readded local_credential_store
authorMartin Willi <martin@strongswan.org>
Tue, 20 Jun 2006 08:43:57 +0000 (08:43 -0000)
committerMartin Willi <martin@strongswan.org>
Tue, 20 Jun 2006 08:43:57 +0000 (08:43 -0000)
added sendcert policy to connection
some other cleanups

14 files changed:
src/charon/Makefile.am
src/charon/config/connections/connection.c
src/charon/config/connections/connection.h
src/charon/config/credentials/credential_store.c [deleted file]
src/charon/config/credentials/credential_store.h
src/charon/config/credentials/local_credential_store.c [new file with mode: 0644]
src/charon/config/credentials/local_credential_store.h [new file with mode: 0644]
src/charon/daemon.c
src/charon/daemon.h
src/charon/testing/connection_test.c
src/charon/threads/stroke_interface.c
src/libstrongswan/types.h
src/stroke/stroke.c
src/stroke/stroke.h

index ab0e802..6bf2c04 100644 (file)
@@ -6,8 +6,8 @@ config/connections/connection.c config/connections/connection.h \
 config/connections/local_connection_store.c config/connections/local_connection_store.h config/connections/connection_store.h \
 config/policies/policy.c config/policies/policy.h \
 config/policies/local_policy_store.c config/policies/policy_store.h config/policies/local_policy_store.h \
-config/credentials/credential_store.c config/credentials/credential_store.h \
-config/traffic_selector.c config/traffic_selector.h \
+config/credentials/local_credential_store.c config/credentials/local_credential_store.h \
+config/credentials/credential_store.h config/traffic_selector.c config/traffic_selector.h \
 config/proposal.c config/proposal.h config/configuration.c config/configuration.h \
 sa/states/state.c sa/states/state.h sa/states/ike_sa_init_requested.c sa/states/ike_sa_init_requested.h \
 sa/states/ike_sa_init_responded.c sa/states/ike_sa_established.c sa/states/ike_sa_established.h \
index a938d8b..243c896 100644 (file)
@@ -37,6 +37,15 @@ mapping_t auth_method_m[] = {
        {MAPPING_END, NULL}
 };
 
+/** 
+ * String mappings for cert_policy_t.
+ */
+mapping_t cert_policy_m[] = {
+       {CERT_ALWAYS_SEND, "CERT_ALWAYS_SEND"},
+       {CERT_SEND_IF_ASKED, "CERT_SEND_IF_ASKED"},
+       {CERT_NEVER_SEND, "CERT_NEVER_SEND"},
+       {MAPPING_END, NULL}
+};
 
 typedef struct private_connection_t private_connection_t;
 
@@ -59,6 +68,21 @@ struct private_connection_t {
         * Does charon handle this connection? Or can he ignore it?
         */
        bool ikev2;
+       
+       /**
+        * should we send a certificate request?
+        */
+       cert_policy_t cert_req_policy;
+       
+       /**
+        * should we send a certificates?
+        */
+       cert_policy_t cert_policy;
+       
+       /**
+        * ID of us
+        */
+       identification_t *my_id;
 
        /**
         * Host information of my host.
@@ -98,6 +122,22 @@ static bool is_ikev2 (private_connection_t *this)
 }
 
 /**
+ * Implementation of connection_t.get_cert_req_policy.
+ */
+static cert_policy_t get_cert_req_policy (private_connection_t *this)
+{
+       return this->cert_req_policy;
+}
+
+/**
+ * Implementation of connection_t.get_cert_policy.
+ */
+static cert_policy_t get_cert_policy (private_connection_t *this)
+{
+       return this->cert_policy;
+}
+
+/**
  * Implementation of connection_t.get_my_host.
  */
 static host_t *get_my_host (private_connection_t *this)
@@ -254,8 +294,8 @@ static connection_t *clone(private_connection_t *this)
        iterator_t *iterator;
        proposal_t *proposal;
        private_connection_t *clone = (private_connection_t*)connection_create(
-                       this->name,
-                       this->ikev2,
+                       this->name, this->ikev2,
+                       this->cert_policy, this->cert_req_policy,
                        this->my_host->clone(this->my_host),
                        this->other_host->clone(this->other_host),
                        this->auth_method);
@@ -295,13 +335,18 @@ static void destroy(private_connection_t *this)
 /**
  * Described in header.
  */
-connection_t * connection_create(char *name, bool ikev2, host_t *my_host, host_t *other_host, auth_method_t auth_method)
+connection_t * connection_create(char *name, bool ikev2,
+                                                                cert_policy_t cert_policy, cert_policy_t cert_req_policy,
+                                                                host_t *my_host, host_t *other_host, 
+                                                                auth_method_t auth_method)
 {
        private_connection_t *this = malloc_thing(private_connection_t);
 
        /* public functions */
        this->public.get_name = (char*(*)(connection_t*))get_name;
        this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2;
+       this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy;
+       this->public.get_cert_req_policy = (cert_policy_t(*)(connection_t*))get_cert_req_policy;
        this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host;
        this->public.update_my_host = (void(*)(connection_t*,host_t*))update_my_host;
        this->public.update_other_host = (void(*)(connection_t*,host_t*))update_other_host;
@@ -318,6 +363,8 @@ connection_t * connection_create(char *name, bool ikev2, host_t *my_host, host_t
        /* private variables */
        this->name = strdup(name);
        this->ikev2 = ikev2;
+       this->cert_policy = cert_policy;
+       this->cert_req_policy = cert_req_policy;
        this->my_host = my_host;
        this->other_host = other_host;
        this->auth_method = auth_method;
index 5235746..50563da 100644 (file)
@@ -67,6 +67,36 @@ enum auth_method_t {
 extern mapping_t auth_method_m[];
 
 
+typedef enum cert_policy_t cert_policy_t;
+
+/**
+ * Certificate sending policy. This is also used for certificate
+ * requests when using this definition for the other peer. If
+ * it is CERT_NEVER_SEND, a certreq is ommited, otherwise its
+ * included.
+ *
+ * @ingroup config
+ * 
+ * @warning These definitions must be the same as in pluto/starter,
+ * as they are sent over the stroke socket.
+ */
+enum cert_policy_t {
+       /** always send certificates, even when not requested */
+       CERT_ALWAYS_SEND   = 0,
+       /** send certificate upon cert request */
+       CERT_SEND_IF_ASKED = 1,
+       /** never send a certificate, even when requested */
+       CERT_NEVER_SEND    = 2,
+};
+
+/**
+ * string mappings for certpolicy_t.
+ * 
+ * @ingroup config
+ */
+extern mapping_t cert_policy_m[];
+
+
 typedef struct connection_t connection_t;
 
 /**
@@ -189,6 +219,28 @@ struct connection_t {
        bool (*is_ikev2) (connection_t *this);
        
        /**
+        * @brief Should be sent a certificate request for this connection?
+        *
+        * A certificate request contains serials of our trusted CA certificates.
+        * This flag says if such a request is sent on connection setup to
+        * the peer. It should be ommited when CERT_SEND_NEVER, sended otherwise.
+        *
+        * @param this          calling object
+        * @return                      - TRUE, if certificate request should be sent
+        */
+       cert_policy_t (*get_cert_req_policy) (connection_t *this);
+       
+       /**
+        * @brief Should be sent a certificate for this connection?
+        *
+        * Return the policy used to send the certificate.
+        *
+        * @param this          calling object
+        * @return                      certificate sending policy
+        */
+       cert_policy_t (*get_cert_policy) (connection_t *this);
+       
+       /**
         * @brief Get the DH group to use for connection initialization.
         * 
         * @param this          calling object
@@ -230,17 +282,19 @@ struct connection_t {
  * do not modify or destroy them after a call to 
  * connection_create(). Name gets cloned internally.
  *
- * @param name                 connection identifier
- * @param ikev2                        TRUE if this is an IKEv2 connection
- * @param my_host              host_t representing local address
- * @param other_host   host_t representing remote address
- * @param auth_method  Authentication method to use for our(!) auth data
- * @return                             connection_t object.
+ * @param name                         connection identifier
+ * @param ikev2                                TRUE if this is an IKEv2 connection
+ * @param cert_policy          certificate send policy
+ * @param cert_req_policy      certificate request send policy
+ * @param my_host                      host_t representing local address
+ * @param other_host           host_t representing remote address
+ * @param auth_method          Authentication method to use for our(!) auth data
+ * @return                                     connection_t object.
  * 
  * @ingroup config
  */
-connection_t * connection_create(char *name,
-                                                                bool ikev2,
+connection_t * connection_create(char *name, bool ikev2,
+                                                                cert_policy_t cert_pol, cert_policy_t req_pol,
                                                                 host_t *my_host, host_t *other_host,
                                                                 auth_method_t auth_method);
 
diff --git a/src/charon/config/credentials/credential_store.c b/src/charon/config/credentials/credential_store.c
deleted file mode 100644 (file)
index 6e7d338..0000000
+++ /dev/null
@@ -1,625 +0,0 @@
-/**
- * @file credential_store.c
- * 
- * @brief Implementation of credential_store_t.
- *  
- */
-
-/*
- * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include <sys/stat.h>
-#include <dirent.h>
-#include <string.h>
-#include <pthread.h>
-
-#include "credential_store.h"
-
-#include <utils/lexparser.h>
-#include <utils/linked_list.h>
-#include <utils/logger_manager.h>
-#include <crypto/x509.h>
-#include <crypto/crl.h>
-
-#define PATH_BUF       256
-
-typedef struct private_credential_store_t private_credential_store_t;
-
-/**
- * Private data of an credential_store_t object
- */
-struct private_credential_store_t {
-
-       /**
-        * Public part
-        */
-       credential_store_t public;
-       
-       /**
-        * list of key_entry_t's with private keys
-        */
-       linked_list_t *private_keys;
-       
-       /**
-        * list of X.509 certificates with public keys
-        */
-       linked_list_t *certs;
-
-       /**
-        * list of X.509 CA certificates with public keys
-        */
-       linked_list_t *ca_certs;
-
-       /**
-        * list of X.509 CRLs
-        */
-       linked_list_t *crls;
-
-       /**
-        * mutex controlling the access to the crls linked list
-        */
-       pthread_mutex_t crls_mutex;
-
-       /**
-        * enforce strict crl policy
-        */
-       bool strict;
-
-       /**
-        * Assigned logger
-        */
-       logger_t *logger;
-};
-
-
-/**
- * Implementation of credential_store_t.get_shared_secret.
- */    
-static status_t get_shared_secret(private_credential_store_t *this, identification_t *id, chunk_t *secret)
-{
-       return FAILED;
-}
-
-/**
- * Implementation of credential_store_t.get_rsa_public_key.
- */
-static rsa_public_key_t * get_rsa_public_key(private_credential_store_t *this, identification_t *id)
-{
-       rsa_public_key_t *found = NULL;
-
-       iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
-
-       while (iterator->has_next(iterator))
-       {
-               x509_t *cert;
-
-               iterator->current(iterator, (void**)&cert);
-
-               if (id->equals(id, cert->get_subject(cert)) || cert->equals_subjectAltName(cert, id))
-               {
-                       found = cert->get_public_key(cert);
-                       break;
-               }
-       }
-       iterator->destroy(iterator);
-       return found;
-}
-
-/**
- * Implementation of credential_store_t.get_rsa_private_key.
- */
-static rsa_private_key_t* get_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
-{
-       rsa_private_key_t *found = NULL;
-       rsa_private_key_t *current;
-
-       iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
-
-       while (iterator->has_next(iterator))
-       {
-               iterator->current(iterator, (void**)&current);
-
-               if (current->belongs_to(current, pubkey))
-               {
-                       found = current->clone(current);
-                       break;
-               }
-       }
-       iterator->destroy(iterator);
-       return found;
-}
-
-/**
- * Implementation of credential_store_t.has_rsa_private_key.
- */
-static bool has_rsa_private_key(private_credential_store_t *this, rsa_public_key_t *pubkey)
-{
-       bool found = FALSE;
-       rsa_private_key_t *current;
-
-       iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
-
-       while (iterator->has_next(iterator))
-       {
-               iterator->current(iterator, (void**)&current);
-
-               if (current->belongs_to(current, pubkey))
-               {
-                       found = TRUE;
-                       break;
-               }
-       }
-       iterator->destroy(iterator);
-       return found;
-}
-
-/**
- * Add a unique certificate to a linked list
- */
-static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
-{
-       bool found = FALSE;
-
-       iterator_t *iterator = certs->create_iterator(certs, TRUE);
-
-       while (iterator->has_next(iterator))
-       {
-               x509_t *current_cert;
-
-               iterator->current(iterator, (void**)&current_cert);
-               if (cert->equals(cert, current_cert))
-               {
-                       found = TRUE;
-                       cert->destroy(cert);
-                       cert = current_cert;
-                       break;
-               }
-       }
-       iterator->destroy(iterator);
-
-       if (!found)
-       {
-               certs->insert_last(certs, (void*)cert);
-       }
-       return cert;
-}
-
-/**
- * Implements credential_store_t.add_end_certificate
- */
-static x509_t* add_end_certificate(private_credential_store_t *this, x509_t *cert)
-{
-       return add_certificate(this->certs, cert);
-}
-
-/**
- * Implements credential_store_t.add_ca_certificate
- */
-static x509_t* add_ca_certificate(private_credential_store_t *this, x509_t *cert)
-{
-       return add_certificate(this->ca_certs, cert);
-}
-
-/**
- * Implements credential_store_t.log_certificates
- */
-static void log_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
-{
-       iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
-       
-       if (iterator->get_count(iterator))
-       {
-               logger->log(logger, CONTROL, "");
-               logger->log(logger, CONTROL, "List of X.509 End Entity Certificates:");
-               logger->log(logger, CONTROL, "");
-       }
-       
-       while (iterator->has_next(iterator))
-       {
-               x509_t *cert;
-               bool has_key;
-               
-               iterator->current(iterator, (void**)&cert);
-               has_key = has_rsa_private_key(this, cert->get_public_key(cert));
-               cert->log_certificate(cert, logger, utc, has_key);
-       }
-       iterator->destroy(iterator);
-}
-
-/**
- * Implements credential_store_t.log_ca_certificates
- */
-static void log_ca_certificates(private_credential_store_t *this, logger_t *logger, bool utc)
-{
-       iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
-
-       if (iterator->get_count(iterator))
-       {
-               logger->log(logger, CONTROL, "");
-               logger->log(logger, CONTROL, "List of X.509 CA Certificates:");
-               logger->log(logger, CONTROL, "");
-       }
-
-       while (iterator->has_next(iterator))
-       {
-               x509_t *cert;
-
-               iterator->current(iterator, (void**)&cert);
-               cert->log_certificate(cert, logger, utc, FALSE);
-       }
-       iterator->destroy(iterator);
-}
-
-/**
- * Implements credential_store_t.log_crls
- */
-static void log_crls(private_credential_store_t *this, logger_t *logger, bool utc)
-{
-       iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
-
-       pthread_mutex_lock(&(this->crls_mutex));
-       if (iterator->get_count(iterator))
-       {
-               logger->log(logger, CONTROL, "");
-               logger->log(logger, CONTROL, "List of X.509 CRLs:");
-               logger->log(logger, CONTROL, "");
-       }
-
-       while (iterator->has_next(iterator))
-       {
-               crl_t *crl;
-
-               iterator->current(iterator, (void**)&crl);
-               crl->log_crl(crl, logger, utc, this->strict);
-       }
-       pthread_mutex_unlock(&(this->crls_mutex));
-
-       iterator->destroy(iterator);
-}
-
-/**
- * Implements credential_store_t.load_ca_certificates
- */
-static void load_ca_certificates(private_credential_store_t *this, const char *path)
-{
-       struct dirent* entry;
-       struct stat stb;
-       DIR* dir;
-       x509_t *cert;
-       
-       this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", path);
-
-       dir = opendir(path);
-       if (dir == NULL)
-       {
-               this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", path);
-               return;
-       }
-
-       while ((entry = readdir(dir)) != NULL)
-       {
-               char file[PATH_BUF];
-
-               snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
-               
-               if (stat(file, &stb) == -1)
-               {
-                       continue;
-               }
-               /* try to parse all regular files */
-               if (stb.st_mode & S_IFREG)
-               {
-                       cert = x509_create_from_file(file, "ca certificate");
-                       if (cert)
-                       {
-                               err_t ugh = cert->is_valid(cert, NULL);
-
-                               if (ugh != NULL)        
-                               {
-                                       this->logger->log(this->logger, ERROR, "warning: ca certificate %s", ugh);
-                               }
-                               if (cert->is_ca(cert))
-                               {
-                                       cert = add_certificate(this->ca_certs, cert);
-                               }
-                               else
-                               {
-                                       this->logger->log(this->logger, ERROR,
-                                                       "  CA basic constraints flag not set, cert discarded");
-                                       cert->destroy(cert);
-                               }
-                       }
-               }
-       }
-       closedir(dir);
-}
-
-/**
- * Add the latest crl to a linked list
- */
-static crl_t* add_crl(linked_list_t *crls, crl_t *crl, logger_t *logger)
-{
-       bool found = FALSE;
-
-       iterator_t *iterator = crls->create_iterator(crls, TRUE);
-
-       while (iterator->has_next(iterator))
-       {
-               crl_t *current_crl;
-
-               iterator->current(iterator, (void**)&current_crl);
-               if (crl->equals_issuer(crl, current_crl))
-               {
-                       found = TRUE;
-                       if (crl->is_newer(crl, current_crl))
-                       {
-                               crl_t *old_crl = NULL;
-
-                               iterator->replace(iterator, (void**)&old_crl, (void*)crl);
-                               if (old_crl != NULL)
-                               {
-                                       old_crl->destroy(old_crl);
-                               }
-                               logger->log(logger, CONTROL|LEVEL1, "  thisUpdate is newer - existing crl replaced");
-                       }
-                       else
-                       {
-                               crl->destroy(crl);
-                               crl = current_crl;
-                               logger->log(logger, CONTROL|LEVEL1, "  thisUpdate is not newer - existing crl retained");
-                       }
-                       break;
-               }
-       }
-       iterator->destroy(iterator);
-
-       if (!found)
-       {
-               crls->insert_last(crls, (void*)crl);
-               logger->log(logger, CONTROL|LEVEL1, "  crl added");
-       }
-       return crl;
-}
-
-/**
- * Implements credential_store_t.load_crls
- */
-static void load_crls(private_credential_store_t *this, const char *path)
-{
-       struct dirent* entry;
-       struct stat stb;
-       DIR* dir;
-       crl_t *crl;
-       
-       this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", path);
-
-       dir = opendir(path);
-       if (dir == NULL)
-       {
-               this->logger->log(this->logger, ERROR, "error opening crl directory %s'", path);
-               return;
-       }
-
-       while ((entry = readdir(dir)) != NULL)
-       {
-               char file[PATH_BUF];
-
-               snprintf(file, sizeof(file), "%s/%s", path, entry->d_name);
-               
-               if (stat(file, &stb) == -1)
-               {
-                       continue;
-               }
-               /* try to parse all regular files */
-               if (stb.st_mode & S_IFREG)
-               {
-                       crl = crl_create_from_file(file);
-                       if (crl)
-                       {
-                               err_t ugh = crl->is_valid(crl, NULL, this->strict);
-
-                               if (ugh != NULL)        
-                               {
-                                       this->logger->log(this->logger, ERROR, "warning: crl %s", ugh);
-                               }
-                               pthread_mutex_lock(&(this->crls_mutex));
-                               crl = add_crl(this->crls, crl, this->logger);
-                               pthread_mutex_unlock(&(this->crls_mutex));
-                       }
-               }
-       }
-       closedir(dir);
-}
-
-/**
- * Implements credential_store_t.load_private_keys
- */
-static void load_private_keys(private_credential_store_t *this, const char *secretsfile, const char *defaultpath)
-{
-       FILE *fd = fopen(secretsfile, "r");
-
-       if (fd)
-       {
-               int bytes;
-               int line_nr = 0;
-       chunk_t chunk, src, line;
-
-               this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", secretsfile);
-
-               fseek(fd, 0, SEEK_END);
-               chunk.len = ftell(fd);
-               rewind(fd);
-               chunk.ptr = malloc(chunk.len);
-               bytes = fread(chunk.ptr, 1, chunk.len, fd);
-               fclose(fd);
-
-               src = chunk;
-
-               while (fetchline(&src, &line))
-               {
-                       chunk_t ids, token;
-
-                       line_nr++;
-
-                       if (!eat_whitespace(&line))
-                       {
-                               continue;
-                       }
-                       if (!extract_token(&ids, ':', &line))
-                       {
-                               this->logger->log(this->logger, ERROR, "line %d: missing ':' separator", line_nr);
-                               goto error;
-                       }
-                       if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
-                       {
-                               this->logger->log(this->logger, ERROR, "line %d: missing token", line_nr);
-                               goto error;
-                       }
-                       if (match("RSA", &token))
-                       {
-                               char path[PATH_BUF];
-                               chunk_t filename;
-
-                               err_t ugh = extract_value(&filename, &line);
-
-                               if (ugh != NULL)
-                               {
-                                       this->logger->log(this->logger, ERROR, "line %d: %s", line_nr, ugh);
-                                       goto error;
-                               }
-                               if (filename.len == 0)
-                               {
-                                       this->logger->log(this->logger, ERROR,
-                                               "line %d: empty filename", line_nr);
-                                       goto error;
-                               }
-                               if (*filename.ptr == '/')
-                               {
-                                       /* absolute path name */
-                                       snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
-                               }
-                               else
-                               {
-                                       /* relative path name */
-                                       snprintf(path, sizeof(path), "%s/%.*s", defaultpath, filename.len, filename.ptr);
-                               }
-
-                               rsa_private_key_t *key = rsa_private_key_create_from_file(path, NULL);
-                               if (key)
-                               {
-                                       this->private_keys->insert_last(this->private_keys, (void*)key);
-                               }
-                       }
-                       else if (match("PSK", &token))
-                       {
-
-                       }
-                       else if (match("PIN", &token))
-                       {
-
-                       }
-                       else
-                       {
-                               this->logger->log(this->logger, ERROR,
-                                        "line %d: token must be either RSA, PSK, or PIN",
-                                         line_nr, token.len);
-                               goto error;
-                       }
-               }
-error:
-               free(chunk.ptr);
-       }
-       else
-       {
-               this->logger->log(this->logger, ERROR, "could not open file '%s'", secretsfile);
-       }
-}
-
-/**
- * Implementation of credential_store_t.destroy.
- */
-static void destroy(private_credential_store_t *this)
-{
-       x509_t *cert;
-       crl_t *crl;
-       rsa_private_key_t *key;
-       
-       /* destroy cert list */
-       while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
-       {
-               cert->destroy(cert);
-       }
-       this->certs->destroy(this->certs);
-
-       /* destroy ca cert list */
-       while (this->ca_certs->remove_last(this->ca_certs, (void**)&cert) == SUCCESS)
-       {
-               cert->destroy(cert);
-       }
-       this->ca_certs->destroy(this->ca_certs);
-
-       /* destroy crl list */
-       pthread_mutex_lock(&(this->crls_mutex));
-       while (this->crls->remove_last(this->crls, (void**)&crl) == SUCCESS)
-       {
-               crl->destroy(crl);
-       }
-       this->crls->destroy(this->crls);
-       pthread_mutex_unlock(&(this->crls_mutex));
-
-    /* destroy private key list */
-       while (this->private_keys->remove_last(this->private_keys, (void**)&key) == SUCCESS)
-       {
-               key->destroy(key);
-       }
-       this->private_keys->destroy(this->private_keys);
-
-       free(this);
-}
-
-/**
- * Described in header.
- */
-credential_store_t * credential_store_create(bool strict)
-{
-       private_credential_store_t *this = malloc_thing(private_credential_store_t);
-
-       this->public.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
-       this->public.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
-       this->public.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
-       this->public.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
-       this->public.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
-       this->public.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
-       this->public.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
-       this->public.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
-       this->public.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
-       this->public.load_ca_certificates = (void(*)(credential_store_t*,const char*))load_ca_certificates;
-       this->public.load_crls = (void(*)(credential_store_t*,const char*))load_crls;
-       this->public.load_private_keys = (void(*)(credential_store_t*,const char*, const char*))load_private_keys;
-       this->public.destroy = (void(*)(credential_store_t*))destroy;
-       
-       /* initialize mutexes */
-       pthread_mutex_init(&(this->crls_mutex), NULL);
-
-       /* private variables */
-       this->private_keys = linked_list_create();
-       this->certs = linked_list_create();
-       this->ca_certs = linked_list_create();
-       this->crls = linked_list_create();
-       this->strict = strict;
-       this->logger = logger_manager->get_logger(logger_manager, CONFIG);
-
-       return (&this->public);
-}
index 4b6623d..302eefe 100755 (executable)
@@ -108,6 +108,7 @@ struct credential_store_t {
         * @return                      pointer to the added or already existing certificate
         */
        x509_t* (*add_ca_certificate) (credential_store_t *this, x509_t *cert);
+       
        /**
         * @brief Lists all certificates kept in the local credential store.
         *
@@ -143,7 +144,7 @@ struct credential_store_t {
         * @param this          calling object
         * @param path          directory to load certificates from
         */
-       void (*load_ca_certificates) (credential_store_t *this, const char *path);
+       void (*load_ca_certificates) (credential_store_t *this);
        
        /**
         * @brief Loads CRLs from a default directory.
@@ -153,7 +154,7 @@ struct credential_store_t {
         * @param this          calling object
         * @param path          directory to load crls from 
         */
-       void (*load_crls) (credential_store_t *this, const char *path);
+       void (*load_crls) (credential_store_t *this);
        
        /**
         * @brief Loads RSA private keys defined in ipsec.secrets
@@ -163,10 +164,8 @@ struct credential_store_t {
         * key must already be loaded to get the ID from.
         * 
         * @param this                  calling object
-        * @param secretsfile   file where secrets are stored
-        * @param path                  default directory for private keys
         */
-       void (*load_private_keys) (credential_store_t *this, const char *secretsfile, const char *path);
+       void (*load_private_keys) (credential_store_t *this);
 
        /**
         * @brief Destroys a credential_store_t object.
diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c
new file mode 100644 (file)
index 0000000..ef12884
--- /dev/null
@@ -0,0 +1,625 @@
+/**
+ * @file local_credential_store.c
+ * 
+ * @brief Implementation of local_credential_store_t.
+ *  
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/stat.h>
+#include <dirent.h>
+#include <string.h>
+#include <pthread.h>
+
+#include "local_credential_store.h"
+
+#include <utils/lexparser.h>
+#include <utils/linked_list.h>
+#include <utils/logger_manager.h>
+#include <crypto/x509.h>
+#include <crypto/crl.h>
+
+#define PATH_BUF 256
+
+typedef struct private_local_credential_store_t private_local_credential_store_t;
+
+/**
+ * Private data of an local_credential_store_t object
+ */
+struct private_local_credential_store_t {
+
+       /**
+        * Public part
+        */
+       local_credential_store_t public;
+       
+       /**
+        * list of key_entry_t's with private keys
+        */
+       linked_list_t *private_keys;
+       
+       /**
+        * list of X.509 certificates with public keys
+        */
+       linked_list_t *certs;
+
+       /**
+        * list of X.509 CA certificates with public keys
+        */
+       linked_list_t *ca_certs;
+
+       /**
+        * list of X.509 CRLs
+        */
+       linked_list_t *crls;
+
+       /**
+        * mutex controlling the access to the crls linked list
+        */
+       pthread_mutex_t crls_mutex;
+
+       /**
+        * enforce strict crl policy
+        */
+       bool strict;
+
+       /**
+        * Assigned logger
+        */
+       logger_t *logger;
+};
+
+
+/**
+ * Implementation of local_credential_store_t.get_shared_secret.
+ */    
+static status_t get_shared_secret(private_local_credential_store_t *this, identification_t *id, chunk_t *secret)
+{
+       return FAILED;
+}
+
+/**
+ * Implementation of local_credential_store_t.get_rsa_public_key.
+ */
+static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *this, identification_t *id)
+{
+       rsa_public_key_t *found = NULL;
+
+       iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
+
+       while (iterator->has_next(iterator))
+       {
+               x509_t *cert;
+
+               iterator->current(iterator, (void**)&cert);
+
+               if (id->equals(id, cert->get_subject(cert)) || cert->equals_subjectAltName(cert, id))
+               {
+                       found = cert->get_public_key(cert);
+                       break;
+               }
+       }
+       iterator->destroy(iterator);
+       return found;
+}
+
+/**
+ * Implementation of local_credential_store_t.get_rsa_private_key.
+ */
+static rsa_private_key_t *get_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
+{
+       rsa_private_key_t *found = NULL;
+       rsa_private_key_t *current;
+
+       iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&current);
+
+               if (current->belongs_to(current, pubkey))
+               {
+                       found = current->clone(current);
+                       break;
+               }
+       }
+       iterator->destroy(iterator);
+       return found;
+}
+
+/**
+ * Implementation of local_credential_store_t.has_rsa_private_key.
+ */
+static bool has_rsa_private_key(private_local_credential_store_t *this, rsa_public_key_t *pubkey)
+{
+       bool found = FALSE;
+       rsa_private_key_t *current;
+
+       iterator_t *iterator = this->private_keys->create_iterator(this->private_keys, TRUE);
+
+       while (iterator->has_next(iterator))
+       {
+               iterator->current(iterator, (void**)&current);
+
+               if (current->belongs_to(current, pubkey))
+               {
+                       found = TRUE;
+                       break;
+               }
+       }
+       iterator->destroy(iterator);
+       return found;
+}
+
+/**
+ * Add a unique certificate to a linked list
+ */
+static x509_t* add_certificate(linked_list_t *certs, x509_t *cert)
+{
+       bool found = FALSE;
+
+       iterator_t *iterator = certs->create_iterator(certs, TRUE);
+
+       while (iterator->has_next(iterator))
+       {
+               x509_t *current_cert;
+
+               iterator->current(iterator, (void**)&current_cert);
+               if (cert->equals(cert, current_cert))
+               {
+                       found = TRUE;
+                       cert->destroy(cert);
+                       cert = current_cert;
+                       break;
+               }
+       }
+       iterator->destroy(iterator);
+
+       if (!found)
+       {
+               certs->insert_last(certs, (void*)cert);
+       }
+       return cert;
+}
+
+/**
+ * Implements local_credential_store_t.add_end_certificate
+ */
+static x509_t* add_end_certificate(private_local_credential_store_t *this, x509_t *cert)
+{
+       return add_certificate(this->certs, cert);
+}
+
+/**
+ * Implements local_credential_store_t.add_ca_certificate
+ */
+static x509_t* add_ca_certificate(private_local_credential_store_t *this, x509_t *cert)
+{
+       return add_certificate(this->ca_certs, cert);
+}
+
+/**
+ * Implements local_credential_store_t.log_certificates
+ */
+static void log_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
+{
+       iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE);
+       
+       if (iterator->get_count(iterator))
+       {
+               logger->log(logger, CONTROL, "");
+               logger->log(logger, CONTROL, "List of X.509 End Entity Certificates:");
+               logger->log(logger, CONTROL, "");
+       }
+       
+       while (iterator->has_next(iterator))
+       {
+               x509_t *cert;
+               bool has_key;
+               
+               iterator->current(iterator, (void**)&cert);
+               has_key = has_rsa_private_key(this, cert->get_public_key(cert));
+               cert->log_certificate(cert, logger, utc, has_key);
+       }
+       iterator->destroy(iterator);
+}
+
+/**
+ * Implements local_credential_store_t.log_ca_certificates
+ */
+static void log_ca_certificates(private_local_credential_store_t *this, logger_t *logger, bool utc)
+{
+       iterator_t *iterator = this->ca_certs->create_iterator(this->ca_certs, TRUE);
+
+       if (iterator->get_count(iterator))
+       {
+               logger->log(logger, CONTROL, "");
+               logger->log(logger, CONTROL, "List of X.509 CA Certificates:");
+               logger->log(logger, CONTROL, "");
+       }
+
+       while (iterator->has_next(iterator))
+       {
+               x509_t *cert;
+
+               iterator->current(iterator, (void**)&cert);
+               cert->log_certificate(cert, logger, utc, FALSE);
+       }
+       iterator->destroy(iterator);
+}
+
+/**
+ * Implements local_credential_store_t.log_crls
+ */
+static void log_crls(private_local_credential_store_t *this, logger_t *logger, bool utc)
+{
+       iterator_t *iterator = this->crls->create_iterator(this->crls, TRUE);
+
+       pthread_mutex_lock(&(this->crls_mutex));
+       if (iterator->get_count(iterator))
+       {
+               logger->log(logger, CONTROL, "");
+               logger->log(logger, CONTROL, "List of X.509 CRLs:");
+               logger->log(logger, CONTROL, "");
+       }
+
+       while (iterator->has_next(iterator))
+       {
+               crl_t *crl;
+
+               iterator->current(iterator, (void**)&crl);
+               crl->log_crl(crl, logger, utc, this->strict);
+       }
+       pthread_mutex_unlock(&(this->crls_mutex));
+
+       iterator->destroy(iterator);
+}
+
+/**
+ * Implements local_credential_store_t.load_ca_certificates
+ */
+static void load_ca_certificates(private_local_credential_store_t *this)
+{
+       struct dirent* entry;
+       struct stat stb;
+       DIR* dir;
+       x509_t *cert;
+       
+       this->logger->log(this->logger, CONTROL, "loading ca certificates from '%s/'", CA_CERTIFICATE_DIR);
+
+       dir = opendir(CA_CERTIFICATE_DIR);
+       if (dir == NULL)
+       {
+               this->logger->log(this->logger, ERROR, "error opening ca certs directory %s'", CA_CERTIFICATE_DIR);
+               return;
+       }
+
+       while ((entry = readdir(dir)) != NULL)
+       {
+               char file[PATH_BUF];
+
+               snprintf(file, sizeof(file), "%s/%s", CA_CERTIFICATE_DIR, entry->d_name);
+               
+               if (stat(file, &stb) == -1)
+               {
+                       continue;
+               }
+               /* try to parse all regular files */
+               if (stb.st_mode & S_IFREG)
+               {
+                       cert = x509_create_from_file(file, "ca certificate");
+                       if (cert)
+                       {
+                               err_t ugh = cert->is_valid(cert, NULL);
+
+                               if (ugh != NULL)        
+                               {
+                                       this->logger->log(this->logger, ERROR, "warning: ca certificate %s", ugh);
+                               }
+                               if (cert->is_ca(cert))
+                               {
+                                       cert = add_certificate(this->ca_certs, cert);
+                               }
+                               else
+                               {
+                                       this->logger->log(this->logger, ERROR,
+                                                       "  CA basic constraints flag not set, cert discarded");
+                                       cert->destroy(cert);
+                               }
+                       }
+               }
+       }
+       closedir(dir);
+}
+
+/**
+ * Add the latest crl to a linked list
+ */
+static crl_t* add_crl(linked_list_t *crls, crl_t *crl, logger_t *logger)
+{
+       bool found = FALSE;
+
+       iterator_t *iterator = crls->create_iterator(crls, TRUE);
+
+       while (iterator->has_next(iterator))
+       {
+               crl_t *current_crl;
+
+               iterator->current(iterator, (void**)&current_crl);
+               if (crl->equals_issuer(crl, current_crl))
+               {
+                       found = TRUE;
+                       if (crl->is_newer(crl, current_crl))
+                       {
+                               crl_t *old_crl = NULL;
+
+                               iterator->replace(iterator, (void**)&old_crl, (void*)crl);
+                               if (old_crl != NULL)
+                               {
+                                       old_crl->destroy(old_crl);
+                               }
+                               logger->log(logger, CONTROL|LEVEL1, "  thisUpdate is newer - existing crl replaced");
+                       }
+                       else
+                       {
+                               crl->destroy(crl);
+                               crl = current_crl;
+                               logger->log(logger, CONTROL|LEVEL1, "  thisUpdate is not newer - existing crl retained");
+                       }
+                       break;
+               }
+       }
+       iterator->destroy(iterator);
+
+       if (!found)
+       {
+               crls->insert_last(crls, (void*)crl);
+               logger->log(logger, CONTROL|LEVEL1, "  crl added");
+       }
+       return crl;
+}
+
+/**
+ * Implements local_credential_store_t.load_crls
+ */
+static void load_crls(private_local_credential_store_t *this)
+{
+       struct dirent* entry;
+       struct stat stb;
+       DIR* dir;
+       crl_t *crl;
+       
+       this->logger->log(this->logger, CONTROL, "loading crls from '%s/'", CRL_DIR);
+
+       dir = opendir(CRL_DIR);
+       if (dir == NULL)
+       {
+               this->logger->log(this->logger, ERROR, "error opening crl directory %s'", CRL_DIR);
+               return;
+       }
+
+       while ((entry = readdir(dir)) != NULL)
+       {
+               char file[PATH_BUF];
+
+               snprintf(file, sizeof(file), "%s/%s", CRL_DIR, entry->d_name);
+               
+               if (stat(file, &stb) == -1)
+               {
+                       continue;
+               }
+               /* try to parse all regular files */
+               if (stb.st_mode & S_IFREG)
+               {
+                       crl = crl_create_from_file(file);
+                       if (crl)
+                       {
+                               err_t ugh = crl->is_valid(crl, NULL, this->strict);
+
+                               if (ugh != NULL)        
+                               {
+                                       this->logger->log(this->logger, ERROR, "warning: crl %s", ugh);
+                               }
+                               pthread_mutex_lock(&(this->crls_mutex));
+                               crl = add_crl(this->crls, crl, this->logger);
+                               pthread_mutex_unlock(&(this->crls_mutex));
+                       }
+               }
+       }
+       closedir(dir);
+}
+
+/**
+ * Implements local_credential_store_t.load_private_keys
+ */
+static void load_private_keys(private_local_credential_store_t *this)
+{
+       FILE *fd = fopen(SECRETS_FILE, "r");
+
+       if (fd)
+       {
+               int bytes;
+               int line_nr = 0;
+       chunk_t chunk, src, line;
+
+               this->logger->log(this->logger, CONTROL, "loading secrets from \"%s\"", SECRETS_FILE);
+
+               fseek(fd, 0, SEEK_END);
+               chunk.len = ftell(fd);
+               rewind(fd);
+               chunk.ptr = malloc(chunk.len);
+               bytes = fread(chunk.ptr, 1, chunk.len, fd);
+               fclose(fd);
+
+               src = chunk;
+
+               while (fetchline(&src, &line))
+               {
+                       chunk_t ids, token;
+
+                       line_nr++;
+
+                       if (!eat_whitespace(&line))
+                       {
+                               continue;
+                       }
+                       if (!extract_token(&ids, ':', &line))
+                       {
+                               this->logger->log(this->logger, ERROR, "line %d: missing ':' separator", line_nr);
+                               goto error;
+                       }
+                       if (!eat_whitespace(&line) || !extract_token(&token, ' ', &line))
+                       {
+                               this->logger->log(this->logger, ERROR, "line %d: missing token", line_nr);
+                               goto error;
+                       }
+                       if (match("RSA", &token))
+                       {
+                               char path[PATH_BUF];
+                               chunk_t filename;
+
+                               err_t ugh = extract_value(&filename, &line);
+
+                               if (ugh != NULL)
+                               {
+                                       this->logger->log(this->logger, ERROR, "line %d: %s", line_nr, ugh);
+                                       goto error;
+                               }
+                               if (filename.len == 0)
+                               {
+                                       this->logger->log(this->logger, ERROR,
+                                               "line %d: empty filename", line_nr);
+                                       goto error;
+                               }
+                               if (*filename.ptr == '/')
+                               {
+                                       /* absolute path name */
+                                       snprintf(path, sizeof(path), "%.*s", filename.len, filename.ptr);
+                               }
+                               else
+                               {
+                                       /* relative path name */
+                                       snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR, filename.len, filename.ptr);
+                               }
+
+                               rsa_private_key_t *key = rsa_private_key_create_from_file(path, NULL);
+                               if (key)
+                               {
+                                       this->private_keys->insert_last(this->private_keys, (void*)key);
+                               }
+                       }
+                       else if (match("PSK", &token))
+                       {
+
+                       }
+                       else if (match("PIN", &token))
+                       {
+
+                       }
+                       else
+                       {
+                               this->logger->log(this->logger, ERROR,
+                                        "line %d: token must be either RSA, PSK, or PIN",
+                                         line_nr, token.len);
+                               goto error;
+                       }
+               }
+error:
+               free(chunk.ptr);
+       }
+       else
+       {
+               this->logger->log(this->logger, ERROR, "could not open file '%s'", SECRETS_FILE);
+       }
+}
+
+/**
+ * Implementation of local_credential_store_t.destroy.
+ */
+static void destroy(private_local_credential_store_t *this)
+{
+       x509_t *cert;
+       crl_t *crl;
+       rsa_private_key_t *key;
+       
+       /* destroy cert list */
+       while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
+       {
+               cert->destroy(cert);
+       }
+       this->certs->destroy(this->certs);
+
+       /* destroy ca cert list */
+       while (this->ca_certs->remove_last(this->ca_certs, (void**)&cert) == SUCCESS)
+       {
+               cert->destroy(cert);
+       }
+       this->ca_certs->destroy(this->ca_certs);
+
+       /* destroy crl list */
+       pthread_mutex_lock(&(this->crls_mutex));
+       while (this->crls->remove_last(this->crls, (void**)&crl) == SUCCESS)
+       {
+               crl->destroy(crl);
+       }
+       this->crls->destroy(this->crls);
+       pthread_mutex_unlock(&(this->crls_mutex));
+
+    /* destroy private key list */
+       while (this->private_keys->remove_last(this->private_keys, (void**)&key) == SUCCESS)
+       {
+               key->destroy(key);
+       }
+       this->private_keys->destroy(this->private_keys);
+
+       free(this);
+}
+
+/**
+ * Described in header.
+ */
+local_credential_store_t * local_credential_store_create(bool strict)
+{
+       private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t);
+
+       this->public.credential_store.get_shared_secret = (status_t(*)(credential_store_t*,identification_t*,chunk_t*))get_shared_secret;
+       this->public.credential_store.get_rsa_private_key = (rsa_private_key_t*(*)(credential_store_t*,rsa_public_key_t*))get_rsa_private_key;
+       this->public.credential_store.has_rsa_private_key = (bool(*)(credential_store_t*,rsa_public_key_t*))has_rsa_private_key;
+       this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key;
+       this->public.credential_store.add_end_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_end_certificate;
+       this->public.credential_store.add_ca_certificate = (x509_t*(*)(credential_store_t*,x509_t*))add_ca_certificate;
+       this->public.credential_store.log_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_certificates;
+       this->public.credential_store.log_ca_certificates = (void(*)(credential_store_t*,logger_t*,bool))log_ca_certificates;
+       this->public.credential_store.log_crls = (void(*)(credential_store_t*,logger_t*,bool))log_crls;
+       this->public.credential_store.load_ca_certificates = (void(*)(credential_store_t*))load_ca_certificates;
+       this->public.credential_store.load_crls = (void(*)(credential_store_t*))load_crls;
+       this->public.credential_store.load_private_keys = (void(*)(credential_store_t*))load_private_keys;
+       this->public.credential_store.destroy = (void(*)(credential_store_t*))destroy;
+       
+       /* initialize mutexes */
+       pthread_mutex_init(&(this->crls_mutex), NULL);
+
+       /* private variables */
+       this->private_keys = linked_list_create();
+       this->certs = linked_list_create();
+       this->ca_certs = linked_list_create();
+       this->crls = linked_list_create();
+       this->strict = strict;
+       this->logger = logger_manager->get_logger(logger_manager, CONFIG);
+
+       return (&this->public);
+}
diff --git a/src/charon/config/credentials/local_credential_store.h b/src/charon/config/credentials/local_credential_store.h
new file mode 100644 (file)
index 0000000..f27fe0c
--- /dev/null
@@ -0,0 +1,64 @@
+/**
+ * @file local_credential_store.h
+ *
+ * @brief Interface of local_credential_store_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+#ifndef LOCAL_CREDENTIAL_H_
+#define LOCAL_CREDENTIAL_H_
+
+#include <types.h>
+#include <daemon.h>
+#include <config/credentials/credential_store.h>
+
+
+typedef struct local_credential_store_t local_credential_store_t;
+
+/**
+ * @brief A credential_store_t implementation using simple credentail lists.
+ *
+ * The local_credential_store_t class implements the credential_store_t interface
+ * as simple as possible. The credentials are stored in lists, and are loaded from
+ * files on the disk.
+ * Shared secret are not handled yet, so get_shared_secret always returns NOT_FOUND.
+ *
+ * @b Constructors:
+ *  - local_credential_store_create(bool strict)
+ * 
+ * @ingroup config
+ */
+struct local_credential_store_t {
+       
+       /**
+        * Implements credential_store_t interface
+        */
+       credential_store_t credential_store;
+};
+
+/**
+ * @brief Creates a local_credential_store_t instance.
+ *
+ * @param  strict              enforce a strict crl policy
+ * @return                             credential store instance.
+ *
+ * @ingroup config
+ */
+local_credential_store_t *local_credential_store_create(bool strict);
+
+#endif /* LOCAL_CREDENTIAL_H_ */
index 7172662..63edd42 100644 (file)
@@ -177,14 +177,13 @@ static void initialize(private_daemon_t *this, bool strict)
        this->public.send_queue = send_queue_create();
        this->public.connections = (connection_store_t*)local_connection_store_create();
        this->public.policies = (policy_store_t*)local_policy_store_create();
-       this->public.credentials = credential_store_create(strict);
+       this->public.credentials = (credential_store_t*)local_credential_store_create(strict);
 
        /* load keys, ca certificates and crls */
        credentials = this->public.credentials;
-       credentials->load_ca_certificates(credentials, CA_CERTIFICATE_DIR);
-       credentials->load_crls(credentials, CRL_DIR);
-       credentials->load_private_keys(credentials, SECRETS_FILE, PRIVATE_KEY_DIR);
-       
+       credentials->load_ca_certificates(credentials);
+       credentials->load_crls(credentials);
+       credentials->load_private_keys(credentials);
        
        /* start building threads, we are multi-threaded NOW */
        this->public.stroke = stroke_create();
index 737db5a..4f5fbba 100644 (file)
  */
 #define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
 
+
 typedef struct daemon_t daemon_t;
 
 /**
index 9ba4ef3..8f46286 100644 (file)
@@ -33,7 +33,10 @@ void test_connection(protected_tester_t *tester)
 {
        host_t *alice = host_create(AF_INET, "192.168.0.1", 500);
        host_t *bob = host_create(AF_INET, "192.168.0.2", 500);
-       connection_t *connection = connection_create("alice-bob", TRUE, alice, bob, RSA_DIGITAL_SIGNATURE);
+       connection_t *connection = connection_create(
+                       "alice-bob", TRUE, 
+                       CERT_ALWAYS_SEND, CERT_ALWAYS_SEND,
+                       alice, bob, RSA_DIGITAL_SIGNATURE);
        proposal_t *prop1, *prop2, *prop3, *prop4;
        linked_list_t *list;
 
index 6a86edb..47acb24 100755 (executable)
@@ -345,6 +345,7 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg)
        this->logger->log(this->logger, CONTROL|LEVEL1, "  other ca:'%s'", other_ca->get_string(other_ca));
 
        connection = connection_create(msg->add_conn.name, msg->add_conn.ikev2,
+                                                                  msg->add_conn.me.sendcert, msg->add_conn.other.sendcert,
                                                                   my_host, other_host,
                                                                   RSA_DIGITAL_SIGNATURE);
        if (msg->add_conn.algorithms.ike)
@@ -611,11 +612,11 @@ static void stroke_reread(private_stroke_t *this, stroke_msg_t *msg)
 {
        if (msg->reread.flags & REREAD_CACERTS)
        {
-               charon->credentials->load_ca_certificates(charon->credentials, CA_CERTIFICATE_DIR);
+               charon->credentials->load_ca_certificates(charon->credentials);
        }
        if (msg->reread.flags & REREAD_CRLS)
        {
-               charon->credentials->load_crls(charon->credentials, CRL_DIR);
+               charon->credentials->load_crls(charon->credentials);
        }
 }
 
index ed67913..0a1ea08 100644 (file)
@@ -109,19 +109,6 @@ enum status_t {
        CREATED,
 };
 
-
-/**
-  * Certificate sending policy
-  */
-typedef enum certpolicy {
-  CERT_ALWAYS_SEND   = 0,
-  CERT_SEND_IF_ASKED = 1,
-  CERT_NEVER_SEND    = 2,
-
-  CERT_YES_SEND      = 3,      /* synonym for CERT_ALWAYS_SEND */
-  CERT_NO_SEND       = 4       /* synonym for CERT_NEVER_SEND  */
-} certpolicy_t;
-
 /**
  * RFC 2459 CRL reason codes
  */
index 8cce195..c8ec9c7 100644 (file)
@@ -122,7 +122,7 @@ static int add_connection(char *name,
        msg.add_conn.me.subnet_mask = my_netmask;
        msg.add_conn.me.cert = NULL;
        msg.add_conn.me.ca = NULL;
-       msg.add_conn.me.sendcert = CERT_SEND_IF_ASKED;
+       msg.add_conn.me.sendcert = 1;
        
        msg.add_conn.other.id = push_string(&msg, other_id);
        msg.add_conn.other.address = push_string(&msg, other_addr);
@@ -130,7 +130,7 @@ static int add_connection(char *name,
        msg.add_conn.other.subnet_mask = other_netmask;
        msg.add_conn.other.cert = NULL;
        msg.add_conn.other.ca = NULL;
-       msg.add_conn.other.sendcert = CERT_SEND_IF_ASKED;
+       msg.add_conn.other.sendcert = 1;
        
        return send_stroke_msg(&msg);
 }
index 0f2f1d0..bf182eb 100644 (file)
@@ -23,6 +23,8 @@
 #ifndef STROKE_H_
 #define STROKE_H_
 
+#include <sys/types.h>
+
 /**
  * Socket which is used to communicate between charon and stroke
  */
 
 #define STROKE_BUF_LEN         2048
 
+typedef enum list_flag_t list_flag_t;
+
 /**
-  * Definition of the LIST flags
-  */
-#define LIST_NONE              0x0000  /* don't list anything */
-#define LIST_CERTS             0x0001  /* list all host/user certs */
-#define LIST_CACERTS   0x0002  /* list all ca certs */
-#define LIST_CRLS              0x0004  /* list all crls */
-#define LIST_ALL               0x0007  /* all list options */
+ * Definition of the LIST flags, used for
+ * the various stroke list* commands.
+ */
+enum list_flag_t {
+       /** don't list anything */
+       LIST_NONE =     0x0000,
+       /** list all host/user certs */
+       LIST_CERTS =    0x0001,
+       /** list all ca certs */
+       LIST_CACERTS =  0x0002,
+       /** list all crls */
+       LIST_CRLS =             0x0004,
+       /** all list options */
+       LIST_ALL =              0x0007,
+};
+
+typedef enum reread_flag_t reread_flag_t;
 
 /**
-  * Definition of the REREAD flags
-  */
-#define REREAD_NONE            0x0000  /* don't reread anything */
-#define REREAD_CACERTS 0x0001  /* reread all ca certs */
-#define REREAD_CRLS            0x0002  /* reread all crls */
-#define REREAD_ALL             0x0003  /* all reread options */
+ * Definition of the REREAD flags, used for
+ * the various stroke reread* commands.
+ */
+enum reread_flag_t {
+       /** don't reread anything */
+       REREAD_NONE =           0x0000,
+       /** reread all ca certs */
+       REREAD_CACERTS =        0x0001,
+       /** reread all crls */
+       REREAD_CRLS =           0x0002,
+       /** all reread options */
+       REREAD_ALL =            0x0003,
+};
 
 typedef struct stroke_end_t stroke_end_t;
 
+/**
+ * definition of a peer in a stroke message
+ */
 struct stroke_end_t {
        char *id;
        char *cert;
@@ -56,7 +80,7 @@ struct stroke_end_t {
        char *address;
        char *subnet;
        int subnet_mask;
-       certpolicy_t sendcert;
+       int sendcert;
 };
 
 typedef struct stroke_msg_t stroke_msg_t;
@@ -66,7 +90,7 @@ typedef struct stroke_msg_t stroke_msg_t;
  */
 struct stroke_msg_t {
        /* length of this message with all strings */
-       u_int length;
+       u_int16_t length;
 
        /* type of the message */
        enum {
@@ -134,13 +158,13 @@ struct stroke_msg_t {
 
                /* data for STR_LIST */
                struct {
-                       u_int flags;
+                       list_flag_t flags;
                        bool  utc;
                } list;
 
                /* data for STR_REREAD */
                struct {
-                       u_int flags;
+                       reread_flag_t flags;
                } reread;
 
        };