Whether relations in validated certificate chains should be cached in
memory.
+charon.cache_crls = no
+ Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+ be saved under a unique file name derived from the public key of the
+ Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+ **/etc/swanctl/x509crl** (vici), respectively.
+
charon.cisco_unity = no
Send Cisco Unity vendor ID payload (IKEv1 only).
}
}
-METHOD(stroke_cred_t, cache_cert, void,
+METHOD(credential_set_t, cache_cert, void,
private_stroke_cred_t *this, certificate_t *cert)
{
if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
.ca = ca,
);
+ if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+ {
+ cachecrl(this, TRUE);
+ }
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
/*
* Copyright (C) 2011-2013 Tobias Brunner
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
-I$(top_srcdir)/src/libcharon \
+ -DSWANCTLDIR=\""${swanctldir}\"" \
-DIPSEC_PIDDIR=\"${piddir}\"
AM_CFLAGS = \
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
#include <credentials/certificates/crl.h>
#include <credentials/certificates/x509.h>
+#include <errno.h>
+
typedef struct private_vici_cred_t private_vici_cred_t;
+/**
+ * Directory for saved X.509 CRLs
+ */
+#define CRL_DIR SWANCTLDIR "/x509crl"
+
/**
* Private data of an vici_cred_t object.
*/
* credentials
*/
mem_cred_t *creds;
+
+ /**
+ * cache CRLs to disk?
+ */
+ bool cachecrl;
+
};
+METHOD(credential_set_t, cache_cert, void,
+ private_vici_cred_t *this, certificate_t *cert)
+{
+ if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
+ {
+ /* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
+ crl_t *crl = (crl_t*)cert;
+
+ cert->get_ref(cert);
+ if (this->creds->add_crl(this->creds, crl))
+ {
+ char buf[BUF_LEN];
+ chunk_t chunk, hex;
+
+ chunk = crl->get_authKeyIdentifier(crl);
+ hex = chunk_to_hex(chunk, NULL, FALSE);
+ snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
+ free(hex.ptr);
+
+ if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+ {
+ if (chunk_write(chunk, buf, 022, TRUE))
+ {
+ DBG1(DBG_CFG, " written crl file '%s' (%d bytes)",
+ buf, chunk.len);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " writing crl file '%s' failed: %s",
+ buf, strerror(errno));
+ }
+ free(chunk.ptr);
+ }
+ }
+ }
+}
+
/**
* Create a (error) reply message
*/
INIT(this,
.public = {
+ .set = {
+ .create_private_enumerator = (void*)return_null,
+ .create_cert_enumerator = (void*)return_null,
+ .create_shared_enumerator = (void*)return_null,
+ .create_cdp_enumerator = (void*)return_null,
+ .cache_cert = (void*)_cache_cert,
+ },
.add_cert = _add_cert,
.destroy = _destroy,
},
.creds = mem_cred_create(),
);
+ if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+ {
+ this->cachecrl = TRUE;
+ DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
+ }
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
manage_commands(this, TRUE);
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
#include "vici_dispatcher.h"
+#include <credentials/credential_set.h>
+
typedef struct vici_cred_t vici_cred_t;
/**
*/
struct vici_cred_t {
+ /**
+ * Implements credential_set_t
+ */
+ credential_set_t set;
+
/**
* Add a certificate to the certificate store
*
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
this->cred = vici_cred_create(this->dispatcher);
this->authority = vici_authority_create(this->dispatcher,
this->cred);
+ lib->credmgr->add_set(lib->credmgr, &this->cred->set);
lib->credmgr->add_set(lib->credmgr, &this->authority->set);
this->config = vici_config_create(this->dispatcher, this->authority,
this->cred);
this->logger->destroy(this->logger);
this->attrs->destroy(this->attrs);
this->config->destroy(this->config);
+ lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
lib->credmgr->remove_set(lib->credmgr, &this->authority->set);
this->authority->destroy(this->authority);
this->cred->destroy(this->cred);
config setup
strictcrlpolicy=yes
- cachecrls=yes
conn %default
ikelifetime=60m
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+ cache_crls = yes
}
config setup
strictcrlpolicy=yes
- cachecrls=yes
conn %default
ikelifetime=60m
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+ cache_crls = yes
}
--- /dev/null
+By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
+via http from the web server <b>winnetou</b> is saved locally in the
+directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
+and the gateway <b>moon</b> when the IPsec connection is set up. The
+<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
+is used as a unique filename for the cached CRL.
--- /dev/null
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+
+ cache_crls = yes
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+ }
+ }
+ version = 2
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+
+ cache_crls = yes
+}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+ }
+ }
+ version = 2
+ }
+}
--- /dev/null
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*
--- /dev/null
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1