From: Tobias Brunner Date: Thu, 26 Jul 2018 15:57:36 +0000 (+0200) Subject: vici: Make PPK related options configurable X-Git-Tag: 5.7.0rc1~19^2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f94528061ef840d1db5bd86ab7dd84c62f847d7;p=thirdparty%2Fstrongswan.git vici: Make PPK related options configurable --- diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c index 8afefaa094..10c62dc899 100644 --- a/src/libcharon/plugins/vici/vici_config.c +++ b/src/libcharon/plugins/vici/vici_config.c @@ -2,7 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * - * Copyright (C) 2015-2017 Tobias Brunner + * Copyright (C) 2015-2018 Tobias Brunner * Copyright (C) 2015-2018 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -304,6 +304,8 @@ typedef struct { bool mobike; bool send_certreq; bool pull; + identification_t *ppk_id; + bool ppk_required; cert_policy_t send_cert; uint64_t dpd_delay; uint64_t dpd_timeout; @@ -403,6 +405,8 @@ static void log_peer_data(peer_data_t *data) DBG2(DBG_CFG, " remote_port = %u", data->remote_port); DBG2(DBG_CFG, " send_certreq = %u", data->send_certreq); DBG2(DBG_CFG, " send_cert = %N", cert_policy_names, data->send_cert); + DBG2(DBG_CFG, " ppk_id = %Y", data->ppk_id); + DBG2(DBG_CFG, " ppk_required = %u", data->ppk_required); DBG2(DBG_CFG, " mobike = %u", data->mobike); DBG2(DBG_CFG, " aggressive = %u", data->aggressive); DBG2(DBG_CFG, " dscp = 0x%.2x", data->dscp); @@ -469,6 +473,7 @@ static void free_peer_data(peer_data_t *data) free(data->pools); free(data->local_addrs); free(data->remote_addrs); + DESTROY_IF(data->ppk_id); #ifdef ME free(data->mediated_by); DESTROY_IF(data->peer_id); @@ -1584,9 +1589,8 @@ CALLBACK(parse_hosts, bool, return TRUE; } -#ifdef ME /** - * Parse peer ID + * Parse peer/ppk ID */ CALLBACK(parse_peer_id, bool, identification_t **out, chunk_t v) @@ -1600,7 +1604,7 @@ CALLBACK(parse_peer_id, bool, *out = identification_create_from_string(buf); return TRUE; } -#endif /* ME */ + CALLBACK(cert_kv, bool, cert_data_t *cert, vici_message_t *message, char *name, chunk_t value) @@ -1744,6 +1748,8 @@ CALLBACK(peer_kv, bool, { "rekey_time", parse_time, &peer->rekey_time }, { "over_time", parse_time, &peer->over_time }, { "rand_time", parse_time, &peer->rand_time }, + { "ppk_id", parse_peer_id, &peer->ppk_id }, + { "ppk_required", parse_bool, &peer->ppk_required }, #ifdef ME { "mediation", parse_bool, &peer->mediation }, { "mediated_by", parse_string, &peer->mediated_by }, @@ -2480,6 +2486,8 @@ CALLBACK(config_sn, bool, .push_mode = !peer.pull, .dpd = peer.dpd_delay, .dpd_timeout = peer.dpd_timeout, + .ppk_id = peer.ppk_id ? peer.ppk_id->clone(peer.ppk_id) : NULL, + .ppk_required = peer.ppk_required, }; #ifdef ME cfg.mediation = peer.mediation; diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index f529902db2..0b84458bea 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -787,6 +787,7 @@ CALLBACK(list_conns, vici_message_t*, child_cfg_t *child_cfg; char *ike, *str, *interface; uint32_t manual_prio, dpd_delay, dpd_timeout; + identification_t *ppk_id; linked_list_t *list; traffic_selector_t *ts; lifetime_cfg_t *lft; @@ -849,6 +850,16 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "dpd_timeout", "%u", dpd_timeout); } + ppk_id = peer_cfg->get_ppk_id(peer_cfg); + if (ppk_id) + { + b->add_kv(b, "ppk_id", "%Y", ppk_id); + } + if (peer_cfg->ppk_required(peer_cfg)) + { + b->add_kv(b, "ppk_required", "yes"); + } + build_auth_cfgs(peer_cfg, TRUE, b); build_auth_cfgs(peer_cfg, FALSE, b); diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 5b44c541bb..82bc424b7c 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -188,6 +188,12 @@ connections..send_cert = ifasked certificate payloads altogether, _always_ causes certificate payloads to be sent unconditionally whenever certificate authentication is used. +connections..ppk_id = + String identifying the Postquantum Preshared Key (PPK) to be used. + +connections..ppk_required = no + Whether a Postquantum Preshared Key (PPK) is required for this connection. + connections..keyingtries = 1 Number of retransmission sequences to perform during initial connect.