From 5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Thu, 22 Oct 2015 11:43:58 +0200
Subject: Imported Upstream version 5.3.3
---
 src/swanctl/Makefile.am | 4 +-
 src/swanctl/Makefile.in | 12 +-
 src/swanctl/command.c | 2 +-
 src/swanctl/command.h | 2 +-
 src/swanctl/commands/list_authorities.c | 169 +++++++++++++++
 src/swanctl/commands/list_certs.c | 5 +-
 src/swanctl/commands/load_all.c | 8 +-
 src/swanctl/commands/load_authorities.c | 365 ++++++++++++++++++++++++++++++++
 src/swanctl/commands/load_authorities.h | 26 +++
 src/swanctl/swanctl.8.in | 8 +-
 src/swanctl/swanctl.conf | 25 +++
 src/swanctl/swanctl.conf.5.main | 37 ++++
 src/swanctl/swanctl.opt | 38 ++++
 13 files changed, 694 insertions(+), 7 deletions(-)
 create mode 100644 src/swanctl/commands/list_authorities.c
 create mode 100644 src/swanctl/commands/load_authorities.c
 create mode 100644 src/swanctl/commands/load_authorities.h
(limited to 'src/swanctl')
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index f4f9fdf7e..703e5746a 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -7,10 +7,12 @@ swanctl_SOURCES = \
 commands/install.c \
 commands/list_sas.c \
 commands/list_pols.c \
+ commands/list_authorities.c \
 commands/list_conns.c \
 commands/list_certs.c \
 commands/list_pools.c \
 commands/load_all.c \
+ commands/load_authorities.h commands/load_authorities.c \
 commands/load_conns.c commands/load_conns.h \
 commands/load_creds.c commands/load_creds.h \
 commands/load_pools.c commands/load_pools.h \
@@ -46,7 +48,7 @@ CLEANFILES = $(man_MANS)
 swanctl.conf.5.main: swanctl.opt
 $(AM_V_GEN) \
- $(PYTHON) $(top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $(srcdir)/$@
+ cd $(srcdir) && $(PYTHON) $(abs_top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $@
 swanctl.conf.5: swanctl.conf.5.head swanctl.conf.5.main swanctl.conf.5.tail
 $(AM_V_GEN) \
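Review bot: The rewritten recipe for `swanctl.conf.5.main` still redirects the generator's stdout straight into the target, so when `format-options.py` exits non-zero a truncated `swanctl.conf.5.main` is left in `$(srcdir)` with a fresh mtime and the next `make` treats it as up to date; the `swanctl.conf.5` rule visible at the end of the hunk then concatenates the broken fragment. Write to a temporary name and rename only on success, `cd $(srcdir) && $(PYTHON) $(abs_top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $@.tmp && mv -f $@.tmp $@`, or add `.DELETE_ON_ERROR:` to the file so make removes the half-written target itself. The generated Makefile.in carries the same recipe and would pick the fix up from Makefile.am. The `swanctl.conf.5` rule continues past the end of this hunk.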
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in index f981bb1f3..a4d853cb1 100644 --- a/src/swanctl/Makefile.in +++ b/src/swanctl/Makefile.in @@ -107,8 +107,10 @@ am__dirstamp = $(am__leading_dot)dirstamp am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \ commands/terminate.$(OBJEXT) commands/install.$(OBJEXT) \ commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \ + commands/list_authorities.$(OBJEXT) \ commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \ commands/list_pools.$(OBJEXT) commands/load_all.$(OBJEXT) \ + commands/load_authorities.$(OBJEXT) \ commands/load_conns.$(OBJEXT) commands/load_creds.$(OBJEXT) \ commands/load_pools.$(OBJEXT) commands/log.$(OBJEXT) \ commands/version.$(OBJEXT) commands/stats.$(OBJEXT) \ @@ -445,10 +447,12 @@ swanctl_SOURCES = \ commands/install.c \ commands/list_sas.c \ commands/list_pols.c \ + commands/list_authorities.c \ commands/list_conns.c \ commands/list_certs.c \ commands/list_pools.c \ commands/load_all.c \ + commands/load_authorities.h commands/load_authorities.c \ commands/load_conns.c commands/load_conns.h \ commands/load_creds.c commands/load_creds.h \ commands/load_pools.c commands/load_pools.h \ @@ -581,6 +585,8 @@ commands/list_sas.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/list_pols.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/list_authorities.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/list_conns.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/list_certs.$(OBJEXT): commands/$(am__dirstamp) \ 
@@ -589,6 +595,8 @@ commands/list_pools.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/load_all.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) +commands/load_authorities.$(OBJEXT): commands/$(am__dirstamp) \ + commands/$(DEPDIR)/$(am__dirstamp) commands/load_conns.$(OBJEXT): commands/$(am__dirstamp) \ commands/$(DEPDIR)/$(am__dirstamp) commands/load_creds.$(OBJEXT): commands/$(am__dirstamp) \ @@ -619,12 +627,14 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/swanctl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/initiate.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/install.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_authorities.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_certs.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_conns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_pols.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_pools.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/list_sas.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_all.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_authorities.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_conns.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_creds.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/load_pools.Po@am__quote@ 
@@ -977,7 +987,7 @@ swanctl.o : $(top_builddir)/config.status
 swanctl.conf.5.main: swanctl.opt
 $(AM_V_GEN) \
- $(PYTHON) $(top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $(srcdir)/$@
+ cd $(srcdir) && $(PYTHON) $(abs_top_srcdir)/conf/format-options.py -n -f man swanctl.opt > $@
 swanctl.conf.5: swanctl.conf.5.head swanctl.conf.5.main swanctl.conf.5.tail
 $(AM_V_GEN) \
diff --git a/src/swanctl/command.c b/src/swanctl/command.c
index 03cd8b959..26c41346c 100644
--- a/src/swanctl/command.c
+++ b/src/swanctl/command.c
@@ -211,7 +211,7 @@ int command_usage(char *error, ...)
 {
 for (i = 0; i < MAX_COMMANDS && cmds[i].cmd; i++)
 {
- fprintf(out, " swanctl --%-15s (-%c) %s\n",
+ fprintf(out, " swanctl --%-16s (-%c) %s\n",
 cmds[i].cmd, cmds[i].op, cmds[i].description);
 }
 }
diff --git a/src/swanctl/command.h b/src/swanctl/command.h
index ffc319085..0760d1384 100644
--- a/src/swanctl/command.h
+++ b/src/swanctl/command.h
@@ -27,7 +27,7 @@
 /**
 * Maximum number of commands (+1).
 */
-#define MAX_COMMANDS 19
+#define MAX_COMMANDS 21
 /**
 * Maximum number of options in a command (+3)
diff --git a/src/swanctl/commands/list_authorities.c b/src/swanctl/commands/list_authorities.c
new file mode 100644
index 000000000..8bff6f95d
--- /dev/null
+++ b/src/swanctl/commands/list_authorities.c
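Review bot: The comment above `MAX_COMMANDS` still reads only `Maximum number of commands (+1)` and says nothing about the value having to be raised every time a new commands/*.c file registers itself through `command_register()`, which is why it moves from 19 to 21 here for the two new commands. It also does not mention the coupled usage-column width in command.c, which this commit widens from `%-15s` to `%-16s` because `list-authorities` and `load-authorities` are sixteen characters long. A comment such as `/* Maximum number of commands (+1); bump when adding a commands/*.c file and keep the column width in command_usage() wide enough for the longest command name */` would make both couplings explicit for the next addition.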
@@ -0,0 +1,169 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include +#include + +#include "command.h" + +#define LABELED_CRL_URI (1 << 0) +#define LABELED_OCSP_URI (1 << 1) + +CALLBACK(authority_kv, int, + void *null, vici_res_t *res, char *name, void *value, int len) +{ + chunk_t chunk; + + chunk = chunk_create(value, len); + if (chunk_printable(chunk, NULL, ' ')) + { + printf(" %s: %.*s\n", name, len, value); + } + + return 0; +} + + +CALLBACK(authority_list, int, + int *labeled, vici_res_t *res, char *name, void *value, int len) +{ + chunk_t chunk; + + chunk = chunk_create(value, len); + if (chunk_printable(chunk, NULL, ' ')) + { + if (streq(name, "crl_uris")) + { + printf(" %s %.*s\n", + (*labeled & LABELED_CRL_URI) ? " " : "crl_uris: ", + len, value); + *labeled |= LABELED_CRL_URI; + } + if (streq(name, "ocsp_uris")) + { + printf(" %s %.*s\n", + (*labeled & LABELED_OCSP_URI) ? 
" " : "ocsp_uris:", + len, value); + *labeled %= LABELED_OCSP_URI; + } + } + return 0; +} + +CALLBACK(authorities, int, + void *null, vici_res_t *res, char *name) +{ + int labeled = 0; + + printf("%s:\n", name); + + return vici_parse_cb(res, NULL, authority_kv, authority_list, &labeled); +} + +CALLBACK(list_cb, void, + command_format_options_t *format, char *name, vici_res_t *res) +{ + if (*format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "list-authorities event", *format & COMMAND_FORMAT_PRETTY, + stdout); + } + else + { + if (vici_parse_cb(res, authorities, NULL, NULL, NULL) != 0) + { + fprintf(stderr, "parsing authority event failed: %s\n", + strerror(errno)); + } + } +} + +static int list_authorities(vici_conn_t *conn) +{ + vici_req_t *req; + vici_res_t *res; + command_format_options_t format = COMMAND_FORMAT_NONE; + char *arg, *ca_name = NULL;; + int ret = 0; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'n': + ca_name = arg; + continue; + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case EOF: + break; + default: + return command_usage("invalid --list-authorities option"); + } + break; + } + if (vici_register(conn, "list-authority", list_cb, &format) != 0) + { + ret = errno; + fprintf(stderr, "registering for authorities failed: %s\n", + strerror(errno)); + return ret; + } + + req = vici_begin("list-authorities"); + if (ca_name) + { + vici_add_key_valuef(req, "name", "%s", ca_name); + } + res = vici_submit(req, conn); + if (!res) + { + ret = errno; + fprintf(stderr, "list-authorities request failed: %s\n", strerror(errno)); + return ret; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "list-authorities reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + vici_free_res(res); + return 0; +} + +/** + * Register the command. 
+ */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + list_authorities, 'B', "list-authorities", + "list loaded authority configurations", + {"[--raw|--pretty]"}, + { + {"help", 'h', 0, "show usage information"}, + {"name", 'n', 1, "filter by authority name"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, + } + }); +} diff --git a/src/swanctl/commands/list_certs.c b/src/swanctl/commands/list_certs.c index ecb65289a..167f8d848 100644 --- a/src/swanctl/commands/list_certs.c +++ b/src/swanctl/commands/list_certs.c @@ -2,6 +2,9 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your @@ -388,7 +391,7 @@ static void print_crl(crl_t *crl) chunk = chunk_skip_zero(chunk); localtime_r(&ts, &tm); strftime(buf, sizeof(buf), "%F %T", &tm); - printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf); + printf(" %#B: %s, %N\n", &chunk, buf, crl_reason_names, reason); count++; } enumerator->destroy(enumerator); diff --git a/src/swanctl/commands/load_all.c b/src/swanctl/commands/load_all.c index f47fee5b4..0010ce140 100644 --- a/src/swanctl/commands/load_all.c +++ b/src/swanctl/commands/load_all.c @@ -22,6 +22,7 @@ #include "command.h" #include "swanctl.h" #include "load_creds.h" +#include "load_authorities.h" #include "load_pools.h" #include "load_conns.h" @@ -71,6 +72,10 @@ static int load_all(vici_conn_t *conn) ret = load_creds_cfg(conn, format, cfg, clear, noprompt); } if (ret == 0) + { + ret = load_authorities_cfg(conn, format, cfg); + } + if (ret == 0) { ret = load_pools_cfg(conn, format, cfg); } 
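Review bot: `*labeled %= LABELED_OCSP_URI;` in `authority_list` is a modulo-assignment where a bit-or is intended; with `LABELED_OCSP_URI` defined as `(1 << 1)` the result is 0 from a clear state and 1 when only the CRL bit is set, so the OCSP bit can never become set and every `ocsp_uris` value is printed with the `ocsp_uris:` label rather than only the first one. The line should read `*labeled |= LABELED_OCSP_URI;`, matching the `crl_uris` branch just above it. Two smaller points in the same file: `char *arg, *ca_name = NULL;;` in `list_authorities` carries a stray second semicolon, and the usage string `{"[--raw|--pretty]"}` passed to `command_register` omits `--name` although the option table declares it, so `--help` output will not advertise the filter.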
@@ -90,7 +95,8 @@ static int load_all(vici_conn_t *conn)
 static void __attribute__ ((constructor))reg()
 {
 command_register((command_t) {
- load_all, 'q', "load-all", "load credentials, pools and connections",
+ load_all, 'q', "load-all",
+ "load credentials, authorities, pools and connections",
 {"[--raw|--pretty] [--clear] [--noprompt]"},
 {
 {"help", 'h', 0, "show usage information"},
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
new file mode 100644
index 000000000..88dde6aaf
--- /dev/null
+++ b/src/swanctl/commands/load_authorities.c
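Review bot: The order given in the new description string, `credentials, authorities, pools and connections`, disagrees with the swanctl.8.in entry for `--load-all` in this same commit, which says `credentials, pools, authorities and connections`. The earlier load_all.c hunk calls `load_authorities_cfg` before `load_pools_cfg`, so the string here is the accurate one and the man page should be brought into line with it. The `reg()` constructor continues past the end of this hunk.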
@@ -0,0 +1,365 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include +#include +#include + +#include "command.h" +#include "swanctl.h" +#include "load_authorities.h" + +/** + * Add a vici list from a comma separated string value + */ +static void add_list_key(vici_req_t *req, char *key, char *value) +{ + enumerator_t *enumerator; + char *token; + + vici_begin_list(req, key); + enumerator = enumerator_create_token(value, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + vici_add_list_itemf(req, "%s", token); + } + enumerator->destroy(enumerator); + vici_end_list(req); +} + +/** + * Add a vici certificate blob value given by its file patch + */ +static bool add_file_key_value(vici_req_t *req, char *key, char *value) +{ + chunk_t *map; + char *path, buf[PATH_MAX]; + + if (path_absolute(value)) + { + path = value; + } + else + { + path = buf; + snprintf(path, PATH_MAX, "%s%s%s", + SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, value); + } + map = chunk_map(path, FALSE); + + if (map) + { + vici_add_key_value(req, key, map->ptr, map->len); + chunk_unmap(map); + return TRUE; + } + else + { + fprintf(stderr, "loading ca certificate '%s' failed: %s\n", + path, strerror(errno)); + return FALSE; + } +} + +/** + * Translate sletting key/values from a section into vici key-values/lists + */ +static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section) +{ + enumerator_t 
*enumerator; + char *key, *value; + bool ret = TRUE; + + enumerator = cfg->create_key_value_enumerator(cfg, section); + while (enumerator->enumerate(enumerator, &key, &value)) + { + /* pool subnet is encoded as key/value, all other attributes as list */ + if (streq(key, "cacert")) + { + ret = add_file_key_value(req, key, value); + } + else if (streq(key, "cert_uri_base")) + { + vici_add_key_valuef(req, key, "%s", value); + } + else + { + add_list_key(req, key, value); + } + if (!ret) + { + break; + } + } + enumerator->destroy(enumerator); + + return ret; +} + +/** + * Load an authority configuration + */ +static bool load_authority(vici_conn_t *conn, settings_t *cfg, + char *section, command_format_options_t format) +{ + vici_req_t *req; + vici_res_t *res; + bool ret = TRUE; + char buf[128]; + + snprintf(buf, sizeof(buf), "%s.%s", "authorities", section); + + req = vici_begin("load-authority"); + + vici_begin_section(req, section); + if (!add_key_values(req, cfg, buf)) + { + vici_free_req(req); + return FALSE; + } + vici_end_section(req); + + res = vici_submit(req, conn); + if (!res) + { + fprintf(stderr, "load-authority request failed: %s\n", strerror(errno)); + return FALSE; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "load-authority reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + else if (!streq(vici_find_str(res, "no", "success"), "yes")) + { + fprintf(stderr, "loading authority '%s' failed: %s\n", + section, vici_find_str(res, "", "errmsg")); + ret = FALSE; + } + else + { + printf("loaded authority '%s'\n", section); + } + vici_free_res(res); + return ret; +} + +CALLBACK(list_authority, int, + linked_list_t *list, vici_res_t *res, char *name, void *value, int len) +{ + if (streq(name, "authorities")) + { + char *str; + + if (asprintf(&str, "%.*s", len, value) != -1) + { + list->insert_last(list, str); + } + } + return 0; +} + +/** + * Create a list of currently loaded authorities + */ +static linked_list_t* list_authorities(vici_conn_t 
*conn, + command_format_options_t format) +{ + linked_list_t *list; + vici_res_t *res; + + list = linked_list_create(); + + res = vici_submit(vici_begin("get-authorities"), conn); + if (res) + { + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "get-authorities reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + vici_parse_cb(res, NULL, NULL, list_authority, list); + vici_free_res(res); + } + return list; +} + +/** + * Remove and free a string from a list + */ +static void remove_from_list(linked_list_t *list, char *str) +{ + enumerator_t *enumerator; + char *current; + + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (streq(current, str)) + { + list->remove_at(list, enumerator); + free(current); + } + } + enumerator->destroy(enumerator); +} + +/** + * Unload a authority by name + */ +static bool unload_authority(vici_conn_t *conn, char *name, + command_format_options_t format) +{ + vici_req_t *req; + vici_res_t *res; + bool ret = TRUE; + + req = vici_begin("unload-authority"); + vici_add_key_valuef(req, "name", "%s", name); + res = vici_submit(req, conn); + if (!res) + { + fprintf(stderr, "unload-authority request failed: %s\n", strerror(errno)); + return FALSE; + } + if (format & COMMAND_FORMAT_RAW) + { + vici_dump(res, "unload-authority reply", format & COMMAND_FORMAT_PRETTY, + stdout); + } + else if (!streq(vici_find_str(res, "no", "success"), "yes")) + { + fprintf(stderr, "unloading authority '%s' failed: %s\n", + name, vici_find_str(res, "", "errmsg")); + ret = FALSE; + } + vici_free_res(res); + return ret; +} + +/** + * See header. 
+ */ +int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format, + settings_t *cfg) +{ + u_int found = 0, loaded = 0, unloaded = 0; + char *section; + enumerator_t *enumerator; + linked_list_t *authorities; + + authorities = list_authorities(conn, format); + + enumerator = cfg->create_section_enumerator(cfg, "authorities"); + while (enumerator->enumerate(enumerator, §ion)) + { + remove_from_list(authorities, section); + found++; + if (load_authority(conn, cfg, section, format)) + { + loaded++; + } + } + enumerator->destroy(enumerator); + + /* unload all authorities in daemon, but not in file */ + while (authorities->remove_first(authorities, (void**)§ion) == SUCCESS) + { + if (unload_authority(conn, section, format)) + { + unloaded++; + } + free(section); + } + authorities->destroy(authorities); + + if (format & COMMAND_FORMAT_RAW) + { + return 0; + } + if (found == 0) + { + printf("no authorities found, %u unloaded\n", unloaded); + return 0; + } + if (loaded == found) + { + printf("successfully loaded %u authorities, %u unloaded\n", + loaded, unloaded); + return 0; + } + fprintf(stderr, "loaded %u of %u authorities, %u failed to load, " + "%u unloaded\n", loaded, found, found - loaded, unloaded); + return EINVAL; +} + +static int load_authorities(vici_conn_t *conn) +{ + command_format_options_t format = COMMAND_FORMAT_NONE; + settings_t *cfg; + char *arg; + int ret; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 'P': + format |= COMMAND_FORMAT_PRETTY; + /* fall through to raw */ + case 'r': + format |= COMMAND_FORMAT_RAW; + continue; + case EOF: + break; + default: + return command_usage("invalid --load-authorities option"); + } + break; + } + + cfg = settings_create(SWANCTL_CONF); + if (!cfg) + { + fprintf(stderr, "parsing '%s' failed\n", SWANCTL_CONF); + return EINVAL; + } + + ret = load_authorities_cfg(conn, format, cfg); + + cfg->destroy(cfg); + + return ret; +} + +/** + * Register 
the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+ command_register((command_t) {
+ load_authorities, 'b',
+ "load-authorities", "(re-)load authority configuration",
+ {"[--raw|--pretty]"},
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"raw", 'r', 0, "dump raw response message"},
+ {"pretty", 'P', 0, "dump raw response message in pretty print"},
+ }
+ });
+}
diff --git a/src/swanctl/commands/load_authorities.h b/src/swanctl/commands/load_authorities.h
new file mode 100644
index 000000000..d4be214fb
--- /dev/null
+++ b/src/swanctl/commands/load_authorities.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2015 Andreas Stefffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+/**
+ * Load all certification authority definitions from configuration file
+ *
+ * @param conn vici connection to load to
+ * @param format output format
+ * @param cfg configuration to load from
+ */
+int load_authorities_cfg(vici_conn_t *conn, command_format_options_t format,
+ settings_t *cfg);
diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in
index 543c10a67..cd033f91e 100644
--- a/src/swanctl/swanctl.8.in
+++ b/src/swanctl/swanctl.8.in
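Review bot: `load_authority` builds the settings path with `snprintf(buf, sizeof(buf), "%s.%s", "authorities", section);` into a 128-byte `buf` and discards the return value, so a section name longer than the buffer is silently truncated and `add_key_values` then enumerates a section that does not exist, sending a `load-authority` request with no attributes and reporting whatever the daemon answers. Check for truncation before `vici_begin`: `if (snprintf(buf, sizeof(buf), "%s.%s", "authorities", section) >= sizeof(buf)) { fprintf(stderr, "authority name '%s' too long\n", section); return FALSE; }`. The comment in `add_key_values`, `/* pool subnet is encoded as key/value, all other attributes as list */`, appears to have been carried over from another loader and does not describe this function; something like `/* cacert is read from a file, cert_uri_base is a plain value, all other attributes are lists */` would. The doc comments also have typos: `sletting` for `settings` and `file patch` for `file path`.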
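Review bot: The copyright line in the new header reads `Andreas Stefffen` while the two new .c files in this commit spell it `Andreas Steffen`; the header should match. The header also has no include guard; with only `#include "command.h"` and a single prototype a double inclusion is harmless, so this is a consistency point only if the sibling load_*.h headers carry one.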
@@ -53,9 +53,15 @@ list currently active IKE_SAs .B "\-P, \-\-list\-pols" list currently installed policies .TP +.B "\-b, \-\-load\-authorities" +(re\-)load certification authorities information +.TP .B "\-L, \-\-list\-conns" list loaded configurations .TP +.B "\-B, \-\-list\-authorities" +list loaded certification authorities information +.TP .B "\-x, \-\-list\-certs" list stored certificates .TP @@ -63,7 +69,7 @@ list stored certificates list loaded pool configurations .TP .B "\-q, \-\-load\-all" -(re\-)load credentials, pools and connections +(re\-)load credentials, pools, authorities and connections .TP .B "\-c, \-\-load\-conns" (re\-)load connection configuration diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index faafecc44..c480ce174 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -180,6 +180,9 @@ # drop). # mode = tunnel + # Whether to install IPsec policies or not. + # policies = yes + # Action to perform on DPD timeout (clear, trap or restart). # dpd_action = clear @@ -316,3 +319,25 @@ # } +# Section defining attributes of certification authorities. +# authorities { + + # Section defining a certification authority with a unique name. + # { + + # CA certificate belonging to the certification authority. + # cacert = + + # Comma-separated list of CRL distribution points + # crl_uris = + + # Comma-separated list of OCSP URIs + # ocsp_uris = + + # Defines the base URI for the Hash and URL feature supported by IKEv2. + # cert_uri_base = + + # } + +# } + diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index a770b28b1..6e3842d8a 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main 
@@ -725,6 +725,11 @@ and are used to install shunt policies, which explicitly bypass the defined traffic from IPsec processing, or drop it, respectively. +.TP +.BR connections..children..policies " [yes]" +Whether to install IPsec policies or not. Disabling this can be useful in some +scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. + .TP .BR connections..children..dpd_action " [clear]" Action to perform for this CHILD_SA on DPD timeout. The default @@ -1022,3 +1027,35 @@ corresponding attribute types. Alternatively, can be a numerical identifier, for which string attribute values are accepted as well. +.TP +.B authorities +.br +Section defining attributes of certification authorities. + +.TP +.B authorities. +.br +Section defining a certification authority with a unique name. + +.TP +.BR authorities..cacert " []" +The certificates may use a relative path from the +.RB "" "swanctl" "" +.RI "" "x509ca" "" +directory, or an absolute path. + +.TP +.BR authorities..crl_uris " []" +Comma\-separated list of CRL distribution points (ldap, http, or file URI) + +.TP +.BR authorities..ocsp_uris " []" +Comma\-separated list of OCSP URIs + +.TP +.BR authorities..cert_uri_base " []" +Defines the base URI for the Hash and URL feature supported by IKEv2. Instead of +exchanging complete certificates, IKEv2 allows one to send an URI that resolves +to the DER encoded certificate. The certificate URIs are built by appending the +SHA1 hash of the DER encoded certificates to this base URI. + diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index b6ef17546..ef38d5d86 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt 
@@ -589,6 +589,12 @@ connections..children..mode = tunnel _pass_ and _drop_ are used to install shunt policies, which explicitly bypass the defined traffic from IPsec processing, or drop it, respectively. +connections..children..policies = yes + Whether to install IPsec policies or not. + + Whether to install IPsec policies or not. Disabling this can be useful in + some scenarios e.g. MIPv6, where policies are not managed by the IKE daemon. + connections..children..dpd_action = clear Action to perform on DPD timeout (_clear_, _trap_ or _restart_). @@ -810,3 +816,35 @@ pools.. = subnets for the corresponding attribute types. Alternatively, **** can be a numerical identifier, for which string attribute values are accepted as well. + +authorities { # } + Section defining attributes of certification authorities. + +authorities. { # } + Section defining a certification authority with a unique name. + +authorities..cacert = + CA certificate belonging to the certification authority. + + The certificates may use a relative path from the **swanctl** _x509ca_ + directory, or an absolute path. + +authorities..crl_uris = + Comma-separated list of CRL distribution points + + Comma-separated list of CRL distribution points (ldap, http, or file URI) + +authorities..ocsp_uris = + Comma-separated list of OCSP URIs + + Comma-separated list of OCSP URIs + +authorities..cert_uri_base = + Defines the base URI for the Hash and URL feature supported by IKEv2. + + Defines the base URI for the Hash and URL feature supported by IKEv2. + Instead of exchanging complete certificates, IKEv2 allows one to send an + URI that resolves to the DER encoded certificate. The certificate URIs are + built by appending the SHA1 hash of the DER encoded certificates to this + base URI. + -- cgit v1.2.3