ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

implemented rereadcrls rereadcacerts

This commit is contained in:
Andreas Steffen 2006-06-20 06:05:01 +00:00
parent db959e6ea3
commit 21b433c641
4 changed files with 702 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

625
src/charon/config/credentials/credential_store.c Normal file
View File

@ -0,0 +1,625 @@
/**
* @file credential_store.c
*
* @brief Implementation of credential_store_t.
*
*/
/*
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include <sys/stat.h>
#include <dirent.h>
#include <string.h>
#include <pthread.h>
#include "credential_store.h"
#include <utils/lexparser.h>
#include <utils/linked_list.h>
#include <utils/logger_manager.h>
#include <crypto/x509.h>
#include <crypto/crl.h>
#define PATH_BUF 256
typedef struct private_credential_store_t private_credential_store_t;
/**
* Private data of an credential_store_t object
*/
struct private_credential_store_t {
/**
* Public part
*/
credential_store_t public;
/**
* list of key_entry_t's with private keys
*/
linked_list_t *private_keys;
/**
* list of X.509 certificates with public keys
*/
linked_list_t *certs;
/**
* list of X.509 CA certificates with public keys
*/
linked_list_t *ca_certs;
/**
* list of X.509 CRLs
*/
linked_list_t *crls;
/**
* mutex controlling the access to the crls linked list
*/
pthread_mutex_t crls_mutex;
/**
* enforce strict crl policy
*/
bool strict;
/**
* Assigned logger
*/
logger_t *logger;
};
/**
* Implementation of credential_store_t.get_shared_secret.
*/
static status_t get_shared_secret(private_credential_store_t *this, identification_t *id, chunk_t *secret)
{
return FAILED;
}
/**
* Implementation of credential_store_t.get_rsa_public_key.
*/
static rsa_public_key_t * get_rsa_public_key(private_credential_store_t *this, identification_t *id)
{
rsa_public_key_t *found = NULL;
iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
while (iterator->has_next(iterator))
{
x509_t *cert;
iterator->current(iterator, (void**)&cert);
if (id->equals(id, cert->get_subject(cert)) || cert->equals_subjectAltName(cert, id))
{
found = cert->get_public_key(cert);
break;
}
}
iterator->destroy(iterator);
return found;
}
/**
* Implementation of credential_store_t.get_rsa_private_key.
*/
static rsa_private_key_t* get_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
{
rsa_private_key_t *found = NULL;
rsa_private_key_t *current;
iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
while (iterator->has_next(iterator))
{
iterator->current(iterator, (void**)&current);
if (current->belongs_to(current, pubkey))
{
found = current->clone(current);
break;
}
}
iterator->destroy(iterator);
return found;
}
/**
* Implementation of credential_store_t.has_rsa_private_key.
*/
static bool has_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
{
bool found = FALSE;
rsa_private_key_t *current;
iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
while (iterator->has_next(iterator))
{
iterator->current(iterator, (void**)&current);
if (current->belongs_to(current, pubkey))
{
found = TRUE;
break;
}
}
iterator->destroy(iterator);
return found;
}
/**
* Add a unique certificate to a linked list
*/
static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
{
bool found = FALSE;
iterator_t *iterator = certs->create_iterator(certs, TRUE);
while (iterator->has_next(iterator))
{
x509_t *current_cert;
iterator->current(iterator, (void**)&current_cert);
if (cert->equals(cert, current_cert))
{
found = TRUE;
cert->destroy(cert);
cert = current_cert;
break;
}
}
iterator->destroy(iterator);
if (!found)
{
certs->insert_last(certs, (void*)cert);
}
return cert;
}
/**
* Implements credential_store_t.add_end_certificate
*/
static x509_t* add_end_certificate(private_credential_store_t *this, x509_t *cert)
{
return add_certificate(this->certs, cert);
}
/**
* Implements credential_store_t.add_ca_certificate
*/
static x509_t* add_ca_certificate(private_credential_store_t *this, x509_t *cert)
{
return add_certificate(this->ca_certs, cert);
}
/**
* Implements credential_store_t.log_certificates
*/
static void log_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
{
iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
if (iterator->get_count(iterator))
{
logger->log(logger, CONTROL, "");
logger->log(logger, CONTROL, "List of X.509 End Entity Certificates:");
logger->log(logger, CONTROL, "");
}
while (iterator->has_next(iterator))
{
x509_t *cert;
bool has_key;
iterator->current(iterator, (void**)&cert);
has_key = has_rsa_private_key(this, cert->get_public_key(cert));
cert->log_certificate(cert, logger, utc, has_key);
}
iterator->destroy(iterator);
}
/**
* Implements credential_store_t.log_ca_certificates
*/
static void log_ca_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
{
iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
if (iterator->get_count(iterator))
{
logger->log(logger, CONTROL, "");
logger->log(logger, CONTROL, "List of X.509 CA Certificates:");
logger->log(logger, CONTROL, "");
}
while (iterator->has_next(iterator))
{
x509_t *cert;
iterator->current(iterator, (void**)&cert);
cert->log_certificate(cert, logger, utc, FALSE);
}
iterator->destroy(iterator);
}
/**
* Implements credential_store_t.log_crls
*/
static void log_crls(private_credential_store_t *this, logger_t *logger, bool utc)
{
iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
pthread_mutex_lock(&(this->crls_mutex));
if (iterator->get_count(iterator))
{
logger->log(logger, CONTROL, "");
logger->log(logger, CONTROL, "List of X.509 CRLs:");
logger->log(logger, CONTROL, "");
}
while (iterator->has_next(iterator))
{
crl_t *crl;
iterator->current(iterator, (void**)&crl);
crl->log_crl(crl, logger, utc, this->strict);
}
pthread_mutex_unlock(&(this->crls_mutex));
iterator->destroy(iterator);
}
/**
* Implements credential_store_t.load_ca_certificates
*/
static void load_ca_certificates(private_credential_store_t *this, const char *path)
{
struct dirent* entry;
struct stat stb;
DIR* dir;
x509_t *cert;
this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", path);
dir = opendir(path);
if (dir == NULL)
{
this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", path);
return;
}
while ((entry = readdir(dir)) != NULL)
{
char file[PATH_BUF];
snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
if (stat(file, &stb) == -1)
{
continue;
}
/* try to parse all regular files */
if (stb.st_mode & S_IFREG)
{
cert = x509_create_from_file(file, "ca certificate");
if (cert)
{
err_t ugh = cert->is_valid(cert, NULL);
if (ugh != NULL)
{
this->logger->log(this->logger, ERROR, "warning: ca certificate %s", ugh);
}
if (cert->is_ca(cert))
{
cert = add_certificate(this->ca_certs, cert);
}
else
{
this->logger->log(this->logger, ERROR,
" CA basic constraints flag not set, cert discarded");
cert->destroy(cert);
}
}
}
}
closedir(dir);
}
/**
* Add the latest crl to a linked list
*/
static crl_t* add_crl(linked_list_t *crls, crl_t *crl, logger_t *logger)
{
bool found = FALSE;
iterator_t *iterator = crls->create_iterator(crls, TRUE);
while (iterator->has_next(iterator))
{
crl_t *current_crl;
iterator->current(iterator, (void**)&current_crl);
if (crl->equals_issuer(crl, current_crl))
{
found = TRUE;
if (crl->is_newer(crl, current_crl))
{
crl_t *old_crl = NULL;
iterator->replace(iterator, (void**)&old_crl, (void*)crl);
if (old_crl != NULL)
{
old_crl->destroy(old_crl);
}
logger->log(logger, CONTROL|LEVEL1, " thisUpdate is newer - existing crl replaced");
}
else
{
crl->destroy(crl);
crl = current_crl;
logger->log(logger, CONTROL|LEVEL1, " thisUpdate is not newer - existing crl retained");
}
break;
}
}
iterator->destroy(iterator);
if (!found)
{
crls->insert_last(crls, (void*)crl);
logger->log(logger, CONTROL|LEVEL1, " crl added");
}
return crl;
}
/**
* Implements credential_store_t.load_crls
*/
static void load_crls(private_credential_store_t *this, const char *path)
{
struct dirent* entry;
struct stat stb;
DIR* dir;
crl_t *crl;
this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", path);
dir = opendir(path);
if (dir == NULL)
{
this->logger->log(this->logger, ERROR, "error opening crl directory %s'", path);
return;
}
while ((entry = readdir(dir)) != NULL)
{
char file[PATH_BUF];
snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
if (stat(file, &stb) == -1)
{
continue;
}
/* try to parse all regular files */
if (stb.st_mode & S_IFREG)
{
crl = crl_create_from_file(file);
if (crl)
{
err_t ugh = crl->is_valid(crl, NULL, this->strict);
if (ugh != NULL)
{
this->logger->log(this->logger, ERROR, "warning: crl %s", ugh);
}
pthread_mutex_lock(&(this->crls_mutex));
crl = add_crl(this->crls, crl, this->logger);
pthread_mutex_unlock(&(this->crls_mutex));
}
}
}
closedir(dir);
}
/**
* Implements credential_store_t.load_private_keys
*/
static void load_private_keys(private_credential_store_t *this, const char *secretsfile, const char *defaultpath)
{
FILE *fd = fopen(secretsfile, "r");
if (fd)
{
int bytes;
int line_nr = 0;
chunk_t chunk, src, line;
this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", secretsfile);
fseek(fd, 0, SEEK_END);
chunk.len = ftell(fd);
rewind(fd);
chunk.ptr = malloc(chunk.len);
bytes = fread(chunk.ptr, 1, chunk.len, fd);
fclose(fd);
src = chunk;
while (fetchline(&src, &line))
{
chunk_t ids, token;
line_nr++;
if (!eat_whitespace(&line))
{
continue;
}
if (!extract_token(&ids, ':', &line))
{
this->logger->log(this->logger, ERROR, "line %d: missing ':' separator", line_nr);
goto error;
}
if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
{
this->logger->log(this->logger, ERROR, "line %d: missing token", line_nr);
goto error;
}
if (match("RSA", &token))
{
char path[PATH_BUF];
chunk_t filename;
err_t ugh = extract_value(&filename, &line);
if (ugh != NULL)
{
this->logger->log(this->logger, ERROR, "line %d: %s", line_nr, ugh);
goto error;
}
if (filename.len == 0)
{
this->logger->log(this->logger, ERROR,
"line %d: empty filename", line_nr);
goto error;
}
if (*filename.ptr == '/')
{
/* absolute path name */
snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
}
else
{
/* relative path name */
snprintf(path, sizeof(path), "%s/%.*s", defaultpath, filename.len, filename.ptr);
}
rsa_private_key_t *key = rsa_private_key_create_from_file(path, NULL);
if (key)
{
this->private_keys->insert_last(this->private_keys, (void*)key);
}
}
else if (match("PSK", &token))
{
}
else if (match("PIN", &token))
{
}
else
{
this->logger->log(this->logger, ERROR,
"line %d: token must be either RSA, PSK, or PIN",
line_nr, token.len);
goto error;
}
}
error:
free(chunk.ptr);
}
else
{
this->logger->log(this->logger, ERROR, "could not open file '%s'", secretsfile);
}
}
/**
* Implementation of credential_store_t.destroy.
*/
static void destroy(private_credential_store_t *this)
{
x509_t *cert;
crl_t *crl;
rsa_private_key_t *key;
/* destroy cert list */
while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
{
cert->destroy(cert);
}
this->certs->destroy(this->certs);
/* destroy ca cert list */
while (this->ca_certs->remove_last(this->ca_certs, (void**)&cert) == SUCCESS)
{
cert->destroy(cert);
}
this->ca_certs->destroy(this->ca_certs);
/* destroy crl list */
pthread_mutex_lock(&(this->crls_mutex));
while (this->crls->remove_last(this->crls, (void**)&crl) == SUCCESS)
{
crl->destroy(crl);
}
this->crls->destroy(this->crls);
pthread_mutex_unlock(&(this->crls_mutex));
/* destroy private key list */
while (this->private_keys->remove_last(this->private_keys, (void**)&key) == SUCCESS)
{
key->destroy(key);
}
this->private_keys->destroy(this->private_keys);
free(this);
}
/**
* Described in header.
*/
credential_store_t * credential_store_create(bool strict)
{
private_credential_store_t *this = malloc_thing(private_credential_store_t);
this->public.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
this->public.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
this->public.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
this->public.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
this->public.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
this->public.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
this->public.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
this->public.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
this->public.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
this->public.load_ca_certificates = (void(*)(credential_store_t*,const char*))load_ca_certificates;
this->public.load_crls = (void(*)(credential_store_t*,const char*))load_crls;
this->public.load_private_keys = (void(*)(credential_store_t*,const char*, const char*))load_private_keys;
this->public.destroy = (void(*)(credential_store_t*))destroy;
/* initialize mutexes */
pthread_mutex_init(&(this->crls_mutex), NULL);
/* private variables */
this->private_keys = linked_list_create();
this->certs = linked_list_create();
this->ca_certs = linked_list_create();
this->crls = linked_list_create();
this->strict = strict;
this->logger = logger_manager->get_logger(logger_manager, CONFIG);
return (&this->public);
}

44
src/charon/config/credentials/credential_store.h
View File

@ -135,6 +135,39 @@ struct credential_store_t {
*/
void (*log_crls) (credential_store_t *this, logger_t *logger, bool utc);
/**
* @brief Loads trusted CA certificates from a default directory.
*
* Certificates in both DER and PEM format are accepted
*
* @param this calling object
* @param path directory to load certificates from
*/
void (*load_ca_certificates) (credential_store_t *this, const char *path);
/**
* @brief Loads CRLs from a default directory.
*
* Certificates in both DER and PEM format are accepted
*
* @param this calling object
* @param path directory to load crls from
*/
void (*load_crls) (credential_store_t *this, const char *path);
/**
* @brief Loads RSA private keys defined in ipsec.secrets
*
* Currently, all keys must be unencrypted in either DER or PEM format.
* Other formats are ignored. Further, a certificate for the specific private
* key must already be loaded to get the ID from.
*
* @param this calling object
* @param secretsfile file where secrets are stored
* @param path default directory for private keys
*/
void (*load_private_keys) (credential_store_t *this, const char *secretsfile, const char *path);
/**
* @brief Destroys a credential_store_t object.
*
@ -143,4 +176,15 @@ struct credential_store_t {
void (*destroy) (credential_store_t *this);
};
/**
* @brief Creates a credential_store_t instance.
*
* @param strict enforce a strict crl policy
* @return credential store instance.
*
* @ingroup config
*/
credential_store_t *credential_store_create(bool strict);
#endif /*CREDENTIAL_STORE_H_*/

16
src/charon/daemon.c
View File

@ -33,8 +33,8 @@
#include "daemon.h"
#include <types.h>
#include <config/credentials/credential_store.h>
#include <config/connections/local_connection_store.h>
#include <config/credentials/local_credential_store.h>
#include <config/policies/local_policy_store.h>
@ -167,7 +167,7 @@ static void kill_daemon(private_daemon_t *this, char *reason)
*/
static void initialize(private_daemon_t *this, bool strict)
{
local_credential_store_t* cred_store;
credential_store_t* credentials;
this->public.configuration = configuration_create();
this->public.socket = socket_create(IKEV2_UDP_PORT);
@ -177,11 +177,13 @@ static void initialize(private_daemon_t *this, bool strict)
this->public.send_queue = send_queue_create();
this->public.connections = (connection_store_t*)local_connection_store_create();
this->public.policies = (policy_store_t*)local_policy_store_create();
this->public.credentials = (credential_store_t*)(cred_store = local_credential_store_create(strict));
/* load keys & certs */
cred_store->load_ca_certificates(cred_store, CA_CERTIFICATE_DIR);
cred_store->load_private_keys(cred_store, SECRETS_FILE, PRIVATE_KEY_DIR);
this->public.credentials = credential_store_create(strict);
/* load keys, ca certificates and crls */
credentials = this->public.credentials;
credentials->load_ca_certificates(credentials, CA_CERTIFICATE_DIR);
credentials->load_crls(credentials, CRL_DIR);
credentials->load_private_keys(credentials, SECRETS_FILE, PRIVATE_KEY_DIR);
/* start building threads, we are multi-threaded NOW */

27
src/charon/threads/stroke_interface.c
View File

@ -414,7 +414,8 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
proposal = proposal_create_from_string(PROTO_ESP, proposal_string);
if (proposal == NULL)
{
this->logger->log(this->logger, ERROR, "invalid ESP proposal string: %s", msg->add_conn.algorithms.esp);
this->logger->log(this->logger, ERROR,
"invalid ESP proposal string: %s", msg->add_conn.algorithms.esp);
policy->destroy(policy);
connection->destroy(connection);
return;
@ -494,13 +495,15 @@ static void stroke_initiate(private_stroke_t *this, stroke_msg_t *msg)
ike_sas = charon->ike_sa_manager->get_ike_sa_list_by_name(charon->ike_sa_manager, msg->initiate.name);
if (ike_sas->get_count(ike_sas) == 0)
{
this->stroke_logger->log(this->stroke_logger, CONTROL, "initiating connection \"%s\" (see log)...", msg->initiate.name);
this->stroke_logger->log(this->stroke_logger, CONTROL,
"initiating connection \"%s\" (see log)...", msg->initiate.name);
job = initiate_ike_sa_job_create(connection);
charon->job_queue->add(charon->job_queue, (job_t*)job);
}
else
{
this->stroke_logger->log(this->stroke_logger, CONTROL, "connection \"%s\" already up", msg->initiate.name);
this->stroke_logger->log(this->stroke_logger, CONTROL,
"connection \"%s\" already up", msg->initiate.name);
}
while (ike_sas->remove_last(ike_sas, (void**)&ike_sa_id) == SUCCESS)
{
@ -601,6 +604,21 @@ static void stroke_list(private_stroke_t *this, stroke_msg_t *msg)
}
}
/**
* reread various information
*/
static void stroke_reread(private_stroke_t *this, stroke_msg_t *msg)
{
if (msg->reread.flags & REREAD_CACERTS)
{
charon->credentials->load_ca_certificates(charon->credentials, CA_CERTIFICATE_DIR);
}
if (msg->reread.flags & REREAD_CRLS)
{
charon->credentials->load_crls(charon->credentials, CRL_DIR);
}
}
logger_context_t get_context(char *context)
{
if (strcasecmp(context, "ALL") == 0) return ALL_LOGGERS;
@ -797,6 +815,9 @@ static void stroke_receive(private_stroke_t *this)
case STR_LIST:
stroke_list(this, msg);
break;
case STR_REREAD:
stroke_reread(this, msg);
break;
default:
this->logger->log(this->logger, ERROR, "received invalid stroke");
}