respecting ipsec.conf cachecrls= option
authorMartin Willi <martin@strongswan.org>
Thu, 17 Apr 2008 15:01:57 +0000 (15:01 -0000)
committerMartin Willi <martin@strongswan.org>
Thu, 17 Apr 2008 15:01:57 +0000 (15:01 -0000)
src/charon/daemon.c
src/charon/plugins/stroke/stroke_cred.c
src/charon/plugins/stroke/stroke_cred.h
src/charon/plugins/stroke/stroke_socket.c
src/starter/invokecharon.c
src/starter/ipsec.conf.5
src/starter/starter.c
src/starter/starterstroke.c
src/starter/starterstroke.h
src/stroke/stroke_msg.h

index 1f24483..87f3348 100644 (file)
@@ -456,9 +456,6 @@ static void usage(const char *msg)
        fprintf(stderr, "Usage: charon\n"
                                        "         [--help]\n"
                                        "         [--version]\n"
-                                       "         [--strictcrlpolicy]\n"
-                                       "         [--cachecrls]\n"
-                                       "         [--crlcheckinterval <interval>]\n"
                                        "         [--use-syslog]\n"
                                        "         [--debug-<type> <level>]\n"
                                        "           <type>:  log context type (dmn|mgr|ike|chd|job|cfg|knl|net|enc|lib)\n"
@@ -474,8 +471,6 @@ static void usage(const char *msg)
  */
 int main(int argc, char *argv[])
 {
-       u_int crl_check_interval = 0;
-       bool cache_crls = FALSE;
        bool use_syslog = FALSE;
 
        private_daemon_t *private_charon;
@@ -512,8 +507,6 @@ int main(int argc, char *argv[])
                        { "help", no_argument, NULL, 'h' },
                        { "version", no_argument, NULL, 'v' },
                        { "use-syslog", no_argument, NULL, 'l' },
-                       { "cachecrls", no_argument, NULL, 'C' },
-                       { "crlcheckinterval", required_argument, NULL, 'x' },
                        /* TODO: handle "debug-all" */
                        { "debug-dmn", required_argument, &signal, DBG_DMN },
                        { "debug-mgr", required_argument, &signal, DBG_MGR },
@@ -542,12 +535,6 @@ int main(int argc, char *argv[])
                        case 'l':
                                use_syslog = TRUE;
                                continue;
-                       case 'C':
-                               cache_crls = TRUE;
-                               continue;
-                       case 'x':
-                               crl_check_interval = atoi(optarg);
-                               continue;
                        case 0:
                                /* option is in signal */
                                levels[signal] = atoi(optarg);
index 6ce2f8f..38656b8 100644 (file)
@@ -73,6 +73,11 @@ struct private_stroke_cred_t {
         * mutex to lock lists above
         */
        mutex_t *mutex;
+       
+       /**
+        * cache CRLs to disk?
+        */
+       bool cachecrl;
 };
 
 /**
@@ -527,7 +532,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
  */
 static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 {
-       if (cert->get_type(cert) == CERT_X509_CRL)
+       if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
        {
                /* CRLs get cached to /etc/ipsec.d/crls/authkeyId.der */
                crl_t *crl = (crl_t*)cert;
@@ -561,6 +566,17 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
 }
 
 /**
+ * Implementation of stroke_cred_t.cachecrl.
+ */
+static void cachecrl(private_stroke_cred_t *this, bool enabled)
+{
+       DBG1(DBG_CFG, "crl caching to %s %s",
+                CRL_DIR, enabled ? "enabled" : "disabled");
+       this->cachecrl = enabled;
+}
+
+
+/**
  * Convert a string of characters into a binary secret
  * A string between single or double quotes is treated as ASCII characters
  * A string prepended by 0x is treated as HEX and prepended by 0s as Base64
@@ -912,6 +928,7 @@ stroke_cred_t *stroke_cred_create()
        this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
        this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
        this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
+       this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
        this->public.destroy = (void(*)(stroke_cred_t*))destroy;
        
        this->certs = linked_list_create();
@@ -922,6 +939,8 @@ stroke_cred_t *stroke_cred_create()
        load_certs(this);
        load_secrets(this);
        
+       this->cachecrl = FALSE;
+       
        return &this->public;
 }
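Review bot: In `stroke_cred_create()` the new `this->cachecrl = FALSE;` is assigned only after `load_certs(this)` and `load_secrets(this)` have already run, while `cache_cert()` now reads `this->cachecrl`; if either loader reaches `cache_cert()` (not visible in the hunk) and `this` is not from a zeroing allocator (also not visible), the flag is read before it is initialised and CRLs may or may not be written to `CRL_DIR` depending on stack garbage. Moving the assignment up next to the `this->public.*` initialisers, before the loaders, settles this at no cost: `this->cachecrl = FALSE;` right after `this->public.destroy = ...;`. The same line in the struct hunk, `+	` with only trailing whitespace, can be dropped while you are there.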
 
index cbfed11..1b9ef98 100644 (file)
@@ -63,6 +63,13 @@ struct stroke_cred_t {
        certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
        
        /**
+        * Enable/Disable CRL caching to disk.
+        *
+        * @param enabled               TRUE to enable, FALSE to disable
+        */
+       void (*cachecrl)(stroke_cred_t *this, bool enabled);
+       
+       /**
      * Destroy a stroke_cred instance.
      */
     void (*destroy)(stroke_cred_t *this);
index 9ee5a24..03bc470 100644 (file)
@@ -355,6 +355,13 @@ static void stroke_loglevel(private_stroke_socket_t *this, stroke_msg_t *msg, FI
        charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level);
 }
 
+/**
+ * set various config options
+ */
+static void stroke_config(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+       this->cred->cachecrl(this->cred, msg->config.cachecrl);
+}
 
 /**
  * destroy a job context
@@ -448,6 +455,9 @@ static job_requeue_t process(stroke_job_context_t *ctx)
                case STR_LOGLEVEL:
                        stroke_loglevel(this, msg, out);
                        break;
+               case STR_CONFIG:
+                       stroke_config(this, msg, out);
+                       break;
                case STR_LIST:
                        stroke_list(this, msg, out);
                        break;
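Review bot: `stroke_config()` hands the wire field `msg->config.cachecrl`, declared `int` in stroke_msg.h, straight to a `bool` parameter; since the `bool` typedef's width and conversion rules are not visible here, normalising explicitly, `this->cred->cachecrl(this->cred, msg->config.cachecrl != 0);`, makes the intent clear and independent of that typedef. The header comment "set various config options" should say what is actually applied, e.g. `/* Apply daemon-wide settings carried by a STR_CONFIG message; currently only CRL caching. */`, and note that `out` is accepted for signature parity with the other handlers but left unused, so the caller gets no acknowledgement.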
index d69b2ce..23fc956 100644 (file)
@@ -118,16 +118,6 @@ starter_start_charon (starter_config_t *cfg, bool debug)
     {
        arg[argc++] = "--use-syslog";
     }
-    if (cfg->setup.cachecrls)
-    {
-       arg[argc++] = "--cachecrls";
-    }
-    if (cfg->setup.crlcheckinterval > 0)
-    {
-       snprintf(buffer1, BUF_LEN, "%u", cfg->setup.crlcheckinterval);
-       arg[argc++] = "--crlcheckinterval";
-       arg[argc++] = buffer1;
-    }
 
     {   /* parse debug string */
        char *pos, *level, *buf_pos, type[4];
index db0ab98..335042f 100644 (file)
@@ -885,7 +885,7 @@ The currently-accepted
 names in a
 .B config
 .B setup
-section are:
+section affecting both daemons are:
 .TP 14
 .B cachecrls
 certificate revocation lists (CRLs) fetched via http or ldap will be cached in
@@ -905,11 +905,6 @@ Accepted values are
 or
 .BR no .
 .TP
-.B crlcheckinterval
-interval in seconds. CRL fetching is enabled if the value is greater than zero.
-Asynchronous, periodic checking for fresh CRLs is currently done by the
-IKEv1 Pluto daemon only.
-.TP
 .B dumpdir
 in what directory should things started by \fBipsec starter\fR
 (notably the Pluto and Charon daemons) be allowed to dump core?
@@ -940,11 +935,37 @@ which reverts to
 if at least one CRL URI is defined and to
 .B no
 if no URI is known.
+.TP
+.B uniqueids
+whether a particular participant ID should be kept unique,
+with any new (automatically keyed)
+connection using an ID from a different IP address
+deemed to replace all old ones using that ID;
+acceptable values are
+.B yes
+(the default)
+and
+.BR no .
+Participant IDs normally \fIare\fR unique,
+so a new (automatically-keyed) connection using the same ID is
+almost invariably intended to replace an old one.
+The IKEv2 daemon also accepts the value
+.B replace
+wich is identical to
+.B yes
+and the value
+.B keep
+to reject new IKE_SA setups and keep the duplicate established earlier.
 .PP
 The following
 .B config section
 parameters are used by the IKEv1 Pluto daemon only:
 .TP
+.B crlcheckinterval
+interval in seconds. CRL fetching is enabled if the value is greater than zero.
+Asynchronous, periodic checking for fresh CRLs is currently done by the
+IKEv1 Pluto daemon only.
+.TP
 .B keep_alive
 interval in seconds between NAT keep alive packets, the default being 20 seconds.
 .TP
@@ -1035,27 +1056,6 @@ Default is none.
 .TP
 .B virtual_private
 defines private networks using a wildcard notation.
-.TP
-.B uniqueids
-whether a particular participant ID should be kept unique,
-with any new (automatically keyed)
-connection using an ID from a different IP address
-deemed to replace all old ones using that ID;
-acceptable values are
-.B yes
-(the default)
-and
-.BR no .
-Participant IDs normally \fIare\fR unique,
-so a new (automatically-keyed) connection using the same ID is
-almost invariably intended to replace an old one.
-The IKEv2 daemon also accepts the value
-.B replace
-wich is identical to
-.B yes
-and the value
-.B keep
-to reject new IKE_SA setups and keep the duplicate established earlier.
 .PP
 The following
 .B config section
index af55961..c92b2bc 100644 (file)
@@ -541,6 +541,7 @@ int main (int argc, char **argv)
                    /* schedule next try */
                    alarm(PLUTO_RESTART_DELAY);
                }
+               starter_stroke_configure(cfg);
            }
            _action_ &= ~FLAG_ACTION_START_CHARON;
        }
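Review bot: The return value of the added `starter_stroke_configure(cfg);` is discarded, although the function returns the result of `send_stroke_msg()`; if the stroke socket is not yet accepting connections at this point — the call sits directly after the charon start/retry logic, and whether the daemon is up by then is not visible in the hunk — the `cachecrls=` setting is silently never applied and the daemon keeps its default of not caching. Check the result and log it with the file's existing logging call, `if (starter_stroke_configure(cfg) != 0) { /* log: failed to apply cachecrls setting */ }`, so the mismatch between ipsec.conf and daemon behaviour is at least visible. The enclosing `main()` continues outside the hunk.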
index ddac556..1ee7ddc 100644 (file)
@@ -327,4 +327,17 @@ int starter_stroke_del_ca(starter_ca_t *ca)
        return send_stroke_msg(&msg);
 }
 
+int starter_stroke_configure(starter_config_t *cfg)
+{
+       stroke_msg_t msg;
+    
+       if (cfg->setup.cachecrls)
+       {
+               msg.type = STR_CONFIG;
+               msg.length = offsetof(stroke_msg_t, buffer);
+               msg.config.cachecrl = 1;
+               return send_stroke_msg(&msg);
+       }
+       return 0;
+}
 
index 8d45141..5591d1c 100644 (file)
@@ -25,5 +25,6 @@ extern int starter_stroke_route_conn(starter_conn_t *conn);
 extern int starter_stroke_initiate_conn(starter_conn_t *conn);
 extern int starter_stroke_add_ca(starter_ca_t *ca);
 extern int starter_stroke_del_ca(starter_ca_t *ca);
+extern int starter_stroke_configure(starter_config_t *cfg);
 
 #endif /* _STARTER_STROKE_H_ */
index 068f063..12df245 100644 (file)
@@ -169,6 +169,8 @@ struct stroke_msg_t {
                STR_DEL_CA,
                /* set a log type to log/not log */
                STR_LOGLEVEL,
+               /* configure global options for stroke */
+               STR_CONFIG,
                /* list various objects */
                STR_LIST,
                /* reread various objects */
@@ -238,6 +240,11 @@ struct stroke_msg_t {
                        char *type;
                        int level;
                } loglevel;
+               
+               /* data for STR_CONFIG */
+               struct {
+                       int cachecrl;
+               } config;
 
                /* data for STR_LIST */
                struct {
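Review bot: Inserting `STR_CONFIG` before `STR_LIST` in the message-type enum shifts the numeric values of `STR_LIST`, `STR_REREAD` and every type after them, and these values cross a socket between the stroke/starter side and the daemon; unless both ends are guaranteed to be built from the same tree (nothing in the hunk checks a protocol version), an older `stroke` binary talking to the new daemon would have its list/reread requests dispatched as the wrong command. Appending new types at the end of the enum avoids the shift, and a comment on the enum, `/* values are wire-visible: append new types, never insert */`, keeps the next change from repeating it. The `config` struct carrying `int cachecrl` is fine as a wire type, but a one-line comment `/* non-zero enables CRL caching to disk */` would document the expected range.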