vici: flush-certs command flushes certificate cache

When fresh CRLs are released with a high update frequency (e.g. every 24 hours) or OCSP is used then the certificate cache gets quickly filled with stale CRLs or OCSP responses. The new VICI flush-certs command allows to flush e.g. cached CRLs or OCSP responses only. Without the type argument all kind of certificates (e.g. also received end entity and intermediate CA certificates) are purged.
2016-09-08 11:59:02 +02:00 · 2016-09-08 11:59:02 +02:00 · 2c7cfe7630
parent 8efcc78f2b
commit 2c7cfe7630
9 changed files with 160 additions and 1 deletions
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@ -481,6 +481,19 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
 		errmsg = <error string on failure>
 	}

+### flush-certs() ###
+
+Flushes the certificate cache. The optional type argument allows to flush
+only certificates of a given type, e.g. all cached CRLs.
+
+	{
+		type = <certificate type to filter for, X509|X509_AC|X509_CRL|
+												OCSP_RESPONSE|PUBKEY or ANY>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
 ### clear-creds() ###

 Clear all loaded certificate, private key and shared key credentials. This
--- a/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/README.pod
@ -560,6 +560,21 @@ print "----- unload-authority -----\n";
 ($res, $errmsg) = $session->unload_authority(Vici::Message->new(\%vars));
 print $res ? "ok\n" : "failed: $errmsg\n";

+=item flush_certs()
+
+flushes the volatile certificate cache. Optionally only a given certificate
+type is flushed.
+
+  my %vars = ( type => 'x509_crl' );
+  my ($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+
+=cut
+
+print "----- flush-certs -----\n";
+%vars = ( type => 'x509_crl' );
+($res, $errmsg) = $session->flush_certs(Vici::Message->new(\%vars));
+print $res ? "ok\n" : "failed: $errmsg\n";
+
 =item clear_creds()

 clears all loaded certificate, private key and shared key credentials. This
--- a/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
+++ b/src/libcharon/plugins/vici/perl/Vici-Session/lib/Vici/Session.pm
@ -96,6 +96,10 @@ sub load_shared {
    return request_vars_res('load-shared', @_);
 }

+sub flush_certs {
+    return request_vars_res('flush-certs', @_);
+}
+
 sub clear_creds {
   return request_res('clear-creds', @_);
 }
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@ -166,6 +166,17 @@ class Session(object):
        """
        self.handler.request("load-shared", secret)

+     def flush_certs(self, filter=None):
+        """Flush the volatile certificate cache.
+
+        Flush the certificate stored temporarily in the cache. The filter
+        allows to flush only a certain type of certificates, e.g. CRLs.
+
+        :param filter: flush only certificates of a given type (optional)
+        :type filter: dict
+        """
+        self.handler.request("flush-certs", filter)
+
    def clear_creds(self):
        """Clear credentials loaded over vici.

--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@ -448,6 +448,12 @@ module Vici
      @transp.request("get-conns").root
    end

+    ##
+    # Flush credential cache.
+    def flush_certs((match = nil)
+      check_success(@transp.request("flush-certs", Message.new(match)))
+    end
+
    ##
    # Clear all loaded credentials.
    def clear_creds()
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@ -287,6 +287,24 @@ CALLBACK(clear_creds, vici_message_t*,
 	return create_reply(NULL);
 }

+CALLBACK(flush_certs, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	certificate_type_t type = CERT_ANY;
+	x509_flag_t flag = X509_NONE;
+	char *str;
+
+	str = message->get_str(message, NULL, "type");
+	if (str && !enum_from_name(certificate_type_names, str, &type) &&
+			   !vici_cert_info_from_str(str, &type, &flag))
+	{
+		return create_reply("invalid certificate type '%s'", str);
+	}
+	lib->credmgr->flush_cache(lib->credmgr, type);
+
+	return create_reply(NULL);
+}
+
 static void manage_command(private_vici_cred_t *this,
 						   char *name, vici_command_cb_t cb, bool reg)
 {
@ -300,6 +318,7 @@ static void manage_command(private_vici_cred_t *this,
 static void manage_commands(private_vici_cred_t *this, bool reg)
 {
 	manage_command(this, "clear-creds", clear_creds, reg);
+	manage_command(this, "flush-certs", flush_certs, reg);
 	manage_command(this, "load-cert", load_cert, reg);
 	manage_command(this, "load-key", load_key, reg);
 	manage_command(this, "load-shared", load_shared, reg);
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@ -13,6 +13,7 @@ swanctl_SOURCES = \
 	commands/list_certs.c \
 	commands/list_pools.c \
 	commands/list_algs.c \
+	commands/flush_certs.c \
 	commands/load_all.c \
 	commands/load_authorities.h  commands/load_authorities.c \
 	commands/load_conns.c commands/load_conns.h \
--- a/src/swanctl/command.h
+++ b/src/swanctl/command.h
@ -27,7 +27,7 @@
 /**
 * Maximum number of commands (+1).
 */
-#define MAX_COMMANDS 23
+#define MAX_COMMANDS 24

 /**
 * Maximum number of options in a command (+3)
--- a/src/swanctl/commands/flush_certs.c
+++ b/src/swanctl/commands/flush_certs.c
@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include "command.h"
+
+static int flush_certs(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	char *arg, *type = NULL;
+	int ret;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 't':
+				type = arg;
+				continue;
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --flush-certs option");
+		}
+		break;
+	}
+	req = vici_begin("flush-certs");
+
+	if (type)
+	{
+		vici_add_key_valuef(req, "type", "%s", type);
+	}
+	res = vici_submit(req, conn);
+
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "flush-certs request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "flush-certs reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	vici_free_res(res);
+
+	return 0;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		flush_certs, 'f', "flush-certs", "flush cached certificates",
+		{"[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]",
+		 "[--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"type",		't', 1, "filter by certificate type"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}