swanctl: Change syntax of secrets to accept identities with special chars
authorMartin Willi <martin@revosec.ch>
Fri, 25 Apr 2014 09:22:45 +0000 (11:22 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 7 May 2014 13:48:16 +0000 (15:48 +0200)
Having identity strings in the settings key is problematic, as the parser can't
handle arbitrary characters in it. Further, the space separation makes it
impossible to define identities with spaces.

The new format uses key prefixes, similar to those used in local/remote auth
sections of connections. The secrets section takes subsections with type
prefixes, and each subsection uses "id" prefixes to define an arbitrary
number of identities.

src/swanctl/commands/load_creds.c
src/swanctl/swanctl.conf

index 52cdfb9..94d31f4 100644 (file)
@@ -273,30 +273,44 @@ static void load_keys(vici_conn_t *conn, bool raw, bool noprompt,
 }
 
 /**
- * Load a single secret for ids over VICI
+ * Load a single secret over VICI
  */
-static bool load_secret(vici_conn_t *conn, char *type, char *owners,
-                                               char *value, bool raw)
+static bool load_secret(vici_conn_t *conn, settings_t *cfg,
+                                               char *section, bool raw)
 {
        enumerator_t *enumerator;
        vici_req_t *req;
        vici_res_t *res;
        chunk_t data;
-       char *owner;
+       char *key, *value, buf[128], *type = NULL;
        bool ret = TRUE;
+       int i;
+       char *types[] = {
+               "eap",
+               "xauth",
+               "ike",
+       };
 
-       req = vici_begin("load-shared");
-
-       vici_add_key_valuef(req, "type", "%s", type);
-       vici_begin_list(req, "owners");
-       enumerator = enumerator_create_token(owners, " ", " ");
-       while (enumerator->enumerate(enumerator, &owner))
+       for (i = 0; i < countof(types); i++)
+       {
+               if (strpfx(section, types[i]))
+               {
+                       type = types[i];
+                       break;
+               }
+       }
+       if (!type)
        {
-               vici_add_list_itemf(req, "%s", owner);
+               fprintf(stderr, "ignoring unsupported secret '%s'\n", section);
+               return FALSE;
        }
-       enumerator->destroy(enumerator);
-       vici_end_list(req);
 
+       value = cfg->get_str(cfg, "secrets.%s.secret", NULL, section);
+       if (!value)
+       {
+               fprintf(stderr, "missing secret in '%s', ignored\n", section);
+               return FALSE;
+       }
        if (strcasepfx(value, "0x"))
        {
                data = chunk_from_hex(chunk_from_str(value + 2), NULL);
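Review bot: The new header comment `Load a single secret over VICI` no longer describes what load_secret actually takes now that the type is derived from the section name; I would state the contract, e.g. `/** Load the secret defined in the secrets.<section> subsection over VICI; the type is taken from the section name prefix (eap, xauth or ike) */`. The loop `for (i = 0; i < countof(types); i++)` compares a signed int against the unsigned value countof() presumably yields, so declaring `i` as size_t (or whatever countof() returns) avoids the sign-compare warning. The strpfx() match also accepts any section whose name merely starts with a type, such as "ikefoo"; if only "<type>" or "<type>-…" is intended, checking the character after the prefix would tighten that. load_secret's body continues in the following hunks.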
@@ -309,9 +323,26 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners,
        {
                data = chunk_clone(chunk_from_str(value));
        }
+
+       req = vici_begin("load-shared");
+
+       vici_add_key_valuef(req, "type", "%s", type);
        vici_add_key_value(req, "data", data.ptr, data.len);
        chunk_clear(&data);
 
+       vici_begin_list(req, "owners");
+       snprintf(buf, sizeof(buf), "secrets.%s", section);
+       enumerator = cfg->create_key_value_enumerator(cfg, buf);
+       while (enumerator->enumerate(enumerator, &key, &value))
+       {
+               if (strpfx(key, "id"))
+               {
+                       vici_add_list_itemf(req, "%s", value);
+               }
+       }
+       enumerator->destroy(enumerator);
+       vici_end_list(req);
+
        res = vici_submit(req, conn);
        if (!res)
        {
@@ -330,38 +361,13 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners,
        }
        else
        {
-               printf("loaded %s secret for: ", type);
-               enumerator = enumerator_create_token(owners, " ", " ");
-               while (enumerator->enumerate(enumerator, &owner))
-               {
-                       printf("'%s' ", owner);
-               }
-               enumerator->destroy(enumerator);
-               printf("\n");
+               printf("loaded %s secret '%s'\n", type, section);
        }
        vici_free_res(res);
        return ret;
 }
 
 /**
- * Load secrets from settings section
- */
-static void load_secrets(vici_conn_t *conn, settings_t *cfg,
-                                                char *section, bool raw)
-{
-       enumerator_t *enumerator;
-       char buf[64], *key, *value;
-
-       snprintf(buf, sizeof(buf), "secrets.%s", section);
-       enumerator = cfg->create_key_value_enumerator(cfg, buf);
-       while (enumerator->enumerate(enumerator, &key, &value))
-       {
-               load_secret(conn, section, key, value, raw);
-       }
-       enumerator->destroy(enumerator);
-}
-
-/**
  * Clear all currently loaded credentials
  */
 static bool clear_creds(vici_conn_t *conn, bool raw)
@@ -440,7 +446,7 @@ static int load_creds(vici_conn_t *conn)
        enumerator = cfg->create_section_enumerator(cfg, "secrets");
        while (enumerator->enumerate(enumerator, &section))
        {
-               load_secrets(conn, cfg, section, raw);
+               load_secret(conn, cfg, section, raw);
        }
        enumerator->destroy(enumerator);
 
index 7580740..f43d1d4 100644 (file)
@@ -113,10 +113,13 @@ connections {
 }
 
 secrets {
-       eap {
-#              tester = testpassword
-       }
-       ike {
-#              sun.strongswan.org = 0x12345678901234
-       }
+#      eap-tester {
+#              id = tester
+#              secret = test
+#      }
+#      ike-moon {
+#              id-local = sun.strongswan.org
+#              id-remote = mon.strongswan.org
+#              secret = 0x12345678901234
+#      }
 }
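Review bot: `id-remote = mon.strongswan.org` in the ike-moon example looks like a typo for moon.strongswan.org, given the section is named ike-moon and sun.strongswan.org is the other identity; since this commented-out block is the template users copy, the example should be consistent. A short comment introducing the new syntax, such as `# keys starting with "id" name the identities the secret is shared with`, would also make the id/id-local/id-remote prefixes self-explanatory without reading the commit message.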