config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \
config/policies/policy.c config/policies/policy.h \
config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \
-config/credentials/credential_store.c config/credentials/credential_store.h \
-config/traffic_selector.c config/traffic_selector.h \
+config/credentials/local_credential_store.c config/credentials/local_credential_store.h \
+config/credentials/credential_store.h config/traffic_selector.c config/traffic_selector.h \
config/proposal.c config/proposal.h config/configuration.c config/configuration.h \
sa/states/state.c sa/states/state.h sa/states/ike_sa_init_requested.c sa/states/ike_sa_init_requested.h \
sa/states/ike_sa_init_responded.c sa/states/ike_sa_established.c sa/states/ike_sa_established.h \
{MAPPING_END, NULL}
};
+/**
+ * String mappings for cert_policy_t.
+ */
+mapping_t cert_policy_m[] = {
+ {CERT_ALWAYS_SEND, "CERT_ALWAYS_SEND"},
+ {CERT_SEND_IF_ASKED, "CERT_SEND_IF_ASKED"},
+ {CERT_NEVER_SEND, "CERT_NEVER_SEND"},
+ {MAPPING_END, NULL}
+};
typedef struct private_connection_t private_connection_t;
* Does charon handle this connection? Or can he ignore it?
*/
bool ikev2;
+
+ /**
+ * should we send a certificate request?
+ */
+ cert_policy_t cert_req_policy;
+
+ /**
+ * should we send a certificates?
+ */
+ cert_policy_t cert_policy;
+
+ /**
+ * ID of us
+ */
+ identification_t *my_id;
/**
* Host information of my host.
}
/**
+ * Implementation of connection_t.get_cert_req_policy.
+ */
+static cert_policy_t get_cert_req_policy (private_connection_t *this)
+{
+ return this->cert_req_policy;
+}
+
+/**
+ * Implementation of connection_t.get_cert_policy.
+ */
+static cert_policy_t get_cert_policy (private_connection_t *this)
+{
+ return this->cert_policy;
+}
+
+/**
* Implementation of connection_t.get_my_host.
*/
static host_t *get_my_host (private_connection_t *this)
iterator_t *iterator;
proposal_t *proposal;
private_connection_t *clone = (private_connection_t*)connection_create(
- this->name,
- this->ikev2,
+ this->name, this->ikev2,
+ this->cert_policy, this->cert_req_policy,
this->my_host->clone(this->my_host),
this->other_host->clone(this->other_host),
this->auth_method);
/**
* Described in header.
*/
-connection_t * connection_create(char *name, bool ikev2, host_t *my_host, host_t *other_host, auth_method_t auth_method)
+connection_t * connection_create(char *name, bool ikev2,
+ cert_policy_t cert_policy, cert_policy_t cert_req_policy,
+ host_t *my_host, host_t *other_host,
+ auth_method_t auth_method)
{
private_connection_t *this = malloc_thing(private_connection_t);
/* public functions */
this->public.get_name = (char*(*)(connection_t*))get_name;
this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2;
+ this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy;
+ this->public.get_cert_req_policy = (cert_policy_t(*)(connection_t*))get_cert_req_policy;
this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host;
this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host;
/* private variables */
this->name = strdup(name);
this->ikev2 = ikev2;
+ this->cert_policy = cert_policy;
+ this->cert_req_policy = cert_req_policy;
this->my_host = my_host;
this->other_host = other_host;
this->auth_method = auth_method;
extern mapping_t auth_method_m[];
+typedef enum cert_policy_t cert_policy_t;
+
+/**
+ * Certificate sending policy. This is also used for certificate
+ * requests when using this definition for the other peer. If
+ * it is CERT_NEVER_SEND, a certreq is ommited, otherwise its
+ * included.
+ *
+ * @ingroup config
+ *
+ * @warning These definitions must be the same as in pluto/starter,
+ * as they are sent over the stroke socket.
+ */
+enum cert_policy_t {
+ /** always send certificates, even when not requested */
+ CERT_ALWAYS_SEND = 0,
+ /** send certificate upon cert request */
+ CERT_SEND_IF_ASKED = 1,
+ /** never send a certificate, even when requested */
+ CERT_NEVER_SEND = 2,
+};
+
+/**
+ * string mappings for certpolicy_t.
+ *
+ * @ingroup config
+ */
+extern mapping_t cert_policy_m[];
+
+
typedef struct connection_t connection_t;
/**
bool (*is_ikev2) (connection_t *this);
/**
+ * @brief Should be sent a certificate request for this connection?
+ *
+ * A certificate request contains serials of our trusted CA certificates.
+ * This flag says if such a request is sent on connection setup to
+ * the peer. It should be ommited when CERT_SEND_NEVER, sended otherwise.
+ *
+ * @param this calling object
+ * @return - TRUE, if certificate request should be sent
+ */
+ cert_policy_t (*get_cert_req_policy) (connection_t *this);
+
+ /**
+ * @brief Should be sent a certificate for this connection?
+ *
+ * Return the policy used to send the certificate.
+ *
+ * @param this calling object
+ * @return certificate sending policy
+ */
+ cert_policy_t (*get_cert_policy) (connection_t *this);
+
+ /**
* @brief Get the DH group to use for connection initialization.
*
* @param this calling object
* do not modify or destroy them after a call to
* connection_create(). Name gets cloned internally.
*
- * @param name connection identifier
- * @param ikev2 TRUE if this is an IKEv2 connection
- * @param my_host host_t representing local address
- * @param other_host host_t representing remote address
- * @param auth_method Authentication method to use for our(!) auth data
- * @return connection_t object.
+ * @param name connection identifier
+ * @param ikev2 TRUE if this is an IKEv2 connection
+ * @param cert_policy certificate send policy
+ * @param cert_req_policy certificate request send policy
+ * @param my_host host_t representing local address
+ * @param other_host host_t representing remote address
+ * @param auth_method Authentication method to use for our(!) auth data
+ * @return connection_t object.
*
* @ingroup config
*/
-connection_t * connection_create(char *name,
- bool ikev2,
+connection_t * connection_create(char *name, bool ikev2,
+ cert_policy_t cert_pol, cert_policy_t req_pol,
host_t *my_host, host_t *other_host,
auth_method_t auth_method);
+++ /dev/null
-/**
- * @file credential_store.c
- *
- * @brief Implementation of credential_store_t.
- *
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <sys/stat.h>
-#include <dirent.h>
-#include <string.h>
-#include <pthread.h>
-
-#include "credential_store.h"
-
-#include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <utils/logger_manager.h>
-#include <crypto/x509.h>
-#include <crypto/crl.h>
-
-#define PATH_BUF 256
-
-typedef struct private_credential_store_t private_credential_store_t;
-
-/**
- * Private data of an credential_store_t object
- */
-struct private_credential_store_t {
-
- /**
- * Public part
- */
- credential_store_t public;
-
- /**
- * list of key_entry_t's with private keys
- */
- linked_list_t *private_keys;
-
- /**
- * list of X.509 certificates with public keys
- */
- linked_list_t *certs;
-
- /**
- * list of X.509 CA certificates with public keys
- */
- linked_list_t *ca_certs;
-
- /**
- * list of X.509 CRLs
- */
- linked_list_t *crls;
-
- /**
- * mutex controlling the access to the crls linked list
- */
- pthread_mutex_t crls_mutex;
-
- /**
- * enforce strict crl policy
- */
- bool strict;
-
- /**
- * Assigned logger
- */
- logger_t *logger;
-};
-
-
-/**
- * Implementation of credential_store_t.get_shared_secret.
- */
-static status_t get_shared_secret(private_credential_store_t *this, identification_t *id, chunk_t *secret)
-{
- return FAILED;
-}
-
-/**
- * Implementation of credential_store_t.get_rsa_public_key.
- */
-static rsa_public_key_t * get_rsa_public_key(private_credential_store_t *this, identification_t *id)
-{
- rsa_public_key_t *found = NULL;
-
- iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
-
- while (iterator->has_next(iterator))
- {
- x509_t *cert;
-
- iterator->current(iterator, (void**)&cert);
-
- if (id->equals(id, cert->get_subject(cert)) || cert->equals_subjectAltName(cert, id))
- {
- found = cert->get_public_key(cert);
- break;
- }
- }
- iterator->destroy(iterator);
- return found;
-}
-
-/**
- * Implementation of credential_store_t.get_rsa_private_key.
- */
-static rsa_private_key_t* get_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
-{
- rsa_private_key_t *found = NULL;
- rsa_private_key_t *current;
-
- iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
-
- while (iterator->has_next(iterator))
- {
- iterator->current(iterator, (void**)¤t);
-
- if (current->belongs_to(current, pubkey))
- {
- found = current->clone(current);
- break;
- }
- }
- iterator->destroy(iterator);
- return found;
-}
-
-/**
- * Implementation of credential_store_t.has_rsa_private_key.
- */
-static bool has_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
-{
- bool found = FALSE;
- rsa_private_key_t *current;
-
- iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
-
- while (iterator->has_next(iterator))
- {
- iterator->current(iterator, (void**)¤t);
-
- if (current->belongs_to(current, pubkey))
- {
- found = TRUE;
- break;
- }
- }
- iterator->destroy(iterator);
- return found;
-}
-
-/**
- * Add a unique certificate to a linked list
- */
-static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
-{
- bool found = FALSE;
-
- iterator_t *iterator = certs->create_iterator(certs, TRUE);
-
- while (iterator->has_next(iterator))
- {
- x509_t *current_cert;
-
- iterator->current(iterator, (void**)¤t_cert);
- if (cert->equals(cert, current_cert))
- {
- found = TRUE;
- cert->destroy(cert);
- cert = current_cert;
- break;
- }
- }
- iterator->destroy(iterator);
-
- if (!found)
- {
- certs->insert_last(certs, (void*)cert);
- }
- return cert;
-}
-
-/**
- * Implements credential_store_t.add_end_certificate
- */
-static x509_t* add_end_certificate(private_credential_store_t *this, x509_t *cert)
-{
- return add_certificate(this->certs, cert);
-}
-
-/**
- * Implements credential_store_t.add_ca_certificate
- */
-static x509_t* add_ca_certificate(private_credential_store_t *this, x509_t *cert)
-{
- return add_certificate(this->ca_certs, cert);
-}
-
-/**
- * Implements credential_store_t.log_certificates
- */
-static void log_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
-{
- iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
-
- if (iterator->get_count(iterator))
- {
- logger->log(logger, CONTROL, "");
- logger->log(logger, CONTROL, "List of X.509 End Entity Certificates:");
- logger->log(logger, CONTROL, "");
- }
-
- while (iterator->has_next(iterator))
- {
- x509_t *cert;
- bool has_key;
-
- iterator->current(iterator, (void**)&cert);
- has_key = has_rsa_private_key(this, cert->get_public_key(cert));
- cert->log_certificate(cert, logger, utc, has_key);
- }
- iterator->destroy(iterator);
-}
-
-/**
- * Implements credential_store_t.log_ca_certificates
- */
-static void log_ca_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
-{
- iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
-
- if (iterator->get_count(iterator))
- {
- logger->log(logger, CONTROL, "");
- logger->log(logger, CONTROL, "List of X.509 CA Certificates:");
- logger->log(logger, CONTROL, "");
- }
-
- while (iterator->has_next(iterator))
- {
- x509_t *cert;
-
- iterator->current(iterator, (void**)&cert);
- cert->log_certificate(cert, logger, utc, FALSE);
- }
- iterator->destroy(iterator);
-}
-
-/**
- * Implements credential_store_t.log_crls
- */
-static void log_crls(private_credential_store_t *this, logger_t *logger, bool utc)
-{
- iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
-
- pthread_mutex_lock(&(this->crls_mutex));
- if (iterator->get_count(iterator))
- {
- logger->log(logger, CONTROL, "");
- logger->log(logger, CONTROL, "List of X.509 CRLs:");
- logger->log(logger, CONTROL, "");
- }
-
- while (iterator->has_next(iterator))
- {
- crl_t *crl;
-
- iterator->current(iterator, (void**)&crl);
- crl->log_crl(crl, logger, utc, this->strict);
- }
- pthread_mutex_unlock(&(this->crls_mutex));
-
- iterator->destroy(iterator);
-}
-
-/**
- * Implements credential_store_t.load_ca_certificates
- */
-static void load_ca_certificates(private_credential_store_t *this, const char *path)
-{
- struct dirent* entry;
- struct stat stb;
- DIR* dir;
- x509_t *cert;
-
- this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", path);
-
- dir = opendir(path);
- if (dir == NULL)
- {
- this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", path);
- return;
- }
-
- while ((entry = readdir(dir)) != NULL)
- {
- char file[PATH_BUF];
-
- snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
-
- if (stat(file, &stb) == -1)
- {
- continue;
- }
- /* try to parse all regular files */
- if (stb.st_mode & S_IFREG)
- {
- cert = x509_create_from_file(file, "ca certificate");
- if (cert)
- {
- err_t ugh = cert->is_valid(cert, NULL);
-
- if (ugh != NULL)
- {
- this->logger->log(this->logger, ERROR, "warning: ca certificate %s", ugh);
- }
- if (cert->is_ca(cert))
- {
- cert = add_certificate(this->ca_certs, cert);
- }
- else
- {
- this->logger->log(this->logger, ERROR,
- " CA basic constraints flag not set, cert discarded");
- cert->destroy(cert);
- }
- }
- }
- }
- closedir(dir);
-}
-
-/**
- * Add the latest crl to a linked list
- */
-static crl_t* add_crl(linked_list_t *crls, crl_t *crl, logger_t *logger)
-{
- bool found = FALSE;
-
- iterator_t *iterator = crls->create_iterator(crls, TRUE);
-
- while (iterator->has_next(iterator))
- {
- crl_t *current_crl;
-
- iterator->current(iterator, (void**)¤t_crl);
- if (crl->equals_issuer(crl, current_crl))
- {
- found = TRUE;
- if (crl->is_newer(crl, current_crl))
- {
- crl_t *old_crl = NULL;
-
- iterator->replace(iterator, (void**)&old_crl, (void*)crl);
- if (old_crl != NULL)
- {
- old_crl->destroy(old_crl);
- }
- logger->log(logger, CONTROL|LEVEL1, " thisUpdate is newer - existing crl replaced");
- }
- else
- {
- crl->destroy(crl);
- crl = current_crl;
- logger->log(logger, CONTROL|LEVEL1, " thisUpdate is not newer - existing crl retained");
- }
- break;
- }
- }
- iterator->destroy(iterator);
-
- if (!found)
- {
- crls->insert_last(crls, (void*)crl);
- logger->log(logger, CONTROL|LEVEL1, " crl added");
- }
- return crl;
-}
-
-/**
- * Implements credential_store_t.load_crls
- */
-static void load_crls(private_credential_store_t *this, const char *path)
-{
- struct dirent* entry;
- struct stat stb;
- DIR* dir;
- crl_t *crl;
-
- this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", path);
-
- dir = opendir(path);
- if (dir == NULL)
- {
- this->logger->log(this->logger, ERROR, "error opening crl directory %s'", path);
- return;
- }
-
- while ((entry = readdir(dir)) != NULL)
- {
- char file[PATH_BUF];
-
- snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
-
- if (stat(file, &stb) == -1)
- {
- continue;
- }
- /* try to parse all regular files */
- if (stb.st_mode & S_IFREG)
- {
- crl = crl_create_from_file(file);
- if (crl)
- {
- err_t ugh = crl->is_valid(crl, NULL, this->strict);
-
- if (ugh != NULL)
- {
- this->logger->log(this->logger, ERROR, "warning: crl %s", ugh);
- }
- pthread_mutex_lock(&(this->crls_mutex));
- crl = add_crl(this->crls, crl, this->logger);
- pthread_mutex_unlock(&(this->crls_mutex));
- }
- }
- }
- closedir(dir);
-}
-
-/**
- * Implements credential_store_t.load_private_keys
- */
-static void load_private_keys(private_credential_store_t *this, const char *secretsfile, const char *defaultpath)
-{
- FILE *fd = fopen(secretsfile, "r");
-
- if (fd)
- {
- int bytes;
- int line_nr = 0;
- chunk_t chunk, src, line;
-
- this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", secretsfile);
-
- fseek(fd, 0, SEEK_END);
- chunk.len = ftell(fd);
- rewind(fd);
- chunk.ptr = malloc(chunk.len);
- bytes = fread(chunk.ptr, 1, chunk.len, fd);
- fclose(fd);
-
- src = chunk;
-
- while (fetchline(&src, &line))
- {
- chunk_t ids, token;
-
- line_nr++;
-
- if (!eat_whitespace(&line))
- {
- continue;
- }
- if (!extract_token(&ids, ':', &line))
- {
- this->logger->log(this->logger, ERROR, "line %d: missing ':' separator", line_nr);
- goto error;
- }
- if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
- {
- this->logger->log(this->logger, ERROR, "line %d: missing token", line_nr);
- goto error;
- }
- if (match("RSA", &token))
- {
- char path[PATH_BUF];
- chunk_t filename;
-
- err_t ugh = extract_value(&filename, &line);
-
- if (ugh != NULL)
- {
- this->logger->log(this->logger, ERROR, "line %d: %s", line_nr, ugh);
- goto error;
- }
- if (filename.len == 0)
- {
- this->logger->log(this->logger, ERROR,
- "line %d: empty filename", line_nr);
- goto error;
- }
- if (*filename.ptr == '/')
- {
- /* absolute path name */
- snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
- }
- else
- {
- /* relative path name */
- snprintf(path, sizeof(path), "%s/%.*s", defaultpath, filename.len, filename.ptr);
- }
-
- rsa_private_key_t *key = rsa_private_key_create_from_file(path, NULL);
- if (key)
- {
- this->private_keys->insert_last(this->private_keys, (void*)key);
- }
- }
- else if (match("PSK", &token))
- {
-
- }
- else if (match("PIN", &token))
- {
-
- }
- else
- {
- this->logger->log(this->logger, ERROR,
- "line %d: token must be either RSA, PSK, or PIN",
- line_nr, token.len);
- goto error;
- }
- }
-error:
- free(chunk.ptr);
- }
- else
- {
- this->logger->log(this->logger, ERROR, "could not open file '%s'", secretsfile);
- }
-}
-
-/**
- * Implementation of credential_store_t.destroy.
- */
-static void destroy(private_credential_store_t *this)
-{
- x509_t *cert;
- crl_t *crl;
- rsa_private_key_t *key;
-
- /* destroy cert list */
- while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
- {
- cert->destroy(cert);
- }
- this->certs->destroy(this->certs);
-
- /* destroy ca cert list */
- while (this->ca_certs->remove_last(this->ca_certs, (void**)&cert) == SUCCESS)
- {
- cert->destroy(cert);
- }
- this->ca_certs->destroy(this->ca_certs);
-
- /* destroy crl list */
- pthread_mutex_lock(&(this->crls_mutex));
- while (this->crls->remove_last(this->crls, (void**)&crl) == SUCCESS)
- {
- crl->destroy(crl);
- }
- this->crls->destroy(this->crls);
- pthread_mutex_unlock(&(this->crls_mutex));
-
- /* destroy private key list */
- while (this->private_keys->remove_last(this->private_keys, (void**)&key) == SUCCESS)
- {
- key->destroy(key);
- }
- this->private_keys->destroy(this->private_keys);
-
- free(this);
-}
-
-/**
- * Described in header.
- */
-credential_store_t * credential_store_create(bool strict)
-{
- private_credential_store_t *this = malloc_thing(private_credential_store_t);
-
- this->public.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
- this->public.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
- this->public.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
- this->public.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
- this->public.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
- this->public.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
- this->public.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
- this->public.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
- this->public.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
- this->public.load_ca_certificates = (void(*)(credential_store_t*,const char*))load_ca_certificates;
- this->public.load_crls = (void(*)(credential_store_t*,const char*))load_crls;
- this->public.load_private_keys = (void(*)(credential_store_t*,const char*, const char*))load_private_keys;
- this->public.destroy = (void(*)(credential_store_t*))destroy;
-
- /* initialize mutexes */
- pthread_mutex_init(&(this->crls_mutex), NULL);
-
- /* private variables */
- this->private_keys = linked_list_create();
- this->certs = linked_list_create();
- this->ca_certs = linked_list_create();
- this->crls = linked_list_create();
- this->strict = strict;
- this->logger = logger_manager->get_logger(logger_manager, CONFIG);
-
- return (&this->public);
-}
* @return pointer to the added or already existing certificate
*/
x509_t* (*add_ca_certificate) (credential_store_t *this, x509_t *cert);
+
/**
* @brief Lists all certificates kept in the local credential store.
*
* @param this calling object
* @param path directory to load certificates from
*/
- void (*load_ca_certificates) (credential_store_t *this, const char *path);
+ void (*load_ca_certificates) (credential_store_t *this);
/**
* @brief Loads CRLs from a default directory.
* @param this calling object
* @param path directory to load crls from
*/
- void (*load_crls) (credential_store_t *this, const char *path);
+ void (*load_crls) (credential_store_t *this);
/**
* @brief Loads RSA private keys defined in ipsec.secrets
* key must already be loaded to get the ID from.
*
* @param this calling object
- * @param secretsfile file where secrets are stored
- * @param path default directory for private keys
*/
- void (*load_private_keys) (credential_store_t *this, const char *secretsfile, const char *path);
+ void (*load_private_keys) (credential_store_t *this);
/**
* @brief Destroys a credential_store_t object.
--- /dev/null
+/**
+ * @file local_credential_store.c
+ *
+ * @brief Implementation of local_credential_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/stat.h>
+#include <dirent.h>
+#include <string.h>
+#include <pthread.h>
+
+#include "local_credential_store.h"
+
+#include <utils/lexparser.h>
+#include <utils/linked_list.h>
+#include <utils/logger_manager.h>
+#include <crypto/x509.h>
+#include <crypto/crl.h>
+
+#define PATH_BUF 256
+
+typedef struct private_local_credential_store_t private_local_credential_store_t;
+
+/**
+ * Private data of an local_credential_store_t object
+ */
+struct private_local_credential_store_t {
+
+ /**
+ * Public part
+ */
+ local_credential_store_t public;
+
+ /**
+ * list of key_entry_t's with private keys
+ */
+ linked_list_t *private_keys;
+
+ /**
+ * list of X.509 certificates with public keys
+ */
+ linked_list_t *certs;
+
+ /**
+ * list of X.509 CA certificates with public keys
+ */
+ linked_list_t *ca_certs;
+
+ /**
+ * list of X.509 CRLs
+ */
+ linked_list_t *crls;
+
+ /**
+ * mutex controlling the access to the crls linked list
+ */
+ pthread_mutex_t crls_mutex;
+
+ /**
+ * enforce strict crl policy
+ */
+ bool strict;
+
+ /**
+ * Assigned logger
+ */
+ logger_t *logger;
+};
+
+
+/**
+ * Implementation of local_credential_store_t.get_shared_secret.
+ */
+static status_t get_shared_secret(private_local_credential_store_t *this, identification_t *id, chunk_t *secret)
+{
+ return FAILED;
+}
+
+/**
+ * Implementation of local_credential_store_t.get_rsa_public_key.
+ */
+static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *this, identification_t *id)
+{
+ rsa_public_key_t *found = NULL;
+
+ iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
+
+ while (iterator->has_next(iterator))
+ {
+ x509_t *cert;
+
+ iterator->current(iterator, (void**)&cert);
+
+ if (id->equals(id, cert->get_subject(cert)) || cert->equals_subjectAltName(cert, id))
+ {
+ found = cert->get_public_key(cert);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of local_credential_store_t.get_rsa_private_key.
+ */
+static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
+{
+ rsa_private_key_t *found = NULL;
+ rsa_private_key_t *current;
+
+ iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)¤t);
+
+ if (current->belongs_to(current, pubkey))
+ {
+ found = current->clone(current);
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Implementation of local_credential_store_t.has_rsa_private_key.
+ */
+static bool has_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
+{
+ bool found = FALSE;
+ rsa_private_key_t *current;
+
+ iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+
+ while (iterator->has_next(iterator))
+ {
+ iterator->current(iterator, (void**)¤t);
+
+ if (current->belongs_to(current, pubkey))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+ return found;
+}
+
+/**
+ * Add a unique certificate to a linked list
+ */
+static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
+{
+ bool found = FALSE;
+
+ iterator_t *iterator = certs->create_iterator(certs, TRUE);
+
+ while (iterator->has_next(iterator))
+ {
+ x509_t *current_cert;
+
+ iterator->current(iterator, (void**)¤t_cert);
+ if (cert->equals(cert, current_cert))
+ {
+ found = TRUE;
+ cert->destroy(cert);
+ cert = current_cert;
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (!found)
+ {
+ certs->insert_last(certs, (void*)cert);
+ }
+ return cert;
+}
+
+/**
+ * Implements local_credential_store_t.add_end_certificate
+ */
+static x509_t* add_end_certificate(private_local_credential_store_t *this, x509_t *cert)
+{
+ return add_certificate(this->certs, cert);
+}
+
+/**
+ * Implements local_credential_store_t.add_ca_certificate
+ */
+static x509_t* add_ca_certificate(private_local_credential_store_t *this, x509_t *cert)
+{
+ return add_certificate(this->ca_certs, cert);
+}
+
+/**
+ * Implements local_credential_store_t.log_certificates
+ */
+static void log_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
+{
+ iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
+
+ if (iterator->get_count(iterator))
+ {
+ logger->log(logger, CONTROL, "");
+ logger->log(logger, CONTROL, "List of X.509 End Entity Certificates:");
+ logger->log(logger, CONTROL, "");
+ }
+
+ while (iterator->has_next(iterator))
+ {
+ x509_t *cert;
+ bool has_key;
+
+ iterator->current(iterator, (void**)&cert);
+ has_key = has_rsa_private_key(this, cert->get_public_key(cert));
+ cert->log_certificate(cert, logger, utc, has_key);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implements local_credential_store_t.log_ca_certificates
+ */
+static void log_ca_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
+{
+ iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
+
+ if (iterator->get_count(iterator))
+ {
+ logger->log(logger, CONTROL, "");
+ logger->log(logger, CONTROL, "List of X.509 CA Certificates:");
+ logger->log(logger, CONTROL, "");
+ }
+
+ while (iterator->has_next(iterator))
+ {
+ x509_t *cert;
+
+ iterator->current(iterator, (void**)&cert);
+ cert->log_certificate(cert, logger, utc, FALSE);
+ }
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implements local_credential_store_t.log_crls
+ */
+static void log_crls(private_local_credential_store_t *this, logger_t *logger, bool utc)
+{
+ iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
+
+ pthread_mutex_lock(&(this->crls_mutex));
+ if (iterator->get_count(iterator))
+ {
+ logger->log(logger, CONTROL, "");
+ logger->log(logger, CONTROL, "List of X.509 CRLs:");
+ logger->log(logger, CONTROL, "");
+ }
+
+ while (iterator->has_next(iterator))
+ {
+ crl_t *crl;
+
+ iterator->current(iterator, (void**)&crl);
+ crl->log_crl(crl, logger, utc, this->strict);
+ }
+ pthread_mutex_unlock(&(this->crls_mutex));
+
+ iterator->destroy(iterator);
+}
+
+/**
+ * Implements local_credential_store_t.load_ca_certificates
+ */
+static void load_ca_certificates(private_local_credential_store_t *this)
+{
+ struct dirent* entry;
+ struct stat stb;
+ DIR* dir;
+ x509_t *cert;
+
+ this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR);
+
+ dir = opendir(CA_CERTIFICATE_DIR);
+ if (dir == NULL)
+ {
+ this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR);
+ return;
+ }
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[PATH_BUF];
+
+ snprintf(file, sizeof(file), "%s/%s", CA_CERTIFICATE_DIR, entry->d_name);
+
+ if (stat(file, &stb) == -1)
+ {
+ continue;
+ }
+ /* try to parse all regular files */
+ if (stb.st_mode & S_IFREG)
+ {
+ cert = x509_create_from_file(file, "ca certificate");
+ if (cert)
+ {
+ err_t ugh = cert->is_valid(cert, NULL);
+
+ if (ugh != NULL)
+ {
+ this->logger->log(this->logger, ERROR, "warning: ca certificate %s", ugh);
+ }
+ if (cert->is_ca(cert))
+ {
+ cert = add_certificate(this->ca_certs, cert);
+ }
+ else
+ {
+ this->logger->log(this->logger, ERROR,
+ " CA basic constraints flag not set, cert discarded");
+ cert->destroy(cert);
+ }
+ }
+ }
+ }
+ closedir(dir);
+}
+
+/**
+ * Add the latest crl to a linked list
+ */
+static crl_t* add_crl(linked_list_t *crls, crl_t *crl, logger_t *logger)
+{
+ bool found = FALSE;
+
+ iterator_t *iterator = crls->create_iterator(crls, TRUE);
+
+ while (iterator->has_next(iterator))
+ {
+ crl_t *current_crl;
+
+ iterator->current(iterator, (void**)¤t_crl);
+ if (crl->equals_issuer(crl, current_crl))
+ {
+ found = TRUE;
+ if (crl->is_newer(crl, current_crl))
+ {
+ crl_t *old_crl = NULL;
+
+ iterator->replace(iterator, (void**)&old_crl, (void*)crl);
+ if (old_crl != NULL)
+ {
+ old_crl->destroy(old_crl);
+ }
+ logger->log(logger, CONTROL|LEVEL1, " thisUpdate is newer - existing crl replaced");
+ }
+ else
+ {
+ crl->destroy(crl);
+ crl = current_crl;
+ logger->log(logger, CONTROL|LEVEL1, " thisUpdate is not newer - existing crl retained");
+ }
+ break;
+ }
+ }
+ iterator->destroy(iterator);
+
+ if (!found)
+ {
+ crls->insert_last(crls, (void*)crl);
+ logger->log(logger, CONTROL|LEVEL1, " crl added");
+ }
+ return crl;
+}
+
+/**
+ * Implements local_credential_store_t.load_crls
+ */
+static void load_crls(private_local_credential_store_t *this)
+{
+ struct dirent* entry;
+ struct stat stb;
+ DIR* dir;
+ crl_t *crl;
+
+ this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", CRL_DIR);
+
+ dir = opendir(CRL_DIR);
+ if (dir == NULL)
+ {
+ this->logger->log(this->logger, ERROR, "error opening crl directory %s'", CRL_DIR);
+ return;
+ }
+
+ while ((entry = readdir(dir)) != NULL)
+ {
+ char file[PATH_BUF];
+
+ snprintf(file, sizeof(file), "%s/%s", CRL_DIR, entry->d_name);
+
+ if (stat(file, &stb) == -1)
+ {
+ continue;
+ }
+ /* try to parse all regular files */
+ if (stb.st_mode & S_IFREG)
+ {
+ crl = crl_create_from_file(file);
+ if (crl)
+ {
+ err_t ugh = crl->is_valid(crl, NULL, this->strict);
+
+ if (ugh != NULL)
+ {
+ this->logger->log(this->logger, ERROR, "warning: crl %s", ugh);
+ }
+ pthread_mutex_lock(&(this->crls_mutex));
+ crl = add_crl(this->crls, crl, this->logger);
+ pthread_mutex_unlock(&(this->crls_mutex));
+ }
+ }
+ }
+ closedir(dir);
+}
+
+/**
+ * Implements local_credential_store_t.load_private_keys
+ */
+static void load_private_keys(private_local_credential_store_t *this)
+{
+ FILE *fd = fopen(SECRETS_FILE, "r");
+
+ if (fd)
+ {
+ int bytes;
+ int line_nr = 0;
+ chunk_t chunk, src, line;
+
+ this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", SECRETS_FILE);
+
+ fseek(fd, 0, SEEK_END);
+ chunk.len = ftell(fd);
+ rewind(fd);
+ chunk.ptr = malloc(chunk.len);
+ bytes = fread(chunk.ptr, 1, chunk.len, fd);
+ fclose(fd);
+
+ src = chunk;
+
+ while (fetchline(&src, &line))
+ {
+ chunk_t ids, token;
+
+ line_nr++;
+
+ if (!eat_whitespace(&line))
+ {
+ continue;
+ }
+ if (!extract_token(&ids, ':', &line))
+ {
+ this->logger->log(this->logger, ERROR, "line %d: missing ':' separator", line_nr);
+ goto error;
+ }
+ if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
+ {
+ this->logger->log(this->logger, ERROR, "line %d: missing token", line_nr);
+ goto error;
+ }
+ if (match("RSA", &token))
+ {
+ char path[PATH_BUF];
+ chunk_t filename;
+
+ err_t ugh = extract_value(&filename, &line);
+
+ if (ugh != NULL)
+ {
+ this->logger->log(this->logger, ERROR, "line %d: %s", line_nr, ugh);
+ goto error;
+ }
+ if (filename.len == 0)
+ {
+ this->logger->log(this->logger, ERROR,
+ "line %d: empty filename", line_nr);
+ goto error;
+ }
+ if (*filename.ptr == '/')
+ {
+ /* absolute path name */
+ snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
+ }
+ else
+ {
+ /* relative path name */
+ snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, filename.len, filename.ptr);
+ }
+
+ rsa_private_key_t *key = rsa_private_key_create_from_file(path, NULL);
+ if (key)
+ {
+ this->private_keys->insert_last(this->private_keys, (void*)key);
+ }
+ }
+ else if (match("PSK", &token))
+ {
+
+ }
+ else if (match("PIN", &token))
+ {
+
+ }
+ else
+ {
+ this->logger->log(this->logger, ERROR,
+ "line %d: token must be either RSA, PSK, or PIN",
+ line_nr, token.len);
+ goto error;
+ }
+ }
+error:
+ free(chunk.ptr);
+ }
+ else
+ {
+ this->logger->log(this->logger, ERROR, "could not open file '%s'", SECRETS_FILE);
+ }
+}
+
+/**
+ * Implementation of local_credential_store_t.destroy.
+ */
+static void destroy(private_local_credential_store_t *this)
+{
+ x509_t *cert;
+ crl_t *crl;
+ rsa_private_key_t *key;
+
+ /* destroy cert list */
+ while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
+ {
+ cert->destroy(cert);
+ }
+ this->certs->destroy(this->certs);
+
+ /* destroy ca cert list */
+ while (this->ca_certs->remove_last(this->ca_certs, (void**)&cert) == SUCCESS)
+ {
+ cert->destroy(cert);
+ }
+ this->ca_certs->destroy(this->ca_certs);
+
+ /* destroy crl list */
+ pthread_mutex_lock(&(this->crls_mutex));
+ while (this->crls->remove_last(this->crls, (void**)&crl) == SUCCESS)
+ {
+ crl->destroy(crl);
+ }
+ this->crls->destroy(this->crls);
+ pthread_mutex_unlock(&(this->crls_mutex));
+
+ /* destroy private key list */
+ while (this->private_keys->remove_last(this->private_keys, (void**)&key) == SUCCESS)
+ {
+ key->destroy(key);
+ }
+ this->private_keys->destroy(this->private_keys);
+
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+local_credential_store_t * local_credential_store_create(bool strict)
+{
+ private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t);
+
+ this->public.credential_store.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
+ this->public.credential_store.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
+ this->public.credential_store.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
+ this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
+ this->public.credential_store.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
+ this->public.credential_store.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
+ this->public.credential_store.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
+ this->public.credential_store.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
+ this->public.credential_store.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
+ this->public.credential_store.load_ca_certificates = (void(*)(credential_store_t*))load_ca_certificates;
+ this->public.credential_store.load_crls = (void(*)(credential_store_t*))load_crls;
+ this->public.credential_store.load_private_keys = (void(*)(credential_store_t*))load_private_keys;
+ this->public.credential_store.destroy = (void(*)(credential_store_t*))destroy;
+
+ /* initialize mutexes */
+ pthread_mutex_init(&(this->crls_mutex), NULL);
+
+ /* private variables */
+ this->private_keys = linked_list_create();
+ this->certs = linked_list_create();
+ this->ca_certs = linked_list_create();
+ this->crls = linked_list_create();
+ this->strict = strict;
+ this->logger = logger_manager->get_logger(logger_manager, CONFIG);
+
+ return (&this->public);
+}
--- /dev/null
+/**
+ * @file local_credential_store.h
+ *
+ * @brief Interface of local_credential_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef LOCAL_CREDENTIAL_H_
+#define LOCAL_CREDENTIAL_H_
+
+#include <types.h>
+#include <daemon.h>
+#include <config/credentials/credential_store.h>
+
+
+typedef struct local_credential_store_t local_credential_store_t;
+
+/**
+ * @brief A credential_store_t implementation using simple credentail lists.
+ *
+ * The local_credential_store_t class implements the credential_store_t interface
+ * as simple as possible. The credentials are stored in lists, and are loaded from
+ * files on the disk.
+ * Shared secret are not handled yet, so get_shared_secret always returns NOT_FOUND.
+ *
+ * @b Constructors:
+ * - local_credential_store_create(bool strict)
+ *
+ * @ingroup config
+ */
+struct local_credential_store_t {
+
+ /**
+ * Implements credential_store_t interface
+ */
+ credential_store_t credential_store;
+};
+
+/**
+ * @brief Creates a local_credential_store_t instance.
+ *
+ * @param strict enforce a strict crl policy
+ * @return credential store instance.
+ *
+ * @ingroup config
+ */
+local_credential_store_t *local_credential_store_create(bool strict);
+
+#endif /* LOCAL_CREDENTIAL_H_ */
this->public.send_queue = send_queue_create();
this->public.connections = (connection_store_t*)local_connection_store_create();
this->public.policies = (policy_store_t*)local_policy_store_create();
- this->public.credentials = credential_store_create(strict);
+ this->public.credentials = (credential_store_t*)local_credential_store_create(strict);
/* load keys, ca certificates and crls */
credentials = this->public.credentials;
- credentials->load_ca_certificates(credentials, CA_CERTIFICATE_DIR);
- credentials->load_crls(credentials, CRL_DIR);
- credentials->load_private_keys(credentials, SECRETS_FILE, PRIVATE_KEY_DIR);
-
+ credentials->load_ca_certificates(credentials);
+ credentials->load_crls(credentials);
+ credentials->load_private_keys(credentials);
/* start building threads, we are multi-threaded NOW */
this->public.stroke = stroke_create();
*/
#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
+
typedef struct daemon_t daemon_t;
/**
{
host_t *alice = host_create(AF_INET, "192.168.0.1", 500);
host_t *bob = host_create(AF_INET, "192.168.0.2", 500);
- connection_t *connection = connection_create("alice-bob", TRUE, alice, bob, RSA_DIGITAL_SIGNATURE);
+ connection_t *connection = connection_create(
+ "alice-bob", TRUE,
+ CERT_ALWAYS_SEND, CERT_ALWAYS_SEND,
+ alice, bob, RSA_DIGITAL_SIGNATURE);
proposal_t *prop1, *prop2, *prop3, *prop4;
linked_list_t *list;
this->logger->log(this->logger, CONTROL|LEVEL1, " other ca:'%s'", other_ca->get_string(other_ca));
connection = connection_create(msg->add_conn.name, msg->add_conn.ikev2,
+ msg->add_conn.me.sendcert, msg->add_conn.other.sendcert,
my_host, other_host,
RSA_DIGITAL_SIGNATURE);
if (msg->add_conn.algorithms.ike)
{
if (msg->reread.flags & REREAD_CACERTS)
{
- charon->credentials->load_ca_certificates(charon->credentials, CA_CERTIFICATE_DIR);
+ charon->credentials->load_ca_certificates(charon->credentials);
}
if (msg->reread.flags & REREAD_CRLS)
{
- charon->credentials->load_crls(charon->credentials, CRL_DIR);
+ charon->credentials->load_crls(charon->credentials);
}
}
CREATED,
};
-
-/**
- * Certificate sending policy
- */
-typedef enum certpolicy {
- CERT_ALWAYS_SEND = 0,
- CERT_SEND_IF_ASKED = 1,
- CERT_NEVER_SEND = 2,
-
- CERT_YES_SEND = 3, /* synonym for CERT_ALWAYS_SEND */
- CERT_NO_SEND = 4 /* synonym for CERT_NEVER_SEND */
-} certpolicy_t;
-
/**
* RFC 2459 CRL reason codes
*/
msg.add_conn.me.subnet_mask = my_netmask;
msg.add_conn.me.cert = NULL;
msg.add_conn.me.ca = NULL;
- msg.add_conn.me.sendcert = CERT_SEND_IF_ASKED;
+ msg.add_conn.me.sendcert = 1;
msg.add_conn.other.id = push_string(&msg, other_id);
msg.add_conn.other.address = push_string(&msg, other_addr);
msg.add_conn.other.subnet_mask = other_netmask;
msg.add_conn.other.cert = NULL;
msg.add_conn.other.ca = NULL;
- msg.add_conn.other.sendcert = CERT_SEND_IF_ASKED;
+ msg.add_conn.other.sendcert = 1;
return send_stroke_msg(&msg);
}
#ifndef STROKE_H_
#define STROKE_H_
+#include <sys/types.h>
+
/**
* Socket which is used to communicate between charon and stroke
*/
#define STROKE_BUF_LEN 2048
+typedef enum list_flag_t list_flag_t;
+
/**
- * Definition of the LIST flags
- */
-#define LIST_NONE 0x0000 /* don't list anything */
-#define LIST_CERTS 0x0001 /* list all host/user certs */
-#define LIST_CACERTS 0x0002 /* list all ca certs */
-#define LIST_CRLS 0x0004 /* list all crls */
-#define LIST_ALL 0x0007 /* all list options */
+ * Definition of the LIST flags, used for
+ * the various stroke list* commands.
+ */
+enum list_flag_t {
+ /** don't list anything */
+ LIST_NONE = 0x0000,
+ /** list all host/user certs */
+ LIST_CERTS = 0x0001,
+ /** list all ca certs */
+ LIST_CACERTS = 0x0002,
+ /** list all crls */
+ LIST_CRLS = 0x0004,
+ /** all list options */
+ LIST_ALL = 0x0007,
+};
+
+typedef enum reread_flag_t reread_flag_t;
/**
- * Definition of the REREAD flags
- */
-#define REREAD_NONE 0x0000 /* don't reread anything */
-#define REREAD_CACERTS 0x0001 /* reread all ca certs */
-#define REREAD_CRLS 0x0002 /* reread all crls */
-#define REREAD_ALL 0x0003 /* all reread options */
+ * Definition of the REREAD flags, used for
+ * the various stroke reread* commands.
+ */
+enum reread_flag_t {
+ /** don't reread anything */
+ REREAD_NONE = 0x0000,
+ /** reread all ca certs */
+ REREAD_CACERTS = 0x0001,
+ /** reread all crls */
+ REREAD_CRLS = 0x0002,
+ /** all reread options */
+ REREAD_ALL = 0x0003,
+};
typedef struct stroke_end_t stroke_end_t;
+/**
+ * definition of a peer in a stroke message
+ */
struct stroke_end_t {
char *id;
char *cert;
char *address;
char *subnet;
int subnet_mask;
- certpolicy_t sendcert;
+ int sendcert;
};
typedef struct stroke_msg_t stroke_msg_t;
*/
struct stroke_msg_t {
/* length of this message with all strings */
- u_int length;
+ u_int16_t length;
/* type of the message */
enum {
/* data for STR_LIST */
struct {
- u_int flags;
+ list_flag_t flags;
bool utc;
} list;
/* data for STR_REREAD */
struct {
- u_int flags;
+ reread_flag_t flags;
} reread;
};