lib: All settings use configured namespace

This commit is contained in:
Tobias Brunner 2014-01-28 16:38:06 +01:00
parent 7a684aece4
commit 8dc6e71632
24 changed files with 196 additions and 196 deletions


@ -139,11 +139,15 @@ Plugins to load in ipsec attest tool
.BR Note :
Many of these options also apply to \fBcharon\-cmd\fR and other
\fBcharon\fR derivatives. Just use their respective name (e.g.
\fIcharon\-cmd\fR) instead of \fIcharon\fR.
\fIcharon\-cmd\fR) instead of \fIcharon\fR. For many options defaults
can be defined in the \fIlibstrongswan\fR section.
.TP
.BR charon.block_threshold " [5]"
Maximum number of half-open IKE_SAs for a single peer IP
.TP
.BR charon.cert_cache " [yes]"
Whether relations in validated certificate chains should be cached in memory
.TP
.BR charon.cisco_unity " [no]
Send Cisco Unity vendor ID payload (IKEv1 only)
.TP
@ -153,6 +157,31 @@ Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed
.BR charon.cookie_threshold " [10]"
Number of half-open IKE_SAs that activate the cookie mechanism
.TP
.BR charon.crypto_test.bench " [no]"
.TP
.BR charon.crypto_test.bench_size " [1024]"
.TP
.BR charon.crypto_test.bench_time " [50]"
.TP
.BR charon.crypto_test.on_add " [no]"
Test crypto algorithms during registration
.TP
.BR charon.crypto_test.on_create " [no]"
Test crypto algorithms on each crypto primitive instantiation
.TP
.BR charon.crypto_test.required " [no]"
Strictly require at least one test vector to enable an algorithm
.TP
.BR charon.crypto_test.rng_true " [no]"
Whether to test RNG with TRUE quality; requires a lot of entropy
.TP
.BR charon.dh_exponent_ansi_x9_42 " [yes]"
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
strength
.TP
.BR charon.dns1
.TQ
.BR charon.dns2
@ -161,6 +190,9 @@ DNS servers assigned to peer via configuration payload (CP)
.BR charon.dos_protection " [yes]"
Enable Denial of Service protection using cookies and aggressiveness checks
.TP
.BR charon.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
.BR charon.filelog
Section to define file loggers, see LOGGER CONFIGURATION
.TP
@ -183,6 +215,12 @@ Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING).
.BR charon.hash_and_url " [no]"
Enable hash and URL support
.TP
.BR charon.host_resolver.max_threads " [3]"
Maximum number of concurrent resolver threads (they are terminated if unused)
.TP
.BR charon.host_resolver.min_threads " [0]"
Minimum number of resolver threads to keep around
.TP
.BR charon.i_dont_care_about_security_and_use_aggressive_mode_psk " [no]"
If enabled responders are allowed to use IKEv1 Aggressive Mode with pre-shared
keys, which is discouraged due to security concerns (offline attacks on the
@ -225,6 +263,9 @@ Install virtual IP addresses
The name of the interface on which virtual IP addresses should be installed.
If not specified the addresses will be installed on the outbound interface.
.TP
.BR charon.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR charon.interfaces_ignore
A comma-separated list of network interfaces that should be ignored, if
.B charon.interfaces_use
@ -237,6 +278,15 @@ All other interfaces are ignored.
.BR charon.keep_alive " [20s]"
NAT keep alive interval
.TP
.BR charon.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
.TP
.BR charon.leak_detective.usage_threshold " [10240]"
Threshold in bytes for leaks to be reported (0 to report all)
.TP
.BR charon.leak_detective.usage_threshold_count " [0]"
Threshold in number of allocations for leaks to be reported (0 to report all)
.TP
.BR charon.load
Plugins to load in the IKEv2 daemon charon
.TP
@ -263,6 +313,10 @@ otherwise a random port will be allocated.
.BR charon.process_route " [yes]"
Process RTM_NEWROUTE and RTM_DELROUTE events
.TP
.BR charon.processor.priority_threads
Subsection to configure the number of reserved threads per priority class
see JOB PRIORITY MANAGEMENT
.TP
.BR charon.receive_delay " [0]"
Delay in ms for receiving packets, to simulate larger RTT
.TP
@ -327,6 +381,10 @@ might be used as indicator on the number of reserved threads.
.TP
.BR charon.user
Name of the user the daemon changes to after startup
.TP
.BR charon.x509.enforce_critical " [yes]"
Discard certificates with unsupported or unknown critical extensions
.
.SS charon.plugins subsection
.TP
.BR charon.plugins.android_log.loglevel " [1]"
@ -336,6 +394,12 @@ Loglevel for logging to Android specific logger
Section to specify arbitrary attributes that are assigned to a peer via
configuration payload (CP)
.TP
.BR charon.plugins.attr-sql.database
Database URI for attr-sql plugin used by charon
.TP
.BR charon.plugins.attr-sql.lease_history " [yes]"
Enable logging of SQL IP pool leases
.TP
.BR charon.plugins.certexpire.csv.cron
Cron style string specifying CSV export times
.TP
@ -603,6 +667,9 @@ Request peer authentication based on a client certificate
.BR charon.plugins.error-notify.socket " [unix://@piddir@/charon.enfy]"
Socket provided by the error-notify plugin
.TP
.BR charon.plugins.gcrypt.quick_random " [no]"
Use faster random numbers in gcrypt; for testing only, produces weak keys!
.TP
.BR charon.plugins.ha.autobalance " [0]"
Interval in seconds to automatically balance handled segments between nodes.
Set to 0 to disable.
@ -680,6 +747,51 @@ Section to configure the load-tester plugin, see LOAD TESTS
.BR charon.plugins.lookip.socket " [unix://@piddir@/charon.lkp]"
Socket provided by the lookip plugin
.TP
.BR charon.plugins.ntru.max_drbg_requests " [4294967294]"
Number of pseudo-random bit requests from the DRBG before an automatic
reseeding occurs.
.TP
.BR charon.plugins.ntru.parameter_set " [optimum]"
The following parameter sets are available:
.BR x9_98_speed ,
.BR x9_98_bandwidth ,
.B x9_98_balance
and
.BR optimum ,
the last set not being part of the X9.98 standard but having the best performance.
.TP
.BR charon.plugins.openssl.engine_id " [pkcs11]"
ENGINE ID to use in the OpenSSL plugin
.TP
.BR charon.plugins.openssl.fips_mode " [0]"
Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
.TP
.BR charon.plugins.pkcs11.modules
List of available PKCS#11 modules
.TP
.BR charon.plugins.pkcs11.load_certs " [yes]"
Whether to load certificates from tokens
.TP
.BR charon.plugins.pkcs11.reload_certs " [no]"
Reload certificates from all tokens if charon receives a SIGHUP
.TP
.BR charon.plugins.pkcs11.use_dh " [no]"
Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
.TP
.BR charon.plugins.pkcs11.use_ecc " [no]"
Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
operations. ECDSA private keys can be used regardless of this option
.TP
.BR charon.plugins.pkcs11.use_hasher " [no]"
Whether the PKCS#11 modules should be used to hash data
.TP
.BR charon.plugins.pkcs11.use_pubkey " [no]"
Whether the PKCS#11 modules should be used for public key operations, even for
keys not stored on tokens
.TP
.BR charon.plugins.pkcs11.use_rng " [no]"
Whether the PKCS#11 modules should be used as RNG
.TP
.BR charon.plugins.radattr.dir
Directory where RADIUS attributes are stored in client-ID specific files.
.TP
@ -687,6 +799,16 @@ Directory where RADIUS attributes are stored in client-ID specific files.
Attributes are added to all IKE_AUTH messages by default (-1), or only to the
IKE_AUTH message with the given IKEv2 message ID.
.TP
.BR charon.plugins.random.random " [@random_device@]"
File to read random bytes from, instead of @random_device@
.TP
.BR charon.plugins.random.urandom " [@urandom_device@]"
File to read pseudo random bytes from, instead of @urandom_device@
.TP
.BR charon.plugins.random.strong_equals_true " [no]"
If set to yes the RNG_STRONG class reads random bytes from the same source as
the RNG_TRUE class.
.TP
.BR charon.plugins.resolve.file " [/etc/resolv.conf]"
File where to add DNS server entries
.TP
@ -787,6 +909,20 @@ Name of the strongSwan PDP as contained in the AAA certificate
.BR charon.plugins.tnc-pdp.timeout
Timeout in seconds before closing incomplete connections
.TP
.BR charon.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
File to read DNS resolver configuration from
.TP
.BR charon.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
File to read DNSSEC trust anchors from (usually root zone KSK). The format of
the file is the standard DNS Zone file format, anchors can be stored as DS or
DNSKEY entries in the file.
.TP
.BR charon.plugins.unbound.dlv_anchors
File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
is then used as a root trusted DLV, this means that it is a lookaside for
the root.
.TP
.BR charon.plugins.updown.dns_handler " [no]"
Whether the updown script should handle DNS serves assigned via IKEv1 Mode
Config or IKEv2 Config Payloads (if enabled they can't be handled by other
@ -810,142 +946,6 @@ Open/close a PAM session for each active IKE_SA
.BR charon.plugins.xauth-pam.trim_email " [yes]"
If an email address is given as an XAuth username, trim it to just the
username part.
.SS libstrongswan section
.TP
.BR libstrongswan.cert_cache " [yes]"
Whether relations in validated certificate chains should be cached in memory
.TP
.BR libstrongswan.crypto_test.bench " [no]"
.TP
.BR libstrongswan.crypto_test.bench_size " [1024]"
.TP
.BR libstrongswan.crypto_test.bench_time " [50]"
.TP
.BR libstrongswan.crypto_test.on_add " [no]"
Test crypto algorithms during registration
.TP
.BR libstrongswan.crypto_test.on_create " [no]"
Test crypto algorithms on each crypto primitive instantiation
.TP
.BR libstrongswan.crypto_test.required " [no]"
Strictly require at least one test vector to enable an algorithm
.TP
.BR libstrongswan.crypto_test.rng_true " [no]"
Whether to test RNG with TRUE quality; requires a lot of entropy
.TP
.BR libstrongswan.dh_exponent_ansi_x9_42 " [yes]"
Use ANSI X9.42 DH exponent size or optimum size matched to cryptographical
strength
.TP
.BR libstrongswan.ecp_x_coordinate_only " [yes]"
Compliance with the errata for RFC 4753
.TP
.BR libstrongswan.host_resolver.max_threads " [3]"
Maximum number of concurrent resolver threads (they are terminated if unused)
.TP
.BR libstrongswan.host_resolver.min_threads " [0]"
Minimum number of resolver threads to keep around
.TP
.BR libstrongswan.integrity_test " [no]"
Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
.TP
.BR libstrongswan.leak_detective.usage_threshold " [10240]"
Threshold in bytes for leaks to be reported (0 to report all)
.TP
.BR libstrongswan.leak_detective.usage_threshold_count " [0]"
Threshold in number of allocations for leaks to be reported (0 to report all)
.TP
.BR libstrongswan.processor.priority_threads
Subsection to configure the number of reserved threads per priority class
see JOB PRIORITY MANAGEMENT
.TP
.BR libstrongswan.x509.enforce_critical " [yes]"
Discard certificates with unsupported or unknown critical extensions
.SS libstrongswan.plugins subsection
.TP
.BR libstrongswan.plugins.attr-sql.database
Database URI for attr-sql plugin used by charon
.TP
.BR libstrongswan.plugins.attr-sql.lease_history " [yes]"
Enable logging of SQL IP pool leases
.TP
.BR libstrongswan.plugins.gcrypt.quick_random " [no]"
Use faster random numbers in gcrypt; for testing only, produces weak keys!
.TP
.BR libstrongswan.plugins.ntru.max_drbg_requests " [4294967294]"
Number of pseudo-random bit requests from the DRBG before an automatic
reseeding occurs.
.TP
.BR libstrongswan.plugins.ntru.parameter_set " [optimum]"
The following parameter sets are available:
.BR x9_98_speed ,
.BR x9_98_bandwidth ,
.B x9_98_balance
and
.BR optimum ,
the last set not being part of the X9.98 standard but having the best performance.
.TP
.BR libstrongswan.plugins.openssl.engine_id " [pkcs11]"
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.openssl.fips_mode " [0]"
Set OpenSSL FIPS mode: disabled(0), enabled(1), Suite B enabled(2)
.TP
.BR libstrongswan.plugins.pkcs11.modules
List of available PKCS#11 modules
.TP
.BR libstrongswan.plugins.pkcs11.load_certs " [yes]"
Whether to load certificates from tokens
.TP
.BR libstrongswan.plugins.pkcs11.reload_certs " [no]"
Reload certificates from all tokens if charon receives a SIGHUP
.TP
.BR libstrongswan.plugins.pkcs11.use_dh " [no]"
Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc option)
.TP
.BR libstrongswan.plugins.pkcs11.use_ecc " [no]"
Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
operations. ECDSA private keys can be used regardless of this option
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
Whether the PKCS#11 modules should be used to hash data
.TP
.BR libstrongswan.plugins.pkcs11.use_pubkey " [no]"
Whether the PKCS#11 modules should be used for public key operations, even for
keys not stored on tokens
.TP
.BR libstrongswan.plugins.pkcs11.use_rng " [no]"
Whether the PKCS#11 modules should be used as RNG
.TP
.BR libstrongswan.plugins.random.random " [@random_device@]"
File to read random bytes from, instead of @random_device@
.TP
.BR libstrongswan.plugins.random.urandom " [@urandom_device@]"
File to read pseudo random bytes from, instead of @urandom_device@
.TP
.BR libstrongswan.plugins.random.strong_equals_true " [no]"
If set to yes the RNG_STRONG class reads random bytes from the same source as
the RNG_TRUE class.
.TP
.BR libstrongswan.plugins.unbound.resolv_conf " [/etc/resolv.conf]"
File to read DNS resolver configuration from
.TP
.BR libstrongswan.plugins.unbound.trust_anchors " [/etc/ipsec.d/dnssec.keys]"
File to read DNSSEC trust anchors from (usually root zone KSK). The format of
the file is the standard DNS Zone file format, anchors can be stored as DS or
DNSKEY entries in the file.
.TP
.BR libstrongswan.plugins.unbound.dlv_anchors
File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
the same format as \fItrust_anchors\fR. Only one DLV can be configured, which
is then used as a root trusted DLV, this means that it is a lookaside for
the root.
.SS libtls section
.TP
.BR libtls.cipher
@ -1378,22 +1378,22 @@ for one).
To ensure that there are always enough threads available for higher priority
tasks, threads must be reserved for each priority class.
.TP
.BR libstrongswan.processor.priority_threads.critical " [0]"
.BR charon.processor.priority_threads.critical " [0]"
Threads reserved for CRITICAL priority class jobs
.TP
.BR libstrongswan.processor.priority_threads.high " [0]"
.BR charon.processor.priority_threads.high " [0]"
Threads reserved for HIGH priority class jobs
.TP
.BR libstrongswan.processor.priority_threads.medium " [0]"
.BR charon.processor.priority_threads.medium " [0]"
Threads reserved for MEDIUM priority class jobs
.TP
.BR libstrongswan.processor.priority_threads.low " [0]"
.BR charon.processor.priority_threads.low " [0]"
Threads reserved for LOW priority class jobs
.PP
Let's consider the following configuration:
.PP
.EX
libstrongswan {
charon {
processor {
priority_threads {
high = 1


@ -1349,7 +1349,7 @@ credential_manager_t *credential_manager_create()
this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
this->exclusive_local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
if (lib->settings->get_bool(lib->settings, "libstrongswan.cert_cache", TRUE))
if (lib->settings->get_bool(lib->settings, "%s.cert_cache", TRUE, lib->ns))
{
this->cache = cert_cache_create();
this->sets->insert_first(this->sets, this->cache);


@ -967,11 +967,11 @@ crypto_factory_t *crypto_factory_create()
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
.tester = crypto_tester_create(),
.test_on_add = lib->settings->get_bool(lib->settings,
"libstrongswan.crypto_test.on_add", FALSE),
"%s.crypto_test.on_add", FALSE, lib->ns),
.test_on_create = lib->settings->get_bool(lib->settings,
"libstrongswan.crypto_test.on_create", FALSE),
"%s.crypto_test.on_create", FALSE, lib->ns),
.bench = lib->settings->get_bool(lib->settings,
"libstrongswan.crypto_test.bench", FALSE),
"%s.crypto_test.bench", FALSE, lib->ns),
);
return &this->public;


@ -1207,13 +1207,13 @@ crypto_tester_t *crypto_tester_create()
.rng = linked_list_create(),
.required = lib->settings->get_bool(lib->settings,
"libstrongswan.crypto_test.required", FALSE),
"%s.crypto_test.required", FALSE, lib->ns),
.rng_true = lib->settings->get_bool(lib->settings,
"libstrongswan.crypto_test.rng_true", FALSE),
"%s.crypto_test.rng_true", FALSE, lib->ns),
.bench_time = lib->settings->get_int(lib->settings,
"libstrongswan.crypto_test.bench_time", 50),
"%s.crypto_test.bench_time", 50, lib->ns),
.bench_size = lib->settings->get_int(lib->settings,
"libstrongswan.crypto_test.bench_size", 1024),
"%s.crypto_test.bench_size", 1024, lib->ns),
);
/* enforce a block size of 16, should be fine for all algorithms */


@ -444,7 +444,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
{
if (!dh_params[i].public.subgroup.len &&
lib->settings->get_int(lib->settings,
"libstrongswan.dh_exponent_ansi_x9_42", TRUE))
"%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
{
dh_params[i].public.exp_len = dh_params[i].public.prime.len;
}
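Review bot: The `"%s.dh_exponent_ansi_x9_42"` lookup uses `get_int` for a setting the man page hunk documents as a yes/no value (`[yes]`), while every other boolean key in this commit goes through `get_bool`. If `get_int` converts the string numerically, an explicit `= yes` in strongswan.conf could read as 0 and silently select the shorter exponent, which is the opposite of what the operator asked for; the DH exponent length is a direct input to key strength. Unless `get_int` is known to accept yes/no, change the call to `lib->settings->get_int` → `lib->settings->get_bool(lib->settings, "%s.dh_exponent_ansi_x9_42", TRUE, lib->ns)`. diffie_hellman_get_params begins outside the hunk.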


@ -108,7 +108,7 @@ void library_deinit()
}
detailed = lib->settings->get_bool(lib->settings,
"libstrongswan.leak_detective.detailed", TRUE);
"%s.leak_detective.detailed", TRUE, lib->ns);
/* make sure the cache is clear before unloading plugins */
lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
@ -318,7 +318,7 @@ bool library_init(char *settings, const char *namespace)
}
if (lib->settings->get_bool(lib->settings,
"libstrongswan.integrity_test", FALSE))
"%s.integrity_test", FALSE, lib->ns))
{
#ifdef INTEGRITY_TEST
this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
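Review bot: Once the `"%s.integrity_test"` key is formatted with lib->ns, an existing `libstrongswan.integrity_test = yes` only keeps working if the libstrongswan-section fallback that the man page hunk describes already applies at this point of library_init; because the default is FALSE, a dropped setting silently disables the startup integrity check instead of failing closed. Worth confirming the fallback is in place before this lookup, and recording it: `/* keyed on lib->ns; legacy libstrongswan.* keys depend on the section fallback */`. The same dependency holds for the `"%s.leak_detective.detailed"` lookup in library_deinit above, where lib->ns must also be valid if deinit can run after a partial init. Both library_init and library_deinit extend beyond the hunk.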


@ -355,11 +355,11 @@ host_resolver_t *host_resolver_create()
);
this->min_threads = max(0, lib->settings->get_int(lib->settings,
"libstrongswan.host_resolver.min_threads",
MIN_THREADS_DEFAULT));
"%s.host_resolver.min_threads",
MIN_THREADS_DEFAULT, lib->ns));
this->max_threads = max(this->min_threads ?: 1,
lib->settings->get_int(lib->settings,
"libstrongswan.host_resolver.max_threads",
MAX_THREADS_DEFAULT));
"%s.host_resolver.max_threads",
MAX_THREADS_DEFAULT, lib->ns));
return &this->public;
}


@ -194,8 +194,8 @@ plugin_t *gcrypt_plugin_create()
/* we currently do not use secure memory */
gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.gcrypt.quick_random", FALSE))
if (lib->settings->get_bool(lib->settings, "%s.plugins.gcrypt.quick_random",
FALSE, lib->ns))
{
gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
}
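Review bot: Enabling GCRYCTL_ENABLE_QUICK_RANDOM is done silently in the rewritten `if` block, although the man page hunk itself warns that this option "produces weak keys" and is for testing only. Since the key has just moved to a namespaced form, a stray or copied `plugins.gcrypt.quick_random = yes` under the daemon's section is exactly the kind of misconfiguration an operator needs to see in the log. Add a log line inside the block, e.g. `DBG1(DBG_LIB, "gcrypt quick_random enabled, generated keys are weak");` before the gcry_control call. gcrypt_plugin_create continues outside the hunk.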


@ -230,8 +230,8 @@ ntru_drbg_t *ntru_drbg_create(u_int32_t strength, chunk_t pers_str,
}
max_requests = lib->settings->get_int(lib->settings,
"libstrongswan.plugins.ntru.max_drbg_requests",
MAX_DRBG_REQUESTS);
"%s.plugins.ntru.max_drbg_requests",
MAX_DRBG_REQUESTS, lib->ns);
INIT(this,
.public = {


@ -316,7 +316,7 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
u_int32_t strength;
parameter_set = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.ntru.parameter_set", "optimum");
"%s.plugins.ntru.parameter_set", "optimum", lib->ns);
if (streq(parameter_set, "x9_98_speed"))
{


@ -471,7 +471,7 @@ static bool parse_extensions(private_openssl_crl_t *this)
default:
ok = X509_EXTENSION_get_critical(ext) == 0 ||
!lib->settings->get_bool(lib->settings,
"libstrongswan.x509.enforce_critical", TRUE);
"%s.x509.enforce_critical", TRUE, lib->ns);
if (!ok)
{
DBG1(DBG_LIB, "found unsupported critical X.509 "
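Review bot: The literal `"%s.x509.enforce_critical"` is now spelled out independently in four places (here, and in the openssl_x509, x509_cert and x509_crl hunks below), and a typo in any one of them would silently revert that parser to the default. The default is TRUE so such a slip fails closed, but the four sites should still be kept in sync, e.g. through a shared `#define` in a common header with a comment `/* one key string for all X.509 parsers; keep in sync with the man page */`. parse_extensions continues outside the hunk.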


@ -201,7 +201,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this,
* http://www.rfc-editor.org/errata_search.php?eid=9
*/
x_coordinate_only = lib->settings->get_bool(lib->settings,
"libstrongswan.ecp_x_coordinate_only", TRUE);
"%s.ecp_x_coordinate_only", TRUE, lib->ns);
if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
{
goto error;


@ -522,7 +522,7 @@ plugin_t *openssl_plugin_create()
int fips_mode;
fips_mode = lib->settings->get_int(lib->settings,
"libstrongswan.plugins.openssl.fips_mode", FIPS_MODE);
"%s.plugins.openssl.fips_mode", FIPS_MODE, lib->ns);
#ifdef OPENSSL_FIPS
if (fips_mode)
{


@ -558,7 +558,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
if (!engine_id)
{
engine_id = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.openssl.engine_id", "pkcs11");
"%s.plugins.openssl.engine_id", "pkcs11", lib->ns);
}
engine = ENGINE_by_id(engine_id);
if (!engine)


@ -1012,7 +1012,7 @@ static bool parse_extensions(private_openssl_x509_t *this)
default:
ok = X509_EXTENSION_get_critical(ext) == 0 ||
!lib->settings->get_bool(lib->settings,
"libstrongswan.x509.enforce_critical", TRUE);
"%s.x509.enforce_critical", TRUE, lib->ns);
if (!ok)
{
char buf[80] = "";


@ -135,7 +135,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
};
if (!lib->settings->get_bool(lib->settings,
"libstrongswan.ecp_x_coordinate_only", TRUE))
"%s.ecp_x_coordinate_only", TRUE, lib->ns))
{ /* we only get the x coordinate back */
return;
}


@ -338,7 +338,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
);
enumerator = lib->settings->create_section_enumerator(lib->settings,
"libstrongswan.plugins.pkcs11.modules");
"%s.plugins.pkcs11.modules", lib->ns);
while (enumerator->enumerate(enumerator, &module))
{
INIT(entry,
@ -346,7 +346,7 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
);
entry->path = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.pkcs11.modules.%s.path", NULL, module);
"%s.plugins.pkcs11.modules.%s.path", NULL, lib->ns, module);
if (!entry->path)
{
DBG1(DBG_CFG, "PKCS11 module '%s' lacks library path", module);
@ -355,8 +355,8 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb,
}
entry->lib = pkcs11_library_create(module, entry->path,
lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.modules.%s.os_locking",
FALSE, module));
"%s.plugins.pkcs11.modules.%s.os_locking",
FALSE, lib->ns, module));
if (!entry->lib)
{
free(entry);


@ -83,8 +83,8 @@ static void token_event_cb(private_pkcs11_plugin_t *this, pkcs11_library_t *p11,
if (add && this->handle_events)
{
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.modules.%s.load_certs",
TRUE, p11->get_name(p11)))
"%s.plugins.pkcs11.modules.%s.load_certs",
TRUE, lib->ns, p11->get_name(p11)))
{
creds = pkcs11_creds_create(p11, slot);
if (creds)
@ -174,8 +174,8 @@ static bool handle_certs(private_pkcs11_plugin_t *this,
METHOD(plugin_t, reload, bool,
private_pkcs11_plugin_t *this)
{
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.reload_certs", FALSE))
if (lib->settings->get_bool(lib->settings, "%s.plugins.pkcs11.reload_certs",
FALSE, lib->ns))
{
DBG1(DBG_CFG, "reloading certificates from PKCS#11 tokens");
handle_certs(this, NULL, FALSE, NULL);
@ -247,28 +247,28 @@ METHOD(plugin_t, get_features, int,
if (!count)
{ /* initialize only once */
bool use_ecc = lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_ecc", FALSE);
"%s.plugins.pkcs11.use_ecc", FALSE, lib->ns);
plugin_features_add(f, f_manager, countof(f_manager), &count);
/* private key handling for EC keys is not disabled by use_ecc */
plugin_features_add(f, f_privkey, countof(f_privkey), &count);
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_pubkey", FALSE))
"%s.plugins.pkcs11.use_pubkey", FALSE, lib->ns))
{
plugin_features_add(f, f_pubkey, countof(f_pubkey) - (use_ecc ? 0 : 1),
&count);
}
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_hasher", FALSE))
"%s.plugins.pkcs11.use_hasher", FALSE, lib->ns))
{
plugin_features_add(f, f_hash, countof(f_hash), &count);
}
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_rng", FALSE))
"%s.plugins.pkcs11.use_rng", FALSE, lib->ns))
{
plugin_features_add(f, f_rng, countof(f_rng), &count);
}
if (lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.pkcs11.use_dh", FALSE))
"%s.plugins.pkcs11.use_dh", FALSE, lib->ns))
{
plugin_features_add(f, f_dh, countof(f_dh), &count);
if (use_ecc)
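Review bot: The load_certs lookup in token_event_cb reads the per-module key `"%s.plugins.pkcs11.modules.%s.load_certs"`, but the man page hunk in this commit documents it as the global `charon.plugins.pkcs11.load_certs " [yes]"`; an operator who sets the documented key gets no effect and certificates keep loading from every token. The mismatch predates this commit, yet moving the entries is the moment to fix it: either document the key under `charon.plugins.pkcs11.modules.<name>.load_certs` or read the global key here. The `os_locking` per-module key read in pkcs11_manager above is not visible in the man page excerpt on this page either; worth checking it is documented. token_event_cb begins outside the hunk.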


@ -143,11 +143,11 @@ plugin_t *random_plugin_create()
);
strong_equals_true = lib->settings->get_bool(lib->settings,
"libstrongswan.plugins.random.strong_equals_true", FALSE);
"%s.plugins.random.strong_equals_true", FALSE, lib->ns);
urandom_file = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.random.urandom", DEV_URANDOM);
"%s.plugins.random.urandom", DEV_URANDOM, lib->ns);
random_file = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.random.random", DEV_RANDOM);
"%s.plugins.random.random", DEV_RANDOM, lib->ns);
if (!open_dev(urandom_file, &dev_urandom) ||
!open_dev(random_file, &dev_random))
{


@ -97,14 +97,14 @@ resolver_t *unbound_resolver_create(void)
char *resolv_conf, *trust_anchors, *dlv_anchors;
resolv_conf = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.unbound.resolv_conf",
RESOLV_CONF_FILE);
"%s.plugins.unbound.resolv_conf",
RESOLV_CONF_FILE, lib->ns);
trust_anchors = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.unbound.trust_anchors",
TRUST_ANCHOR_FILE);
"%s.plugins.unbound.trust_anchors",
TRUST_ANCHOR_FILE, lib->ns);
dlv_anchors = lib->settings->get_str(lib->settings,
"libstrongswan.plugins.unbound.dlv_anchors",
NULL);
"%s.plugins.unbound.dlv_anchors",
NULL, lib->ns);
INIT(this,
.public = {


@ -1446,7 +1446,7 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
"libstrongswan.x509.enforce_critical", TRUE))
"%s.x509.enforce_critical", TRUE, lib->ns))
{
DBG1(DBG_ASN, "critical '%s' extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :


@ -325,7 +325,7 @@ static bool parse(private_x509_crl_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
"libstrongswan.x509.enforce_critical", TRUE))
"%s.x509.enforce_critical", TRUE, lib->ns))
{
DBG1(DBG_ASN, "critical '%s' extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :


@ -545,7 +545,7 @@ processor_t *processor_create()
{
this->jobs[i] = linked_list_create();
this->prio_threads[i] = lib->settings->get_int(lib->settings,
"libstrongswan.processor.priority_threads.%N", 0,
"%s.processor.priority_threads.%N", 0, lib->ns,
job_priority_names, i);
}


@ -754,11 +754,11 @@ METHOD(leak_detective_t, usage, void,
size_t sum = 0;
thresh = lib->settings->get_int(lib->settings,
"libstrongswan.leak_detective.usage_threshold", 10240);
"%s.leak_detective.usage_threshold", 10240, lib->ns);
thresh_count = lib->settings->get_int(lib->settings,
"libstrongswan.leak_detective.usage_threshold_count", 0);
"%s.leak_detective.usage_threshold_count", 0, lib->ns);
detailed = lib->settings->get_bool(lib->settings,
"libstrongswan.leak_detective.detailed", TRUE);
"%s.leak_detective.detailed", TRUE, lib->ns);
leaks = print_traces(this, cb, user, thresh, thresh_count,
detailed, &whitelisted, &sum);