This helps debug authentication issues with x509 certificates.
ok markus@
-/* $OpenBSD: ca.c,v 1.78 2021/02/24 22:17:48 tobhe Exp $ */
+/* $OpenBSD: ca.c,v 1.79 2021/11/21 22:44:08 tobhe Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
int ca_x509_subjectaltname_get(X509 *cert, struct iked_id *);
int ca_dispatch_parent(int, struct privsep_proc *, struct imsg *);
int ca_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
+int ca_dispatch_control(int, struct privsep_proc *, struct imsg *);
+void ca_store_info(struct iked *, const char *, X509_STORE *);
static struct privsep_proc procs[] = {
{ "parent", PROC_PARENT, ca_dispatch_parent },
- { "ikev2", PROC_IKEV2, ca_dispatch_ikev2 }
+ { "ikev2", PROC_IKEV2, ca_dispatch_ikev2 },
+ { "control", PROC_CONTROL, ca_dispatch_control }
};
struct ca_store {
return (0);
}
+int
+ca_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+ struct iked *env = p->p_env;
+ struct ca_store *store = env->sc_priv;
+
+ switch (imsg->hdr.type) {
+ case IMSG_CTL_SHOW_CERTSTORE:
+ ca_store_info(env, "CA", store->ca_cas);
+ ca_store_info(env, "CERT", store->ca_certs);
+ /* Send empty reply to indicate end of information. */
+ proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
+ NULL, 0);
+ break;
+ default:
+ return (-1);
+ }
+
+ return (0);
+}
+
int
ca_setcert(struct iked *env, struct iked_sahdr *sh, struct iked_id *id,
uint8_t type, uint8_t *data, size_t len, enum privsep_procid procid)
return (0);
}
+void
+ca_store_info(struct iked *env, const char *msg, X509_STORE *ctx)
+{
+ STACK_OF(X509_OBJECT) *h;
+ X509_OBJECT *xo;
+ X509 *cert;
+ int i;
+ X509_NAME *subject;
+ char *name;
+ char *buf;
+ size_t buflen;
+
+ h = X509_STORE_get0_objects(ctx);
+ for (i = 0; i < sk_X509_OBJECT_num(h); i++) {
+ xo = sk_X509_OBJECT_value(h, i);
+ if (X509_OBJECT_get_type(xo) != X509_LU_X509)
+ continue;
+ cert = X509_OBJECT_get0_X509(xo);
+ if ((subject = X509_get_subject_name(cert)) == NULL ||
+ (name = X509_NAME_oneline(subject, NULL, 0)) == NULL)
+ continue;
+ buflen = asprintf(&buf, "%s: %s\n", msg, name);
+ free(name);
+ if (buf == NULL)
+ continue;
+ proc_compose(&env->sc_ps, PROC_CONTROL, IMSG_CTL_SHOW_CERTSTORE,
+ buf, buflen + 1);
+ free(buf);
+ }
+}
+
struct ibuf *
ca_x509_serialize(X509 *x509)
{
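Review bot: In ca_store_info() the int result of asprintf() is stored in the size_t buflen, and failure is detected only through buf == NULL; that relies on OpenBSD's asprintf() setting the pointer to NULL on error, which other libcs do not promise, and a -1 that reached the proc_compose() call would wrap buflen + 1 to 0. Testing the return value directly is portable and clearer: `int ret = asprintf(&buf, "%s: %s\n", msg, name);` then `free(name); if (ret == -1) continue;` and pass `ret + 1` as the length. A short comment on the proc_compose() call, `/* +1 sends the NUL so the receiver can print the payload as a string */`, would record why the length is one more than the formatted text.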
-/* $OpenBSD: control.c,v 1.31 2021/04/20 21:11:56 dv Exp $ */
+/* $OpenBSD: control.c,v 1.32 2021/11/21 22:44:08 tobhe Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
void control_imsg_forward(struct imsg *);
void control_run(struct privsep *, struct privsep_proc *, void *);
int control_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
+int control_dispatch_ca(int, struct privsep_proc *, struct imsg *);
static struct privsep_proc procs[] = {
{ "parent", PROC_PARENT, NULL },
{ "ikev2", PROC_IKEV2, control_dispatch_ikev2 },
+ { "ca", PROC_CERT, control_dispatch_ca },
};
pid_t
proc_forward_imsg(&env->sc_ps, &imsg, PROC_IKEV2, -1);
c->flags |= CTL_CONN_NOTIFY;
break;
+ case IMSG_CTL_SHOW_CERTSTORE:
+ proc_forward_imsg(&env->sc_ps, &imsg, PROC_CERT, -1);
+ c->flags |= CTL_CONN_NOTIFY;
+ break;
default:
log_debug("%s: error handling imsg %d",
__func__, imsg.hdr.type);
return (-1);
}
+
+int
+control_dispatch_ca(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+ switch (imsg->hdr.type) {
+ case IMSG_CTL_SHOW_CERTSTORE:
+ control_imsg_forward(imsg);
+ return (0);
+ default:
+ break;
+ }
+
+ return (-1);
+}
-/* $OpenBSD: types.h,v 1.46 2021/10/26 17:31:22 tobhe Exp $ */
+/* $OpenBSD: types.h,v 1.47 2021/11/21 22:44:08 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
IMSG_OCSP_CFG,
IMSG_AUTH,
IMSG_PRIVKEY,
- IMSG_PUBKEY
+ IMSG_PUBKEY,
+ IMSG_CTL_SHOW_CERTSTORE
};
enum privsep_procid {
-/* $OpenBSD: ikectl.c,v 1.26 2020/06/10 17:44:44 kn Exp $ */
+/* $OpenBSD: ikectl.c,v 1.27 2021/11/21 22:44:08 tobhe Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
{ IMSG_CTL_RELOAD, "reload", NULL },
{ IMSG_CTL_RESET, "reset", NULL },
{ IMSG_CTL_SHOW_SA, "show sa", NULL },
+ { IMSG_CTL_SHOW_CERTSTORE, "show certstore", NULL },
{ 0, NULL, NULL }
};
imsg_compose(ibuf, IMSG_CTL_SHOW_SA, 0, 0, -1, NULL, 0);
done = 0;
break;
+ case SHOW_CERTSTORE:
+ imsg_compose(ibuf, IMSG_CTL_SHOW_CERTSTORE, 0, 0, -1, NULL, 0);
+ done = 0;
+ break;
case RELOAD:
imsg_compose(ibuf, IMSG_CTL_RELOAD, 0, 0, -1, NULL, 0);
break;
done = monitor(&imsg);
break;
case SHOW_SA:
+ case SHOW_CERTSTORE:
done = show_string(&imsg);
break;
default:
{
int done = 0;
- if (imsg->hdr.type != IMSG_CTL_SHOW_SA)
+ switch (imsg->hdr.type) {
+ case IMSG_CTL_SHOW_SA:
+ case IMSG_CTL_SHOW_CERTSTORE:
+ break;
+ default:
return (done);
-
+ }
if (IMSG_DATA_SIZE(imsg) > 0)
printf("%s", (char *)imsg->data);
else
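Review bot: The new IMSG_CTL_SHOW_CERTSTORE case in show_string() falls through to the existing `printf("%s", (char *)imsg->data)`, which assumes the daemon included a NUL terminator in the payload; ca_store_info() does send buflen + 1, but nothing on the receiving side checks it, and this path now has two producers. Bounding the print by the payload length removes that dependency: `printf("%.*s", (int)IMSG_DATA_SIZE(imsg), (char *)imsg->data);`. show_string()'s signature is above the hunk and the function continues below it.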
-/* $OpenBSD: parser.c,v 1.19 2020/03/22 15:59:05 tobhe Exp $ */
+/* $OpenBSD: parser.c,v 1.20 2021/11/21 22:44:08 tobhe Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
static const struct token t_show[] = {
{ KEYWORD, "ca", SHOW_CA, t_show_ca },
{ KEYWORD, "sa", SHOW_SA, NULL },
+ { KEYWORD, "certstore", SHOW_CERTSTORE,NULL },
{ ENDTOKEN, "", NONE, NULL }
};
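Review bot: The new t_show entry `{ KEYWORD, "certstore", SHOW_CERTSTORE,NULL },` is missing the space after the comma that the neighbouring entries have; `{ KEYWORD, "certstore", SHOW_CERTSTORE, NULL },` keeps the table consistent with the rest of the file. The keyword itself is wired the same way as the existing "sa" entry.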
-/* $OpenBSD: parser.h,v 1.16 2020/03/22 15:59:05 tobhe Exp $ */
+/* $OpenBSD: parser.h,v 1.17 2021/11/21 22:44:08 tobhe Exp $ */
/*
* Copyright (c) 2007-2013 Reyk Floeter <reyk@openbsd.org>
SHOW_CA,
SHOW_CA_CERTIFICATES,
SHOW_SA,
- RESET_ID
+ RESET_ID,
+ SHOW_CERTSTORE
};
struct parse_result {