From: Andreas Steffen Date: Tue, 9 Aug 2022 05:38:06 +0000 (+0200) Subject: pki: Additional pki.scep options for strongswan.conf X-Git-Tag: 5.9.8dr1~2^2~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=122796df27799b4d29e60be9ae8eb885ecc587ff;p=thirdparty%2Fstrongswan.git pki: Additional pki.scep options for strongswan.conf --- diff --git a/conf/options/pki.opt b/conf/options/pki.opt index d6d160fa06..2cbea779c0 100644 --- a/conf/options/pki.opt +++ b/conf/options/pki.opt @@ -1,6 +1,12 @@ pki.load = Plugins to load in the pki tool. +pki.scep.http_bind + Source IP address to bind for HTTP operations. + +pki.scep.http_timeout = 30s + Timeout for HTTP operations. + pki.scep.renewal_via_pkcs_req = no Some SCEP servers (e.g. openxpki) are incorrectly doing certificate renewal via messageType PKCSReq (19) instead of RenewalReq (17). diff --git a/src/pki/commands/scep.c b/src/pki/commands/scep.c index 5815cf23a5..37f5a94828 100644 --- a/src/pki/commands/scep.c +++ b/src/pki/commands/scep.c @@ -76,11 +76,7 @@ static int scep() linked_list_t *san; enumerator_t *enumerator; int status = 1; - bool ok, stored = FALSE; - - scep_http_params_t http_params = { - .get_request = FALSE, .timeout = 30, .bind = NULL - }; + bool ok, http_post = FALSE, stored = FALSE; bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, lib->ns); @@ -273,7 +269,7 @@ static int scep() public = private->get_public_key(private); /* Request capabilities from SCEP server */ - if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CAPS, &http_params, + if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CAPS, FALSE, &scep_response)) { DBG1(DBG_APP, "did not receive a valid scep response"); 
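Review bot: The bare `FALSE` now passed as the new boolean argument of the GetCACaps call gives no hint that the value is irrelevant here: in scep.c, SCEP_GET_CA_CERT and SCEP_GET_CA_CAPS share a case that always fetches without request data (a plain GET) and never reads the flag. A call-site comment would spare the next reader a trip into scep_http_request(), e.g. `/* GetCACaps is always an HTTP GET, the POST flag is ignored */`. scep() starts before this hunk and continues after it.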
@@ -338,10 +334,9 @@ static int scep() if ((caps_flags & SCEP_CAPS_POSTPKIOPERATION) || (caps_flags & SCEP_CAPS_SCEPSTANDARD)) { - http_params.get_request = FALSE; + http_post = TRUE; } - DBG2(DBG_APP, "HTTP POST %ssupported", - http_params.get_request ? "not " : ""); + DBG2(DBG_APP, "HTTP POST %ssupported", http_post ? "" : "not "); scheme = get_signature_scheme(private, digest_alg, pss); if (!scheme) @@ -467,7 +462,7 @@ static int scep() goto end; } - if (!scep_http_request(url, pkcs7_req, SCEP_PKI_OPERATION, &http_params, + if (!scep_http_request(url, pkcs7_req, SCEP_PKI_OPERATION, http_post, &scep_response)) { DBG1(DBG_APP, "did not receive a valid SCEP response"); @@ -526,8 +521,8 @@ static int scep() DBG1(DBG_APP, "failed to build SCEP certPoll request"); goto end; } - if (!scep_http_request(url, certPoll, SCEP_PKI_OPERATION, - &http_params, &scep_response)) + if (!scep_http_request(url, certPoll, SCEP_PKI_OPERATION, http_post, + &scep_response)) { DBG1(DBG_APP, "did not receive a valid SCEP response"); goto end; diff --git a/src/pki/commands/scepca.c b/src/pki/commands/scepca.c index a443155f37..24271f78bc 100644 --- a/src/pki/commands/scepca.c +++ b/src/pki/commands/scepca.c @@ -248,10 +248,6 @@ static int scepca() int cert_type_count[] = { 0, 0, 0 }; - scep_http_params_t http_params = { - .get_request = TRUE, .timeout = 30, .bind = NULL - }; - while (TRUE) { switch (command_getopt(&arg)) @@ -289,7 +285,7 @@ static int scepca() return command_usage("--url is required"); } - if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CERT, &http_params, + if (!scep_http_request(url, chunk_empty, SCEP_GET_CA_CERT, FALSE, &scep_response)) { DBG1(DBG_APP, "did not receive a valid scep response"); diff --git a/src/pki/scep/scep.c b/src/pki/scep/scep.c index 7d6fafa10d..eaa5b53233 100644 --- a/src/pki/scep/scep.c +++ b/src/pki/scep/scep.c 
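Review bot: Replacing the removed `.get_request = TRUE` initialiser with a literal `FALSE` in the GetCACert call reads like an inversion, although both mean "use GET", and for SCEP_GET_CA_CERT the flag is never consulted by scep_http_request(), which always issues a GET for that operation. Saying so at the call site, e.g. `/* GetCACert is always an HTTP GET; the POST flag is ignored for this operation */`, keeps someone from "fixing" it to TRUE later. scepca() starts before this hunk and continues after it.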
@@ -334,7 +334,7 @@ static char* escape_http_request(chunk_t req) * Send a SCEP request via HTTP and wait for a response */ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, - scep_http_params_t *http_params, chunk_t *response) + bool http_post, chunk_t *response) { int len; status_t status; @@ -342,21 +342,42 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, const char *operation; host_t *srcip = NULL; - /* initialize response */ - *response = chunk_empty; + uint32_t http_timeout = lib->settings->get_time(lib->settings, + "%s.scep.http_timeout", 30, lib->ns); - if (http_params->bind) + char *http_bind = lib->settings->get_str(lib->settings, + "%s.scep.http_bind", NULL, lib->ns); + + if (http_bind) { - srcip = host_create_from_string(http_params->bind, 0); + srcip = host_create_from_string(http_bind, 0); } DBG2(DBG_APP, "sending scep request to '%s'", url); + /* initialize response */ + *response = chunk_empty; + operation = operations[op]; switch (op) { case SCEP_PKI_OPERATION: default: - if (http_params->get_request) + if (http_post) + { + /* form complete url */ + len = strlen(url) + 11 + strlen(operation) + 1; + complete_url = malloc(len); + snprintf(complete_url, len, "%s?operation=%s", url, operation); + + status = lib->fetcher->fetch(lib->fetcher, complete_url, response, + FETCH_TIMEOUT, http_timeout, + FETCH_REQUEST_DATA, msg, + FETCH_REQUEST_TYPE, "", + FETCH_REQUEST_HEADER, "Expect:", + FETCH_SOURCEIP, srcip, + FETCH_END); + } + else /* HTTP_GET */ { char *escaped_req = escape_http_request(msg); 
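Review bot: A misconfigured `pki.scep.http_bind` is silently ignored: if `host_create_from_string()` cannot parse the string it presumably returns NULL, `srcip` stays NULL, and the request goes out from whatever source address the kernel picks, which defeats the point of pinning the source IP on a multi-homed host and leaves no trace in the log. The hunk should reject an unparsable bind address instead of falling through, and since it also moves `*response = chunk_empty` below the bind block, that initialisation should stay ahead of any early return so callers never see an uninitialised chunk. The POST branch is only relocated from further down and is otherwise unchanged. scep_http_request() continues past this hunk.
```c
	/* initialize response before any early exit */
	*response = chunk_empty;

	if (http_bind)
	{
		srcip = host_create_from_string(http_bind, 0);
		if (!srcip)
		{
			DBG1(DBG_APP, "invalid pki.scep.http_bind address '%s'", http_bind);
			return FALSE;
		}
	}
	/* … unchanged: DBG2, operation lookup, switch on op … */
```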
@@ -369,28 +390,13 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, free(escaped_req); status = lib->fetcher->fetch(lib->fetcher, complete_url, response, - FETCH_TIMEOUT, http_params->timeout, + FETCH_TIMEOUT, http_timeout, FETCH_REQUEST_HEADER, "Pragma:", FETCH_REQUEST_HEADER, "Host:", FETCH_REQUEST_HEADER, "Accept:", FETCH_SOURCEIP, srcip, FETCH_END); } - else /* HTTP_POST */ - { - /* form complete url */ - len = strlen(url) + 11 + strlen(operation) + 1; - complete_url = malloc(len); - snprintf(complete_url, len, "%s?operation=%s", url, operation); - - status = lib->fetcher->fetch(lib->fetcher, complete_url, response, - FETCH_TIMEOUT, http_params->timeout, - FETCH_REQUEST_DATA, msg, - FETCH_REQUEST_TYPE, "", - FETCH_REQUEST_HEADER, "Expect:", - FETCH_SOURCEIP, srcip, - FETCH_END); - } break; case SCEP_GET_CA_CERT: case SCEP_GET_CA_CAPS: @@ -401,7 +407,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, snprintf(complete_url, len, "%s?operation=%s", url, operation); status = lib->fetcher->fetch(lib->fetcher, complete_url, response, - FETCH_TIMEOUT, http_params->timeout, + FETCH_TIMEOUT, http_timeout, FETCH_SOURCEIP, srcip, FETCH_END); } diff --git a/src/pki/scep/scep.h b/src/pki/scep/scep.h index bfb49a4d16..ead203505b 100644 --- a/src/pki/scep/scep.h +++ b/src/pki/scep/scep.h @@ -68,13 +68,6 @@ typedef struct { chunk_t recipientNonce; } scep_attributes_t; -/* SCEP http parameters */ -typedef struct { - bool get_request; - u_int timeout; - char *bind; -} scep_http_params_t; - /* SCEP CA Capabilities */ typedef enum { SCEP_CAPS_AES = 0, 
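Review bot: The GET path still suppresses the `Host:` header together with `Pragma:` and `Accept:` (`FETCH_REQUEST_HEADER, "Host:"`); this predates the commit, but an HTTP/1.1 server or reverse proxy that requires Host may reject or misroute a Host-less request, and the rationale is not visible anywhere here. A why-comment on those three lines would help, hedged since the original reason is unknown: `/* NOTE(review): Host:, Pragma: and Accept: are deliberately suppressed on GET; confirm the SCEP servers in use still need this, HTTP/1.1 proxies may refuse a Host-less request */`. scep_http_request() starts before this hunk and continues after it.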
@@ -108,8 +101,8 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg, size_t key_size, certificate_t *signer_cert, hash_algorithm_t digest_alg, private_key_t *private_key); -bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, - scep_http_params_t *http_params, chunk_t *response); +bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, bool use_post, + chunk_t *response); bool scep_parse_response(chunk_t response, chunk_t transID, container_t **out, scep_attributes_t *attrs);
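Review bot: The prototype names the new parameter `use_post` while the definition in scep.c calls it `http_post`, and the declaration carries no comment saying what the flag does or when it is honoured. Use the same name in both places and document it on the prototype, e.g. `/* http_post: send the PKIOperation as HTTP POST; ignored for GetCACert and GetCACaps, which are always GET */` above `bool scep_http_request(const char *url, chunk_t msg, scep_op_t op, bool http_post,`.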