stroke: Allow specifying the ipsec.secrets location in strongswan.conf
[strongswan.git] / src / libcharon / plugins / stroke / stroke_cred.c
index 4744178..83431d1 100644 (file)
@@ -17,8 +17,6 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <limits.h>
-#include <libgen.h>
-#include <sys/mman.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <unistd.h>
@@ -67,6 +65,11 @@ struct private_stroke_cred_t {
        stroke_cred_t public;
 
        /**
+        * secrets file with credential information
+        */
+       char *secrets_file;
+
+       /**
         * credentials
         */
        mem_cred_t *creds;
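Review bot: The new `secrets_file` member's comment does not say who owns the string, and the assignment in stroke_cred_create (the hunk at the `.secrets_file = lib->settings->get_str(...)` lines) stores the pointer returned by get_str without copying it, while no hunk adds a free in destroy. Either that is deliberate, because the settings object keeps the string alive for the plugin's lifetime, or the pointer can dangle if settings are reloaded; the diff does not show which. If the former, document it: `/** secrets file with credential information (owned by lib->settings, not freed here) */`; if the latter, `strdup()` the value in create and free it in destroy. The struct private_stroke_cred_t begins before this hunk and continues after it.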
@@ -521,7 +524,16 @@ METHOD(stroke_cred_t, cache_cert, void,
 
                        if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
                        {
-                               chunk_write(chunk, buf, "crl", 022, TRUE);
+                               if (chunk_write(chunk, buf, 022, TRUE))
+                               {
+                                       DBG1(DBG_CFG, "  written crl file '%s' (%d bytes)",
+                                                buf, chunk.len);
+                               }
+                               else
+                               {
+                                       DBG1(DBG_CFG, "  writing crl file '%s' failed: %s",
+                                                buf, strerror(errno));
+                               }
                                free(chunk.ptr);
                        }
                }
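Review bot: The success branch logs `chunk.len` with `%d`, but chunk_t.len is a size_t, so the specifier does not match the argument; `%zu` avoids the mismatch and keeps -Wformat quiet, i.e. `DBG1(DBG_CFG, "  written crl file '%s' (%zu bytes)", buf, chunk.len);`. The failure branch correctly reads errno right after chunk_write, which is fine as long as chunk_write leaves errno set by the failing call; worth confirming since its implementation is outside this hunk. The cache_cert method starts before the hunk.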
@@ -975,8 +987,8 @@ static bool load_private(mem_cred_t *secrets, chunk_t line, int line_nr,
 /**
  * Load a PKCS#12 container
  */
-static bool load_pkcs12(mem_cred_t *secrets, chunk_t line, int line_nr,
-                                               FILE *prompt)
+static bool load_pkcs12(private_stroke_cred_t *this, mem_cred_t *secrets,
+                                               chunk_t line, int line_nr, FILE *prompt)
 {
        enumerator_t *enumerator;
        char path[PATH_MAX];
@@ -1009,7 +1021,7 @@ static bool load_pkcs12(mem_cred_t *secrets, chunk_t line, int line_nr,
                        DBG1(DBG_CFG, "  loaded certificate \"%Y\" from '%s'",
                                 cert->get_subject(cert), path);
                }
-               secrets->add_cert(secrets, TRUE, cert->get_ref(cert));
+               this->creds->add_cert(this->creds, TRUE, cert->get_ref(cert));
        }
        enumerator->destroy(enumerator);
        enumerator = pkcs12->create_key_enumerator(pkcs12);
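Review bot: Certificates from the PKCS#12 container now go to `this->creds` while the `secrets` parameter is still passed in; if the key enumerator below this hunk still adds the private keys to `secrets`, the certificates and their keys end up in different credential sets, and at level 0 the later "replace secrets in active credential set" step may then treat them differently on reread. If that split is intended, a one-line comment above the add_cert call should say why, e.g. `/* certs are kept in the persistent set; only keys/secrets are replaced on reread */`, hedged as appropriate; if `secrets` is now unused in load_pkcs12 the parameter can be dropped. load_pkcs12 begins before this hunk and continues after it.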
@@ -1092,46 +1104,24 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr,
 static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
                                                 char *file, int level, FILE *prompt)
 {
-       int line_nr = 0, fd;
-       chunk_t src, line;
-       struct stat sb;
-       void *addr;
+       int line_nr = 0;
+       chunk_t *src, line;
 
        DBG1(DBG_CFG, "loading secrets from '%s'", file);
-       fd = open(file, O_RDONLY);
-       if (fd == -1)
+       src = chunk_map(file, FALSE);
+       if (!src)
        {
                DBG1(DBG_CFG, "opening secrets file '%s' failed: %s", file,
                         strerror(errno));
                return;
        }
-       if (fstat(fd, &sb) == -1)
-       {
-               DBG1(DBG_LIB, "getting file size of '%s' failed: %s", file,
-                        strerror(errno));
-               close(fd);
-               return;
-       }
-       if (sb.st_size == 0)
-       {       /* skip empty files, as mmap() complains */
-               close(fd);
-               return;
-       }
-       addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-       if (addr == MAP_FAILED)
-       {
-               DBG1(DBG_LIB, "mapping '%s' failed: %s", file, strerror(errno));
-               close(fd);
-               return;
-       }
-       src = chunk_create(addr, sb.st_size);
 
        if (!secrets)
        {
                secrets = mem_cred_create();
        }
 
-       while (fetchline(&src, &line))
+       while (fetchline(src, &line))
        {
                chunk_t ids, token;
                shared_key_type_t type;
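Review bot: The file is now mapped read-only (`chunk_map(file, FALSE)`) where the removed code mapped it PROT_READ | PROT_WRITE with MAP_PRIVATE; if any parser called from the loop (fetchline, the shared-secret or key loaders, all outside this hunk) writes into the line in place, that access would now fault, so the FALSE should be checked against those callers. The explicit skip for empty files is also gone; that is only safe if chunk_map handles a zero-length file itself, which this hunk does not show. A short comment would make the intent clear: `/* read-only private mapping; parsers must not modify the line buffer */`. load_secrets continues past the end of this hunk.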
@@ -1172,8 +1162,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
                        }
                        else
                        {       /* use directory of current file if relative */
-                               dir = strdup(file);
-                               dir = dirname(dir);
+                               dir = path_dirname(file);
 
                                if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
                                {
@@ -1243,7 +1232,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
                }
                else if (match("P12", &token))
                {
-                       if (!load_pkcs12(secrets, line, line_nr, prompt))
+                       if (!load_pkcs12(this, secrets, line, line_nr, prompt))
                        {
                                break;
                        }
@@ -1272,8 +1261,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
                        break;
                }
        }
-       munmap(addr, sb.st_size);
-       close(fd);
+       chunk_unmap(src);
 
        if (level == 0)
        {       /* replace secrets in active credential set */
@@ -1314,7 +1302,7 @@ METHOD(stroke_cred_t, reread, void,
        if (msg->reread.flags & REREAD_SECRETS)
        {
                DBG1(DBG_CFG, "rereading secrets");
-               load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
+               load_secrets(this, NULL, this->secrets_file, 0, prompt);
        }
        if (msg->reread.flags & REREAD_CACERTS)
        {
@@ -1387,6 +1375,9 @@ stroke_cred_t *stroke_cred_create()
                        .cachecrl = _cachecrl,
                        .destroy = _destroy,
                },
+               .secrets_file = lib->settings->get_str(lib->settings,
+                                                               "%s.plugins.stroke.secrets_file", SECRETS_FILE,
+                                                               lib->ns),
                .creds = mem_cred_create(),
        );
 
@@ -1394,10 +1385,10 @@ stroke_cred_t *stroke_cred_create()
 
        this->force_ca_cert = lib->settings->get_bool(lib->settings,
                                                "%s.plugins.stroke.ignore_missing_ca_basic_constraint",
-                                               FALSE, charon->name);
+                                               FALSE, lib->ns);
 
        load_certs(this);
-       load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
+       load_secrets(this, NULL, this->secrets_file, 0, NULL);
 
        return &this->public;
 }