diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 1f2448376..87f33480f 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -456,9 +456,6 @@ static void usage(const char *msg)
 fprintf(stderr, "Usage: charon\n"
 " [--help]\n"
 " [--version]\n"
- " [--strictcrlpolicy]\n"
- " [--cachecrls]\n"
- " [--crlcheckinterval ]\n"
 " [--use-syslog]\n"
 " [--debug- ]\n"
 " : log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
@@ -474,8 +471,6 @@ static void usage(const char *msg)
 */
 int main(int argc, char *argv[])
 {
- u_int crl_check_interval = 0;
- bool cache_crls = FALSE;
 bool use_syslog = FALSE;
 private_daemon_t *private_charon;
@@ -512,8 +507,6 @@ int main(int argc, char *argv[])
 { "help", no_argument, NULL, 'h' },
 { "version", no_argument, NULL, 'v' },
 { "use-syslog", no_argument, NULL, 'l' },
- { "cachecrls", no_argument, NULL, 'C' },
- { "crlcheckinterval", required_argument, NULL, 'x' },
 /* TODO: handle "debug-all" */
 { "debug-dmn", required_argument, &signal, DBG_DMN },
 { "debug-mgr", required_argument, &signal, DBG_MGR },
@@ -542,12 +535,6 @@ int main(int argc, char *argv[])
 case 'l':
 use_syslog = TRUE;
 continue;
- case 'C':
- cache_crls = TRUE;
- continue;
- case 'x':
- crl_check_interval = atoi(optarg);
- continue;
 case 0:
 /* option is in signal */
 levels[signal] = atoi(optarg);
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 6ce2f8f66..38656b8c5 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -73,6 +73,11 @@ struct private_stroke_cred_t {
 * mutex to lock lists above
 */
 mutex_t *mutex;
+
+ /**
+ * cache CRLs to disk?
+ */
+ bool cachecrl;
 };
 /**
@@ -527,7 +532,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 */
 static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 {
- if (cert->get_type(cert) == CERT_X509_CRL)
+ if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
 {
 /* CRLs get cached to /etc/ipsec.d/crls/authkeyId.der */
 crl_t *crl = (crl_t*)cert;
@@ -560,6 +565,17 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 }
 }
+/**
+ * Implementation of stroke_cred_t.cachecrl.
+ */
+static void cachecrl(private_stroke_cred_t *this, bool enabled)
+{
+ DBG1(DBG_CFG, "crl caching to %s %s",
+ CRL_DIR, enabled ? "enabled" : "disabled");
+ this->cachecrl = enabled;
+}
+
+
 /**
 * Convert a string of characters into a binary secret
 * A string between single or double quotes is treated as ASCII characters
@@ -912,6 +928,7 @@ stroke_cred_t *stroke_cred_create()
 this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
 this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
 this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
+ this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
 this->public.destroy = (void(*)(stroke_cred_t*))destroy;
 this->certs = linked_list_create();
@@ -922,6 +939,8 @@ stroke_cred_t *stroke_cred_create()
 load_certs(this);
 load_secrets(this);
+ this->cachecrl = FALSE;
+
 return &this->public;
 }
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
index cbfed1175..1b9ef986e 100644
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ b/src/charon/plugins/stroke/stroke_cred.h
@@ -62,6 +62,13 @@ struct stroke_cred_t {
 */
 certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
+ /**
+ * Enable/Disable CRL caching to disk.
+ *
+ * @param enabled TRUE to enable, FALSE to disable
+ */
+ void (*cachecrl)(stroke_cred_t *this, bool enabled);
+
 /**
 * Destroy a stroke_cred instance.
 */
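Review bot: In the `@@ -922` hunk of stroke_cred.c the new `this->cachecrl = FALSE;` is assigned only after `load_certs(this)` and `load_secrets(this)` have run, while `cache_cert` (changed in the `@@ -527` hunk) now branches on `this->cachecrl`. If either loader reaches `cache_cert` during construction, which the hunk does not show, and `this` is not zero-allocated, the flag is read while still indeterminate, so a freshly loaded CRL may or may not be written to disk. Move the assignment up next to the other member initialisations, e.g. directly after `this->certs = linked_list_create();`, so the field is defined before any loading begins. The remainder of stroke_cred_create lies outside the hunk.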
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 9ee5a2410..03bc470ea 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -355,6 +355,13 @@ static void stroke_loglevel(private_stroke_socket_t *this, stroke_msg_t *msg, FI
 charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
 }
+/**
+ * set various config options
+ */
+static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ this->cred->cachecrl(this->cred, msg->config.cachecrl);
+}
 /**
 * destroy a job context
@@ -448,6 +455,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
 case STR_LOGLEVEL:
 stroke_loglevel(this, msg, out);
 break;
+ case STR_CONFIG:
+ stroke_config(this, msg, out);
+ break;
 case STR_LIST:
 stroke_list(this, msg, out);
 break;
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index d69b2ced2..23fc95655 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -118,16 +118,6 @@ starter_start_charon (starter_config_t *cfg, bool debug)
 {
 arg[argc++] = "--use-syslog";
 }
- if (cfg->setup.cachecrls)
- {
- arg[argc++] = "--cachecrls";
- }
- if (cfg->setup.crlcheckinterval > 0)
- {
- snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
- arg[argc++] = "--crlcheckinterval";
- arg[argc++] = buffer1;
- }
 {
 /* parse debug string */
 char *pos, *level, *buf_pos, type[4];
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5
index db0ab98a3..335042fb5 100644
--- a/src/starter/ipsec.conf.5
+++ b/src/starter/ipsec.conf.5
@@ -885,7 +885,7 @@ The currently-accepted names in a
 .B config
 .B setup
-section are:
+section affecting both daemons are:
 .TP 14
 .B cachecrls
 certificate revocation lists (CRLs) fetched via http or ldap will be cached in
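Review bot: The header comment on `stroke_config` in the `@@ -355` hunk of stroke_socket.c, `set various config options`, does not say which option is applied, and the function accepts `FILE *out` but never writes to it, so the `ipsec starter` side gets no acknowledgement of the state it just set. I would make the comment concrete, e.g. `/* apply a STR_CONFIG message; currently only toggles CRL caching to disk via stroke_cred_t.cachecrl */`, and, if the sibling handlers report back on `out`, echo the new caching state there as well. Whether the other handlers use `out` is not visible in this hunk.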
@@ -905,11 +905,6 @@ Accepted values are
 or
 .BR no .
 .TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
 .B dumpdir
 in what directory should things started by \fBipsec starter\fR (notably the Pluto and Charon daemons) be allowed to dump core?
@@ -940,11 +935,37 @@ which reverts to
 if at least one CRL URI is defined and to
 .B no
 if no URI is known.
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
 .PP
 The following
 .B config
 section parameters are used by the IKEv1 Pluto daemon only:
 .TP
+.B crlcheckinterval
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
 .B keep_alive
 interval in seconds between NAT keep alive packets, the default being 20 seconds.
 .TP
@@ -1035,27 +1056,6 @@ Default is none.
 .TP
 .B virtual_private
 defines private networks using a wildcard notation.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
 .PP
 The following
 .B config
 section
diff --git a/src/starter/starter.c b/src/starter/starter.c
index af55961e9..c92b2bc59 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -541,6 +541,7 @@ int main (int argc, char **argv)
 /* schedule next try */
 alarm(PLUTO_RESTART_DELAY);
 }
+ starter_stroke_configure(cfg);
 }
 _action_ &= ~FLAG_ACTION_START_CHARON;
 }
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index ddac5560b..1ee7ddc60 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -327,4 +327,17 @@ int starter_stroke_del_ca(starter_ca_t *ca)
 return send_stroke_msg(&msg);
 }
+int starter_stroke_configure(starter_config_t *cfg)
+{
+ stroke_msg_t msg;
+
+ if (cfg->setup.cachecrls)
+ {
+ msg.type = STR_CONFIG;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.config.cachecrl = 1;
+ return send_stroke_msg(&msg);
+ }
+ return 0;
+}
diff --git a/src/starter/starterstroke.h b/src/starter/starterstroke.h
index 8d45141ac..5591d1c5a 100644
--- a/src/starter/starterstroke.h
+++ b/src/starter/starterstroke.h
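Review bot: The return value of `starter_stroke_configure(cfg)` is discarded in the `@@ -541` hunk of starter.c, so a failed send silently leaves CRL caching at the daemon's default, whereas the start failure a few lines above is handled by scheduling a retry. The call is also placed after the closing brace of the restart-scheduling block, so as far as the hunk shows it runs even when starting charon has just failed; if the enclosing `if` (outside the hunk) does not already guard that, the call should be made conditional on a successful start. At minimum check the result and report it through this file's logging helper, e.g. `if (starter_stroke_configure(cfg) != 0) { /* log: could not send stroke config */ }`.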
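Review bot: `starter_stroke_configure` in the `@@ -327` hunk of starterstroke.c sends `msg` with `length = offsetof(stroke_msg_t, buffer)`, but only `type`, `length` and `config.cachecrl` are assigned, so every other byte of the union up to `buffer` is uninitialised stack memory written to the stroke socket. It also only ever enables caching: when `cfg->setup.cachecrls` is off nothing is sent and the daemon keeps whatever state it had, which matters if this is ever called after a configuration reload rather than only at daemon start. Zero the message and send the configured value unconditionally, as below; `memset` needs `<string.h>` if the file does not already include it, and whether the sibling senders zero their message is not visible here.
```c
int starter_stroke_configure(starter_config_t *cfg)
{
	stroke_msg_t msg;

	memset(&msg, 0, sizeof(msg));
	msg.type = STR_CONFIG;
	msg.length = offsetof(stroke_msg_t, buffer);
	msg.config.cachecrl = cfg->setup.cachecrls ? 1 : 0;
	return send_stroke_msg(&msg);
}
```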
@@ -25,5 +25,6 @@ extern int starter_stroke_route_conn(starter_conn_t *conn);
 extern int starter_stroke_initiate_conn(starter_conn_t *conn);
 extern int starter_stroke_add_ca(starter_ca_t *ca);
 extern int starter_stroke_del_ca(starter_ca_t *ca);
+extern int starter_stroke_configure(starter_config_t *cfg);
 #endif /* _STARTER_STROKE_H_ */
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 068f0639f..12df24570 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -169,6 +169,8 @@ struct stroke_msg_t {
 STR_DEL_CA,
 /* set a log type to log/not log */
 STR_LOGLEVEL,
+ /* configure global options for stroke */
+ STR_CONFIG,
 /* list various objects */
 STR_LIST,
 /* reread various objects */
@@ -238,6 +240,11 @@ struct stroke_msg_t {
 char *type;
 int level;
 } loglevel;
+
+ /* data for STR_CONFIG */
+ struct {
+ int cachecrl;
+ } config;
 /* data for STR_LIST */
 struct {
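Review bot: Inserting `STR_CONFIG` before `STR_LIST` in the `@@ -169` hunk of stroke_msg.h renumbers every later enumerator, so a starter and a charon built from different revisions no longer agree on message types: an older starter's STR_LIST value would be dispatched as STR_CONFIG and its list payload read as `config.cachecrl`. If this enum is treated as the wire protocol between the two binaries, append the new value at the end of the enum instead, or document next to the enum that both must be rebuilt together. The rest of the enum lies outside the hunk, so I cannot tell whether a trailing sentinel makes appending awkward.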