mirror of
https://github.com/strongswan/strongswan.git
synced 2025-11-27 00:00:29 -05:00
swanctl: Change syntax of secrets to accept identities with special chars
Having identity strings in the settings key is problematic, as the parser can't handle arbitrary characters in it. Further, the space separation makes it impossible to define identities with spaces. The new format uses key prefixes, similar to those used in local/remote auth sections of connections. The secrets section takes subsections with type prefixes, and each subsection uses "id" prefixes to define an arbitrary number of identities.
This commit is contained in:
Martin Willi
parent
a2875525ae
commit
1312eab036
@ -273,30 +273,44 @@ static void load_keys(vici_conn_t *conn, bool raw, bool noprompt,
|
||||
}
|
||||
|
||||
/**
|
||||
* Load a single secret for ids over VICI
|
||||
* Load a single secret over VICI
|
||||
*/
|
||||
static bool load_secret(vici_conn_t *conn, char *type, char *owners,
|
||||
char *value, bool raw)
|
||||
static bool load_secret(vici_conn_t *conn, settings_t *cfg,
|
||||
char *section, bool raw)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
vici_req_t *req;
|
||||
vici_res_t *res;
|
||||
chunk_t data;
|
||||
char *owner;
|
||||
char *key, *value, buf[128], *type = NULL;
|
||||
bool ret = TRUE;
|
||||
int i;
|
||||
char *types[] = {
|
||||
"eap",
|
||||
"xauth",
|
||||
"ike",
|
||||
};
|
||||
|
||||
req = vici_begin("load-shared");
|
||||
|
||||
vici_add_key_valuef(req, "type", "%s", type);
|
||||
vici_begin_list(req, "owners");
|
||||
enumerator = enumerator_create_token(owners, " ", " ");
|
||||
while (enumerator->enumerate(enumerator, &owner))
|
||||
for (i = 0; i < countof(types); i++)
|
||||
{
|
||||
vici_add_list_itemf(req, "%s", owner);
|
||||
if (strpfx(section, types[i]))
|
||||
{
|
||||
type = types[i];
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!type)
|
||||
{
|
||||
fprintf(stderr, "ignoring unsupported secret '%s'\n", section);
|
||||
return FALSE;
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
vici_end_list(req);
|
||||
|
||||
value = cfg->get_str(cfg, "secrets.%s.secret", NULL, section);
|
||||
if (!value)
|
||||
{
|
||||
fprintf(stderr, "missing secret in '%s', ignored\n", section);
|
||||
return FALSE;
|
||||
}
|
||||
if (strcasepfx(value, "0x"))
|
||||
{
|
||||
data = chunk_from_hex(chunk_from_str(value + 2), NULL);
|
||||
@ -309,9 +323,26 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners,
|
||||
{
|
||||
data = chunk_clone(chunk_from_str(value));
|
||||
}
|
||||
|
||||
req = vici_begin("load-shared");
|
||||
|
||||
vici_add_key_valuef(req, "type", "%s", type);
|
||||
vici_add_key_value(req, "data", data.ptr, data.len);
|
||||
chunk_clear(&data);
|
||||
|
||||
vici_begin_list(req, "owners");
|
||||
snprintf(buf, sizeof(buf), "secrets.%s", section);
|
||||
enumerator = cfg->create_key_value_enumerator(cfg, buf);
|
||||
while (enumerator->enumerate(enumerator, &key, &value))
|
||||
{
|
||||
if (strpfx(key, "id"))
|
||||
{
|
||||
vici_add_list_itemf(req, "%s", value);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
vici_end_list(req);
|
||||
|
||||
res = vici_submit(req, conn);
|
||||
if (!res)
|
||||
{
|
||||
@ -330,37 +361,12 @@ static bool load_secret(vici_conn_t *conn, char *type, char *owners,
|
||||
}
|
||||
else
|
||||
{
|
||||
printf("loaded %s secret for: ", type);
|
||||
enumerator = enumerator_create_token(owners, " ", " ");
|
||||
while (enumerator->enumerate(enumerator, &owner))
|
||||
{
|
||||
printf("'%s' ", owner);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
printf("\n");
|
||||
printf("loaded %s secret '%s'\n", type, section);
|
||||
}
|
||||
vici_free_res(res);
|
||||
return ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Load secrets from settings section
|
||||
*/
|
||||
static void load_secrets(vici_conn_t *conn, settings_t *cfg,
|
||||
char *section, bool raw)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
char buf[64], *key, *value;
|
||||
|
||||
snprintf(buf, sizeof(buf), "secrets.%s", section);
|
||||
enumerator = cfg->create_key_value_enumerator(cfg, buf);
|
||||
while (enumerator->enumerate(enumerator, &key, &value))
|
||||
{
|
||||
load_secret(conn, section, key, value, raw);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
|
||||
/**
|
||||
* Clear all currently loaded credentials
|
||||
*/
|
||||
@ -440,7 +446,7 @@ static int load_creds(vici_conn_t *conn)
|
||||
enumerator = cfg->create_section_enumerator(cfg, "secrets");
|
||||
while (enumerator->enumerate(enumerator, §ion))
|
||||
{
|
||||
load_secrets(conn, cfg, section, raw);
|
||||
load_secret(conn, cfg, section, raw);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
|
||||
@ -113,10 +113,13 @@ connections {
|
||||
}
|
||||
|
||||
secrets {
|
||||
eap {
|
||||
# tester = testpassword
|
||||
}
|
||||
ike {
|
||||
# sun.strongswan.org = 0x12345678901234
|
||||
}
|
||||
# eap-tester {
|
||||
# id = tester
|
||||
# secret = test
|
||||
# }
|
||||
# ike-moon {
|
||||
# id-local = sun.strongswan.org
|
||||
# id-remote = mon.strongswan.org
|
||||
# secret = 0x12345678901234
|
||||
# }
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user