ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Added ipseckey plugin, which provides support for public keys in IPSECKEY RRs

This commit is contained in:
Reto Guadagnini 2012-06-08 11:26:50 +02:00 committed by Tobias Brunner
parent d786cbda5c
commit a77bbc3b8c
9 changed files with 863 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
configure.in
View File

@ -128,6 +128,7 @@ ARG_DISBL_SET([pkcs7], [disable PKCS7 container support plugin.])
ARG_DISBL_SET([pkcs8], [disable PKCS8 private key decoding plugin.])
ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.])
ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.])
ARG_ENABL_SET([ipseckey], [enable IPSECKEY authentication plugin.])
ARG_DISBL_SET([pem], [disable PEM decoding plugin.])
ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.])
ARG_DISBL_SET([cmac], [disable CMAC crypto implementation plugin.])
@ -943,6 +944,7 @@ ADD_PLUGIN([pkcs7], [s scepclient pki])
ADD_PLUGIN([pkcs8], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([pgp], [s charon])
ADD_PLUGIN([dnskey], [s charon])
ADD_PLUGIN([ipseckey], [c charon])
ADD_PLUGIN([pem], [s charon openac scepclient pki scripts manager medsrv attest nm])
ADD_PLUGIN([padlock], [s charon])
ADD_PLUGIN([openssl], [s charon openac scepclient pki scripts manager medsrv attest nm])
@ -1096,6 +1098,7 @@ AM_CONDITIONAL(USE_ANDROID_LOG, test x$android_log = xtrue)
AM_CONDITIONAL(USE_MAEMO, test x$maemo = xtrue)
AM_CONDITIONAL(USE_SMP, test x$smp = xtrue)
AM_CONDITIONAL(USE_SQL, test x$sql = xtrue)
AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
@ -1335,6 +1338,7 @@ AC_CONFIG_FILES([
src/libcharon/plugins/farp/Makefile
src/libcharon/plugins/smp/Makefile
src/libcharon/plugins/sql/Makefile
src/libcharon/plugins/ipseckey/Makefile
src/libcharon/plugins/medsrv/Makefile
src/libcharon/plugins/medcli/Makefile
src/libcharon/plugins/addrblock/Makefile

7
src/libcharon/Makefile.am
View File

@ -212,6 +212,13 @@ if MONOLITHIC
endif
endif
if USE_IPSECKEY
SUBDIRS += plugins/ipseckey
if MONOLITHIC
libcharon_la_LIBADD += plugins/ipseckey/libstrongswan-ipseckey.la
endif
endif
if USE_UPDOWN
SUBDIRS += plugins/updown
if MONOLITHIC

18
src/libcharon/plugins/ipseckey/Makefile.am Normal file
View File

@ -0,0 +1,18 @@
INCLUDES = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libhydra \
-I$(top_srcdir)/src/libcharon
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-ipseckey.la
else
plugin_LTLIBRARIES = libstrongswan-ipseckey.la
endif
libstrongswan_ipseckey_la_SOURCES = \
ipseckey_plugin.h ipseckey_plugin.c \
ipseckey_cred.h ipseckey_cred.c \
ipseckey.h ipseckey.c
libstrongswan_ipseckey_la_LDFLAGS = -module -avoid-version

211
src/libcharon/plugins/ipseckey/ipseckey.c Normal file
View File

@ -0,0 +1,211 @@
/*
* Copyright (C) 2012 Reto Guadagnini
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "ipseckey.h"
#include <library.h>
#include <utils/debug.h>
#include <bio/bio_reader.h>
typedef struct private_ipseckey_t private_ipseckey_t;
/**
* private data of the ipseckey
*/
struct private_ipseckey_t {
/**
* public functions
*/
ipseckey_t public;
/**
* Precedence
*/
u_int8_t precedence;
/**
* Gateway type
*/
u_int8_t gateway_type;
/**
* Algorithm
*/
u_int8_t algorithm;
/**
* Gateway
*/
chunk_t gateway;
/**
* Public key
*/
chunk_t public_key;
};
METHOD(ipseckey_t, get_precedence, u_int8_t,
private_ipseckey_t *this)
{
return this->precedence;
}
METHOD(ipseckey_t, get_gateway_type, ipseckey_gw_type_t,
private_ipseckey_t *this)
{
return this->gateway_type;
}
METHOD(ipseckey_t, get_algorithm, ipseckey_algorithm_t,
private_ipseckey_t *this)
{
return this->algorithm;
}
METHOD(ipseckey_t, get_gateway, chunk_t,
private_ipseckey_t *this)
{
return this->gateway;
}
METHOD(ipseckey_t, get_public_key, chunk_t,
private_ipseckey_t *this)
{
return this->public_key;
}
METHOD(ipseckey_t, destroy, void,
private_ipseckey_t *this)
{
chunk_free(&this->gateway);
chunk_free(&this->public_key);
free(this);
}
/*
* See header
*/
ipseckey_t *ipseckey_create_frm_rr(rr_t *rr)
{
private_ipseckey_t *this;
bio_reader_t *reader = NULL;
u_int8_t label;
chunk_t tmp;
INIT(this,
.public = {
.get_precedence = _get_precedence,
.get_gateway_type = _get_gateway_type,
.get_algorithm = _get_algorithm,
.get_gateway = _get_gateway,
.get_public_key = _get_public_key,
.destroy = _destroy,
},
);
if (rr->get_type(rr) != RR_TYPE_IPSECKEY)
{
DBG1(DBG_CFG, "unable to create an ipseckey out of a RR "
"whose type is not IPSECKEY");
free(this);
return NULL;
}
/** Parse the content (RDATA field) of the RR */
reader = bio_reader_create(rr->get_rdata(rr));
if (!reader->read_uint8(reader, &this->precedence) ||
!reader->read_uint8(reader, &this->gateway_type) ||
!reader->read_uint8(reader, &this->algorithm))
{
DBG1(DBG_CFG, "ipseckey RR has a wrong format");
reader->destroy(reader);
free(this);
}
switch (this->gateway_type)
{
case IPSECKEY_GW_TP_NOT_PRESENT:
break;
case IPSECKEY_GW_TP_IPV4:
if (!reader->read_data(reader, 4, &this->gateway))
{
DBG1(DBG_CFG, "ipseckey gateway field does not contain an IPv4 "
"address as expected");
reader->destroy(reader);
free(this);
return NULL;
}
this->gateway = chunk_clone(this->gateway);
break;
case IPSECKEY_GW_TP_IPV6:
if (!reader->read_data(reader, 16, &this->gateway))
{
DBG1(DBG_CFG, "ipseckey gateway field does not contain an IPv6 "
"address as expected");
reader->destroy(reader);
free(this);
return NULL;
}
this->gateway = chunk_clone(this->gateway);
break;
case IPSECKEY_GW_TP_WR_ENC_DNAME:
/**
* Uncompressed domain name as defined in RFC 1035 chapter 3.
*
* TODO: Currently we ignore wire encoded domain names.
*
*/
while(reader->read_uint8(reader, &label) && label != 0 &&
label < 192)
{
if(!reader->read_data(reader, label, &tmp))
{
DBG1(DBG_CFG, "ipseckey gateway field: Wire encoded "
"domain name has the wrong format");
reader->destroy(reader);
free(this);
return NULL;
}
}
break;
default:
DBG1(DBG_CFG, "ipseckey gateway field: Unable to parse the "
"ipseckey gateway field. The gateway type field "
"indicates an unknown gateway type");
reader->destroy(reader);
free(this);
return NULL;
}
if (!reader->read_data(reader, reader->remaining(reader),
&this->public_key))
{
DBG1(DBG_CFG, "ipseckey public key field: Failure while reading "
"the public key");
reader->destroy(reader);
chunk_free(&this->gateway);
free(this);
return NULL;
}
this->public_key = chunk_clone(this->public_key);
reader->destroy(reader);
return &this->public;
}

149
src/libcharon/plugins/ipseckey/ipseckey.h Normal file
View File

@ -0,0 +1,149 @@
/*
* Copyright (C) 2012 Reto Guadagnini
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup ipseckey_cred_i ipseckey
* @{ @ingroup ipseckey
*/
#ifndef IPSECKEY_H_
#define IPSECKEY_H_
typedef struct ipseckey_t ipseckey_t;
typedef enum ipseckey_algorithm_t ipseckey_algorithm_t;
typedef enum ipseckey_gw_type_t ipseckey_gw_type_t;
#include <library.h>
/**
* IPSECKEY gateway types as defined in RFC 4025.
*/
enum ipseckey_gw_type_t {
/** No gateway is present */
IPSECKEY_GW_TP_NOT_PRESENT = 0,
/** A 4-byte IPv4 address is present */
IPSECKEY_GW_TP_IPV4 = 1,
/** A 16-byte IPv6 address is present */
IPSECKEY_GW_TP_IPV6 = 2,
/** A wire-encoded domain name is present */
IPSECKEY_GW_TP_WR_ENC_DNAME = 3,
};
/**
* IPSECKEY algorithms as defined in RFC 4025.
*/
enum ipseckey_algorithm_t {
/** No key present */
IPSECKEY_ALGORITHM_NONE = 0,
/** DSA key */
IPSECKEY_ALGORITHM_DSA = 1,
/** RSA key */
IPSECKEY_ALGORITHM_RSA = 2,
};
/**
* An IPSECKEY.
*
* Represents an IPSECKEY as defined in RFC 4025:
*
* 0 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | precedence | gateway type | algorithm | gateway |
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
* ~ gateway ~
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* | /
* / public key /
* / /
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
*
*
* Note: RFC 4025 defines that the algorithm field has a length of 7 bits.
* We use 8 bits instead, because the use of 7 bits is very uncommon
* in internet protocols and might be an error in RFC 4025
* (also the BIND DNS server uses 8 bits for the algorithm field of the
* IPSECKEY resource records).
*
*/
struct ipseckey_t {
/**
* Get the precedence of the IPSECKEY.
*
* @return precedence
*/
u_int8_t (*get_precedence)(ipseckey_t *this);
/**
* Get the type of the gateway.
*
* The "gateway type" determines the format of the gateway field
* of the IPSECKEY.
*
* @return gateway type
*/
ipseckey_gw_type_t (*get_gateway_type)(ipseckey_t *this);
/**
* Get the algorithm.
*
* The "algorithm" determines the format of the public key field
* of the IPSECKEY.
*
* @return algorithm
*/
ipseckey_algorithm_t (*get_algorithm)(ipseckey_t *this);
/**
* Get the content of the gateway field as chunk.
*
* The content is in network byte order and its format depends on the
* gateway type.
*
* The data pointed by the chunk is still owned by the IPSECKEY.
* Clone it if necessary.
*
* @return gateway field as chunk
*/
chunk_t (*get_gateway)(ipseckey_t *this);
/**
* Get the content of the public key field as chunk.
*
* The format of the public key depends on the algorithm type.
*
* The data pointed by the chunk is still owned by the IPSECKEY.
* Clone it if necessary.
*
* @return public key field as chunk
*/
chunk_t (*get_public_key)(ipseckey_t *this);
/**
* Destroy the IPSECKEY.
*/
void (*destroy) (ipseckey_t *this);
};
/**
* Create an ipseckey instance out of a resource record.
*
* @param rr resource record which contains an IPSECKEY
* @return ipseckey, NULL on failure
*/
ipseckey_t *ipseckey_create_frm_rr(rr_t *rr);
#endif /** IPSECKEY_H_ @}*/

278
src/libcharon/plugins/ipseckey/ipseckey_cred.c Normal file
View File

@ -0,0 +1,278 @@
/*
* Copyright (C) 2012 Reto Guadagnini
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include "ipseckey_cred.h"
#include "ipseckey.h"
#include <bio/bio_reader.h>
#include <daemon.h>
typedef struct private_ipseckey_cred_t private_ipseckey_cred_t;
/**
* Private data of an ipseckey_cred_t object
*/
struct private_ipseckey_cred_t {
/**
* Public part
*/
ipseckey_cred_t public;
/**
* DNS resolver
*/
resolver_t *res;
};
/**
* enumerator over certificates
*/
typedef struct {
/** implements enumerator interface */
enumerator_t public;
/** inner enumerator (enumerates IPSECKEY resource records) */
enumerator_t *inner;
/** response of the DNS resolver which contains the IPSECKEYs */
resolver_response_t *response;
/* IPSECKEYs are not valid before this point in time */
time_t notBefore;
/* IPSECKEYs are not valid after this point in time */
time_t notAfter;
/* identity to which the IPSECKEY belongs */
identification_t *identity;
} cert_enumerator_t;
METHOD(enumerator_t, cert_enumerator_enumerate, bool,
cert_enumerator_t *this, certificate_t **cert)
{
rr_t *cur_rr = NULL;
ipseckey_t *cur_ipseckey = NULL;
chunk_t pub_key;
public_key_t * key = NULL;
bool supported_ipseckey_found = FALSE;
DBG1(DBG_CFG, "ipseckey_cred: Enumerating over IPSECKEY certificates");
/* Get the next supported IPSECKEY using the inner enumerator. */
while (this->inner->enumerate(this->inner, &cur_rr) &&
!supported_ipseckey_found)
{
supported_ipseckey_found = TRUE;
cur_ipseckey = ipseckey_create_frm_rr(cur_rr);
if (!cur_ipseckey)
{
DBG1(DBG_CFG, "ipseckey_cred: Error while parsing an IPSECKEY. "
"Skipping this key");
supported_ipseckey_found = FALSE;
}
if (cur_ipseckey &&
cur_ipseckey->get_algorithm(cur_ipseckey) != IPSECKEY_ALGORITHM_RSA)
{
DBG1(DBG_CFG, "ipseckey_cred: Skipping an IPSECKEY which uses an "
"unsupported algorithm");
cur_ipseckey->destroy(cur_ipseckey);
supported_ipseckey_found = FALSE;
}
}
if (supported_ipseckey_found)
{
/*
* Wrap the key of the IPSECKEY in a certificate and return this
* certificate.
*/
pub_key = cur_ipseckey->get_public_key(cur_ipseckey);
key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
BUILD_BLOB_DNSKEY, pub_key,
BUILD_END);
if (!key)
{
DBG1(DBG_CFG, "ipseckey_cred: Failed to create a public key "
"from the IPSECKEY");
cur_ipseckey->destroy(cur_ipseckey);
return FALSE;
}
*cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
CERT_TRUSTED_PUBKEY,
BUILD_PUBLIC_KEY, key,
BUILD_SUBJECT, this->identity,
BUILD_NOT_BEFORE_TIME, this->notBefore,
BUILD_NOT_AFTER_TIME, this->notAfter,
BUILD_END);
return TRUE;
}
return FALSE;
}
METHOD(enumerator_t, cert_enumerator_destroy, void,
cert_enumerator_t *this)
{
this->inner->destroy(this->inner);
this->response->destroy(this->response);
free(this);
}
METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
private_ipseckey_cred_t *this, certificate_type_t cert, key_type_t key,
identification_t *id, bool trusted)
{
char *fqdn = NULL;
resolver_response_t *response = NULL;
rr_set_t *rrset = NULL;
enumerator_t *rrsig_enum = NULL;
rr_t *rrsig = NULL;
bio_reader_t *reader = NULL;
chunk_t ignore;
u_int32_t nBefore, nAfter;
cert_enumerator_t *e;
if (id && id->get_type(id) == ID_FQDN)
{
/** Query the DNS for the required IPSECKEY RRs */
if (0 >= asprintf(&fqdn, "%Y", id))
{
DBG1(DBG_CFG, "ipseckey_cred: ID is empty");
return enumerator_create_empty();
}
DBG1(DBG_CFG, "ipseckey_cred: Performing a DNS query for the IPSECKEY "
"RRs of the domain %s", fqdn);
response = this->res->query(this->res, fqdn, RR_CLASS_IN,
RR_TYPE_IPSECKEY);
if (!response)
{
DBG1(DBG_CFG, "ipseckey_cred: DNS query failed");
free(fqdn);
return enumerator_create_empty();
}
if (!response->has_data(response) ||
!response->query_name_exist(response) ||
!(response->get_security_state(response) == SECURE) )
{
DBG1(DBG_CFG, "ipseckey_cred: Unable to retrieve IPSECKEY RRs "
"for the domain %s from the DNS", fqdn);
response->destroy(response);
free(fqdn);
return enumerator_create_empty();
}
free(fqdn);
/** Determine the validity period of the retrieved IPSECKEYs
*
* We use the "Signature Inception" and "Signature Expiration" field
* of the RRSIG resource record to determine the validity period of the
* IPSECKEY RRs.
*/
rrset = response->get_rr_set(response);
rrsig_enum = rrset->create_rrsig_enumerator(rrset);
if (!rrsig_enum)
{
DBG1(DBG_CFG, "ipseckey_cred: Unable to determine the validity "
"period of the RRs, because there are "
"no RRSIGs present");
response->destroy(response);
return enumerator_create_empty();
}
/**
* Currently we use the first RRSIG of the IPSECKEY RRset
* to determine the validity period of the IPSECKEYs.
* TODO: Take multiple RRSIGs into account.
*/
if (!rrsig_enum->enumerate(rrsig_enum, &rrsig))
{
DBG1(DBG_CFG, "ipseckey_cred: Unable to determine the validity "
"period of the IPSECKEY RRs, because there are "
"no RRSIGs present");
rrsig_enum->destroy(rrsig_enum);
response->destroy(response);
return enumerator_create_empty();
}
/**
* Parse the RRSIG for its validity period.
* For the format of a RRSIG see RFC 4034.
*/
reader = bio_reader_create(rrsig->get_rdata(rrsig));
reader->read_data(reader, 8, &ignore);
reader->read_uint32(reader, &nAfter);
reader->read_uint32(reader, &nBefore);
reader->destroy(reader);
/** Create and return an iterator over the retrieved IPSECKEYs */
INIT(e,
.public = {
.enumerate = (void*)_cert_enumerator_enumerate,
.destroy = _cert_enumerator_destroy,
},
.inner = response->get_rr_set(response)->create_rr_enumerator(
response->get_rr_set(response)),
.response = response,
.notBefore = nBefore,
.notAfter = nAfter,
.identity = id,
);
return &e->public;
}
return enumerator_create_empty();
}
METHOD(ipseckey_cred_t, destroy, void,
private_ipseckey_cred_t *this)
{
this->res->destroy(this->res);
free(this);
}
/**
* Described in header.
*/
ipseckey_cred_t *ipseckey_cred_create(resolver_t *res)
{
private_ipseckey_cred_t *this;
INIT(this,
.public = {
.set = {
.create_private_enumerator = (void*)return_null,
.create_cert_enumerator = _create_cert_enumerator,
.create_shared_enumerator = (void*)return_null,
.create_cdp_enumerator = (void*)return_null,
.cache_cert = (void*)nop,
},
.destroy = _destroy,
},
.res = res,
);
return &this->public;
}

57
src/libcharon/plugins/ipseckey/ipseckey_cred.h Normal file
View File

@ -0,0 +1,57 @@
/*
* Copyright (C) 2012 Reto Guadagnini
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup ipseckey_cred_i ipseckey_cred
* @{ @ingroup ipseckey
*/
#ifndef IPSECKEY_CRED_H_
#define IPSECKEY_CRED_H_
#include <credentials/credential_set.h>
#include <resolver/resolver.h>
typedef struct ipseckey_cred_t ipseckey_cred_t;
/**
* IPSECKEY credential set.
*
* The ipseckey credential set contains IPSECKEYs as certificates of type
* pubkey_cert_t.
*/
struct ipseckey_cred_t {
/**
* Implements credential_set_t interface
*/
credential_set_t set;
/**
* Destroy the ipseckey_cred.
*/
void (*destroy)(ipseckey_cred_t *this);
};
/**
* Create an ipseckey_cred instance which uses the given resolver
* to query the DNS for IPSECKEY resource records.
*
* @param res resolver to use
* @return credential set
*/
ipseckey_cred_t *ipseckey_cred_create(resolver_t *res);
#endif /** IPSECKEY_CRED_H_ @}*/

91
src/libcharon/plugins/ipseckey/ipseckey_plugin.c Normal file
View File

@ -0,0 +1,91 @@
/*
* Copyright (C) 2012 Reto Guadagnini
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "ipseckey_plugin.h"
#include <daemon.h>
#include "ipseckey_cred.h"
typedef struct private_ipseckey_plugin_t private_ipseckey_plugin_t;
/**
* private data of the ipseckey plugin
*/
struct private_ipseckey_plugin_t {
/**
* implements plugin interface
*/
ipseckey_plugin_t public;
/**
* DNS resolver instance
*/
resolver_t *res;
/**
* credential set
*/
ipseckey_cred_t *cred;
};
METHOD(plugin_t, get_name, char*,
private_ipseckey_plugin_t *this)
{
return "ipseckey";
}
METHOD(plugin_t, destroy, void,
private_ipseckey_plugin_t *this)
{
lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
this->res->destroy(this->res);
DESTROY_IF(this->cred);
free(this);
}
/*
* see header file
*/
plugin_t *ipseckey_plugin_create()
{
private_ipseckey_plugin_t *this;
INIT(this,
.public = {
.plugin = {
.get_name = _get_name,
.reload = (void*)return_false,
.destroy = _destroy,
},
},
.res = lib->resolver->create(lib->resolver),
);
if (!this->res)
{
DBG1(DBG_CFG, "ipseckey_plugin: Failed to create"
"a DNS resolver instance");
destroy(this);
return NULL;
}
this->cred = ipseckey_cred_create(this->res);
lib->credmgr->add_set(lib->credmgr, &this->cred->set);
return &this->public.plugin;
}

48
src/libcharon/plugins/ipseckey/ipseckey_plugin.h Normal file
View File

@ -0,0 +1,48 @@
/*
* Copyright (C) 2012 Reto Guadagnini
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup ipseckey ipseckey
* @ingroup cplugins
*
* @defgroup ipseckey_plugin ipseckey_plugin
* @{ @ingroup ipseckey
*/
#ifndef IPSECKEY_PLUGIN_H_
#define IPSECKEY_PLUGIN_H_
#include <plugins/plugin.h>
typedef struct ipseckey_plugin_t ipseckey_plugin_t;
/**
* IPSECKEY plugin
*
* The IPSECKEY plugin registers a credential set for IPSECKEYs.
*
* With this credential set it is possible to authenticate tunnel endpoints
* using IPSECKEY resource records which are retrieved from the DNS in a secure
* way (DNSSEC).
*/
struct ipseckey_plugin_t {
/**
* implements plugin interface
*/
plugin_t plugin;
};
#endif /** IPSECKEY_PLUGIN_H_ @}*/