done
+openac$(EXEEXT): $(openac_OBJECTS) $(openac_DEPENDENCIES)
+ @rm -f openac$(EXEEXT)
+ $(LINK) $(openac_LDFLAGS) $(openac_OBJECTS) $(openac_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/build.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/loglite.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openac.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ if $(COMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ `$(CYGPATH_W) '$<'`; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Po"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ if $(LTCOMPILE) -MT $@ -MD -MP -MF "$(DEPDIR)/$*.Tpo" -c -o $@ $<; \
+@am__fastdepCC_TRUE@ then mv -f "$(DEPDIR)/$*.Tpo" "$(DEPDIR)/$*.Plo"; else rm -f "$(DEPDIR)/$*.Tpo"; exit 1; fi
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+distclean-libtool:
+ -rm -f libtool
+uninstall-info-am:
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(mkdir_p) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's|.|.|g'`; \
+ list='$(DISTFILES)'; for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ $(top_srcdir)/*) file=`echo "$$file" | sed "s|^$$topsrcdirstrip/|$(top_builddir)/|"`;; \
+ esac; \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ dir=`echo "$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test "$$dir" != "$$file" && test "$$dir" != "."; then \
+ dir="/$$dir"; \
+ $(mkdir_p) "$(distdir)$$dir"; \
+ else \
+ dir=''; \
+ fi; \
+ if test -d $$d/$$file; then \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(PROGRAMS) $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-libtool distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipsecPROGRAMS install-man
+
+install-exec-am:
+
+install-info: install-info-am
+
+install-man: install-man8
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-info-am uninstall-ipsecPROGRAMS uninstall-man
+
+uninstall-man: uninstall-man8
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-ipsecPROGRAMS clean-libtool ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-exec \
+ install-exec-am install-info install-info-am \
+ install-ipsecPROGRAMS install-man install-man8 install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-info-am \
+ uninstall-ipsecPROGRAMS uninstall-man uninstall-man8
+
+
+ac.o : $(PLUTODIR)/ac.c $(PLUTODIR)/ac.h
+ $(COMPILE) -c -o $@ $<
+
+asn1.o : $(PLUTODIR)/asn1.c $(PLUTODIR)/asn1.h
+ $(COMPILE) -c -o $@ $<
+
+ca.o : $(PLUTODIR)/ca.c $(PLUTODIR)/ca.h
+ $(COMPILE) -c -o $@ $<
+
+certs.o : $(PLUTODIR)/certs.c $(PLUTODIR)/certs.h
+ $(COMPILE) -c -o $@ $<
+
+constants.o : $(PLUTODIR)/constants.c $(PLUTODIR)/constants.h
+ $(COMPILE) -c -o $@ $<
+
+crl.o : $(PLUTODIR)/crl.c $(PLUTODIR)/crl.h
+ $(COMPILE) -c -o $@ $<
+
+defs.o : $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
+ $(COMPILE) -c -o $@ $<
+
+mp_defs.o : $(PLUTODIR)/mp_defs.c $(PLUTODIR)/mp_defs.h
+ $(COMPILE) -c -o $@ $<
+
+fetch.o : $(PLUTODIR)/fetch.c $(PLUTODIR)/fetch.h
+ $(COMPILE) -c -o $@ $<
+
+id.o : $(PLUTODIR)/id.c $(PLUTODIR)/id.h
+ $(COMPILE) -c -o $@ $<
+
+keys.o : $(PLUTODIR)/keys.c $(PLUTODIR)/keys.h
+ $(COMPILE) -c -o $@ $<
+
+lex.o : $(PLUTODIR)/lex.c $(PLUTODIR)/lex.h
+ $(COMPILE) -c -o $@ $<
+
+md2.o : $(PLUTODIR)/md2.c $(PLUTODIR)/md2.h
+ $(COMPILE) -c -o $@ $<
+
+md5.o : $(PLUTODIR)/md5.c $(PLUTODIR)/md5.h
+ $(COMPILE) -c -o $@ $<
+
+ocsp.o : $(PLUTODIR)/ocsp.c $(PLUTODIR)/ocsp.h
+ $(COMPILE) -c -o $@ $<
+
+oid.o : $(PLUTODIR)/oid.c $(PLUTODIR)/oid.h
+ $(COMPILE) -c -o $@ $<
+
+pem.o : $(PLUTODIR)/pem.c $(PLUTODIR)/pem.h
+ $(COMPILE) -c -o $@ $<
+
+pgp.o : $(PLUTODIR)/pgp.c $(PLUTODIR)/pgp.h
+ $(COMPILE) -c -o $@ $<
+
+pkcs1.o : $(PLUTODIR)/pkcs1.c $(PLUTODIR)/pkcs1.h
+ $(COMPILE) -c -o $@ $<
+
+rnd.o : $(PLUTODIR)/rnd.c $(PLUTODIR)/rnd.h
+ $(COMPILE) -c -o $@ $<
+
+sha1.o : $(PLUTODIR)/sha1.c $(PLUTODIR)/sha1.h
+ $(COMPILE) -c -o $@ $<
+
+smartcard.o : $(PLUTODIR)/smartcard.c $(PLUTODIR)/smartcard.h
+ $(COMPILE) -c -o $@ $<
+
+x509.o : $(PLUTODIR)/x509.c $(PLUTODIR)/x509.h
+ $(COMPILE) -c -o $@ $<
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/openac/build.c b/src/openac/build.c
new file mode 100644
index 000000000..bd3df6fee
--- /dev/null
+++ b/src/openac/build.c
@@ -0,0 +1,242 @@
+/* Build a X.509 attribute certificate
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2004 Andreas Steffen
+ * Zuercher Hochschule Winterthur, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: build.c,v 1.14 2005/09/06 11:47:57 as Exp $
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <freeswan.h>
+
+#include "../pluto/constants.h"
+#include "../pluto/defs.h"
+#include "../pluto/oid.h"
+#include "../pluto/asn1.h"
+#include "../pluto/x509.h"
+#include "../pluto/log.h"
+
+#include "build.h"
+
+static u_char ASN1_group_oid_str[] = {
+ 0x06, 0x08,
+ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0a ,0x04
+};
+
+static const chunk_t ASN1_group_oid = strchunk(ASN1_group_oid_str);
+
+static u_char ASN1_authorityKeyIdentifier_oid_str[] = {
+ 0x06, 0x03,
+ 0x55, 0x1d, 0x23
+};
+
+static const chunk_t ASN1_authorityKeyIdentifier_oid
+ = strchunk(ASN1_authorityKeyIdentifier_oid_str);
+
+static u_char ASN1_noRevAvail_ext_str[] = {
+ 0x30, 0x09,
+ 0x06, 0x03,
+ 0x55, 0x1d, 0x38,
+ 0x04, 0x02,
+ 0x05, 0x00
+};
+
+static const chunk_t ASN1_noRevAvail_ext = strchunk(ASN1_noRevAvail_ext_str);
+
+/*
+ * build directoryName
+ */
+static chunk_t
+build_directoryName(asn1_t tag, chunk_t name)
+{
+ return asn1_wrap(tag, "m"
+ , asn1_simple_object(ASN1_CONTEXT_C_4, name));
+}
+
+/*
+ * build holder
+ */
+static chunk_t
+build_holder(void)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "mm"
+ , asn1_wrap(ASN1_CONTEXT_C_0, "mm"
+ , build_directoryName(ASN1_SEQUENCE, user->issuer)
+ , asn1_simple_object(ASN1_INTEGER, user->serialNumber)
+ )
+ , build_directoryName(ASN1_CONTEXT_C_1, user->subject));
+}
+
+/*
+ * build v2Form
+ */
+static chunk_t
+build_v2_form(void)
+{
+ return asn1_wrap(ASN1_CONTEXT_C_0, "m"
+ , build_directoryName(ASN1_SEQUENCE, signer->subject));
+}
+
+/*
+ * build attrCertValidityPeriod
+ */
+static chunk_t
+build_attr_cert_validity(void)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "mm"
+ , timetoasn1(&notBefore, ASN1_GENERALIZEDTIME)
+ , timetoasn1(&notAfter, ASN1_GENERALIZEDTIME));
+}
+
+/*
+ * build attributes
+ */
+static chunk_t
+build_ietfAttributes(ietfAttrList_t *list)
+{
+ chunk_t ietfAttributes;
+ ietfAttrList_t *item = list;
+ size_t size = 0;
+ u_char *pos;
+
+ /* precalculate the total size of all values */
+ while (item != NULL)
+ {
+ size_t len = item->attr->value.len;
+
+ size += 1 + (len > 0) + (len >= 128) + (len >= 256) + (len >= 65536) + len;
+ item = item->next;
+ }
+ pos = build_asn1_object(&ietfAttributes, ASN1_SEQUENCE, size);
+
+ while (list != NULL)
+ {
+ ietfAttr_t *attr = list->attr;
+ asn1_t type = ASN1_NULL;
+
+ switch (attr->kind)
+ {
+ case IETF_ATTRIBUTE_OCTETS:
+ type = ASN1_OCTET_STRING;
+ break;
+ case IETF_ATTRIBUTE_STRING:
+ type = ASN1_UTF8STRING;
+ break;
+ case IETF_ATTRIBUTE_OID:
+ type = ASN1_OID;
+ break;
+ }
+ mv_chunk(&pos, asn1_simple_object(type, attr->value));
+
+ list = list->next;
+ }
+
+ return asn1_wrap(ASN1_SEQUENCE, "m", ietfAttributes);
+}
+
+/*
+ * build attribute type
+ */
+static chunk_t
+build_attribute_type(const chunk_t type, chunk_t content)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , type
+ , asn1_wrap(ASN1_SET, "m", content));
+}
+
+/*
+ * build attributes
+ */
+static chunk_t
+build_attributes(void)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "m"
+ , build_attribute_type(ASN1_group_oid
+ , build_ietfAttributes(groups)));
+}
+
+/*
+ * build authorityKeyIdentifier
+ */
+static chunk_t
+build_authorityKeyID(x509cert_t *signer)
+{
+ chunk_t keyIdentifier = (signer->subjectKeyID.ptr == NULL)
+ ? empty_chunk
+ : asn1_simple_object(ASN1_CONTEXT_S_0
+ , signer->subjectKeyID);
+
+ chunk_t authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1
+ , signer->issuer);
+
+ chunk_t authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2
+ , signer->serialNumber);
+
+ return asn1_wrap(ASN1_SEQUENCE, "cm"
+ , ASN1_authorityKeyIdentifier_oid
+ , asn1_wrap(ASN1_OCTET_STRING, "m"
+ , asn1_wrap(ASN1_SEQUENCE, "mmm"
+ , keyIdentifier
+ , authorityCertIssuer
+ , authorityCertSerialNumber
+ )
+ )
+ );
+}
+
+/*
+ * build extensions
+ */
+static chunk_t
+build_extensions(void)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "mc"
+ , build_authorityKeyID(signer)
+ , ASN1_noRevAvail_ext);
+}
+
+/*
+ * build attributeCertificateInfo
+ */
+static chunk_t
+build_attr_cert_info(void)
+{
+ return asn1_wrap(ASN1_SEQUENCE, "cmmcmmmm"
+ , ASN1_INTEGER_1
+ , build_holder()
+ , build_v2_form()
+ , ASN1_sha1WithRSA_id
+ , asn1_simple_object(ASN1_INTEGER, serial)
+ , build_attr_cert_validity()
+ , build_attributes()
+ , build_extensions());
+}
+
+/*
+ * build an X.509 attribute certificate
+ */
+chunk_t
+build_attr_cert(void)
+{
+ chunk_t attributeCertificateInfo = build_attr_cert_info();
+ chunk_t signatureValue = pkcs1_build_signature(attributeCertificateInfo
+ , OID_SHA1, signerkey, TRUE);
+
+ return asn1_wrap(ASN1_SEQUENCE, "mcm"
+ , attributeCertificateInfo
+ , ASN1_sha1WithRSA_id
+ , signatureValue);
+}
diff --git a/src/openac/build.h b/src/openac/build.h
new file mode 100644
index 000000000..deeddda04
--- /dev/null
+++ b/src/openac/build.h
@@ -0,0 +1,47 @@
+/* Build a X.509 attribute certificate
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2004 Andreas Steffen
+ * Zuercher Hochschule Winterthur, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: build.h,v 1.4 2004/11/03 14:28:52 as Exp $
+ */
+
+#ifndef _BUILD_H
+#define _BUILD_H
+
+#include <time.h>
+
+#include "../pluto/x509.h"
+#include "../pluto/keys.h"
+#include "../pluto/ac.h"
+
+/*
+ * global variables accessible by both main() and build.c
+ */
+extern x509cert_t *user;
+extern x509cert_t *signer;
+
+extern ietfAttrList_t *groups;
+extern struct RSA_private_key *signerkey;
+
+extern time_t notBefore;
+extern time_t notAfter;
+
+extern chunk_t serial;
+
+/*
+ * exported functions
+ */
+extern chunk_t build_attr_cert(void);
+
+#endif /* _BUILD_H */
diff --git a/src/openac/loglite.c b/src/openac/loglite.c
new file mode 100644
index 000000000..4219eb707
--- /dev/null
+++ b/src/openac/loglite.c
@@ -0,0 +1,295 @@
+/* error logging functions
+ * Copyright (C) 1997 Angelos D. Keromytis.
+ * Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: loglite.c,v 1.2 2005/07/11 18:38:16 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
+#include <libgen.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <freeswan.h>
+
+#include <constants.h>
+#include <defs.h>
+#include <log.h>
+#include <whack.h>
+
+bool
+ log_to_stderr = FALSE, /* should log go to stderr? */
+ log_to_syslog = TRUE; /* should log go to syslog? */
+
+void
+init_log(const char *program)
+{
+ if (log_to_stderr)
+ setbuf(stderr, NULL);
+ if (log_to_syslog)
+ openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
+}
+
+void
+close_log(void)
+{
+ if (log_to_syslog)
+ closelog();
+}
+
+void
+plog(const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "%s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_WARNING, "%s", m);
+}
+
+void
+loglog(int mess_no, const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "%s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_WARNING, "%s", m);
+}
+
+void
+log_errno_routine(int e, const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+ if (log_to_syslog)
+ syslog(LOG_ERR, "ERROR: %s. Errno %d: %s", m, e, strerror(e));
+}
+
+void
+exit_log(const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "FATAL ERROR: %s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_ERR, "FATAL ERROR: %s", m);
+ exit(1);
+}
+
+void
+exit_log_errno_routine(int e, const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "FATAL ERROR: %s. Errno %d: %s\n", m, e, strerror(e));
+ if (log_to_syslog)
+ syslog(LOG_ERR, "FATAL ERROR: %s. Errno %d: %s", m, e, strerror(e));
+ exit(1);
+}
+
+void
+whack_log(int mess_no, const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ fprintf(stderr, "%s\n", m);
+}
+
+/* Build up a diagnostic in a static buffer.
+ * Although this would be a generally useful function, it is very
+ * hard to come up with a discipline that prevents different uses
+ * from interfering. It is intended that by limiting it to building
+ * diagnostics, we will avoid this problem.
+ * Juggling is performed to allow an argument to be a previous
+ * result: the new string may safely depend on the old one. This
+ * restriction is not checked in any way: violators will produce
+ * confusing results (without crashing!).
+ */
+char diag_space[sizeof(diag_space)];
+
+err_t
+builddiag(const char *fmt, ...)
+{
+ static char diag_space[LOG_WIDTH]; /* longer messages will be truncated */
+ char t[sizeof(diag_space)]; /* build result here first */
+ va_list args;
+
+ va_start(args, fmt);
+ t[0] = '\0'; /* in case nothing terminates string */
+ vsnprintf(t, sizeof(t), fmt, args);
+ va_end(args);
+ strcpy(diag_space, t);
+ return diag_space;
+}
+
+/* Debugging message support */
+
+#ifdef DEBUG
+
+void
+switch_fail(int n, const char *file_str, unsigned long line_no)
+{
+ char buf[30];
+
+ snprintf(buf, sizeof(buf), "case %d unexpected", n);
+ passert_fail(buf, file_str, line_no);
+}
+
+void
+passert_fail(const char *pred_str, const char *file_str, unsigned long line_no)
+{
+ /* we will get a possibly unplanned prefix. Hope it works */
+ loglog(RC_LOG_SERIOUS, "ASSERTION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+ abort(); /* exiting correctly doesn't always work */
+}
+
+lset_t
+ base_debugging = DBG_NONE, /* default to reporting nothing */
+ cur_debugging = DBG_NONE;
+
+void
+pexpect_log(const char *pred_str, const char *file_str, unsigned long line_no)
+{
+ /* we will get a possibly unplanned prefix. Hope it works */
+ loglog(RC_LOG_SERIOUS, "EXPECTATION FAILED at %s:%lu: %s", file_str, line_no, pred_str);
+}
+
+/* log a debugging message (prefixed by "| ") */
+
+void
+DBG_log(const char *message, ...)
+{
+ va_list args;
+ char m[LOG_WIDTH]; /* longer messages will be truncated */
+
+ va_start(args, message);
+ vsnprintf(m, sizeof(m), message, args);
+ va_end(args);
+
+ if (log_to_stderr)
+ fprintf(stderr, "| %s\n", m);
+ if (log_to_syslog)
+ syslog(LOG_DEBUG, "| %s", m);
+}
+
+/* dump raw bytes in hex to stderr (for lack of any better destination) */
+
+void
+DBG_dump(const char *label, const void *p, size_t len)
+{
+# define DUMP_LABEL_WIDTH 20 /* arbitrary modest boundary */
+# define DUMP_WIDTH (4 * (1 + 4 * 3) + 1)
+ char buf[DUMP_LABEL_WIDTH + DUMP_WIDTH];
+ char *bp;
+ const unsigned char *cp = p;
+
+ bp = buf;
+
+ if (label != NULL && label[0] != '\0')
+ {
+ /* Handle the label. Care must be taken to avoid buffer overrun. */
+ size_t llen = strlen(label);
+
+ if (llen + 1 > sizeof(buf))
+ {
+ DBG_log("%s", label);
+ }
+ else
+ {
+ strcpy(buf, label);
+ if (buf[llen-1] == '\n')
+ {
+ buf[llen-1] = '\0'; /* get rid of newline */
+ DBG_log("%s", buf);
+ }
+ else if (llen < DUMP_LABEL_WIDTH)
+ {
+ bp = buf + llen;
+ }
+ else
+ {
+ DBG_log("%s", buf);
+ }
+ }
+ }
+
+ do {
+ int i, j;
+
+ for (i = 0; len!=0 && i!=4; i++)
+ {
+ *bp++ = ' ';
+ for (j = 0; len!=0 && j!=4; len--, j++)
+ {
+ static const char hexdig[] = "0123456789abcdef";
+
+ *bp++ = ' ';
+ *bp++ = hexdig[(*cp >> 4) & 0xF];
+ *bp++ = hexdig[*cp & 0xF];
+ cp++;
+ }
+ }
+ *bp = '\0';
+ DBG_log("%s", buf);
+ bp = buf;
+ } while (len != 0);
+# undef DUMP_LABEL_WIDTH
+# undef DUMP_WIDTH
+}
+
+#endif /* DEBUG */
diff --git a/src/openac/openac.8 b/src/openac/openac.8
new file mode 100644
index 000000000..8e609a1b1
--- /dev/null
+++ b/src/openac/openac.8
@@ -0,0 +1,180 @@
+.TH IPSEC_OPENAC 8 "29 September 2005"
+.SH NAME
+ipsec openac \- Generation of X.509 attribute certificates
+.SH SYNOPSIS
+.B ipsec
+.B openac
+[
+.B \-\-help
+] [
+.B \-\-version
+] [
+.B \-\-optionsfrom
+\fIfilename\fP
+] [
+.B \-\-quiet
+]
+.br
+\ \ \ [
+.B \-\-debug\(hyall
+] [
+.B \-\-debug\(hyparsing
+] [
+.B \-\-debug\(hyraw
+] [
+.B \-\-debug\(hyprivate
+]
+.br
+\ \ \ [
+.B \-\-days
+\fIdays\fP
+] [
+.B \-\-hours
+\fIhours\fP
+]
+.br
+\ \ \ [
+.B \-\-startdate
+\fIYYYYMMDDHHMMSSZ\fP
+] [
+.B \-\-stopdate
+\fIYYYYMMDDHHMMSSZ\fP
+]
+.br
+.B \ \ \ \-\-cert
+\fIcertfile\fP
+.B \-\-key
+\fIkeyfile\fP
+[
+.B \-\-password
+\fIpassword\fP
+]
+.br
+.B \ \ \ \-\-usercert
+\fIcertfile\fP
+.B \-\-groups
+\fIattr1,attr2,...\fP
+.B \-\-out
+\fIfilename\fP
+.SH DESCRIPTION
+.BR openac
+is intended to be used by an Authorization Authority (AA) to generate and sign
+X.509 attribute certificates. Currently only the inclusion of one ore several group
+attributes is supported. An attribute certificate is linked to a holder by
+including the issuer and serial number of the holder's X.509 certificate.
+.SH OPTIONS
+.TP
+\fB\-\-help\fP
+display the usage message.
+.TP
+\fB\-\-version\fP
+display the version of \fBopenac\fP.
+.TP
+\fB\-\-optionsfrom\fP\ \fIfilename\fP
+adds the contents of the file to the argument list.
+If \fIfilename\fP is a relative path then the file is searched in the directory
+\fI/etc/openac\fP.
+.TP
+\fB\-\-quiet\fP
+By default \fBopenac\fP logs all control output both to syslog and stderr.
+With the \fB\-\-quiet\fP option no output is written to stderr.
+.TP
+\fB\-\-days\fP\ \fIdays\fP
+Validity of the X.509 attribute certificate in days. If neiter the \fB\-\-days\fP\ nor
+the \fB\-\-hours\fP\ option is specified then a default validity interval of 1 day is assumed.
+The \fB\-\-days\fP\ option can be combined with the \fB\-\-hours\fP\ option.
+.TP
+\fB\-\-hours\fP\ \fIhours\fP
+Validity of the X.509 attribute certificate in hours. If neiter the \fB\-\-hours\fP\ nor
+the \fB\-\-days\fP\ option is specified then a default validity interval of 24 hours is assumed.
+The \fB\-\-hours\fP\ option can be combined with the \fB\-\-days\fP\ option.
+.TP
+\fB\-\-startdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
+defines the \fBnotBefore\fP date when the X.509 attribute certificate becomes valid.
+The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
+If the \fB\-\-startdate\fP option is not specified then the current date is taken as a default.
+
+.TP
+\fB\-\-stopdate\fP\ \fIYYYYMMDDHHMMSSZ\fP
+defines the \fBnotAfter\fP date when the X.509 attribute certificate will expire.
+The date \fIYYYYMMDDHHMMSS\fP must be specified in UTC (\fIZ\fPulu time).
+If the \fB\-\-stopdate\fP option is not specified then the default \fBnotAfter\fP value is computed
+by adding the validity interval specified by the \fB\-\-days\fP\ and/or \fB\-\-days\fP\ options
+to the \fBnotBefore\fP date.
+.TP
+\fB\-\-cert\fP\ \fIcertfile\fP
+specifies the file containing the X.509 certificate of the Authorization Authority.
+The certificate is stored either in PEM or DER format.
+.TP
+\fB\-\-key\fP\ \fIkeyfile\fP
+specifies the encrypted file containing the private RSA key of the Authoritzation
+Authority. The private key is stored in PKCS#1 format.
+.TP
+\fB\-\-password\fP\ \fIpassword\fP
+specifies the password with which the private RSA keyfile defined by the
+\fB\-\-key\fP option has been protected. If the option is missing then the
+password is prompted for on the command line.
+.TP
+\fB\-\-usercert\fP\ \fIcertfile\fP
+specifies file containing the X.509 certificate of the user to which the generated attribute
+certificate will apply. The certificate file is stored either in PEM or DER format.
+.TP
+\fB\-\-groups\fP\ \fIattr1,attr2\fP
+specifies a comma-separated list of group attributes that will go into the
+X.509 attribute certificate.
+.TP
+\fB\-\-out\fP\ \fIfilename\fP
+specifies the file where the generated X.509 attribute certificate will be stored to.
+.SS Debugging
+.LP
+\fBopenac\fP produces a prodigious amount of debugging information. To do so,
+it must be compiled with \-DDEBUG. There are several classes of debugging output,
+and \fBopenac\fP may be directed to produce a selection of them. All lines of
+debugging output are prefixed with ``|\ '' to distinguish them from error messages.
+.LP
+When \fBopenac\fP is invoked, it may be given arguments to specify
+which classes to output. The current options are:
+.TP
+\fB\-\-debug-raw\fP
+show the raw bytes of the parsed user and authorization authority certificates
+as well as of the generated X.509 attribute certificate.
+.TP
+\fB\-\-debug-parsing\fP
+show the parsed structure of user and authorization authority certificats
+as well as of the generated X.509 attribute certificate.
+.TP
+\fB\-\-debug-all\fP
+all of the above.
+.TP
+\fB\-\-debug-private\fP
+enables debugging output of the authorization authority's private key.
+.SH EXIT STATUS
+.LP
+The execution of \fBopenac\fP terminates with one of the following two exit codes:
+.TP
+0
+means that the attribute certificate was successfully generated and stored.
+.TP
+1
+means that something went wrong.
+.SH FILES
+\fI/etc/openac/serial\fP\ \ \ serial number of latest attribute certificate
+.SH SEE ALSO
+.LP
+The X.509 attribute certificates generated with \fBopenac\fP can be used to
+enforce group policies defined by \fIipsec.conf\fP(5). Use \fIipsec_auto\fP(8)
+to load and list X.509 attribute certificates.
+.LP
+For more information on X.509 attribute certificates, refer to the following
+IETF RFC:
+.IP
+RFC 3281 An Internet Attribute Certificate Profile for Authorization
+.SH HISTORY
+The \fBopenac\fP program was originally written by Ariane Seiler and Ueli Galizzi.
+The software was recoded by Andreas Steffen using strongSwan's X.509 library and
+the ASN.1 code synthesis functions written by Christoph Gysin and Christoph Zwahlen.
+All authors were with the Zurich University of Applied Sciences in Winterthur,
+Switzerland.
+.LP
+.SH BUGS
+Bugs should be reported to the <users@lists.strongswan.org> mailing list.
diff --git a/src/openac/openac.c b/src/openac/openac.c
new file mode 100755
index 000000000..00f287b3a
--- /dev/null
+++ b/src/openac/openac.c
@@ -0,0 +1,438 @@
+/* Generation of X.509 attribute certificates
+ * Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
+ * Copyright (C) 2004 Andreas Steffen
+ * Zuercher Hochschule Winterthur, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * RCSID $Id: openac.c,v 1.18 2006/01/04 21:12:33 as Exp $
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <getopt.h>
+#include <ctype.h>
+#include <time.h>
+#include <gmp.h>
+
+#include <freeswan.h>
+
+#include "../pluto/constants.h"
+#include "../pluto/defs.h"
+#include "../pluto/mp_defs.h"
+#include "../pluto/log.h"
+#include "../pluto/asn1.h"
+#include "../pluto/certs.h"
+#include "../pluto/x509.h"
+#include "../pluto/crl.h"
+#include "../pluto/keys.h"
+#include "../pluto/ac.h"
+
+#include "build.h"
+
+#define OPENAC_PATH IPSEC_CONFDIR "/openac"
+#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
+
+const char openac_version[] = "openac 0.3";
+
+/* by default the CRL policy is lenient */
+bool strict_crl_policy = FALSE;
+
+/* by default pluto does not check crls dynamically */
+long crl_check_interval = 0;
+
+/* by default pluto logs out after every smartcard use */
+bool pkcs11_keep_state = FALSE;
+
+static void
+usage(const char *mess)
+{
+ if (mess != NULL && *mess != '\0')
+ fprintf(stderr, "%s\n", mess);
+ fprintf(stderr
+ , "Usage: openac"
+ " [--help]"
+ " [--version]"
+ " [--optionsfrom <filename>]"
+ " [--quiet]"
+#ifdef DEBUG
+ " \\\n\t"
+ " [--debug-all]"
+ " [--debug-parsing]"
+ " [--debug-raw]"
+ " [--debug-private]"
+#endif
+ " \\\n\t"
+ " [--days <days>]"
+ " [--hours <hours>]"
+ " \\\n\t"
+ " [--startdate <YYYYMMDDHHMMSSZ>]"
+ " [--enddate <YYYYMMDDHHMMSSZ>]"
+ " \\\n\t"
+ " --cert <certfile>"
+ " --key <keyfile>"
+ " [--password <password>]"
+ " \\\n\t"
+ " --usercert <certfile>"
+ " --groups <attr1,attr2,..>"
+ " --out <filename>"
+ "\n"
+ );
+ exit(mess == NULL? 0 : 1);
+}
+
+/*
+ * read the last serial number from file
+ */
+static chunk_t
+read_serial(void)
+{
+ MP_INT number;
+
+ char buf[BUF_LEN];
+ char bytes[BUF_LEN];
+
+ FILE *fd = fopen(OPENAC_SERIAL, "r");
+
+ /* serial number defaults to 0 */
+ size_t len = 1;
+ bytes[0] = 0x00;
+
+ if (fd)
+ {
+ if (fscanf(fd, "%s", buf))
+ {
+ err_t ugh = ttodata(buf, 0, 16, bytes, BUF_LEN, &len);
+
+ if (ugh != NULL)
+ plog(" error reading serial number from %s: %s"
+ , OPENAC_SERIAL, ugh);
+ }
+ fclose(fd);
+ }
+ else
+ plog(" file '%s' does not exist yet - serial number set to 01"
+ , OPENAC_SERIAL);
+
+ /* conversion of read serial number to a multiprecision integer
+ * and incrementing it by one
+ * and representing it as a two's complement octet string
+ */
+ n_to_mpz(&number, bytes, len);
+ mpz_add_ui(&number, &number, 0x01);
+ serial = mpz_to_n(&number, 1 + mpz_sizeinbase(&number, 2)/BITS_PER_BYTE);
+ mpz_clear(&number);
+
+ return serial;
+}
+
+/*
+ * write back the last serial number to file
+ */
+static void
+write_serial(chunk_t serial)
+{
+ char buf[BUF_LEN];
+
+ FILE *fd = fopen(OPENAC_SERIAL, "w");
+
+ if (fd)
+ {
+ datatot(serial.ptr, serial.len, 16, buf, BUF_LEN);
+ plog(" serial number is %s", buf);
+ fprintf(fd, "%s\n", buf);
+ fclose(fd);
+ }
+ else
+ plog(" could not open file '%s' for writing", OPENAC_SERIAL);
+}
+
+/*
+ * global variables accessible by both main() and build.c
+ */
+x509cert_t *user = NULL;
+x509cert_t *signer = NULL;
+
+ietfAttrList_t *groups = NULL;
+struct RSA_private_key *signerkey = NULL;
+
+time_t notBefore = 0;
+time_t notAfter = 0;
+
+chunk_t serial;
+
+
+int
+main(int argc, char **argv)
+{
+ char *keyfile = NULL;
+ char *certfile = NULL;
+ char *usercertfile = NULL;
+ char *outfile = NULL;
+
+ cert_t signercert = empty_cert;
+ cert_t usercert = empty_cert;
+
+ chunk_t attr_cert = empty_chunk;
+ x509acert_t *ac = NULL;
+
+ const time_t default_validity = 24*3600; /* 24 hours */
+ time_t validity = 0;
+
+ prompt_pass_t pass;
+
+ pass.secret[0] = '\0';
+ pass.prompt = TRUE;
+ pass.fd = STDIN_FILENO;
+
+ log_to_stderr = TRUE;
+
+ /* handle arguments */
+ for (;;)
+ {
+# define DBG_OFFSET 256
+ static const struct option long_opts[] = {
+ /* name, has_arg, flag, val */
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'v' },
+ { "optionsfrom", required_argument, NULL, '+' },
+ { "quiet", no_argument, NULL, 'q' },
+ { "cert", required_argument, NULL, 'c' },
+ { "key", required_argument, NULL, 'k' },
+ { "password", required_argument, NULL, 'p' },
+ { "usercert", required_argument, NULL, 'u' },
+ { "groups", required_argument, NULL, 'g' },
+ { "days", required_argument, NULL, 'D' },
+ { "hours", required_argument, NULL, 'H' },
+ { "startdate", required_argument, NULL, 'S' },
+ { "enddate", required_argument, NULL, 'E' },
+ { "out", required_argument, NULL, 'o' },
+#ifdef DEBUG
+ { "debug-all", no_argument, NULL, 'A' },
+ { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
+ { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
+ { "debug-private", no_argument, NULL, DBG_PRIVATE + DBG_OFFSET },
+#endif
+ { 0,0,0,0 }
+ };
+
+ int c = getopt_long(argc, argv, "hv+:qc:k:p;u:g:D:H:S:E:o:", long_opts, NULL);
+
+ /* Note: "breaking" from case terminates loop */
+ switch (c)
+ {
+ case EOF: /* end of flags */
+ break;
+
+ case 0: /* long option already handled */
+ continue;
+
+ case ':': /* diagnostic already printed by getopt_long */
+ case '?': /* diagnostic already printed by getopt_long */
+ usage(NULL);
+ break; /* not actually reached */
+
+ case 'h': /* --help */
+ usage(NULL);
+ break; /* not actually reached */
+
+ case 'v': /* --version */
+ printf("%s\n", openac_version);
+ exit(0);
+ break; /* not actually reached */
+
+ case '+': /* --optionsfrom <filename> */
+ {
+ char path[BUF_LEN];
+
+ if (*optarg == '/') /* absolute pathname */
+ strncpy(path, optarg, BUF_LEN);
+ else /* relative pathname */
+ snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg);
+ optionsfrom(path, &argc, &argv, optind, stderr);
+ /* does not return on error */
+ }
+ continue;
+
+ case 'q': /* --quiet */
+ log_to_stderr = TRUE;
+ continue;
+
+ case 'c': /* --cert */
+ certfile = optarg;
+ continue;
+
+ case 'k': /* --key */
+ keyfile = optarg;
+ continue;
+
+ case 'p': /* --key */
+ pass.prompt = FALSE;
+ strncpy(pass.secret, optarg, sizeof(pass.secret));
+ continue;
+
+ case 'u': /* --usercert */
+ usercertfile = optarg;
+ continue;
+
+ case 'g': /* --groups */
+ decode_groups(optarg, &groups);
+ continue;
+
+ case 'D': /* --days */
+ if (optarg == NULL || !isdigit(optarg[0]))
+ usage("missing number of days");
+ {
+ char *endptr;
+ long days = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg
+ || days <= 0)
+ usage("<days> must be a positive number");
+ validity += 24*3600*days;
+ }
+ continue;
+
+ case 'H': /* --hours */
+ if (optarg == NULL || !isdigit(optarg[0]))
+ usage("missing number of hours");
+ {
+ char *endptr;
+ long hours = strtol(optarg, &endptr, 0);
+
+ if (*endptr != '\0' || endptr == optarg
+ || hours <= 0)
+ usage("<hours> must be a positive number");
+ validity += 3600*hours;
+ }
+ continue;
+
+ case 'S': /* --startdate */
+ if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
+ usage("date format must be YYYYMMDDHHMMSSZ");
+ {
+ chunk_t date = { optarg, 15 };
+ notBefore = asn1totime(&date, ASN1_GENERALIZEDTIME);
+ }
+ continue;
+
+ case 'E': /* --enddate */
+ if (optarg == NULL || strlen(optarg) != 15 || optarg[14] != 'Z')
+ usage("date format must be YYYYMMDDHHMMSSZ");
+ {
+ chunk_t date = { optarg, 15 };
+ notAfter = asn1totime(&date, ASN1_GENERALIZEDTIME);
+ }
+ continue;
+
+ case 'o': /* --outt */
+ outfile = optarg;
+ continue ;
+
+#ifdef DEBUG
+ case 'A': /* --debug-all */
+ base_debugging = DBG_ALL;
+ continue;
+#endif
+ default:
+#ifdef DEBUG
+ if (c >= DBG_OFFSET)
+ {
+ base_debugging |= c - DBG_OFFSET;
+ continue;
+ }
+#undef DBG_OFFSET
+#endif
+ bad_case(c);
+ }
+ break;
+ }
+
+ init_log("openac");
+ cur_debugging = base_debugging;
+
+ if (optind != argc)
+ usage("unexpected argument");
+
+ /* load the signer's RSA private key */
+ if (keyfile != NULL)
+ {
+ err_t ugh = NULL;
+
+ signerkey = alloc_thing(RSA_private_key_t, "RSA private key");
+ ugh = load_rsa_private_key(keyfile, &pass, signerkey);
+
+ if (ugh != NULL)
+ {
+ free_RSA_private_content(signerkey);
+ pfree(signerkey);
+ plog("%s", ugh);
+ exit(1);
+ }
+ }
+
+ /* load the signer's X.509 certificate */
+ if (certfile != NULL)
+ {
+ if (!load_cert(certfile, "signer cert", &signercert))
+ exit(1);
+ signer = signercert.u.x509;
+ }
+
+ /* load the users's X.509 certificate */
+ if (usercertfile != NULL)
+ {
+ if (!load_cert(usercertfile, "user cert", &usercert))
+ exit(1);
+ user = usercert.u.x509;
+ }
+
+ /* compute validity interval */
+ validity = (validity)? validity : default_validity;
+ notBefore = (notBefore) ? notBefore : time(NULL);
+ notAfter = (notAfter) ? notAfter : notBefore + validity;
+
+ /* build and parse attribute certificate */
+ if (user != NULL && signer != NULL && signerkey != NULL)
+ {
+ /* read the serial number and increment it by one */
+ serial = read_serial();
+
+ attr_cert = build_attr_cert();
+ ac = alloc_thing(x509acert_t, "x509acert");
+ *ac = empty_ac;
+ parse_ac(attr_cert, ac);
+
+ /* write the attribute certificate to file */
+ if (write_chunk(outfile, "attribute cert", attr_cert, 0022, TRUE))
+ write_serial(serial);
+ }
+
+ /* delete all dynamic objects */
+ if (signerkey != NULL)
+ {
+ free_RSA_private_content(signerkey);
+ pfree(signerkey);
+ }
+ free_x509cert(signercert.u.x509);
+ free_x509cert(usercert.u.x509);
+ free_ietfAttrList(groups);
+ free_acert(ac);
+ pfree(serial.ptr);
+
+#ifdef LEAK_DETECTIVE
+ report_leaks();
+#endif /* LEAK_DETECTIVE */
+ close_log();
+ exit(0);
+}