swanctl: Change syntax of secrets to accept identities with special chars
authorMartin Willi <martin@revosec.ch>
Fri, 25 Apr 2014 09:22:45 +0000 (11:22 +0200)
committerMartin Willi <martin@revosec.ch>
Wed, 7 May 2014 13:48:16 +0000 (15:48 +0200)
Having identity strings in the settings key is problematic, as the parser can't
handle arbitrary characters in it. Further, the space separation makes it
impossible to define identities with spaces.

The new format uses key prefixes, similar to those used in local/remote auth
sections of connections. The secrets section takes subsections with type
prefixes, and each subsection uses "id" prefixes to define an arbitrary
number of identities.

src/swanctl/commands/load_creds.c
src/swanctl/swanctl.conf

index 52cdfb9cafbc8dc5adc65d7b457d37c8f3f40b6e..94d31f49f009b918d5cbf881d688ddbade700a82 100644 (file)
@@ -273,30 +273,44 @@ static void load_keys(vici_conn_t *conn, bool raw, bool noprompt,
 }
 
 /**
- * Load a single secret for ids over VICI
+ * Load a single secret over VICI
  */
-static bool load_secret(vici_conn_t *conn, char *type, char *owners,
-                                               char *value, bool raw)
+static bool load_secret(vici_conn_t *conn, settings_t *cfg,
+                                               char *section, bool raw)
 {
        enumerator_t *enumerator;
        vici_req_t *req;
        vici_res_t *res;
        chunk_t data;
-       char *owner;
+       char *key, *value, buf[128], *type = NULL;
        bool ret = TRUE;
+       int i;
+       char *types[] = {
+               "eap",
+               "xauth",
+               "ike",
+       };
 
-       req = vici_begin("load-shared");
-
-       vici_add_key_valuef(req, "type", "%s", type);
-       vici_begin_list(req, "owners");
-       enumerator = enumerator_create_token(owners, " ", " ");
-       while (enumerator->enumerate(enumerator, &owner))
+       for (i = 0; i < countof(types); i++)
+       {
+               if (strpfx(section, types[i]))
+               {
+                       type = types[i];
+                       break;
+               }
+       }
+       if (!type)
        {
-               vici_add_list_itemf(req, "%s", owner);
+               fprintf(stderr, "ignoring unsupported secret '%s'\n", section);
+               return FALSE;
        }
-       enumerator->destroy(enumerator);
-       vici_end_list(req);
 
+       value = cfg->get_str(cfg, "secrets.%s.secret", NULL, section);
+       if (!value)
+       {
+               fprintf(stderr, "missing secret in '%s', ignored\n", section);
+               return FALSE;
+       }
        if (strcasepfx(value, "0x"))
        {
                data = chunk_from_hex(chunk_from_str(value + 2), NULL);
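Review bot: The `types` table added at the top of load_secret is a mutable, non-const automatic array of string literals that is rebuilt on every call, and the loop index `i` is an `int` compared against `countof(types)`, which (if countof is the usual sizeof ratio) is a size_t and will draw a sign-compare warning. Declaring it `static const char *const types[] = { "eap", "xauth", "ike" };` with `const char *type = NULL;` and `size_t i` in the `for` keeps the table read-only and the comparison unsigned without changing behaviour. The prefix test also means a section named e.g. `ikeys` selects type `ike`; if that is not intended, the match could require a `-` after the prefix, but the sample config suggests the bare-prefix form is deliberate. The function continues past this hunk.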
@@ -309,9 +323,26 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners,
        {
                data = chunk_clone(chunk_from_str(value));
        }
+
+       req = vici_begin("load-shared");
+
+       vici_add_key_valuef(req, "type", "%s", type);
        vici_add_key_value(req, "data", data.ptr, data.len);
        chunk_clear(&data);
 
+       vici_begin_list(req, "owners");
+       snprintf(buf, sizeof(buf), "secrets.%s", section);
+       enumerator = cfg->create_key_value_enumerator(cfg, buf);
+       while (enumerator->enumerate(enumerator, &key, &value))
+       {
+               if (strpfx(key, "id"))
+               {
+                       vici_add_list_itemf(req, "%s", value);
+               }
+       }
+       enumerator->destroy(enumerator);
+       vici_end_list(req);
+
        res = vici_submit(req, conn);
        if (!res)
        {
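Review bot: The `snprintf(buf, sizeof(buf), "secrets.%s", section)` that builds the key path for the owners enumeration is unchecked, so a section name longer than about 119 characters is silently truncated and the enumerator walks a different (normally empty) path, leaving the secret submitted with an empty owners list, even though the earlier `cfg->get_str` lookup for the same section used a format string and succeeded. Since `req` has already been started by then, the check is easiest to place before `vici_begin`, where a truncated name can still be rejected cleanly. It is not visible on this page whether the VICI backend accepts a shared secret with no owners at all; a warning when no `id`-prefixed key was found would make the misconfiguration visible either way.
```c
	/* … unchanged: data built from value (hex or string) … */
	if (snprintf(buf, sizeof(buf), "secrets.%s", section) >= (int)sizeof(buf))
	{
		fprintf(stderr, "section name '%s' too long, ignored\n", section);
		chunk_clear(&data);
		return FALSE;
	}

	req = vici_begin("load-shared");
	/* … unchanged: type and data added, owners enumerated over buf … */
```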
@@ -330,37 +361,12 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners,
        }
        else
        {
-               printf("loaded %s secret for: ", type);
-               enumerator = enumerator_create_token(owners, " ", " ");
-               while (enumerator->enumerate(enumerator, &owner))
-               {
-                       printf("'%s' ", owner);
-               }
-               enumerator->destroy(enumerator);
-               printf("\n");
+               printf("loaded %s secret '%s'\n", type, section);
        }
        vici_free_res(res);
        return ret;
 }
 
-/**
- * Load secrets from settings section
- */
-static void load_secrets(vici_conn_t *conn, settings_t *cfg,
-                                                char *section, bool raw)
-{
-       enumerator_t *enumerator;
-       char buf[64], *key, *value;
-
-       snprintf(buf, sizeof(buf), "secrets.%s", section);
-       enumerator = cfg->create_key_value_enumerator(cfg, buf);
-       while (enumerator->enumerate(enumerator, &key, &value))
-       {
-               load_secret(conn, section, key, value, raw);
-       }
-       enumerator->destroy(enumerator);
-}
-
 /**
  * Clear all currently loaded credentials
  */
@@ -440,7 +446,7 @@ static int load_creds(vici_conn_t *conn)
        enumerator = cfg->create_section_enumerator(cfg, "secrets");
        while (enumerator->enumerate(enumerator, &section))
        {
-               load_secrets(conn, cfg, section, raw);
+               load_secret(conn, cfg, section, raw);
        }
        enumerator->destroy(enumerator);
 
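Review bot: The call `load_secret(conn, cfg, section, raw);` discards the bool result, and the rewritten load_secret now returns FALSE for sections with an unsupported type prefix or no `secret` key, so a misconfigured section is reported on stderr but does not affect the outcome of load_creds. The old `load_secrets` returned void, so this is not a regression, but if load_creds is expected to signal a failed load to its caller the loop should fold the status in, e.g. `if (!load_secret(conn, cfg, section, raw)) { /* record failure */ }`. load_creds begins and ends outside this hunk, so its return convention cannot be confirmed here.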
index 7580740b1a2815282456cf35a050f7505f129cde..f43d1d49b9de3799866822f0b1602e20531eafcb 100644 (file)
@@ -113,10 +113,13 @@ connections {
 }
 
 secrets {
-       eap {
-#              tester = testpassword
-       }
-       ike {
-#              sun.strongswan.org = 0x12345678901234
-       }
+#      eap-tester {
+#              id = tester
+#              secret = test
+#      }
+#      ike-moon {
+#              id-local = sun.strongswan.org
+#              id-remote = mon.strongswan.org
+#              secret = 0x12345678901234
+#      }
 }
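Review bot: The sample `ike-moon` section sets `id-remote = mon.strongswan.org`, which looks like a typo for `moon.strongswan.org` given the section name and the `sun.strongswan.org` local identity; since this file is what users copy from, the example should read `#              id-remote = moon.strongswan.org`. A one-line comment above the block noting that any key beginning with `id` is taken as an identity and that `secret` may be a `0x` hex string would also document the format the new parser actually implements.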