Added strongswan.conf and runtime option to enable/disable whitelist plugin
authorMartin Willi <martin@revosec.ch>
Thu, 17 Mar 2011 16:15:16 +0000 (17:15 +0100)
committerMartin Willi <martin@revosec.ch>
Thu, 17 Mar 2011 16:15:16 +0000 (17:15 +0100)
src/libcharon/plugins/whitelist/whitelist.c
src/libcharon/plugins/whitelist/whitelist_control.c
src/libcharon/plugins/whitelist/whitelist_listener.c
src/libcharon/plugins/whitelist/whitelist_listener.h
src/libcharon/plugins/whitelist/whitelist_msg.h

index 34f4ef7..5f511f2 100644 (file)
@@ -169,6 +169,14 @@ int main(int argc, char *argv[])
        {
                return send_msg(WHITELIST_LIST, argc == 3 ? argv[2] : "%any");
        }
+       if (argc == 2 && strcmp(argv[1], "enable") == 0)
+       {
+               return send_msg(WHITELIST_ENABLE, "");
+       }
+       if (argc == 2 && strcmp(argv[1], "disable") == 0)
+       {
+               return send_msg(WHITELIST_DISABLE, "");
+       }
        fprintf(stderr, "Usage:\n");
        fprintf(stderr, "  %s add <identity>\n", argv[0]);
        fprintf(stderr, "  %s remove <identity>\n", argv[0]);
@@ -176,5 +184,7 @@ int main(int argc, char *argv[])
        fprintf(stderr, "  %s remove-from <file>\n", argv[0]);
        fprintf(stderr, "  %s flush [<pattern>]\n", argv[0]);
        fprintf(stderr, "  %s list [<pattern>]\n", argv[0]);
+       fprintf(stderr, "  %s enable\n", argv[0]);
+       fprintf(stderr, "  %s disable\n", argv[0]);
        return 1;
 }
index 0533565..4a1fc5d 100644 (file)
@@ -138,6 +138,12 @@ static void dispatch(private_whitelist_control_t *this,
                case WHITELIST_FLUSH:
                        this->listener->flush(this->listener, id);
                        break;
+               case WHITELIST_ENABLE:
+                       this->listener->set_active(this->listener, TRUE);
+                       break;
+               case WHITELIST_DISABLE:
+                       this->listener->set_active(this->listener, FALSE);
+                       break;
                default:
                        DBG1(DBG_CFG, "received unknown whitelist command");
                        break;
index 66e9d80..a25e905 100644 (file)
@@ -40,6 +40,11 @@ struct private_whitelist_listener_t {
         * Hashtable with whitelisted identities
         */
        hashtable_t *ids;
+
+       /**
+        * Whitelist checking enabled
+        */
+       bool enabled;
 };
 
 /**
@@ -63,7 +68,7 @@ METHOD(listener_t, authorize, bool,
        bool final, bool *success)
 {
        /* check each authentication round */
-       if (!final)
+       if (this->enabled && !final)
        {
                bool whitelisted = FALSE;
                identification_t *id;
@@ -153,6 +158,13 @@ METHOD(whitelist_listener_t, flush, void,
        this->lock->unlock(this->lock);
 }
 
+METHOD(whitelist_listener_t, set_active, void,
+       private_whitelist_listener_t *this, bool enable)
+{
+       DBG1(DBG_CFG, "whitelist functionality %sabled", enable ? "en" : "dis");
+       this->enabled = enable;
+}
+
 METHOD(whitelist_listener_t, destroy, void,
        private_whitelist_listener_t *this)
 {
@@ -186,11 +198,14 @@ whitelist_listener_t *whitelist_listener_create()
                        .remove = _remove_,
                        .create_enumerator = _create_enumerator,
                        .flush = _flush,
+                       .set_active = _set_active,
                        .destroy = _destroy,
                },
                .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
                .ids = hashtable_create((hashtable_hash_t)hash,
                                                                (hashtable_equals_t)equals, 32),
+               .enabled = lib->settings->get_bool(lib->settings,
+                                                               "charon.plugins.whitelist.enabled", TRUE),
        );
 
        return &this->public;
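Review bot: `this->enabled` is stored in set_active (the assignment after the DBG1 line) and read in authorize (the `this->enabled && !final` test) without taking `this->lock`, the rwlock this struct's other state is guarded with (flush's unlock and the `rwlock_create` in the constructor are visible in these hunks), so a control-socket toggle racing an IKE authorization round is a data race on a plain bool. Wrapping the store, `this->lock->write_lock(this->lock); this->enabled = enable; this->lock->unlock(this->lock);`, and reading the flag in authorize under the read lock it presumably already takes for the `ids` walk, would close that; authorize and whitelist_listener_create both continue outside their hunks. Because a disabled whitelist makes authorize skip the whitelist check for every authentication round, the DBG1 `whitelist functionality %sabled` message is arguably worth a louder log level so the state change is visible in default logs. The new `charon.plugins.whitelist.enabled` setting is not documented anywhere in this commit (the file list contains no strongswan.conf man page change).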
index ed76d5f..ac94752 100644 (file)
@@ -67,6 +67,13 @@ struct whitelist_listener_t {
        void (*flush)(whitelist_listener_t *this, identification_t *id);
 
        /**
+        * Enable/Disable whitelist checking.
+        *
+        * @param enable        TRUE to enable, FALSE to disable
+        */
+       void (*set_active)(whitelist_listener_t *this, bool enable);
+
+       /**
         * Destroy a whitelist_listener_t.
         */
        void (*destroy)(whitelist_listener_t *this);
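Review bot: The doc comment on set_active describes the parameter but not the consequence of the disabled state, which matters for anyone wiring this into an authorization policy: in the listener, a disabled whitelist makes authorize skip the whitelist check for the authentication round altogether. Suggest extending the comment with `* While disabled, authorize() does not consult the whitelist at all.` and a line noting that the initial value is read from the `charon.plugins.whitelist.enabled` setting (default TRUE), so the runtime toggle and the strongswan.conf option are documented together.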
index 18b140f..91823b0 100644 (file)
@@ -39,6 +39,10 @@ enum {
        WHITELIST_END = 4,
        /* flush identities matching id */
        WHITELIST_FLUSH = 5,
+       /* enable whitelist checking */
+       WHITELIST_ENABLE = 6,
+       /* disable whitelist checking */
+       WHITELIST_DISABLE = 7,
 };
 
 /**