fprintf(stderr, "Usage: charon\n"
" [--help]\n"
" [--version]\n"
- " [--strictcrlpolicy]\n"
- " [--cachecrls]\n"
- " [--crlcheckinterval <interval>]\n"
" [--use-syslog]\n"
" [--debug-<type> <level>]\n"
" <type>: log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
*/
int main(int argc, char *argv[])
{
- u_int crl_check_interval = 0;
- bool cache_crls = FALSE;
bool use_syslog = FALSE;
private_daemon_t *private_charon;
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "use-syslog", no_argument, NULL, 'l' },
- { "cachecrls", no_argument, NULL, 'C' },
- { "crlcheckinterval", required_argument, NULL, 'x' },
/* TODO: handle "debug-all" */
{ "debug-dmn", required_argument, &signal, DBG_DMN },
{ "debug-mgr", required_argument, &signal, DBG_MGR },
case 'l':
use_syslog = TRUE;
continue;
- case 'C':
- cache_crls = TRUE;
- continue;
- case 'x':
- crl_check_interval = atoi(optarg);
- continue;
case 0:
/* option is in signal */
levels[signal] = atoi(optarg);
* mutex to lock lists above
*/
mutex_t *mutex;
+
+ /**
+ * cache CRLs to disk?
+ */
+ bool cachecrl;
};
/**
*/
static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
{
- if (cert->get_type(cert) == CERT_X509_CRL)
+ if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
{
/* CRLs get cached to /etc/ipsec.d/crls/authkeyId.der */
crl_t *crl = (crl_t*)cert;
}
/**
+ * Implementation of stroke_cred_t.cachecrl.
+ */
+static void cachecrl(private_stroke_cred_t *this, bool enabled)
+{
+ DBG1(DBG_CFG, "crl caching to %s %s",
+ CRL_DIR, enabled ? "enabled" : "disabled");
+ this->cachecrl = enabled;
+}
+
+
+/**
* Convert a string of characters into a binary secret
* A string between single or double quotes is treated as ASCII characters
* A string prepended by 0x is treated as HEX and prepended by 0s as Base64
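Review bot: `cachecrl()` writes `this->cachecrl` without taking `this->mutex`, while `cache_cert()` reads the same flag on what is presumably an IKE worker thread; the struct comment says the mutex only guards the lists, so the new flag is unsynchronized shared state. For a single int/bool toggle this is benign in practice, but the intent should be recorded: add `/* plain flag, deliberately not guarded by mutex; a stale read only delays caching by one CRL */` above the assignment, or take the mutex around it for consistency with the list accessors.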
this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
+ this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
this->public.destroy = (void(*)(stroke_cred_t*))destroy;
this->certs = linked_list_create();
load_certs(this);
load_secrets(this);
+ this->cachecrl = FALSE;
+
return &this->public;
}
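Review bot: `this->cachecrl = FALSE;` is assigned only after `load_certs(this)` and `load_secrets(this)` have already run; the allocation of `this` is outside this hunk, so I cannot tell whether the struct is zeroed, and if either loader reaches `cache_cert()` the flag is read before it is initialized. Initialize it together with the other fields, next to `this->certs = linked_list_create();`, and drop the late assignment so the object is fully set up before any loading happens.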
certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
/**
+ * Enable/Disable CRL caching to disk.
+ *
+ * @param enabled TRUE to enable, FALSE to disable
+ */
+ void (*cachecrl)(stroke_cred_t *this, bool enabled);
+
+ /**
* Destroy a stroke_cred instance.
*/
void (*destroy)(stroke_cred_t *this);
charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
}
+/**
+ * set various config options
+ */
+static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ this->cred->cachecrl(this->cred, msg->config.cachecrl);
+}
/**
* destroy a job context
case STR_LOGLEVEL:
stroke_loglevel(this, msg, out);
break;
+ case STR_CONFIG:
+ stroke_config(this, msg, out);
+ break;
case STR_LIST:
stroke_list(this, msg, out);
break;
{
arg[argc++] = "--use-syslog";
}
- if (cfg->setup.cachecrls)
- {
- arg[argc++] = "--cachecrls";
- }
- if (cfg->setup.crlcheckinterval > 0)
- {
- snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
- arg[argc++] = "--crlcheckinterval";
- arg[argc++] = buffer1;
- }
{ /* parse debug string */
char *pos, *level, *buf_pos, type[4];
names in a
.B config
.B setup
-section are:
+section affecting both daemons are:
.TP 14
.B cachecrls
certificate revocation lists (CRLs) fetched via http or ldap will be cached in
or
.BR no .
.TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
.B dumpdir
in what directory should things started by \fBipsec starter\fR
(notably the Pluto and Charon daemons) be allowed to dump core?
if at least one CRL URI is defined and to
.B no
if no URI is known.
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
.PP
The following
.B config section
parameters are used by the IKEv1 Pluto daemon only:
.TP
+.B crlcheckinterval
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
.B keep_alive
interval in seconds between NAT keep alive packets, the default being 20 seconds.
.TP
.TP
.B virtual_private
defines private networks using a wildcard notation.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
.PP
The following
.B config section
/* schedule next try */
alarm(PLUTO_RESTART_DELAY);
}
+ starter_stroke_configure(cfg);
}
_action_ &= ~FLAG_ACTION_START_CHARON;
}
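Review bot: The added `starter_stroke_configure(cfg);` runs regardless of whether `starter_start_charon()` succeeded: when it returns non-zero the restart is merely scheduled via `alarm(PLUTO_RESTART_DELAY)`, yet the stroke message is still sent to a daemon that did not come up, which can only fail or, if an old instance is still answering, configure the wrong daemon. Move the call into the success path, e.g. `else { starter_stroke_configure(cfg); }` on the same `if`. It is also only reached from the START_CHARON action, so a later config reload that changes `cachecrls` without restarting charon presumably never propagates the new value; if that is intended it deserves a comment, otherwise the reload path should call it too. The enclosing function starts and ends outside this hunk.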
return send_stroke_msg(&msg);
}
+int starter_stroke_configure(starter_config_t *cfg)
+{
+ stroke_msg_t msg;
+
+ if (cfg->setup.cachecrls)
+ {
+ msg.type = STR_CONFIG;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.config.cachecrl = 1;
+ return send_stroke_msg(&msg);
+ }
+ return 0;
+}
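Review bot: `starter_stroke_configure()` only sends STR_CONFIG when `cfg->setup.cachecrls` is set, so once caching has been enabled there is no way to turn it off again through this path even though the daemon-side setter added in this commit accepts FALSE. The `stroke_msg_t msg` local is also never zeroed, and `msg.length = offsetof(stroke_msg_t, buffer)` covers the whole message union, so whatever stack bytes follow `config` are written to the stroke socket — harmless on a local root-only socket, but easy to avoid and inconsistent with a clean wire message. I would clear the message and send the current value unconditionally (memset needs `<string.h>`, which I cannot see in this hunk).
```c
int starter_stroke_configure(starter_config_t *cfg)
{
	stroke_msg_t msg;

	/* always send the current value so "cachecrls=no" also reaches charon */
	memset(&msg, 0, sizeof(msg));
	msg.type = STR_CONFIG;
	msg.length = offsetof(stroke_msg_t, buffer);
	msg.config.cachecrl = cfg->setup.cachecrls ? 1 : 0;
	return send_stroke_msg(&msg);
}
```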
extern int starter_stroke_initiate_conn(starter_conn_t *conn);
extern int starter_stroke_add_ca(starter_ca_t *ca);
extern int starter_stroke_del_ca(starter_ca_t *ca);
+extern int starter_stroke_configure(starter_config_t *cfg);
#endif /* _STARTER_STROKE_H_ */
STR_DEL_CA,
/* set a log type to log/not log */
STR_LOGLEVEL,
+ /* configure global options for stroke */
+ STR_CONFIG,
/* list various objects */
STR_LIST,
/* reread various objects */
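Review bot: `STR_CONFIG` is inserted before `STR_LIST`, which renumbers every following message type; this enum is the wire format exchanged between the stroke/starter side and charon over the socket, so a client and daemon built from different revisions will misinterpret each other's messages. If both are always shipped together this is acceptable, but it should be stated with a comment such as `/* inserting here changes the stroke wire format; keep starter and charon in sync */`; otherwise append the new value at the end of the enum to keep existing values stable.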
char *type;
int level;
} loglevel;
+
+ /* data for STR_CONFIG */
+ struct {
+ int cachecrl;
+ } config;
/* data for STR_LIST */
struct {