vici: Make PPK related options configurable
authorTobias Brunner <tobias@strongswan.org>
Thu, 26 Jul 2018 15:57:36 +0000 (17:57 +0200)
committerTobias Brunner <tobias@strongswan.org>
Mon, 10 Sep 2018 16:03:02 +0000 (18:03 +0200)
src/libcharon/plugins/vici/vici_config.c
src/libcharon/plugins/vici/vici_query.c
src/swanctl/swanctl.opt

index 8afefaa..10c62dc 100644 (file)
@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015-2017 Tobias Brunner
+ * Copyright (C) 2015-2018 Tobias Brunner
  * Copyright (C) 2015-2018 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -304,6 +304,8 @@ typedef struct {
        bool mobike;
        bool send_certreq;
        bool pull;
+       identification_t *ppk_id;
+       bool ppk_required;
        cert_policy_t send_cert;
        uint64_t dpd_delay;
        uint64_t dpd_timeout;
@@ -403,6 +405,8 @@ static void log_peer_data(peer_data_t *data)
        DBG2(DBG_CFG, "  remote_port = %u", data->remote_port);
        DBG2(DBG_CFG, "  send_certreq = %u", data->send_certreq);
        DBG2(DBG_CFG, "  send_cert = %N", cert_policy_names, data->send_cert);
+       DBG2(DBG_CFG, "  ppk_id = %Y",  data->ppk_id);
+       DBG2(DBG_CFG, "  ppk_required = %u",  data->ppk_required);
        DBG2(DBG_CFG, "  mobike = %u", data->mobike);
        DBG2(DBG_CFG, "  aggressive = %u", data->aggressive);
        DBG2(DBG_CFG, "  dscp = 0x%.2x", data->dscp);
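Review bot: The two added DBG2 lines use two spaces between the format string and `data->ppk_id` / `data->ppk_required`, unlike every neighbouring line in log_peer_data; `DBG2(DBG_CFG, "  ppk_id = %Y", data->ppk_id);` and `DBG2(DBG_CFG, "  ppk_required = %u", data->ppk_required);` would match the surrounding style. ppk_id is NULL whenever the section sets none, so this relies on the %Y hook rendering a NULL identification rather than dereferencing it; if that is not guaranteed, guard the line the way the optional IDs are handled elsewhere. The body of log_peer_data continues outside the hunk.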
@@ -469,6 +473,7 @@ static void free_peer_data(peer_data_t *data)
        free(data->pools);
        free(data->local_addrs);
        free(data->remote_addrs);
+       DESTROY_IF(data->ppk_id);
 #ifdef ME
        free(data->mediated_by);
        DESTROY_IF(data->peer_id);
@@ -1584,9 +1589,8 @@ CALLBACK(parse_hosts, bool,
        return TRUE;
 }
 
-#ifdef ME
 /**
- * Parse peer ID
+ * Parse peer/ppk ID
  */
 CALLBACK(parse_peer_id, bool,
        identification_t **out, chunk_t v)
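Review bot: The doc comment `Parse peer/ppk ID` is now the only description of a helper that is compiled unconditionally and used for two unrelated options, so it is worth stating what it actually produces. Something like `/** Parse an identity string into an identification_t; used for the ME peer ID and for ppk_id. */` would tell a reader why the #ifdef ME guard was dropped. The body of parse_peer_id continues outside the hunk.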
@@ -1600,7 +1604,7 @@ CALLBACK(parse_peer_id, bool,
        *out = identification_create_from_string(buf);
        return TRUE;
 }
-#endif /* ME */
+
 
 CALLBACK(cert_kv, bool,
        cert_data_t *cert, vici_message_t *message, char *name, chunk_t value)
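Review bot: Replacing `#endif /* ME */` with an empty line leaves two consecutive blank lines between parse_peer_id and cert_kv, which the rest of the file does not do between callbacks. Dropping the added blank line (removing the `-#endif` line without a replacement) keeps the single-blank-line separation.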
@@ -1744,6 +1748,8 @@ CALLBACK(peer_kv, bool,
                { "rekey_time",         parse_time,                     &peer->rekey_time                       },
                { "over_time",          parse_time,                     &peer->over_time                        },
                { "rand_time",          parse_time,                     &peer->rand_time                        },
+               { "ppk_id",                     parse_peer_id,          &peer->ppk_id                           },
+               { "ppk_required",       parse_bool,                     &peer->ppk_required                     },
 #ifdef ME
                { "mediation",          parse_bool,                     &peer->mediation                        },
                { "mediated_by",        parse_string,           &peer->mediated_by                      },
@@ -2480,6 +2486,8 @@ CALLBACK(config_sn, bool,
                .push_mode = !peer.pull,
                .dpd = peer.dpd_delay,
                .dpd_timeout = peer.dpd_timeout,
+               .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL,
+               .ppk_required = peer.ppk_required,
        };
 #ifdef ME
        cfg.mediation = peer.mediation;
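Review bot: Nothing rejects a section that sets `ppk_required = yes` without a `ppk_id`; the `.ppk_required = peer.ppk_required` initializer copies the flag regardless of whether `.ppk_id` ends up NULL. Unless the IKE code refuses such a configuration when it looks up the PPK, the connection can never satisfy its own requirement, and failing at load time with a clear message would be friendlier than a later negotiation failure. A check along the lines of `if (peer.ppk_required && !peer.ppk_id) { DBG1(DBG_CFG, "ppk_required set but no ppk_id configured"); ... }` before cfg is built, following whatever error path the other validation in config_sn uses, would cover it. The body of config_sn, including that error handling, lies outside the hunk.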
index f529902..0b84458 100644 (file)
@@ -787,6 +787,7 @@ CALLBACK(list_conns, vici_message_t*,
        child_cfg_t *child_cfg;
        char *ike, *str, *interface;
        uint32_t manual_prio, dpd_delay, dpd_timeout;
+       identification_t *ppk_id;
        linked_list_t *list;
        traffic_selector_t *ts;
        lifetime_cfg_t *lft;
@@ -849,6 +850,16 @@ CALLBACK(list_conns, vici_message_t*,
                        b->add_kv(b, "dpd_timeout", "%u", dpd_timeout);
                }
 
+               ppk_id = peer_cfg->get_ppk_id(peer_cfg);
+               if (ppk_id)
+               {
+                       b->add_kv(b, "ppk_id", "%Y", ppk_id);
+               }
+               if (peer_cfg->ppk_required(peer_cfg))
+               {
+                       b->add_kv(b, "ppk_required", "yes");
+               }
+
                build_auth_cfgs(peer_cfg, TRUE, b);
                build_auth_cfgs(peer_cfg, FALSE, b);
 
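Review bot: The `ppk_id` and `ppk_required` keys added to the list-conns reply are new protocol output, but the diffstat shows no change to the vici plugin's README, which documents the list-conns message format; clients reading that documentation will not know the keys exist. Note also that `ppk_required` is emitted only when set (`b->add_kv(b, "ppk_required", "yes")`), so the documentation should state that absence means "no", matching the `ppk_required = no` default in swanctl.opt. The body of list_conns continues outside the hunk.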
index 5b44c54..82bc424 100644 (file)
@@ -188,6 +188,12 @@ connections.<conn>.send_cert = ifasked
        certificate payloads altogether, _always_ causes certificate payloads to be
        sent unconditionally whenever certificate authentication is used.
 
+connections.<conn>.ppk_id =
+       String identifying the Postquantum Preshared Key (PPK) to be used.
+
+connections.<conn>.ppk_required = no
+       Whether a Postquantum Preshared Key (PPK) is required for this connection.
+
 connections.<conn>.keyingtries = 1
        Number of retransmission sequences to perform during initial connect.