Merge branch 'flush-certs'

src/libcharon/plugins/vici/README.md

@@ -481,6 +481,19 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
 		errmsg = <error string on failure>
 	}
 
+### flush-certs() ###
+
+Flushes the certificate cache. The optional type argument allows to flush
+only certificates of a given type, e.g. all cached CRLs.
+
+	{
+		type = <certificate type to filter for, X509|X509_AC|X509_CRL|
+												OCSP_RESPONSE|PUBKEY or ANY>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
 ### clear-creds() ###
 
 Clear all loaded certificate, private key and shared key credentials. This

src/libcharon/plugins/vici/perl/Vici-Session/README.pod

@@ -560,6 +560,21 @@ print "----- unload-authority -----\n";
 ($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
 print $res ? "ok\n" : "failed: $errmsg\n";
 
+=item flush_certs()
+
+flushes the volatile certificate cache. Optionally only a given certificate
+type is flushed.
+
+  my %vars = ( type => 'x509_crl' );
+  my ($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- flush-certs -----\n";
+%vars = ( type => 'x509_crl' );
+($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
 =item clear_creds()
 
 clears all loaded certificate, private key and shared key credentials. This

src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm

@@ -96,6 +96,10 @@ sub load_shared {
     return request_vars_res('load-shared', @_);
 }
 
+sub flush_certs {
+    return request_vars_res('flush-certs', @_);
+}
+
 sub clear_creds {
    return request_res('clear-creds', @_);
 }

src/libcharon/plugins/vici/python/vici/session.py

@@ -166,6 +166,17 @@ class Session(object):
         """
         self.handler.request("load-shared", secret)
 
+     def flush_certs(self, filter=None):
+        """Flush the volatile certificate cache.
+
+        Flush the certificate stored temporarily in the cache. The filter
+        allows to flush only a certain type of certificates, e.g. CRLs.
+
+        :param filter: flush only certificates of a given type (optional)
+        :type filter: dict
+        """
+        self.handler.request("flush-certs", filter)
+
     def clear_creds(self):
         """Clear credentials loaded over vici.
 

src/libcharon/plugins/vici/ruby/lib/vici.rb

@@ -448,6 +448,12 @@ module Vici
       @transp.request("get-conns").root
     end
 
+    ##
+    # Flush credential cache.
+    def flush_certs((match = nil)
+      check_success(@transp.request("flush-certs", Message.new(match)))
+    end
+
     ##
     # Clear all loaded credentials.
     def clear_creds()

src/libcharon/plugins/vici/vici_cred.c

@@ -287,6 +287,24 @@ CALLBACK(clear_creds, vici_message_t*,
 	return create_reply(NULL);
 }
 
+CALLBACK(flush_certs, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	certificate_type_t type = CERT_ANY;
+	x509_flag_t flag = X509_NONE;
+	char *str;
+
+	str = message->get_str(message, NULL, "type");
+	if (str && !enum_from_name(certificate_type_names, str, &type) &&
+			   !vici_cert_info_from_str(str, &type, &flag))
+	{
+		return create_reply("invalid certificate type '%s'", str);
+	}
+	lib->credmgr->flush_cache(lib->credmgr, type);
+
+	return create_reply(NULL);
+}
+
 static void manage_command(private_vici_cred_t *this,
 						   char *name, vici_command_cb_t cb, bool reg)
 {
@@ -300,6 +318,7 @@ static void manage_command(private_vici_cred_t *this,
 static void manage_commands(private_vici_cred_t *this, bool reg)
 {
 	manage_command(this, "clear-creds", clear_creds, reg);
+	manage_command(this, "flush-certs", flush_certs, reg);
 	manage_command(this, "load-cert", load_cert, reg);
 	manage_command(this, "load-key", load_key, reg);
 	manage_command(this, "load-shared", load_shared, reg);

src/swanctl/Makefile.am

@@ -13,6 +13,7 @@ swanctl_SOURCES = \
 	commands/list_certs.c \
 	commands/list_pools.c \
 	commands/list_algs.c \
+	commands/flush_certs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \

src/swanctl/command.h

@@ -27,7 +27,7 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 23
+#define MAX_COMMANDS 24
 
 /**
  * Maximum number of options in a command (+3)

src/swanctl/commands/flush_certs.c

@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include "command.h"
+
+static int flush_certs(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	char *arg, *type = NULL;
+	int ret;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 't':
+				type = arg;
+				continue;
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --flush-certs option");
+		}
+		break;
+	}
+	req = vici_begin("flush-certs");
+
+	if (type)
+	{
+		vici_add_key_valuef(req, "type", "%s", type);
+	}
+	res = vici_submit(req, conn);
+
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "flush-certs request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "flush-certs reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	vici_free_res(res);
+
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		flush_certs, 'f', "flush-certs", "flush cached certificates",
+		{"[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]",
+		 "[--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"type",		't', 1, "filter by certificate type"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}