From 3ea6eb4176044f95a6ff1c1ea653126049973417 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 5 Jun 2021 09:18:36 +0200 Subject: strongSwan: refresh patch set imported from Alpine Debian package builder requires each patch ebeing prefixes with -+ or a whitespace if line was not altered. Some patches contained a TAB. --- packages/strongswan/Jenkinsfile | 2 +- ...optional-source-and-remote-overrides-for-.patch | 403 +++++++++++---------- ...-vici-send-certificates-for-ike-sa-events.patch | 123 +++---- ...d-support-for-individual-sa-state-changes.patch | 59 +-- 4 files changed, 295 insertions(+), 292 deletions(-) (limited to 'packages/strongswan') diff --git a/packages/strongswan/Jenkinsfile b/packages/strongswan/Jenkinsfile index 7c5f3075..d8b254f2 100644 --- a/packages/strongswan/Jenkinsfile +++ b/packages/strongswan/Jenkinsfile @@ -21,7 +21,7 @@ def pkgList = [ ['name': 'strongswan', - 'scmCommit': 'debian/5.9.1-1 ', + 'scmCommit': 'debian/5.9.1-1', 'scmUrl': 'https://salsa.debian.org/debian/strongswan.git', 'buildCmd': 'cd ..; ./build.sh'], ] diff --git a/packages/strongswan/patches/1001-charon-add-optional-source-and-remote-overrides-for-.patch b/packages/strongswan/patches/1001-charon-add-optional-source-and-remote-overrides-for-.patch index 081c987c..6819ca08 100644 --- a/packages/strongswan/patches/1001-charon-add-optional-source-and-remote-overrides-for-.patch +++ b/packages/strongswan/patches/1001-charon-add-optional-source-and-remote-overrides-for-.patch @@ -23,33 +23,33 @@ 
Signed-off-by: Timo Teräs src/libcharon/plugins/vici/vici_config.c | 2 +- src/libcharon/plugins/vici/vici_control.c | 64 ++++++++++++++++--- .../processing/jobs/start_action_job.c | 2 +- - src/libcharon/sa/ike_sa_manager.c | 51 ++++++++++++++- + src/libcharon/sa/ike_sa_manager.c | 50 ++++++++++++++- src/libcharon/sa/ike_sa_manager.h | 8 ++- src/libcharon/sa/trap_manager.c | 45 ++++++------- src/swanctl/commands/initiate.c | 40 +++++++++++- - 11 files changed, 218 insertions(+), 47 deletions(-) + 11 files changed, 217 insertions(+), 47 deletions(-) diff --git a/src/charon-cmd/cmd/cmd_connection.c b/src/charon-cmd/cmd/cmd_connection.c -index b91c89830..55f8d224f 100644 +index 0481d78d4..805d6f198 100644 --- a/src/charon-cmd/cmd/cmd_connection.c +++ b/src/charon-cmd/cmd/cmd_connection.c -@@ -439,7 +439,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this) - child_cfg = create_child_cfg(this, peer_cfg); - - if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, +@@ -438,7 +438,7 @@ static job_requeue_t initiate(private_cmd_connection_t *this) + child_cfg = create_child_cfg(this, peer_cfg); + + if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg, - controller_cb_empty, NULL, 0, FALSE) != SUCCESS) + NULL, NULL, controller_cb_empty, NULL, 0, FALSE) != SUCCESS) - { - terminate(pid); - } + { + terminate(pid); + } diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c -index 0c86275e2..baa83f440 100644 +index 3baa9342a..5abc4c1df 100644 --- a/src/libcharon/control/controller.c +++ b/src/libcharon/control/controller.c @@ -15,6 +15,28 @@ * for more details. */ - + +/* + * Copyright (C) 2014 Timo Teräs + * @@ -73,12 +73,12 @@ index 0c86275e2..baa83f440 100644 + */ + #include "controller.h" - + #include @@ -102,6 +124,16 @@ struct interface_listener_t { - */ - ike_sa_t *ike_sa; - + */ + ike_sa_t *ike_sa; + + /** + * Our host hint. + */ 
@@ -89,107 +89,107 @@ index 0c86275e2..baa83f440 100644 + */ + host_t *other_host; + - /** - * unique ID, used for various methods - */ + /** + * unique ID, used for various methods + */ @@ -414,9 +446,14 @@ METHOD(job_t, initiate_execute, job_requeue_t, - ike_sa_t *ike_sa; - interface_listener_t *listener = &job->listener; - peer_cfg_t *peer_cfg = listener->peer_cfg; + ike_sa_t *ike_sa; + interface_listener_t *listener = &job->listener; + peer_cfg_t *peer_cfg = listener->peer_cfg; + host_t *my_host = listener->my_host; + host_t *other_host = listener->other_host; - - ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, - peer_cfg); + peer_cfg, my_host, other_host); + DESTROY_IF(my_host); + DESTROY_IF(other_host); + - if (!ike_sa) - { - DESTROY_IF(listener->child_cfg); + if (!ike_sa) + { + DESTROY_IF(listener->child_cfg); @@ -425,6 +462,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, - listener_done(listener); - return JOB_REQUEUE_NONE; - } + listener_done(listener); + return JOB_REQUEUE_NONE; + } + - listener->lock->lock(listener->lock); - listener->ike_sa = ike_sa; - listener->lock->unlock(listener->lock); + listener->lock->lock(listener->lock); + listener->ike_sa = ike_sa; + listener->lock->unlock(listener->lock); @@ -497,6 +535,7 @@ METHOD(job_t, initiate_execute, job_requeue_t, - + METHOD(controller_t, initiate, status_t, - private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + private_controller_t *this, peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + host_t *my_host, host_t *other_host, - controller_cb_t callback, void *param, u_int timeout, bool limits) + controller_cb_t callback, void *param, u_int timeout, bool limits) { - interface_job_t *job; + interface_job_t *job; 
@@ -519,6 +558,8 @@ METHOD(controller_t, initiate, status_t, - .status = FAILED, - .child_cfg = child_cfg, - .peer_cfg = peer_cfg, + .status = FAILED, + .child_cfg = child_cfg, + .peer_cfg = peer_cfg, + .my_host = my_host ? my_host->clone(my_host) : NULL, + .other_host = other_host ? other_host->clone(other_host) : NULL, - .lock = spinlock_create(), - .options.limits = limits, - }, + .lock = spinlock_create(), + .options.limits = limits, + }, diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h index b4ccfced2..7a088b122 100644 --- a/src/libcharon/control/controller.h +++ b/src/libcharon/control/controller.h @@ -79,6 +79,8 @@ struct controller_t { - * - * @param peer_cfg peer_cfg to use for IKE_SA setup - * @param child_cfg optional child_cfg to set up CHILD_SA from + * + * @param peer_cfg peer_cfg to use for IKE_SA setup + * @param child_cfg optional child_cfg to set up CHILD_SA from + * @param my_host optional address hint for source + * @param other_host optional address hint for destination - * @param cb logging callback - * @param param parameter to include in each call of cb - * @param timeout timeout in ms to wait for callbacks, 0 to disable + * @param cb logging callback + * @param param parameter to include in each call of cb + * @param timeout timeout in ms to wait for callbacks, 0 to disable @@ -92,6 +94,7 @@ struct controller_t { - */ - status_t (*initiate)(controller_t *this, - peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + */ + status_t (*initiate)(controller_t *this, + peer_cfg_t *peer_cfg, child_cfg_t *child_cfg, + host_t *my_host, host_t *other_host, - controller_cb_t callback, void *param, u_int timeout, - bool limits); - + controller_cb_t callback, void *param, u_int timeout, + bool limits); + diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index 8d84b934e..b00d0e62d 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c 
+++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -108,7 +108,7 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg - if (msg->output_verbosity < 0) - { - charon->controller->initiate(charon->controller, peer_cfg, child_cfg, + if (msg->output_verbosity < 0) + { + charon->controller->initiate(charon->controller, peer_cfg, child_cfg, - NULL, NULL, 0, FALSE); + NULL, NULL, NULL, NULL, 0, FALSE); - } - else - { + } + else + { @@ -116,7 +116,8 @@ static void charon_initiate(private_stroke_control_t *this, peer_cfg_t *peer_cfg - status_t status; - - status = charon->controller->initiate(charon->controller, + status_t status; + + status = charon->controller->initiate(charon->controller, - peer_cfg, child_cfg, (controller_cb_t)stroke_log, + peer_cfg, child_cfg, NULL, NULL, + (controller_cb_t)stroke_log, - &info, this->timeout, FALSE); - switch (status) - { + &info, this->timeout, FALSE); + switch (status) + { diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c -index 1ff0754f4..6a133decd 100644 +index 2a4d58eab..0e9d24d11 100644 --- a/src/libcharon/plugins/vici/vici_config.c 
+++ b/src/libcharon/plugins/vici/vici_config.c -@@ -2122,7 +2122,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, - DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); - charon->controller->initiate(charon->controller, - peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), +@@ -2149,7 +2149,7 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg, + DBG1(DBG_CFG, "initiating '%s'", child_cfg->get_name(child_cfg)); + charon->controller->initiate(charon->controller, + peer_cfg->get_ref(peer_cfg), child_cfg->get_ref(child_cfg), - NULL, NULL, 0, FALSE); + NULL, NULL, NULL, NULL, 0, FALSE); - break; - case ACTION_ROUTE: - DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg)); + break; + case ACTION_ROUTE: + DBG1(DBG_CFG, "installing '%s'", child_cfg->get_name(child_cfg)); diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c index 4c09b578d..abd7b5d4b 100644 --- a/src/libcharon/plugins/vici/vici_control.c @@ -197,7 +197,7 @@ index 4c09b578d..abd7b5d4b 100644 @@ -16,6 +16,28 @@ * for more details. */ - + +/* + * Copyright (C) 2014 Timo Teräs + * @@ -222,33 +222,33 @@ index 4c09b578d..abd7b5d4b 100644 + #include "vici_control.h" #include "vici_builder.h" - + 
@@ -174,9 +196,11 @@ static child_cfg_t* find_child_cfg(char *name, char *pname, peer_cfg_t **out) CALLBACK(initiate, vici_message_t*, - private_vici_control_t *this, char *name, u_int id, vici_message_t *request) + private_vici_control_t *this, char *name, u_int id, vici_message_t *request) { + vici_message_t* msg; - peer_cfg_t *peer_cfg = NULL; - child_cfg_t *child_cfg; + peer_cfg_t *peer_cfg = NULL; + child_cfg_t *child_cfg; - char *child, *ike, *type, *sa; + host_t *my_host = NULL, *other_host = NULL; + char *child, *ike, *type, *sa, *my_host_str, *other_host_str; - int timeout; - bool limits; - controller_cb_t log_cb = NULL; + int timeout; + bool limits; + controller_cb_t log_cb = NULL; @@ -190,6 +214,8 @@ CALLBACK(initiate, vici_message_t*, - timeout = request->get_int(request, 0, "timeout"); - limits = request->get_bool(request, FALSE, "init-limits"); - log.level = request->get_int(request, 1, "loglevel"); + timeout = request->get_int(request, 0, "timeout"); + limits = request->get_bool(request, FALSE, "init-limits"); + log.level = request->get_int(request, 1, "loglevel"); + my_host_str = request->get_str(request, NULL, "my-host"); + other_host_str = request->get_str(request, NULL, "other-host"); - - if (!child && !ike) - { + + if (!child && !ike) + { @@ -200,31 +226,51 @@ CALLBACK(initiate, vici_message_t*, - log_cb = (controller_cb_t)log_vici; - } - + log_cb = (controller_cb_t)log_vici; + } + + if (my_host_str) + { + my_host = host_create_from_string(my_host_str, 0); 
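Review bot: In the refreshed `vici_control.c` hunk, the `my-host` string read from the vici request is passed straight to `host_create_from_string(my_host_str, 0)` and no check of the result is visible in this hunk; if that check is also absent from the lines this hunk omits, an unparseable address yields a NULL `my_host` and the initiate silently proceeds without the requested override (the guard in `checkout_by_config` only skips `update_hosts`), so the client gets a success reply for a request it did not actually make. A reply naming the bad input would be safer, e.g. `if (my_host_str && !my_host) { msg = send_reply(this, "invalid my-host '%s'", my_host_str); goto ret; }` mirrored for `other-host`, using the `msg`/`ret:` cleanup path the same patch introduces. The `initiate` callback continues past the end of this hunk, so the check may exist beyond what is shown. Since this commit only re-indents and rebases the patch, this is a note for the carried patch rather than the refresh itself.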
@@ -259,73 +259,73 @@ index 4c09b578d..abd7b5d4b 100644 + } + + - type = child ? "CHILD_SA" : "IKE_SA"; - sa = child ?: ike; - - child_cfg = find_child_cfg(child, ike, &peer_cfg); - + type = child ? "CHILD_SA" : "IKE_SA"; + sa = child ?: ike; + + child_cfg = find_child_cfg(child, ike, &peer_cfg); + - DBG1(DBG_CFG, "vici initiate %s '%s'", type, sa); + DBG1(DBG_CFG, "vici initiate %s '%s', me %H, other %H, limits %d", type, sa, my_host, other_host, limits); - if (!peer_cfg) - { + if (!peer_cfg) + { - return send_reply(this, "%s config '%s' not found", type, sa); + msg = send_reply(this, "%s config '%s' not found", type, sa); + goto ret; - } + } - switch (charon->controller->initiate(charon->controller, peer_cfg, - child_cfg, log_cb, &log, timeout, limits)) + switch (charon->controller->initiate(charon->controller, + peer_cfg, child_cfg, my_host, other_host, + log_cb, &log, timeout, limits)) - { - case SUCCESS: + { + case SUCCESS: - return send_reply(this, NULL); + msg = send_reply(this, NULL); + break; - case OUT_OF_RES: + case OUT_OF_RES: - return send_reply(this, "%s '%s' not established after %dms", type, + msg = send_reply(this, "%s '%s' not established after %dms", type, - sa, timeout); + sa, timeout); + break; - case INVALID_STATE: + case INVALID_STATE: - return send_reply(this, "establishing %s '%s' not possible at the " + msg = send_reply(this, "establishing %s '%s' not possible at the " - "moment due to limits", type, sa); + "moment due to limits", type, sa); + break; - case FAILED: - default: + case FAILED: + default: - return send_reply(this, "establishing %s '%s' failed", type, sa); + msg = send_reply(this, "establishing %s '%s' failed", type, sa); + break; - } + } +ret: + if (my_host) my_host->destroy(my_host); + if (other_host) other_host->destroy(other_host); + return msg; } - + CALLBACK(terminate, vici_message_t*, 
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c index 3a0ed879f..e3399007b 100644 --- a/src/libcharon/processing/jobs/start_action_job.c +++ b/src/libcharon/processing/jobs/start_action_job.c @@ -61,7 +61,7 @@ METHOD(job_t, execute, job_requeue_t, - charon->controller->initiate(charon->controller, - peer_cfg->get_ref(peer_cfg), - child_cfg->get_ref(child_cfg), + charon->controller->initiate(charon->controller, + peer_cfg->get_ref(peer_cfg), + child_cfg->get_ref(child_cfg), - NULL, NULL, 0, FALSE); + NULL, NULL, NULL, NULL, 0, FALSE); - break; - case ACTION_ROUTE: - DBG1(DBG_JOB, "start action: route '%s'", name); + break; + case ACTION_ROUTE: + DBG1(DBG_JOB, "start action: route '%s'", name); diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c -index 440894e9b..493599413 100644 +index f95ff19af..5ead905a8 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -17,6 +17,28 @@ * for more details. */ - + +/* + * Copyright (C) 2014 Timo Teräs + * @@ -350,21 +350,21 @@ index 440894e9b..493599413 100644 + #include #include - + @@ -1423,7 +1445,8 @@ out: } - + METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg) + private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg, + host_t *my_host, host_t *other_host) { - enumerator_t *enumerator; - entry_t *entry; + enumerator_t *enumerator; + entry_t *entry; @@ -1432,7 +1455,17 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - ike_cfg_t *current_ike; - u_int segment; - + ike_cfg_t *current_ike; + u_int segment; + - DBG2(DBG_MGR, "checkout IKE_SA by config"); + if (my_host && my_host->get_port(my_host) == 0) + { 
@@ -377,13 +377,13 @@ index 440894e9b..493599413 100644 + + DBG2(DBG_MGR, "checkout IKE_SA by config '%s', me %H, other %H", + peer_cfg->get_name(peer_cfg), my_host, other_host); - - if (this->reuse_ikesa || peer_cfg->get_ike_version(peer_cfg) == IKEV1) - { -@@ -1449,6 +1482,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - continue; - } - + + if (!this->reuse_ikesa && peer_cfg->get_ike_version(peer_cfg) != IKEV1) + { /* IKE_SA reuse disabled by config (not possible for IKEv1) */ +@@ -1455,6 +1488,15 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + continue; + } + + if (my_host && !my_host->ip_equals(my_host, entry->ike_sa->get_my_host(entry->ike_sa))) + { + continue; @@ -393,66 +393,66 @@ index 440894e9b..493599413 100644 + continue; + } + - current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); - if (current_peer && current_peer->equals(current_peer, peer_cfg)) - { -@@ -1480,6 +1523,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, - return NULL; - } - ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE); + current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); + if (current_peer && current_peer->equals(current_peer, peer_cfg)) + { +@@ -1477,6 +1519,10 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + if (!ike_sa) + { /* no IKE_SA using such a config, hand out a new */ + ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE); + if (my_host || other_host) + { + ike_sa->update_hosts(ike_sa, my_host, other_host, TRUE); + } - } - charon->bus->set_sa(charon->bus, ike_sa); - + } + charon->bus->set_sa(charon->bus, ike_sa); + diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index efad2e4d6..c43edabbb 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h 
@@ -93,7 +93,8 @@ struct ike_sa_manager_t { - ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message); - - /** + ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message); + + /** - * Checkout an IKE_SA for initiation by a peer_config. + * Checkout an IKE_SA for initiation by a peer_config and optional + * source and remote host addresses. - * - * To initiate, a CHILD_SA may be established within an existing IKE_SA. - * This call checks for an existing IKE_SA by comparing the configuration. + * + * To initiate, a CHILD_SA may be established within an existing IKE_SA. + * This call checks for an existing IKE_SA by comparing the configuration. @@ -103,10 +104,13 @@ struct ike_sa_manager_t { - * the found IKE_SA is in the DELETING state. - * - * @param peer_cfg configuration used to find an existing IKE_SA + * the found IKE_SA is in the DELETING state. + * + * @param peer_cfg configuration used to find an existing IKE_SA + * @param my_host source host address for wildcard peer_cfg + * @param other_host remote host address for wildcard peer_cfg - * @return checked out/created IKE_SA - */ - ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this, + * @return checked out/created IKE_SA + */ + ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this, - peer_cfg_t *peer_cfg); + peer_cfg_t *peer_cfg, + host_t *my_host, host_t *other_host); - - /** - * Reset initiator SPI. + + /** + * Reset initiator SPI. diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 2bc531b38..7220ea597 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c 
@@ -432,7 +432,7 @@ METHOD(trap_manager_t, acquire, void, - peer_cfg_t *peer; - child_cfg_t *child; - ike_sa_t *ike_sa; + peer_cfg_t *peer; + child_cfg_t *child; + ike_sa_t *ike_sa; - host_t *host; + host_t *host, *my_host = NULL, *other_host = NULL; - bool wildcard, ignore = FALSE; - - this->lock->read_lock(this->lock); + bool wildcard, ignore = FALSE; + + this->lock->read_lock(this->lock); @@ -508,36 +508,27 @@ METHOD(trap_manager_t, acquire, void, - this->lock->unlock(this->lock); - - if (wildcard) + this->lock->unlock(this->lock); + + if (wildcard) - { /* the peer config would match IKE_SAs with other peers */ - ike_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, - peer->get_ike_version(peer), TRUE); @@ -468,13 +468,13 @@ index 2bc531b38..7220ea597 100644 + ike_cfg_t *ike_cfg; + uint16_t port; + uint8_t mask; - + - port = ike_cfg->get_other_port(ike_cfg); - dst->to_subnet(dst, &host, &mask); - host->set_port(host, port); - ike_sa->set_other_host(ike_sa, host); + ike_cfg = peer->get_ike_cfg(peer); - + - port = ike_cfg->get_my_port(ike_cfg); - src->to_subnet(src, &host, &mask); - host->set_port(host, port); @@ -482,7 +482,7 @@ index 2bc531b38..7220ea597 100644 + port = ike_cfg->get_other_port(ike_cfg); + dst->to_subnet(dst, &other_host, &mask); + other_host->set_port(other_host, port); - + - charon->bus->set_sa(charon->bus, ike_sa); - } - } @@ -493,16 +493,16 @@ index 2bc531b38..7220ea597 100644 + port = ike_cfg->get_my_port(ike_cfg); + src->to_subnet(src, &my_host, &mask); + my_host->set_port(my_host, port); - } + } + ike_sa = charon->ike_sa_manager->checkout_by_config( + charon->ike_sa_manager, peer, + my_host, other_host); + DESTROY_IF(my_host); + DESTROY_IF(other_host); + - if (ike_sa) - { - if (ike_sa->get_peer_cfg(ike_sa) == NULL) + if (ike_sa) + { + if (ike_sa->get_peer_cfg(ike_sa) == NULL) diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c index 8ade8bf41..03b2cb0f4 100644 --- a/src/swanctl/commands/initiate.c 
@@ -510,7 +510,7 @@ index 8ade8bf41..03b2cb0f4 100644 @@ -13,6 +13,28 @@ * for more details. */ - + +/* + * Copyright (C) 2014 Timo Teräs + * @@ -534,34 +534,34 @@ index 8ade8bf41..03b2cb0f4 100644 + */ + #include "command.h" - + #include @@ -37,7 +59,7 @@ static int initiate(vici_conn_t *conn) - vici_req_t *req; - vici_res_t *res; - command_format_options_t format = COMMAND_FORMAT_NONE; + vici_req_t *req; + vici_res_t *res; + command_format_options_t format = COMMAND_FORMAT_NONE; - char *arg, *child = NULL, *ike = NULL; + char *arg, *child = NULL, *ike = NULL, *my_host = NULL, *other_host = NULL; - int ret = 0, timeout = 0, level = 1; - - while (TRUE) + int ret = 0, timeout = 0, level = 1; + + while (TRUE) @@ -64,6 +86,12 @@ static int initiate(vici_conn_t *conn) - case 'l': - level = atoi(arg); - continue; + case 'l': + level = atoi(arg); + continue; + case 'S': + my_host = arg; + continue; + case 'R': + other_host = arg; + continue; - case EOF: - break; - default: + case EOF: + break; + default: @@ -87,6 +115,14 @@ static int initiate(vici_conn_t *conn) - { - vici_add_key_valuef(req, "ike", "%s", ike); - } + { + vici_add_key_valuef(req, "ike", "%s", ike); + } + if (my_host) + { + vici_add_key_valuef(req, "my-host", "%s", my_host); @@ -570,17 +570,18 @@ index 8ade8bf41..03b2cb0f4 100644 + { + vici_add_key_valuef(req, "other-host", "%s", other_host); + } - if (timeout) - { - vici_add_key_valuef(req, "timeout", "%d", timeout * 1000); + if (timeout) + { + vici_add_key_valuef(req, "timeout", "%d", timeout * 1000); 
@@ -133,6 +169,8 @@ static void __attribute__ ((constructor))reg() - {"help", 'h', 0, "show usage information"}, - {"child", 'c', 1, "initiate a CHILD_SA configuration"}, - {"ike", 'i', 1, "initiate an IKE_SA, or name of child's parent"}, + {"help", 'h', 0, "show usage information"}, + {"child", 'c', 1, "initiate a CHILD_SA configuration"}, + {"ike", 'i', 1, "initiate an IKE_SA, or name of child's parent"}, + {"source", 'S', 1, "override source address"}, + {"remote", 'R', 1, "override remote address"}, - {"timeout", 't', 1, "timeout in seconds before detaching"}, - {"raw", 'r', 0, "dump raw response message"}, - {"pretty", 'P', 0, "dump raw response message in pretty print"}, --- -2.24.0 + {"timeout", 't', 1, "timeout in seconds before detaching"}, + {"raw", 'r', 0, "dump raw response message"}, + {"pretty", 'P', 0, "dump raw response message in pretty print"}, +-- +2.20.1 + diff --git a/packages/strongswan/patches/1002-vici-send-certificates-for-ike-sa-events.patch b/packages/strongswan/patches/1002-vici-send-certificates-for-ike-sa-events.patch index 6909055f..704cbc61 100644 --- a/packages/strongswan/patches/1002-vici-send-certificates-for-ike-sa-events.patch +++ b/packages/strongswan/patches/1002-vici-send-certificates-for-ike-sa-events.patch @@ -12,31 +12,31 @@ Signed-off-by: Timo Teräs 1 file changed, 41 insertions(+), 7 deletions(-) diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c -index 16e3c8b1f..2ca885e8b 100644 +index ad07ff12d..e3f6a0d26 100644 --- a/src/libcharon/plugins/vici/vici_query.c 
+++ b/src/libcharon/plugins/vici/vici_query.c -@@ -348,7 +348,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b, +@@ -379,7 +379,7 @@ static void list_vips(private_vici_query_t *this, vici_builder_t *b, * List details of an IKE_SA */ static void list_ike(private_vici_query_t *this, vici_builder_t *b, - ike_sa_t *ike_sa, time_t now) + ike_sa_t *ike_sa, time_t now, bool add_certs) { - time_t t; - ike_sa_id_t *id; -@@ -357,6 +357,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, - uint32_t if_id; - uint16_t alg, ks; - host_t *host; + time_t t; + ike_sa_id_t *id; +@@ -388,6 +388,8 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, + uint32_t if_id; + uint16_t alg, ks; + host_t *host; + auth_cfg_t *auth_cfg; + enumerator_t *enumerator; - - b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa)); - b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa)); -@@ -366,11 +368,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, - b->add_kv(b, "local-host", "%H", host); - b->add_kv(b, "local-port", "%d", host->get_port(host)); - b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa)); + + b->add_kv(b, "uniqueid", "%u", ike_sa->get_unique_id(ike_sa)); + b->add_kv(b, "version", "%u", ike_sa->get_version(ike_sa)); +@@ -397,11 +399,43 @@ static void list_ike(private_vici_query_t *this, vici_builder_t *b, + b->add_kv(b, "local-host", "%H", host); + b->add_kv(b, "local-port", "%d", host->get_port(host)); + b->add_kv(b, "local-id", "%Y", ike_sa->get_my_id(ike_sa)); + if (add_certs) + { + enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, TRUE); 
@@ -53,11 +53,11 @@ index 16e3c8b1f..2ca885e8b 100644 + } + enumerator->destroy(enumerator); + } - - host = ike_sa->get_other_host(ike_sa); - b->add_kv(b, "remote-host", "%H", host); - b->add_kv(b, "remote-port", "%d", host->get_port(host)); - b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa)); + + host = ike_sa->get_other_host(ike_sa); + b->add_kv(b, "remote-host", "%H", host); + b->add_kv(b, "remote-port", "%d", host->get_port(host)); + b->add_kv(b, "remote-id", "%Y", ike_sa->get_other_id(ike_sa)); + if (add_certs) + { + enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE); 
@@ -74,57 +74,58 @@ index 16e3c8b1f..2ca885e8b 100644 + } + enumerator->destroy(enumerator); + } - - eap = ike_sa->get_other_eap_id(ike_sa); - -@@ -500,7 +534,7 @@ CALLBACK(list_sas, vici_message_t*, - b = vici_builder_create(); - b->begin_section(b, ike_sa->get_name(ike_sa)); - + + eap = ike_sa->get_other_eap_id(ike_sa); + +@@ -531,7 +565,7 @@ CALLBACK(list_sas, vici_message_t*, + b = vici_builder_create(); + b->begin_section(b, ike_sa->get_name(ike_sa)); + - list_ike(this, b, ike_sa, now); + list_ike(this, b, ike_sa, now, TRUE); - - b->begin_section(b, "child-sas"); - csas = ike_sa->create_child_sa_enumerator(ike_sa); -@@ -1673,7 +1707,7 @@ METHOD(listener_t, ike_updown, bool, - } - - b->begin_section(b, ike_sa->get_name(ike_sa)); + + b->begin_section(b, "child-sas"); + csas = ike_sa->create_child_sa_enumerator(ike_sa); +@@ -1717,7 +1751,7 @@ METHOD(listener_t, ike_updown, bool, + } + + b->begin_section(b, ike_sa->get_name(ike_sa)); - list_ike(this, b, ike_sa, now); + list_ike(this, b, ike_sa, now, up); - b->end_section(b); - - this->dispatcher->raise_event(this->dispatcher, -@@ -1698,10 +1732,10 @@ METHOD(listener_t, ike_rekey, bool, - b = vici_builder_create(); - b->begin_section(b, old->get_name(old)); - b->begin_section(b, "old"); + b->end_section(b); + + this->dispatcher->raise_event(this->dispatcher, +@@ -1742,10 +1776,10 @@ METHOD(listener_t, ike_rekey, bool, + b = vici_builder_create(); + b->begin_section(b, old->get_name(old)); + b->begin_section(b, "old"); - list_ike(this, b, old, now); + list_ike(this, b, old, now, TRUE); - b->end_section(b); - b->begin_section(b, "new"); + b->end_section(b); + b->begin_section(b, "new"); - list_ike(this, b, new, now); + list_ike(this, b, new, now, TRUE); - b->end_section(b); - b->end_section(b); - -@@ -1731,7 +1765,7 @@ METHOD(listener_t, child_updown, bool, - } - - b->begin_section(b, ike_sa->get_name(ike_sa)); + b->end_section(b); + b->end_section(b); + +@@ -1776,7 +1810,7 @@ METHOD(listener_t, child_updown, bool, + 
} + + b->begin_section(b, ike_sa->get_name(ike_sa)); - list_ike(this, b, ike_sa, now); + list_ike(this, b, ike_sa, now, up); - b->begin_section(b, "child-sas"); - - b->begin_section(b, child_sa->get_name(child_sa)); -@@ -1763,7 +1797,7 @@ METHOD(listener_t, child_rekey, bool, - b = vici_builder_create(); - - b->begin_section(b, ike_sa->get_name(ike_sa)); + b->begin_section(b, "child-sas"); + + snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa), +@@ -1811,7 +1845,7 @@ METHOD(listener_t, child_rekey, bool, + b = vici_builder_create(); + + b->begin_section(b, ike_sa->get_name(ike_sa)); - list_ike(this, b, ike_sa, now); + list_ike(this, b, ike_sa, now, TRUE); - b->begin_section(b, "child-sas"); + b->begin_section(b, "child-sas"); + + b->begin_section(b, old->get_name(old)); +-- +2.20.1 - b->begin_section(b, old->get_name(old)); --- -2.24.0 diff --git a/packages/strongswan/patches/1003-vici-add-support-for-individual-sa-state-changes.patch b/packages/strongswan/patches/1003-vici-add-support-for-individual-sa-state-changes.patch index debbfc9a..db4ce160 100644 --- a/packages/strongswan/patches/1003-vici-add-support-for-individual-sa-state-changes.patch +++ b/packages/strongswan/patches/1003-vici-add-support-for-individual-sa-state-changes.patch @@ -14,30 +14,30 @@ Signed-off-by: Timo Teräs 1 file changed, 105 insertions(+) diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c -index 2ca885e8b..29f77c769 100644 +index e3f6a0d26..9968cdd3c 100644 --- a/src/libcharon/plugins/vici/vici_query.c 
+++ b/src/libcharon/plugins/vici/vici_query.c -@@ -1673,8 +1673,16 @@ static void manage_commands(private_vici_query_t *this, bool reg) - this->dispatcher->manage_event(this->dispatcher, "list-cert", reg); - this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg); - this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg); +@@ -1717,8 +1717,16 @@ static void manage_commands(private_vici_query_t *this, bool reg) + this->dispatcher->manage_event(this->dispatcher, "list-cert", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-rekey", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-state-established", reg); + this->dispatcher->manage_event(this->dispatcher, "ike-state-destroying", reg); - this->dispatcher->manage_event(this->dispatcher, "child-updown", reg); - this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg); + this->dispatcher->manage_event(this->dispatcher, "child-updown", reg); + this->dispatcher->manage_event(this->dispatcher, "child-rekey", reg); + this->dispatcher->manage_event(this->dispatcher, "child-state-installing", reg); + this->dispatcher->manage_event(this->dispatcher, "child-state-installed", reg); + this->dispatcher->manage_event(this->dispatcher, "child-state-updating", reg); + this->dispatcher->manage_event(this->dispatcher, "child-state-rekeying", reg); + this->dispatcher->manage_event(this->dispatcher, "child-state-rekeyed", reg); + this->dispatcher->manage_event(this->dispatcher, "child-state-destroying", reg); - manage_command(this, "list-sas", list_sas, reg); - manage_command(this, "list-policies", list_policies, reg); - manage_command(this, "list-conns", list_conns, reg); -@@ -1745,6 +1753,45 @@ METHOD(listener_t, ike_rekey, bool, - return TRUE; + manage_command(this, "list-sas", list_sas, reg); + manage_command(this, "list-policies", list_policies, reg); + manage_command(this, "list-conns", list_conns, reg); 
+@@ -1789,6 +1797,45 @@ METHOD(listener_t, ike_rekey, bool, + return TRUE; } - + +METHOD(listener_t, ike_state_change, bool, + private_vici_query_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) +{ @@ -78,12 +78,12 @@ index 2ca885e8b..29f77c769 100644 +} + METHOD(listener_t, child_updown, bool, - private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up) + private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, bool up) { -@@ -1820,6 +1867,62 @@ METHOD(listener_t, child_rekey, bool, - return TRUE; +@@ -1868,6 +1915,62 @@ METHOD(listener_t, child_rekey, bool, + return TRUE; } - + +METHOD(listener_t, child_state_change, bool, + private_vici_query_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state) +{ @@ -141,18 +141,19 @@ index 2ca885e8b..29f77c769 100644 +} + METHOD(vici_query_t, destroy, void, - private_vici_query_t *this) + private_vici_query_t *this) { -@@ -1839,8 +1942,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher) - .listener = { - .ike_updown = _ike_updown, - .ike_rekey = _ike_rekey, +@@ -1887,8 +1990,10 @@ vici_query_t *vici_query_create(vici_dispatcher_t *dispatcher) + .listener = { + .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, + .ike_state_change = _ike_state_change, - .child_updown = _child_updown, - .child_rekey = _child_rekey, + .child_updown = _child_updown, + .child_rekey = _child_rekey, + .child_state_change = _child_state_change, - }, - .destroy = _destroy, - }, --- -2.24.0 + }, + .destroy = _destroy, + }, +-- +2.20.1 + -- cgit v1.2.3