diff options
Diffstat (limited to 'src/pluto/rcv_whack.c')
-rw-r--r-- | src/pluto/rcv_whack.c | 204 |
1 files changed, 94 insertions, 110 deletions
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c index 013deb446..826a1aa6e 100644 --- a/src/pluto/rcv_whack.c +++ b/src/pluto/rcv_whack.c @@ -33,7 +33,6 @@ #include "constants.h" #include "defs.h" -#include "id.h" #include "ca.h" #include "certs.h" #include "ac.h" @@ -55,16 +54,16 @@ #include "fetch.h" #include "ocsp.h" #include "crl.h" - +#include "myid.h" #include "kernel_alg.h" #include "ike_alg.h" + /* helper variables and function to decode strings from whack message */ static char *next_str , *str_roof; -static bool -unpack_str(char **p) +static bool unpack_str(char **p) { char *end = memchr(next_str, '\0', str_roof - next_str); @@ -103,19 +102,13 @@ struct key_add_continuation { enum key_add_attempt lookingfor; }; -static void -key_add_ugh(const struct id *keyid, err_t ugh) +static void key_add_ugh(identification_t *keyid, err_t ugh) { - char name[BUF_LEN]; /* longer IDs will be truncated in message */ - - (void)idtoa(keyid, name, sizeof(name)); - loglog(RC_NOKEY - , "failure to fetch key for %s from DNS: %s", name, ugh); + loglog(RC_NOKEY, "failure to fetch key for %'Y' from DNS: %s", keyid, ugh); } /* last one out: turn out the lights */ -static void -key_add_merge(struct key_add_common *oc, const struct id *keyid) +static void key_add_merge(struct key_add_common *oc, identification_t *keyid) { if (oc->refCount == 0) { @@ -123,9 +116,12 @@ key_add_merge(struct key_add_common *oc, const struct id *keyid) /* if no success, print all diagnostics */ if (!oc->success) + { for (kaa = ka_TXT; kaa != ka_roof; kaa++) + { key_add_ugh(keyid, oc->diag[kaa]); - + } + } for (kaa = ka_TXT; kaa != ka_roof; kaa++) { free(oc->diag[kaa]); @@ -135,8 +131,7 @@ key_add_merge(struct key_add_common *oc, const struct id *keyid) } } -static void -key_add_continue(struct adns_continuation *ac, err_t ugh) +static void key_add_continue(struct adns_continuation *ac, err_t ugh) { struct key_add_continuation *kc = (void *) ac; struct key_add_common *oc = kc->common; @@ -159,95 +154,87 @@ key_add_continue(struct adns_continuation *ac, err_t ugh) } oc->refCount--; - key_add_merge(oc, &ac->id); + key_add_merge(oc, ac->id); whack_log_fd = NULL_FD; } -static void -key_add_request(const whack_message_t *msg) +static void key_add_request(const whack_message_t *msg) { - struct id keyid; - err_t ugh = atoid(msg->keyid, &keyid, FALSE); + identification_t *key_id; - if (ugh != NULL) + key_id = identification_create_from_string(msg->keyid); + + if (!msg->whack_addkey) { - loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh); + delete_public_keys(key_id, msg->pubkey_alg, NULL, chunk_empty); } - else + if (msg->keyval.len == 0) { - if (!msg->whack_addkey) - delete_public_keys(&keyid, msg->pubkey_alg - , chunk_empty, chunk_empty); + struct key_add_common *oc = malloc_thing(struct key_add_common); + enum key_add_attempt kaa; + err_t ugh; - if (msg->keyval.len == 0) + /* initialize state shared by queries */ + oc->refCount = 0; + oc->whack_fd = dup_any(whack_log_fd); + oc->success = FALSE; + + for (kaa = ka_TXT; kaa != ka_roof; kaa++) { - struct key_add_common *oc = malloc_thing(struct key_add_common); - enum key_add_attempt kaa; + struct key_add_continuation *kc; - /* initialize state shared by queries */ - oc->refCount = 0; - oc->whack_fd = dup_any(whack_log_fd); - oc->success = FALSE; + oc->diag[kaa] = NULL; + oc->refCount++; + kc = malloc_thing(struct key_add_continuation); + kc->common = oc; + kc->lookingfor = kaa; - for (kaa = ka_TXT; kaa != ka_roof; kaa++) + switch (kaa) { - struct key_add_continuation *kc; - - oc->diag[kaa] = NULL; - oc->refCount++; - kc = malloc_thing(struct key_add_continuation); - kc->common = oc; - kc->lookingfor = kaa; - - switch (kaa) - { case ka_TXT: - ugh = start_adns_query(&keyid - , &keyid /* same */ - , T_TXT - , key_add_continue - , &kc->ac); + ugh = start_adns_query(key_id + , key_id /* same */ + , T_TXT + , key_add_continue + , &kc->ac); break; #ifdef USE_KEYRR case ka_KEY: - ugh = start_adns_query(&keyid - , NULL - , T_KEY - , key_add_continue - , &kc->ac); + ugh = start_adns_query(key_id + , NULL + , T_KEY + , key_add_continue + , &kc->ac); break; #endif /* USE_KEYRR */ default: bad_case(kaa); /* suppress gcc warning */ - } - if (ugh != NULL) - { - oc->diag[kaa] = clone_str(ugh); - oc->refCount--; - } } - - /* Done launching queries. - * Handle total failure case. - */ - key_add_merge(oc, &keyid); - } - else - { - if (!add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg, msg->keyval, - &pubkeys)) + if (ugh) { - loglog(RC_LOG_SERIOUS, "failed to add public key"); + oc->diag[kaa] = clone_str(ugh); + oc->refCount--; } } + + /* Done launching queries. Handle total failure case. */ + key_add_merge(oc, key_id); + } + else + { + if (!add_public_key(key_id, DAL_LOCAL, msg->pubkey_alg, msg->keyval, + &pubkeys)) + { + loglog(RC_LOG_SERIOUS, "failed to add public key"); + } } + key_id->destroy(key_id); } /* Handle a kernel request. Supposedly, there's a message in * the kernelsock socket. */ -void -whack_handle(int whackctlfd) +void whack_handle(int whackctlfd) { whack_message_t msg; struct sockaddr_un whackaddr; @@ -319,24 +306,26 @@ whack_handle(int whackctlfd) || !unpack_str(&msg.left.ca) /* string 4 */ || !unpack_str(&msg.left.groups) /* string 5 */ || !unpack_str(&msg.left.updown) /* string 6 */ - || !unpack_str(&msg.left.virt) /* string 7 */ - || !unpack_str(&msg.right.id) /* string 8 */ - || !unpack_str(&msg.right.cert) /* string 9 */ - || !unpack_str(&msg.right.ca) /* string 10 */ - || !unpack_str(&msg.right.groups) /* string 11 */ - || !unpack_str(&msg.right.updown) /* string 12 */ - || !unpack_str(&msg.right.virt) /* string 13 */ - || !unpack_str(&msg.keyid) /* string 14 */ - || !unpack_str(&msg.myid) /* string 15 */ - || !unpack_str(&msg.cacert) /* string 16 */ - || !unpack_str(&msg.ldaphost) /* string 17 */ - || !unpack_str(&msg.ldapbase) /* string 18 */ - || !unpack_str(&msg.crluri) /* string 19 */ - || !unpack_str(&msg.crluri2) /* string 20 */ - || !unpack_str(&msg.ocspuri) /* string 21 */ - || !unpack_str(&msg.ike) /* string 22 */ - || !unpack_str(&msg.esp) /* string 23 */ - || !unpack_str(&msg.sc_data) /* string 24 */ + || !unpack_str(&msg.left.sourceip) /* string 7 */ + || !unpack_str(&msg.left.virt) /* string 8 */ + || !unpack_str(&msg.right.id) /* string 9 */ + || !unpack_str(&msg.right.cert) /* string 10 */ + || !unpack_str(&msg.right.ca) /* string 11 */ + || !unpack_str(&msg.right.groups) /* string 12 */ + || !unpack_str(&msg.right.updown) /* string 13 */ + || !unpack_str(&msg.right.sourceip) /* string 14 */ + || !unpack_str(&msg.right.virt) /* string 15 */ + || !unpack_str(&msg.keyid) /* string 16 */ + || !unpack_str(&msg.myid) /* string 17 */ + || !unpack_str(&msg.cacert) /* string 18 */ + || !unpack_str(&msg.ldaphost) /* string 19 */ + || !unpack_str(&msg.ldapbase) /* string 20 */ + || !unpack_str(&msg.crluri) /* string 21 */ + || !unpack_str(&msg.crluri2) /* string 22 */ + || !unpack_str(&msg.ocspuri) /* string 23 */ + || !unpack_str(&msg.ike) /* string 24 */ + || !unpack_str(&msg.esp) /* string 25 */ + || !unpack_str(&msg.sc_data) /* string 26 */ || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */ { ugh = "message from whack contains bad string"; @@ -372,7 +361,7 @@ whack_handle(int whackctlfd) } else if (!msg.whack_connection) { - struct connection *c = con_by_name(msg.name, TRUE); + connection_t *c = con_by_name(msg.name, TRUE); if (c != NULL) { @@ -424,7 +413,7 @@ whack_handle(int whackctlfd) if (msg.whack_ca && msg.cacert != NULL) add_ca_info(&msg); - + /* process "listen" before any operation that could require it */ if (msg.whack_listen) { @@ -451,22 +440,22 @@ whack_handle(int whackctlfd) if (msg.whack_reread & REREAD_CACERTS) { - load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA); + load_authcerts("ca", CA_CERT_PATH, X509_CA); } if (msg.whack_reread & REREAD_AACERTS) { - load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA); + load_authcerts("aa", AA_CERT_PATH, X509_AA); } if (msg.whack_reread & REREAD_OCSPCERTS) { - load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP); + load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER); } if (msg.whack_reread & REREAD_ACERTS) { - load_acerts(); + ac_load_certs(); } if (msg.whack_reread & REREAD_CRLS) @@ -487,32 +476,27 @@ whack_handle(int whackctlfd) if (msg.whack_list & LIST_CERTS) { - list_certs(msg.whack_utc); + cert_list(msg.whack_utc); } if (msg.whack_list & LIST_CACERTS) { - list_authcerts("CA", AUTH_CA, msg.whack_utc); + list_authcerts("CA", X509_CA, msg.whack_utc); } if (msg.whack_list & LIST_AACERTS) { - list_authcerts("AA", AUTH_AA, msg.whack_utc); + list_authcerts("AA", X509_AA, msg.whack_utc); } if (msg.whack_list & LIST_OCSPCERTS) { - list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc); + list_authcerts("OCSP", X509_OCSP_SIGNER, msg.whack_utc); } if (msg.whack_list & LIST_ACERTS) { - list_acerts(msg.whack_utc); - } - - if (msg.whack_list & LIST_GROUPS) - { - list_groups(msg.whack_utc); + ac_list_certs(msg.whack_utc); } if (msg.whack_list & LIST_CAINFOS) @@ -562,7 +546,7 @@ whack_handle(int whackctlfd) } else { - struct connection *c = con_by_name(msg.name, TRUE); + connection_t *c = con_by_name(msg.name, TRUE); if (c != NULL && c->ikev1) { @@ -588,7 +572,7 @@ whack_handle(int whackctlfd) } else { - struct connection *c = con_by_name(msg.name, TRUE); + connection_t *c = con_by_name(msg.name, TRUE); if (c != NULL && c->ikev1) { |