respecting ipsec.conf cachecrls= option
This commit is contained in:
Martin Willi
parent
58126dd295
commit
b360e3933d
|
|
@ -456,9 +456,6 @@ static void usage(const char *msg)
|
|||
fprintf(stderr, "Usage: charon\n"
|
||||
" [--help]\n"
|
||||
" [--version]\n"
|
||||
" [--strictcrlpolicy]\n"
|
||||
" [--cachecrls]\n"
|
||||
" [--crlcheckinterval <interval>]\n"
|
||||
" [--use-syslog]\n"
|
||||
" [--debug-<type> <level>]\n"
|
||||
" <type>: log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
|
||||
|
|
@ -474,8 +471,6 @@ static void usage(const char *msg)
|
|||
*/
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
u_int crl_check_interval = 0;
|
||||
bool cache_crls = FALSE;
|
||||
bool use_syslog = FALSE;
|
||||
|
||||
private_daemon_t *private_charon;
|
||||
|
|
@ -512,8 +507,6 @@ int main(int argc, char *argv[])
|
|||
{ "help", no_argument, NULL, 'h' },
|
||||
{ "version", no_argument, NULL, 'v' },
|
||||
{ "use-syslog", no_argument, NULL, 'l' },
|
||||
{ "cachecrls", no_argument, NULL, 'C' },
|
||||
{ "crlcheckinterval", required_argument, NULL, 'x' },
|
||||
/* TODO: handle "debug-all" */
|
||||
{ "debug-dmn", required_argument, &signal, DBG_DMN },
|
||||
{ "debug-mgr", required_argument, &signal, DBG_MGR },
|
||||
|
|
@ -542,12 +535,6 @@ int main(int argc, char *argv[])
|
|||
case 'l':
|
||||
use_syslog = TRUE;
|
||||
continue;
|
||||
case 'C':
|
||||
cache_crls = TRUE;
|
||||
continue;
|
||||
case 'x':
|
||||
crl_check_interval = atoi(optarg);
|
||||
continue;
|
||||
case 0:
|
||||
/* option is in signal */
|
||||
levels[signal] = atoi(optarg);
|
||||
|
|
|
|||
|
|
@ -73,6 +73,11 @@ struct private_stroke_cred_t {
|
|||
* mutex to lock lists above
|
||||
*/
|
||||
mutex_t *mutex;
|
||||
|
||||
/**
|
||||
* cache CRLs to disk?
|
||||
*/
|
||||
bool cachecrl;
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
@ -527,7 +532,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
|
|||
*/
|
||||
static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
|
||||
{
|
||||
if (cert->get_type(cert) == CERT_X509_CRL)
|
||||
if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
|
||||
{
|
||||
/* CRLs get cached to /etc/ipsec.d/crls/authkeyId.der */
|
||||
crl_t *crl = (crl_t*)cert;
|
||||
|
|
@ -560,6 +565,17 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of stroke_cred_t.cachecrl.
|
||||
*/
|
||||
static void cachecrl(private_stroke_cred_t *this, bool enabled)
|
||||
{
|
||||
DBG1(DBG_CFG, "crl caching to %s %s",
|
||||
CRL_DIR, enabled ? "enabled" : "disabled");
|
||||
this->cachecrl = enabled;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Convert a string of characters into a binary secret
|
||||
* A string between single or double quotes is treated as ASCII characters
|
||||
|
|
@ -912,6 +928,7 @@ stroke_cred_t *stroke_cred_create()
|
|||
this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
|
||||
this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
|
||||
this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
|
||||
this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
|
||||
this->public.destroy = (void(*)(stroke_cred_t*))destroy;
|
||||
|
||||
this->certs = linked_list_create();
|
||||
|
|
@ -922,6 +939,8 @@ stroke_cred_t *stroke_cred_create()
|
|||
load_certs(this);
|
||||
load_secrets(this);
|
||||
|
||||
this->cachecrl = FALSE;
|
||||
|
||||
return &this->public;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -62,6 +62,13 @@ struct stroke_cred_t {
|
|||
*/
|
||||
certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
|
||||
|
||||
/**
|
||||
* Enable/Disable CRL caching to disk.
|
||||
*
|
||||
* @param enabled TRUE to enable, FALSE to disable
|
||||
*/
|
||||
void (*cachecrl)(stroke_cred_t *this, bool enabled);
|
||||
|
||||
/**
|
||||
* Destroy a stroke_cred instance.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -355,6 +355,13 @@ static void stroke_loglevel(private_stroke_socket_t *this, stroke_msg_t *msg, FI
|
|||
charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
|
||||
}
|
||||
|
||||
/**
|
||||
* set various config options
|
||||
*/
|
||||
static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
|
||||
{
|
||||
this->cred->cachecrl(this->cred, msg->config.cachecrl);
|
||||
}
|
||||
|
||||
/**
|
||||
* destroy a job context
|
||||
|
|
@ -448,6 +455,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
|
|||
case STR_LOGLEVEL:
|
||||
stroke_loglevel(this, msg, out);
|
||||
break;
|
||||
case STR_CONFIG:
|
||||
stroke_config(this, msg, out);
|
||||
break;
|
||||
case STR_LIST:
|
||||
stroke_list(this, msg, out);
|
||||
break;
|
||||
|
|
|
|||
|
|
@ -118,16 +118,6 @@ starter_start_charon (starter_config_t *cfg, bool debug)
|
|||
{
|
||||
arg[argc++] = "--use-syslog";
|
||||
}
|
||||
if (cfg->setup.cachecrls)
|
||||
{
|
||||
arg[argc++] = "--cachecrls";
|
||||
}
|
||||
if (cfg->setup.crlcheckinterval > 0)
|
||||
{
|
||||
snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
|
||||
arg[argc++] = "--crlcheckinterval";
|
||||
arg[argc++] = buffer1;
|
||||
}
|
||||
|
||||
{ /* parse debug string */
|
||||
char *pos, *level, *buf_pos, type[4];
|
||||
|
|
|
|||
|
|
@ -885,7 +885,7 @@ The currently-accepted
|
|||
names in a
|
||||
.B config
|
||||
.B setup
|
||||
section are:
|
||||
section affecting both daemons are:
|
||||
.TP 14
|
||||
.B cachecrls
|
||||
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
|
||||
|
|
@ -905,11 +905,6 @@ Accepted values are
|
|||
or
|
||||
.BR no .
|
||||
.TP
|
||||
.B crlcheckinterval
|
||||
interval in seconds. CRL fetching is enabled if the value is greater than zero.
|
||||
Asynchronous, periodic checking for fresh CRLs is currently done by the
|
||||
IKEv1 Pluto daemon only.
|
||||
.TP
|
||||
.B dumpdir
|
||||
in what directory should things started by \fBipsec starter\fR
|
||||
(notably the Pluto and Charon daemons) be allowed to dump core?
|
||||
|
|
@ -940,11 +935,37 @@ which reverts to
|
|||
if at least one CRL URI is defined and to
|
||||
.B no
|
||||
if no URI is known.
|
||||
.TP
|
||||
.B uniqueids
|
||||
whether a particular participant ID should be kept unique,
|
||||
with any new (automatically keyed)
|
||||
connection using an ID from a different IP address
|
||||
deemed to replace all old ones using that ID;
|
||||
acceptable values are
|
||||
.B yes
|
||||
(the default)
|
||||
and
|
||||
.BR no .
|
||||
Participant IDs normally \fIare\fR unique,
|
||||
so a new (automatically-keyed) connection using the same ID is
|
||||
almost invariably intended to replace an old one.
|
||||
The IKEv2 daemon also accepts the value
|
||||
.B replace
|
||||
wich is identical to
|
||||
.B yes
|
||||
and the value
|
||||
.B keep
|
||||
to reject new IKE_SA setups and keep the duplicate established earlier.
|
||||
.PP
|
||||
The following
|
||||
.B config section
|
||||
parameters are used by the IKEv1 Pluto daemon only:
|
||||
.TP
|
||||
.B crlcheckinterval
|
||||
interval in seconds. CRL fetching is enabled if the value is greater than zero.
|
||||
Asynchronous, periodic checking for fresh CRLs is currently done by the
|
||||
IKEv1 Pluto daemon only.
|
||||
.TP
|
||||
.B keep_alive
|
||||
interval in seconds between NAT keep alive packets, the default being 20 seconds.
|
||||
.TP
|
||||
|
|
@ -1035,27 +1056,6 @@ Default is none.
|
|||
.TP
|
||||
.B virtual_private
|
||||
defines private networks using a wildcard notation.
|
||||
.TP
|
||||
.B uniqueids
|
||||
whether a particular participant ID should be kept unique,
|
||||
with any new (automatically keyed)
|
||||
connection using an ID from a different IP address
|
||||
deemed to replace all old ones using that ID;
|
||||
acceptable values are
|
||||
.B yes
|
||||
(the default)
|
||||
and
|
||||
.BR no .
|
||||
Participant IDs normally \fIare\fR unique,
|
||||
so a new (automatically-keyed) connection using the same ID is
|
||||
almost invariably intended to replace an old one.
|
||||
The IKEv2 daemon also accepts the value
|
||||
.B replace
|
||||
wich is identical to
|
||||
.B yes
|
||||
and the value
|
||||
.B keep
|
||||
to reject new IKE_SA setups and keep the duplicate established earlier.
|
||||
.PP
|
||||
The following
|
||||
.B config section
|
||||
|
|
|
|||
|
|
@ -541,6 +541,7 @@ int main (int argc, char **argv)
|
|||
/* schedule next try */
|
||||
alarm(PLUTO_RESTART_DELAY);
|
||||
}
|
||||
starter_stroke_configure(cfg);
|
||||
}
|
||||
_action_ &= ~FLAG_ACTION_START_CHARON;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -327,4 +327,17 @@ int starter_stroke_del_ca(starter_ca_t *ca)
|
|||
return send_stroke_msg(&msg);
|
||||
}
|
||||
|
||||
int starter_stroke_configure(starter_config_t *cfg)
|
||||
{
|
||||
stroke_msg_t msg;
|
||||
|
||||
if (cfg->setup.cachecrls)
|
||||
{
|
||||
msg.type = STR_CONFIG;
|
||||
msg.length = offsetof(stroke_msg_t, buffer);
|
||||
msg.config.cachecrl = 1;
|
||||
return send_stroke_msg(&msg);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -25,5 +25,6 @@ extern int starter_stroke_route_conn(starter_conn_t *conn);
|
|||
extern int starter_stroke_initiate_conn(starter_conn_t *conn);
|
||||
extern int starter_stroke_add_ca(starter_ca_t *ca);
|
||||
extern int starter_stroke_del_ca(starter_ca_t *ca);
|
||||
extern int starter_stroke_configure(starter_config_t *cfg);
|
||||
|
||||
#endif /* _STARTER_STROKE_H_ */
|
||||
|
|
|
|||
|
|
@ -169,6 +169,8 @@ struct stroke_msg_t {
|
|||
STR_DEL_CA,
|
||||
/* set a log type to log/not log */
|
||||
STR_LOGLEVEL,
|
||||
/* configure global options for stroke */
|
||||
STR_CONFIG,
|
||||
/* list various objects */
|
||||
STR_LIST,
|
||||
/* reread various objects */
|
||||
|
|
@ -238,6 +240,11 @@ struct stroke_msg_t {
|
|||
char *type;
|
||||
int level;
|
||||
} loglevel;
|
||||
|
||||
/* data for STR_CONFIG */
|
||||
struct {
|
||||
int cachecrl;
|
||||
} config;
|
||||
|
||||
/* data for STR_LIST */
|
||||
struct {
|
||||
|
|
|
|||
Loading…
Reference in New Issue