lib: All settings use configured namespace
authorTobias Brunner <tobias@strongswan.org>
Tue, 28 Jan 2014 15:38:06 +0000 (16:38 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 12 Feb 2014 13:34:32 +0000 (14:34 +0100)
24 files changed:
man/strongswan.conf.5.in
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/crypto/crypto_factory.c
src/libstrongswan/crypto/crypto_tester.c
src/libstrongswan/crypto/diffie_hellman.c
src/libstrongswan/library.c
src/libstrongswan/networking/host_resolver.c
src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
src/libstrongswan/plugins/ntru/ntru_drbg.c
src/libstrongswan/plugins/ntru/ntru_ke.c
src/libstrongswan/plugins/openssl/openssl_crl.c
src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
src/libstrongswan/plugins/openssl/openssl_plugin.c
src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
src/libstrongswan/plugins/pkcs11/pkcs11_manager.c
src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c
src/libstrongswan/plugins/random/random_plugin.c
src/libstrongswan/plugins/unbound/unbound_resolver.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/processing/processor.c
src/libstrongswan/utils/leak_detective.c

index 3cfc57e..40df778 100644 (file)
@@ -139,11 +139,15 @@ Plugins to load in ipsec attest tool
 .BR Note :
 Many of these options also apply to \fBcharon\-cmd\fR and other
 \fBcharon\fR derivatives. Just use their respective name (e.g.
-\fIcharon\-cmd\fR) instead of  \fIcharon\fR.
+\fIcharon\-cmd\fR) instead of  \fIcharon\fR. For many options defaults
+can be defined in the \fIlibstrongswan\fR section.
 .TP
 .BR charon.block_threshold " [5]"
 Maximum number of half-open IKE_SAs for a single peer IP
 .TP
+.BR charon.cert_cache " [yes]"
+Whether relations in validated certificate chains should be cached in memory
+.TP
 .BR charon.cisco_unity " [no]
 Send Cisco Unity vendor ID payload (IKEv1 only)
 .TP
@@ -153,6 +157,31 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
 .BR charon.cookie_threshold " [10]"
 Number of half-open IKE_SAs that activate the cookie mechanism
 .TP
+.BR charon.crypto_test.bench " [no]"
+
+.TP
+.BR charon.crypto_test.bench_size " [1024]"
+
+.TP
+.BR charon.crypto_test.bench_time " [50]"
+
+.TP
+.BR charon.crypto_test.on_add " [no]"
+Test crypto algorithms during registration
+.TP
+.BR charon.crypto_test.on_create " [no]"
+Test crypto algorithms on each crypto primitive instantiation
+.TP
+.BR charon.crypto_test.required " [no]"
+Strictly require at least one test vector to enable an algorithm
+.TP
+.BR charon.crypto_test.rng_true " [no]"
+Whether to test RNG with TRUE quality; requires a lot of entropy
+.TP
+.BR charon.dh_exponent_ansi_x9_42 " [yes]"
+Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
+strength
+.TP
 .BR charon.dns1
 .TQ
 .BR charon.dns2
@@ -161,6 +190,9 @@ DNS servers assigned to peer via configuration payload (CP)
 .BR charon.dos_protection " [yes]"
 Enable Denial of Service protection using cookies and aggressiveness checks
 .TP
+.BR charon.ecp_x_coordinate_only " [yes]"
+Compliance with the errata for RFC 4753
+.TP
 .BR charon.filelog
 Section to define file loggers, see LOGGER CONFIGURATION
 .TP
@@ -183,6 +215,12 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
 .BR charon.hash_and_url " [no]"
 Enable hash and URL support
 .TP
+.BR charon.host_resolver.max_threads " [3]"
+Maximum number of concurrent resolver threads (they are terminated if unused)
+.TP
+.BR charon.host_resolver.min_threads " [0]"
+Minimum number of resolver threads to keep around
+.TP
 .BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
 If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
 keys, which is discouraged due to security concerns (offline attacks on the
@@ -225,6 +263,9 @@ Install virtual IP addresses
 The name of the interface on which virtual IP addresses should be installed.
 If not specified the addresses will be installed on the outbound interface.
 .TP
+.BR charon.integrity_test " [no]"
+Check daemon, libstrongswan and plugin integrity at startup
+.TP
 .BR charon.interfaces_ignore
 A comma-separated list of network interfaces that should be ignored, if
 .B charon.interfaces_use
@@ -237,6 +278,15 @@ All other interfaces are ignored.
 .BR charon.keep_alive " [20s]"
 NAT keep alive interval
 .TP
+.BR charon.leak_detective.detailed " [yes]"
+Includes source file names and line numbers in leak detective output
+.TP
+.BR charon.leak_detective.usage_threshold " [10240]"
+Threshold in bytes for leaks to be reported (0 to report all)
+.TP
+.BR charon.leak_detective.usage_threshold_count " [0]"
+Threshold in number of allocations for leaks to be reported (0 to report all)
+.TP
 .BR charon.load
 Plugins to load in the IKEv2 daemon charon
 .TP
@@ -263,6 +313,10 @@ otherwise a random port will be allocated.
 .BR charon.process_route " [yes]"
 Process RTM_NEWROUTE and RTM_DELROUTE events
 .TP
+.BR charon.processor.priority_threads
+Subsection to configure the number of reserved threads per priority class
+see JOB PRIORITY MANAGEMENT
+.TP
 .BR charon.receive_delay " [0]"
 Delay in ms for receiving packets, to simulate larger RTT
 .TP
@@ -327,6 +381,10 @@ might be used as indicator on the number of reserved threads.
 .TP
 .BR charon.user
 Name of the user the daemon changes to after startup
+.TP
+.BR charon.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
+.
 .SS charon.plugins subsection
 .TP
 .BR charon.plugins.android_log.loglevel " [1]"
@@ -336,6 +394,12 @@ Loglevel for logging to Android specific logger
 Section to specify arbitrary attributes that are assigned to a peer via
 configuration payload (CP)
 .TP
+.BR charon.plugins.attr-sql.database
+Database URI for attr-sql plugin used by charon
+.TP
+.BR charon.plugins.attr-sql.lease_history " [yes]"
+Enable logging of SQL IP pool leases
+.TP
 .BR charon.plugins.certexpire.csv.cron
 Cron style string specifying CSV export times
 .TP
@@ -603,6 +667,9 @@ Request peer authentication based on a client certificate
 .BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]"
 Socket provided by the error-notify plugin
 .TP
+.BR charon.plugins.gcrypt.quick_random " [no]"
+Use faster random numbers in gcrypt; for testing only, produces weak keys!
+.TP
 .BR charon.plugins.ha.autobalance " [0]"
 Interval in seconds to automatically balance handled segments between nodes.
 Set to 0 to disable.
@@ -680,6 +747,51 @@ Section to configure the load-tester plugin, see LOAD TESTS
 .BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]"
 Socket provided by the lookip plugin
 .TP
+.BR charon.plugins.ntru.max_drbg_requests " [4294967294]"
+Number of pseudo-random bit requests from the DRBG before an automatic
+reseeding occurs.
+.TP
+.BR charon.plugins.ntru.parameter_set " [optimum]"
+The following parameter sets are available:
+.BR x9_98_speed ,
+.BR x9_98_bandwidth ,
+.B x9_98_balance
+and
+.BR optimum ,
+the last set not being part of the X9.98 standard but having the best performance.
+.TP
+.BR charon.plugins.openssl.engine_id " [pkcs11]"
+ENGINE ID to use in the OpenSSL plugin
+.TP
+.BR charon.plugins.openssl.fips_mode " [0]"
+Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
+.TP
+.BR charon.plugins.pkcs11.modules
+List of available PKCS#11 modules
+.TP
+.BR charon.plugins.pkcs11.load_certs " [yes]"
+Whether to load certificates from tokens
+.TP
+.BR charon.plugins.pkcs11.reload_certs " [no]"
+Reload certificates from all tokens if charon receives a SIGHUP
+.TP
+.BR charon.plugins.pkcs11.use_dh " [no]"
+Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
+.TP
+.BR charon.plugins.pkcs11.use_ecc " [no]"
+Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
+operations. ECDSA private keys can be used regardless of this option
+.TP
+.BR charon.plugins.pkcs11.use_hasher " [no]"
+Whether the PKCS#11 modules should be used to hash data
+.TP
+.BR charon.plugins.pkcs11.use_pubkey " [no]"
+Whether the PKCS#11 modules should be used for public key operations, even for
+keys not stored on tokens
+.TP
+.BR charon.plugins.pkcs11.use_rng " [no]"
+Whether the PKCS#11 modules should be used as RNG
+.TP
 .BR charon.plugins.radattr.dir
 Directory where RADIUS attributes are stored in client-ID specific files.
 .TP
@@ -687,6 +799,16 @@ Directory where RADIUS attributes are stored in client-ID specific files.
 Attributes are added to all IKE_AUTH messages by default (-1), or only to the
 IKE_AUTH message with the given IKEv2 message ID.
 .TP
+.BR charon.plugins.random.random " [@random_device@]"
+File to read random bytes from, instead of @random_device@
+.TP
+.BR charon.plugins.random.urandom " [@urandom_device@]"
+File to read pseudo random bytes from, instead of @urandom_device@
+.TP
+.BR charon.plugins.random.strong_equals_true " [no]"
+If set to yes the RNG_STRONG class reads random bytes from the same source as
+the RNG_TRUE class.
+.TP
 .BR charon.plugins.resolve.file " [/etc/resolv.conf]"
 File where to add DNS server entries
 .TP
@@ -787,6 +909,20 @@ Name of the strongSwan PDP as contained in the AAA certificate
 .BR charon.plugins.tnc-pdp.timeout
 Timeout in seconds before closing incomplete connections
 .TP
+.BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
+File to read DNS resolver configuration from
+.TP
+.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
+File to read DNSSEC trust anchors from (usually root zone KSK). The format of
+the file is the standard DNS Zone file format, anchors can be stored as DS or
+DNSKEY entries in the file.
+.TP
+.BR charon.plugins.unbound.dlv_anchors
+File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
+the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
+is then used as a root trusted DLV, this means that it is a lookaside for
+the root.
+.TP
 .BR charon.plugins.updown.dns_handler " [no]"
 Whether the updown script should handle DNS serves assigned via IKEv1 Mode
 Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@@ -810,142 +946,6 @@ Open/close a PAM session for each active IKE_SA
 .BR charon.plugins.xauth-pam.trim_email " [yes]"
 If an email address is given as an XAuth username, trim it to just the
 username part.
-.SS libstrongswan section
-.TP
-.BR libstrongswan.cert_cache " [yes]"
-Whether relations in validated certificate chains should be cached in memory
-.TP
-.BR libstrongswan.crypto_test.bench " [no]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_size " [1024]"
-
-.TP
-.BR libstrongswan.crypto_test.bench_time " [50]"
-
-.TP
-.BR libstrongswan.crypto_test.on_add " [no]"
-Test crypto algorithms during registration
-.TP
-.BR libstrongswan.crypto_test.on_create " [no]"
-Test crypto algorithms on each crypto primitive instantiation
-.TP
-.BR libstrongswan.crypto_test.required " [no]"
-Strictly require at least one test vector to enable an algorithm
-.TP
-.BR libstrongswan.crypto_test.rng_true " [no]"
-Whether to test RNG with TRUE quality; requires a lot of entropy
-.TP
-.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
-Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
-strength
-.TP
-.BR libstrongswan.ecp_x_coordinate_only " [yes]"
-Compliance with the errata for RFC 4753
-.TP
-.BR libstrongswan.host_resolver.max_threads " [3]"
-Maximum number of concurrent resolver threads (they are terminated if unused)
-.TP
-.BR libstrongswan.host_resolver.min_threads " [0]"
-Minimum number of resolver threads to keep around
-.TP
-.BR libstrongswan.integrity_test " [no]"
-Check daemon, libstrongswan and plugin integrity at startup
-.TP
-.BR libstrongswan.leak_detective.detailed " [yes]"
-Includes source file names and line numbers in leak detective output
-.TP
-.BR libstrongswan.leak_detective.usage_threshold " [10240]"
-Threshold in bytes for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
-Threshold in number of allocations for leaks to be reported (0 to report all)
-.TP
-.BR libstrongswan.processor.priority_threads
-Subsection to configure the number of reserved threads per priority class
-see JOB PRIORITY MANAGEMENT
-.TP
-.BR libstrongswan.x509.enforce_critical " [yes]"
-Discard certificates with unsupported or unknown critical extensions
-.SS libstrongswan.plugins subsection
-.TP
-.BR libstrongswan.plugins.attr-sql.database
-Database URI for attr-sql plugin used by charon
-.TP
-.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
-Enable logging of SQL IP pool leases
-.TP
-.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
-Use faster random numbers in gcrypt; for testing only, produces weak keys!
-.TP
-.BR libstrongswan.plugins.ntru.max_drbg_requests " [4294967294]"
-Number of pseudo-random bit requests from the DRBG before an automatic
-reseeding occurs.
-.TP
-.BR libstrongswan.plugins.ntru.parameter_set " [optimum]"
-The following parameter sets are available:
-.BR x9_98_speed ,
-.BR x9_98_bandwidth ,
-.B x9_98_balance
-and
-.BR optimum ,
-the last set not being part of the X9.98 standard but having the best performance.
-.TP
-.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
-ENGINE ID to use in the OpenSSL plugin
-.TP
-.BR libstrongswan.plugins.openssl.fips_mode " [0]"
-Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
-.TP
-.BR libstrongswan.plugins.pkcs11.modules
-List of available PKCS#11 modules
-.TP
-.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
-Whether to load certificates from tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
-Reload certificates from all tokens if charon receives a SIGHUP
-.TP
-.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
-Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
-.TP
-.BR libstrongswan.plugins.pkcs11.use_ecc " [no]"
-Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
-operations. ECDSA private keys can be used regardless of this option
-.TP
-.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-Whether the PKCS#11 modules should be used to hash data
-.TP
-.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]"
-Whether the PKCS#11 modules should be used for public key operations, even for
-keys not stored on tokens
-.TP
-.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
-Whether the PKCS#11 modules should be used as RNG
-.TP
-.BR libstrongswan.plugins.random.random " [@random_device@]"
-File to read random bytes from, instead of @random_device@
-.TP
-.BR libstrongswan.plugins.random.urandom " [@urandom_device@]"
-File to read pseudo random bytes from, instead of @urandom_device@
-.TP
-.BR libstrongswan.plugins.random.strong_equals_true " [no]"
-If set to yes the RNG_STRONG class reads random bytes from the same source as
-the RNG_TRUE class.
-.TP
-.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
-File to read DNS resolver configuration from
-.TP
-.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
-File to read DNSSEC trust anchors from (usually root zone KSK). The format of
-the file is the standard DNS Zone file format, anchors can be stored as DS or
-DNSKEY entries in the file.
-.TP
-.BR libstrongswan.plugins.unbound.dlv_anchors
-File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
-the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
-is then used as a root trusted DLV, this means that it is a lookaside for
-the root.
 .SS libtls section
 .TP
 .BR libtls.cipher
@@ -1378,22 +1378,22 @@ for one).
 To ensure that there are always enough threads available for higher priority
 tasks, threads must be reserved for each priority class.
 .TP
-.BR libstrongswan.processor.priority_threads.critical " [0]"
+.BR charon.processor.priority_threads.critical " [0]"
 Threads reserved for CRITICAL priority class jobs
 .TP
-.BR libstrongswan.processor.priority_threads.high " [0]"
+.BR charon.processor.priority_threads.high " [0]"
 Threads reserved for HIGH priority class jobs
 .TP
-.BR libstrongswan.processor.priority_threads.medium " [0]"
+.BR charon.processor.priority_threads.medium " [0]"
 Threads reserved for MEDIUM priority class jobs
 .TP
-.BR libstrongswan.processor.priority_threads.low " [0]"
+.BR charon.processor.priority_threads.low " [0]"
 Threads reserved for LOW priority class jobs
 .PP
 Let's consider the following configuration:
 .PP
 .EX
-       libstrongswan {
+       charon {
                processor {
                        priority_threads {
                                high = 1
index de19c8d..3ec0714 100644 (file)
@@ -1349,7 +1349,7 @@ credential_manager_t *credential_manager_create()
 
        this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
        this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
-       if (lib->settings->get_bool(lib->settings, "libstrongswan.cert_cache", TRUE))
+       if (lib->settings->get_bool(lib->settings, "%s.cert_cache", TRUE, lib->ns))
        {
                this->cache = cert_cache_create();
                this->sets->insert_first(this->sets, this->cache);
index edcabfe..dba3f6f 100644 (file)
@@ -967,11 +967,11 @@ crypto_factory_t *crypto_factory_create()
                .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
                .tester = crypto_tester_create(),
                .test_on_add = lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.crypto_test.on_add", FALSE),
+                                                               "%s.crypto_test.on_add", FALSE, lib->ns),
                .test_on_create = lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.crypto_test.on_create", FALSE),
+                                                               "%s.crypto_test.on_create", FALSE, lib->ns),
                .bench = lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.crypto_test.bench", FALSE),
+                                                               "%s.crypto_test.bench", FALSE, lib->ns),
        );
 
        return &this->public;
index 5a0dccc..30724b1 100644 (file)
@@ -1207,13 +1207,13 @@ crypto_tester_t *crypto_tester_create()
                .rng = linked_list_create(),
 
                .required = lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.crypto_test.required", FALSE),
+                                                               "%s.crypto_test.required", FALSE, lib->ns),
                .rng_true = lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.crypto_test.rng_true", FALSE),
+                                                               "%s.crypto_test.rng_true", FALSE, lib->ns),
                .bench_time = lib->settings->get_int(lib->settings,
-                                                               "libstrongswan.crypto_test.bench_time", 50),
+                                                               "%s.crypto_test.bench_time", 50, lib->ns),
                .bench_size = lib->settings->get_int(lib->settings,
-                                                               "libstrongswan.crypto_test.bench_size", 1024),
+                                                               "%s.crypto_test.bench_size", 1024, lib->ns),
        );
 
        /* enforce a block size of 16, should be fine for all algorithms */
index f71ebc6..5c1d08d 100644 (file)
@@ -444,7 +444,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
                        {
                                if (!dh_params[i].public.subgroup.len &&
                                        lib->settings->get_int(lib->settings,
-                                                               "libstrongswan.dh_exponent_ansi_x9_42", TRUE))
+                                                                       "%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
                                {
                                        dh_params[i].public.exp_len = dh_params[i].public.prime.len;
                                }
index c075fd8..0df0c42 100644 (file)
@@ -108,7 +108,7 @@ void library_deinit()
        }
 
        detailed = lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.leak_detective.detailed", TRUE);
+                                                               "%s.leak_detective.detailed", TRUE, lib->ns);
 
        /* make sure the cache is clear before unloading plugins */
        lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
@@ -318,7 +318,7 @@ bool library_init(char *settings, const char *namespace)
        }
 
        if (lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.integrity_test", FALSE))
+                                                               "%s.integrity_test", FALSE, lib->ns))
        {
 #ifdef INTEGRITY_TEST
                this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
index 99a17d1..10af11a 100644 (file)
@@ -355,11 +355,11 @@ host_resolver_t *host_resolver_create()
        );
 
        this->min_threads = max(0, lib->settings->get_int(lib->settings,
-                                                                       "libstrongswan.host_resolver.min_threads",
-                                                                        MIN_THREADS_DEFAULT));
+                                                                                               "%s.host_resolver.min_threads",
+                                                                                               MIN_THREADS_DEFAULT, lib->ns));
        this->max_threads = max(this->min_threads ?: 1,
                                                        lib->settings->get_int(lib->settings,
-                                                                       "libstrongswan.host_resolver.max_threads",
-                                                                        MAX_THREADS_DEFAULT));
+                                                                                               "%s.host_resolver.max_threads",
+                                                                                               MAX_THREADS_DEFAULT, lib->ns));
        return &this->public;
 }
index 160db04..44f3f84 100644 (file)
@@ -194,8 +194,8 @@ plugin_t *gcrypt_plugin_create()
 
        /* we currently do not use secure memory */
        gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
-       if (lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.gcrypt.quick_random", FALSE))
+       if (lib->settings->get_bool(lib->settings, "%s.plugins.gcrypt.quick_random",
+                                                               FALSE, lib->ns))
        {
                gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
        }
index 6fc13aa..181a589 100644 (file)
@@ -230,8 +230,8 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
        }
 
        max_requests = lib->settings->get_int(lib->settings,
-                                                       "libstrongswan.plugins.ntru.max_drbg_requests",
-                                                        MAX_DRBG_REQUESTS);
+                                                                                 "%s.plugins.ntru.max_drbg_requests",
+                                                                                 MAX_DRBG_REQUESTS, lib->ns);
 
        INIT(this,
                .public = {
index a23991b..39fb261 100644 (file)
@@ -316,7 +316,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
        u_int32_t strength;
 
        parameter_set = lib->settings->get_str(lib->settings,
-                               "libstrongswan.plugins.ntru.parameter_set", "optimum");
+                                               "%s.plugins.ntru.parameter_set", "optimum", lib->ns);
 
        if (streq(parameter_set, "x9_98_speed"))
        {
index 18aa5ce..cb02c66 100644 (file)
@@ -471,7 +471,7 @@ static bool parse_extensions(private_openssl_crl_t *this)
                                default:
                                        ok = X509_EXTENSION_get_critical(ext) == 0 ||
                                                 !lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.x509.enforce_critical", TRUE);
+                                                                       "%s.x509.enforce_critical", TRUE, lib->ns);
                                        if (!ok)
                                        {
                                                DBG1(DBG_LIB, "found unsupported critical X.509 "
index 835ed58..b487d59 100644 (file)
@@ -201,7 +201,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
         * http://www.rfc-editor.org/errata_search.php?eid=9
         */
        x_coordinate_only = lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.ecp_x_coordinate_only", TRUE);
+                                                                       "%s.ecp_x_coordinate_only", TRUE, lib->ns);
        if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
        {
                goto error;
index ff25086..f4aef82 100644 (file)
@@ -522,7 +522,7 @@ plugin_t *openssl_plugin_create()
        int fips_mode;
 
        fips_mode = lib->settings->get_int(lib->settings,
-                                               "libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
+                                                       "%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
 #ifdef OPENSSL_FIPS
        if (fips_mode)
        {
index 036f53d..10a35c1 100644 (file)
@@ -558,7 +558,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
        if (!engine_id)
        {
                engine_id = lib->settings->get_str(lib->settings,
-                                               "libstrongswan.plugins.openssl.engine_id", "pkcs11");
+                                                       "%s.plugins.openssl.engine_id", "pkcs11", lib->ns);
        }
        engine = ENGINE_by_id(engine_id);
        if (!engine)
index 24b12d5..7a5b206 100644 (file)
@@ -1012,7 +1012,7 @@ static bool parse_extensions(private_openssl_x509_t *this)
                                default:
                                        ok = X509_EXTENSION_get_critical(ext) == 0 ||
                                                 !lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.x509.enforce_critical", TRUE);
+                                                                       "%s.x509.enforce_critical", TRUE, lib->ns);
                                        if (!ok)
                                        {
                                                char buf[80] = "";
index 2e5af95..36cc284 100644 (file)
@@ -135,7 +135,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
                        };
 
                        if (!lib->settings->get_bool(lib->settings,
-                                                               "libstrongswan.ecp_x_coordinate_only", TRUE))
+                                                                       "%s.ecp_x_coordinate_only", TRUE, lib->ns))
                        {       /* we only get the x coordinate back */
                                return;
                        }
index 8bda5b6..96c4a18 100644 (file)
@@ -338,7 +338,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
        );
 
        enumerator = lib->settings->create_section_enumerator(lib->settings,
-                                                                               "libstrongswan.plugins.pkcs11.modules");
+                                                                               "%s.plugins.pkcs11.modules", lib->ns);
        while (enumerator->enumerate(enumerator, &module))
        {
                INIT(entry,
@@ -346,7 +346,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
                );
 
                entry->path = lib->settings->get_str(lib->settings,
-                               "libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
+                               "%s.plugins.pkcs11.modules.%s.path", NULL, lib->ns, module);
                if (!entry->path)
                {
                        DBG1(DBG_CFG, "PKCS11 module '%s' lacks library path", module);
@@ -355,8 +355,8 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
                }
                entry->lib = pkcs11_library_create(module, entry->path,
                                                lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.pkcs11.modules.%s.os_locking",
-                                                       FALSE, module));
+                                                       "%s.plugins.pkcs11.modules.%s.os_locking",
+                                                       FALSE, lib->ns, module));
                if (!entry->lib)
                {
                        free(entry);
index 3faa59c..bd2a2c1 100644 (file)
@@ -83,8 +83,8 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
        if (add && this->handle_events)
        {
                if (lib->settings->get_bool(lib->settings,
-                                               "libstrongswan.plugins.pkcs11.modules.%s.load_certs",
-                                               TRUE, p11->get_name(p11)))
+                                                               "%s.plugins.pkcs11.modules.%s.load_certs",
+                                                               TRUE, lib->ns, p11->get_name(p11)))
                {
                        creds = pkcs11_creds_create(p11, slot);
                        if (creds)
@@ -174,8 +174,8 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
 METHOD(plugin_t, reload, bool,
        private_pkcs11_plugin_t *this)
 {
-       if (lib->settings->get_bool(lib->settings,
-                                       "libstrongswan.plugins.pkcs11.reload_certs", FALSE))
+       if (lib->settings->get_bool(lib->settings, "%s.plugins.pkcs11.reload_certs",
+                                                               FALSE, lib->ns))
        {
                DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens");
                handle_certs(this, NULL, FALSE, NULL);
@@ -247,28 +247,28 @@ METHOD(plugin_t, get_features, int,
        if (!count)
        {       /* initialize only once */
                bool use_ecc = lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.pkcs11.use_ecc", FALSE);
+                                                               "%s.plugins.pkcs11.use_ecc", FALSE, lib->ns);
                plugin_features_add(f, f_manager, countof(f_manager), &count);
                /* private key handling for EC keys is not disabled by use_ecc */
                plugin_features_add(f, f_privkey, countof(f_privkey), &count);
                if (lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.pkcs11.use_pubkey", FALSE))
+                                                               "%s.plugins.pkcs11.use_pubkey", FALSE, lib->ns))
                {
                        plugin_features_add(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
                                                                &count);
                }
                if (lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.pkcs11.use_hasher", FALSE))
+                                                               "%s.plugins.pkcs11.use_hasher", FALSE, lib->ns))
                {
                        plugin_features_add(f, f_hash, countof(f_hash), &count);
                }
                if (lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.pkcs11.use_rng", FALSE))
+                                                               "%s.plugins.pkcs11.use_rng", FALSE, lib->ns))
                {
                        plugin_features_add(f, f_rng, countof(f_rng), &count);
                }
                if (lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.pkcs11.use_dh", FALSE))
+                                                               "%s.plugins.pkcs11.use_dh", FALSE, lib->ns))
                {
                        plugin_features_add(f, f_dh, countof(f_dh), &count);
                        if (use_ecc)
index 8ac1ac3..1f10792 100644 (file)
@@ -143,11 +143,11 @@ plugin_t *random_plugin_create()
        );
 
        strong_equals_true = lib->settings->get_bool(lib->settings,
-                                               "libstrongswan.plugins.random.strong_equals_true", FALSE);
+                                               "%s.plugins.random.strong_equals_true", FALSE, lib->ns);
        urandom_file = lib->settings->get_str(lib->settings,
-                                               "libstrongswan.plugins.random.urandom", DEV_URANDOM);
+                                               "%s.plugins.random.urandom", DEV_URANDOM, lib->ns);
        random_file = lib->settings->get_str(lib->settings,
-                                               "libstrongswan.plugins.random.random", DEV_RANDOM);
+                                               "%s.plugins.random.random", DEV_RANDOM, lib->ns);
        if (!open_dev(urandom_file, &dev_urandom) ||
                !open_dev(random_file, &dev_random))
        {
index 42cdbc6..745e59d 100644 (file)
@@ -97,14 +97,14 @@ resolver_t *unbound_resolver_create(void)
        char *resolv_conf, *trust_anchors, *dlv_anchors;
 
        resolv_conf = lib->settings->get_str(lib->settings,
-                                               "libstrongswan.plugins.unbound.resolv_conf",
-                                               RESOLV_CONF_FILE);
+                                                                               "%s.plugins.unbound.resolv_conf",
+                                                                               RESOLV_CONF_FILE, lib->ns);
        trust_anchors = lib->settings->get_str(lib->settings,
-                                               "libstrongswan.plugins.unbound.trust_anchors",
-                                               TRUST_ANCHOR_FILE);
+                                                                               "%s.plugins.unbound.trust_anchors",
+                                                                               TRUST_ANCHOR_FILE, lib->ns);
        dlv_anchors = lib->settings->get_str(lib->settings,
-                                               "libstrongswan.plugins.unbound.dlv_anchors",
-                                               NULL);
+                                                                               "%s.plugins.unbound.dlv_anchors",
+                                                                               NULL, lib->ns);
 
        INIT(this,
                .public = {
index 85c4815..09eda32 100644 (file)
@@ -1446,7 +1446,7 @@ static bool parse_certificate(private_x509_cert_t *this)
                                                break;
                                        default:
                                                if (critical && lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.x509.enforce_critical", TRUE))
+                                                       "%s.x509.enforce_critical", TRUE, lib->ns))
                                                {
                                                        DBG1(DBG_ASN, "critical '%s' extension not supported",
                                                                 (extn_oid == OID_UNKNOWN) ? "unknown" :
index efb70c9..d6057c3 100644 (file)
@@ -325,7 +325,7 @@ static bool parse(private_x509_crl_t *this)
                                                break;
                                        default:
                                                if (critical && lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.x509.enforce_critical", TRUE))
+                                                       "%s.x509.enforce_critical", TRUE, lib->ns))
                                                {
                                                        DBG1(DBG_ASN, "critical '%s' extension not supported",
                                                                 (extn_oid == OID_UNKNOWN) ? "unknown" :
index adbd956..012b169 100644 (file)
@@ -545,7 +545,7 @@ processor_t *processor_create()
        {
                this->jobs[i] = linked_list_create();
                this->prio_threads[i] = lib->settings->get_int(lib->settings,
-                                               "libstrongswan.processor.priority_threads.%N", 0,
+                                               "%s.processor.priority_threads.%N", 0, lib->ns,
                                                job_priority_names, i);
        }
 
index ff80bbc..6f5a2c8 100644 (file)
@@ -754,11 +754,11 @@ METHOD(leak_detective_t, usage, void,
        size_t sum = 0;
 
        thresh = lib->settings->get_int(lib->settings,
-                                       "libstrongswan.leak_detective.usage_threshold", 10240);
+                                               "%s.leak_detective.usage_threshold", 10240, lib->ns);
        thresh_count = lib->settings->get_int(lib->settings,
-                                       "libstrongswan.leak_detective.usage_threshold_count", 0);
+                                               "%s.leak_detective.usage_threshold_count", 0, lib->ns);
        detailed = lib->settings->get_bool(lib->settings,
-                                       "libstrongswan.leak_detective.detailed", TRUE);
+                                               "%s.leak_detective.detailed", TRUE, lib->ns);
 
        leaks = print_traces(this, cb, user, thresh, thresh_count,
                                                 detailed, &whitelisted, &sum);