From 1312eab0368f945c25a6ceb29208f6efaedd8b50 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Fri, 25 Apr 2014 11:22:45 +0200 Subject: [PATCH] swanctl: Change syntax of secrets to accept identities with special chars Having identity strings in the settings key is problematic, as the parser can't handle arbitrary characters in it. Further, the space separation makes it impossible to define identities with spaces. The new format uses key prefixes, similar to those used in local/remote auth sections of connections. The secrets section takes subsections with type prefixes, and each subsection uses "id" prefixes to define an arbitrary number of identities. --- src/swanctl/commands/load_creds.c | 86 +++++++++++++++++-------------- src/swanctl/swanctl.conf | 15 +++--- 2 files changed, 55 insertions(+), 46 deletions(-) diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index 52cdfb9caf..94d31f49f0 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c 
@@ -273,30 +273,44 @@ static void load_keys(vici_conn_t *conn, bool raw, bool noprompt, } /** - * Load a single secret for ids over VICI + * Load a single secret over VICI */ -static bool load_secret(vici_conn_t *conn, char *type, char *owners, - char *value, bool raw) +static bool load_secret(vici_conn_t *conn, settings_t *cfg, + char *section, bool raw) { enumerator_t *enumerator; vici_req_t *req; vici_res_t *res; chunk_t data; - char *owner; + char *key, *value, buf[128], *type = NULL; bool ret = TRUE; + int i; + char *types[] = { + "eap", + "xauth", + "ike", + }; - req = vici_begin("load-shared"); - - vici_add_key_valuef(req, "type", "%s", type); - vici_begin_list(req, "owners"); - enumerator = enumerator_create_token(owners, " ", " "); - while (enumerator->enumerate(enumerator, &owner)) + for (i = 0; i < countof(types); i++) + { + if (strpfx(section, types[i])) + { + type = types[i]; + break; + } + } + if (!type) { - vici_add_list_itemf(req, "%s", owner); + fprintf(stderr, "ignoring unsupported secret '%s'\n", section); + return FALSE; } - enumerator->destroy(enumerator); - vici_end_list(req); + value = cfg->get_str(cfg, "secrets.%s.secret", NULL, section); + if (!value) + { + fprintf(stderr, "missing secret in '%s', ignored\n", section); + return FALSE; + } if (strcasepfx(value, "0x")) { data = chunk_from_hex(chunk_from_str(value + 2), NULL); 
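Review bot: The rewritten header comment `Load a single secret over VICI` documents none of the section contract the function now enforces, which is the substance of this change: the subsection name must begin with one of `eap`, `xauth` or `ike` (matched with strpfx, so `eap-tester` and `eapfoo` both qualify), its `secret` key carries the value, and every key whose name starts with `id` is treated as an owner. I would state that in the comment, along the lines of `Load a single secret from a secrets.<type>-<name> subsection over VICI; "secret" holds the value, each "id*" key names an owner`, so the swanctl.conf example is not the only place the format is written down. The `types[]` table is an automatic array whose strings are never modified, so `static const char *const types[]` would be the more idiomatic declaration and still works with countof(). load_secret's body continues past the end of this hunk.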
@@ -309,9 +323,26 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners, { data = chunk_clone(chunk_from_str(value)); } + + req = vici_begin("load-shared"); + + vici_add_key_valuef(req, "type", "%s", type); vici_add_key_value(req, "data", data.ptr, data.len); chunk_clear(&data); + vici_begin_list(req, "owners"); + snprintf(buf, sizeof(buf), "secrets.%s", section); + enumerator = cfg->create_key_value_enumerator(cfg, buf); + while (enumerator->enumerate(enumerator, &key, &value)) + { + if (strpfx(key, "id")) + { + vici_add_list_itemf(req, "%s", value); + } + } + enumerator->destroy(enumerator); + vici_end_list(req); + res = vici_submit(req, conn); if (!res) { @@ -330,37 +361,12 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners, } else { - printf("loaded %s secret for: ", type); - enumerator = enumerator_create_token(owners, " ", " "); - while (enumerator->enumerate(enumerator, &owner)) - { - printf("'%s' ", owner); - } - enumerator->destroy(enumerator); - printf("\n"); + printf("loaded %s secret '%s'\n", type, section); } vici_free_res(res); return ret; } -/** - * Load secrets from settings section - */ -static void load_secrets(vici_conn_t *conn, settings_t *cfg, - char *section, bool raw) -{ - enumerator_t *enumerator; - char buf[64], *key, *value; - - snprintf(buf, sizeof(buf), "secrets.%s", section); - enumerator = cfg->create_key_value_enumerator(cfg, buf); - while (enumerator->enumerate(enumerator, &key, &value)) - { - load_secret(conn, section, key, value, raw); - } - enumerator->destroy(enumerator); -} - /** * Clear all currently loaded credentials */ @@ -440,7 +446,7 @@ static int load_creds(vici_conn_t *conn) enumerator = cfg->create_section_enumerator(cfg, "secrets"); while (enumerator->enumerate(enumerator, §ion)) { - load_secrets(conn, cfg, section, raw); + load_secret(conn, cfg, section, raw); } enumerator->destroy(enumerator); 
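Review bot: `snprintf(buf, sizeof(buf), "secrets.%s", section)` does not check for truncation: a subsection name longer than about 119 characters produces a key naming a section that does not exist, the `id*` loop then matches nothing, and the secret is still submitted with an empty owners list instead of being refused. I would perform the check before `vici_begin` is called, right after the `secret` lookup, so no request is left half-built on the error path: `if (snprintf(buf, sizeof(buf), "secrets.%s", section) >= (int)sizeof(buf)) { fprintf(stderr, "section name '%s' too long, ignored\n", section); return FALSE; }`. Independently of truncation, a subsection that has a `secret` but no `id*` key is likewise loaded with no owners; if owner-less secrets are intended to act as wildcards, as they did in ipsec.secrets, the header comment should say so explicitly, otherwise the loop should count its matches and reject the secret when none were found. The enclosing function starts before this hunk.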
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf index 7580740b1a..f43d1d49b9 100644 --- a/src/swanctl/swanctl.conf +++ b/src/swanctl/swanctl.conf @@ -113,10 +113,13 @@ connections { } secrets { - eap { -# tester = testpassword - } - ike { -# sun.strongswan.org = 0x12345678901234 - } +# eap-tester { +# id = tester +# secret = test +# } +# ike-moon { +# id-local = sun.strongswan.org +# id-remote = mon.strongswan.org +# secret = 0x12345678901234 +# } } -- 2.47.2