Diffstat (limited to 'src/pluto/rcv_whack.c')
-rw-r--r--src/pluto/rcv_whack.c204
1 files changed, 94 insertions, 110 deletions
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
index 013deb446..826a1aa6e 100644
--- a/src/pluto/rcv_whack.c
+++ b/src/pluto/rcv_whack.c
@@ -33,7 +33,6 @@
#include "constants.h"
#include "defs.h"
-#include "id.h"
#include "ca.h"
#include "certs.h"
#include "ac.h"
@@ -55,16 +54,16 @@
#include "fetch.h"
#include "ocsp.h"
#include "crl.h"
-
+#include "myid.h"
#include "kernel_alg.h"
#include "ike_alg.h"
+
/* helper variables and function to decode strings from whack message */
static char *next_str
, *str_roof;
-static bool
-unpack_str(char **p)
+static bool unpack_str(char **p)
{
char *end = memchr(next_str, '\0', str_roof - next_str);
@@ -103,19 +102,13 @@ struct key_add_continuation {
enum key_add_attempt lookingfor;
};
-static void
-key_add_ugh(const struct id *keyid, err_t ugh)
+static void key_add_ugh(identification_t *keyid, err_t ugh)
{
- char name[BUF_LEN]; /* longer IDs will be truncated in message */
-
- (void)idtoa(keyid, name, sizeof(name));
- loglog(RC_NOKEY
- , "failure to fetch key for %s from DNS: %s", name, ugh);
+ loglog(RC_NOKEY, "failure to fetch key for %'Y' from DNS: %s", keyid, ugh);
}
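Review bot: The new format string on the `loglog(RC_NOKEY, ...)` line reads `%'Y'`, which places the opening quote inside the conversion spec as a flag rather than around it; if the printf hook tolerates the flag the message will print as `for <id>' from DNS` with an unbalanced quote, and if it does not the spec is mangled. The intent is presumably `'%Y'`: `loglog(RC_NOKEY, "failure to fetch key for '%Y' from DNS: %s", keyid, ugh);`. Dropping the truncating idtoa buffer is otherwise an improvement.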
/* last one out: turn out the lights */
-static void
-key_add_merge(struct key_add_common *oc, const struct id *keyid)
+static void key_add_merge(struct key_add_common *oc, identification_t *keyid)
{
if (oc->refCount == 0)
{
@@ -123,9 +116,12 @@ key_add_merge(struct key_add_common *oc, const struct id *keyid)
/* if no success, print all diagnostics */
if (!oc->success)
+ {
for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+ {
key_add_ugh(keyid, oc->diag[kaa]);
-
+ }
+ }
for (kaa = ka_TXT; kaa != ka_roof; kaa++)
{
free(oc->diag[kaa]);
@@ -135,8 +131,7 @@ key_add_merge(struct key_add_common *oc, const struct id *keyid)
}
}
-static void
-key_add_continue(struct adns_continuation *ac, err_t ugh)
+static void key_add_continue(struct adns_continuation *ac, err_t ugh)
{
struct key_add_continuation *kc = (void *) ac;
struct key_add_common *oc = kc->common;
@@ -159,95 +154,87 @@ key_add_continue(struct adns_continuation *ac, err_t ugh)
}
oc->refCount--;
- key_add_merge(oc, &ac->id);
+ key_add_merge(oc, ac->id);
whack_log_fd = NULL_FD;
}
-static void
-key_add_request(const whack_message_t *msg)
+static void key_add_request(const whack_message_t *msg)
{
- struct id keyid;
- err_t ugh = atoid(msg->keyid, &keyid, FALSE);
+ identification_t *key_id;
- if (ugh != NULL)
+ key_id = identification_create_from_string(msg->keyid);
+
+ if (!msg->whack_addkey)
{
- loglog(RC_BADID, "bad --keyid \"%s\": %s", msg->keyid, ugh);
+ delete_public_keys(key_id, msg->pubkey_alg, NULL, chunk_empty);
}
- else
+ if (msg->keyval.len == 0)
{
- if (!msg->whack_addkey)
- delete_public_keys(&keyid, msg->pubkey_alg
- , chunk_empty, chunk_empty);
+ struct key_add_common *oc = malloc_thing(struct key_add_common);
+ enum key_add_attempt kaa;
+ err_t ugh;
- if (msg->keyval.len == 0)
+ /* initialize state shared by queries */
+ oc->refCount = 0;
+ oc->whack_fd = dup_any(whack_log_fd);
+ oc->success = FALSE;
+
+ for (kaa = ka_TXT; kaa != ka_roof; kaa++)
{
- struct key_add_common *oc = malloc_thing(struct key_add_common);
- enum key_add_attempt kaa;
+ struct key_add_continuation *kc;
- /* initialize state shared by queries */
- oc->refCount = 0;
- oc->whack_fd = dup_any(whack_log_fd);
- oc->success = FALSE;
+ oc->diag[kaa] = NULL;
+ oc->refCount++;
+ kc = malloc_thing(struct key_add_continuation);
+ kc->common = oc;
+ kc->lookingfor = kaa;
- for (kaa = ka_TXT; kaa != ka_roof; kaa++)
+ switch (kaa)
{
- struct key_add_continuation *kc;
-
- oc->diag[kaa] = NULL;
- oc->refCount++;
- kc = malloc_thing(struct key_add_continuation);
- kc->common = oc;
- kc->lookingfor = kaa;
-
- switch (kaa)
- {
case ka_TXT:
- ugh = start_adns_query(&keyid
- , &keyid /* same */
- , T_TXT
- , key_add_continue
- , &kc->ac);
+ ugh = start_adns_query(key_id
+ , key_id /* same */
+ , T_TXT
+ , key_add_continue
+ , &kc->ac);
break;
#ifdef USE_KEYRR
case ka_KEY:
- ugh = start_adns_query(&keyid
- , NULL
- , T_KEY
- , key_add_continue
- , &kc->ac);
+ ugh = start_adns_query(key_id
+ , NULL
+ , T_KEY
+ , key_add_continue
+ , &kc->ac);
break;
#endif /* USE_KEYRR */
default:
bad_case(kaa); /* suppress gcc warning */
- }
- if (ugh != NULL)
- {
- oc->diag[kaa] = clone_str(ugh);
- oc->refCount--;
- }
}
-
- /* Done launching queries.
- * Handle total failure case.
- */
- key_add_merge(oc, &keyid);
- }
- else
- {
- if (!add_public_key(&keyid, DAL_LOCAL, msg->pubkey_alg, msg->keyval,
- &pubkeys))
+ if (ugh)
{
- loglog(RC_LOG_SERIOUS, "failed to add public key");
+ oc->diag[kaa] = clone_str(ugh);
+ oc->refCount--;
}
}
+
+ /* Done launching queries. Handle total failure case. */
+ key_add_merge(oc, key_id);
+ }
+ else
+ {
+ if (!add_public_key(key_id, DAL_LOCAL, msg->pubkey_alg, msg->keyval,
+ &pubkeys))
+ {
+ loglog(RC_LOG_SERIOUS, "failed to add public key");
+ }
}
+ key_id->destroy(key_id);
}
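Review bot: key_add_request drops the `bad --keyid` error path the old atoid code had: `key_id = identification_create_from_string(msg->keyid)` is used unchecked by delete_public_keys, start_adns_query, add_public_key and finally `key_id->destroy(key_id)`. If that constructor can return NULL (it does for an unparseable DN in the library version I would expect here, but confirm), a malformed keyid sent over the whack socket null-dereferences the daemon. I would add directly after the create call: `if (key_id == NULL) { loglog(RC_BADID, "bad --keyid \"%s\"", msg->keyid); return; }`. Separately, key_id is destroyed at the end of the function while the adns continuations still reach it through ac->id in key_add_continue, so this relies on start_adns_query cloning the identification rather than keeping the pointer; worth confirming, since the old code passed a stack struct and the copy was implicit.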
/* Handle a kernel request. Supposedly, there's a message in
* the kernelsock socket.
*/
-void
-whack_handle(int whackctlfd)
+void whack_handle(int whackctlfd)
{
whack_message_t msg;
struct sockaddr_un whackaddr;
@@ -319,24 +306,26 @@ whack_handle(int whackctlfd)
|| !unpack_str(&msg.left.ca) /* string 4 */
|| !unpack_str(&msg.left.groups) /* string 5 */
|| !unpack_str(&msg.left.updown) /* string 6 */
- || !unpack_str(&msg.left.virt) /* string 7 */
- || !unpack_str(&msg.right.id) /* string 8 */
- || !unpack_str(&msg.right.cert) /* string 9 */
- || !unpack_str(&msg.right.ca) /* string 10 */
- || !unpack_str(&msg.right.groups) /* string 11 */
- || !unpack_str(&msg.right.updown) /* string 12 */
- || !unpack_str(&msg.right.virt) /* string 13 */
- || !unpack_str(&msg.keyid) /* string 14 */
- || !unpack_str(&msg.myid) /* string 15 */
- || !unpack_str(&msg.cacert) /* string 16 */
- || !unpack_str(&msg.ldaphost) /* string 17 */
- || !unpack_str(&msg.ldapbase) /* string 18 */
- || !unpack_str(&msg.crluri) /* string 19 */
- || !unpack_str(&msg.crluri2) /* string 20 */
- || !unpack_str(&msg.ocspuri) /* string 21 */
- || !unpack_str(&msg.ike) /* string 22 */
- || !unpack_str(&msg.esp) /* string 23 */
- || !unpack_str(&msg.sc_data) /* string 24 */
+ || !unpack_str(&msg.left.sourceip) /* string 7 */
+ || !unpack_str(&msg.left.virt) /* string 8 */
+ || !unpack_str(&msg.right.id) /* string 9 */
+ || !unpack_str(&msg.right.cert) /* string 10 */
+ || !unpack_str(&msg.right.ca) /* string 11 */
+ || !unpack_str(&msg.right.groups) /* string 12 */
+ || !unpack_str(&msg.right.updown) /* string 13 */
+ || !unpack_str(&msg.right.sourceip) /* string 14 */
+ || !unpack_str(&msg.right.virt) /* string 15 */
+ || !unpack_str(&msg.keyid) /* string 16 */
+ || !unpack_str(&msg.myid) /* string 17 */
+ || !unpack_str(&msg.cacert) /* string 18 */
+ || !unpack_str(&msg.ldaphost) /* string 19 */
+ || !unpack_str(&msg.ldapbase) /* string 20 */
+ || !unpack_str(&msg.crluri) /* string 21 */
+ || !unpack_str(&msg.crluri2) /* string 22 */
+ || !unpack_str(&msg.ocspuri) /* string 23 */
+ || !unpack_str(&msg.ike) /* string 24 */
+ || !unpack_str(&msg.esp) /* string 25 */
+ || !unpack_str(&msg.sc_data) /* string 26 */
|| str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */
{
ugh = "message from whack contains bad string";
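Review bot: Inserting left.sourceip and right.sourceip into the middle of the unpack sequence changes the whack wire layout, so this is only correct if the sender in whack.c packs the strings in exactly this order and the protocol magic was bumped in the same change, neither of which is visible in this diff. A comment above the list would keep the two sides in sync: `/* string order must match the pack order in whack.c; bump the whack protocol magic whenever it changes */`. whack_handle starts and ends outside this hunk.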
@@ -372,7 +361,7 @@ whack_handle(int whackctlfd)
}
else if (!msg.whack_connection)
{
- struct connection *c = con_by_name(msg.name, TRUE);
+ connection_t *c = con_by_name(msg.name, TRUE);
if (c != NULL)
{
@@ -424,7 +413,7 @@ whack_handle(int whackctlfd)
if (msg.whack_ca && msg.cacert != NULL)
add_ca_info(&msg);
-
+
/* process "listen" before any operation that could require it */
if (msg.whack_listen)
{
@@ -451,22 +440,22 @@ whack_handle(int whackctlfd)
if (msg.whack_reread & REREAD_CACERTS)
{
- load_authcerts("CA cert", CA_CERT_PATH, AUTH_CA);
+ load_authcerts("ca", CA_CERT_PATH, X509_CA);
}
if (msg.whack_reread & REREAD_AACERTS)
{
- load_authcerts("AA cert", AA_CERT_PATH, AUTH_AA);
+ load_authcerts("aa", AA_CERT_PATH, X509_AA);
}
if (msg.whack_reread & REREAD_OCSPCERTS)
{
- load_authcerts("OCSP cert", OCSP_CERT_PATH, AUTH_OCSP);
+ load_authcerts("ocsp", OCSP_CERT_PATH, X509_OCSP_SIGNER);
}
if (msg.whack_reread & REREAD_ACERTS)
{
- load_acerts();
+ ac_load_certs();
}
if (msg.whack_reread & REREAD_CRLS)
@@ -487,32 +476,27 @@ whack_handle(int whackctlfd)
if (msg.whack_list & LIST_CERTS)
{
- list_certs(msg.whack_utc);
+ cert_list(msg.whack_utc);
}
if (msg.whack_list & LIST_CACERTS)
{
- list_authcerts("CA", AUTH_CA, msg.whack_utc);
+ list_authcerts("CA", X509_CA, msg.whack_utc);
}
if (msg.whack_list & LIST_AACERTS)
{
- list_authcerts("AA", AUTH_AA, msg.whack_utc);
+ list_authcerts("AA", X509_AA, msg.whack_utc);
}
if (msg.whack_list & LIST_OCSPCERTS)
{
- list_authcerts("OCSP", AUTH_OCSP, msg.whack_utc);
+ list_authcerts("OCSP", X509_OCSP_SIGNER, msg.whack_utc);
}
if (msg.whack_list & LIST_ACERTS)
{
- list_acerts(msg.whack_utc);
- }
-
- if (msg.whack_list & LIST_GROUPS)
- {
- list_groups(msg.whack_utc);
+ ac_list_certs(msg.whack_utc);
}
if (msg.whack_list & LIST_CAINFOS)
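Review bot: The `LIST_GROUPS` branch that called list_groups is deleted with nothing replacing it; if the LIST_GROUPS flag still exists in the whack message and whack still sets it for its option, the request is now silently ignored rather than rejected. If group listing was intentionally dropped, the flag should go from the sender and header in the same commit, or the daemon should at least say so, e.g. `if (msg.whack_list & LIST_GROUPS) loglog(RC_LOG_SERIOUS, "group listing is no longer supported");`. whack_handle continues outside this hunk.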
@@ -562,7 +546,7 @@ whack_handle(int whackctlfd)
}
else
{
- struct connection *c = con_by_name(msg.name, TRUE);
+ connection_t *c = con_by_name(msg.name, TRUE);
if (c != NULL && c->ikev1)
{
@@ -588,7 +572,7 @@ whack_handle(int whackctlfd)
}
else
{
- struct connection *c = con_by_name(msg.name, TRUE);
+ connection_t *c = con_by_name(msg.name, TRUE);
if (c != NULL && c->ikev1)
{