vici: strongswan.conf cache_crls = yes saves fetched CRLs to disk

conf/options/charon.opt

@@ -30,6 +30,12 @@ charon.cert_cache = yes
 	Whether relations in validated certificate chains should be cached in
 	memory.
 
+charon.cache_crls = no
+	Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+	be saved under a unique file name derived from the public key of the
+	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+	**/etc/swanctl/x509crl** (vici), respectively.
+
 charon.cisco_unity = no
 	Send Cisco Unity vendor ID payload (IKEv1 only).
 

src/libcharon/plugins/stroke/stroke_cred.c

@@ -562,7 +562,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 	}
 }
 
-METHOD(stroke_cred_t, cache_cert, void,
+METHOD(credential_set_t, cache_cert, void,
 	private_stroke_cred_t *this, certificate_t *cert)
 {
 	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
@@ -1497,6 +1497,10 @@ stroke_cred_t *stroke_cred_create(stroke_ca_t *ca)
 		.ca = ca,
 	);
 
+	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+	{
+		cachecrl(this, TRUE);
+	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
 

src/libcharon/plugins/stroke/stroke_socket.c

@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2011-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the

src/libcharon/plugins/vici/Makefile.am

@@ -2,6 +2,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
+	-DSWANCTLDIR=\""${swanctldir}\"" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \

src/libcharon/plugins/vici/vici_cred.c

@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -25,8 +25,15 @@
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/x509.h>
 
+#include <errno.h>
+
 typedef struct private_vici_cred_t private_vici_cred_t;
 
+/**
+ * Directory for saved X.509 CRLs
+ */
+#define CRL_DIR SWANCTLDIR "/x509crl"
+
 /**
  * Private data of an vici_cred_t object.
  */
@@ -46,8 +53,51 @@ struct private_vici_cred_t {
 	 * credentials
 	 */
 	mem_cred_t *creds;
+
+	/**
+	 * cache CRLs to disk?
+	 */
+	bool cachecrl;
+
 };
 
+METHOD(credential_set_t, cache_cert, void,
+	private_vici_cred_t *this, certificate_t *cert)
+{
+	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
+	{
+		/* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
+		crl_t *crl = (crl_t*)cert;
+
+		cert->get_ref(cert);
+		if (this->creds->add_crl(this->creds, crl))
+		{
+			char buf[BUF_LEN];
+			chunk_t chunk, hex;
+
+			chunk = crl->get_authKeyIdentifier(crl);
+			hex = chunk_to_hex(chunk, NULL, FALSE);
+			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
+			free(hex.ptr);
+
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+			{
+				if (chunk_write(chunk, buf, 022, TRUE))
+				{
+					DBG1(DBG_CFG, "  written crl file '%s' (%d bytes)",
+						 buf, chunk.len);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  writing crl file '%s' failed: %s",
+						 buf, strerror(errno));
+				}
+				free(chunk.ptr);
+			}
+		}
+	}
+}
+
 /**
  * Create a (error) reply message
  */
@@ -349,6 +399,13 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 
 	INIT(this,
 		.public = {
+			.set = {
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = (void*)return_null,
+				.create_shared_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)_cache_cert,
+			},
 			.add_cert = _add_cert,
 			.destroy = _destroy,
 		},
@@ -356,6 +413,11 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 		.creds = mem_cred_create(),
 	);
 
+	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+	{
+		this->cachecrl = TRUE;
+		DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
+	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 
 	manage_commands(this, TRUE);

src/libcharon/plugins/vici/vici_cred.h

@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -23,6 +26,8 @@
 
 #include "vici_dispatcher.h"
 
+#include <credentials/credential_set.h>
+
 typedef struct vici_cred_t vici_cred_t;
 
 /**
@@ -30,6 +35,11 @@ typedef struct vici_cred_t vici_cred_t;
  */
 struct vici_cred_t {
 
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+
 	/**
 	 * Add a certificate to the certificate store
 	 *

src/libcharon/plugins/vici/vici_plugin.c

@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -130,6 +130,7 @@ static bool register_vici(private_vici_plugin_t *this,
 			this->cred = vici_cred_create(this->dispatcher);
 			this->authority = vici_authority_create(this->dispatcher,
 													this->cred);
+			lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 			lib->credmgr->add_set(lib->credmgr, &this->authority->set);
 			this->config = vici_config_create(this->dispatcher, this->authority,
 											  this->cred);
@@ -158,6 +159,7 @@ static bool register_vici(private_vici_plugin_t *this,
 		this->logger->destroy(this->logger);
 		this->attrs->destroy(this->attrs);
 		this->config->destroy(this->config);
+		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 		lib->credmgr->remove_set(lib->credmgr, &this->authority->set);
 		this->authority->destroy(this->authority);
 		this->cred->destroy(this->cred);

testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf

@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	cachecrls=yes
 
 conn %default
 	ikelifetime=60m

testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf

@@ -2,4 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+  cache_crls = yes
 }

testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf

@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	cachecrls=yes
 
 conn %default
 	ikelifetime=60m

testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf

@@ -2,4 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+  cache_crls = yes
 }

testing/tests/swanctl/crl-to-cache/description.txt

@@ -0,0 +1,6 @@
+By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched
+via http from the web server <b>winnetou</b> is saved locally in the
+directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b>
+and the gateway <b>moon</b> when the IPsec connection is set up. The
+<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b>
+is used as a unique filename for the cached CRL. 

testing/tests/swanctl/crl-to-cache/evaltest.dat

@@ -0,0 +1,4 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES

testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  cache_crls = yes
+}

testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+         }
+      }
+      version = 2
+   }
+}

testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  cache_crls = yes
+}

testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,21 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+         }
+      }
+      version = 2
+   }
+}

testing/tests/swanctl/crl-to-cache/posttest.dat

@@ -0,0 +1,5 @@
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*

testing/tests/swanctl/crl-to-cache/pretest.dat

@@ -0,0 +1,5 @@
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null

testing/tests/swanctl/crl-to-cache/test.conf

@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1