From 518dd33c94e041db0444c7d1f33da363bb8e3faf Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Thu, 24 Mar 2016 11:59:32 +0100 Subject: Imported Upstream version 5.4.0 --- src/swanctl/Makefile.am | 8 +- src/swanctl/Makefile.in | 28 +- src/swanctl/command.c | 11 +- src/swanctl/command.h | 4 +- src/swanctl/commands/list_algs.c | 104 +++++++ src/swanctl/commands/list_certs.c | 603 ++++++-------------------------------- src/swanctl/commands/list_sas.c | 13 +- src/swanctl/commands/load_conns.c | 9 +- src/swanctl/commands/load_creds.c | 47 ++- src/swanctl/commands/redirect.c | 132 +++++++++ src/swanctl/commands/stats.c | 12 + src/swanctl/swanctl.8.in | 9 +- src/swanctl/swanctl.conf | 22 +- src/swanctl/swanctl.conf.5.main | 139 +++++++-- src/swanctl/swanctl.h | 18 ++ src/swanctl/swanctl.opt | 99 +++++-- 16 files changed, 676 insertions(+), 582 deletions(-) create mode 100644 src/swanctl/commands/list_algs.c create mode 100644 src/swanctl/commands/redirect.c (limited to 'src/swanctl') diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 703e5746a..fb027149a 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -4,6 +4,7 @@ swanctl_SOURCES = \ command.c command.h \ commands/initiate.c \ commands/terminate.c \ + commands/redirect.c \ commands/install.c \ commands/list_sas.c \ commands/list_pols.c \ @@ -11,6 +12,7 @@ swanctl_SOURCES = \ commands/list_conns.c \ commands/list_certs.c \ commands/list_pools.c \ + commands/list_algs.c \ commands/load_all.c \ commands/load_authorities.h commands/load_authorities.c \ commands/load_conns.c commands/load_conns.h \ @@ -24,7 +26,8 @@ swanctl_SOURCES = \ swanctl_LDADD = \ $(top_builddir)/src/libcharon/plugins/vici/libvici.la \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(PTHREADLIB) $(DLLIB) swanctl.o : $(top_builddir)/config.status @@ -62,10 +65,13 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true + test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true + test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true + test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index a4d853cb1..94921af6d 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -105,20 +105,24 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" \ PROGRAMS = $(sbin_PROGRAMS) am__dirstamp = $(am__leading_dot)dirstamp am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \ - commands/terminate.$(OBJEXT) commands/install.$(OBJEXT) \ - commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \ + commands/terminate.$(OBJEXT) commands/redirect.$(OBJEXT) \ + commands/install.$(OBJEXT) commands/list_sas.$(OBJEXT) \ + commands/list_pols.$(OBJEXT) \ commands/list_authorities.$(OBJEXT) \ commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \ - commands/list_pools.$(OBJEXT) commands/load_all.$(OBJEXT) \ + commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \ + commands/load_all.$(OBJEXT) \ commands/load_authorities.$(OBJEXT) \ commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \ commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \ commands/version.$(OBJEXT) commands/stats.$(OBJEXT) \ commands/reload_settings.$(OBJEXT) swanctl.$(OBJEXT) swanctl_OBJECTS = $(am_swanctl_OBJECTS) +am__DEPENDENCIES_1 = swanctl_DEPENDENCIES = \ $(top_builddir)/src/libcharon/plugins/vici/libvici.la \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -427,6 +431,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ @@ -444,6 +450,7 @@ swanctl_SOURCES = \ command.c command.h \ commands/initiate.c \ commands/terminate.c \ + commands/redirect.c \ commands/install.c \ commands/list_sas.c \ commands/list_pols.c \ @@ -451,6 +458,7 @@ swanctl_SOURCES = \ commands/list_conns.c \ commands/list_certs.c \ commands/list_pools.c \ + commands/list_algs.c \ commands/load_all.c \ commands/load_authorities.h commands/load_authorities.c \ commands/load_conns.c commands/load_conns.h \ @@ -464,7 +472,8 @@ swanctl_SOURCES = \ swanctl_LDADD = \ $(top_builddir)/src/libcharon/plugins/vici/libvici.la \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(PTHREADLIB) $(DLLIB) AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ @@ -579,6 +588,8 @@ commands/initiate.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/terminate.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/redirect.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/install.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/list_sas.$(OBJEXT): commands/$(am__dirstamp) \ @@ -593,6 +604,8 @@ commands/list_certs.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/list_algs.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \ @@ -627,6 +640,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_algs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_authorities.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_certs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_conns.Po@am__quote@ @@ -639,6 +653,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_creds.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_pools.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/log.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/redirect.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/reload_settings.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/stats.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/terminate.Po@am__quote@ @@ -1001,10 +1016,13 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/x509" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509" || true test -e "$(DESTDIR)$(swanctldir)/x509ca" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ca" || true test -e "$(DESTDIR)$(swanctldir)/x509aa" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509aa" || true + test -e "$(DESTDIR)$(swanctldir)/x509ocsp" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ocsp" || true test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true + test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true + test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true diff --git a/src/swanctl/command.c b/src/swanctl/command.c index 26c41346c..fd9bc0083 100644 --- a/src/swanctl/command.c +++ b/src/swanctl/command.c @@ -176,6 +176,15 @@ void command_register(command_t command) "uri", 'u', 1, "service URI to connect to" }; } + for (i = 0; cmds[registered].line[i]; i++) + { + if (i == MAX_LINES - 1) + { + fprintf(stderr, "command '%s' specifies too many usage summary " + "lines, please increase MAX_LINES\n", command.cmd); + break; + } + } } registered++; } @@ -217,7 +226,7 @@ int command_usage(char *error, ...) } else { - for (i = 0; cmds[active].line[i]; i++) + for (i = 0; i < MAX_LINES && cmds[active].line[i]; i++) { if (i == 0) { diff --git a/src/swanctl/command.h b/src/swanctl/command.h index 0760d1384..8d0a2e6b9 100644 --- a/src/swanctl/command.h +++ b/src/swanctl/command.h @@ -27,12 +27,12 @@ /** * Maximum number of commands (+1). */ -#define MAX_COMMANDS 21 +#define MAX_COMMANDS 23 /** * Maximum number of options in a command (+3) */ -#define MAX_OPTIONS 32 +#define MAX_OPTIONS 34 /** * Maximum number of usage summary lines (+1) diff --git a/src/swanctl/commands/list_algs.c b/src/swanctl/commands/list_algs.c new file mode 100644 index 000000000..616e6ff75 --- /dev/null +++ b/src/swanctl/commands/list_algs.c @@ -0,0 +1,104 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "command.h" + +#include + +CALLBACK(algs, int, + void *null, vici_res_t *res, char *name, void *value, int len) +{ + if (chunk_printable(chunk_create(value, len), NULL, ' ')) + { + printf(" %s[%.*s]\n", name, len, value); + } + return 0; +} + +CALLBACK(types, int, + void *null, vici_res_t *res, char *name) +{ + printf("%s:\n", name); + return vici_parse_cb(res, NULL, algs, NULL, NULL); +} + +static int algorithms(vici_conn_t *conn) +{ + vici_req_t *req; + vici_res_t *res; + char *arg; + command_format_options_t format = COMMAND_FORMAT_NONE; + int ret; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case EOF: + break; + default: + return command_usage("invalid --list-algs option"); + } + break; + } + + req = vici_begin("get-algorithms"); + res = vici_submit(req, conn); + if (!res) + { + ret = errno; + fprintf(stderr, "get-algorithms request failed: %s\n", strerror(errno)); + return ret; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "get-algorithms reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + else + { + if (vici_parse_cb(res, types, NULL, NULL, NULL) != 0) + { + fprintf(stderr, "parsing get-algorithms reply failed: %s\n", + strerror(errno)); + } + } + vici_free_res(res); + return 0; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + algorithms, 'g', "list-algs", "show loaded algorithms", + {"[--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/commands/list_certs.c b/src/swanctl/commands/list_certs.c index 167f8d848..e9c964771 100644 --- a/src/swanctl/commands/list_certs.c +++ b/src/swanctl/commands/list_certs.c @@ -24,13 +24,16 @@ #include #include #include -#include -#include -#include +#include #include #include "command.h" +/** + * Static certificate printer object + */ +static certificate_printer_t *cert_printer = NULL; + /** * Print PEM encoding of a certificate */ @@ -49,541 +52,99 @@ static void print_pem(certificate_t *cert) } } -/** - * Print public key information - */ -static void print_pubkey(public_key_t *key, bool has_privkey) -{ - chunk_t chunk; - - printf("pubkey: %N %d bits", key_type_names, key->get_type(key), - key->get_keysize(key)); - if (has_privkey) - { - printf(", has private key"); - } - printf("\n"); - if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) - { - printf("keyid: %#B\n", &chunk); - } - if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) - { - printf("subjkey: %#B\n", &chunk); - } -} - -/** - * Print X509 specific certificate information - */ -static void print_x509(x509_t *x509) +CALLBACK(list_cb, void, + command_format_options_t *format, char *name, vici_res_t *res) { - enumerator_t *enumerator; - identification_t *id; - traffic_selector_t *block; - chunk_t chunk; - bool first; - char *uri; - int len, explicit, inhibit; - x509_flag_t flags; - x509_cdp_t *cdp; - x509_cert_policy_t *policy; - x509_policy_mapping_t *mapping; - - chunk = chunk_skip_zero(x509->get_serial(x509)); - printf("serial: %#B\n", &chunk); - - first = TRUE; - enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("altNames: "); - first = FALSE; - } - else - { - printf(", "); - } - printf("%Y", id); - } - if (!first) - { - printf("\n"); - } - enumerator->destroy(enumerator); - - flags = x509->get_flags(x509); - printf("flags: "); - if (flags & X509_CA) - { - printf("CA "); - } - if (flags & X509_CRL_SIGN) - { - printf("CRLSign "); - } - if (flags & X509_AA) - { - printf("AA "); - } - if (flags & X509_OCSP_SIGNER) - { - printf("OCSP "); - } - if (flags & X509_AA) - { - printf("AA "); - } - if (flags & X509_SERVER_AUTH) - { - printf("serverAuth "); - } - if (flags & X509_CLIENT_AUTH) - { - printf("clientAuth "); - } - if (flags & X509_IKE_INTERMEDIATE) - { - printf("iKEIntermediate "); - } - if (flags & X509_SELF_SIGNED) - { - printf("self-signed "); - } - printf("\n"); - - first = TRUE; - enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &cdp)) - { - if (first) - { - printf("CRL URIs: %s", cdp->uri); - first = FALSE; - } - else - { - printf(" %s", cdp->uri); - } - if (cdp->issuer) - { - printf(" (CRL issuer: %Y)", cdp->issuer); - } - printf("\n"); - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_ocsp_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &uri)) - { - if (first) - { - printf("OCSP URIs: %s\n", uri); - first = FALSE; - } - else - { - printf(" %s\n", uri); - } - } - enumerator->destroy(enumerator); - - len = x509->get_constraint(x509, X509_PATH_LEN); - if (len != X509_NO_CONSTRAINT) - { - printf("pathlen: %d\n", len); - } - - first = TRUE; - enumerator = x509->create_name_constraint_enumerator(x509, TRUE); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("Permitted NameConstraints:\n"); - first = FALSE; - } - printf(" %Y\n", id); - } - enumerator->destroy(enumerator); - first = TRUE; - enumerator = x509->create_name_constraint_enumerator(x509, FALSE); - while (enumerator->enumerate(enumerator, &id)) - { - if (first) - { - printf("Excluded NameConstraints:\n"); - first = FALSE; - } - printf(" %Y\n", id); - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_cert_policy_enumerator(x509); - while (enumerator->enumerate(enumerator, &policy)) - { - char *oid; - - if (first) - { - printf("CertificatePolicies:\n"); - first = FALSE; - } - oid = asn1_oid_to_string(policy->oid); - if (oid) - { - printf(" %s\n", oid); - free(oid); - } - else - { - printf(" %#B\n", &policy->oid); - } - if (policy->cps_uri) - { - printf(" CPS: %s\n", policy->cps_uri); - } - if (policy->unotice_text) - { - printf(" Notice: %s\n", policy->unotice_text); - - } - } - enumerator->destroy(enumerator); - - first = TRUE; - enumerator = x509->create_policy_mapping_enumerator(x509); - while (enumerator->enumerate(enumerator, &mapping)) - { - char *issuer_oid, *subject_oid; - - if (first) - { - printf("PolicyMappings:\n"); - first = FALSE; - } - issuer_oid = asn1_oid_to_string(mapping->issuer); - subject_oid = asn1_oid_to_string(mapping->subject); - printf(" %s => %s\n", issuer_oid, subject_oid); - free(issuer_oid); - free(subject_oid); - } - enumerator->destroy(enumerator); - - explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); - inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); - len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + certificate_t *cert; + certificate_type_t type; + x509_flag_t flag = X509_NONE; + identification_t *subject = NULL; + time_t not_before = UNDEFINED_TIME; + time_t not_after = UNDEFINED_TIME; + chunk_t t_ch; + bool has_privkey; + char *str; + void *buf; + int len; - if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || - len != X509_NO_CONSTRAINT) + if (*format & COMMAND_FORMAT_RAW) { - printf("PolicyConstraints:\n"); - if (explicit != X509_NO_CONSTRAINT) - { - printf(" requireExplicitPolicy: %d\n", explicit); - } - if (inhibit != X509_NO_CONSTRAINT) - { - printf(" inhibitPolicyMapping: %d\n", inhibit); - } - if (len != X509_NO_CONSTRAINT) - { - printf(" inhibitAnyPolicy: %d\n", len); - } + vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY, + stdout); + return; } - chunk = x509->get_authKeyIdentifier(x509); - if (chunk.ptr) + buf = vici_find(res, &len, "data"); + if (!buf) { - printf("authkeyId: %#B\n", &chunk); + fprintf(stderr, "received incomplete certificate data\n"); + return; } + has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes"); - chunk = x509->get_subjectKeyIdentifier(x509); - if (chunk.ptr) + str = vici_find_str(res, "ANY", "type"); + if (!enum_from_name(certificate_type_names, str, &type) || type == CERT_ANY) { - printf("subjkeyId: %#B\n", &chunk); + fprintf(stderr, "unsupported certificate type '%s'\n", str); + return; } - if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + if (type == CERT_X509) { - first = TRUE; - printf("addresses: "); - enumerator = x509->create_ipAddrBlock_enumerator(x509); - while (enumerator->enumerate(enumerator, &block)) + str = vici_find_str(res, "ANY", "flag"); + if (!enum_from_name(x509_flag_names, str, &flag) || flag == X509_ANY) { - if (first) - { - first = FALSE; - } - else - { - printf(", "); - } - printf("%R", block); + fprintf(stderr, "unsupported certificate flag '%s'\n", str); + return; } - enumerator->destroy(enumerator); - printf("\n"); } -} - -/** - * Print CRL specific information - */ -static void print_crl(crl_t *crl) -{ - enumerator_t *enumerator; - time_t ts; - crl_reason_t reason; - chunk_t chunk; - int count = 0; - bool first; - char buf[64]; - struct tm tm; - x509_cdp_t *cdp; - - chunk = chunk_skip_zero(crl->get_serial(crl)); - printf("serial: %#B\n", &chunk); - - if (crl->is_delta_crl(crl, &chunk)) - { - chunk = chunk_skip_zero(chunk); - printf("delta CRL: for serial %#B\n", &chunk); - } - chunk = crl->get_authKeyIdentifier(crl); - printf("authKeyId: %#B\n", &chunk); - - first = TRUE; - enumerator = crl->create_delta_crl_uri_enumerator(crl); - while (enumerator->enumerate(enumerator, &cdp)) + if (type == CERT_TRUSTED_PUBKEY) { - if (first) + str = vici_find_str(res, NULL, "subject"); + if (str) { - printf("freshest: %s", cdp->uri); - first = FALSE; + subject = identification_create_from_string(str); } - else + str = vici_find_str(res, NULL, "not-before"); + if (str) { - printf(" %s", cdp->uri); + t_ch = chunk_from_str(str); + not_before = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME); } - if (cdp->issuer) + str = vici_find_str(res, NULL, "not-after"); + if (str) { - printf(" (CRL issuer: %Y)", cdp->issuer); + t_ch = chunk_from_str(str); + not_after = asn1_to_time(&t_ch, ASN1_GENERALIZEDTIME); } - printf("\n"); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, + BUILD_BLOB_ASN1_DER, chunk_create(buf, len), + BUILD_NOT_BEFORE_TIME, not_before, + BUILD_NOT_AFTER_TIME, not_after, + BUILD_SUBJECT, subject, BUILD_END); + DESTROY_IF(subject); } - enumerator->destroy(enumerator); - - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) - { - count++; - } - enumerator->destroy(enumerator); - - printf("%d revoked certificate%s%s\n", count, - count == 1 ? "" : "s", count ? ":" : ""); - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) - { - chunk = chunk_skip_zero(chunk); - localtime_r(&ts, &tm); - strftime(buf, sizeof(buf), "%F %T", &tm); - printf(" %#B: %s, %N\n", &chunk, buf, crl_reason_names, reason); - count++; - } - enumerator->destroy(enumerator); -} - -/** - * Print AC specific information - */ -static void print_ac(ac_t *ac) -{ - ac_group_type_t type; - identification_t *id; - enumerator_t *groups; - chunk_t chunk; - bool first = TRUE; - - chunk = chunk_skip_zero(ac->get_serial(ac)); - printf("serial: %#B\n", &chunk); - - id = ac->get_holderIssuer(ac); - if (id) - { - printf("hissuer: \"%Y\"\n", id); - } - chunk = chunk_skip_zero(ac->get_holderSerial(ac)); - if (chunk.ptr) + else { - printf("hserial: %#B\n", &chunk); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, + BUILD_BLOB_ASN1_DER, chunk_create(buf, len), + BUILD_END); } - groups = ac->create_group_enumerator(ac); - while (groups->enumerate(groups, &type, &chunk)) + if (cert) { - int oid; - char *str; - - if (first) + if (*format & COMMAND_FORMAT_PEM) { - printf("groups: "); - first = FALSE; + print_pem(cert); } else { - printf(" "); - } - switch (type) - { - case AC_GROUP_TYPE_STRING: - printf("%.*s", (int)chunk.len, chunk.ptr); - break; - case AC_GROUP_TYPE_OID: - oid = asn1_known_oid(chunk); - if (oid == OID_UNKNOWN) - { - str = asn1_oid_to_string(chunk); - if (str) - { - printf("%s", str); - free(str); - } - else - { - printf("OID:%#B", &chunk); - } - } - else - { - printf("%s", oid_names[oid].name); - } - break; - case AC_GROUP_TYPE_OCTETS: - printf("%#B", &chunk); - break; + cert_printer->print_caption(cert_printer, type, flag); + cert_printer->print(cert_printer, cert, has_privkey); } - printf("\n"); - } - groups->destroy(groups); - - chunk = ac->get_authKeyIdentifier(ac); - if (chunk.ptr) - { - printf("authkey: %#B\n", &chunk); - } -} - -/** - * Print certificate information - */ -static void print_cert(certificate_t *cert, bool has_privkey) -{ - time_t now, notAfter, notBefore; - public_key_t *key; - - now = time(NULL); - - printf("cert: %N\n", certificate_type_names, cert->get_type(cert)); - if (cert->get_type(cert) != CERT_X509_CRL) - { - printf("subject: \"%Y\"\n", cert->get_subject(cert)); - } - printf("issuer: \"%Y\"\n", cert->get_issuer(cert)); - - cert->get_validity(cert, &now, ¬Before, ¬After); - printf("validity: not before %T, ", ¬Before, FALSE); - if (now < notBefore) - { - printf("not valid yet (valid in %V)\n", &now, ¬Before); + cert->destroy(cert); } else { - printf("ok\n"); - } - printf(" not after %T, ", ¬After, FALSE); - if (now > notAfter) - { - printf("expired (%V ago)\n", &now, ¬After); - } - else - { - printf("ok (expires in %V)\n", &now, ¬After); - } - - switch (cert->get_type(cert)) - { - case CERT_X509: - print_x509((x509_t*)cert); - break; - case CERT_X509_CRL: - print_crl((crl_t*)cert); - break; - case CERT_X509_AC: - print_ac((ac_t*)cert); - break; - default: - fprintf(stderr, "parsing certificate subtype %N not implemented\n", - certificate_type_names, cert->get_type(cert)); - break; - } - key = cert->get_public_key(cert); - if (key) - { - print_pubkey(key, has_privkey); - key->destroy(key); - } - printf("\n"); -} - -CALLBACK(list_cb, void, - command_format_options_t *format, char *name, vici_res_t *res) -{ - if (*format & COMMAND_FORMAT_RAW) - { - vici_dump(res, "list-cert event", *format & COMMAND_FORMAT_PRETTY, - stdout); - } - else - { - certificate_type_t type; - certificate_t *cert; - void *buf; - int len; - bool has_privkey; - - buf = vici_find(res, &len, "data"); - has_privkey = streq(vici_find_str(res, "no", "has_privkey"), "yes"); - if (enum_from_name(certificate_type_names, - vici_find_str(res, "ANY", "type"), &type) && - type != CERT_ANY && buf) - { - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, - BUILD_BLOB_ASN1_DER, chunk_create(buf, len), - BUILD_END); - if (cert) - { - if (*format & COMMAND_FORMAT_PEM) - { - print_pem(cert); - } - else - { - print_cert(cert, has_privkey); - } - cert->destroy(cert); - } - else - { - fprintf(stderr, "parsing certificate failed\n"); - } - } - else - { - fprintf(stderr, "received incomplete certificate data\n"); - } + fprintf(stderr, "parsing certificate failed\n"); } } @@ -592,7 +153,8 @@ static int list_certs(vici_conn_t *conn) vici_req_t *req; vici_res_t *res; command_format_options_t format = COMMAND_FORMAT_NONE; - char *arg, *subject = NULL, *type = NULL; + char *arg, *subject = NULL, *type = NULL, *flag = NULL; + bool detailed = TRUE, utc = FALSE; int ret; while (TRUE) @@ -607,6 +169,9 @@ static int list_certs(vici_conn_t *conn) case 't': type = arg; continue; + case 'f': + flag = arg; + continue; case 'p': format |= COMMAND_FORMAT_PEM; continue; @@ -616,6 +181,12 @@ static int list_certs(vici_conn_t *conn) case 'r': format |= COMMAND_FORMAT_RAW; continue; + case 'S': + detailed = FALSE; + continue; + case 'U': + utc = TRUE; + continue; case EOF: break; default: @@ -631,19 +202,28 @@ static int list_certs(vici_conn_t *conn) return ret; } req = vici_begin("list-certs"); + if (type) { vici_add_key_valuef(req, "type", "%s", type); } + if (flag) + { + vici_add_key_valuef(req, "flag", "%s", flag); + } if (subject) { vici_add_key_valuef(req, "subject", "%s", subject); } + cert_printer = certificate_printer_create(stdout, detailed, utc); + res = vici_submit(req, conn); if (!res) { ret = errno; fprintf(stderr, "list-certs request failed: %s\n", strerror(errno)); + cert_printer->destroy(cert_printer); + cert_printer = NULL; return ret; } if (format & COMMAND_FORMAT_RAW) @@ -652,6 +232,9 @@ static int list_certs(vici_conn_t *conn) stdout); } vici_free_res(res); + + cert_printer->destroy(cert_printer); + cert_printer = NULL; return 0; } @@ -662,15 +245,19 @@ static void __attribute__ ((constructor))reg() { command_register((command_t) { list_certs, 'x', "list-certs", "list stored certificates", - {"[--subject ] [--type X509|X509_AC|X509_CRL] [--pem] " - "[--raw|--pretty]"}, + {"[--subject ] [--pem]", + "[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]", + "[--flag none|ca|aa|ocsp|any] [--raw|--pretty|--short|--utc]"}, { {"help", 'h', 0, "show usage information"}, {"subject", 's', 1, "filter by certificate subject"}, {"type", 't', 1, "filter by certificate type"}, + {"flag", 'f', 1, "filter by X.509 certificate flag"}, {"pem", 'p', 0, "print PEM encoding of certificate"}, {"raw", 'r', 0, "dump raw response message"}, {"pretty", 'P', 0, "dump raw response message in pretty print"}, + {"short", 'S', 0, "omit some certificate details"}, + {"utc", 'U', 0, "use UTC for time fields"}, } }); } diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c index 93dd7ed85..fd080227d 100644 --- a/src/swanctl/commands/list_sas.c +++ b/src/swanctl/commands/list_sas.c @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -198,16 +201,18 @@ CALLBACK(ike_sa, int, ike->get(ike, "state"), ike->get(ike, "version"), ike->get(ike, "initiator-spi"), ike->get(ike, "responder-spi")); - printf(" local '%s' @ %s", - ike->get(ike, "local-id"), ike->get(ike, "local-host")); + printf(" local '%s' @ %s[%s]", + ike->get(ike, "local-id"), ike->get(ike, "local-host"), + ike->get(ike, "local-port")); if (ike->get(ike, "local-vips")) { printf(" [%s]", ike->get(ike, "local-vips")); } printf("\n"); - printf(" remote '%s' @ %s", - ike->get(ike, "remote-id"), ike->get(ike, "remote-host")); + printf(" remote '%s' @ %s[%s]", + ike->get(ike, "remote-id"), ike->get(ike, "remote-host"), + ike->get(ike, "remote-port")); if (ike->get(ike, "remote-eap-id")) { printf(" EAP: '%s'", ike->get(ike, "remote-eap-id")); diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c index 6ee8b8785..bbc700d5c 100644 --- a/src/swanctl/commands/load_conns.c +++ b/src/swanctl/commands/load_conns.c @@ -59,6 +59,7 @@ static bool is_file_list_key(char *key) char *keys[] = { "certs", "cacerts", + "pubkeys" }; int i; @@ -112,12 +113,18 @@ static bool add_file_list_key(vici_req_t *req, char *key, char *value) SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token); token = buf; } - if (streq(key, "cacerts")) + else if (streq(key, "cacerts")) { snprintf(buf, sizeof(buf), "%s%s%s", SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token); token = buf; } + else if (streq(key, "pubkeys")) + { + snprintf(buf, sizeof(buf), "%s%s%s", + SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token); + token = buf; + } } map = chunk_map(token, FALSE); diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index d2ebc22eb..4647934f7 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -27,11 +30,14 @@ #include #include +#include + /** * Load a single certificate over vici */ static bool load_cert(vici_conn_t *conn, command_format_options_t format, - char *dir, char *type, chunk_t data) + char *dir, certificate_type_t type, x509_flag_t flag, + chunk_t data) { vici_req_t *req; vici_res_t *res; @@ -39,7 +45,11 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format, req = vici_begin("load-cert"); - vici_add_key_valuef(req, "type", "%s", type); + vici_add_key_valuef(req, "type", "%N", certificate_type_names, type); + if (type == CERT_X509) + { + vici_add_key_valuef(req, "flag", "%N", x509_flag_names, flag); + } vici_add_key_value(req, "data", data.ptr, data.len); res = vici_submit(req, conn); @@ -61,7 +71,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format, } else { - printf("loaded %s certificate from '%s'\n", type, dir); + printf("loaded certificate from '%s'\n", dir); } vici_free_res(res); return ret; @@ -71,13 +81,17 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format, * Load certficiates from a directory */ static void load_certs(vici_conn_t *conn, command_format_options_t format, - char *type, char *dir) + char *type_str, char *dir) { enumerator_t *enumerator; + certificate_type_t type; + x509_flag_t flag; struct stat st; chunk_t *map; char *path; + vici_cert_info_from_str(type_str, &type, &flag); + enumerator = enumerator_create_directory(dir); if (enumerator) { @@ -88,7 +102,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format, map = chunk_map(path, FALSE); if (map) { - load_cert(conn, format, path, type, *map); + load_cert(conn, format, path, type, flag, *map); chunk_unmap(map); } else @@ -171,6 +185,9 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format, case KEY_ECDSA: loaded = load_key(conn, format, path, "ecdsa", encoding); break; + case KEY_BLISS: + loaded = load_key(conn, format, path, "bliss", encoding); + break; default: fprintf(stderr, "unsupported key type in '%s'\n", path); break; @@ -237,6 +254,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype, { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, }, { "rsa", CRED_PRIVATE_KEY, KEY_RSA, }, { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, }, + { "bliss", CRED_PRIVATE_KEY, KEY_BLISS, }, { "pkcs12", CRED_CONTAINER, CONTAINER_PKCS12, }, }; int i; @@ -439,7 +457,8 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format, loaded = FALSE; if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) { - loaded = load_cert(conn, format, path, "x509", encoding); + loaded = load_cert(conn, format, path, CERT_X509, X509_NONE, + encoding); if (loaded) { fprintf(stderr, " %Y\n", cert->get_subject(cert)); @@ -548,6 +567,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg, "ike", "rsa", "ecdsa", + "bliss", "pkcs8", "pkcs12", }; @@ -672,14 +692,17 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format, } } - load_certs(conn, format, "x509", SWANCTL_X509DIR); - load_certs(conn, format, "x509ca", SWANCTL_X509CADIR); - load_certs(conn, format, "x509aa", SWANCTL_X509AADIR); - load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR); - load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR); + load_certs(conn, format, "x509", SWANCTL_X509DIR); + load_certs(conn, format, "x509ca", SWANCTL_X509CADIR); + load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR); + load_certs(conn, format, "x509aa", SWANCTL_X509AADIR); + load_certs(conn, format, "x509ac", SWANCTL_X509ACDIR); + load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR); + load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR); - load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); + load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); + load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR); load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR); diff --git a/src/swanctl/commands/redirect.c b/src/swanctl/commands/redirect.c new file mode 100644 index 000000000..6edb936e6 --- /dev/null +++ b/src/swanctl/commands/redirect.c @@ -0,0 +1,132 @@ +/* + * Copyright (C) 2015 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "command.h" + +#include + +static int redirect(vici_conn_t *conn) +{ + vici_req_t *req; + vici_res_t *res; + command_format_options_t format = COMMAND_FORMAT_NONE; + char *arg, *peer_ip = NULL, *peer_id = NULL, *ike = NULL, *gateway = NULL; + int ret = 0, ike_id = 0; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case 'i': + ike = arg; + continue; + case 'I': + ike_id = atoi(arg); + continue; + case 'p': + peer_ip = arg; + continue; + case 'd': + peer_id = arg; + continue; + case 'g': + gateway = arg; + continue; + case EOF: + break; + default: + return command_usage("invalid --redirect option"); + } + break; + } + req = vici_begin("redirect"); + if (ike) + { + vici_add_key_valuef(req, "ike", "%s", ike); + } + if (ike_id) + { + vici_add_key_valuef(req, "ike-id", "%d", ike_id); + } + if (peer_ip) + { + vici_add_key_valuef(req, "peer-ip", "%s", peer_ip); + } + if (peer_id) + { + vici_add_key_valuef(req, "peer-id", "%s", peer_id); + } + if (gateway) + { + vici_add_key_valuef(req, "gateway", "%s", gateway); + } + res = vici_submit(req, conn); + if (!res) + { + ret = errno; + fprintf(stderr, "redirect request failed: %s\n", strerror(errno)); + return ret; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "redirect reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + else + { + if (streq(vici_find_str(res, "no", "success"), "yes")) + { + printf("redirect completed successfully\n"); + } + else + { + fprintf(stderr, "redirect failed: %s\n", + vici_find_str(res, "", "errmsg")); + ret = 1; + } + } + vici_free_res(res); + return ret; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + redirect, 'd', "redirect", "redirect an IKE_SA", + {"--ike | --ike-id | --peer-ip ", + "--peer-id | --gateway [--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"ike", 'i', 1, "redirect by IKE_SA name"}, + {"ike-id", 'I', 1, "redirect by IKE_SA unique identifier"}, + {"peer-ip", 'p', 1, "redirect by client IP"}, + {"peer-id", 'd', 1, "redirect by IKE_SA name"}, + {"gateway", 'g', 1, "target gateway (IP or FQDN)"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/commands/stats.c b/src/swanctl/commands/stats.c index a28ca83ba..e734c66ff 100644 --- a/src/swanctl/commands/stats.c +++ b/src/swanctl/commands/stats.c @@ -15,8 +15,17 @@ #include "command.h" +#include + #include +CALLBACK(list, int, + hashtable_t *sa, vici_res_t *res, char *name, void *value, int len) +{ + printf(" %.*s", len, value); + return 0; +} + static int stats(vici_conn_t *conn) { vici_req_t *req; @@ -98,6 +107,9 @@ static int stats(vici_conn_t *conn) vici_find_str(res, "", "mallinfo.used"), vici_find_str(res, "", "mallinfo.free")); } + printf("loaded plugins:"); + vici_parse_cb(res, NULL, NULL, list, NULL); + printf("\n"); } vici_free_res(res); return 0; diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in index cd033f91e..a3074601e 100644 --- a/src/swanctl/swanctl.8.in +++ b/src/swanctl/swanctl.8.in @@ -1,4 +1,4 @@ -.TH SWANCTL 8 "2014-04-28" "@PACKAGE_VERSION@" "strongSwan" +.TH SWANCTL 8 "2015-11-20" "@PACKAGE_VERSION@" "strongSwan" .SH NAME swanctl \- strongSwan configuration, control and monitoring command line interface. .SH SYNOPSIS @@ -41,6 +41,10 @@ initiate a connection \-\-terminate\fR terminate a connection .TP +.B "\-d, \-\-redirect" +\-\-redirect\fR +redirect an IKE_SA +.TP .B "\-p, \-\-install" install a trap or shunt policy .TP @@ -68,6 +72,9 @@ list stored certificates .B "\-A, \-\-list\-pools" list loaded pool configurations .TP +.B "\-g, \-\-list\-algs" +list loaded algorithms and their implementation +.TP .B "\-q, \-\-load\-all" (re\-)load credentials, pools, authorities and connections .TP diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index c480ce174..428be91e7 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -13,7 +13,7 @@ # Remote address(es) to use for IKE communication, comma separated. # remote_addrs = %any - # Local UPD port for IKE communication. + # Local UDP port for IKE communication. # local_port = 500 # Remote UDP port for IKE communication. @@ -43,7 +43,7 @@ # Timeout for DPD checks (IKEV1 only). # dpd_timeout = 0s - # Use IKEv1 UDP packet fragmentation (yes, no or force). + # Use IKE UDP datagram fragmentation. (yes, no or force). # fragmentation = no # Send certificate requests payloads (yes or no). @@ -76,10 +76,19 @@ # Section for a local authentication round. # local { + # Optional numeric identifier by which authentication rounds are + # sorted. If not specified rounds are ordered by their position in + # the config file/VICI message. + # round = 0 + # Comma separated list of certificate candidates to use for # authentication. # certs = + # Comma separated list of raw public key candidates to use for + # authentication. + # pubkeys = + # Authentication to perform locally (pubkey, psk, xauth[-backend] or # eap[-method]). # auth = pubkey @@ -102,6 +111,11 @@ # Section for a remote authentication round. # remote { + # Optional numeric identifier by which authentication rounds are + # sorted. If not specified rounds are ordered by their position in + # the config file/VICI message. + # round = 0 + # IKE identity to expect for authentication round. # id = %any @@ -115,6 +129,10 @@ # authentication. # cacerts = + # Comma separated list of raw public keys to accept for + # authentication. + # pubkeys = + # Certificate revocation policy, (strict, ifuri or relaxed). # revocation = relaxed diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 6e3842d8a..a5b2a731f 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -49,7 +49,7 @@ specified. .TP .BR connections..local_port " [500]" -Local UPD port for IKE communication. By default the port of the socket backend +Local UDP port for IKE communication. By default the port of the socket backend is used, which is usually .RI "" "500" "." If port @@ -62,7 +62,7 @@ use (socket\-dynamic). .TP .BR connections..remote_port " [500]" -Remote UPD port for IKE communication. If the default of port +Remote UDP port for IKE communication. If the default of port .RI "" "500" "" is used, automatic IKE port floating to port 4500 is used to work around NAT issues. @@ -152,17 +152,21 @@ option has no effect on connections using IKE2. .TP .BR connections..fragmentation " [no]" -The default of +Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 +fragmentation). Acceptable values are +.RI "" "yes" "," +.RI "" "force" "" +and .RI "" "no" "" -disables IKEv1 fragmentation mechanism, -.RI "" "yes" "" -enables it if -support has been indicated by the peer. +(the default). +Fragmented IKE messages sent by a peer are always accepted irrespective of the +value of this option. If set to +.RI "" "yes" "," +and the peer supports it, oversized IKE +messages will be sent in fragments. If set to .RI "" "force" "" -enforces fragmentation if -required even before the peer had a chance to indicate support for it. - -IKE fragmentation is currently not supported with IKEv2. +(only supported for +IKEv1) the initial IKE message will already be fragmented if required. .TP .BR connections..send_certreq " [yes]" @@ -310,19 +314,36 @@ as prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted. +.TP +.BR connections..local.round " [0]" +Optional numeric identifier by which authentication rounds are sorted. If not +specified rounds are ordered by their position in the config file/VICI message. + .TP .BR connections..local.certs " []" Comma separated list of certificate candidates to use for authentication. The certificates may use a relative path from the .RB "" "swanctl" "" .RI "" "x509" "" -directory, or -an absolute path. +directory or an +absolute path. The certificate used for authentication is selected based on the received certificate request payloads. If no appropriate CA can be located, the first certificate is used. +.TP +.BR connections..local.pubkeys " []" +Comma separated list of raw public key candidates to use for authentication. The +public keys may use a relative path from the +.RB "" "swanctl" "" +.RI "" "pubkey" "" +directory or +an absolute path. + +Even though multiple local public keys could be defined in principle, only the +first public key in the list is used for authentication. + .TP .BR connections..local.auth " [pubkey]" Authentication to perform locally. @@ -362,6 +383,31 @@ a specific EAP method name may be appended, separated by a dash. An EAP module implementing the appropriate method is selected to perform the EAP conversation. +If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific +hash algorithms to be used during IKEv2 authentication may be configured. To do +so use +.RI "" "ike:" "" +followed by a trust chain signature scheme constraint (see +description of the +.RB "" "remote" "" +section's +.RB "" "auth" "" +keyword). For example, with +.RI "" "ike:pubkey\-sha384\-sha256" "" +a public key signature scheme with either SHA\-384 or +SHA\-256 would get used for authentication, in that order and depending on the +hash algorithms supported by the peer. If no specific hash algorithms are +configured, the default is to prefer an algorithm that matches or exceeds the +strength of the signature key. If no constraints with +.RI "" "ike:" "" +prefix are +configured any signature scheme constraint (without +.RI "" "ike:" "" +prefix) will also +apply to IKEv2 authentication, unless this is disabled in +.RB "" "strongswan.conf" "(5)." + + .TP .BR connections..local.id " []" IKE identity to use for authentication round. When using certificate @@ -431,6 +477,11 @@ as prefix, and an optional unique suffix. To define a single authentication round, the suffix may be omitted. +.TP +.BR connections..remote.round " [0]" +Optional numeric identifier by which authentication rounds are sorted. If not +specified rounds are ordered by their position in the config file/VICI message. + .TP .BR connections..remote.id " [%any]" IKE identity to expect for authentication round. Refer to the @@ -451,8 +502,8 @@ Comma separated list of certificates to accept for authentication. The certificates may use a relative path from the .RB "" "swanctl" "" .RI "" "x509" "" -directory, or -an absolute path. +directory or an +absolute path. .TP .BR connections..remote.cacerts " []" @@ -460,9 +511,18 @@ Comma separated list of CA certificates to accept for authentication. The certificates may use a relative path from the .RB "" "swanctl" "" .RI "" "x509ca" "" -directory, or +directory or an absolute path. +.TP +.BR connections..remote.pubkeys " []" +Comma separated list of raw public keys to accept for authentication. The public +keys may use a relative path from the +.RB "" "swanctl" "" +.RI "" "x509" "" +directory or an +absolute path. + .TP .BR connections..remote.revocation " [relaxed]" Certificate revocation policy for CRL or OCSP revocation. @@ -486,10 +546,40 @@ i.e. it is explicitly known that it is bad. .BR connections..remote.auth " [pubkey]" Authentication to expect from remote. See the .RB "" "local" "" -sections +section's .RB "" "auth" "" keyword description about the details of supported mechanisms. +To require a trustchain public key strength for the remote side, specify the key +type followed by the minimum strength in bits (for example +.RI "" "ecdsa\-384" "" +or +.RI "" "rsa\-2048\-ecdsa\-256" ")." +To limit the acceptable set of hashing algorithms for +trustchain validation, append hash algorithms to +.RI "" "pubkey" "" +or a key strength +definition (for example +.RI "" "pubkey\-sha1\-sha256" "" +or +.RI "" "rsa\-2048\-ecdsa\-256\-sha256\-sha384\-sha512" ")." +Unless disabled in +.RB "" "strongswan.conf" "(5)," +or explicit IKEv2 signature constraints are configured +(refer to the description of the +.RB "" "local" "" +section's +.RB "" "auth" "" +keyword for +details), such key types and hash algorithms are also applied as constraints +against IKEv2 signature authentication schemes used by the remote side. + +To specify trust chain constraints for EAP\-(T)TLS, append a colon to the EAP +method, followed by the key type/size and hash algorithm as discussed above +(e.g. +.RI "" "eap\-tls:ecdsa\-384\-sha384" ")." + + .TP .B connections..children. .br @@ -722,8 +812,8 @@ is negotiated if the preferred mode is not available. .RI "" "pass" "" and .RI "" "drop" "" -are used to install shunt policies, which explicitly bypass -the defined traffic from IPsec processing, or drop it, respectively. +are used to install shunt policies which explicitly bypass the +defined traffic from IPsec processing or drop it, respectively. .TP .BR connections..children..policies " [yes]" @@ -856,7 +946,7 @@ which defines the secret type. It is not recommended to define any private key decryption passphrases, as then there is no real security benefit in having encrypted keys. Either store the key -unencrypted, or enter the keys manually when loading credentials. +unencrypted or enter the keys manually when loading credentials. .TP .B secrets.eap @@ -872,7 +962,7 @@ as well. Value of the EAP/XAuth secret. It may either be an ASCII string, a hex encoded string if it has a .RI "" "0x" "" -prefix, or a Base64 encoded string if it has a +prefix or a Base64 encoded string if it has a .RI "" "0s" "" prefix in its value. @@ -907,7 +997,7 @@ prefix. Value of the IKE preshared secret. It may either be an ASCII string, a hex encoded string if it has a .RI "" "0x" "" -prefix, or a Base64 encoded string if it has a +prefix or a Base64 encoded string if it has a .RI "" "0s" "" prefix in its value. @@ -1003,7 +1093,7 @@ Section defining a single pool with a unique name. .TP .BR pools..addrs " []" Subnet or range defining addresses allocated in pool. Accepts a single CIDR -subnet defining the pool to allocate addresses from, or an address range +subnet defining the pool to allocate addresses from or an address range (\-). Pools must be unique and non\-overlapping. .TP @@ -1042,7 +1132,8 @@ Section defining a certification authority with a unique name. The certificates may use a relative path from the .RB "" "swanctl" "" .RI "" "x509ca" "" -directory, or an absolute path. +directory +or an absolute path. .TP .BR authorities..crl_uris " []" diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h index cb570cd34..560e89513 100644 --- a/src/swanctl/swanctl.h +++ b/src/swanctl/swanctl.h @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -41,6 +44,11 @@ */ #define SWANCTL_X509AADIR SWANCTLDIR "/x509aa" +/** + * Directory for X.509 OCSP Signer certs + */ +#define SWANCTL_X509OCSPDIR SWANCTLDIR "/x509ocsp" + /** * Directory for X.509 CRLs */ @@ -51,6 +59,11 @@ */ #define SWANCTL_X509ACDIR SWANCTLDIR "/x509ac" +/** + * Directory for raw public keys + */ +#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey" + /** * Directory for RSA private keys */ @@ -61,6 +74,11 @@ */ #define SWANCTL_ECDSADIR SWANCTLDIR "/ecdsa" +/** + * Directory for BLISS private keys + */ +#define SWANCTL_BLISSDIR SWANCTLDIR "/bliss" + /** * Directory for PKCS#8 encoded private keys */ diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index ef38d5d86..145fab28d 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -42,9 +42,9 @@ connections..remote_addrs = %any be specified. connections..local_port = 500 - Local UPD port for IKE communication. + Local UDP port for IKE communication. - Local UPD port for IKE communication. By default the port of the socket + Local UDP port for IKE communication. By default the port of the socket backend is used, which is usually _500_. If port _500_ is used, automatic IKE port floating to port 4500 is used to work around NAT issues. @@ -54,7 +54,7 @@ connections..local_port = 500 connections..remote_port = 500 Remote UDP port for IKE communication. - Remote UPD port for IKE communication. If the default of port _500_ is used, + Remote UDP port for IKE communication. If the default of port _500_ is used, automatic IKE port floating to port 4500 is used to work around NAT issues. connections..proposals = default @@ -140,14 +140,15 @@ connections..dpd_timeout = 0s specified; this option has no effect on connections using IKE2. connections..fragmentation = no - Use IKEv1 UDP packet fragmentation (_yes_, _no_ or _force_). + Use IKE UDP datagram fragmentation. (_yes_, _no_ or _force_). - The default of _no_ disables IKEv1 fragmentation mechanism, _yes_ enables - it if support has been indicated by the peer. _force_ enforces - fragmentation if required even before the peer had a chance to indicate - support for it. - - IKE fragmentation is currently not supported with IKEv2. + Use IKE fragmentation (proprietary IKEv1 extension or RFC 7383 IKEv2 + fragmentation). Acceptable values are _yes_, _force_ and _no_ (the + default). Fragmented IKE messages sent by a peer are always accepted + irrespective of the value of this option. If set to _yes_, and the peer + supports it, oversized IKE messages will be sent in fragments. If set to + _force_ (only supported for IKEv1) the initial IKE message will already + be fragmented if required. connections..send_certreq = yes Send certificate requests payloads (_yes_ or _no_). @@ -267,17 +268,32 @@ connections..local {} unique suffix. To define a single authentication round, the suffix may be omitted. +connections..local.round = 0 + Optional numeric identifier by which authentication rounds are sorted. If + not specified rounds are ordered by their position in the config file/VICI + message. + connections..local.certs = Comma separated list of certificate candidates to use for authentication. Comma separated list of certificate candidates to use for authentication. The certificates may use a relative path from the **swanctl** _x509_ - directory, or an absolute path. + directory or an absolute path. The certificate used for authentication is selected based on the received certificate request payloads. If no appropriate CA can be located, the first certificate is used. +connections..local.pubkeys = + Comma separated list of raw public key candidates to use for authentication. + + Comma separated list of raw public key candidates to use for authentication. + The public keys may use a relative path from the **swanctl** _pubkey_ + directory or an absolute path. + + Even though multiple local public keys could be defined in principle, only + the first public key in the list is used for authentication. + connections..local.auth = pubkey Authentication to perform locally (_pubkey_, _psk_, _xauth[-backend]_ or _eap[-method]_). @@ -298,6 +314,19 @@ connections..local.auth = pubkey An EAP module implementing the appropriate method is selected to perform the EAP conversation. + If both peers support RFC 7427 ("Signature Authentication in IKEv2") + specific hash algorithms to be used during IKEv2 authentication may be + configured. To do so use _ike:_ followed by a trust chain signature scheme + constraint (see description of the **remote** section's **auth** keyword). + For example, with _ike:pubkey-sha384-sha256_ a public key signature scheme + with either SHA-384 or SHA-256 would get used for authentication, in that + order and depending on the hash algorithms supported by the peer. If no + specific hash algorithms are configured, the default is to prefer an + algorithm that matches or exceeds the strength of the signature key. + If no constraints with _ike:_ prefix are configured any signature scheme + constraint (without _ike:_ prefix) will also apply to IKEv2 authentication, + unless this is disabled in **strongswan.conf**(5). + connections..local.id = IKE identity to use for authentication round. @@ -350,6 +379,11 @@ connections..remote {} optional unique suffix. To define a single authentication round, the suffix may be omitted. +connections..remote.round = 0 + Optional numeric identifier by which authentication rounds are sorted. If + not specified rounds are ordered by their position in the config file/VICI + message. + connections..remote.id = %any IKE identity to expect for authentication round. @@ -369,14 +403,21 @@ connections..remote.certs = Comma separated list of certificates to accept for authentication. The certificates may use a relative path from the **swanctl** _x509_ - directory, or an absolute path. + directory or an absolute path. connections..remote.cacerts = Comma separated list of CA certificates to accept for authentication. Comma separated list of CA certificates to accept for authentication. The certificates may use a relative path from the **swanctl** _x509ca_ - directory, or an absolute path. + directory or an absolute path. + +connections..remote.pubkeys = + Comma separated list of raw public keys to accept for authentication. + + Comma separated list of raw public keys to accept for authentication. + The public keys may use a relative path from the **swanctl** _x509_ + directory or an absolute path. connections..remote.revocation = relaxed Certificate revocation policy, (_strict_, _ifuri_ or _relaxed_). @@ -397,9 +438,25 @@ connections..remote.auth = pubkey Authentication to expect from remote (_pubkey_, _psk_, _xauth[-backend]_ or _eap[-method]_). - Authentication to expect from remote. See the **local** sections **auth** + Authentication to expect from remote. See the **local** section's **auth** keyword description about the details of supported mechanisms. + To require a trustchain public key strength for the remote side, specify the + key type followed by the minimum strength in bits (for example _ecdsa-384_ + or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms + for trustchain validation, append hash algorithms to _pubkey_ or a key + strength definition (for example _pubkey-sha1-sha256_ or + _rsa-2048-ecdsa-256-sha256-sha384-sha512_). + Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature + constraints are configured (refer to the description of the **local** + section's **auth** keyword for details), such key types and hash algorithms + are also applied as constraints against IKEv2 signature authentication + schemes used by the remote side. + + To specify trust chain constraints for EAP-(T)TLS, append a colon to the + EAP method, followed by the key type/size and hash algorithm as discussed + above (e.g. _eap-tls:ecdsa-384-sha384_). + connections..children. {} CHILD_SA configuration sub-section. @@ -586,8 +643,8 @@ connections..children..mode = tunnel Both _transport_ and _beet_ modes are subject to mode negotiation; _tunnel_ mode is negotiated if the preferred mode is not available. - _pass_ and _drop_ are used to install shunt policies, which explicitly - bypass the defined traffic from IPsec processing, or drop it, respectively. + _pass_ and _drop_ are used to install shunt policies which explicitly + bypass the defined traffic from IPsec processing or drop it, respectively. connections..children..policies = yes Whether to install IPsec policies or not. @@ -703,7 +760,7 @@ secrets { # } It is not recommended to define any private key decryption passphrases, as then there is no real security benefit in having encrypted keys. Either - store the key unencrypted, or enter the keys manually when loading + store the key unencrypted or enter the keys manually when loading credentials. secrets.eap { # } @@ -724,7 +781,7 @@ secrets.eap.secret = Value of the EAP/XAuth secret. Value of the EAP/XAuth secret. It may either be an ASCII string, a hex - encoded string if it has a _0x_ prefix, or a Base64 encoded string if it + encoded string if it has a _0x_ prefix or a Base64 encoded string if it has a _0s_ prefix in its value. secrets.eap.id = @@ -744,7 +801,7 @@ secrets.ike.secret = Value of the IKE preshared secret. Value of the IKE preshared secret. It may either be an ASCII string, - a hex encoded string if it has a _0x_ prefix, or a Base64 encoded string if + a hex encoded string if it has a _0x_ prefix or a Base64 encoded string if it has a _0s_ prefix in its value. secrets.ike.id = @@ -804,7 +861,7 @@ pools..addrs = Addresses allocated in pool. Subnet or range defining addresses allocated in pool. Accepts a single CIDR - subnet defining the pool to allocate addresses from, or an address range + subnet defining the pool to allocate addresses from or an address range (-). Pools must be unique and non-overlapping. pools.. = @@ -827,7 +884,7 @@ authorities..cacert = CA certificate belonging to the certification authority. The certificates may use a relative path from the **swanctl** _x509ca_ - directory, or an absolute path. + directory or an absolute path. authorities..crl_uris = Comma-separated list of CRL distribution points -- cgit v1.2.3