diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
| commit | a9b7f8d4a4a4202facd9690580b38542e7933f00 (patch) | |
| tree | d82a9d506c62cff257e5292845b68df3ca5c60dc | |
| parent | 12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff) | |
| download | vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.tar.gz vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.zip | |
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in
some cases.
- Enable integrity checking.
446 files changed, 9152 insertions, 3452 deletions
diff --git a/Makefile.am b/Makefile.am index 95eb8d95e..172949977 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,9 @@ -SUBDIRS = src testing scripts +SUBDIRS = src testing + +if USE_SCRIPTS + SUBDIRS += scripts +endif + EXTRA_DIST = Doxyfile.in CREDITS CLEANFILES = apidoc Doxyfile @@ -10,6 +15,3 @@ Doxyfile : Doxyfile.in apidoc : Doxyfile doxygen - -dist-hook : - rm -rf `find $(distdir)/testing -name .svn` diff --git a/Makefile.in b/Makefile.in index 8755056b2..bc83e3d31 100644 --- a/Makefile.in +++ b/Makefile.in @@ -31,6 +31,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@USE_SCRIPTS_TRUE@am__append_1 = scripts subdir = . DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in $(top_srcdir)/configure \ @@ -58,7 +59,7 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = $(SUBDIRS) +DIST_SUBDIRS = src testing scripts DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) @@ -71,12 +72,14 @@ GZIP_ENV = --best distuninstallcheck_listfiles = find . -type f -print distcleancheck_listfiles = find . -type f -print ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -141,6 +144,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -181,7 +185,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -215,7 +221,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -SUBDIRS = src testing scripts +SUBDIRS = src testing $(am__append_1) EXTRA_DIST = Doxyfile.in CREDITS CLEANFILES = apidoc Doxyfile all: all-recursive @@ -441,9 +447,6 @@ distdir: $(DISTFILES) || exit 1; \ fi; \ done - $(MAKE) $(AM_MAKEFLAGS) \ - top_distdir="$(top_distdir)" distdir="$(distdir)" \ - dist-hook -find $(distdir) -type d ! -perm -777 -exec chmod a+rwx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ @@ -641,18 +644,18 @@ uninstall-am: .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am am--refresh check check-am clean clean-generic \ clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \ - dist-gzip dist-hook dist-lzma dist-shar dist-tarZ dist-zip \ - distcheck distclean distclean-generic distclean-libtool \ - distclean-tags distcleancheck distdir distuninstallcheck dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am + dist-gzip dist-lzma dist-shar dist-tarZ dist-zip distcheck \ + distclean distclean-generic distclean-libtool distclean-tags \ + distcleancheck distdir distuninstallcheck dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-recursive \ + uninstall uninstall-am Doxyfile : Doxyfile.in @@ -663,9 +666,6 @@ Doxyfile : Doxyfile.in apidoc : Doxyfile doxygen - -dist-hook : - rm -rf `find $(distdir)/testing -name .svn` # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: @@ -1,3 +1,37 @@ +strongswan-4.3.4 +---------------- + +- IKEv2 charon daemon ported to FreeBSD and Mac OS X. Installation details can + be found on wiki.strongswan.org. + +- ipsec statusall shows the number of bytes transmitted and received over + ESP connections configured by the IKEv2 charon daemon. + +- The IKEv2 charon daemon supports include files in ipsec.secrets. + + +strongswan-4.3.3 +---------------- + +- The configuration option --enable-integrity-test plus the strongswan.conf + option libstrongswan.integrity_test = yes activate integrity tests + of the IKE daemons charon and pluto, libstrongswan and all loaded + plugins. Thus dynamic library misconfigurations and non-malicious file + manipulations can be reliably detected. + +- The new default setting libstrongswan.ecp_x_coordinate_only=yes allows + IKEv1 interoperability with MS Windows using the ECP DH groups 19 and 20. + +- The IKEv1 pluto daemon now supports the AES-CCM and AES-GCM ESP + authenticated encryption algorithms. + +- The IKEv1 pluto daemon now supports V4 OpenPGP keys. + +- The RDN parser vulnerability discovered by Orange Labs research team + was not completely fixed in version 4.3.2. Some more modifications + had to be applied to the asn1_length() function to make it robust. + + strongswan-4.3.2 ---------------- diff --git a/aclocal.m4 b/aclocal.m4 index b547a212b..9e6e86249 100644 --- a/aclocal.m4 +++ b/aclocal.m4 @@ -19,6 +19,192 @@ You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically `autoreconf'.])]) +# lib-prefix.m4 serial 5 (gettext-0.15) +dnl Copyright (C) 2001-2005 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +dnl From Bruno Haible. + +dnl AC_LIB_ARG_WITH is synonymous to AC_ARG_WITH in autoconf-2.13, and +dnl similar to AC_ARG_WITH in autoconf 2.52...2.57 except that is doesn't +dnl require excessive bracketing. +ifdef([AC_HELP_STRING], +[AC_DEFUN([AC_LIB_ARG_WITH], [AC_ARG_WITH([$1],[[$2]],[$3],[$4])])], +[AC_DEFUN([AC_][LIB_ARG_WITH], [AC_ARG_WITH([$1],[$2],[$3],[$4])])]) + +dnl AC_LIB_PREFIX adds to the CPPFLAGS and LDFLAGS the flags that are needed +dnl to access previously installed libraries. The basic assumption is that +dnl a user will want packages to use other packages he previously installed +dnl with the same --prefix option. +dnl This macro is not needed if only AC_LIB_LINKFLAGS is used to locate +dnl libraries, but is otherwise very convenient. +AC_DEFUN([AC_LIB_PREFIX], +[ + AC_BEFORE([$0], [AC_LIB_LINKFLAGS]) + AC_REQUIRE([AC_PROG_CC]) + AC_REQUIRE([AC_CANONICAL_HOST]) + AC_REQUIRE([AC_LIB_PREPARE_MULTILIB]) + AC_REQUIRE([AC_LIB_PREPARE_PREFIX]) + dnl By default, look in $includedir and $libdir. + use_additional=yes + AC_LIB_WITH_FINAL_PREFIX([ + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + ]) + AC_LIB_ARG_WITH([lib-prefix], +[ --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib + --without-lib-prefix don't search for libraries in includedir and libdir], +[ + if test "X$withval" = "Xno"; then + use_additional=no + else + if test "X$withval" = "X"; then + AC_LIB_WITH_FINAL_PREFIX([ + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + ]) + else + additional_includedir="$withval/include" + additional_libdir="$withval/$acl_libdirstem" + fi + fi +]) + if test $use_additional = yes; then + dnl Potentially add $additional_includedir to $CPPFLAGS. + dnl But don't add it + dnl 1. if it's the standard /usr/include, + dnl 2. if it's already present in $CPPFLAGS, + dnl 3. if it's /usr/local/include and we are using GCC on Linux, + dnl 4. if it doesn't exist as a directory. + if test "X$additional_includedir" != "X/usr/include"; then + haveit= + for x in $CPPFLAGS; do + AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"]) + if test "X$x" = "X-I$additional_includedir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test "X$additional_includedir" = "X/usr/local/include"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + if test -d "$additional_includedir"; then + dnl Really add $additional_includedir to $CPPFLAGS. + CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir" + fi + fi + fi + fi + dnl Potentially add $additional_libdir to $LDFLAGS. + dnl But don't add it + dnl 1. if it's the standard /usr/lib, + dnl 2. if it's already present in $LDFLAGS, + dnl 3. if it's /usr/local/lib and we are using GCC on Linux, + dnl 4. if it doesn't exist as a directory. + if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then + haveit= + for x in $LDFLAGS; do + AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"]) + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then + if test -n "$GCC"; then + case $host_os in + linux*) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + dnl Really add $additional_libdir to $LDFLAGS. + LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir" + fi + fi + fi + fi + fi +]) + +dnl AC_LIB_PREPARE_PREFIX creates variables acl_final_prefix, +dnl acl_final_exec_prefix, containing the values to which $prefix and +dnl $exec_prefix will expand at the end of the configure script. +AC_DEFUN([AC_LIB_PREPARE_PREFIX], +[ + dnl Unfortunately, prefix and exec_prefix get only finally determined + dnl at the end of configure. + if test "X$prefix" = "XNONE"; then + acl_final_prefix="$ac_default_prefix" + else + acl_final_prefix="$prefix" + fi + if test "X$exec_prefix" = "XNONE"; then + acl_final_exec_prefix='${prefix}' + else + acl_final_exec_prefix="$exec_prefix" + fi + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + eval acl_final_exec_prefix=\"$acl_final_exec_prefix\" + prefix="$acl_save_prefix" +]) + +dnl AC_LIB_WITH_FINAL_PREFIX([statement]) evaluates statement, with the +dnl variables prefix and exec_prefix bound to the values they will have +dnl at the end of the configure script. +AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX], +[ + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + $1 + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" +]) + +dnl AC_LIB_PREPARE_MULTILIB creates a variable acl_libdirstem, containing +dnl the basename of the libdir, either "lib" or "lib64". +AC_DEFUN([AC_LIB_PREPARE_MULTILIB], +[ + dnl There is no formal standard regarding lib and lib64. The current + dnl practice is that on a system supporting 32-bit and 64-bit instruction + dnl sets or ABIs, 64-bit libraries go under $prefix/lib64 and 32-bit + dnl libraries go under $prefix/lib. We determine the compiler's default + dnl mode by looking at the compiler's library search path. If at least + dnl of its elements ends in /lib64 or points to a directory whose absolute + dnl pathname ends in /lib64, we assume a 64-bit ABI. Otherwise we use the + dnl default, namely "lib". + acl_libdirstem=lib + searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'` + if test -n "$searchpath"; then + acl_save_IFS="${IFS= }"; IFS=":" + for searchdir in $searchpath; do + if test -d "$searchdir"; then + case "$searchdir" in + */lib64/ | */lib64 ) acl_libdirstem=lib64 ;; + *) searchdir=`cd "$searchdir" && pwd` + case "$searchdir" in + */lib64 ) acl_libdirstem=lib64 ;; + esac ;; + esac + fi + done + IFS="$acl_save_IFS" + fi +]) + dnl Autoconf macros for libgcrypt dnl Copyright (C) 2002, 2004 Free Software Foundation, Inc. dnl @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.63 for strongSwan 4.3.2. +# Generated by GNU Autoconf 2.63 for strongSwan 4.3.4. # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, # 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. @@ -743,8 +743,8 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='4.3.2' -PACKAGE_STRING='strongSwan 4.3.2' +PACKAGE_VERSION='4.3.4' +PACKAGE_STRING='strongSwan 4.3.4' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. @@ -791,6 +791,8 @@ USE_FILE_CONFIG_FALSE USE_FILE_CONFIG_TRUE USE_LIBSTRONGSWAN_FALSE USE_LIBSTRONGSWAN_TRUE +USE_SCRIPTS_FALSE +USE_SCRIPTS_TRUE USE_TOOLS_FALSE USE_TOOLS_TRUE USE_CHARON_FALSE @@ -932,9 +934,14 @@ gtk_LIBS gtk_CFLAGS xml_LIBS xml_CFLAGS +SOCKLIB +BTLIB DLLIB -PERL +ALLOCA +ipsecgid +ipsecuid GPERF +PERL YFLAGS YACC LEXLIB @@ -956,6 +963,10 @@ DUMPBIN LD FGREP SED +LIBTOOL +EGREP +GREP +CPP host_os host_vendor host_cpu @@ -964,10 +975,6 @@ build_os build_vendor build_cpu build -LIBTOOL -EGREP -GREP -CPP am__fastdepCC_FALSE am__fastdepCC_TRUE CCDEPMODE @@ -982,8 +989,8 @@ EXEEXT ac_ct_CC CPPFLAGS LDFLAGS -CC CFLAGS +CC ipsecgroup ipsecuser IPSEC_ROUTING_TABLE_PRIO @@ -1133,6 +1140,7 @@ enable_pluto enable_threads enable_charon enable_tools +enable_scripts enable_updown enable_attr enable_resolv_conf @@ -1144,6 +1152,7 @@ enable_uci enable_nm enable_vstr enable_dependency_tracking +with_lib_prefix enable_shared enable_static with_pic @@ -1722,7 +1731,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 4.3.2 to adapt to many kinds of systems. +\`configure' configures strongSwan 4.3.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1792,7 +1801,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 4.3.2:";; + short | recursive ) echo "Configuration of strongSwan 4.3.4:";; esac cat <<\_ACEOF @@ -1891,8 +1900,8 @@ Optional Features: templates (default is NO). --enable-manager build web management console (default is NO). --enable-mediation enable IKEv2 Mediation Extension (default is NO). - --enable-integrity-test enable the integrity test of the crypto library - (default is NO). + --enable-integrity-test enable integrity testing of libstrongswan and + plugins (default is NO). --disable-pluto disable the IKEv1 keying daemon pluto. (default is NO). --disable-threads disable the use of threads in pluto. Charon always @@ -1901,6 +1910,8 @@ Optional Features: NO). --disable-tools disable additional utilities (openac and scepclient). (default is NO). + --disable-scripts disable additional utilities (found in directory + scripts). (default is NO). --disable-updown disable updown firewall script plugin. (default is NO). --disable-attr disable strongswan.conf based configuration @@ -1961,12 +1972,14 @@ Optional Packages: priority for IPsec routing table (default: 220) --with-user=user change user of the daemons to "user" after startup - (default is 0). + (default is "root"). --with-group=group change group of the daemons to "group" after startup - (default is 0). + (default is "root"). --with-capabilities=libcap capability dropping using libcap. Currenlty only the value "libcap" is supported (default is NO). + --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib + --without-lib-prefix don't search for libraries in includedir and libdir --with-pic try to use only PIC/non-PIC objects [default=use both] --with-gnu-ld assume the C compiler uses GNU ld [default=no] @@ -2060,7 +2073,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 4.3.2 +strongSwan configure 4.3.4 generated by GNU Autoconf 2.63 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -2074,7 +2087,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 4.3.2, which was +It was created by strongSwan $as_me 4.3.4, which was generated by GNU Autoconf 2.63. Invocation command line was $ $0 $@ @@ -2790,7 +2803,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='4.3.2' + VERSION='4.3.4' cat >>confdefs.h <<_ACEOF @@ -3940,6 +3953,19 @@ else fi +# Check whether --enable-scripts was given. +if test "${enable_scripts+set}" = set; then + enableval=$enable_scripts; if test x$enableval = xyes; then + scripts=true + else + scripts=false + fi +else + scripts=true + +fi + + # Check whether --enable-updown was given. if test "${enable_updown+set}" = set; then enableval=$enable_updown; if test x$enableval = xyes; then @@ -4049,7 +4075,6 @@ fi if test -z "$CFLAGS"; then CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing" - fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -5154,6 +5179,238 @@ else fi +# Make sure we can run config.sub. +$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || + { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5 +$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;} + { (exit 1); exit 1; }; } + +{ $as_echo "$as_me:$LINENO: checking build system type" >&5 +$as_echo_n "checking build system type... " >&6; } +if test "${ac_cv_build+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_build_alias=$build_alias +test "x$ac_build_alias" = x && + ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` +test "x$ac_build_alias" = x && + { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 +$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;} + { (exit 1); exit 1; }; } +ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;} + { (exit 1); exit 1; }; } + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5 +$as_echo "$ac_cv_build" >&6; } +case $ac_cv_build in +*-*-*) ;; +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5 +$as_echo "$as_me: error: invalid value of canonical build" >&2;} + { (exit 1); exit 1; }; };; +esac +build=$ac_cv_build +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_build +shift +build_cpu=$1 +build_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +build_os=$* +IFS=$ac_save_IFS +case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac + + +{ $as_echo "$as_me:$LINENO: checking host system type" >&5 +$as_echo_n "checking host system type... " >&6; } +if test "${ac_cv_host+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "x$host_alias" = x; then + ac_cv_host=$ac_cv_build +else + ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || + { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5 +$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;} + { (exit 1); exit 1; }; } +fi + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5 +$as_echo "$ac_cv_host" >&6; } +case $ac_cv_host in +*-*-*) ;; +*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5 +$as_echo "$as_me: error: invalid value of canonical host" >&2;} + { (exit 1); exit 1; }; };; +esac +host=$ac_cv_host +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_host +shift +host_cpu=$1 +host_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +host_os=$* +IFS=$ac_save_IFS +case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac + + + + acl_libdirstem=lib + searchpath=`(LC_ALL=C $CC -print-search-dirs) 2>/dev/null | sed -n -e 's,^libraries: ,,p' | sed -e 's,^=,,'` + if test -n "$searchpath"; then + acl_save_IFS="${IFS= }"; IFS=":" + for searchdir in $searchpath; do + if test -d "$searchdir"; then + case "$searchdir" in + */lib64/ | */lib64 ) acl_libdirstem=lib64 ;; + *) searchdir=`cd "$searchdir" && pwd` + case "$searchdir" in + */lib64 ) acl_libdirstem=lib64 ;; + esac ;; + esac + fi + done + IFS="$acl_save_IFS" + fi + + + if test "X$prefix" = "XNONE"; then + acl_final_prefix="$ac_default_prefix" + else + acl_final_prefix="$prefix" + fi + if test "X$exec_prefix" = "XNONE"; then + acl_final_exec_prefix='${prefix}' + else + acl_final_exec_prefix="$exec_prefix" + fi + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + eval acl_final_exec_prefix=\"$acl_final_exec_prefix\" + prefix="$acl_save_prefix" + + + + + + + + use_additional=yes + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + +# Check whether --with-lib-prefix was given. +if test "${with_lib_prefix+set}" = set; then + withval=$with_lib_prefix; + if test "X$withval" = "Xno"; then + use_additional=no + else + if test "X$withval" = "X"; then + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + else + additional_includedir="$withval/include" + additional_libdir="$withval/$acl_libdirstem" + fi + fi + +fi + + if test $use_additional = yes; then + if test "X$additional_includedir" != "X/usr/include"; then + haveit= + for x in $CPPFLAGS; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-I$additional_includedir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test "X$additional_includedir" = "X/usr/local/include"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + if test -d "$additional_includedir"; then + CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir" + fi + fi + fi + fi + if test "X$additional_libdir" != "X/usr/$acl_libdirstem"; then + haveit= + for x in $LDFLAGS; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test "X$additional_libdir" = "X/usr/local/$acl_libdirstem"; then + if test -n "$GCC"; then + case $host_os in + linux*) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir" + fi + fi + fi + fi + fi + ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -6303,89 +6560,6 @@ macro_revision='1.3012' ltmain="$ac_aux_dir/ltmain.sh" -# Make sure we can run config.sub. -$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || - { { $as_echo "$as_me:$LINENO: error: cannot run $SHELL $ac_aux_dir/config.sub" >&5 -$as_echo "$as_me: error: cannot run $SHELL $ac_aux_dir/config.sub" >&2;} - { (exit 1); exit 1; }; } - -{ $as_echo "$as_me:$LINENO: checking build system type" >&5 -$as_echo_n "checking build system type... " >&6; } -if test "${ac_cv_build+set}" = set; then - $as_echo_n "(cached) " >&6 -else - ac_build_alias=$build_alias -test "x$ac_build_alias" = x && - ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` -test "x$ac_build_alias" = x && - { { $as_echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 -$as_echo "$as_me: error: cannot guess build type; you must specify one" >&2;} - { (exit 1); exit 1; }; } -ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || - { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&5 -$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $ac_build_alias failed" >&2;} - { (exit 1); exit 1; }; } - -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_build" >&5 -$as_echo "$ac_cv_build" >&6; } -case $ac_cv_build in -*-*-*) ;; -*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical build" >&5 -$as_echo "$as_me: error: invalid value of canonical build" >&2;} - { (exit 1); exit 1; }; };; -esac -build=$ac_cv_build -ac_save_IFS=$IFS; IFS='-' -set x $ac_cv_build -shift -build_cpu=$1 -build_vendor=$2 -shift; shift -# Remember, the first character of IFS is used to create $*, -# except with old shells: -build_os=$* -IFS=$ac_save_IFS -case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac - - -{ $as_echo "$as_me:$LINENO: checking host system type" >&5 -$as_echo_n "checking host system type... " >&6; } -if test "${ac_cv_host+set}" = set; then - $as_echo_n "(cached) " >&6 -else - if test "x$host_alias" = x; then - ac_cv_host=$ac_cv_build -else - ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || - { { $as_echo "$as_me:$LINENO: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&5 -$as_echo "$as_me: error: $SHELL $ac_aux_dir/config.sub $host_alias failed" >&2;} - { (exit 1); exit 1; }; } -fi - -fi -{ $as_echo "$as_me:$LINENO: result: $ac_cv_host" >&5 -$as_echo "$ac_cv_host" >&6; } -case $ac_cv_host in -*-*-*) ;; -*) { { $as_echo "$as_me:$LINENO: error: invalid value of canonical host" >&5 -$as_echo "$as_me: error: invalid value of canonical host" >&2;} - { (exit 1); exit 1; }; };; -esac -host=$ac_cv_host -ac_save_IFS=$IFS; IFS='-' -set x $ac_cv_host -shift -host_cpu=$1 -host_vendor=$2 -shift; shift -# Remember, the first character of IFS is used to create $*, -# except with old shells: -host_os=$* -IFS=$ac_save_IFS -case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac - - { $as_echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5 $as_echo_n "checking for a sed that does not truncate output... " >&6; } if test "${ac_cv_path_SED+set}" = set; then @@ -6846,13 +7020,13 @@ if test "${lt_cv_nm_interface+set}" = set; then else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6849: $ac_compile\"" >&5) + (eval echo "\"\$as_me:7023: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6852: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:7026: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6855: output\"" >&5) + (eval echo "\"\$as_me:7029: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -8057,7 +8231,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8060 "configure"' > conftest.$ac_ext + echo '#line 8234 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9422,11 +9596,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9425: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9599: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9429: \$? = $ac_status" >&5 + echo "$as_me:9603: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9761,11 +9935,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9764: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9938: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9768: \$? = $ac_status" >&5 + echo "$as_me:9942: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9866,11 +10040,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9869: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10043: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9873: \$? = $ac_status" >&5 + echo "$as_me:10047: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9921,11 +10095,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9924: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10098: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9928: \$? = $ac_status" >&5 + echo "$as_me:10102: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12734,7 +12908,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12737 "configure" +#line 12911 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12830,7 +13004,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12833 "configure" +#line 13007 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13057,6 +13231,117 @@ CC="$lt_save_CC" # Only expand once: +{ $as_echo "$as_me:$LINENO: checking for egrep" >&5 +$as_echo_n "checking for egrep... " >&6; } +if test "${ac_cv_path_EGREP+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 + then ac_cv_path_EGREP="$GREP -E" + else + if test -z "$EGREP"; then + ac_path_EGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue +# Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP +case `"$ac_path_EGREP" --version 2>&1` in +*GNU*) + ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'EGREP' >> "conftest.nl" + "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + ac_count=`expr $ac_count + 1` + if test $ac_count -gt ${ac_path_EGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_EGREP="$ac_path_EGREP" + ac_path_EGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_EGREP_found && break 3 + done + done +done +IFS=$as_save_IFS + if test -z "$ac_cv_path_EGREP"; then + { { $as_echo "$as_me:$LINENO: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&5 +$as_echo "$as_me: error: no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" >&2;} + { (exit 1); exit 1; }; } + fi +else + ac_cv_path_EGREP=$EGREP +fi + + fi +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_path_EGREP" >&5 +$as_echo "$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + + +for ac_prog in gawk mawk nawk awk +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_AWK+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test -n "$AWK"; then + ac_cv_prog_AWK="$AWK" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done +IFS=$as_save_IFS + +fi +fi +AWK=$ac_cv_prog_AWK +if test -n "$AWK"; then + { $as_echo "$as_me:$LINENO: result: $AWK" >&5 +$as_echo "$AWK" >&6; } +else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AWK" && break +done + for ac_prog in flex lex do # Extract the first word of "$ac_prog", so it can be a program name with args. @@ -13313,16 +13598,16 @@ fi done test -n "$YACC" || YACC="yacc" -# Extract the first word of "gperf", so it can be a program name with args. -set dummy gperf; ac_word=$2 +# Extract the first word of "perl", so it can be a program name with args. +set dummy perl; ac_word=$2 { $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_path_GPERF+set}" = set; then +if test "${ac_cv_path_PERL+set}" = set; then $as_echo_n "(cached) " >&6 else - case $GPERF in + case $PERL in [\\/]* | ?:[\\/]*) - ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path. + ac_cv_path_PERL="$PERL" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR @@ -13333,7 +13618,7 @@ do test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext" + ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi @@ -13344,26 +13629,26 @@ IFS=$as_save_IFS ;; esac fi -GPERF=$ac_cv_path_GPERF -if test -n "$GPERF"; then - { $as_echo "$as_me:$LINENO: result: $GPERF" >&5 -$as_echo "$GPERF" >&6; } +PERL=$ac_cv_path_PERL +if test -n "$PERL"; then + { $as_echo "$as_me:$LINENO: result: $PERL" >&5 +$as_echo "$PERL" >&6; } else { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } fi -# Extract the first word of "perl", so it can be a program name with args. -set dummy perl; ac_word=$2 +# Extract the first word of "gperf", so it can be a program name with args. +set dummy gperf; ac_word=$2 { $as_echo "$as_me:$LINENO: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } -if test "${ac_cv_path_PERL+set}" = set; then +if test "${ac_cv_path_GPERF+set}" = set; then $as_echo_n "(cached) " >&6 else - case $PERL in + case $GPERF in [\\/]* | ?:[\\/]*) - ac_cv_path_PERL="$PERL" # Let the user override the test with a path. + ac_cv_path_GPERF="$GPERF" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR @@ -13374,7 +13659,7 @@ do test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then - ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext" + ac_cv_path_GPERF="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi @@ -13385,10 +13670,10 @@ IFS=$as_save_IFS ;; esac fi -PERL=$ac_cv_path_PERL -if test -n "$PERL"; then - { $as_echo "$as_me:$LINENO: result: $PERL" >&5 -$as_echo "$PERL" >&6; } +GPERF=$ac_cv_path_GPERF +if test -n "$GPERF"; then + { $as_echo "$as_me:$LINENO: result: $GPERF" >&5 +$as_echo "$GPERF" >&6; } else { $as_echo "$as_me:$LINENO: result: no" >&5 $as_echo "no" >&6; } @@ -13396,6 +13681,46 @@ fi +{ $as_echo "$as_me:$LINENO: checking gperf version >= 3.0.0" >&5 +$as_echo_n "checking gperf version >= 3.0.0... " >&6; } +if test -x "$GPERF"; then + if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi +else + { $as_echo "$as_me:$LINENO: result: not found" >&5 +$as_echo "not found" >&6; } +fi + +{ $as_echo "$as_me:$LINENO: checking for uid of user \"$ipsecuser\"" >&5 +$as_echo_n "checking for uid of user \"$ipsecuser\"... " >&6; } +ipsecuid=`id -u $ipsecuser 2>/dev/null` +if test -n "$ipsecuid"; then + { $as_echo "$as_me:$LINENO: result: $ipsecuid" >&5 +$as_echo "$ipsecuid" >&6; } + +else + { { $as_echo "$as_me:$LINENO: error: not found" >&5 +$as_echo "$as_me: error: not found" >&2;} + { (exit 1); exit 1; }; } +fi +{ $as_echo "$as_me:$LINENO: checking for gid of group \"$ipsecgroup\"" >&5 +$as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; } +ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` +if test -n "$ipsecgid"; then + { $as_echo "$as_me:$LINENO: result: $ipsecgid" >&5 +$as_echo "$ipsecgid" >&6; } + +else + { { $as_echo "$as_me:$LINENO: error: not found" >&5 +$as_echo "$as_me: error: not found" >&2;} + { (exit 1); exit 1; }; } +fi + if test x$eap_aka = xtrue; then gmp=true; @@ -13663,8 +13988,386 @@ _ACEOF fi +# The Ultrix 4.2 mips builtin alloca declared by alloca.h only works +# for constant arguments. Useless! +{ $as_echo "$as_me:$LINENO: checking for working alloca.h" >&5 +$as_echo_n "checking for working alloca.h... " >&6; } +if test "${ac_cv_working_alloca_h+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <alloca.h> +int +main () +{ +char *p = (char *) alloca (2 * sizeof (int)); + if (p) return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_working_alloca_h=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_working_alloca_h=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_working_alloca_h" >&5 +$as_echo "$ac_cv_working_alloca_h" >&6; } +if test $ac_cv_working_alloca_h = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_ALLOCA_H 1 +_ACEOF + +fi + +{ $as_echo "$as_me:$LINENO: checking for alloca" >&5 +$as_echo_n "checking for alloca... " >&6; } +if test "${ac_cv_func_alloca_works+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#ifdef __GNUC__ +# define alloca __builtin_alloca +#else +# ifdef _MSC_VER +# include <malloc.h> +# define alloca _alloca +# else +# ifdef HAVE_ALLOCA_H +# include <alloca.h> +# else +# ifdef _AIX + #pragma alloca +# else +# ifndef alloca /* predefined by HP cc +Olibcalls */ +char *alloca (); +# endif +# endif +# endif +# endif +#endif + +int +main () +{ +char *p = (char *) alloca (1); + if (p) return 0; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_func_alloca_works=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_func_alloca_works=no +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_func_alloca_works" >&5 +$as_echo "$ac_cv_func_alloca_works" >&6; } + +if test $ac_cv_func_alloca_works = yes; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_ALLOCA 1 +_ACEOF + +else + # The SVR3 libPW and SVR4 libucb both contain incompatible functions +# that cause trouble. Some versions do not even contain alloca or +# contain a buggy version. If you still want to use their alloca, +# use ar to extract alloca.o from them instead of compiling alloca.c. + +ALLOCA=\${LIBOBJDIR}alloca.$ac_objext + +cat >>confdefs.h <<\_ACEOF +#define C_ALLOCA 1 +_ACEOF + + +{ $as_echo "$as_me:$LINENO: checking whether \`alloca.c' needs Cray hooks" >&5 +$as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; } +if test "${ac_cv_os_cray+set}" = set; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#if defined CRAY && ! defined CRAY2 +webecray +#else +wenotbecray +#endif + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "webecray" >/dev/null 2>&1; then + ac_cv_os_cray=yes +else + ac_cv_os_cray=no +fi +rm -f conftest* + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_os_cray" >&5 +$as_echo "$ac_cv_os_cray" >&6; } +if test $ac_cv_os_cray = yes; then + for ac_func in _getb67 GETB67 getb67; do + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 +$as_echo_n "checking for $ac_func... " >&6; } +if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func. + For example, HP-UX 11i <limits.h> declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer <limits.h> to <assert.h> if __STDC__ is defined, since + <limits.h> exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include <limits.h> +#else +# include <assert.h> +#endif + +#undef $ac_func + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$ac_func || defined __stub___$ac_func +choke me +#endif + +int +main () +{ +return $ac_func (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + eval "$as_ac_var=yes" +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + eval "$as_ac_var=no" +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +fi +ac_res=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +as_val=`eval 'as_val=${'$as_ac_var'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + +cat >>confdefs.h <<_ACEOF +#define CRAY_STACKSEG_END $ac_func +_ACEOF + + break +fi + + done +fi + +{ $as_echo "$as_me:$LINENO: checking stack direction for C alloca" >&5 +$as_echo_n "checking stack direction for C alloca... " >&6; } +if test "${ac_cv_c_stack_direction+set}" = set; then + $as_echo_n "(cached) " >&6 +else + if test "$cross_compiling" = yes; then + ac_cv_c_stack_direction=0 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +int +find_stack_direction () +{ + static char *addr = 0; + auto char dummy; + if (addr == 0) + { + addr = &dummy; + return find_stack_direction (); + } + else + return (&dummy > addr) ? 1 : -1; +} + +int +main () +{ + return find_stack_direction () < 0; +} +_ACEOF +rm -f conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_c_stack_direction=1 +else + $as_echo "$as_me: program exited with status $ac_status" >&5 +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +( exit $ac_status ) +ac_cv_c_stack_direction=-1 +fi +rm -rf conftest.dSYM +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi + + +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_c_stack_direction" >&5 +$as_echo "$ac_cv_c_stack_direction" >&6; } + +cat >>confdefs.h <<_ACEOF +#define STACK_DIRECTION $ac_cv_c_stack_direction +_ACEOF + + +fi + saved_LIBS=$LIBS + LIBS="" { $as_echo "$as_me:$LINENO: checking for library containing dlopen" >&5 $as_echo_n "checking for library containing dlopen... " >&6; } @@ -13753,37 +14456,53 @@ if test "$ac_res" != no; then DLLIB=$LIBS fi -LIBS=$saved_LIBS -{ $as_echo "$as_me:$LINENO: checking for dladdr" >&5 -$as_echo_n "checking for dladdr... " >&6; } +LIBS="" +{ $as_echo "$as_me:$LINENO: checking for library containing backtrace" >&5 +$as_echo_n "checking for library containing backtrace... " >&6; } +if test "${ac_cv_search_backtrace+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -#define _GNU_SOURCE - #include <dlfcn.h> + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char backtrace (); int main () { -Dl_info* info = 0; - dladdr(0, info); +return backtrace (); ; return 0; } _ACEOF -rm -f conftest.$ac_objext -if { (ac_try="$ac_compile" +for ac_lib in '' execinfo; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" $as_echo "$ac_try_echo") >&5 - (eval "$ac_compile") 2>conftest.er1 + (eval "$ac_link") 2>conftest.er1 ac_status=$? grep -v '^ *+' conftest.er1 >conftest.err rm -f conftest.er1 @@ -13792,22 +14511,40 @@ $as_echo "$ac_try_echo") >&5 (exit $ac_status); } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err - } && test -s conftest.$ac_objext; then - { $as_echo "$as_me:$LINENO: result: yes" >&5 -$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF -#define HAVE_DLADDR 1 -_ACEOF - + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_search_backtrace=$ac_res else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - { $as_echo "$as_me:$LINENO: result: no" >&5 -$as_echo "no" >&6; } fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_backtrace+set}" = set; then + break +fi +done +if test "${ac_cv_search_backtrace+set}" = set; then + : +else + ac_cv_search_backtrace=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_backtrace" >&5 +$as_echo "$ac_cv_search_backtrace" >&6; } +ac_res=$ac_cv_search_backtrace +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + BTLIB=$LIBS +fi for ac_func in backtrace @@ -13911,36 +14648,107 @@ fi done -for ac_func in prctl -do -as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -{ $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 -$as_echo_n "checking for $ac_func... " >&6; } -if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then + +LIBS="" +{ $as_echo "$as_me:$LINENO: checking for library containing socket" >&5 +$as_echo_n "checking for library containing socket... " >&6; } +if test "${ac_cv_search_socket+set}" = set; then $as_echo_n "(cached) " >&6 else - cat >conftest.$ac_ext <<_ACEOF + ac_func_search_save_LIBS=$LIBS +cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF cat confdefs.h >>conftest.$ac_ext cat >>conftest.$ac_ext <<_ACEOF /* end confdefs.h. */ -/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func. - For example, HP-UX 11i <limits.h> declares gettimeofday. */ -#define $ac_func innocuous_$ac_func - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $ac_func (); below. - Prefer <limits.h> to <assert.h> if __STDC__ is defined, since - <limits.h> exists even on freestanding compilers. */ -#ifdef __STDC__ -# include <limits.h> -#else -# include <assert.h> +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" #endif +char socket (); +int +main () +{ +return socket (); + ; + return 0; +} +_ACEOF +for ac_lib in '' socket; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + $as_test_x conftest$ac_exeext + }; then + ac_cv_search_socket=$ac_res +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 -#undef $ac_func + +fi + +rm -rf conftest.dSYM +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext + if test "${ac_cv_search_socket+set}" = set; then + break +fi +done +if test "${ac_cv_search_socket+set}" = set; then + : +else + ac_cv_search_socket=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:$LINENO: result: $ac_cv_search_socket" >&5 +$as_echo "$ac_cv_search_socket" >&6; } +ac_res=$ac_cv_search_socket +if test "$ac_res" != no; then + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + SOCKLIB=$LIBS +else + { $as_echo "$as_me:$LINENO: checking for socket in -lnsl" >&5 +$as_echo_n "checking for socket in -lnsl... " >&6; } +if test "${ac_cv_lib_nsl_socket+set}" = set; then + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnsl -lsocket $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC @@ -13948,18 +14756,11 @@ cat >>conftest.$ac_ext <<_ACEOF #ifdef __cplusplus extern "C" #endif -char $ac_func (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$ac_func || defined __stub___$ac_func -choke me -#endif - +char socket (); int main () { -return $ac_func (); +return socket (); ; return 0; } @@ -13985,34 +14786,87 @@ $as_echo "$ac_try_echo") >&5 test "$cross_compiling" = yes || $as_test_x conftest$ac_exeext }; then - eval "$as_ac_var=yes" + ac_cv_lib_nsl_socket=yes else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 - eval "$as_ac_var=no" + ac_cv_lib_nsl_socket=no fi rm -rf conftest.dSYM rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS fi -ac_res=`eval 'as_val=${'$as_ac_var'} - $as_echo "$as_val"'` - { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -as_val=`eval 'as_val=${'$as_ac_var'} - $as_echo "$as_val"'` - if test "x$as_val" = x""yes; then - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_socket" >&5 +$as_echo "$ac_cv_lib_nsl_socket" >&6; } +if test "x$ac_cv_lib_nsl_socket" = x""yes; then + SOCKLIB="-lsocket -lnsl" +fi + + +fi + + + +LIBS=$saved_LIBS + +{ $as_echo "$as_me:$LINENO: checking for dladdr" >&5 +$as_echo_n "checking for dladdr... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#define _GNU_SOURCE + #include <dlfcn.h> +int +main () +{ +Dl_info* info = 0; + dladdr(0, info); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; }; cat >>confdefs.h <<\_ACEOF +#define HAVE_DLADDR 1 _ACEOF +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; } + fi -done +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -for ac_func in gethostbyname_r + +for ac_func in prctl do as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` { $as_echo "$as_me:$LINENO: checking for $ac_func" >&5 @@ -14114,9 +14968,156 @@ done +for ac_header in sys/sockio.h +do +as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + { $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:$LINENO: checking $ac_header usability" >&5 +$as_echo_n "checking $ac_header usability... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + ac_header_compiler=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_compiler=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:$LINENO: checking $ac_header presence" >&5 +$as_echo_n "checking $ac_header presence... " >&6; } +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then + ac_header_preproc=yes +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi +rm -f conftest.err conftest.$ac_ext +{ $as_echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } -for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +$as_echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { $as_echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +$as_echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + + ;; +esac +{ $as_echo "$as_me:$LINENO: checking for $ac_header" >&5 +$as_echo_n "checking for $ac_header... " >&6; } +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then + $as_echo_n "(cached) " >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +ac_res=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + { $as_echo "$as_me:$LINENO: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + +fi +as_val=`eval 'as_val=${'$as_ac_Header'} + $as_echo "$as_val"'` + if test "x$as_val" = x""yes; then + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + + + + +for ac_header in net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h do as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then @@ -17838,6 +18839,111 @@ fi fi +if test x$integrity_test = xtrue; then + { $as_echo "$as_me:$LINENO: checking for dladdr()" >&5 +$as_echo_n "checking for dladdr()... " >&6; } + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#define _GNU_SOURCE + #include <dlfcn.h> +int +main () +{ +Dl_info info; dladdr(main, &info); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; }; + { { $as_echo "$as_me:$LINENO: error: dladdr() not supported, required by integrity-test!" >&5 +$as_echo "$as_me: error: dladdr() not supported, required by integrity-test!" >&2;} + { (exit 1); exit 1; }; } + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:$LINENO: checking for dl_iterate_phdr()" >&5 +$as_echo_n "checking for dl_iterate_phdr()... " >&6; } + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#define _GNU_SOURCE + #include <link.h> +int +main () +{ +dl_iterate_phdr((void*)0, (void*)0); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext +if { (ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:$LINENO: $ac_try_echo\"" +$as_echo "$ac_try_echo") >&5 + (eval "$ac_compile") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + $as_echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then + { $as_echo "$as_me:$LINENO: result: yes" >&5 +$as_echo "yes" >&6; } +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + { $as_echo "$as_me:$LINENO: result: no" >&5 +$as_echo "no" >&6; }; + { { $as_echo "$as_me:$LINENO: error: dl_iterate_phdr() not supported, required by integrity-test!" >&5 +$as_echo "$as_me: error: dl_iterate_phdr() not supported, required by integrity-test!" >&2;} + { (exit 1); exit 1; }; } + +fi + +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + libstrongswan_plugins= pluto_plugins= @@ -18445,6 +19551,14 @@ else USE_TOOLS_FALSE= fi + if test x$scripts = xtrue; then + USE_SCRIPTS_TRUE= + USE_SCRIPTS_FALSE='#' +else + USE_SCRIPTS_TRUE='#' + USE_SCRIPTS_FALSE= +fi + if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue; then USE_LIBSTRONGSWAN_TRUE= USE_LIBSTRONGSWAN_FALSE='#' @@ -18485,7 +19599,7 @@ _ACEOF fi -ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/fips/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolv_conf/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/charon/plugins/eap_aka/Makefile src/charon/plugins/eap_identity/Makefile src/charon/plugins/eap_md5/Makefile src/charon/plugins/eap_gtc/Makefile src/charon/plugins/eap_sim/Makefile src/charon/plugins/eap_sim_file/Makefile src/charon/plugins/eap_mschapv2/Makefile src/charon/plugins/eap_radius/Makefile src/charon/plugins/kernel_netlink/Makefile src/charon/plugins/kernel_pfkey/Makefile src/charon/plugins/kernel_pfroute/Makefile src/charon/plugins/kernel_klips/Makefile src/charon/plugins/smp/Makefile src/charon/plugins/sql/Makefile src/charon/plugins/medsrv/Makefile src/charon/plugins/medcli/Makefile src/charon/plugins/nm/Makefile src/charon/plugins/uci/Makefile src/charon/plugins/stroke/Makefile src/charon/plugins/updown/Makefile src/charon/plugins/attr/Makefile src/charon/plugins/resolv_conf/Makefile src/charon/plugins/unit_tester/Makefile src/charon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -19083,6 +20197,13 @@ $as_echo "$as_me: error: conditional \"USE_TOOLS\" was never defined. Usually this means the macro was only invoked conditionally." >&2;} { (exit 1); exit 1; }; } fi +if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then + { { $as_echo "$as_me:$LINENO: error: conditional \"USE_SCRIPTS\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +$as_echo "$as_me: error: conditional \"USE_SCRIPTS\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then { { $as_echo "$as_me:$LINENO: error: conditional \"USE_LIBSTRONGSWAN\" was never defined. Usually this means the macro was only invoked conditionally." >&5 @@ -19426,7 +20547,7 @@ exec 6>&1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 4.3.2, which was +This file was extended by strongSwan $as_me 4.3.4, which was generated by GNU Autoconf 2.63. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19480,7 +20601,7 @@ Report bugs to <bug-autoconf@gnu.org>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_version="\\ -strongSwan config.status 4.3.2 +strongSwan config.status 4.3.4 configured by $0, generated by GNU Autoconf 2.63, with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" @@ -19875,7 +20996,6 @@ do "src/libstrongswan/plugins/gcrypt/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcrypt/Makefile" ;; "src/libstrongswan/plugins/agent/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/agent/Makefile" ;; "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;; - "src/libstrongswan/fips/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/fips/Makefile" ;; "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;; "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;; "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;; @@ -19917,6 +21037,7 @@ do "src/libfast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfast/Makefile" ;; "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;; "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;; + "src/checksum/Makefile") CONFIG_FILES="$CONFIG_FILES src/checksum/Makefile" ;; "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;; "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;; diff --git a/configure.in b/configure.in index e97e69139..f677cb622 100644 --- a/configure.in +++ b/configure.in @@ -16,7 +16,7 @@ dnl =========================== dnl initialize & set some vars dnl =========================== -AC_INIT(strongSwan,4.3.2) +AC_INIT(strongSwan,4.3.4) AM_INIT_AUTOMAKE(tar-ustar) AC_SUBST(confdir, '${sysconfdir}') PKG_PROG_PKG_CONFIG @@ -125,14 +125,14 @@ AC_ARG_WITH( AC_ARG_WITH( [user], - AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is 0).]), + AS_HELP_STRING([--with-user=user],[change user of the daemons to "user" after startup (default is "root").]), [AC_DEFINE_UNQUOTED(IPSEC_USER, "$withval") AC_SUBST(ipsecuser, "$withval")], [AC_SUBST(ipsecuser, "root")] ) AC_ARG_WITH( [group], - AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is 0).]), + AS_HELP_STRING([--with-group=group],[change group of the daemons to "group" after startup (default is "root").]), [AC_DEFINE_UNQUOTED(IPSEC_GROUP, "$withval") AC_SUBST(ipsecgroup, "$withval")], [AC_SUBST(ipsecgroup, "root")] ) @@ -588,7 +588,7 @@ AC_ARG_ENABLE( AC_ARG_ENABLE( [integrity-test], - AS_HELP_STRING([--enable-integrity-test],[enable the integrity test of the crypto library (default is NO).]), + AS_HELP_STRING([--enable-integrity-test],[enable integrity testing of libstrongswan and plugins (default is NO).]), [if test x$enableval = xyes; then integrity_test=true fi] @@ -639,6 +639,17 @@ AC_ARG_ENABLE( ) AC_ARG_ENABLE( + [scripts], + AS_HELP_STRING([--disable-scripts],[disable additional utilities (found in directory scripts). (default is NO).]), + [if test x$enableval = xyes; then + scripts=true + else + scripts=false + fi], + scripts=true +) + +AC_ARG_ENABLE( [updown], AS_HELP_STRING([--disable-updown],[disable updown firewall script plugin. (default is NO).]), [if test x$enableval = xyes; then @@ -740,9 +751,10 @@ dnl set up compiler and flags dnl ========================= if test -z "$CFLAGS"; then - AC_SUBST(CFLAGS, "-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing") + CFLAGS="-g -O2 -Wall -Wno-format -Wno-pointer-sign -Wno-strict-aliasing" fi AC_PROG_CC +AC_LIB_PREFIX AC_C_BIGENDIAN dnl ========================= @@ -751,10 +763,42 @@ dnl ========================= AC_PROG_INSTALL AC_PROG_LIBTOOL +AC_PROG_EGREP +AC_PROG_AWK AC_PROG_LEX AC_PROG_YACC -AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) AC_PATH_PROG([PERL], [perl], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) +AC_PATH_PROG([GPERF], [gperf], [], [$PATH:/bin:/usr/bin:/usr/local/bin]) + +dnl because gperf is not needed by end-users we just report it but do not abort on failure +AC_MSG_CHECKING([gperf version >= 3.0.0]) +if test -x "$GPERF"; then + if test "`$GPERF --version | $AWK -F' ' '/^GNU gperf/ { print $3 }' | $AWK -F. '{ print $1 }'`" -ge "3"; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + fi +else + AC_MSG_RESULT([not found]) +fi + +dnl translate user/group to numercial ids +AC_MSG_CHECKING([for uid of user "$ipsecuser"]) +ipsecuid=`id -u $ipsecuser 2>/dev/null` +if test -n "$ipsecuid"; then + AC_MSG_RESULT([$ipsecuid]) + AC_SUBST(ipsecuid) +else + AC_MSG_ERROR([not found]) +fi +AC_MSG_CHECKING([for gid of group "$ipsecgroup"]) +ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` +if test -n "$ipsecgid"; then + AC_MSG_RESULT([$ipsecgid]) + AC_SUBST(ipsecgid) +else + AC_MSG_ERROR([not found]) +fi dnl ========================= dnl dependency calculation @@ -800,13 +844,33 @@ dnl check required libraries and header files dnl =========================================== AC_HEADER_STDBOOL +AC_FUNC_ALLOCA +dnl libraries needed on some platforms but not on others +dnl ==================================================== saved_LIBS=$LIBS + +dnl FreeBSD and Mac OS X have dlopen integrated in libc, Linux needs libdl LIBS="" AC_SEARCH_LIBS(dlopen, dl, [DLLIB=$LIBS]) -LIBS=$saved_LIBS AC_SUBST(DLLIB) +dnl glibc's backtrace() can be replicated on FreeBSD with libexecinfo +LIBS="" +AC_SEARCH_LIBS(backtrace, execinfo, [BTLIB=$LIBS]) +AC_CHECK_FUNCS(backtrace) +AC_SUBST(BTLIB) + +dnl OpenSolaris needs libsocket and libnsl for socket() +LIBS="" +AC_SEARCH_LIBS(socket, socket, [SOCKLIB=$LIBS], + [AC_CHECK_LIB(nsl, socket, [SOCKLIB="-lsocket -lnsl"], [], [-lsocket])] +) +AC_SUBST(SOCKLIB) + +LIBS=$saved_LIBS +dnl ====================== + AC_MSG_CHECKING(for dladdr) AC_TRY_COMPILE( [#define _GNU_SOURCE @@ -817,11 +881,10 @@ AC_TRY_COMPILE( [AC_MSG_RESULT([no])] ) -AC_CHECK_FUNCS(backtrace) AC_CHECK_FUNCS(prctl) -AC_CHECK_FUNCS(gethostbyname_r) -AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h) +AC_CHECK_HEADERS(sys/sockio.h) +AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h) AC_CHECK_MEMBERS([struct sockaddr.sa_len], [], [], [ @@ -1039,6 +1102,25 @@ if test x$capabilities = xlibcap; then AC_CHECK_HEADER([sys/capability.h],,[AC_MSG_ERROR([libcap header sys/capability.h not found!])]) fi +if test x$integrity_test = xtrue; then + AC_MSG_CHECKING([for dladdr()]) + AC_TRY_COMPILE( + [#define _GNU_SOURCE + #include <dlfcn.h>], + [Dl_info info; dladdr(main, &info);], + [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); + AC_MSG_ERROR([dladdr() not supported, required by integrity-test!])] + ) + AC_MSG_CHECKING([for dl_iterate_phdr()]) + AC_TRY_COMPILE( + [#define _GNU_SOURCE + #include <link.h>], + [dl_iterate_phdr((void*)0, (void*)0);], + [AC_MSG_RESULT([yes])], [AC_MSG_RESULT([no]); + AC_MSG_ERROR([dl_iterate_phdr() not supported, required by integrity-test!])] + ) +fi + dnl ====================================== dnl collect all plugins for libstrongswan dnl ====================================== @@ -1210,6 +1292,7 @@ AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue) AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue) AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue) AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue) +AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue) AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue) AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue) @@ -1257,7 +1340,6 @@ AC_OUTPUT( src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile - src/libstrongswan/fips/Makefile src/libfreeswan/Makefile src/pluto/Makefile src/whack/Makefile @@ -1299,6 +1381,7 @@ AC_OUTPUT( src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile + src/checksum/Makefile scripts/Makefile testing/Makefile ) diff --git a/debian/changelog b/debian/changelog index ad23eba11..997d2ac95 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +strongswan (4.3.4-1) unstable; urgency=low + + * New upstream release. + * This release supports integrity checking of libraries, which is + now enabled at build-time and can be enabled at run-time using + libstrongswan { + integrity_test = yes + } + in /etc/strongswan.conf. + * Don't disable internal crypto libraries for pluto. They might be + required when working with older ipsec.conf files. + * charon now supports "include" directives in ipsec.secrets for + compatibility with how the maintainer script includes RSA private keys. + + -- Rene Mayrhofer <rene@mayrhofer.eu.org> Wed, 21 Oct 2009 11:14:56 +0000 + strongswan (4.3.2-1) unstable; urgency=HIGH Urgency high because of security issue and FTBFS. diff --git a/debian/rules b/debian/rules index aaf03f971..8b9219a8e 100755 --- a/debian/rules +++ b/debian/rules @@ -20,9 +20,7 @@ CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \ --enable-openssl --enable-agent \ --enable-eap-radius --enable-eap-identity --enable-eap-md5 \ --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \ - --enable-sql \ - --disable-aes --disable-des --disable-fips-prf --disable-gmp \ - --disable-md5 --disable-sha1 --disable-sha2 \ + --enable-sql --enable-integrity-test \ --enable-nm # Could enable --enable-nat-transport, but this is actually insecure, # so don't! diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 9cd2baa88..63f0242fe 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -96,12 +96,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -166,6 +168,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -206,7 +209,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/Makefile.am b/src/Makefile.am index 09eb13fe3..ebdaa6a63 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -44,8 +44,12 @@ if USE_MEDSRV SUBDIRS += medsrv endif +if USE_INTEGRITY_TEST + SUBDIRS += checksum +endif + EXTRA_DIST = strongswan.conf install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true diff --git a/src/Makefile.in b/src/Makefile.in index 26046e6a1..18da06f7b 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -42,6 +42,7 @@ host_triplet = @host@ @USE_FAST_TRUE@am__append_9 = libfast @USE_MANAGER_TRUE@am__append_10 = manager @USE_MEDSRV_TRUE@am__append_11 = medsrv +@USE_INTEGRITY_TEST_TRUE@am__append_12 = checksum subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -65,15 +66,17 @@ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . include libstrongswan libfreeswan starter ipsec \ _copyright pluto whack charon stroke _updown _updown_espmark \ - openac scepclient dumm libfast manager medsrv + openac scepclient dumm libfast manager medsrv checksum DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -138,6 +141,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -178,7 +182,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -215,7 +221,7 @@ xml_LIBS = @xml_LIBS@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) \ $(am__append_7) $(am__append_8) $(am__append_9) \ - $(am__append_10) $(am__append_11) + $(am__append_10) $(am__append_11) $(am__append_12) EXTRA_DIST = strongswan.conf all: all-recursive @@ -532,7 +538,7 @@ uninstall-am: install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 9f178fdfa..fabc84a29 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -71,12 +71,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -181,7 +184,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index 3db887ef0..60755da69 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -51,12 +51,14 @@ NROFF = nroff MANS = $(dist_man8_MANS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -161,7 +164,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index 2852b7e67..55d3c6b4d 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -51,12 +51,14 @@ NROFF = nroff MANS = $(dist_man8_MANS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -161,7 +164,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 3b5b9c068..dd51555c0 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -2,6 +2,7 @@ ipsec_PROGRAMS = charon charon_SOURCES = \ bus/bus.c bus/bus.h \ +bus/listeners/listener.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ config/backend_manager.c config/backend_manager.h config/backend.h \ @@ -107,7 +108,7 @@ AM_CFLAGS = -rdynamic \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) +charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) $(SOCKLIB) # compile options ################# @@ -128,10 +129,6 @@ if USE_ME sa/tasks/ike_me.c sa/tasks/ike_me.h endif -if USE_INTEGRITY_TEST - AM_CFLAGS += -DINTEGRITY_TEST -endif - if USE_CAPABILITIES charon_LDADD += -lcap endif diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 77884d50e..59c0228f8 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -47,56 +47,55 @@ ipsec_PROGRAMS = charon$(EXEEXT) @USE_ME_TRUE@ sa/mediation_manager.c sa/mediation_manager.h \ @USE_ME_TRUE@ sa/tasks/ike_me.c sa/tasks/ike_me.h -@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST -@USE_CAPABILITIES_TRUE@am__append_5 = -lcap -@USE_LOAD_TESTS_TRUE@am__append_6 = plugins/load_tester -@USE_LOAD_TESTS_TRUE@am__append_7 = load-tester -@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey -@USE_KERNEL_PFKEY_TRUE@am__append_9 = kernel-pfkey -@USE_KERNEL_PFROUTE_TRUE@am__append_10 = plugins/kernel_pfroute -@USE_KERNEL_PFROUTE_TRUE@am__append_11 = kernel-pfroute -@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips -@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips -@USE_KERNEL_NETLINK_TRUE@am__append_14 = plugins/kernel_netlink -@USE_KERNEL_NETLINK_TRUE@am__append_15 = kernel-netlink -@USE_STROKE_TRUE@am__append_16 = plugins/stroke -@USE_STROKE_TRUE@am__append_17 = stroke -@USE_SMP_TRUE@am__append_18 = plugins/smp -@USE_SMP_TRUE@am__append_19 = smp -@USE_SQL_TRUE@am__append_20 = plugins/sql -@USE_SQL_TRUE@am__append_21 = sql -@USE_UPDOWN_TRUE@am__append_22 = plugins/updown -@USE_UPDOWN_TRUE@am__append_23 = updown -@USE_ATTR_TRUE@am__append_24 = plugins/attr -@USE_ATTR_TRUE@am__append_25 = attr -@USE_EAP_IDENTITY_TRUE@am__append_26 = plugins/eap_identity -@USE_EAP_IDENTITY_TRUE@am__append_27 = eapidentity -@USE_EAP_SIM_TRUE@am__append_28 = plugins/eap_sim -@USE_EAP_SIM_TRUE@am__append_29 = eapsim -@USE_EAP_SIM_FILE_TRUE@am__append_30 = plugins/eap_sim_file -@USE_EAP_SIM_FILE_TRUE@am__append_31 = eapsim-file -@USE_EAP_MD5_TRUE@am__append_32 = plugins/eap_md5 -@USE_EAP_MD5_TRUE@am__append_33 = eapmd5 -@USE_EAP_GTC_TRUE@am__append_34 = plugins/eap_gtc -@USE_EAP_GTC_TRUE@am__append_35 = eapgtc -@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka -@USE_EAP_AKA_TRUE@am__append_37 = eapaka -@USE_EAP_MSCHAPV2_TRUE@am__append_38 = plugins/eap_mschapv2 -@USE_EAP_MSCHAPV2_TRUE@am__append_39 = eapmschapv2 -@USE_EAP_RADIUS_TRUE@am__append_40 = plugins/eap_radius -@USE_EAP_RADIUS_TRUE@am__append_41 = eapradius -@USE_MEDSRV_TRUE@am__append_42 = plugins/medsrv -@USE_MEDSRV_TRUE@am__append_43 = medsrv -@USE_MEDCLI_TRUE@am__append_44 = plugins/medcli -@USE_MEDCLI_TRUE@am__append_45 = medcli -@USE_NM_TRUE@am__append_46 = plugins/nm -@USE_NM_TRUE@am__append_47 = nm -@USE_RESOLV_CONF_TRUE@am__append_48 = plugins/resolv_conf -@USE_RESOLV_CONF_TRUE@am__append_49 = resolv-conf -@USE_UCI_TRUE@am__append_50 = plugins/uci -@USE_UCI_TRUE@am__append_51 = uci -@USE_UNIT_TESTS_TRUE@am__append_52 = plugins/unit_tester -@USE_UNIT_TESTS_TRUE@am__append_53 = unit-tester +@USE_CAPABILITIES_TRUE@am__append_4 = -lcap +@USE_LOAD_TESTS_TRUE@am__append_5 = plugins/load_tester +@USE_LOAD_TESTS_TRUE@am__append_6 = load-tester +@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey +@USE_KERNEL_PFKEY_TRUE@am__append_8 = kernel-pfkey +@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute +@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute +@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips +@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips +@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink +@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink +@USE_STROKE_TRUE@am__append_15 = plugins/stroke +@USE_STROKE_TRUE@am__append_16 = stroke +@USE_SMP_TRUE@am__append_17 = plugins/smp +@USE_SMP_TRUE@am__append_18 = smp +@USE_SQL_TRUE@am__append_19 = plugins/sql +@USE_SQL_TRUE@am__append_20 = sql +@USE_UPDOWN_TRUE@am__append_21 = plugins/updown +@USE_UPDOWN_TRUE@am__append_22 = updown +@USE_ATTR_TRUE@am__append_23 = plugins/attr +@USE_ATTR_TRUE@am__append_24 = attr +@USE_EAP_IDENTITY_TRUE@am__append_25 = plugins/eap_identity +@USE_EAP_IDENTITY_TRUE@am__append_26 = eapidentity +@USE_EAP_SIM_TRUE@am__append_27 = plugins/eap_sim +@USE_EAP_SIM_TRUE@am__append_28 = eapsim +@USE_EAP_SIM_FILE_TRUE@am__append_29 = plugins/eap_sim_file +@USE_EAP_SIM_FILE_TRUE@am__append_30 = eapsim-file +@USE_EAP_MD5_TRUE@am__append_31 = plugins/eap_md5 +@USE_EAP_MD5_TRUE@am__append_32 = eapmd5 +@USE_EAP_GTC_TRUE@am__append_33 = plugins/eap_gtc +@USE_EAP_GTC_TRUE@am__append_34 = eapgtc +@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka +@USE_EAP_AKA_TRUE@am__append_36 = eapaka +@USE_EAP_MSCHAPV2_TRUE@am__append_37 = plugins/eap_mschapv2 +@USE_EAP_MSCHAPV2_TRUE@am__append_38 = eapmschapv2 +@USE_EAP_RADIUS_TRUE@am__append_39 = plugins/eap_radius +@USE_EAP_RADIUS_TRUE@am__append_40 = eapradius +@USE_MEDSRV_TRUE@am__append_41 = plugins/medsrv +@USE_MEDSRV_TRUE@am__append_42 = medsrv +@USE_MEDCLI_TRUE@am__append_43 = plugins/medcli +@USE_MEDCLI_TRUE@am__append_44 = medcli +@USE_NM_TRUE@am__append_45 = plugins/nm +@USE_NM_TRUE@am__append_46 = nm +@USE_RESOLV_CONF_TRUE@am__append_47 = plugins/resolv_conf +@USE_RESOLV_CONF_TRUE@am__append_48 = resolv-conf +@USE_UCI_TRUE@am__append_49 = plugins/uci +@USE_UCI_TRUE@am__append_50 = uci +@USE_UNIT_TESTS_TRUE@am__append_51 = plugins/unit_tester +@USE_UNIT_TESTS_TRUE@am__append_52 = unit-tester subdir = src/charon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -108,7 +107,7 @@ CONFIG_CLEAN_FILES = am__installdirs = "$(DESTDIR)$(ipsecdir)" ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) -am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \ +am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \ bus/listeners/file_logger.c bus/listeners/file_logger.h \ bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ config/backend_manager.c config/backend_manager.h \ @@ -289,7 +288,8 @@ charon_OBJECTS = $(am_charon_OBJECTS) am__DEPENDENCIES_1 = charon_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -325,12 +325,14 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \ plugins/resolv_conf plugins/uci plugins/unit_tester DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -395,6 +397,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -435,7 +438,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -469,14 +474,15 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \ - bus/listeners/file_logger.h bus/listeners/sys_logger.c \ - bus/listeners/sys_logger.h config/backend_manager.c \ - config/backend_manager.h config/backend.h config/child_cfg.c \ - config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ - config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h config/auth_cfg.c config/auth_cfg.h \ - config/traffic_selector.c config/traffic_selector.h \ +charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ + bus/listeners/file_logger.c bus/listeners/file_logger.h \ + bus/listeners/sys_logger.c bus/listeners/sys_logger.h \ + config/backend_manager.c config/backend_manager.h \ + config/backend.h config/child_cfg.c config/child_cfg.h \ + config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \ + config/peer_cfg.h config/proposal.c config/proposal.h \ + config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \ + config/traffic_selector.h \ config/attributes/attribute_provider.h \ config/attributes/attribute_handler.h \ config/attributes/attribute_manager.c \ @@ -593,30 +599,30 @@ INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/c AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" \ - -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_4) \ + -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ -DPLUGINS=\""${PLUGINS}\"" charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ - -lpthread -lm $(DLLIB) $(am__append_5) + -lpthread -lm $(DLLIB) $(SOCKLIB) $(am__append_4) # build optional plugins ######################## -SUBDIRS = . $(am__append_6) $(am__append_8) $(am__append_10) \ - $(am__append_12) $(am__append_14) $(am__append_16) \ - $(am__append_18) $(am__append_20) $(am__append_22) \ - $(am__append_24) $(am__append_26) $(am__append_28) \ - $(am__append_30) $(am__append_32) $(am__append_34) \ - $(am__append_36) $(am__append_38) $(am__append_40) \ - $(am__append_42) $(am__append_44) $(am__append_46) \ - $(am__append_48) $(am__append_50) $(am__append_52) -PLUGINS = ${libstrongswan_plugins} $(am__append_7) $(am__append_9) \ +SUBDIRS = . $(am__append_5) $(am__append_7) $(am__append_9) \ $(am__append_11) $(am__append_13) $(am__append_15) \ $(am__append_17) $(am__append_19) $(am__append_21) \ $(am__append_23) $(am__append_25) $(am__append_27) \ $(am__append_29) $(am__append_31) $(am__append_33) \ $(am__append_35) $(am__append_37) $(am__append_39) \ $(am__append_41) $(am__append_43) $(am__append_45) \ - $(am__append_47) $(am__append_49) $(am__append_51) \ - $(am__append_53) + $(am__append_47) $(am__append_49) $(am__append_51) +PLUGINS = ${libstrongswan_plugins} $(am__append_6) $(am__append_8) \ + $(am__append_10) $(am__append_12) $(am__append_14) \ + $(am__append_16) $(am__append_18) $(am__append_20) \ + $(am__append_22) $(am__append_24) $(am__append_26) \ + $(am__append_28) $(am__append_30) $(am__append_32) \ + $(am__append_34) $(am__append_36) $(am__append_38) \ + $(am__append_40) $(am__append_42) $(am__append_44) \ + $(am__append_46) $(am__append_48) $(am__append_50) \ + $(am__append_52) all: all-recursive .SUFFIXES: diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c index bb7014b0b..2671f848e 100644 --- a/src/charon/bus/bus.c +++ b/src/charon/bus/bus.c @@ -117,7 +117,7 @@ static entry_t *entry_create(listener_t *listener, bool blocker) this->listener = listener; this->blocker = blocker; this->calling = 0; - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); return this; } @@ -351,6 +351,41 @@ static void unregister_listener(private_bus_t *this, entry_t *entry, } /** + * Implementation of bus_t.alert + */ +static void alert(private_bus_t *this, alert_t alert, ...) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + va_list args; + bool keep; + + ike_sa = pthread_getspecific(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->alert) + { + continue; + } + entry->calling++; + va_start(args, alert); + keep = entry->listener->alert(entry->listener, ike_sa, alert, args); + va_end(args); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** * Implementation of bus_t.ike_state_change */ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa, @@ -374,7 +409,6 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -409,7 +443,6 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -443,7 +476,6 @@ static void message(private_bus_t *this, message_t *message, bool incoming) if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -476,7 +508,6 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; } } enumerator->destroy(enumerator); @@ -511,7 +542,143 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa, if (!keep) { unregister_listener(this, entry, enumerator); - break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of bus_t.child_updown + */ +static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + bool keep; + + ike_sa = pthread_getspecific(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->child_updown) + { + continue; + } + entry->calling++; + keep = entry->listener->child_updown(entry->listener, + ike_sa, child_sa, up); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of bus_t.child_rekey + */ +static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + entry_t *entry; + bool keep; + + ike_sa = pthread_getspecific(this->thread_sa); + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->child_rekey) + { + continue; + } + entry->calling++; + keep = entry->listener->child_rekey(entry->listener, ike_sa, old, new); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of bus_t.ike_updown + */ +static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up) +{ + enumerator_t *enumerator; + entry_t *entry; + bool keep; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->ike_updown) + { + continue; + } + entry->calling++; + keep = entry->listener->ike_updown(entry->listener, ike_sa, up); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + /* a down event for IKE_SA implicitly downs all CHILD_SAs */ + if (!up) + { + iterator_t *iterator; + child_sa_t *child_sa; + + iterator = ike_sa->create_child_sa_iterator(ike_sa); + while (iterator->iterate(iterator, (void**)&child_sa)) + { + child_updown(this, child_sa, FALSE); + } + iterator->destroy(iterator); + } +} + +/** + * Implementation of bus_t.ike_rekey + */ +static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new) +{ + enumerator_t *enumerator; + entry_t *entry; + bool keep; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->ike_rekey) + { + continue; + } + entry->calling++; + keep = entry->listener->ike_rekey(entry->listener, old, new); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); } } enumerator->destroy(enumerator); @@ -545,7 +712,6 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final) if (!keep) { unregister_listener(this, entry, enumerator); - break; } if (!success) { @@ -580,16 +746,21 @@ bus_t *bus_create() this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa; this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_; this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog; + this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert; this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change; this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change; this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message; this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys; this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys; + this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown; + this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey; + this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown; + this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey; this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize; this->public.destroy = (void(*)(bus_t*)) destroy; this->listeners = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); pthread_key_create(&this->thread_id, NULL); pthread_key_create(&this->thread_sa, NULL); diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h index 5faea088f..9c90db6f9 100644 --- a/src/charon/bus/bus.h +++ b/src/charon/bus/bus.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2006-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ typedef enum debug_t debug_t; typedef enum level_t level_t; -typedef struct listener_t listener_t; +typedef enum alert_t alert_t; typedef struct bus_t bus_t; #include <stdarg.h> @@ -31,6 +31,7 @@ typedef struct bus_t bus_t; #include <sa/ike_sa.h> #include <sa/child_sa.h> #include <processing/jobs/job.h> +#include <bus/listeners/listener.h> /** * Debug message group. @@ -126,105 +127,12 @@ enum level_t { # define DBG4(...) {} #endif /* DBG4 */ - /** - * Listener interface, listens to events if registered to the bus. + * Kind of alerts to raise. */ -struct listener_t { - - /** - * Log a debugging message. - * - * The implementing signal function returns TRUE to stay registered - * to the bus, or FALSE to unregister itself. - * Calling bus_t.log() inside of a registered listener is possible, - * but the bus does not invoke listeners recursively. - * - * @param singal kind of the signal (up, down, rekeyed, ...) - * @param level verbosity level of the signal - * @param thread ID of the thread raised this signal - * @param ike_sa IKE_SA associated to the event - * @param format printf() style format string - * @param args vprintf() style va_list argument list - " @return TRUE to stay registered, FALSE to unregister - */ - bool (*log) (listener_t *this, debug_t group, level_t level, int thread, - ike_sa_t *ike_sa, char* format, va_list args); - - /** - * Handle state changes in an IKE_SA. - * - * @param ike_sa IKE_SA which changes its state - * @param state new IKE_SA state this IKE_SA changes to - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa, - ike_sa_state_t state); - - /** - * Handle state changes in a CHILD_SA. - * - * @param ike_sa IKE_SA containing the affected CHILD_SA - * @param child_sa CHILD_SA which changes its state - * @param state new CHILD_SA state this CHILD_SA changes to - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa, - child_sa_t *child_sa, child_sa_state_t state); - - /** - * Hook called for received/sent messages of an IKE_SA. - * - * @param ike_sa IKE_SA sending/receving a message - * @param message message object - * @param incoming TRUE for incoming messages, FALSE for outgoing - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message, - bool incoming); - - /** - * Hook called with IKE_SA key material. - * - * @param ike_sa IKE_SA this keymat belongs to - * @param dh diffie hellman shared secret - * @param nonce_i initiators nonce - * @param nonce_r responders nonce - * @param rekey IKE_SA we are rekeying, if any - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey); - - /** - * Hook called with CHILD_SA key material. - * - * @param ike_sa IKE_SA the child sa belongs to - * @param child_sa CHILD_SA this keymat is used for - * @param dh diffie hellman shared secret - * @param nonce_i initiators nonce - * @param nonce_r responders nonce - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); - - /** - * Hook called to invoke additional authorization rules. - * - * An authorization hook gets invoked several times: After each - * authentication round, the hook gets invoked with with final = FALSE. - * After authentication is complete and the peer configuration is selected, - * it is invoked again, but with final = TRUE. - * - * @param ike_sa IKE_SA to authorize - * @param auth list of auth_cfg_t, done in peers authentication rounds - * @param final TRUE if this is the final hook invocation - * @param success set to TRUE to complete IKE_SA, FALSE abort - * @return TRUE to stay registered, FALSE to unregister - */ - bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth, - bool final, bool *success); +enum alert_t { + /* a RADIUS server did not respond, no additional arguments */ + ALERT_RADIUS_NOT_RESPONDING, }; /** @@ -307,6 +215,15 @@ struct bus_t { */ void (*vlog)(bus_t *this, debug_t group, level_t level, char* format, va_list args); + + /** + * Raise an alert over the bus. + * + * @param alert kind of alert + * @param ... alert specific attributes + */ + void (*alert)(bus_t *this, alert_t alert, ...); + /** * Send a IKE_SA state change event to the bus. * @@ -361,6 +278,39 @@ struct bus_t { */ void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); + + /** + * IKE_SA up/down hook. + * + * @param ike_sa IKE_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + */ + void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up); + + /** + * IKE_SA rekeying hook. + * + * @param old rekeyed and obsolete IKE_SA + * @param new new IKE_SA replacing old + */ + void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new); + + /** + * CHILD_SA up/down hook. + * + * @param child_sa CHILD_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + */ + void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up); + + /** + * CHILD_SA rekeying hook. + * + * @param old rekeyed and obsolete CHILD_SA + * @param new new CHILD_SA replacing old + */ + void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new); + /** * Destroy the event bus. */ diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h index 7282224a5..a69374f23 100644 --- a/src/charon/bus/listeners/file_logger.h +++ b/src/charon/bus/listeners/file_logger.h @@ -21,9 +21,9 @@ #ifndef FILE_LOGGER_H_ #define FILE_LOGGER_H_ -typedef struct file_logger_t file_logger_t; +#include <bus/listeners/listener.h> -#include <bus/bus.h> +typedef struct file_logger_t file_logger_t; /** * Logger to files which implements listener_t. diff --git a/src/charon/bus/listeners/listener.h b/src/charon/bus/listeners/listener.h new file mode 100644 index 000000000..578f08ebe --- /dev/null +++ b/src/charon/bus/listeners/listener.h @@ -0,0 +1,179 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup listener listener + * @{ @ingroup listeners + */ + +#ifndef LISTENER_H_ +#define LISTENER_H_ + +typedef struct listener_t listener_t; + +#include <bus/bus.h> + +/** + * Listener interface, listens to events if registered to the bus. + */ +struct listener_t { + + /** + * Log a debugging message. + * + * The implementing signal function returns TRUE to stay registered + * to the bus, or FALSE to unregister itself. + * Calling bus_t.log() inside of a registered listener is possible, + * but the bus does not invoke listeners recursively. + * + * @param group kind of the signal (up, down, rekeyed, ...) + * @param level verbosity level of the signal + * @param thread ID of the thread raised this signal + * @param ike_sa IKE_SA associated to the event + * @param format printf() style format string + * @param args vprintf() style va_list argument list + " @return TRUE to stay registered, FALSE to unregister + */ + bool (*log)(listener_t *this, debug_t group, level_t level, int thread, + ike_sa_t *ike_sa, char* format, va_list args); + + /** + * Hook called if a critical alert is risen. + * + * @param ike_sa IKE_SA associated to the alert, if any + * @param alert kind of alert + * @param ... alert specific argument list + " @return TRUE to stay registered, FALSE to unregister + */ + bool (*alert)(listener_t *this, ike_sa_t *ike_sa, + alert_t alert, va_list args); + + /** + * Handle state changes in an IKE_SA. + * + * @param ike_sa IKE_SA which changes its state + * @param state new IKE_SA state this IKE_SA changes to + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa, + ike_sa_state_t state); + + /** + * Handle state changes in a CHILD_SA. + * + * @param ike_sa IKE_SA containing the affected CHILD_SA + * @param child_sa CHILD_SA which changes its state + * @param state new CHILD_SA state this CHILD_SA changes to + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa, child_sa_state_t state); + + /** + * Hook called for received/sent messages of an IKE_SA. + * + * @param ike_sa IKE_SA sending/receving a message + * @param message message object + * @param incoming TRUE for incoming messages, FALSE for outgoing + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming); + + /** + * Hook called with IKE_SA key material. + * + * @param ike_sa IKE_SA this keymat belongs to + * @param dh diffie hellman shared secret + * @param nonce_i initiators nonce + * @param nonce_r responders nonce + * @param rekey IKE_SA we are rekeying, if any + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey); + + /** + * Hook called with CHILD_SA key material. + * + * @param ike_sa IKE_SA the child sa belongs to + * @param child_sa CHILD_SA this keymat is used for + * @param dh diffie hellman shared secret + * @param nonce_i initiators nonce + * @param nonce_r responders nonce + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); + + /** + * Hook called if an IKE_SA gets up or down. + * + * @param ike_sa IKE_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up); + + /** + * Hook called when an IKE_SA gets rekeyed. + * + * @param old rekeyed IKE_SA getting obsolete + * @param new new IKE_SA replacing old + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new); + + /** + * Hook called when a CHILD_SA gets up or down. + * + * @param ike_sa IKE_SA containing the handled CHILD_SA + * @param child_sa CHILD_SA coming up/going down + * @param up TRUE for an up event, FALSE for a down event + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa, bool up); + + /** + * Hook called when an CHILD_SA gets rekeyed. + * + * @param ike_sa IKE_SA containing the rekeyed CHILD_SA + * @param old rekeyed CHILD_SA getting obsolete + * @param new new CHILD_SA replacing old + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa, + child_sa_t *old, child_sa_t *new); + + /** + * Hook called to invoke additional authorization rules. + * + * An authorization hook gets invoked several times: After each + * authentication round, the hook gets invoked with with final = FALSE. + * After authentication is complete and the peer configuration is selected, + * it is invoked again, but with final = TRUE. + * + * @param ike_sa IKE_SA to authorize + * @param auth list of auth_cfg_t, done in peers authentication rounds + * @param final TRUE if this is the final hook invocation + * @param success set to TRUE to complete IKE_SA, FALSE abort + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth, + bool final, bool *success); +}; + +#endif /* LISTENER_ @}*/ diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c index 5bcf28f24..0b579ce92 100644 --- a/src/charon/bus/listeners/sys_logger.c +++ b/src/charon/bus/listeners/sys_logger.c @@ -15,7 +15,6 @@ #include <stdio.h> #include <string.h> -#include <pthread.h> #include "sys_logger.h" diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h index 6eda096a9..3ed0f02fa 100644 --- a/src/charon/bus/listeners/sys_logger.h +++ b/src/charon/bus/listeners/sys_logger.h @@ -21,11 +21,11 @@ #ifndef SYS_LOGGER_H_ #define SYS_LOGGER_H_ -typedef struct sys_logger_t sys_logger_t; - #include <syslog.h> -#include <bus/bus.h> +#include <bus/listeners/listener.h> + +typedef struct sys_logger_t sys_logger_t; /** * Logger for syslog which implements listener_t. diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c index 83e431c43..bf45fdb42 100644 --- a/src/charon/config/attributes/attribute_manager.c +++ b/src/charon/config/attributes/attribute_manager.c @@ -260,7 +260,7 @@ attribute_manager_t *attribute_manager_create() this->providers = linked_list_create(); this->handlers = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c index 3a3a78466..cfd611858 100644 --- a/src/charon/config/backend_manager.c +++ b/src/charon/config/backend_manager.c @@ -438,7 +438,7 @@ backend_manager_t *backend_manager_create() this->public.destroy = (void (*)(backend_manager_t*))destroy; this->backends = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c index 43e41671a..990ee3fd6 100644 --- a/src/charon/config/child_cfg.c +++ b/src/charon/config/child_cfg.c @@ -345,35 +345,6 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca } /** - * Implementation of child_cfg_t.equal_traffic_selectors. - */ -bool equal_traffic_selectors(private_child_cfg_t *this, bool local, - linked_list_t *ts_list, host_t *host) -{ - linked_list_t *this_list; - traffic_selector_t *this_ts, *ts; - bool result; - - this_list = (local) ? this->my_ts : this->other_ts; - - /* currently equality is established for single traffic selectors only */ - if (this_list->get_count(this_list) != 1 || ts_list->get_count(ts_list) != 1) - { - return FALSE; - } - - this_list->get_first(this_list, (void**)&this_ts); - this_ts = this_ts->clone(this_ts); - this_ts->set_address(this_ts, host); - ts_list->get_first(ts_list, (void**)&ts); - - result = ts->equals(ts, this_ts); - - this_ts->destroy(this_ts); - return result; -} - -/** * Implementation of child_cfg_t.get_updown. */ static char* get_updown(private_child_cfg_t *this) @@ -525,7 +496,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, this->public.get_name = (char* (*) (child_cfg_t*))get_name; this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector; this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors; - this->public.equal_traffic_selectors = (bool (*)(child_cfg_t*,bool,linked_list_t*,host_t*))equal_traffic_selectors; this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal; this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals; this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal; diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h index 185fee3da..33c75701c 100644 --- a/src/charon/config/child_cfg.h +++ b/src/charon/config/child_cfg.h @@ -150,18 +150,6 @@ struct child_cfg_t { linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local, linked_list_t *supplied, host_t *host); - - /** - * Checks [single] traffic selectors for equality - * - * @param local TRUE for TS on local side, FALSE for remote - * @param ts list with single traffic selector to compare with - * @param host address to use for narrowing "dynamic" TS', or NULL - * @return TRUE if TS are equal, FALSE otherwise - */ - bool (*equal_traffic_selectors)(child_cfg_t *this, bool local, - linked_list_t *ts_list, host_t *host); - /** * Get the updown script to run for the CHILD_SA. * diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c index da796d6a2..f096f269e 100644 --- a/src/charon/config/peer_cfg.c +++ b/src/charon/config/peer_cfg.c @@ -250,22 +250,46 @@ static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this) } /** - * Check if child_cfg contains traffic selectors + * Check how good a list of TS matches a given child config */ -static int contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts, - host_t *host) +static int get_ts_match(child_cfg_t *cfg, bool local, + linked_list_t *sup_list, host_t *host) { - linked_list_t *selected; - int prio; + linked_list_t *cfg_list; + enumerator_t *sup_enum, *cfg_enum; + traffic_selector_t *sup_ts, *cfg_ts; + int match = 0, round; - if (child->equal_traffic_selectors(child, mine, ts, host)) + /* fetch configured TS list, narrowing dynamic TS */ + cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host); + + /* use a round counter to rate leading TS with higher priority */ + round = sup_list->get_count(sup_list); + + sup_enum = sup_list->create_enumerator(sup_list); + while (sup_enum->enumerate(sup_enum, &sup_ts)) { - return 2; + cfg_enum = cfg_list->create_enumerator(cfg_list); + while (cfg_enum->enumerate(cfg_enum, &cfg_ts)) + { + if (cfg_ts->equals(cfg_ts, sup_ts)) + { /* equality is honored better than matches */ + match += round * 5; + } + else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) || + sup_ts->is_contained_in(sup_ts, cfg_ts)) + { + match += round * 1; + } + } + cfg_enum->destroy(cfg_enum); + round--; } - selected = child->get_traffic_selectors(child, mine, ts, host); - prio = selected->get_count(selected) ? 1 : 0; - selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy)); - return prio; + sup_enum->destroy(sup_enum); + + cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy)); + + return match; } /** @@ -279,21 +303,23 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this, child_cfg_t *current, *found = NULL; enumerator_t *enumerator; int best = 0; - - DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts); + + DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts); enumerator = create_child_cfg_enumerator(this); while (enumerator->enumerate(enumerator, ¤t)) { - int prio = contains_ts(current, TRUE, my_ts, my_host) + - contains_ts(current, FALSE, other_ts, other_host); - - if (prio) + int my_prio, other_prio; + + my_prio = get_ts_match(current, TRUE, my_ts, my_host); + other_prio = get_ts_match(current, FALSE, other_ts, other_host); + + if (my_prio && other_prio) { - DBG2(DBG_CFG, " candidate \"%s\" with prio %d", - current->get_name(current), prio); - if (prio > best) + DBG2(DBG_CFG, " candidate \"%s\" with prio %d+%d", + current->get_name(current), my_prio, other_prio); + if (my_prio + other_prio > best) { - best = prio; + best = my_prio + other_prio; DESTROY_IF(found); found = current->get_ref(current); } @@ -637,7 +663,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->ike_version = ike_version; this->ike_cfg = ike_cfg; this->child_cfgs = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->cert_policy = cert_policy; this->unique = unique; this->keyingtries = keyingtries; diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c index e2dfcca4f..cf7e19605 100644 --- a/src/charon/config/proposal.c +++ b/src/charon/config/proposal.c @@ -266,6 +266,9 @@ static bool is_authenticated_encryption(u_int16_t alg) case ENCR_AES_GCM_ICV8: case ENCR_AES_GCM_ICV12: case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: return TRUE; } return FALSE; diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index 776dbe599..0967cbc81 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -1591,7 +1591,7 @@ credential_manager_t *credential_manager_create() this->cache = cert_cache_create(); this->cache_queue = linked_list_create(); this->sets->insert_first(this->sets, this->cache); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c index 907f5072f..dee0463e6 100644 --- a/src/charon/credentials/sets/cert_cache.c +++ b/src/charon/credentials/sets/cert_cache.c @@ -383,7 +383,7 @@ cert_cache_t *cert_cache_create() this->relations[i].subject = NULL; this->relations[i].issuer = NULL; this->relations[i].hits = 0; - this->relations[i].lock = rwlock_create(RWLOCK_DEFAULT); + this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); } return &this->public; } diff --git a/src/charon/daemon.c b/src/charon/daemon.c index c646ef9b4..0689c448e 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -20,7 +20,9 @@ #ifdef HAVE_PRCTL #include <sys/prctl.h> #endif +#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */ #include <signal.h> +#undef _POSIX_PTHREAD_SEMANTICS #include <pthread.h> #include <sys/stat.h> #include <sys/types.h> @@ -42,10 +44,9 @@ #include <config/traffic_selector.h> #include <config/proposal.h> -#ifdef INTEGRITY_TEST -#include <fips/fips.h> -#include <fips/fips_signature.h> -#endif /* INTEGRITY_TEST */ +#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ +#define LOG_AUTHPRIV LOG_AUTH +#endif typedef struct private_daemon_t private_daemon_t; @@ -469,6 +470,13 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[]) DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")"); + if (lib->integrity) + { + DBG1(DBG_DMN, "integrity tests enabled:"); + DBG1(DBG_DMN, "lib 'libstrongswan': passed file and segment integrity tests"); + DBG1(DBG_DMN, "daemon 'charon': passed file integrity test"); + } + /* load secrets, ca certificates and crls */ this->public.processor = processor_create(); this->public.scheduler = scheduler_create(); @@ -487,19 +495,6 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[]) lib->settings->get_str(lib->settings, "charon.load", PLUGINS)); print_plugins(); - -#ifdef INTEGRITY_TEST - DBG1(DBG_DMN, "integrity test of libstrongswan code"); - if (fips_verify_hmac_signature(hmac_key, hmac_signature)) - { - DBG1(DBG_DMN, " integrity test passed"); - } - else - { - DBG1(DBG_DMN, " integrity test failed"); - return FALSE; - } -#endif /* INTEGRITY_TEST */ this->public.ike_sa_manager = ike_sa_manager_create(); if (this->public.ike_sa_manager == NULL) @@ -686,7 +681,20 @@ int main(int argc, char *argv[]) dbg = dbg_stderr; /* initialize library */ - library_init(STRONGSWAN_CONF); + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "charon", argv[0])) + { + dbg_stderr(1, "integrity check of charon failed"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } + lib->printf_hook->add_handler(lib->printf_hook, 'R', traffic_selector_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, @@ -757,7 +765,7 @@ int main(int argc, char *argv[]) { DBG1(DBG_DMN, "initialization failed - aborting charon"); destroy(private_charon); - exit(-1); + exit(SS_RC_INITIALIZATION_FAILED); } if (check_pidfile()) diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c index 5188b79fe..53ae1d200 100644 --- a/src/charon/kernel/kernel_interface.c +++ b/src/charon/kernel/kernel_interface.c @@ -104,6 +104,19 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi, } /** + * Implementation of kernel_interface_t.query_sa + */ +static status_t query_sa(private_kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) +{ + if (!this->ipsec) + { + return NOT_SUPPORTED; + } + return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes); +} + +/** * Implementation of kernel_interface_t.del_sa */ static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst, @@ -387,6 +400,7 @@ kernel_interface_t *kernel_interface_create() this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h index 8c58c959a..c4a273a34 100644 --- a/src/charon/kernel/kernel_interface.h +++ b/src/charon/kernel/kernel_interface.h @@ -141,6 +141,19 @@ struct kernel_interface_t { bool encap, bool new_encap); /** + * Query the number of bytes processed by an SA from the SAD. + * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param[out] bytes the number of bytes processed by SA + * @return SUCCESS if operation completed + */ + status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + + /** * Delete a previously installed SA from the SAD. * * @param src source address for this SA diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h index 6e8c5bc63..d6438c197 100644 --- a/src/charon/kernel/kernel_ipsec.h +++ b/src/charon/kernel/kernel_ipsec.h @@ -171,6 +171,19 @@ struct kernel_ipsec_t { bool encap, bool new_encap); /** + * Query the number of bytes processed by an SA from the SAD. + * + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param[out] bytes the number of bytes processed by SA + * @return SUCCESS if operation completed + */ + status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, + u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + + /** * Delete a previusly installed SA from the SAD. * * @param src source address for this SA diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c index 4910fe2e8..19f589115 100644 --- a/src/charon/network/sender.c +++ b/src/charon/network/sender.c @@ -139,9 +139,9 @@ sender_t * sender_create() this->public.destroy = (void(*)(sender_t*)) destroy; this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->got = condvar_create(CONDVAR_DEFAULT); - this->sent = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->got = condvar_create(CONDVAR_TYPE_DEFAULT); + this->sent = condvar_create(CONDVAR_TYPE_DEFAULT); this->job = callback_job_create((callback_job_cb_t)send_packets, this, NULL, NULL); diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c index 8627ca76d..97c88be79 100644 --- a/src/charon/network/socket.c +++ b/src/charon/network/socket.c @@ -18,6 +18,10 @@ /* for struct in6_pktinfo */ #define _GNU_SOURCE +#ifdef __sun +#define _XPG4_2 +#define __EXTENSIONS__ +#endif #include <pthread.h> #include <sys/types.h> @@ -34,6 +38,9 @@ #include <netinet/ip6.h> #include <netinet/udp.h> #include <net/if.h> +#ifdef __APPLE__ +#include <sys/sysctl.h> +#endif #include "socket.h" @@ -431,7 +438,6 @@ status_t sender(private_socket_t *this, packet_t *packet) static int open_socket(private_socket_t *this, int family, u_int16_t port) { int on = TRUE; - int type = UDP_ENCAP_ESPINUDP; struct sockaddr_storage addr; socklen_t addrlen; u_int sol, pktinfo = 0; @@ -502,13 +508,18 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port) return 0; } } - - /* enable UDP decapsulation globally, only for one socket needed */ - if (family == AF_INET && port == IKEV2_NATT_PORT && - setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) + +#ifndef __APPLE__ { - DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno)); + /* enable UDP decapsulation globally, only for one socket needed */ + int type = UDP_ENCAP_ESPINUDP; + if (family == AF_INET && port == IKEV2_NATT_PORT && + setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0) + { + DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno)); + } } +#endif return skt; } @@ -611,6 +622,18 @@ socket_t *socket_create() this->ipv6 = 0; this->ipv4_natt = 0; this->ipv6_natt = 0; + +#ifdef __APPLE__ + { + int natt_port = IKEV2_NATT_PORT; + if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port, + sizeof(natt_port)) != 0) + { + DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s", + natt_port, strerror(errno)); + } + } +#endif this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT); if (this->ipv4 == 0) diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am index d5eb99d9f..b4b3b7da6 100644 --- a/src/charon/plugins/attr/Makefile.am +++ b/src/charon/plugins/attr/Makefile.am @@ -6,4 +6,4 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-attr.la libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \ attr_provider.h attr_provider.c -libstrongswan_attr_la_LDFLAGS = -module +libstrongswan_attr_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in index c0467054e..5c94771e1 100644 --- a/src/charon/plugins/attr/Makefile.in +++ b/src/charon/plugins/attr/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-attr.la libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \ attr_provider.h attr_provider.c -libstrongswan_attr_la_LDFLAGS = -module +libstrongswan_attr_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_aka/Makefile.am b/src/charon/plugins/eap_aka/Makefile.am index e1ad1eaf9..1a3ea1857 100644 --- a/src/charon/plugins/eap_aka/Makefile.am +++ b/src/charon/plugins/eap_aka/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapaka.la libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c -libstrongswan_eapaka_la_LDFLAGS = -module +libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version libstrongswan_eapaka_la_LIBADD = -lgmp diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in index 74d49ac73..2d2405379 100644 --- a/src/charon/plugins/eap_aka/Makefile.in +++ b/src/charon/plugins/eap_aka/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapaka.la libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c -libstrongswan_eapaka_la_LDFLAGS = -module +libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version libstrongswan_eapaka_la_LIBADD = -lgmp all: all-am diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am index 1057bd506..547a8dfc5 100644 --- a/src/charon/plugins/eap_gtc/Makefile.am +++ b/src/charon/plugins/eap_gtc/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapgtc.la libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c -libstrongswan_eapgtc_la_LDFLAGS = -module -lpam +libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in index 19d648bbd..46d438a97 100644 --- a/src/charon/plugins/eap_gtc/Makefile.in +++ b/src/charon/plugins/eap_gtc/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapgtc.la libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c -libstrongswan_eapgtc_la_LDFLAGS = -module -lpam +libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_identity/Makefile.am b/src/charon/plugins/eap_identity/Makefile.am index dbf66e74b..79ddee3e8 100644 --- a/src/charon/plugins/eap_identity/Makefile.am +++ b/src/charon/plugins/eap_identity/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapidentity.la libstrongswan_eapidentity_la_SOURCES = \ eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c -libstrongswan_eapidentity_la_LDFLAGS = -module +libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in index f275cd770..0adb9ce10 100644 --- a/src/charon/plugins/eap_identity/Makefile.in +++ b/src/charon/plugins/eap_identity/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-eapidentity.la libstrongswan_eapidentity_la_SOURCES = \ eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c -libstrongswan_eapidentity_la_LDFLAGS = -module +libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_md5/Makefile.am b/src/charon/plugins/eap_md5/Makefile.am index d7964fee9..8bad64368 100644 --- a/src/charon/plugins/eap_md5/Makefile.am +++ b/src/charon/plugins/eap_md5/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapmd5.la libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c -libstrongswan_eapmd5_la_LDFLAGS = -module +libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in index 372b80b3e..c11837b91 100644 --- a/src/charon/plugins/eap_md5/Makefile.in +++ b/src/charon/plugins/eap_md5/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapmd5.la libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c -libstrongswan_eapmd5_la_LDFLAGS = -module +libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am index 6ab931905..179da70fc 100644 --- a/src/charon/plugins/eap_mschapv2/Makefile.am +++ b/src/charon/plugins/eap_mschapv2/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la libstrongswan_eapmschapv2_la_SOURCES = \ eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ eap_mschapv2.h eap_mschapv2.c -libstrongswan_eapmschapv2_la_LDFLAGS = -module +libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in index 5ae41d896..d6dd74b88 100644 --- a/src/charon/plugins/eap_mschapv2/Makefile.in +++ b/src/charon/plugins/eap_mschapv2/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_eapmschapv2_la_SOURCES = \ eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ eap_mschapv2.h eap_mschapv2.c -libstrongswan_eapmschapv2_la_LDFLAGS = -module +libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am index f7de2f14f..df5c94656 100644 --- a/src/charon/plugins/eap_radius/Makefile.am +++ b/src/charon/plugins/eap_radius/Makefile.am @@ -10,5 +10,5 @@ libstrongswan_eapradius_la_SOURCES = \ eap_radius.h eap_radius.c \ radius_client.h radius_client.c \ radius_message.h radius_message.c -libstrongswan_eapradius_la_LDFLAGS = -module +libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in index e7a4cd0f8..c30111fad 100644 --- a/src/charon/plugins/eap_radius/Makefile.in +++ b/src/charon/plugins/eap_radius/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -229,7 +234,7 @@ libstrongswan_eapradius_la_SOURCES = \ radius_client.h radius_client.c \ radius_message.h radius_message.c -libstrongswan_eapradius_la_LDFLAGS = -module +libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c index ee2477440..deb3b648b 100644 --- a/src/charon/plugins/eap_radius/eap_radius.c +++ b/src/charon/plugins/eap_radius/eap_radius.c @@ -66,6 +66,11 @@ struct private_eap_radius_t { * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly */ bool eap_start; + + /** + * Prefix to prepend to EAP identity + */ + char *id_prefix; }; /** @@ -86,18 +91,20 @@ static void add_eap_identity(private_eap_radius_t *this, /** identity data */ u_int8_t data[]; } __attribute__((__packed__)) *hdr; - chunk_t id; + chunk_t id, prefix; size_t len; id = this->peer->get_encoding(this->peer); - len = sizeof(*hdr) + id.len; + prefix = chunk_create(this->id_prefix, strlen(this->id_prefix)); + len = sizeof(*hdr) + prefix.len + id.len; hdr = alloca(len); hdr->code = EAP_RESPONSE; hdr->identifier = 0; hdr->length = htons(len); hdr->type = EAP_IDENTITY; - memcpy(hdr->data, id.ptr, id.len); + memcpy(hdr->data, prefix.ptr, prefix.len); + memcpy(hdr->data + prefix.len, id.ptr, id.len); request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len)); } @@ -136,9 +143,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; + chunk_t username; request = radius_message_create_request(); - request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); + username = chunk_create(this->id_prefix, strlen(this->id_prefix)); + username = chunk_cata("cc", username, this->peer->get_encoding(this->peer)); + request->add(request, RAT_USER_NAME, username); if (this->eap_start) { @@ -283,7 +293,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer this->msk = chunk_empty; this->eap_start = lib->settings->get_bool(lib->settings, "charon.plugins.eap_radius.eap_start", FALSE); - + this->id_prefix = lib->settings->get_str(lib->settings, + "charon.plugins.eap_radius.id_prefix", ""); return &this->public; } diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c index 57d3f8f21..de1bafc6d 100644 --- a/src/charon/plugins/eap_radius/radius_client.c +++ b/src/charon/plugins/eap_radius/radius_client.c @@ -161,8 +161,8 @@ bool radius_client_init() "charon.plugins.eap_radius.sockets", 1); sockets = linked_list_create(); - mutex = mutex_create(MUTEX_DEFAULT); - condvar = condvar_create(CONDVAR_DEFAULT); + mutex = mutex_create(MUTEX_TYPE_DEFAULT); + condvar = condvar_create(CONDVAR_TYPE_DEFAULT); for (i = 0; i < count; i++) { fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP); @@ -353,6 +353,7 @@ static radius_message_t* request(private_radius_client_t *this, } DBG1(DBG_CFG, "RADIUS server is not responding"); put_socket(socket); + charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); return NULL; } diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am index 6cb53ebb5..e503bddab 100644 --- a/src/charon/plugins/eap_sim/Makefile.am +++ b/src/charon/plugins/eap_sim/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \ eap_sim_plugin.h eap_sim_plugin.c -libstrongswan_eapsim_la_LDFLAGS = -module +libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in index 2374567bc..8f6daacad 100644 --- a/src/charon/plugins/eap_sim/Makefile.in +++ b/src/charon/plugins/eap_sim/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \ eap_sim_plugin.h eap_sim_plugin.c -libstrongswan_eapsim_la_LDFLAGS = -module +libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am index fc3a0fa14..1cd1dd9e2 100644 --- a/src/charon/plugins/eap_sim_file/Makefile.am +++ b/src/charon/plugins/eap_sim_file/Makefile.am @@ -10,5 +10,5 @@ libstrongswan_eapsim_file_la_SOURCES = \ eap_sim_file_card.h eap_sim_file_card.c \ eap_sim_file_provider.h eap_sim_file_provider.c \ eap_sim_file_triplets.h eap_sim_file_triplets.c -libstrongswan_eapsim_file_la_LDFLAGS = -module +libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in index 554b3a7bc..b19cc839f 100644 --- a/src/charon/plugins/eap_sim_file/Makefile.in +++ b/src/charon/plugins/eap_sim_file/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -230,7 +235,7 @@ libstrongswan_eapsim_file_la_SOURCES = \ eap_sim_file_provider.h eap_sim_file_provider.c \ eap_sim_file_triplets.h eap_sim_file_triplets.c -libstrongswan_eapsim_file_la_LDFLAGS = -module +libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c index d093851c2..e27ed6860 100644 --- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c +++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c @@ -251,7 +251,7 @@ eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file) this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy; this->triplets = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); read_triplets(this, file); diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am index dc0234775..0c0987cca 100644 --- a/src/charon/plugins/kernel_klips/Makefile.am +++ b/src/charon/plugins/kernel_klips/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h -libstrongswan_kernel_klips_la_LDFLAGS = -module +libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in index a1efe9d5a..4b1c27352 100644 --- a/src/charon/plugins/kernel_klips/Makefile.in +++ b/src/charon/plugins/kernel_klips/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h -libstrongswan_kernel_klips_la_LDFLAGS = -module +libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c index c69ce4c9a..9a903d027 100644 --- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1934,6 +1934,16 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_klips_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + return NOT_SUPPORTED; /* TODO */ +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src, @@ -2609,6 +2619,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -2621,8 +2632,8 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->allocated_spis = linked_list_create(); this->installed_sas = linked_list_create(); this->ipsec_devices = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfkey = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); this->seq = 0; diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am index e0efe5779..6351280d6 100644 --- a/src/charon/plugins/kernel_netlink/Makefile.am +++ b/src/charon/plugins/kernel_netlink/Makefile.am @@ -8,4 +8,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \ kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c -libstrongswan_kernel_netlink_la_LDFLAGS = -module +libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in index b97738bff..46d2a1c65 100644 --- a/src/charon/plugins/kernel_netlink/Makefile.in +++ b/src/charon/plugins/kernel_netlink/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -228,7 +233,7 @@ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c -libstrongswan_kernel_netlink_la_LDFLAGS = -module +libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 9322d8dfe..2051316f6 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -984,16 +984,20 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, break; case ENCR_AES_CCM_ICV16: case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV16: icv_size += 32; /* FALL */ case ENCR_AES_CCM_ICV12: case ENCR_AES_GCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV12: icv_size += 32; /* FALL */ case ENCR_AES_CCM_ICV8: case ENCR_AES_GCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV8: { - rthdr->rta_type = XFRMA_ALG_AEAD; + struct xfrm_algo_aead *algo; + alg_name = lookup_algorithm(encryption_algs, enc_alg); if (alg_name == NULL) { @@ -1004,6 +1008,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); + rthdr->rta_type = XFRMA_ALG_AEAD; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) @@ -1011,7 +1016,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, return FAILED; } - struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); + algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; algo->alg_icv_len = icv_size; strcpy(algo->alg_name, alg_name); @@ -1022,7 +1027,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, } default: { - rthdr->rta_type = XFRMA_ALG_CRYPT; + struct xfrm_algo *algo; + alg_name = lookup_algorithm(encryption_algs, enc_alg); if (alg_name == NULL) { @@ -1033,6 +1039,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); + rthdr->rta_type = XFRMA_ALG_CRYPT; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) @@ -1040,13 +1047,12 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, return FAILED; } - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); + algo = (struct xfrm_algo*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; strcpy(algo->alg_name, alg_name); memcpy(algo->alg_key, enc_key.ptr, enc_key.len); rthdr = XFRM_RTA_NEXT(rthdr); - break; } } @@ -1230,6 +1236,74 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + netlink_buf_t request; + struct nlmsghdr *out = NULL, *hdr; + struct xfrm_usersa_id *sa_id; + struct xfrm_usersa_info *sa = NULL; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST; + hdr->nlmsg_type = XFRM_MSG_GETSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); + + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); + host2xfrm(dst, &sa_id->daddr); + sa_id->spi = spi; + sa_id->proto = proto_ike2kernel(protocol); + sa_id->family = dst->get_family(dst); + + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case XFRM_MSG_NEWSA: + { + sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); + break; + } + case NLMSG_ERROR: + { + struct nlmsgerr *err = NLMSG_DATA(hdr); + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)", + ntohl(spi), strerror(-err->error), -err->error); + break; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + } + + if (sa == NULL) + { + DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + free(out); + return FAILED; + } + *bytes = sa->curlft.bytes; + + free(out); + return SUCCESS; +} +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src, @@ -1888,6 +1962,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -1897,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() /* private members */ this->policies = hashtable_create((hashtable_hash_t)policy_hash, (hashtable_equals_t)policy_equals, 32); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c index 32154a7ea..e5c0b5da7 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1370,8 +1370,8 @@ kernel_netlink_net_t *kernel_netlink_net_create() /* private members */ this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); timerclear(&this->last_roam); this->routing_table = lib->settings->get_int(lib->settings, "charon.routing_table", IPSEC_ROUTING_TABLE); diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c index 7ef7cc56e..ec1187083 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c @@ -255,7 +255,7 @@ netlink_socket_t *netlink_socket_create(int protocol) { /* private members */ this->seq = 200; - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am index c9d66b5de..e03a0ca02 100644 --- a/src/charon/plugins/kernel_pfkey/Makefile.am +++ b/src/charon/plugins/kernel_pfkey/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c -libstrongswan_kernel_pfkey_la_LDFLAGS = -module +libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in index df2492ef7..e01510127 100644 --- a/src/charon/plugins/kernel_pfkey/Makefile.in +++ b/src/charon/plugins/kernel_pfkey/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c -libstrongswan_kernel_pfkey_la_LDFLAGS = -module +libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 56f0320dc..1f83e8f39 100644 --- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -17,6 +17,10 @@ #include <sys/types.h> #include <sys/socket.h> +#ifdef __FreeBSD__ +#include <limits.h> /* for LONG_MAX */ +#endif + #ifdef HAVE_NET_PFKEYV2_H #include <net/pfkeyv2.h> #else @@ -37,11 +41,11 @@ #endif #ifdef HAVE_NATT -#ifdef HAVE_NETINET_UDP_H -#include <netinet/udp.h> -#else +#ifdef HAVE_LINUX_UDP_H #include <linux/udp.h> -#endif /*HAVE_NETINET_UDP_H*/ +#else +#include <netinet/udp.h> +#endif /*HAVE_LINUX_UDP_H*/ #endif /*HAVE_NATT*/ #include <unistd.h> @@ -89,7 +93,7 @@ #define IP_IPSEC_POLICY 16 #endif -/* missing on uclibc */ +/** missing on uclibc */ #ifndef IPV6_IPSEC_POLICY #define IPV6_IPSEC_POLICY 34 #endif @@ -98,6 +102,17 @@ #define PRIO_LOW 3000 #define PRIO_HIGH 2000 +#ifdef __APPLE__ +/** from xnu/bsd/net/pfkeyv2.h */ +#define SADB_X_EXT_NATT 0x002 + struct sadb_sa_2 { + struct sadb_sa sa; + u_int16_t sadb_sa_natt_port; + u_int16_t sadb_reserved0; + u_int32_t sadb_reserved1; + }; +#endif + /** buffer size for PF_KEY messages */ #define PFKEY_BUFFER_SIZE 4096 @@ -467,7 +482,7 @@ static u_int8_t dir2kernel(policy_dir_t dir) return IPSEC_DIR_FWD; #endif default: - return dir; + return IPSEC_DIR_INVALID; } } @@ -693,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) while (len >= PFKEY_LEN(sizeof(struct sadb_ext))) { - DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); + DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) || ext->sadb_ext_len > len) { @@ -740,6 +755,8 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket this->mutex_pfkey->lock(this->mutex_pfkey); + /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367, + * in particular the behavior in response to an SADB_ACQUIRE. */ in->sadb_msg_seq = ++this->seq; in->sadb_msg_pid = getpid(); @@ -801,14 +818,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket } if (msg->sadb_msg_seq != this->seq) { - DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, " - "was %d expected %d", msg->sadb_msg_seq, this->seq); - if (msg->sadb_msg_seq < this->seq) + DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence " + "number, was %d expected %d", msg->sadb_msg_seq, this->seq); + if (msg->sadb_msg_seq == 0) + { + /* FreeBSD and Mac OS X do this for the response to + * SADB_X_SPDGET (but not for the response to SADB_GET). + * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */ + } + else if (msg->sadb_msg_seq < this->seq) { continue; } - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; + else + { + this->mutex_pfkey->unlock(this->mutex_pfkey); + return FAILED; + } } if (msg->sadb_msg_type != in->sadb_msg_type) { @@ -1223,10 +1249,25 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this, msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD; msg->sadb_msg_satype = proto_ike2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + +#ifdef __APPLE__ + if (encap) + { + struct sadb_sa_2 *sa_2; + sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); + sa_2->sadb_sa_natt_port = dst->get_port(dst); + sa = &sa_2->sa; + sa->sadb_sa_flags |= SADB_X_EXT_NATT; + len = sizeof(struct sadb_sa_2); + } + else +#endif + { + sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + len = sizeof(struct sadb_sa); + } sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); + sa->sadb_sa_len = PFKEY_LEN(len); sa->sadb_sa_spi = spi; sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32; sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg); @@ -1403,7 +1444,21 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, msg->sadb_msg_satype = proto_ike2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); +#ifdef __APPLE__ + { + struct sadb_sa_2 *sa_2; + sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); + sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2)); + memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa)); + if (encap) + { + sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst); + sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT; + } + } +#else PFKEY_EXT_COPY(msg, response.sa); +#endif PFKEY_EXT_COPY(msg, response.x_sa2); PFKEY_EXT_COPY(msg, response.src); @@ -1421,7 +1476,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, { PFKEY_EXT_COPY(msg, response.key_auth); } - + #ifdef HAVE_NATT if (new_encap) { @@ -1449,6 +1504,65 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + unsigned char request[PFKEY_BUFFER_SIZE]; + struct sadb_msg *msg, *out; + struct sadb_sa *sa; + pfkey_msg_t response; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + + msg = (struct sadb_msg*)request; + msg->sadb_msg_version = PF_KEY_V2; + msg->sadb_msg_type = SADB_GET; + msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); + + sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + sa->sadb_sa_exttype = SADB_EXT_SA; + sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); + sa->sadb_sa_spi = spi; + PFKEY_EXT_ADD(msg, sa); + + /* the Linux Kernel doesn't care for the src address, but other systems do + * (e.g. FreeBSD) + */ + add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); + add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); + + if (pfkey_send(this, msg, &out, &len) != SUCCESS) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + return FAILED; + } + else if (out->sadb_msg_errno) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", + ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); + free(out); + return FAILED; + } + else if (parse_pfkey_message(out, &response) != SUCCESS) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + free(out); + return FAILED; + } + *bytes = response.lft_current->sadb_lifetime_bytes; + + free(out); + return SUCCESS; +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, @@ -1476,7 +1590,9 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, sa->sadb_sa_spi = spi; PFKEY_EXT_ADD(msg, sa); - /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */ + /* the Linux Kernel doesn't care for the src address, but other systems do + * (e.g. FreeBSD) + */ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); @@ -1518,6 +1634,12 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, pfkey_msg_t response; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return SUCCESS; + } + /* create a policy */ policy = create_policy_entry(src_ts, dst_ts, direction, reqid); @@ -1594,6 +1716,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, policy->dst.mask); +#ifdef __FreeBSD__ + { /* on FreeBSD a lifetime has to be defined to be able to later query + * the current use time. */ + struct sadb_lifetime *lft; + lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); + lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; + lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); + lft->sadb_lifetime_addtime = LONG_MAX; + PFKEY_EXT_ADD(msg, lft); + } +#endif + this->mutex->unlock(this->mutex); if (pfkey_send(this, msg, &out, &len) != SUCCESS) @@ -1700,6 +1834,12 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, pfkey_msg_t response; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return NOT_FOUND; + } + DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); @@ -1764,6 +1904,13 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, free(out); return FAILED; } + else if (response.lft_current == NULL) + { + DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no " + "use time", src_ts, dst_ts, policy_dir_names, direction); + free(out); + return FAILED; + } *use_time = response.lft_current->sadb_lifetime_usetime; @@ -1787,6 +1934,12 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, route_entry_t *route; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return SUCCESS; + } + DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); @@ -1995,6 +2148,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -2004,8 +2158,8 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() /* private members */ this->policies = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfkey = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); this->seq = 0; diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am index 3ad445c09..b6e6587a7 100644 --- a/src/charon/plugins/kernel_pfroute/Makefile.am +++ b/src/charon/plugins/kernel_pfroute/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ kernel_pfroute_net.h kernel_pfroute_net.c -libstrongswan_kernel_pfroute_la_LDFLAGS = -module +libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in index e585a7db2..05da8e271 100644 --- a/src/charon/plugins/kernel_pfroute/Makefile.in +++ b/src/charon/plugins/kernel_pfroute/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ kernel_pfroute_net.h kernel_pfroute_net.c -libstrongswan_kernel_pfroute_la_LDFLAGS = -module +libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c index c2b35a5ce..d5a864b1c 100644 --- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -681,8 +681,8 @@ kernel_pfroute_net_t *kernel_pfroute_net_create() /* private members */ this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfroute = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT); this->seq = 0; diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am index 121f0b080..e6e04229a 100644 --- a/src/charon/plugins/load_tester/Makefile.am +++ b/src/charon/plugins/load_tester/Makefile.am @@ -13,5 +13,5 @@ libstrongswan_load_tester_la_SOURCES = \ load_tester_listener.c load_tester_listener.h \ load_tester_diffie_hellman.c load_tester_diffie_hellman.h -libstrongswan_load_tester_la_LDFLAGS = -module +libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in index 056ac16d3..3b494cea2 100644 --- a/src/charon/plugins/load_tester/Makefile.in +++ b/src/charon/plugins/load_tester/Makefile.in @@ -78,12 +78,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -188,7 +191,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -233,7 +238,7 @@ libstrongswan_load_tester_la_SOURCES = \ load_tester_listener.c load_tester_listener.h \ load_tester_diffie_hellman.c load_tester_diffie_hellman.h -libstrongswan_load_tester_la_LDFLAGS = -module +libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c index d37f7a7bd..e463d2adc 100644 --- a/src/charon/plugins/load_tester/load_tester_ipsec.c +++ b/src/charon/plugins/load_tester/load_tester_ipsec.c @@ -84,6 +84,16 @@ static status_t update_sa(private_load_tester_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + return NOT_SUPPORTED; +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src, @@ -151,6 +161,7 @@ load_tester_ipsec_t *load_tester_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c index 12ac7b090..93ed2e3c5 100644 --- a/src/charon/plugins/load_tester/load_tester_plugin.c +++ b/src/charon/plugins/load_tester/load_tester_plugin.c @@ -202,8 +202,8 @@ plugin_t *plugin_create() shutdown_on = this->iterations * this->initiators; } - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); this->config = load_tester_config_create(); this->creds = load_tester_creds_create(); this->listener = load_tester_listener_create(shutdown_on); diff --git a/src/charon/plugins/medcli/Makefile.am b/src/charon/plugins/medcli/Makefile.am index f15950af9..a5f018f82 100644 --- a/src/charon/plugins/medcli/Makefile.am +++ b/src/charon/plugins/medcli/Makefile.am @@ -8,5 +8,5 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \ medcli_creds.h medcli_creds.c \ medcli_config.h medcli_config.c \ medcli_listener.h medcli_listener.c -libstrongswan_medcli_la_LDFLAGS = -module +libstrongswan_medcli_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in index cef486411..9a2b3f889 100644 --- a/src/charon/plugins/medcli/Makefile.in +++ b/src/charon/plugins/medcli/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \ medcli_config.h medcli_config.c \ medcli_listener.h medcli_listener.c -libstrongswan_medcli_la_LDFLAGS = -module +libstrongswan_medcli_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/medsrv/Makefile.am b/src/charon/plugins/medsrv/Makefile.am index 476da1878..f3611a79e 100644 --- a/src/charon/plugins/medsrv/Makefile.am +++ b/src/charon/plugins/medsrv/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-medsrv.la libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \ medsrv_creds.h medsrv_creds.c \ medsrv_config.h medsrv_config.c -libstrongswan_medsrv_la_LDFLAGS = -module +libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in index ec537e505..ba599499b 100644 --- a/src/charon/plugins/medsrv/Makefile.in +++ b/src/charon/plugins/medsrv/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \ medsrv_creds.h medsrv_creds.c \ medsrv_config.h medsrv_config.c -libstrongswan_medsrv_la_LDFLAGS = -module +libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am index 9a0b48cd2..b74a4e46f 100644 --- a/src/charon/plugins/nm/Makefile.am +++ b/src/charon/plugins/nm/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_nm_la_SOURCES = \ nm_service.h nm_service.c \ nm_creds.h nm_creds.c \ nm_handler.h nm_handler.c -libstrongswan_nm_la_LDFLAGS = -module +libstrongswan_nm_la_LDFLAGS = -module -avoid-version libstrongswan_nm_la_LIBADD = ${nm_LIBS} diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in index a75af8a0f..c7c428c2a 100644 --- a/src/charon/plugins/nm/Makefile.in +++ b/src/charon/plugins/nm/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -228,7 +233,7 @@ libstrongswan_nm_la_SOURCES = \ nm_creds.h nm_creds.c \ nm_handler.h nm_handler.c -libstrongswan_nm_la_LDFLAGS = -module +libstrongswan_nm_la_LDFLAGS = -module -avoid-version libstrongswan_nm_la_LIBADD = ${nm_LIBS} all: all-am diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c index d93b81c9a..4ea2c36dd 100644 --- a/src/charon/plugins/nm/nm_creds.c +++ b/src/charon/plugins/nm/nm_creds.c @@ -322,7 +322,7 @@ nm_creds_t *nm_creds_create() this->public.clear = (void(*)(nm_creds_t*))clear; this->public.destroy = (void(*)(nm_creds_t*))destroy; - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->cert = NULL; this->user = NULL; diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c index bca4d9e09..88a3cc95e 100644 --- a/src/charon/plugins/nm/nm_service.c +++ b/src/charon/plugins/nm/nm_service.c @@ -14,6 +14,7 @@ */ #include <nm-setting-vpn.h> +#include <nm-setting-connection.h> #include "nm_service.h" #include <daemon.h> @@ -25,8 +26,6 @@ #include <stdio.h> -#define CONFIG_NAME "NetworkManager" - G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN) /** @@ -43,6 +42,8 @@ typedef struct { nm_creds_t *creds; /* attribute handler for DNS/NBNS server information */ nm_handler_t *handler; + /* name of the connection */ + char *name; } NMStrongswanPluginPrivate; #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \ @@ -121,14 +122,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin, /** * signal failure to NM, connecting failed */ -static void signal_failure(NMVPNPlugin *plugin) +static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure) { nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler; handler->reset(handler); /* TODO: NM does not handle this failure!? */ - nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); + nm_vpn_plugin_failure(plugin, failure); nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED); } @@ -140,16 +141,10 @@ static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa, { NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; - if (private->ike_sa == ike_sa) + if (private->ike_sa == ike_sa && state == IKE_DESTROYING) { - switch (state) - { - case IKE_DESTROYING: - signal_failure(private->plugin); - return FALSE; - default: - break; - } + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); + return FALSE; } return TRUE; } @@ -161,32 +156,63 @@ static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state) { NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + + if (private->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED); + return FALSE; + } + return TRUE; +} +/** + * Implementation of listener_t.child_updown + */ +static bool child_updown(listener_t *listener, ike_sa_t *ike_sa, + child_sa_t *child_sa, bool up) +{ + NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + if (private->ike_sa == ike_sa) { - switch (state) + if (up) + { /* disable initiate-failure-detection hooks */ + private->listener.ike_state_change = NULL; + private->listener.child_state_change = NULL; + signal_ipv4_config(private->plugin, ike_sa, child_sa); + } + else { - case CHILD_INSTALLED: - signal_ipv4_config(private->plugin, ike_sa, child_sa); - return FALSE; - case CHILD_DESTROYING: - signal_failure(private->plugin); - return FALSE; - default: - break; + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED); + return FALSE; } } return TRUE; } /** + * Implementation of listener_t.ike_rekey + */ +static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new) +{ + NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + + if (private->ike_sa == old) + { /* follow a rekeyed IKE_SA */ + private->ike_sa = new; + } + return TRUE; +} + +/** * Connect function called from NM via DBUS */ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, GError **err) { - nm_creds_t *creds; - NMSettingVPN *settings; + NMStrongswanPluginPrivate *priv; + NMSettingConnection *conn; + NMSettingVPN *vpn; identification_t *user = NULL, *gateway; const char *address, *str; bool virtual, encap, ipcomp; @@ -204,25 +230,34 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * Read parameters */ - settings = NM_SETTING_VPN(nm_connection_get_setting(connection, - NM_TYPE_SETTING_VPN)); - - DBG4(DBG_CFG, "received NetworkManager connection: %s", - nm_setting_to_string(NM_SETTING(settings))); - address = nm_setting_vpn_get_data_item(settings, "address"); + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection, + NM_TYPE_SETTING_CONNECTION)); + vpn = NM_SETTING_VPN(nm_connection_get_setting(connection, + NM_TYPE_SETTING_VPN)); + if (priv->name) + { + free(priv->name); + } + priv->name = strdup(nm_setting_connection_get_id(conn)); + DBG1(DBG_CFG, "received initiate for NetworkManager connection %s", + priv->name); + DBG4(DBG_CFG, "%s", + nm_setting_to_string(NM_SETTING(vpn))); + address = nm_setting_vpn_get_data_item(vpn, "address"); if (!address || !*address) { g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, "Gateway address missing."); return FALSE; } - str = nm_setting_vpn_get_data_item(settings, "virtual"); + str = nm_setting_vpn_get_data_item(vpn, "virtual"); virtual = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "encap"); + str = nm_setting_vpn_get_data_item(vpn, "encap"); encap = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "ipcomp"); + str = nm_setting_vpn_get_data_item(vpn, "ipcomp"); ipcomp = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "method"); + str = nm_setting_vpn_get_data_item(vpn, "method"); if (str) { if (streq(str, "psk")) @@ -243,16 +278,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * Register credentials */ - creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds; - creds->clear(creds); + priv->creds->clear(priv->creds); /* gateway/CA cert */ - str = nm_setting_vpn_get_data_item(settings, "certificate"); + str = nm_setting_vpn_get_data_item(vpn, "certificate"); if (str) { cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, str, BUILD_END); - creds->set_certificate(creds, cert); + priv->creds->set_certificate(priv->creds, cert); } if (!cert) { @@ -279,19 +313,19 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, if (auth_class == AUTH_CLASS_EAP) { /* username/password authentication ... */ - str = nm_setting_vpn_get_data_item(settings, "user"); + str = nm_setting_vpn_get_data_item(vpn, "user"); if (str) { user = identification_create_from_string((char*)str); - str = nm_setting_vpn_get_secret(settings, "password"); - creds->set_username_password(creds, user, (char*)str); + str = nm_setting_vpn_get_secret(vpn, "password"); + priv->creds->set_username_password(priv->creds, user, (char*)str); } } if (auth_class == AUTH_CLASS_PUBKEY) { /* ... or certificate/private key authenitcation */ - str = nm_setting_vpn_get_data_item(settings, "usercert"); + str = nm_setting_vpn_get_data_item(vpn, "usercert"); if (str) { public_key_t *public; @@ -308,7 +342,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, return FALSE; } /* try agent */ - str = nm_setting_vpn_get_secret(settings, "agent"); + str = nm_setting_vpn_get_secret(vpn, "agent"); if (agent && str) { public = cert->get_public_key(cert); @@ -329,14 +363,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, } } /* ... or key file */ - str = nm_setting_vpn_get_data_item(settings, "userkey"); + str = nm_setting_vpn_get_data_item(vpn, "userkey"); if (!agent && str) { chunk_t secret, chunk; bool pgp = FALSE; - secret.ptr = (char*)nm_setting_vpn_get_secret(settings, - "password"); + secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password"); if (secret.ptr) { secret.len = strlen(secret.ptr); @@ -358,7 +391,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { user = cert->get_subject(cert); user = user->clone(user); - creds->set_cert_and_key(creds, cert, private); + priv->creds->set_cert_and_key(priv->creds, cert, private); } else { @@ -382,7 +415,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, */ ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); - peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg, + peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ 36000, 0, /* rekey 10h, reauth none */ 600, 600, /* jitter, over 10min */ @@ -398,11 +431,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, auth->add(auth, AUTH_RULE_IDENTITY, gateway); peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); - child_cfg = child_cfg_create(CONFIG_NAME, + child_cfg = child_cfg_create(priv->name, 10800, 10200, /* lifetime 3h, rekey 2h50min */ 300, /* jitter 5min */ NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ - ACTION_NONE, ACTION_RESTART, ipcomp); + ACTION_NONE, ACTION_NONE, ipcomp); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); @@ -413,7 +446,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, peer_cfg->add_child_cfg(peer_cfg, child_cfg); /** - * Start to initiate + * Prepare IKE_SA */ ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, peer_cfg); @@ -425,21 +458,27 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { peer_cfg->destroy(peer_cfg); } + + /** + * Register listener, enable initiate-failure-detection hooks + */ + priv->ike_sa = ike_sa; + priv->listener.ike_state_change = ike_state_change; + priv->listener.child_state_change = child_state_change; + charon->bus->add_listener(charon->bus, &priv->listener); + + /** + * Initiate + */ if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) { + charon->bus->remove_listener(charon->bus, &priv->listener); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, "Initiating failed."); return FALSE; } - - /** - * Register listener - */ - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->ike_sa = ike_sa; - charon->bus->add_listener(charon->bus, - &NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); return TRUE; } @@ -501,14 +540,16 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, */ static gboolean disconnect(NMVPNPlugin *plugin, GError **err) { + NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); enumerator_t *enumerator; ike_sa_t *ike_sa; u_int id; + /* our ike_sa pointer might be invalid, lookup sa */ enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); while (enumerator->enumerate(enumerator, &ike_sa)) { - if (streq(CONFIG_NAME, ike_sa->get_name(ike_sa))) + if (priv->ike_sa == ike_sa) { id = ike_sa->get_unique_id(ike_sa); enumerator->destroy(enumerator); @@ -529,13 +570,13 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err) */ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin) { - NMStrongswanPluginPrivate *private; + NMStrongswanPluginPrivate *priv; - private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); - private->plugin = NM_VPN_PLUGIN(plugin); - memset(&private->listener.log, 0, sizeof(listener_t)); - private->listener.ike_state_change = ike_state_change; - private->listener.child_state_change = child_state_change; + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + priv->plugin = NM_VPN_PLUGIN(plugin); + memset(&priv->listener.log, 0, sizeof(listener_t)); + priv->listener.child_updown = child_updown; + priv->listener.ike_rekey = ike_rekey; } /** @@ -565,8 +606,12 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds, NULL); if (plugin) { - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds; - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler; + NMStrongswanPluginPrivate *priv; + + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + priv->creds = creds; + priv->handler = handler; + priv->name = NULL; } return plugin; } diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am index 917964f93..be7f862f2 100644 --- a/src/charon/plugins/resolv_conf/Makefile.am +++ b/src/charon/plugins/resolv_conf/Makefile.am @@ -8,6 +8,6 @@ plugin_LTLIBRARIES = libstrongswan-resolv-conf.la libstrongswan_resolv_conf_la_SOURCES = \ resolv_conf_plugin.h resolv_conf_plugin.c \ resolv_conf_handler.h resolv_conf_handler.c -libstrongswan_resolv_conf_la_LDFLAGS = -module +libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in index 91ddae582..19c20467a 100644 --- a/src/charon/plugins/resolv_conf/Makefile.in +++ b/src/charon/plugins/resolv_conf/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -229,7 +234,7 @@ libstrongswan_resolv_conf_la_SOURCES = \ resolv_conf_plugin.h resolv_conf_plugin.c \ resolv_conf_handler.h resolv_conf_handler.c -libstrongswan_resolv_conf_la_LDFLAGS = -module +libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c index 19e3b3275..749cfbc5b 100644 --- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c +++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c @@ -183,7 +183,7 @@ resolv_conf_handler_t *resolv_conf_handler_create() this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release; this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy; - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->file = lib->settings->get_str(lib->settings, "charon.plugins.resolv-conf.file", RESOLV_CONF); diff --git a/src/charon/plugins/smp/Makefile.am b/src/charon/plugins/smp/Makefile.am index 1679f1c68..a434b388b 100644 --- a/src/charon/plugins/smp/Makefile.am +++ b/src/charon/plugins/smp/Makefile.am @@ -5,6 +5,6 @@ AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-smp.la libstrongswan_smp_la_SOURCES = smp.h smp.c -libstrongswan_smp_la_LDFLAGS = -module +libstrongswan_smp_la_LDFLAGS = -module -avoid-version libstrongswan_smp_la_LIBADD = ${xml_LIBS} diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in index f06321ba7..d23d2d001 100644 --- a/src/charon/plugins/smp/Makefile.in +++ b/src/charon/plugins/smp/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CF AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-smp.la libstrongswan_smp_la_SOURCES = smp.h smp.c -libstrongswan_smp_la_LDFLAGS = -module +libstrongswan_smp_la_LDFLAGS = -module -avoid-version libstrongswan_smp_la_LIBADD = ${xml_LIBS} all: all-am diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am index ea39ce0d5..bf4963f29 100644 --- a/src/charon/plugins/sql/Makefile.am +++ b/src/charon/plugins/sql/Makefile.am @@ -10,7 +10,7 @@ plugin_LTLIBRARIES = libstrongswan-sql.la libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \ sql_config.h sql_config.c sql_cred.h sql_cred.c \ sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c -libstrongswan_sql_la_LDFLAGS = -module +libstrongswan_sql_la_LDFLAGS = -module -avoid-version ipsec_PROGRAMS = pool pool_SOURCES = pool.c diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in index 0848ea0dd..f6fd8e4f7 100644 --- a/src/charon/plugins/sql/Makefile.in +++ b/src/charon/plugins/sql/Makefile.in @@ -82,12 +82,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -152,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -192,7 +195,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -237,7 +242,7 @@ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \ sql_config.h sql_config.c sql_cred.h sql_cred.c \ sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c -libstrongswan_sql_la_LDFLAGS = -module +libstrongswan_sql_la_LDFLAGS = -module -avoid-version pool_SOURCES = pool.c pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c index 7d393b6f7..ebcc9adc7 100644 --- a/src/charon/plugins/sql/pool.c +++ b/src/charon/plugins/sql/pool.c @@ -637,8 +637,19 @@ int main(int argc, char *argv[]) } operation = OP_USAGE; dbg = dbg_stderr; - library_init(STRONGSWAN_CONF); atexit(library_deinit); + + /* initialize library */ + if (!library_init(STRONGSWAN_CONF)) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "pool", argv[0])) + { + fprintf(stderr, "integrity check of pool failed\n"); + exit(SS_RC_DAEMON_INTEGRITY); + } lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "pool.load", PLUGINS)); diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c index 95d0d30d4..77601e612 100644 --- a/src/charon/plugins/sql/sql_attribute.c +++ b/src/charon/plugins/sql/sql_attribute.c @@ -92,25 +92,18 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout) } /** - * Lookup a lease + * Look up an existing lease */ -static host_t *get_address(private_sql_attribute_t *this, char *name, - u_int pool, u_int timeout, u_int identity) +static host_t* check_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int identity) { - enumerator_t *e; - u_int id; - chunk_t address; - host_t *host; - time_t now = time(NULL); - - /* We check for leases for that identity first and for other expired - * leases afterwards. We select an address as a candidate, but double - * check if it is still valid in the update. This allows us to work - * without locking. */ - - /* check for an existing lease for that identity */ while (TRUE) { + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + e = this->db->query(this->db, "SELECT id, address FROM addresses " "WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1", @@ -122,11 +115,14 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } address = chunk_clonea(address); e->destroy(e); + if (this->db->execute(this->db, NULL, "UPDATE addresses SET acquired = ?, released = 0 " "WHERE id = ? AND identity = ? AND released != 0", DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0) { + host_t *host; + host = host_create_from_chunk(AF_UNSPEC, address, 0); if (host) { @@ -136,14 +132,43 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } } } - - /* check for an expired lease */ + return NULL; +} + +/** + * We check for unallocated addresses or expired leases. First we select an + * address as a candidate, but double check later on if it is still available + * during the update operation. This allows us to work without locking. + */ +static host_t* get_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int timeout, u_int identity) +{ while (TRUE) { - e = this->db->query(this->db, + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + int hits; + + if (timeout) + { + /* check for an expired lease */ + e = this->db->query(this->db, "SELECT id, address FROM addresses " "WHERE pool = ? AND released != 0 AND released < ? LIMIT 1", DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB); + } + else + { + /* with static leases, check for an unallocated address */ + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND identity = 0 LIMIT 1", + DB_UINT, pool, DB_UINT, DB_BLOB); + + } + if (!e || !e->enumerate(e, &id, &address)) { DESTROY_IF(e); @@ -152,13 +177,27 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, address = chunk_clonea(address); e->destroy(e); - if (this->db->execute(this->db, NULL, - "UPDATE addresses SET " - "acquired = ?, released = 0, identity = ? " - "WHERE id = ? AND released != 0 AND released < ?", - DB_UINT, now, DB_UINT, identity, - DB_UINT, id, DB_UINT, now - timeout) > 0) + if (timeout) + { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND released != 0 AND released < ?", + DB_UINT, now, DB_UINT, identity, + DB_UINT, id, DB_UINT, now - timeout); + } + else { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND identity = 0", + DB_UINT, now, DB_UINT, identity, DB_UINT, id); + } + if (hits > 0) + { + host_t *host; + host = host_create_from_chunk(AF_UNSPEC, address, 0); if (host) { @@ -169,37 +208,75 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } } DBG1(DBG_CFG, "no available address found in pool '%s'", name); - return 0; + return NULL; } /** * Implementation of attribute_provider_t.acquire_address */ static host_t* acquire_address(private_sql_attribute_t *this, - char *name, identification_t *id, + char *names, identification_t *id, host_t *requested) { - enumerator_t *enumerator; - u_int pool, timeout, identity; host_t *address = NULL; - + u_int identity, pool, timeout; + identity = get_identity(this, id); if (identity) { - enumerator = enumerator_create_token(name, ",", " "); - while (enumerator->enumerate(enumerator, &name)) + /* check for a single pool first (no concatenation and enumeration) */ + if (strchr(names, ',') == NULL) { - pool = get_pool(this, name, &timeout); + pool = get_pool(this, names, &timeout); if (pool) { - address = get_address(this, name, pool, timeout, identity); - if (address) + /* check for an existing lease */ + address = check_lease(this, names, pool, identity); + if (address == NULL) + { + /* get an unallocated address or expired lease */ + address = get_lease(this, names, pool, timeout, identity); + } + } + } + else + { + enumerator_t *enumerator; + char *name; + + /* in a first step check for an existing lease over all pools */ + enumerator = enumerator_create_token(names, ",", " "); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, &timeout); + if (pool) + { + address = check_lease(this, name, pool, identity); + if (address) + { + enumerator->destroy(enumerator); + return address; + } + } + } + enumerator->destroy(enumerator); + + /* in a second step get an unallocated address or expired lease */ + enumerator = enumerator_create_token(names, ",", " "); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, &timeout); + if (pool) { - break; + address = get_lease(this, name, pool, timeout, identity); + if (address) + { + break; + } } } + enumerator->destroy(enumerator); } - enumerator->destroy(enumerator); } return address; } diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c index 3e5efce34..e7dfe573b 100644 --- a/src/charon/plugins/sql/sql_config.c +++ b/src/charon/plugins/sql/sql_config.c @@ -295,10 +295,10 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, mediation, mediated_cfg, peer_id); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method); - auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id)); + auth->add(auth, AUTH_RULE_IDENTITY, local_id); peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); auth = auth_cfg_create(); - auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id)); + auth->add(auth, AUTH_RULE_IDENTITY, remote_id); if (eap_type) { auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am index fb58ba62b..79a63f2c2 100644 --- a/src/charon/plugins/stroke/Makefile.am +++ b/src/charon/plugins/stroke/Makefile.am @@ -18,5 +18,5 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \ stroke_list.h stroke_list.c \ stroke_shared_key.h stroke_shared_key.c -libstrongswan_stroke_la_LDFLAGS = -module +libstrongswan_stroke_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in index f246286a0..19822ebc8 100644 --- a/src/charon/plugins/stroke/Makefile.in +++ b/src/charon/plugins/stroke/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -237,7 +242,7 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \ stroke_list.h stroke_list.c \ stroke_shared_key.h stroke_shared_key.c -libstrongswan_stroke_la_LDFLAGS = -module +libstrongswan_stroke_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c index a7925ce3e..d3211fd67 100644 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ b/src/charon/plugins/stroke/stroke_attribute.c @@ -539,7 +539,7 @@ stroke_attribute_t *stroke_attribute_create() this->public.destroy = (void(*)(stroke_attribute_t*))destroy; this->pools = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c index fab06e6c5..c354d8cb8 100644 --- a/src/charon/plugins/stroke/stroke_ca.c +++ b/src/charon/plugins/stroke/stroke_ca.c @@ -447,7 +447,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) this->public.destroy = (void(*)(stroke_ca_t*))destroy; this->sections = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->cred = cred; return &this->public; diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index 028e71e71..0b6a4ac31 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -924,7 +924,7 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) this->public.destroy = (void(*)(stroke_config_t*))destroy; this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->ca = ca; this->cred = cred; diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c index dc73299b8..31bcfe9f4 100644 --- a/src/charon/plugins/stroke/stroke_cred.c +++ b/src/charon/plugins/stroke/stroke_cred.c @@ -16,6 +16,8 @@ #include <sys/stat.h> #include <limits.h> +#include <glob.h> +#include <libgen.h> #include "stroke_cred.h" #include "stroke_shared_key.h" @@ -41,6 +43,8 @@ #define CRL_DIR IPSEC_D_DIR "/crls" #define SECRETS_FILE CONFIG_DIR "/ipsec.secrets" +#define MAX_SECRETS_RECURSION 10 + typedef struct private_stroke_cred_t private_stroke_cred_t; /** @@ -691,7 +695,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line) /** * reload ipsec.secrets */ -static void load_secrets(private_stroke_cred_t *this) +static void load_secrets(private_stroke_cred_t *this, char *file, int level) { size_t bytes; int line_nr = 0; @@ -700,9 +704,9 @@ static void load_secrets(private_stroke_cred_t *this) private_key_t *private; shared_key_t *shared; - DBG1(DBG_CFG, "loading secrets from '%s'", SECRETS_FILE); + DBG1(DBG_CFG, "loading secrets from '%s'", file); - fd = fopen(SECRETS_FILE, "r"); + fd = fopen(file, "r"); if (fd == NULL) { DBG1(DBG_CFG, "opening secrets file '%s' failed"); @@ -719,15 +723,19 @@ static void load_secrets(private_stroke_cred_t *this) src = chunk; this->lock->write_lock(this->lock); - while (this->shared->remove_last(this->shared, - (void**)&shared) == SUCCESS) - { - shared->destroy(shared); - } - while (this->private->remove_last(this->private, - (void**)&private) == SUCCESS) + if (level == 0) { - private->destroy(private); + /* flush secrets on non-recursive invocation */ + while (this->shared->remove_last(this->shared, + (void**)&shared) == SUCCESS) + { + shared->destroy(shared); + } + while (this->private->remove_last(this->private, + (void**)&private) == SUCCESS) + { + private->destroy(private); + } } while (fetchline(&src, &line)) @@ -741,6 +749,66 @@ static void load_secrets(private_stroke_cred_t *this) { continue; } + if (line.len > strlen("include ") && + strneq(line.ptr, "include ", strlen("include "))) + { + glob_t buf; + char **expanded, *dir, pattern[PATH_MAX]; + u_char *pos; + + if (level > MAX_SECRETS_RECURSION) + { + DBG1(DBG_CFG, "maximum level of %d includes reached, ignored", + MAX_SECRETS_RECURSION); + continue; + } + /* terminate filename by space */ + line = chunk_skip(line, strlen("include ")); + pos = memchr(line.ptr, ' ', line.len); + if (pos) + { + line.len = pos - line.ptr; + } + if (line.len && line.ptr[0] == '/') + { + if (line.len + 1 > sizeof(pattern)) + { + DBG1(DBG_CFG, "include pattern too long, ignored"); + continue; + } + snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr); + } + else + { /* use directory of current file if relative */ + dir = strdup(file); + dir = dirname(dir); + + if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern)) + { + DBG1(DBG_CFG, "include pattern too long, ignored"); + free(dir); + continue; + } + snprintf(pattern, sizeof(pattern), "%s/%.*s", + dir, line.len, line.ptr); + free(dir); + } + if (glob(pattern, GLOB_ERR, NULL, &buf) != 0) + { + DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern); + globfree(&buf); + } + else + { + for (expanded = buf.gl_pathv; *expanded != NULL; expanded++) + { + load_secrets(this, *expanded, level + 1); + } + } + globfree(&buf); + continue; + } + if (line.len > 2 && strneq(": ", line.ptr, 2)) { /* no ids, skip the ':' */ @@ -989,7 +1057,7 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg) if (msg->reread.flags & REREAD_SECRETS) { DBG1(DBG_CFG, "rereading secrets"); - load_secrets(this); + load_secrets(this, SECRETS_FILE, 0); } if (msg->reread.flags & REREAD_CACERTS) { @@ -1057,10 +1125,10 @@ stroke_cred_t *stroke_cred_create() this->certs = linked_list_create(); this->shared = linked_list_create(); this->private = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); load_certs(this); - load_secrets(this); + load_secrets(this, SECRETS_FILE, 0); this->cachecrl = FALSE; diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 564a511a1..6f421bd30 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c @@ -146,8 +146,8 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) */ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { - u_int32_t rekey, now = time(NULL); - u_int32_t use_in, use_out; + time_t use_in, use_out, rekey, now = time(NULL); + u_int64_t bytes_in, bytes_out; proposal_t *proposal; child_cfg_t *config = child_sa->get_config(child_sa); @@ -205,6 +205,20 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) } } } + + child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in); + fprintf(out, ", %llu bytes_i", bytes_in); + if (use_in) + { + fprintf(out, " (%ds ago)", now - use_in); + } + + child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out); + fprintf(out, ", %llu bytes_o", bytes_out); + if (use_out) + { + fprintf(out, " (%ds ago)", now - use_out); + } fprintf(out, ", rekeying "); rekey = child_sa->get_lifetime(child_sa, FALSE); @@ -224,25 +238,6 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) fprintf(out, "disabled"); } - fprintf(out, ", last use: "); - use_in = child_sa->get_usetime(child_sa, TRUE); - if (use_in) - { - fprintf(out, "%ds_i ", now - use_in); - } - else - { - fprintf(out, "no_i "); - } - use_out = child_sa->get_usetime(child_sa, FALSE); - if (use_out) - { - fprintf(out, "%ds_o ", now - use_out); - } - else - { - fprintf(out, "no_o "); - } } } diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c index f61171e22..9b6a8a3a7 100644 --- a/src/charon/plugins/stroke/stroke_socket.c +++ b/src/charon/plugins/stroke/stroke_socket.c @@ -27,6 +27,7 @@ #include <processing/jobs/callback_job.h> #include <daemon.h> +#include <utils/mutex.h> /* for Mac OS X compatible accept */ #include "stroke_config.h" #include "stroke_control.h" diff --git a/src/charon/plugins/uci/Makefile.am b/src/charon/plugins/uci/Makefile.am index 0136bf5e9..9fdbfb709 100644 --- a/src/charon/plugins/uci/Makefile.am +++ b/src/charon/plugins/uci/Makefile.am @@ -8,7 +8,7 @@ libstrongswan_uci_la_SOURCES = \ uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \ uci_config.h uci_config.c uci_creds.h uci_creds.c \ uci_control.h uci_control.c -libstrongswan_uci_la_LDFLAGS = -module +libstrongswan_uci_la_LDFLAGS = -module -avoid-version libstrongswan_uci_la_LIBADD = -luci diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in index e599135cb..c4fb335d7 100644 --- a/src/charon/plugins/uci/Makefile.in +++ b/src/charon/plugins/uci/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_uci_la_SOURCES = \ uci_config.h uci_config.c uci_creds.h uci_creds.c \ uci_control.h uci_control.c -libstrongswan_uci_la_LDFLAGS = -module +libstrongswan_uci_la_LDFLAGS = -module -avoid-version libstrongswan_uci_la_LIBADD = -luci all: all-am diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am index 50c5e0362..64846f995 100644 --- a/src/charon/plugins/unit_tester/Makefile.am +++ b/src/charon/plugins/unit_tester/Makefile.am @@ -20,5 +20,5 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \ tests/test_agent.c \ tests/test_id.c -libstrongswan_unit_tester_la_LDFLAGS = -module +libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in index 2ee5e48d8..0bf0cf301 100644 --- a/src/charon/plugins/unit_tester/Makefile.in +++ b/src/charon/plugins/unit_tester/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -241,7 +246,7 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \ tests/test_agent.c \ tests/test_id.c -libstrongswan_unit_tester_la_LDFLAGS = -module +libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h index dcf2a5d18..b99940c1a 100644 --- a/src/charon/plugins/unit_tester/tests.h +++ b/src/charon/plugins/unit_tester/tests.h @@ -36,5 +36,8 @@ DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE) DEFINE_TEST("IP pool", test_pool, FALSE) DEFINE_TEST("SSH agent", test_agent, FALSE) DEFINE_TEST("ID parts", test_id_parts, FALSE) +DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE) +DEFINE_TEST("ID equals", test_id_equals, FALSE) +DEFINE_TEST("ID matches", test_id_matches, FALSE) /** @}*/ diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c index 56dab2421..a1ef76be8 100644 --- a/src/charon/plugins/unit_tester/tests/test_id.c +++ b/src/charon/plugins/unit_tester/tests/test_id.c @@ -67,3 +67,183 @@ bool test_id_parts() return TRUE; } +/******************************************************************************* + * identification contains_wildcards() test + ******************************************************************************/ + +static bool test_id_wildcards_has(char *string) +{ + identification_t *id; + bool contains; + + id = identification_create_from_string(string); + contains = id->contains_wildcards(id); + id->destroy(id); + return contains; +} + +bool test_id_wildcards() +{ + if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw")) + { + return FALSE; + } + if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*")) + { + return FALSE; + } + if (test_id_wildcards_has("C=**, O=a*, CN=*a")) + { + return FALSE; + } + if (!test_id_wildcards_has("*@strongswan.org")) + { + return FALSE; + } + if (!test_id_wildcards_has("*.strongswan.org")) + { + return FALSE; + } + return TRUE; +} + +/******************************************************************************* + * identification equals test + ******************************************************************************/ + +static bool test_id_equals_one(identification_t *a, char *b_str) +{ + identification_t *b; + bool equals; + + b = identification_create_from_string(b_str); + equals = a->equals(a, b); + b->destroy(b); + return equals; +} + +bool test_id_equals() +{ + identification_t *a; + chunk_t encoding, fuzzed; + int i; + + a = identification_create_from_string( + "C=CH, E=martin@strongswan.org, CN=martin"); + + if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin")) + { + return FALSE; + } + encoding = chunk_clone(a->get_encoding(a)); + a->destroy(a); + + /* simple fuzzing, increment each byte of encoding */ + for (i = 0; i < encoding.len; i++) + { + if (i == 11 || i == 30 || i == 62) + { /* skip ASN.1 type fields, as equals() handles them graceful */ + continue; + } + fuzzed = chunk_clone(encoding); + fuzzed.ptr[i]++; + a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed); + if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + a->destroy(a); + free(fuzzed.ptr); + } + + /* and decrement each byte of encoding */ + for (i = 0; i < encoding.len; i++) + { + if (i == 11 || i == 30 || i == 62) + { + continue; + } + fuzzed = chunk_clone(encoding); + fuzzed.ptr[i]--; + a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed); + if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + a->destroy(a); + free(fuzzed.ptr); + } + free(encoding.ptr); + return TRUE; +} + +/******************************************************************************* + * identification matches test + ******************************************************************************/ + +static id_match_t test_id_matches_one(identification_t *a, char *b_str) +{ + identification_t *b; + id_match_t match; + + b = identification_create_from_string(b_str); + match = a->matches(a, b); + b->destroy(b); + return match; +} + +bool test_id_matches() +{ + identification_t *a; + + a = identification_create_from_string( + "C=CH, E=martin@strongswan.org, CN=martin"); + + if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin") + != ID_MATCH_PERFECT) + { + return FALSE; + } + if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD) + { + return FALSE; + } + if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE) + { + return FALSE; + } + a->destroy(a); + return TRUE; +} diff --git a/src/charon/plugins/unit_tester/tests/test_mutex.c b/src/charon/plugins/unit_tester/tests/test_mutex.c index a305d5082..cb315276b 100644 --- a/src/charon/plugins/unit_tester/tests/test_mutex.c +++ b/src/charon/plugins/unit_tester/tests/test_mutex.c @@ -65,7 +65,7 @@ bool test_mutex() int i; pthread_t threads[THREADS]; - mutex = mutex_create(MUTEX_RECURSIVE); + mutex = mutex_create(MUTEX_TYPE_RECURSIVE); for (i = 0; i < 10; i++) { diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am index de60d9fbf..fe6e0bb52 100644 --- a/src/charon/plugins/updown/Makefile.am +++ b/src/charon/plugins/updown/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-updown.la libstrongswan_updown_la_SOURCES = \ updown_plugin.h updown_plugin.c \ updown_listener.h updown_listener.c -libstrongswan_updown_la_LDFLAGS = -module +libstrongswan_updown_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in index d0aac79f9..b1b6fb497 100644 --- a/src/charon/plugins/updown/Makefile.in +++ b/src/charon/plugins/updown/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_updown_la_SOURCES = \ updown_plugin.h updown_plugin.c \ updown_listener.h updown_listener.c -libstrongswan_updown_la_LDFLAGS = -module +libstrongswan_updown_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c index 82b4643eb..f4beb5abd 100644 --- a/src/charon/processing/jobs/callback_job.c +++ b/src/charon/processing/jobs/callback_job.c @@ -182,7 +182,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data, this->public.cancel = (void(*)(callback_job_t*))cancel; /* private variables */ - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->callback = cb; this->data = data; this->cleanup = cleanup; diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c index eb1db331b..4a3943323 100644 --- a/src/charon/processing/processor.c +++ b/src/charon/processing/processor.c @@ -240,9 +240,9 @@ processor_t *processor_create(size_t pool_size) this->public.destroy = (void(*)(processor_t*))destroy; this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->job_added = condvar_create(CONDVAR_DEFAULT); - this->thread_terminated = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT); + this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT); this->total_threads = 0; this->desired_threads = 0; this->idle_threads = 0; diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c index b3633f263..1f59205af 100644 --- a/src/charon/processing/scheduler.c +++ b/src/charon/processing/scheduler.c @@ -347,8 +347,8 @@ scheduler_t * scheduler_create() this->heap_size = HEAP_SIZE_DEFAULT; this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*)); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c index b8316036e..24a4fd6ed 100644 --- a/src/charon/sa/authenticators/eap/eap_manager.c +++ b/src/charon/sa/authenticators/eap/eap_manager.c @@ -163,7 +163,7 @@ eap_manager_t *eap_manager_create() this->public.destroy = (void(*)(eap_manager_t*))destroy; this->methods = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index 9202e972e..14d174ab5 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -136,6 +136,26 @@ struct private_child_sa_t { * config used to create this child */ child_cfg_t *config; + + /** + * time of last use in seconds (inbound) + */ + u_int32_t my_usetime; + + /** + * time of last use in seconds (outbound) + */ + u_int32_t other_usetime; + + /** + * last number of inbound bytes + */ + u_int64_t my_usebytes; + + /** + * last number of outbound bytes + */ + u_int64_t other_usebytes; }; /** @@ -355,20 +375,72 @@ static enumerator_t* create_policy_enumerator(private_child_sa_t *this) } /** - * Implementation of child_sa_t.get_usetime + * update the cached usebytes + * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs + * are available, and NOT_SUPPORTED if the kernel interface does not support + * querying the usebytes. + */ +static status_t update_usebytes(private_child_sa_t *this, bool inbound) +{ + status_t status = FAILED; + u_int64_t bytes; + + if (inbound) + { + if (this->my_spi) + { + status = charon->kernel_interface->query_sa( + charon->kernel_interface, + this->other_addr, this->my_addr, + this->my_spi, this->protocol, &bytes); + if (status == SUCCESS) + { + if (bytes > this->my_usebytes) + { + this->my_usebytes = bytes; + return SUCCESS; + } + return FAILED; + } + } + } + else + { + if (this->other_spi) + { + status = charon->kernel_interface->query_sa( + charon->kernel_interface, + this->my_addr, this->other_addr, + this->other_spi, this->protocol, &bytes); + if (status == SUCCESS) + { + if (bytes > this->other_usebytes) + { + this->other_usebytes = bytes; + return SUCCESS; + } + return FAILED; + } + } + } + return status; +} + +/** + * updates the cached usetime */ -static u_int32_t get_usetime(private_child_sa_t *this, bool inbound) +static void update_usetime(private_child_sa_t *this, bool inbound) { enumerator_t *enumerator; traffic_selector_t *my_ts, *other_ts; u_int32_t last_use = 0; - + enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { u_int32_t in, out, fwd; - if (inbound) + if (inbound) { if (charon->kernel_interface->query_policy(charon->kernel_interface, other_ts, my_ts, POLICY_IN, &in) == SUCCESS) @@ -394,7 +466,42 @@ static u_int32_t get_usetime(private_child_sa_t *this, bool inbound) } } enumerator->destroy(enumerator); - return last_use; + + if (last_use == 0) + { + return; + } + if (inbound) + { + this->my_usetime = last_use; + } + else + { + this->other_usetime = last_use; + } +} + +/** + * Implementation of child_sa_t.get_usestats + */ +static void get_usestats(private_child_sa_t *this, bool inbound, + time_t *time, u_int64_t *bytes) +{ + if (update_usebytes(this, inbound) != FAILED) + { + /* there was traffic since last update or the kernel interface + * does not support querying the number of usebytes. + */ + update_usetime(this, inbound); + } + if (time) + { + *time = inbound ? this->my_usetime : this->other_usetime; + } + if (bytes) + { + *bytes = inbound ? this->my_usebytes : this->other_usebytes; + } } /** @@ -566,13 +673,13 @@ static status_t add_policies(private_child_sa_t *this, * Implementation of child_sa_t.update. */ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, - host_t *vip, bool encap) + host_t *vip, bool encap) { child_sa_state_t old; bool transport_proxy_mode; /* anything changed at all? */ - if (me->equals(me, this->my_addr) && + if (me->equals(me, this->my_addr) && other->equals(other, this->other_addr) && this->encap == encap) { return SUCCESS; @@ -661,7 +768,7 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, me, other, my_ts, other_ts, POLICY_OUT, this->other_spi, this->protocol, this->reqid, this->mode, this->ipcomp, this->other_cpi, FALSE); - charon->kernel_interface->add_policy(charon->kernel_interface, + charon->kernel_interface->add_policy(charon->kernel_interface, other, me, other_ts, my_ts, POLICY_IN, this->my_spi, this->protocol, this->reqid, this->mode, this->ipcomp, this->my_cpi, FALSE); @@ -775,7 +882,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal; this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal; this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime; - this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime; + this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats; this->public.has_encap = (bool(*)(child_sa_t*))has_encap; this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp; this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp; @@ -798,6 +905,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->encap = encap; this->ipcomp = IPCOMP_NONE; this->state = CHILD_CREATED; + this->my_usetime = 0; + this->other_usetime = 0; + this->my_usebytes = 0; + this->other_usebytes = 0; /* reuse old reqid if we are rekeying an existing CHILD_SA */ this->reqid = rekey ? rekey : ++reqid; this->my_ts = linked_list_create(); @@ -810,7 +921,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->config = config; config->get_ref(config); - /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ + /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ if (config->get_mode(config) == MODE_TRANSPORT && config->use_proxy_mode(config)) { @@ -837,7 +948,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, host = host_create_from_chunk(family, addr, 0); free(addr.ptr); DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H", - this->my_addr, host); + this->my_addr, host); this->my_addr->destroy(this->my_addr); this->my_addr = host; } @@ -858,7 +969,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, host = host_create_from_chunk(family, addr, 0); free(addr.ptr); DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H", - this->other_addr, host); + this->other_addr, host); this->other_addr->destroy(this->other_addr); this->other_addr = host; } diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h index ec9b36dab..698da8bc7 100644 --- a/src/charon/sa/child_sa.h +++ b/src/charon/sa/child_sa.h @@ -85,11 +85,11 @@ extern enum_name_t *child_sa_state_names; /** * Represents an IPsec SAs between two hosts. - * + * * A child_sa_t contains two SAs. SAs for both * directions are managed in one child_sa_t object. Both * SAs and the policies have the same reqid. - * + * * The procedure for child sa setup is as follows: * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc * - A send the proposals with the allocated SPIs to B @@ -98,7 +98,7 @@ extern enum_name_t *child_sa_state_names; * - B calls child_sa_t.install for both, the allocated and received SPI * - B sends the proposal with the allocated SPI to A * - A calls child_sa_t.install for both, the allocated and recevied SPI - * + * * Once SAs are set up, policies can be added using add_policies. */ struct child_sa_t { @@ -112,7 +112,7 @@ struct child_sa_t { /** * Get the reqid of the CHILD SA. - * + * * Every CHILD_SA has a reqid. The kernel uses this ID to * identify it. * @@ -131,19 +131,19 @@ struct child_sa_t { * Get the state of the CHILD_SA. * * @return CHILD_SA state - */ + */ child_sa_state_t (*get_state) (child_sa_t *this); /** * Set the state of the CHILD_SA. * * @param state state to set on CHILD_SA - */ + */ void (*set_state) (child_sa_t *this, child_sa_state_t state); /** * Get the SPI of this CHILD_SA. - * + * * Set the boolean parameter inbound to TRUE to * get the SPI for which we receive packets, use * FALSE to get those we use for sending packets. @@ -155,7 +155,7 @@ struct child_sa_t { /** * Get the CPI of this CHILD_SA. - * + * * Set the boolean parameter inbound to TRUE to * get the CPI for which we receive packets, use * FALSE to get those we use for sending packets. @@ -202,7 +202,7 @@ struct child_sa_t { /** * Set the IPComp algorithm to use. - * + * * @param ipcomp the IPComp transform to use */ void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp); @@ -219,7 +219,7 @@ struct child_sa_t { * * @param proposal selected proposal */ - void (*set_proposal)(child_sa_t *this, proposal_t *proposal); + void (*set_proposal)(child_sa_t *this, proposal_t *proposal); /** * Check if this CHILD_SA uses UDP encapsulation. @@ -237,19 +237,21 @@ struct child_sa_t { u_int32_t (*get_lifetime)(child_sa_t *this, bool hard); /** - * Get last use time of the CHILD_SA. + * Get last use time and the number of bytes processed. * - * @param inbound TRUE for inbound traffic, FALSE for outbound - * @return time of last use in seconds + * @param inbound TRUE for inbound traffic, FALSE for outbound + * @param[out] time time of last use in seconds (NULL to ignore) + * @param[out] bytes number of processed bytes (NULL to ignore) */ - u_int32_t (*get_usetime)(child_sa_t *this, bool inbound); + void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time, + u_int64_t *bytes); /** * Get the traffic selectors list added for one side. * * @param local TRUE for own traffic selectors, FALSE for remote * @return list of traffic selectors - */ + */ linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local); /** @@ -296,7 +298,7 @@ struct child_sa_t { * @param my_ts traffic selectors for local site * @param other_ts traffic selectors for remote site * @return SUCCESS or FAILED - */ + */ status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list); /** diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c index a1b037de4..f26cf9405 100644 --- a/src/charon/sa/connect_manager.c +++ b/src/charon/sa/connect_manager.c @@ -1568,7 +1568,7 @@ connect_manager_t *connect_manager_create() this->checklists = linked_list_create(); this->initiated = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return (connect_manager_t*)this; } diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 6b7fa3582..be973a2ce 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -260,7 +260,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound) { enumerator_t *enumerator; child_sa_t *child_sa; - time_t use_time; + time_t use_time, current; if (inbound) { @@ -273,7 +273,8 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound) enumerator = this->child_sas->create_enumerator(this->child_sas); while (enumerator->enumerate(enumerator, &child_sa)) { - use_time = max(use_time, child_sa->get_usetime(child_sa, inbound)); + child_sa->get_usestats(child_sa, inbound, ¤t, NULL); + use_time = max(use_time, current); } enumerator->destroy(enumerator); @@ -1169,7 +1170,8 @@ static status_t initiate(private_ike_sa_t *this, #endif /* ME */ { /* normal IKE_SA with CHILD_SA */ - task = (task_t*)child_create_create(&this->public, child_cfg, tsi, tsr); + task = (task_t*)child_create_create(&this->public, child_cfg, FALSE, + tsi, tsr); child_cfg->destroy(child_cfg); if (reqid) { @@ -1747,6 +1749,7 @@ static status_t roam(private_ike_sa_t *this, bool address) { case IKE_CREATED: case IKE_DELETING: + case IKE_DESTROYING: case IKE_PASSIVE: return SUCCESS; default: @@ -1775,10 +1778,46 @@ static status_t roam(private_ike_sa_t *this, bool address) DBG2(DBG_IKE, "keeping connection path %H - %H", src, this->other_host); src->destroy(src); + set_condition(this, COND_STALE, FALSE); + return SUCCESS; + } + src->destroy(src); + + } + else + { + /* check if we find a route at all */ + enumerator_t *enumerator; + host_t *addr; + + src = charon->kernel_interface->get_source_addr(charon->kernel_interface, + this->other_host, NULL); + if (!src) + { + enumerator = this->additional_addresses->create_enumerator( + this->additional_addresses); + while (enumerator->enumerate(enumerator, &addr)) + { + DBG1(DBG_IKE, "looking for a route to %H ...", addr); + src = charon->kernel_interface->get_source_addr( + charon->kernel_interface, addr, NULL); + if (src) + { + break; + } + } + enumerator->destroy(enumerator); + } + if (!src) + { + DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred", + this->other_host); + set_condition(this, COND_STALE, TRUE); return SUCCESS; } src->destroy(src); } + set_condition(this, COND_STALE, FALSE); /* update addresses with mobike, if supported ... */ if (supports_extension(this, EXT_MOBIKE)) diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index b751bda0c..41d7a7976 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -127,6 +127,11 @@ enum ike_condition_t { * Local peer is the "original" IKE initiator. Unaffected from rekeying. */ COND_ORIGINAL_INITIATOR = (1<<6), + + /** + * IKE_SA is stale, the peer is currently unreachable (MOBIKE) + */ + COND_STALE = (1<<7), }; /** diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index efe7c228c..ec1a7f741 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -133,7 +133,7 @@ static entry_t *entry_create() entry_t *this = malloc_thing(entry_t); this->waiting_threads = 0; - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); /* we set checkout flag when we really give it out */ this->checked_out = FALSE; @@ -1050,7 +1050,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, enumerator_t *enumerator; entry_t *entry; ike_sa_t *ike_sa = NULL; - peer_cfg_t *current_cfg; + peer_cfg_t *current_peer; + ike_cfg_t *current_ike; u_int segment; if (!this->reuse_ikesa) @@ -1072,14 +1073,18 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, continue; } - current_cfg = entry->ike_sa->get_peer_cfg(entry->ike_sa); - if (current_cfg && current_cfg->equals(current_cfg, peer_cfg)) + current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa); + if (current_peer && current_peer->equals(current_peer, peer_cfg)) { - DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config", - current_cfg->get_name(current_cfg)); - entry->checked_out = TRUE; - ike_sa = entry->ike_sa; - break; + current_ike = current_peer->get_ike_cfg(current_peer); + if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) + { + DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config", + current_peer->get_name(current_peer)); + entry->checked_out = TRUE; + ike_sa = entry->ike_sa; + break; + } } } enumerator->destroy(enumerator); @@ -1554,6 +1559,17 @@ static void flush(private_ike_sa_manager_t *this) while (enumerator->enumerate(enumerator, &entry, &segment)) { charon->bus->set_sa(charon->bus, entry->ike_sa); + /* as the delete never gets processed, fire down events */ + switch (entry->ike_sa->get_state(entry->ike_sa)) + { + case IKE_ESTABLISHED: + case IKE_REKEYING: + case IKE_DELETING: + charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE); + break; + default: + break; + } entry->ike_sa->delete(entry->ike_sa); } enumerator->destroy(enumerator); @@ -1695,7 +1711,7 @@ ike_sa_manager_t *ike_sa_manager_create() this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t)); for (i = 0; i < this->segment_count; ++i) { - this->segments[i].mutex = mutex_create(MUTEX_RECURSIVE); + this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->segments[i].count = 0; } @@ -1704,7 +1720,7 @@ ike_sa_manager_t *ike_sa_manager_create() this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); for (i = 0; i < this->segment_count; ++i) { - this->half_open_segments[i].lock = rwlock_create(RWLOCK_DEFAULT); + this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->half_open_segments[i].count = 0; } @@ -1713,7 +1729,7 @@ ike_sa_manager_t *ike_sa_manager_create() this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); for (i = 0; i < this->segment_count; ++i) { - this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_DEFAULT); + this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->connected_peers_segments[i].count = 0; } diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c index 117d260ba..46fb79587 100644 --- a/src/charon/sa/keymat.c +++ b/src/charon/sa/keymat.c @@ -419,6 +419,9 @@ static bool derive_child_keys(private_keymat_t *this, case ENCR_AES_CCM_ICV8: case ENCR_AES_CCM_ICV12: case ENCR_AES_CCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV16: enc_size += 3; break; case ENCR_AES_GCM_ICV8: diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c index 890e567c7..a69c00173 100644 --- a/src/charon/sa/mediation_manager.c +++ b/src/charon/sa/mediation_manager.c @@ -331,7 +331,7 @@ mediation_manager_t *mediation_manager_create() this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register; this->peers = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return (mediation_manager_t*)this; } diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c index 2cd9532eb..f33fcd6d4 100644 --- a/src/charon/sa/task_manager.c +++ b/src/charon/sa/task_manager.c @@ -220,6 +220,10 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) { DBG1(DBG_IKE, "giving up after %d retransmits", this->initiating.retransmitted - 1); + if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) + { + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } return DESTROY_ME; } @@ -240,6 +244,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) { DBG1(DBG_IKE, "giving up after %d path probings", this->initiating.retransmitted - 1); + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -431,6 +436,12 @@ static status_t build_request(private_task_manager_t *this) break; case FAILED: default: + if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING) + { + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } + /* FALL */ + case DESTROY_ME: /* critical failure, destroy IKE_SA */ iterator->destroy(iterator); message->destroy(message); @@ -451,6 +462,7 @@ static status_t build_request(private_task_manager_t *this) * close the SA */ message->destroy(message); flush(this); + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -474,6 +486,7 @@ static status_t process_response(private_task_manager_t *this, DBG1(DBG_IKE, "received %N response, but expected %N", exchange_type_names, message->get_exchange_type(message), exchange_type_names, this->initiating.type); + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -494,6 +507,9 @@ static status_t process_response(private_task_manager_t *this, break; case FAILED: default: + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + /* FALL */ + case DESTROY_ME: /* critical failure, destroy IKE_SA */ iterator->remove(iterator); iterator->destroy(iterator); @@ -604,6 +620,9 @@ static status_t build_response(private_task_manager_t *this, message_t *request) break; case FAILED: default: + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + /* FALL */ + case DESTROY_ME: /* destroy IKE_SA, but SEND response first */ delete = TRUE; break; @@ -631,6 +650,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request) message->destroy(message); if (status != SUCCESS) { + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); return DESTROY_ME; } @@ -678,7 +698,8 @@ static status_t process_request(private_task_manager_t *this, this->passive_tasks->insert_last(this->passive_tasks, task); task = (task_t*)ike_config_create(this->ike_sa, FALSE); this->passive_tasks->insert_last(this->passive_tasks, task); - task = (task_t*)child_create_create(this->ike_sa, NULL, NULL, NULL); + task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE, + NULL, NULL); this->passive_tasks->insert_last(this->passive_tasks, task); task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE); this->passive_tasks->insert_last(this->passive_tasks, task); @@ -726,8 +747,8 @@ static status_t process_request(private_task_manager_t *this, } else { - task = (task_t*)child_create_create(this->ike_sa, - NULL, NULL, NULL); + task = (task_t*)child_create_create(this->ike_sa, NULL, + FALSE, NULL, NULL); } } else @@ -831,6 +852,9 @@ static status_t process_request(private_task_manager_t *this, break; case FAILED: default: + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + /* FALL */ + case DESTROY_ME: /* critical failure, destroy IKE_SA */ iterator->remove(iterator); iterator->destroy(iterator); diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c index f51443738..558938f2e 100644 --- a/src/charon/sa/tasks/child_create.c +++ b/src/charon/sa/tasks/child_create.c @@ -158,6 +158,11 @@ struct private_child_create_t { * successfully established the CHILD? */ bool established; + + /** + * whether the CHILD_SA rekeys an existing one + */ + bool rekey; }; /** @@ -249,7 +254,7 @@ static bool allocate_spi(private_child_create_t *this) */ static status_t select_and_install(private_child_create_t *this, bool no_dh) { - status_t status; + status_t status, status_i, status_o; chunk_t nonce_i, nonce_r; chunk_t encr_i = chunk_empty, encr_r = chunk_empty; chunk_t integ_i = chunk_empty, integ_r = chunk_empty; @@ -401,22 +406,22 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) this->my_cpi = this->other_cpi = 0; this->ipcomp = IPCOMP_NONE; } - status = FAILED; + status_i = status_o = FAILED; if (this->keymat->derive_child_keys(this->keymat, this->proposal, this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r)) { if (this->initiator) { - status = this->child_sa->install(this->child_sa, encr_r, integ_r, + status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, this->my_spi, this->my_cpi, TRUE); - status = this->child_sa->install(this->child_sa, encr_i, integ_i, + status_o = this->child_sa->install(this->child_sa, encr_i, integ_i, this->other_spi, this->other_cpi, FALSE); } else { - status = this->child_sa->install(this->child_sa, encr_i, integ_i, + status_i = this->child_sa->install(this->child_sa, encr_i, integ_i, this->my_spi, this->my_cpi, TRUE); - status = this->child_sa->install(this->child_sa, encr_r, integ_r, + status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, this->other_spi, this->other_cpi, FALSE); } } @@ -425,9 +430,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) chunk_clear(&encr_i); chunk_clear(&encr_r); - if (status != SUCCESS) + if (status_i != SUCCESS || status_o != SUCCESS) { - DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel"); + DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel", + (status_i != SUCCESS) ? "inbound " : "", + (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "", + (status_o != SUCCESS) ? "outbound " : ""); return FAILED; } @@ -939,7 +947,11 @@ static status_t build_r(private_child_create_t *this, message_t *message) ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), this->child_sa->get_traffic_selectors(this->child_sa, TRUE), this->child_sa->get_traffic_selectors(this->child_sa, FALSE)); - + + if (!this->rekey) + { /* invoke the child_up() hook if we are not rekeying */ + charon->bus->child_updown(charon->bus, this->child_sa, TRUE); + } return SUCCESS; } @@ -1052,6 +1064,11 @@ static status_t process_i(private_child_create_t *this, message_t *message) ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), this->child_sa->get_traffic_selectors(this->child_sa, TRUE), this->child_sa->get_traffic_selectors(this->child_sa, FALSE)); + + if (!this->rekey) + { /* invoke the child_up() hook if we are not rekeying */ + charon->bus->child_updown(charon->bus, this->child_sa, TRUE); + } } else { @@ -1174,7 +1191,8 @@ static void destroy(private_child_create_t *this) /* * Described in header. */ -child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, +child_create_t *child_create_create(ike_sa_t *ike_sa, + child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr) { private_child_create_t *this = malloc_thing(private_child_create_t); @@ -1222,6 +1240,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, this->other_cpi = 0; this->reqid = 0; this->established = FALSE; + this->rekey = rekey; return &this->public; } diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h index ce2829a9a..41f4fe2c8 100644 --- a/src/charon/sa/tasks/child_create.h +++ b/src/charon/sa/tasks/child_create.h @@ -71,11 +71,13 @@ struct child_create_t { * * @param ike_sa IKE_SA this task works for * @param config child_cfg if task initiator, NULL if responder + * @param rekey whether we do a rekey or not * @param tsi source of triggering packet, or NULL * @param tsr destination of triggering packet, or NULL * @return child_create task to handle by the task_manager */ -child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, +child_create_t *child_create_create(ike_sa_t *ike_sa, + child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr); #endif /** CHILD_CREATE_H_ @}*/ diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c index 0d89c148e..7abb07a84 100644 --- a/src/charon/sa/tasks/child_delete.c +++ b/src/charon/sa/tasks/child_delete.c @@ -52,11 +52,16 @@ struct private_child_delete_t { u_int32_t spi; /** - * wheter to enforce delete action policy + * whether to enforce delete action policy */ bool check_delete_action; /** + * is this delete exchange following a rekey? + */ + bool rekeyed; + + /** * CHILD_SAs which get deleted */ linked_list_t *child_sas; @@ -148,6 +153,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message) switch (child_sa->get_state(child_sa)) { case CHILD_REKEYING: + this->rekeyed = TRUE; /* we reply as usual, rekeying will fail */ break; case CHILD_DELETING: @@ -190,6 +196,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { + /* signal child down event if we are not rekeying */ + if (!this->rekeyed) + { + charon->bus->child_updown(charon->bus, child_sa, FALSE); + } spi = child_sa->get_spi(child_sa, TRUE); protocol = child_sa->get_protocol(child_sa); child_cfg = child_sa->get_config(child_sa); @@ -229,15 +240,19 @@ static void log_children(private_child_delete_t *this) { iterator_t *iterator; child_sa_t *child_sa; + u_int64_t bytes_in, bytes_out; iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->iterate(iterator, (void**)&child_sa)) { + child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in); + child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out); + DBG0(DBG_IKE, "closing CHILD_SA %s{%d} " - "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", + "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R", child_sa->get_name(child_sa), child_sa->get_reqid(child_sa), - ntohl(child_sa->get_spi(child_sa, TRUE)), - ntohl(child_sa->get_spi(child_sa, FALSE)), + ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in, + ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out, child_sa->get_traffic_selectors(child_sa, TRUE), child_sa->get_traffic_selectors(child_sa, FALSE)); } @@ -258,7 +273,10 @@ static status_t build_i(private_child_delete_t *this, message_t *message) return SUCCESS; } this->child_sas->insert_last(this->child_sas, child_sa); - + if (child_sa->get_state(child_sa) == CHILD_REKEYING) + { + this->rekeyed = TRUE; + } log_children(this); build_payloads(this, message); return NEED_MORE; @@ -359,6 +377,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol, this->child_sas = linked_list_create(); this->protocol = protocol; this->spi = spi; + this->rekeyed = FALSE; if (protocol != PROTO_NONE) { diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c index 6ab00dc5b..601e054ea 100644 --- a/src/charon/sa/tasks/child_rekey.c +++ b/src/charon/sa/tasks/child_rekey.c @@ -157,7 +157,8 @@ static status_t build_i(private_child_rekey_t *this, message_t *message) /* ... our CHILD_CREATE task does the hard work for us. */ reqid = this->child_sa->get_reqid(this->child_sa); - this->child_create = child_create_create(this->ike_sa, config, NULL, NULL); + this->child_create = child_create_create(this->ike_sa, config, TRUE, + NULL, NULL); this->child_create->use_reqid(this->child_create, reqid); this->child_create->task.build(&this->child_create->task, message); @@ -207,6 +208,10 @@ static status_t build_r(private_child_rekey_t *this, message_t *message) } this->child_sa->set_state(this->child_sa, CHILD_REKEYING); + + /* invoke rekey hook */ + charon->bus->child_rekey(charon->bus, this->child_sa, + this->child_create->get_child(this->child_create)); return SUCCESS; } @@ -303,6 +308,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) } } + if (to_delete != this->child_create->get_child(this->child_create)) + { /* invoke rekey hook if rekeying successful */ + charon->bus->child_rekey(charon->bus, this->child_sa, + this->child_create->get_child(this->child_create)); + } + spi = to_delete->get_spi(to_delete, TRUE); protocol = to_delete->get_protocol(to_delete); @@ -416,7 +427,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol, this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; this->initiator = FALSE; - this->child_create = child_create_create(ike_sa, NULL, NULL, NULL); + this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL); } this->ike_sa = ike_sa; diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c index 8d6cd56bd..d0b2a7e91 100644 --- a/src/charon/sa/tasks/ike_auth.c +++ b/src/charon/sa/tasks/ike_auth.c @@ -738,6 +738,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); + charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); return SUCCESS; } return NEED_MORE; @@ -916,6 +917,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->ike_sa->get_my_id(this->ike_sa), this->ike_sa->get_other_host(this->ike_sa), this->ike_sa->get_other_id(this->ike_sa)); + charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE); return SUCCESS; } return NEED_MORE; diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c index f308a6358..cde117934 100644 --- a/src/charon/sa/tasks/ike_delete.c +++ b/src/charon/sa/tasks/ike_delete.c @@ -21,7 +21,7 @@ typedef struct private_ike_delete_t private_ike_delete_t; -/**file +/** * Private members of a ike_delete_t task. */ struct private_ike_delete_t { @@ -42,6 +42,11 @@ struct private_ike_delete_t { bool initiator; /** + * are we deleting a rekeyed SA? + */ + bool rekeyed; + + /** * are we responding to a delete, but have initated our own? */ bool simultaneous; @@ -64,6 +69,11 @@ static status_t build_i(private_ike_delete_t *this, message_t *message) delete_payload = delete_payload_create(PROTO_IKE); message->add_payload(message, (payload_t*)delete_payload); + + if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING) + { + this->rekeyed = TRUE; + } this->ike_sa->set_state(this->ike_sa, IKE_DELETING); DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]", @@ -79,8 +89,12 @@ static status_t build_i(private_ike_delete_t *this, message_t *message) static status_t process_i(private_ike_delete_t *this, message_t *message) { DBG0(DBG_IKE, "IKE_SA deleted"); - /* completed, delete IKE_SA by returning FAILED */ - return FAILED; + if (!this->rekeyed) + { /* invoke ike_down() hook if SA has not been rekeyed */ + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } + /* completed, delete IKE_SA by returning DESTROY_ME */ + return DESTROY_ME; } /** @@ -106,14 +120,17 @@ static status_t process_r(private_ike_delete_t *this, message_t *message) case IKE_ESTABLISHED: this->ike_sa->set_state(this->ike_sa, IKE_DELETING); this->ike_sa->reestablish(this->ike_sa); + return NEED_MORE; + case IKE_REKEYING: + this->rekeyed = TRUE; break; case IKE_DELETING: this->simultaneous = TRUE; - /* FALL */ + break; default: - this->ike_sa->set_state(this->ike_sa, IKE_DELETING); break; } + this->ike_sa->set_state(this->ike_sa, IKE_DELETING); return NEED_MORE; } @@ -129,8 +146,12 @@ static status_t build_r(private_ike_delete_t *this, message_t *message) /* wait for peer's response for our delete request, but set a timeout */ return SUCCESS; } - /* completed, delete IKE_SA by returning FAILED */ - return FAILED; + if (!this->rekeyed) + { /* invoke ike_down() hook if SA has not been rekeyed */ + charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); + } + /* completed, delete IKE_SA by returning DESTROY_ME */ + return DESTROY_ME; } /** @@ -182,6 +203,7 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator) this->ike_sa = ike_sa; this->initiator = initiator; + this->rekeyed = FALSE; this->simultaneous = FALSE; return &this->public; diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index bead408a6..3a049b566 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c @@ -367,6 +367,8 @@ static void destroy(private_ike_rekey_t *this) if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED && this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME) { + /* invoke hook if rekeying was successful */ + charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa); charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa); } else diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h index f9b409f35..3d2014599 100644 --- a/src/charon/sa/tasks/task.h +++ b/src/charon/sa/tasks/task.h @@ -100,7 +100,8 @@ struct task_t { * * @param message message to add payloads to * @return - * - FAILED if a critical error occured + * - FAILED if a critical error occured + * - DESTROY_ME if IKE_SA has been properly deleted * - NEED_MORE if another call to build/process needed * - SUCCESS if task completed */ @@ -112,6 +113,7 @@ struct task_t { * @param message message to read payloads from * @return * - FAILED if a critical error occured + * - DESTROY_ME if IKE_SA has been properly deleted * - NEED_MORE if another call to build/process needed * - SUCCESS if task completed */ diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c index a74fab93f..570335eb4 100644 --- a/src/charon/sa/trap_manager.c +++ b/src/charon/sa/trap_manager.c @@ -156,6 +156,10 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer, me->destroy(me); other->destroy(other); + /* while we don't know the finally negotiated protocol (ESP|AH), we + * could iterate all proposals for a best guest (TODO). But as we + * support ESP only for now, we set here. */ + child_sa->set_protocol(child_sa, PROTO_ESP); child_sa->set_mode(child_sa, child->get_mode(child)); status = child_sa->add_policies(child_sa, my_ts, other_ts); my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); @@ -358,7 +362,7 @@ trap_manager_t *trap_manager_create() this->public.destroy = (void(*)(trap_manager_t*))destroy; this->traps = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); /* register listener for IKE state changes */ this->listener.traps = this; diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am new file mode 100644 index 000000000..bd42c231f --- /dev/null +++ b/src/checksum/Makefile.am @@ -0,0 +1,36 @@ +ipsec_LTLIBRARIES = libchecksum.la +noinst_PROGRAMS = checksum_builder + +nodist_libchecksum_la_SOURCES = checksum.c +libchecksum_la_LDFLAGS = -module -avoid-version + +checksum_builder_SOURCES = checksum_builder.c +checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la + +BUILT_SOURCES = checksum.c +CLEANFILES = checksum.c +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic + +libs = $(shell find $(top_builddir)/src/libstrongswan $(top_builddir)/src/charon \ + -name 'libstrongswan*.so') + +if USE_CHARON + libs += $(top_builddir)/src/charon/.libs/charon +endif + +if USE_PLUTO + libs += $(top_builddir)/src/pluto/.libs/pluto +endif + +if USE_TOOLS + libs += $(top_builddir)/src/openac/.libs/openac + libs += $(top_builddir)/src/scepclient/.libs/scepclient +endif + +if USE_SQL + libs += $(top_builddir)/src/charon/plugins/sql/.libs/pool +endif + +checksum.c : checksum_builder $(libs) + ./checksum_builder $(libs) > checksum.c diff --git a/src/libstrongswan/fips/Makefile.in b/src/checksum/Makefile.in index cdced9423..4d38df2dd 100644 --- a/src/libstrongswan/fips/Makefile.in +++ b/src/checksum/Makefile.in @@ -14,6 +14,7 @@ @SET_MAKE@ + VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -32,10 +33,14 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -noinst_PROGRAMS = fips_signer$(EXEEXT) -@USE_SHA1_TRUE@am__append_1 = -DUSE_SHA1 -@USE_OPENSSL_TRUE@am__append_2 = -DUSE_OPENSSL -subdir = src/libstrongswan/fips +noinst_PROGRAMS = checksum_builder$(EXEEXT) +@USE_CHARON_TRUE@am__append_1 = $(top_builddir)/src/charon/.libs/charon +@USE_PLUTO_TRUE@am__append_2 = $(top_builddir)/src/pluto/.libs/pluto +@USE_TOOLS_TRUE@am__append_3 = \ +@USE_TOOLS_TRUE@ $(top_builddir)/src/openac/.libs/openac \ +@USE_TOOLS_TRUE@ $(top_builddir)/src/scepclient/.libs/scepclient +@USE_SQL_TRUE@am__append_4 = $(top_builddir)/src/charon/plugins/sql/.libs/pool +subdir = src/checksum DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.in @@ -43,10 +48,26 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(ipsecdir)" +ipsecLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(ipsec_LTLIBRARIES) +libchecksum_la_LIBADD = +nodist_libchecksum_la_OBJECTS = checksum.lo +libchecksum_la_OBJECTS = $(nodist_libchecksum_la_OBJECTS) +libchecksum_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libchecksum_la_LDFLAGS) $(LDFLAGS) -o $@ PROGRAMS = $(noinst_PROGRAMS) -am_fips_signer_OBJECTS = fips_signer.$(OBJEXT) -fips_signer_OBJECTS = $(am_fips_signer_OBJECTS) -fips_signer_DEPENDENCIES = ../libstrongswan.la +am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT) +checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS) +checksum_builder_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -59,18 +80,20 @@ CCLD = $(CC) LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ -SOURCES = $(fips_signer_SOURCES) -DIST_SOURCES = $(fips_signer_SOURCES) +SOURCES = $(nodist_libchecksum_la_SOURCES) $(checksum_builder_SOURCES) +DIST_SOURCES = $(checksum_builder_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -135,6 +158,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -175,7 +199,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -209,14 +235,19 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -fips_signer_SOURCES = fips_signer.c -fips_signer_LDADD = ../libstrongswan.la -BUILT_SOURCES = fips_signature.h -CLEANFILES = fips_signature.h fips_signer +ipsec_LTLIBRARIES = libchecksum.la +nodist_libchecksum_la_SOURCES = checksum.c +libchecksum_la_LDFLAGS = -module -avoid-version +checksum_builder_SOURCES = checksum_builder.c +checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +BUILT_SOURCES = checksum.c +CLEANFILES = checksum.c INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ - -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" \ - $(am__append_1) $(am__append_2) +AM_CFLAGS = -rdynamic +libs = $(shell find $(top_builddir)/src/libstrongswan \ + $(top_builddir)/src/charon -name 'libstrongswan*.so') \ + $(am__append_1) $(am__append_2) $(am__append_3) \ + $(am__append_4) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-am @@ -231,9 +262,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile'; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/checksum/Makefile'; \ cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile + $(AUTOMAKE) --gnu src/checksum/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ @@ -251,6 +282,35 @@ $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-ipsecLTLIBRARIES: $(ipsec_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" + @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \ + else :; fi; \ + done + +uninstall-ipsecLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipsecdir)/$$p'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipsecdir)/$$p"; \ + done + +clean-ipsecLTLIBRARIES: + -test -z "$(ipsec_LTLIBRARIES)" || rm -f $(ipsec_LTLIBRARIES) + @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES) + $(libchecksum_la_LINK) -rpath $(ipsecdir) $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS) clean-noinstPROGRAMS: @list='$(noinst_PROGRAMS)'; for p in $$list; do \ @@ -258,9 +318,9 @@ clean-noinstPROGRAMS: echo " rm -f $$p $$f"; \ rm -f $$p $$f ; \ done -fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES) - @rm -f fips_signer$(EXEEXT) - $(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS) +checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES) + @rm -f checksum_builder$(EXEEXT) + $(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -268,7 +328,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum_builder.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -373,8 +434,11 @@ distdir: $(DISTFILES) check-am: all-am check: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) check-am -all-am: Makefile $(PROGRAMS) +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) installdirs: + for dir in "$(DESTDIR)$(ipsecdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-am install-exec: install-exec-am @@ -404,8 +468,8 @@ maintainer-clean-generic: -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ - mostlyclean-am +clean-am: clean-generic clean-ipsecLTLIBRARIES clean-libtool \ + clean-noinstPROGRAMS mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -423,7 +487,7 @@ info: info-am info-am: -install-data-am: +install-data-am: install-ipsecLTLIBRARIES install-dvi: install-dvi-am @@ -459,26 +523,28 @@ ps: ps-am ps-am: -uninstall-am: +uninstall-am: uninstall-ipsecLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstPROGRAMS ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am install-man \ + clean-ipsecLTLIBRARIES clean-libtool clean-noinstPROGRAMS \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-ipsecLTLIBRARIES install-man \ install-pdf install-pdf-am install-ps install-ps-am \ install-strip installcheck installcheck-am installdirs \ maintainer-clean maintainer-clean-generic mostlyclean \ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-ipsecLTLIBRARIES -fips_signature.h : fips_signer - ./fips_signer +checksum.c : checksum_builder $(libs) + ./checksum_builder $(libs) > checksum.c # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c new file mode 100644 index 000000000..a713eb526 --- /dev/null +++ b/src/checksum/checksum_builder.c @@ -0,0 +1,135 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdlib.h> +#include <stdio.h> +#include <dlfcn.h> + +#include <library.h> + +/* we need to fake some charon symbols to dlopen() its plugins */ +void *charon, *eap_type_names, *auth_class_names, *protocol_id_names, +*action_names, *ipsec_mode_names, *ike_sa_state_names, *child_sa_state_names, +*policy_dir_names, *ipcomp_transform_names, *debug_names, *controller_cb_empty; + +int main(int argc, char* argv[]) +{ + int i; + integrity_checker_t *integrity; + + /* avoid confusing leak reports in build process */ + setenv("LEAK_DETECTIVE_DISABLE", "1", 0); + library_init(NULL); + atexit(library_deinit); + + integrity = integrity_checker_create(NULL); + + printf("/**\n"); + printf(" * checksums of files and loaded code segments.\n"); + printf(" * created by %s\n", argv[0]); + printf(" */\n"); + printf("\n"); + printf("#include <library.h>\n"); + printf("\n"); + printf("integrity_checksum_t checksums[] = {\n"); + fprintf(stderr, "integrity test data:\n"); + fprintf(stderr, "module name, file size / checksum segment size / checksum\n"); + for (i = 1; i < argc; i++) + { + char *name, *path, *sname = NULL; + void *handle, *symbol; + u_int32_t fsum, ssum; + size_t fsize = 0; + size_t ssize = 0; + + path = argv[i]; + + if ((name = strstr(path, "libstrongswan-"))) + { + name = strdup(name + strlen("libstrongswan-")); + name[strlen(name) - 3] = '"'; + name[strlen(name) - 2] = ','; + name[strlen(name) - 1] = '\0'; + sname = "plugin_create"; + } + else if (strstr(path, "libstrongswan.so")) + { + name = strdup("libstrongswan\","); + sname = "library_init"; + } + else if (strstr(path, "pool")) + { + name = strdup("pool\","); + } + else if (strstr(path, "charon")) + { + name = strdup("charon\","); + } + else if (strstr(path, "pluto")) + { + name = strdup("pluto\","); + } + else if (strstr(path, "openac")) + { + name = strdup("openac\","); + } + else if (strstr(path, "scepclient")) + { + name = strdup("scepclient\","); + } + else + { + fprintf(stderr, "don't know how to handle '%s', ignored", path); + continue; + } + + fsum = integrity->build_file(integrity, path, &fsize); + ssum = 0; + if (sname) + { + handle = dlopen(path, RTLD_LAZY); + if (handle) + { + symbol = dlsym(handle, sname); + if (symbol) + { + ssum = integrity->build_segment(integrity, symbol, &ssize); + } + else + { + fprintf(stderr, "symbol lookup failed: %s\n", dlerror()); + } + dlclose(handle); + } + else + { + fprintf(stderr, "dlopen failed: %s\n", dlerror()); + } + } + printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n", + name, fsize, fsum, ssize, ssum); + fprintf(stderr, "\"%-20s%7u / 0x%08x %6u / 0x%08x\n", + name, fsize, fsum, ssize, ssum); + free(name); + } + printf("};\n"); + printf("\n"); + printf("int checksum_count = countof(checksums);\n"); + printf("\n"); + integrity->destroy(integrity); + + exit(0); +} + diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index fdbf41f47..817e31104 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -83,12 +83,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -193,7 +196,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c index 72d6d1b5e..2ed96d562 100644 --- a/src/dumm/mconsole.c +++ b/src/dumm/mconsole.c @@ -149,7 +149,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t), { if (reply.len && *reply.data) { - DBG1("received mconsole error %d: %*.s", + DBG1("received mconsole error %d: %.*s", reply.err, reply.len, reply.data); } break; diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 7ee0793ec..495d02cc2 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -43,12 +43,14 @@ SOURCES = DIST_SOURCES = DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -113,6 +115,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -153,7 +156,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index d5a6dc82f..de069b928 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -51,12 +51,14 @@ NROFF = nroff MANS = $(dist_man8_MANS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -161,7 +164,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index 98f5ddd88..266898984 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -71,12 +71,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -181,7 +184,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 37c32b9fa..31ea3a634 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in @@ -83,12 +83,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -193,7 +196,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c index 2e9fa2787..f2eb8d07a 100644 --- a/src/libfreeswan/anyaddr.c +++ b/src/libfreeswan/anyaddr.c @@ -17,12 +17,13 @@ #include "internal.h" #include "freeswan.h" -/* these are mostly fallbacks for the no-IPv6-support-in-library case */ -#ifndef IN6ADDR_ANY_INIT -#define IN6ADDR_ANY_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }} -#endif -#ifndef IN6ADDR_LOOPBACK_INIT -#define IN6ADDR_LOOPBACK_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }} +/* OpenSolaris defines strange versions of these macros */ +#ifdef __sun +#undef IN6ADDR_ANY_INIT +#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}} + +#undef IN6ADDR_LOOPBACK_INIT +#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}} #endif static struct in6_addr v6any = IN6ADDR_ANY_INIT; diff --git a/src/libfreeswan/atoaddr.3 b/src/libfreeswan/atoaddr.3 index fce8884e4..10da2691c 100644 --- a/src/libfreeswan/atoaddr.3 +++ b/src/libfreeswan/atoaddr.3 @@ -54,7 +54,7 @@ on a big-endian host and .B 4.3.2.1 on a little-endian host), a DNS name to be looked up via -.IR gethostbyname (3), +.IR getaddrinfo (3), or an old-style network name to be looked up via .IR getnetbyname (3). .PP @@ -91,10 +91,8 @@ DNS names may be complete (optionally terminated with a ``.'') or incomplete, and are looked up as specified by local system configuration (see .IR resolver (5)). -The -.I h_addr -value returned by -.IR gethostbyname (3) +The first value returned by +.IR getaddrinfo (3) is used, so with current DNS implementations, the result when the name corresponds to more than one address is @@ -102,7 +100,7 @@ difficult to predict. Name lookup resorts to .IR getnetbyname (3) only if -.IR gethostbyname (3) +.IR getaddrinfo (3) fails. .PP A subnet specification is of the form \fInetwork\fB/\fImask\fR. diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c index dd73be7f3..cbda541d3 100644 --- a/src/libfreeswan/atoaddr.c +++ b/src/libfreeswan/atoaddr.c @@ -12,6 +12,8 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public * License for more details. */ +#include <sys/socket.h> + #include "internal.h" #include "freeswan.h" @@ -41,7 +43,7 @@ const char *src; size_t srclen; /* 0 means "apply strlen" */ struct in_addr *addrp; { - struct hostent *h; + struct addrinfo hints, *res; struct netent *ne = NULL; const char *oops; # define HEXLEN 10 /* strlen("0x11223344") */ @@ -51,6 +53,7 @@ struct in_addr *addrp; char namebuf[ATOADDRBUF]; char *p = namebuf; char *q; + int error; if (srclen == 0) srclen = strlen(src); @@ -87,18 +90,34 @@ struct in_addr *addrp; return "illegal (non-DNS-name) character in name"; /* try as host name, failing that as /etc/networks network name */ - h = gethostbyname(p); - if (h == NULL) + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; + error = getaddrinfo(p, NULL, &hints, &res); + if (error != 0) + { ne = getnetbyname(p); + if (ne == NULL) + { + if (p != namebuf) + { + FREE(p); + } + return "name lookup failed"; + } + addrp->s_addr = htonl(ne->n_net); + } + else + { + struct sockaddr_in *in = (struct sockaddr_in*)res->ai_addr; + memcpy(&addrp->s_addr, &in->sin_addr.s_addr, sizeof(addrp->s_addr)); + freeaddrinfo(res); + } + if (p != namebuf) + { FREE(p); - if (h == NULL && ne == NULL) - return "name lookup failed"; + } - if (h != NULL) - memcpy(&addrp->s_addr, h->h_addr, sizeof(addrp->s_addr)); - else - addrp->s_addr = htonl(ne->n_net); return NULL; } diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h index cb14cd678..77ce8f2be 100644 --- a/src/libfreeswan/freeswan.h +++ b/src/libfreeswan/freeswan.h @@ -20,11 +20,6 @@ # include <stdio.h> # include <netinet/in.h> -# define uint8_t u_int8_t -# define uint16_t u_int16_t -# define uint32_t u_int32_t -# define uint64_t u_int64_t - # define DEBUG_NO_STATIC static #include <ipsec_param.h> diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h index 5ef5e747c..461299c78 100644 --- a/src/libfreeswan/pfkeyv2.h +++ b/src/libfreeswan/pfkeyv2.h @@ -303,33 +303,40 @@ struct sadb_protocol { #define SADB_SASTATE_DEAD 3 #define SADB_SASTATE_MAX 3 -#define SADB_SAFLAGS_PFS 1 +#define SADB_SAFLAGS_PFS 1 #define SADB_X_SAFLAGS_REPLACEFLOW 2 #define SADB_X_SAFLAGS_CLEARFLOW 4 #define SADB_X_SAFLAGS_INFLOW 8 /* Authentication algorithms */ -#define SADB_AALG_NONE 0 -#define SADB_AALG_MD5HMAC 2 -#define SADB_AALG_SHA1HMAC 3 +#define SADB_AALG_NONE 0 +#define SADB_AALG_MD5HMAC 2 +#define SADB_AALG_SHA1HMAC 3 #define SADB_X_AALG_SHA2_256HMAC 5 #define SADB_X_AALG_SHA2_384HMAC 6 #define SADB_X_AALG_SHA2_512HMAC 7 #define SADB_X_AALG_RIPEMD160HMAC 8 #define SADB_X_AALG_AES_XCBC_MAC 9 -#define SADB_X_AALG_NULL 251 /* kame */ -#define SADB_AALG_MAX 251 +#define SADB_X_AALG_NULL 251 /* kame */ +#define SADB_AALG_MAX 251 /* Encryption algorithms */ -#define SADB_EALG_NONE 0 -#define SADB_EALG_DESCBC 2 -#define SADB_EALG_3DESCBC 3 -#define SADB_X_EALG_CASTCBC 6 +#define SADB_EALG_NONE 0 +#define SADB_EALG_DESCBC 2 +#define SADB_EALG_3DESCBC 3 +#define SADB_X_EALG_CASTCBC 6 #define SADB_X_EALG_BLOWFISHCBC 7 -#define SADB_EALG_NULL 11 -#define SADB_X_EALG_AESCBC 12 +#define SADB_EALG_NULL 11 +#define SADB_X_EALG_AESCBC 12 +#define SADB_X_EALG_AESCTR 13 +#define SADB_X_EALG_AES_CCM_ICV8 14 +#define SADB_X_EALG_AES_CCM_ICV12 15 +#define SADB_X_EALG_AES_CCM_ICV16 16 +#define SADB_X_EALG_AES_GCM_ICV8 18 +#define SADB_X_EALG_AES_GCM_ICV12 19 +#define SADB_X_EALG_AES_GCM_ICV16 20 #define SADB_X_EALG_CAMELLIACBC 22 -#define SADB_EALG_MAX 253 /* last EALG */ +#define SADB_EALG_MAX 253 /* last EALG */ /* private allocations should use 249-255 (RFC2407) */ #define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ #define SADB_X_EALG_TWOFISHCBC 253 /* draft-ietf-ipsec-ciph-aes-cbc-00 */ diff --git a/src/libfreeswan/ttoaddr.3 b/src/libfreeswan/ttoaddr.3 index 70671145e..d43d2b16f 100644 --- a/src/libfreeswan/ttoaddr.3 +++ b/src/libfreeswan/ttoaddr.3 @@ -59,7 +59,7 @@ on a big-endian host and .B 4.3.2.1 on a little-endian host), a DNS name to be looked up via -.IR gethostbyname (3), +.IR getaddrinfo (3), or an old-style network name to be looked up via .IR getnetbyname (3). .PP @@ -100,7 +100,7 @@ abbreviating at most one subsequence of multiple zeros (e.g. which is synonymous with .BR 99:ab:0:0:0:0:54:68 ), or a DNS name to be looked up via -.IR gethostbyname (3). +.IR getaddrinfo (3). The result of applying .I addrtot to an IPv6 address will use @@ -115,10 +115,8 @@ DNS names may be complete (optionally terminated with a ``.'') or incomplete, and are looked up as specified by local system configuration (see .IR resolver (5)). -The -.I h_addr -value returned by -.IR gethostbyname2 (3) +The first value returned by +.IR getaddrinfo (3) is used, so with current DNS implementations, the result when the name corresponds to more than one address is @@ -126,7 +124,7 @@ difficult to predict. IPv4 name lookup resorts to .IR getnetbyname (3) only if -.IR gethostbyname2 (3) +.IR getaddrinfo (3) fails. .PP A subnet specification is of the form \fInetwork\fB/\fImask\fR. diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c index e4ceec863..bda2be5ed 100644 --- a/src/libfreeswan/ttoaddr.c +++ b/src/libfreeswan/ttoaddr.c @@ -157,12 +157,15 @@ int nultermd; /* is it known to be NUL-terminated? */ int af; ip_address *dst; { - struct hostent *h; + struct addrinfo hints, *res; struct netent *ne = NULL; char namebuf[100]; /* enough for most DNS names */ const char *cp; char *p = namebuf; + unsigned char *addr = NULL; size_t n; + int error; + err_t err = NULL; for (cp = src, n = srclen; n > 0; cp++, n--) if (ISASCII(*cp) && strchr(namechars, *cp) == NULL) @@ -181,25 +184,67 @@ ip_address *dst; cp = (const char *)p; } - h = gethostbyname2(cp, af); - if (h == NULL && af == AF_INET) - ne = getnetbyname(cp); + memset(&hints, 0, sizeof(hints)); + hints.ai_family = af; + error = getaddrinfo(cp, NULL, &hints, &res); + if (error != 0) + { /* getaddrinfo failed, try getnetbyname */ + if (af == AF_INET) + { + ne = getnetbyname(cp); + if (ne != NULL) + { + ne->n_net = htonl(ne->n_net); + addr = (unsigned char*)&ne->n_net; + err = initaddr(addr, sizeof(ne->n_net), af, dst); + } + } + } + else + { + struct addrinfo *r = res; + while (r) + { + size_t addr_len; + switch (r->ai_family) + { + case AF_INET: + { + struct sockaddr_in *in = (struct sockaddr_in*)r->ai_addr; + addr_len = 4; + addr = (unsigned char*)&in->sin_addr.s_addr; + break; + } + case AF_INET6: + { + struct sockaddr_in6 *in6 = (struct sockaddr_in6*)r->ai_addr; + addr_len = 16; + addr = (unsigned char*)&in6->sin6_addr.s6_addr; + break; + } + default: + { /* unknown family, try next result */ + r = r->ai_next; + continue; + } + } + err = initaddr(addr, addr_len, r->ai_family, dst); + break; + } + freeaddrinfo(res); + } + if (p != namebuf) + { FREE(p); - if (h == NULL && ne == NULL) - return "does not look numeric and name lookup failed"; + } - if (h != NULL) { - if (h->h_addrtype != af) - return "address-type mismatch from gethostbyname2!!!"; - return initaddr((unsigned char *)h->h_addr, h->h_length, af, dst); - } else { - if (ne->n_addrtype != af) - return "address-type mismatch from getnetbyname!!!"; - ne->n_net = htonl(ne->n_net); - return initaddr((unsigned char *)&ne->n_net, sizeof(ne->n_net), - af, dst); + if (addr == NULL) + { + return "does not look numeric and name lookup failed"; } + + return err; } /* diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 212b9547d..ee6996558 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -1,14 +1,6 @@ lib_LTLIBRARIES = libstrongswan.la -if USE_INTEGRITY_TEST - libstrongswan_la_SOURCES = \ - fips/fips_canister_start.c \ - fips/fips.c fips/fips.h -else - libstrongswan_la_SOURCES = -endif - -libstrongswan_la_SOURCES += \ +libstrongswan_la_SOURCES = \ library.c library.h \ chunk.c chunk.h \ debug.c debug.h \ @@ -58,7 +50,7 @@ utils/mutex.c utils/mutex.h \ utils/backtrace.c utils/backtrace.h \ plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h -libstrongswan_la_LIBADD = -lpthread $(DLLIB) +libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ @@ -76,8 +68,9 @@ if USE_LOCK_PROFILER endif if USE_INTEGRITY_TEST + AM_CFLAGS += -DINTEGRITY_TEST libstrongswan_la_SOURCES += \ - fips/fips_canister_end.c + integrity_checker.c integrity_checker.h endif if USE_VSTR @@ -204,7 +197,3 @@ endif if USE_TEST_VECTORS SUBDIRS += plugins/test_vectors endif - -if USE_INTEGRITY_TEST - SUBDIRS += fips -endif diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index dd25f0526..ae751c098 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -37,31 +37,34 @@ host_triplet = @host@ @USE_LEAK_DETECTIVE_TRUE@ utils/leak_detective.c utils/leak_detective.h @USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER -@USE_VSTR_TRUE@am__append_4 = -lvstr -@USE_AES_TRUE@am__append_5 = plugins/aes -@USE_DES_TRUE@am__append_6 = plugins/des -@USE_BLOWFISH_TRUE@am__append_7 = plugins/blowfish -@USE_MD4_TRUE@am__append_8 = plugins/md4 -@USE_MD5_TRUE@am__append_9 = plugins/md5 -@USE_SHA1_TRUE@am__append_10 = plugins/sha1 -@USE_SHA2_TRUE@am__append_11 = plugins/sha2 -@USE_FIPS_PRF_TRUE@am__append_12 = plugins/fips_prf -@USE_GMP_TRUE@am__append_13 = plugins/gmp -@USE_RANDOM_TRUE@am__append_14 = plugins/random -@USE_HMAC_TRUE@am__append_15 = plugins/hmac -@USE_XCBC_TRUE@am__append_16 = plugins/xcbc -@USE_X509_TRUE@am__append_17 = plugins/x509 -@USE_PUBKEY_TRUE@am__append_18 = plugins/pubkey -@USE_CURL_TRUE@am__append_19 = plugins/curl -@USE_LDAP_TRUE@am__append_20 = plugins/ldap -@USE_MYSQL_TRUE@am__append_21 = plugins/mysql -@USE_SQLITE_TRUE@am__append_22 = plugins/sqlite -@USE_PADLOCK_TRUE@am__append_23 = plugins/padlock -@USE_OPENSSL_TRUE@am__append_24 = plugins/openssl -@USE_GCRYPT_TRUE@am__append_25 = plugins/gcrypt -@USE_AGENT_TRUE@am__append_26 = plugins/agent -@USE_TEST_VECTORS_TRUE@am__append_27 = plugins/test_vectors -@USE_INTEGRITY_TEST_TRUE@am__append_28 = fips +@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST +@USE_INTEGRITY_TEST_TRUE@am__append_5 = \ +@USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h + +@USE_VSTR_TRUE@am__append_6 = -lvstr +@USE_AES_TRUE@am__append_7 = plugins/aes +@USE_DES_TRUE@am__append_8 = plugins/des +@USE_BLOWFISH_TRUE@am__append_9 = plugins/blowfish +@USE_MD4_TRUE@am__append_10 = plugins/md4 +@USE_MD5_TRUE@am__append_11 = plugins/md5 +@USE_SHA1_TRUE@am__append_12 = plugins/sha1 +@USE_SHA2_TRUE@am__append_13 = plugins/sha2 +@USE_FIPS_PRF_TRUE@am__append_14 = plugins/fips_prf +@USE_GMP_TRUE@am__append_15 = plugins/gmp +@USE_RANDOM_TRUE@am__append_16 = plugins/random +@USE_HMAC_TRUE@am__append_17 = plugins/hmac +@USE_XCBC_TRUE@am__append_18 = plugins/xcbc +@USE_X509_TRUE@am__append_19 = plugins/x509 +@USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey +@USE_CURL_TRUE@am__append_21 = plugins/curl +@USE_LDAP_TRUE@am__append_22 = plugins/ldap +@USE_MYSQL_TRUE@am__append_23 = plugins/mysql +@USE_SQLITE_TRUE@am__append_24 = plugins/sqlite +@USE_PADLOCK_TRUE@am__append_25 = plugins/padlock +@USE_OPENSSL_TRUE@am__append_26 = plugins/openssl +@USE_GCRYPT_TRUE@am__append_27 = plugins/gcrypt +@USE_AGENT_TRUE@am__append_28 = plugins/agent +@USE_TEST_VECTORS_TRUE@am__append_29 = plugins/test_vectors subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -81,6 +84,7 @@ libLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ @@ -123,51 +127,20 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ utils/backtrace.h plugins/plugin_loader.c \ plugins/plugin_loader.h plugins/plugin.h \ utils/leak_detective.c utils/leak_detective.h \ - fips/fips_canister_start.c fips/fips.c fips/fips.h \ - fips/fips_canister_end.c + integrity_checker.c integrity_checker.h @USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo -@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \ -@USE_INTEGRITY_TEST_FALSE@ chunk.lo debug.lo enum.lo \ -@USE_INTEGRITY_TEST_FALSE@ settings.lo printf_hook.lo asn1.lo \ -@USE_INTEGRITY_TEST_FALSE@ asn1_parser.lo oid.lo pem.lo \ -@USE_INTEGRITY_TEST_FALSE@ crypter.lo hasher.lo pkcs9.lo \ -@USE_INTEGRITY_TEST_FALSE@ proposal_keywords.lo prf.lo rng.lo \ -@USE_INTEGRITY_TEST_FALSE@ prf_plus.lo signer.lo \ -@USE_INTEGRITY_TEST_FALSE@ crypto_factory.lo crypto_tester.lo \ -@USE_INTEGRITY_TEST_FALSE@ diffie_hellman.lo transform.lo \ -@USE_INTEGRITY_TEST_FALSE@ credential_factory.lo builder.lo \ -@USE_INTEGRITY_TEST_FALSE@ private_key.lo public_key.lo \ -@USE_INTEGRITY_TEST_FALSE@ shared_key.lo certificate.lo x509.lo \ -@USE_INTEGRITY_TEST_FALSE@ crl.lo ocsp_response.lo \ -@USE_INTEGRITY_TEST_FALSE@ database_factory.lo \ -@USE_INTEGRITY_TEST_FALSE@ fetcher_manager.lo pgp.lo utils.lo \ -@USE_INTEGRITY_TEST_FALSE@ host.lo identification.lo \ -@USE_INTEGRITY_TEST_FALSE@ lexparser.lo linked_list.lo \ -@USE_INTEGRITY_TEST_FALSE@ hashtable.lo enumerator.lo \ -@USE_INTEGRITY_TEST_FALSE@ optionsfrom.lo mutex.lo backtrace.lo \ -@USE_INTEGRITY_TEST_FALSE@ plugin_loader.lo $(am__objects_1) -@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS = \ -@USE_INTEGRITY_TEST_TRUE@ fips_canister_start.lo fips.lo \ -@USE_INTEGRITY_TEST_TRUE@ library.lo chunk.lo debug.lo enum.lo \ -@USE_INTEGRITY_TEST_TRUE@ settings.lo printf_hook.lo asn1.lo \ -@USE_INTEGRITY_TEST_TRUE@ asn1_parser.lo oid.lo pem.lo \ -@USE_INTEGRITY_TEST_TRUE@ crypter.lo hasher.lo pkcs9.lo \ -@USE_INTEGRITY_TEST_TRUE@ proposal_keywords.lo prf.lo rng.lo \ -@USE_INTEGRITY_TEST_TRUE@ prf_plus.lo signer.lo \ -@USE_INTEGRITY_TEST_TRUE@ crypto_factory.lo crypto_tester.lo \ -@USE_INTEGRITY_TEST_TRUE@ diffie_hellman.lo transform.lo \ -@USE_INTEGRITY_TEST_TRUE@ credential_factory.lo builder.lo \ -@USE_INTEGRITY_TEST_TRUE@ private_key.lo public_key.lo \ -@USE_INTEGRITY_TEST_TRUE@ shared_key.lo certificate.lo x509.lo \ -@USE_INTEGRITY_TEST_TRUE@ crl.lo ocsp_response.lo \ -@USE_INTEGRITY_TEST_TRUE@ database_factory.lo \ -@USE_INTEGRITY_TEST_TRUE@ fetcher_manager.lo pgp.lo utils.lo \ -@USE_INTEGRITY_TEST_TRUE@ host.lo identification.lo \ -@USE_INTEGRITY_TEST_TRUE@ lexparser.lo linked_list.lo \ -@USE_INTEGRITY_TEST_TRUE@ hashtable.lo enumerator.lo \ -@USE_INTEGRITY_TEST_TRUE@ optionsfrom.lo mutex.lo backtrace.lo \ -@USE_INTEGRITY_TEST_TRUE@ plugin_loader.lo $(am__objects_1) \ -@USE_INTEGRITY_TEST_TRUE@ fips_canister_end.lo +@USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo +am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ + settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \ + pem.lo crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo \ + prf.lo rng.lo prf_plus.lo signer.lo crypto_factory.lo \ + crypto_tester.lo diffie_hellman.lo transform.lo \ + credential_factory.lo builder.lo private_key.lo public_key.lo \ + shared_key.lo certificate.lo x509.lo crl.lo ocsp_response.lo \ + database_factory.lo fetcher_manager.lo pgp.lo utils.lo host.lo \ + identification.lo lexparser.lo linked_list.lo hashtable.lo \ + enumerator.lo optionsfrom.lo mutex.lo backtrace.lo \ + plugin_loader.lo $(am__objects_1) $(am__objects_2) libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -199,15 +172,17 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ plugins/gmp plugins/random plugins/hmac plugins/xcbc \ plugins/x509 plugins/pubkey plugins/curl plugins/ldap \ plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ - plugins/gcrypt plugins/agent plugins/test_vectors fips + plugins/gcrypt plugins/agent plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -272,6 +247,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -312,7 +288,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -347,154 +325,52 @@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ lib_LTLIBRARIES = libstrongswan.la -@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES = library.c \ -@USE_INTEGRITY_TEST_FALSE@ library.h chunk.c chunk.h debug.c \ -@USE_INTEGRITY_TEST_FALSE@ debug.h enum.c enum.h settings.h \ -@USE_INTEGRITY_TEST_FALSE@ settings.c printf_hook.c \ -@USE_INTEGRITY_TEST_FALSE@ printf_hook.h asn1/asn1.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/asn1.h asn1/asn1_parser.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/asn1_parser.h asn1/oid.c \ -@USE_INTEGRITY_TEST_FALSE@ asn1/oid.h asn1/pem.c asn1/pem.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/pkcs9.c crypto/pkcs9.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/prf.c crypto/prfs/prf.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/rngs/rng.c crypto/rngs/rng.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/prf_plus.h crypto/prf_plus.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.h \ -@USE_INTEGRITY_TEST_FALSE@ crypto/transform.c \ -@USE_INTEGRITY_TEST_FALSE@ crypto/transform.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/builder.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/builder.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ac.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.c \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_request.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.h \ -@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.c \ -@USE_INTEGRITY_TEST_FALSE@ database/database.h \ -@USE_INTEGRITY_TEST_FALSE@ database/database_factory.h \ -@USE_INTEGRITY_TEST_FALSE@ database/database_factory.c \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher.h \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.h \ -@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.c pgp/pgp.c \ -@USE_INTEGRITY_TEST_FALSE@ pgp/pgp.h utils.h utils.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/host.c utils/host.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/identification.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/identification.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/iterator.h utils/lexparser.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/lexparser.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/hashtable.c utils/hashtable.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.h \ -@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.h utils/mutex.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/mutex.h utils/backtrace.c \ -@USE_INTEGRITY_TEST_FALSE@ utils/backtrace.h \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.c \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.h \ -@USE_INTEGRITY_TEST_FALSE@ plugins/plugin.h $(am__append_2) -@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES = \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_start.c \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips.c fips/fips.h library.c \ -@USE_INTEGRITY_TEST_TRUE@ library.h chunk.c chunk.h debug.c \ -@USE_INTEGRITY_TEST_TRUE@ debug.h enum.c enum.h settings.h \ -@USE_INTEGRITY_TEST_TRUE@ settings.c printf_hook.c \ -@USE_INTEGRITY_TEST_TRUE@ printf_hook.h asn1/asn1.c asn1/asn1.h \ -@USE_INTEGRITY_TEST_TRUE@ asn1/asn1_parser.c asn1/asn1_parser.h \ -@USE_INTEGRITY_TEST_TRUE@ asn1/oid.c asn1/oid.h asn1/pem.c \ -@USE_INTEGRITY_TEST_TRUE@ asn1/pem.h crypto/crypters/crypter.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/crypter.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs9.c crypto/pkcs9.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/prf.c crypto/prfs/prf.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/rngs/rng.c crypto/rngs/rng.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/prf_plus.h crypto/prf_plus.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.h \ -@USE_INTEGRITY_TEST_TRUE@ crypto/transform.c crypto/transform.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/builder.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/builder.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ac.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.c \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_request.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.h \ -@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.c \ -@USE_INTEGRITY_TEST_TRUE@ database/database.h \ -@USE_INTEGRITY_TEST_TRUE@ database/database_factory.h \ -@USE_INTEGRITY_TEST_TRUE@ database/database_factory.c \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher.h \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.h \ -@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.c pgp/pgp.c \ -@USE_INTEGRITY_TEST_TRUE@ pgp/pgp.h utils.h utils.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/host.c utils/host.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/identification.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/identification.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/iterator.h utils/lexparser.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/lexparser.h utils/linked_list.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/linked_list.h utils/hashtable.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/hashtable.h utils/enumerator.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/enumerator.h \ -@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.h utils/mutex.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/mutex.h utils/backtrace.c \ -@USE_INTEGRITY_TEST_TRUE@ utils/backtrace.h \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.c \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.h \ -@USE_INTEGRITY_TEST_TRUE@ plugins/plugin.h $(am__append_2) \ -@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_end.c -libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(am__append_4) +libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ + debug.h enum.c enum.h settings.h settings.c printf_hook.c \ + printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \ + asn1/asn1_parser.h asn1/oid.c asn1/oid.h asn1/pem.c asn1/pem.h \ + crypto/crypters/crypter.c crypto/crypters/crypter.h \ + crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \ + crypto/pkcs9.h crypto/proposal/proposal_keywords.c \ + crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \ + crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \ + crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \ + crypto/signers/signer.h crypto/crypto_factory.c \ + crypto/crypto_factory.h crypto/crypto_tester.c \ + crypto/crypto_tester.h crypto/diffie_hellman.c \ + crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ + credentials/credential_factory.c \ + credentials/credential_factory.h credentials/builder.c \ + credentials/builder.h credentials/keys/private_key.c \ + credentials/keys/private_key.h credentials/keys/public_key.c \ + credentials/keys/public_key.h credentials/keys/shared_key.c \ + credentials/keys/shared_key.h \ + credentials/certificates/certificate.c \ + credentials/certificates/certificate.h \ + credentials/certificates/x509.h \ + credentials/certificates/x509.c credentials/certificates/ac.h \ + credentials/certificates/crl.h credentials/certificates/crl.c \ + credentials/certificates/ocsp_request.h \ + credentials/certificates/ocsp_response.h \ + credentials/certificates/ocsp_response.c database/database.h \ + database/database_factory.h database/database_factory.c \ + fetcher/fetcher.h fetcher/fetcher_manager.h \ + fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \ + utils/host.c utils/host.h utils/identification.c \ + utils/identification.h utils/iterator.h utils/lexparser.c \ + utils/lexparser.h utils/linked_list.c utils/linked_list.h \ + utils/hashtable.c utils/hashtable.h utils/enumerator.c \ + utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \ + utils/mutex.c utils/mutex.h utils/backtrace.c \ + utils/backtrace.h plugins/plugin_loader.c \ + plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \ + $(am__append_5) +libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) \ + $(am__append_6) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \ - $(am__append_3) + $(am__append_3) $(am__append_4) EXTRA_DIST = \ asn1/oid.txt asn1/oid.pl \ crypto/proposal/proposal_keywords.txt @@ -510,14 +386,14 @@ $(srcdir)/crypto/proposal/proposal_keywords.c # build plugins with their own Makefile ####################################### -SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \ - $(am__append_8) $(am__append_9) $(am__append_10) \ - $(am__append_11) $(am__append_12) $(am__append_13) \ - $(am__append_14) $(am__append_15) $(am__append_16) \ - $(am__append_17) $(am__append_18) $(am__append_19) \ - $(am__append_20) $(am__append_21) $(am__append_22) \ - $(am__append_23) $(am__append_24) $(am__append_25) \ - $(am__append_26) $(am__append_27) $(am__append_28) +SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \ + $(am__append_10) $(am__append_11) $(am__append_12) \ + $(am__append_13) $(am__append_14) $(am__append_15) \ + $(am__append_16) $(am__append_17) $(am__append_18) \ + $(am__append_19) $(am__append_20) $(am__append_21) \ + $(am__append_22) $(am__append_23) $(am__append_24) \ + $(am__append_25) $(am__append_26) $(am__append_27) \ + $(am__append_28) $(am__append_29) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -605,13 +481,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@ @@ -932,27 +806,6 @@ leak_detective.lo: utils/leak_detective.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c -fips_canister_start.lo: fips/fips_canister_start.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c - -fips.lo: fips/fips.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c - -fips_canister_end.lo: fips/fips_canister_end.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c - mostlyclean-libtool: -rm -f *.lo diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index d2078cbbc..ec46b165b 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -260,25 +260,32 @@ size_t asn1_length(chunk_t *blob) u_char n; size_t len; - /* advance from tag field on to length field */ - blob->ptr++; - blob->len--; + if (blob->len < 2) + { + DBG2("insufficient number of octets to parse ASN.1 length"); + return ASN1_INVALID_LENGTH; + } - /* read first octet of length field */ - n = *blob->ptr++; - blob->len--; + /* read length field, skip tag and length */ + n = blob->ptr[1]; + *blob = chunk_skip(*blob, 2); if ((n & 0x80) == 0) - {/* single length octet */ + { /* single length octet */ + if (n > blob->len) + { + DBG2("length is larger than remaining blob size"); + return ASN1_INVALID_LENGTH; + } return n; } /* composite length, determine number of length octets */ n &= 0x7f; - if (n > blob->len) + if (n == 0 || n > blob->len) { - DBG2("number of length octets is larger than ASN.1 object"); + DBG2("number of length octets invalid"); return ASN1_INVALID_LENGTH; } @@ -304,6 +311,53 @@ size_t asn1_length(chunk_t *blob) return len; } +/* + * See header. + */ +int asn1_unwrap(chunk_t *blob, chunk_t *inner) +{ + chunk_t res; + u_char len; + int type; + + if (blob->len < 2) + { + return ASN1_INVALID; + } + type = blob->ptr[0]; + len = blob->ptr[1]; + *blob = chunk_skip(*blob, 2); + + if ((len & 0x80) == 0) + { /* single length octet */ + res.len = len; + } + else + { /* composite length, determine number of length octets */ + len &= 0x7f; + if (len == 0 || len > sizeof(res.len)) + { + return ASN1_INVALID; + } + res.len = 0; + while (len-- > 0) + { + res.len = 256 * res.len + blob->ptr[0]; + *blob = chunk_skip(*blob, 1); + } + } + if (res.len > blob->len) + { + return ASN1_INVALID; + } + res.ptr = blob->ptr; + *blob = chunk_skip(*blob, res.len); + /* updating inner not before we are finished allows a caller to pass + * blob = inner */ + *inner = res; + return type; +} + #define TIME_MAX 0x7fffffff static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 }; diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 6a2b594c0..8072d62d6 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -74,7 +74,9 @@ typedef enum { ASN1_CONTEXT_C_2 = 0xA2, ASN1_CONTEXT_C_3 = 0xA3, ASN1_CONTEXT_C_4 = 0xA4, - ASN1_CONTEXT_C_5 = 0xA5 + ASN1_CONTEXT_C_5 = 0xA5, + + ASN1_INVALID = 0x100, } asn1_t; #define ASN1_INVALID_LENGTH 0xffffffff @@ -123,6 +125,15 @@ chunk_t asn1_build_known_oid(int n); size_t asn1_length(chunk_t *blob); /** + * Unwrap the inner content of an ASN.1 type/length wrapped object. + * + * @param blob blob to parse header from, moved behind parsed content + * @param content inner content + * @return parsed type, ASN1_INVALID if length parsing failed + */ +int asn1_unwrap(chunk_t *blob, chunk_t *content); + +/** * Parses an ASN.1 algorithmIdentifier object * * @param blob ASN.1 coded blob diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 53657b514..391d65e89 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -62,7 +62,7 @@ const oid_t oid_names[] = { { 0x25, 50, 0, 2, "extendedKeyUsage" }, /* 49 */ { 0x37, 51, 0, 2, "targetInformation" }, /* 50 */ { 0x38, 0, 0, 2, "noRevAvail" }, /* 51 */ - {0x2A, 143, 1, 0, "" }, /* 52 */ + {0x2A, 149, 1, 0, "" }, /* 52 */ { 0x83, 65, 1, 1, "" }, /* 53 */ { 0x08, 0, 1, 2, "jp" }, /* 54 */ { 0x8C, 0, 1, 3, "" }, /* 55 */ @@ -77,7 +77,7 @@ const oid_t oid_names[] = { { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 64 */ { 0x86, 0, 1, 1, "" }, /* 65 */ { 0x48, 0, 1, 2, "us" }, /* 66 */ - { 0x86, 107, 1, 3, "" }, /* 67 */ + { 0x86, 108, 1, 3, "" }, /* 67 */ { 0xF6, 73, 1, 4, "" }, /* 68 */ { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 69 */ { 0x07, 0, 1, 6, "Entrust" }, /* 70 */ @@ -85,225 +85,231 @@ const oid_t oid_names[] = { { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 72 */ { 0xF7, 0, 1, 4, "" }, /* 73 */ { 0x0D, 0, 1, 5, "RSADSI" }, /* 74 */ - { 0x01, 102, 1, 6, "PKCS" }, /* 75 */ - { 0x01, 84, 1, 7, "PKCS-1" }, /* 76 */ + { 0x01, 103, 1, 6, "PKCS" }, /* 75 */ + { 0x01, 85, 1, 7, "PKCS-1" }, /* 76 */ { 0x01, 78, 0, 8, "rsaEncryption" }, /* 77 */ { 0x02, 79, 0, 8, "md2WithRSAEncryption" }, /* 78 */ { 0x04, 80, 0, 8, "md5WithRSAEncryption" }, /* 79 */ { 0x05, 81, 0, 8, "sha-1WithRSAEncryption" }, /* 80 */ { 0x0B, 82, 0, 8, "sha256WithRSAEncryption" }, /* 81 */ { 0x0C, 83, 0, 8, "sha384WithRSAEncryption" }, /* 82 */ - { 0x0D, 0, 0, 8, "sha512WithRSAEncryption" }, /* 83 */ - { 0x07, 91, 1, 7, "PKCS-7" }, /* 84 */ - { 0x01, 86, 0, 8, "data" }, /* 85 */ - { 0x02, 87, 0, 8, "signedData" }, /* 86 */ - { 0x03, 88, 0, 8, "envelopedData" }, /* 87 */ - { 0x04, 89, 0, 8, "signedAndEnvelopedData" }, /* 88 */ - { 0x05, 90, 0, 8, "digestedData" }, /* 89 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 90 */ - { 0x09, 0, 1, 7, "PKCS-9" }, /* 91 */ - { 0x01, 93, 0, 8, "E" }, /* 92 */ - { 0x02, 94, 0, 8, "unstructuredName" }, /* 93 */ - { 0x03, 95, 0, 8, "contentType" }, /* 94 */ - { 0x04, 96, 0, 8, "messageDigest" }, /* 95 */ - { 0x05, 97, 0, 8, "signingTime" }, /* 96 */ - { 0x06, 98, 0, 8, "counterSignature" }, /* 97 */ - { 0x07, 99, 0, 8, "challengePassword" }, /* 98 */ - { 0x08, 100, 0, 8, "unstructuredAddress" }, /* 99 */ - { 0x0E, 101, 0, 8, "extensionRequest" }, /* 100 */ - { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 101 */ - { 0x02, 105, 1, 6, "digestAlgorithm" }, /* 102 */ - { 0x02, 104, 0, 7, "md2" }, /* 103 */ - { 0x05, 0, 0, 7, "md5" }, /* 104 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 105 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 106 */ - { 0xCE, 0, 1, 3, "" }, /* 107 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 108 */ - { 0x02, 111, 1, 5, "id-publicKeyType" }, /* 109 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 110 */ - { 0x03, 141, 1, 5, "ellipticCurve" }, /* 111 */ - { 0x00, 133, 1, 6, "c-TwoCurve" }, /* 112 */ - { 0x01, 114, 0, 7, "c2pnb163v1" }, /* 113 */ - { 0x02, 115, 0, 7, "c2pnb163v2" }, /* 114 */ - { 0x03, 116, 0, 7, "c2pnb163v3" }, /* 115 */ - { 0x04, 117, 0, 7, "c2pnb176w1" }, /* 116 */ - { 0x05, 118, 0, 7, "c2tnb191v1" }, /* 117 */ - { 0x06, 119, 0, 7, "c2tnb191v2" }, /* 118 */ - { 0x07, 120, 0, 7, "c2tnb191v3" }, /* 119 */ - { 0x08, 121, 0, 7, "c2onb191v4" }, /* 120 */ - { 0x09, 122, 0, 7, "c2onb191v5" }, /* 121 */ - { 0x0A, 123, 0, 7, "c2pnb208w1" }, /* 122 */ - { 0x0B, 124, 0, 7, "c2tnb239v1" }, /* 123 */ - { 0x0C, 125, 0, 7, "c2tnb239v2" }, /* 124 */ - { 0x0D, 126, 0, 7, "c2tnb239v3" }, /* 125 */ - { 0x0E, 127, 0, 7, "c2onb239v4" }, /* 126 */ - { 0x0F, 128, 0, 7, "c2onb239v5" }, /* 127 */ - { 0x10, 129, 0, 7, "c2pnb272w1" }, /* 128 */ - { 0x11, 130, 0, 7, "c2pnb304w1" }, /* 129 */ - { 0x12, 131, 0, 7, "c2tnb359v1" }, /* 130 */ - { 0x13, 132, 0, 7, "c2pnb368w1" }, /* 131 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 132 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 133 */ - { 0x01, 135, 0, 7, "prime192v1" }, /* 134 */ - { 0x02, 136, 0, 7, "prime192v2" }, /* 135 */ - { 0x03, 137, 0, 7, "prime192v3" }, /* 136 */ - { 0x04, 138, 0, 7, "prime239v1" }, /* 137 */ - { 0x05, 139, 0, 7, "prime239v2" }, /* 138 */ - { 0x06, 140, 0, 7, "prime239v3" }, /* 139 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 140 */ - { 0x04, 0, 1, 5, "id-ecSigType" }, /* 141 */ - { 0x01, 0, 0, 6, "ecdsa-with-SHA1" }, /* 142 */ - {0x2B, 243, 1, 0, "" }, /* 143 */ - { 0x06, 196, 1, 1, "dod" }, /* 144 */ - { 0x01, 0, 1, 2, "internet" }, /* 145 */ - { 0x04, 164, 1, 3, "private" }, /* 146 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 147 */ - { 0x82, 157, 1, 5, "" }, /* 148 */ - { 0x37, 0, 1, 6, "Microsoft" }, /* 149 */ - { 0x0A, 154, 1, 7, "" }, /* 150 */ - { 0x03, 0, 1, 8, "" }, /* 151 */ - { 0x03, 153, 0, 9, "msSGC" }, /* 152 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 153 */ - { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 154 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 155 */ - { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 156 */ - { 0x89, 0, 1, 5, "" }, /* 157 */ - { 0x31, 0, 1, 6, "" }, /* 158 */ - { 0x01, 0, 1, 7, "" }, /* 159 */ - { 0x01, 0, 1, 8, "" }, /* 160 */ - { 0x02, 0, 1, 9, "" }, /* 161 */ - { 0x02, 163, 0, 10, "" }, /* 162 */ - { 0x4B, 0, 0, 10, "TCGID" }, /* 163 */ - { 0x05, 0, 1, 3, "security" }, /* 164 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 165 */ - { 0x07, 0, 1, 5, "id-pkix" }, /* 166 */ - { 0x01, 169, 1, 6, "id-pe" }, /* 167 */ - { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 168 */ - { 0x03, 179, 1, 6, "id-kp" }, /* 169 */ - { 0x01, 171, 0, 7, "serverAuth" }, /* 170 */ - { 0x02, 172, 0, 7, "clientAuth" }, /* 171 */ - { 0x03, 173, 0, 7, "codeSigning" }, /* 172 */ - { 0x04, 174, 0, 7, "emailProtection" }, /* 173 */ - { 0x05, 175, 0, 7, "ipsecEndSystem" }, /* 174 */ - { 0x06, 176, 0, 7, "ipsecTunnel" }, /* 175 */ - { 0x07, 177, 0, 7, "ipsecUser" }, /* 176 */ - { 0x08, 178, 0, 7, "timeStamping" }, /* 177 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 178 */ - { 0x08, 181, 1, 6, "id-otherNames" }, /* 179 */ - { 0x05, 0, 0, 7, "xmppAddr" }, /* 180 */ - { 0x0A, 186, 1, 6, "id-aca" }, /* 181 */ - { 0x01, 183, 0, 7, "authenticationInfo" }, /* 182 */ - { 0x02, 184, 0, 7, "accessIdentity" }, /* 183 */ - { 0x03, 185, 0, 7, "chargingIdentity" }, /* 184 */ - { 0x04, 0, 0, 7, "group" }, /* 185 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 186 */ - { 0x01, 195, 1, 7, "ocsp" }, /* 187 */ - { 0x01, 189, 0, 8, "basic" }, /* 188 */ - { 0x02, 190, 0, 8, "nonce" }, /* 189 */ - { 0x03, 191, 0, 8, "crl" }, /* 190 */ - { 0x04, 192, 0, 8, "response" }, /* 191 */ - { 0x05, 193, 0, 8, "noCheck" }, /* 192 */ - { 0x06, 194, 0, 8, "archiveCutoff" }, /* 193 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 194 */ - { 0x02, 0, 0, 7, "caIssuers" }, /* 195 */ - { 0x0E, 202, 1, 1, "oiw" }, /* 196 */ - { 0x03, 0, 1, 2, "secsig" }, /* 197 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 198 */ - { 0x07, 200, 0, 4, "des-cbc" }, /* 199 */ - { 0x1A, 201, 0, 4, "sha-1" }, /* 200 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 201 */ - { 0x24, 209, 1, 1, "TeleTrusT" }, /* 202 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 203 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 204 */ - { 0x01, 0, 1, 4, "rsaSignature" }, /* 205 */ - { 0x02, 207, 0, 5, "rsaSigWithripemd160" }, /* 206 */ - { 0x03, 208, 0, 5, "rsaSigWithripemd128" }, /* 207 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 208 */ - { 0x81, 0, 1, 1, "" }, /* 209 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 210 */ - { 0x00, 0, 1, 3, "curve" }, /* 211 */ - { 0x01, 213, 0, 4, "sect163k1" }, /* 212 */ - { 0x02, 214, 0, 4, "sect163r1" }, /* 213 */ - { 0x03, 215, 0, 4, "sect239k1" }, /* 214 */ - { 0x04, 216, 0, 4, "sect113r1" }, /* 215 */ - { 0x05, 217, 0, 4, "sect113r2" }, /* 216 */ - { 0x06, 218, 0, 4, "secp112r1" }, /* 217 */ - { 0x07, 219, 0, 4, "secp112r2" }, /* 218 */ - { 0x08, 220, 0, 4, "secp160r1" }, /* 219 */ - { 0x09, 221, 0, 4, "secp160k1" }, /* 220 */ - { 0x0A, 222, 0, 4, "secp256k1" }, /* 221 */ - { 0x0F, 223, 0, 4, "sect163r2" }, /* 222 */ - { 0x10, 224, 0, 4, "sect283k1" }, /* 223 */ - { 0x11, 225, 0, 4, "sect283r1" }, /* 224 */ - { 0x16, 226, 0, 4, "sect131r1" }, /* 225 */ - { 0x17, 227, 0, 4, "sect131r2" }, /* 226 */ - { 0x18, 228, 0, 4, "sect193r1" }, /* 227 */ - { 0x19, 229, 0, 4, "sect193r2" }, /* 228 */ - { 0x1A, 230, 0, 4, "sect233k1" }, /* 229 */ - { 0x1B, 231, 0, 4, "sect233r1" }, /* 230 */ - { 0x1C, 232, 0, 4, "secp128r1" }, /* 231 */ - { 0x1D, 233, 0, 4, "secp128r2" }, /* 232 */ - { 0x1E, 234, 0, 4, "secp160r2" }, /* 233 */ - { 0x1F, 235, 0, 4, "secp192k1" }, /* 234 */ - { 0x20, 236, 0, 4, "secp224k1" }, /* 235 */ - { 0x21, 237, 0, 4, "secp224r1" }, /* 236 */ - { 0x22, 238, 0, 4, "secp384r1" }, /* 237 */ - { 0x23, 239, 0, 4, "secp521r1" }, /* 238 */ - { 0x24, 240, 0, 4, "sect409k1" }, /* 239 */ - { 0x25, 241, 0, 4, "sect409r1" }, /* 240 */ - { 0x26, 242, 0, 4, "sect571k1" }, /* 241 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 242 */ - {0x60, 0, 1, 0, "" }, /* 243 */ - { 0x86, 0, 1, 1, "" }, /* 244 */ - { 0x48, 0, 1, 2, "" }, /* 245 */ - { 0x01, 289, 1, 3, "organization" }, /* 246 */ - { 0x65, 265, 1, 4, "gov" }, /* 247 */ - { 0x03, 0, 1, 5, "csor" }, /* 248 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 249 */ - { 0x01, 260, 1, 7, "aes" }, /* 250 */ - { 0x02, 252, 0, 8, "id-aes128-CBC" }, /* 251 */ - { 0x06, 253, 0, 8, "id-aes128-GCM" }, /* 252 */ - { 0x07, 254, 0, 8, "id-aes128-CCM" }, /* 253 */ - { 0x16, 255, 0, 8, "id-aes192-CBC" }, /* 254 */ - { 0x1A, 256, 0, 8, "id-aes192-GCM" }, /* 255 */ - { 0x1B, 257, 0, 8, "id-aes192-CCM" }, /* 256 */ - { 0x2A, 258, 0, 8, "id-aes256-CBC" }, /* 257 */ - { 0x2E, 259, 0, 8, "id-aes256-GCM" }, /* 258 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 259 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 260 */ - { 0x01, 262, 0, 8, "id-SHA-256" }, /* 261 */ - { 0x02, 263, 0, 8, "id-SHA-384" }, /* 262 */ - { 0x03, 264, 0, 8, "id-SHA-512" }, /* 263 */ - { 0x04, 0, 0, 8, "id-SHA-224" }, /* 264 */ - { 0x86, 0, 1, 4, "" }, /* 265 */ - { 0xf8, 0, 1, 5, "" }, /* 266 */ - { 0x42, 279, 1, 6, "netscape" }, /* 267 */ - { 0x01, 274, 1, 7, "" }, /* 268 */ - { 0x01, 270, 0, 8, "nsCertType" }, /* 269 */ - { 0x03, 271, 0, 8, "nsRevocationUrl" }, /* 270 */ - { 0x04, 272, 0, 8, "nsCaRevocationUrl" }, /* 271 */ - { 0x08, 273, 0, 8, "nsCaPolicyUrl" }, /* 272 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 273 */ - { 0x03, 277, 1, 7, "directory" }, /* 274 */ - { 0x01, 0, 1, 8, "" }, /* 275 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 276 */ - { 0x04, 0, 1, 7, "policy" }, /* 277 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 278 */ - { 0x45, 0, 1, 6, "verisign" }, /* 279 */ - { 0x01, 0, 1, 7, "pki" }, /* 280 */ - { 0x09, 0, 1, 8, "attributes" }, /* 281 */ - { 0x02, 283, 0, 9, "messageType" }, /* 282 */ - { 0x03, 284, 0, 9, "pkiStatus" }, /* 283 */ - { 0x04, 285, 0, 9, "failInfo" }, /* 284 */ - { 0x05, 286, 0, 9, "senderNonce" }, /* 285 */ - { 0x06, 287, 0, 9, "recipientNonce" }, /* 286 */ - { 0x07, 288, 0, 9, "transID" }, /* 287 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 288 */ - { 0x86, 0, 1, 3, "old-netscape" }, /* 289 */ - { 0xF7, 0, 1, 4, "" }, /* 290 */ - { 0x0D, 0, 1, 5, "" }, /* 291 */ - { 0x01, 0, 1, 6, "" }, /* 292 */ - { 0x09, 0, 1, 7, "" }, /* 293 */ - { 0x01, 295, 0, 8, "emailAddress" }, /* 294 */ - { 0x02, 0, 0, 8, "unstructuredName" } /* 295 */ + { 0x0D, 84, 0, 8, "sha512WithRSAEncryption" }, /* 83 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 84 */ + { 0x07, 92, 1, 7, "PKCS-7" }, /* 85 */ + { 0x01, 87, 0, 8, "data" }, /* 86 */ + { 0x02, 88, 0, 8, "signedData" }, /* 87 */ + { 0x03, 89, 0, 8, "envelopedData" }, /* 88 */ + { 0x04, 90, 0, 8, "signedAndEnvelopedData" }, /* 89 */ + { 0x05, 91, 0, 8, "digestedData" }, /* 90 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 91 */ + { 0x09, 0, 1, 7, "PKCS-9" }, /* 92 */ + { 0x01, 94, 0, 8, "E" }, /* 93 */ + { 0x02, 95, 0, 8, "unstructuredName" }, /* 94 */ + { 0x03, 96, 0, 8, "contentType" }, /* 95 */ + { 0x04, 97, 0, 8, "messageDigest" }, /* 96 */ + { 0x05, 98, 0, 8, "signingTime" }, /* 97 */ + { 0x06, 99, 0, 8, "counterSignature" }, /* 98 */ + { 0x07, 100, 0, 8, "challengePassword" }, /* 99 */ + { 0x08, 101, 0, 8, "unstructuredAddress" }, /* 100 */ + { 0x0E, 102, 0, 8, "extensionRequest" }, /* 101 */ + { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 102 */ + { 0x02, 106, 1, 6, "digestAlgorithm" }, /* 103 */ + { 0x02, 105, 0, 7, "md2" }, /* 104 */ + { 0x05, 0, 0, 7, "md5" }, /* 105 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 106 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 107 */ + { 0xCE, 0, 1, 3, "" }, /* 108 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 109 */ + { 0x02, 112, 1, 5, "id-publicKeyType" }, /* 110 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 111 */ + { 0x03, 142, 1, 5, "ellipticCurve" }, /* 112 */ + { 0x00, 134, 1, 6, "c-TwoCurve" }, /* 113 */ + { 0x01, 115, 0, 7, "c2pnb163v1" }, /* 114 */ + { 0x02, 116, 0, 7, "c2pnb163v2" }, /* 115 */ + { 0x03, 117, 0, 7, "c2pnb163v3" }, /* 116 */ + { 0x04, 118, 0, 7, "c2pnb176w1" }, /* 117 */ + { 0x05, 119, 0, 7, "c2tnb191v1" }, /* 118 */ + { 0x06, 120, 0, 7, "c2tnb191v2" }, /* 119 */ + { 0x07, 121, 0, 7, "c2tnb191v3" }, /* 120 */ + { 0x08, 122, 0, 7, "c2onb191v4" }, /* 121 */ + { 0x09, 123, 0, 7, "c2onb191v5" }, /* 122 */ + { 0x0A, 124, 0, 7, "c2pnb208w1" }, /* 123 */ + { 0x0B, 125, 0, 7, "c2tnb239v1" }, /* 124 */ + { 0x0C, 126, 0, 7, "c2tnb239v2" }, /* 125 */ + { 0x0D, 127, 0, 7, "c2tnb239v3" }, /* 126 */ + { 0x0E, 128, 0, 7, "c2onb239v4" }, /* 127 */ + { 0x0F, 129, 0, 7, "c2onb239v5" }, /* 128 */ + { 0x10, 130, 0, 7, "c2pnb272w1" }, /* 129 */ + { 0x11, 131, 0, 7, "c2pnb304w1" }, /* 130 */ + { 0x12, 132, 0, 7, "c2tnb359v1" }, /* 131 */ + { 0x13, 133, 0, 7, "c2pnb368w1" }, /* 132 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 133 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 134 */ + { 0x01, 136, 0, 7, "prime192v1" }, /* 135 */ + { 0x02, 137, 0, 7, "prime192v2" }, /* 136 */ + { 0x03, 138, 0, 7, "prime192v3" }, /* 137 */ + { 0x04, 139, 0, 7, "prime239v1" }, /* 138 */ + { 0x05, 140, 0, 7, "prime239v2" }, /* 139 */ + { 0x06, 141, 0, 7, "prime239v3" }, /* 140 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 141 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 142 */ + { 0x01, 144, 0, 6, "ecdsa-with-SHA1" }, /* 143 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 144 */ + { 0x01, 146, 0, 7, "ecdsa-with-SHA224" }, /* 145 */ + { 0x02, 147, 0, 7, "ecdsa-with-SHA256" }, /* 146 */ + { 0x03, 148, 0, 7, "ecdsa-with-SHA384" }, /* 147 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 148 */ + {0x2B, 249, 1, 0, "" }, /* 149 */ + { 0x06, 202, 1, 1, "dod" }, /* 150 */ + { 0x01, 0, 1, 2, "internet" }, /* 151 */ + { 0x04, 170, 1, 3, "private" }, /* 152 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 153 */ + { 0x82, 163, 1, 5, "" }, /* 154 */ + { 0x37, 0, 1, 6, "Microsoft" }, /* 155 */ + { 0x0A, 160, 1, 7, "" }, /* 156 */ + { 0x03, 0, 1, 8, "" }, /* 157 */ + { 0x03, 159, 0, 9, "msSGC" }, /* 158 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 159 */ + { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 160 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 161 */ + { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 162 */ + { 0x89, 0, 1, 5, "" }, /* 163 */ + { 0x31, 0, 1, 6, "" }, /* 164 */ + { 0x01, 0, 1, 7, "" }, /* 165 */ + { 0x01, 0, 1, 8, "" }, /* 166 */ + { 0x02, 0, 1, 9, "" }, /* 167 */ + { 0x02, 169, 0, 10, "" }, /* 168 */ + { 0x4B, 0, 0, 10, "TCGID" }, /* 169 */ + { 0x05, 0, 1, 3, "security" }, /* 170 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 171 */ + { 0x07, 0, 1, 5, "id-pkix" }, /* 172 */ + { 0x01, 175, 1, 6, "id-pe" }, /* 173 */ + { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 174 */ + { 0x03, 185, 1, 6, "id-kp" }, /* 175 */ + { 0x01, 177, 0, 7, "serverAuth" }, /* 176 */ + { 0x02, 178, 0, 7, "clientAuth" }, /* 177 */ + { 0x03, 179, 0, 7, "codeSigning" }, /* 178 */ + { 0x04, 180, 0, 7, "emailProtection" }, /* 179 */ + { 0x05, 181, 0, 7, "ipsecEndSystem" }, /* 180 */ + { 0x06, 182, 0, 7, "ipsecTunnel" }, /* 181 */ + { 0x07, 183, 0, 7, "ipsecUser" }, /* 182 */ + { 0x08, 184, 0, 7, "timeStamping" }, /* 183 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 184 */ + { 0x08, 187, 1, 6, "id-otherNames" }, /* 185 */ + { 0x05, 0, 0, 7, "xmppAddr" }, /* 186 */ + { 0x0A, 192, 1, 6, "id-aca" }, /* 187 */ + { 0x01, 189, 0, 7, "authenticationInfo" }, /* 188 */ + { 0x02, 190, 0, 7, "accessIdentity" }, /* 189 */ + { 0x03, 191, 0, 7, "chargingIdentity" }, /* 190 */ + { 0x04, 0, 0, 7, "group" }, /* 191 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 192 */ + { 0x01, 201, 1, 7, "ocsp" }, /* 193 */ + { 0x01, 195, 0, 8, "basic" }, /* 194 */ + { 0x02, 196, 0, 8, "nonce" }, /* 195 */ + { 0x03, 197, 0, 8, "crl" }, /* 196 */ + { 0x04, 198, 0, 8, "response" }, /* 197 */ + { 0x05, 199, 0, 8, "noCheck" }, /* 198 */ + { 0x06, 200, 0, 8, "archiveCutoff" }, /* 199 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 200 */ + { 0x02, 0, 0, 7, "caIssuers" }, /* 201 */ + { 0x0E, 208, 1, 1, "oiw" }, /* 202 */ + { 0x03, 0, 1, 2, "secsig" }, /* 203 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 204 */ + { 0x07, 206, 0, 4, "des-cbc" }, /* 205 */ + { 0x1A, 207, 0, 4, "sha-1" }, /* 206 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 207 */ + { 0x24, 215, 1, 1, "TeleTrusT" }, /* 208 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 209 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 210 */ + { 0x01, 0, 1, 4, "rsaSignature" }, /* 211 */ + { 0x02, 213, 0, 5, "rsaSigWithripemd160" }, /* 212 */ + { 0x03, 214, 0, 5, "rsaSigWithripemd128" }, /* 213 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 214 */ + { 0x81, 0, 1, 1, "" }, /* 215 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 216 */ + { 0x00, 0, 1, 3, "curve" }, /* 217 */ + { 0x01, 219, 0, 4, "sect163k1" }, /* 218 */ + { 0x02, 220, 0, 4, "sect163r1" }, /* 219 */ + { 0x03, 221, 0, 4, "sect239k1" }, /* 220 */ + { 0x04, 222, 0, 4, "sect113r1" }, /* 221 */ + { 0x05, 223, 0, 4, "sect113r2" }, /* 222 */ + { 0x06, 224, 0, 4, "secp112r1" }, /* 223 */ + { 0x07, 225, 0, 4, "secp112r2" }, /* 224 */ + { 0x08, 226, 0, 4, "secp160r1" }, /* 225 */ + { 0x09, 227, 0, 4, "secp160k1" }, /* 226 */ + { 0x0A, 228, 0, 4, "secp256k1" }, /* 227 */ + { 0x0F, 229, 0, 4, "sect163r2" }, /* 228 */ + { 0x10, 230, 0, 4, "sect283k1" }, /* 229 */ + { 0x11, 231, 0, 4, "sect283r1" }, /* 230 */ + { 0x16, 232, 0, 4, "sect131r1" }, /* 231 */ + { 0x17, 233, 0, 4, "sect131r2" }, /* 232 */ + { 0x18, 234, 0, 4, "sect193r1" }, /* 233 */ + { 0x19, 235, 0, 4, "sect193r2" }, /* 234 */ + { 0x1A, 236, 0, 4, "sect233k1" }, /* 235 */ + { 0x1B, 237, 0, 4, "sect233r1" }, /* 236 */ + { 0x1C, 238, 0, 4, "secp128r1" }, /* 237 */ + { 0x1D, 239, 0, 4, "secp128r2" }, /* 238 */ + { 0x1E, 240, 0, 4, "secp160r2" }, /* 239 */ + { 0x1F, 241, 0, 4, "secp192k1" }, /* 240 */ + { 0x20, 242, 0, 4, "secp224k1" }, /* 241 */ + { 0x21, 243, 0, 4, "secp224r1" }, /* 242 */ + { 0x22, 244, 0, 4, "secp384r1" }, /* 243 */ + { 0x23, 245, 0, 4, "secp521r1" }, /* 244 */ + { 0x24, 246, 0, 4, "sect409k1" }, /* 245 */ + { 0x25, 247, 0, 4, "sect409r1" }, /* 246 */ + { 0x26, 248, 0, 4, "sect571k1" }, /* 247 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 248 */ + {0x60, 0, 1, 0, "" }, /* 249 */ + { 0x86, 0, 1, 1, "" }, /* 250 */ + { 0x48, 0, 1, 2, "" }, /* 251 */ + { 0x01, 295, 1, 3, "organization" }, /* 252 */ + { 0x65, 271, 1, 4, "gov" }, /* 253 */ + { 0x03, 0, 1, 5, "csor" }, /* 254 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 255 */ + { 0x01, 266, 1, 7, "aes" }, /* 256 */ + { 0x02, 258, 0, 8, "id-aes128-CBC" }, /* 257 */ + { 0x06, 259, 0, 8, "id-aes128-GCM" }, /* 258 */ + { 0x07, 260, 0, 8, "id-aes128-CCM" }, /* 259 */ + { 0x16, 261, 0, 8, "id-aes192-CBC" }, /* 260 */ + { 0x1A, 262, 0, 8, "id-aes192-GCM" }, /* 261 */ + { 0x1B, 263, 0, 8, "id-aes192-CCM" }, /* 262 */ + { 0x2A, 264, 0, 8, "id-aes256-CBC" }, /* 263 */ + { 0x2E, 265, 0, 8, "id-aes256-GCM" }, /* 264 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 265 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 266 */ + { 0x01, 268, 0, 8, "id-SHA-256" }, /* 267 */ + { 0x02, 269, 0, 8, "id-SHA-384" }, /* 268 */ + { 0x03, 270, 0, 8, "id-SHA-512" }, /* 269 */ + { 0x04, 0, 0, 8, "id-SHA-224" }, /* 270 */ + { 0x86, 0, 1, 4, "" }, /* 271 */ + { 0xf8, 0, 1, 5, "" }, /* 272 */ + { 0x42, 285, 1, 6, "netscape" }, /* 273 */ + { 0x01, 280, 1, 7, "" }, /* 274 */ + { 0x01, 276, 0, 8, "nsCertType" }, /* 275 */ + { 0x03, 277, 0, 8, "nsRevocationUrl" }, /* 276 */ + { 0x04, 278, 0, 8, "nsCaRevocationUrl" }, /* 277 */ + { 0x08, 279, 0, 8, "nsCaPolicyUrl" }, /* 278 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 279 */ + { 0x03, 283, 1, 7, "directory" }, /* 280 */ + { 0x01, 0, 1, 8, "" }, /* 281 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 282 */ + { 0x04, 0, 1, 7, "policy" }, /* 283 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 284 */ + { 0x45, 0, 1, 6, "verisign" }, /* 285 */ + { 0x01, 0, 1, 7, "pki" }, /* 286 */ + { 0x09, 0, 1, 8, "attributes" }, /* 287 */ + { 0x02, 289, 0, 9, "messageType" }, /* 288 */ + { 0x03, 290, 0, 9, "pkiStatus" }, /* 289 */ + { 0x04, 291, 0, 9, "failInfo" }, /* 290 */ + { 0x05, 292, 0, 9, "senderNonce" }, /* 291 */ + { 0x06, 293, 0, 9, "recipientNonce" }, /* 292 */ + { 0x07, 294, 0, 9, "transID" }, /* 293 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 294 */ + { 0x86, 0, 1, 3, "old-netscape" }, /* 295 */ + { 0xF7, 0, 1, 4, "" }, /* 296 */ + { 0x0D, 0, 1, 5, "" }, /* 297 */ + { 0x01, 0, 1, 6, "" }, /* 298 */ + { 0x09, 0, 1, 7, "" }, /* 299 */ + { 0x01, 301, 0, 8, "emailAddress" }, /* 300 */ + { 0x02, 0, 0, 8, "unstructuredName" } /* 301 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 477789b62..b7241af8d 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -60,126 +60,131 @@ extern const oid_t oid_names[]; #define OID_SHA256_WITH_RSA 81 #define OID_SHA384_WITH_RSA 82 #define OID_SHA512_WITH_RSA 83 -#define OID_PKCS7_DATA 85 -#define OID_PKCS7_SIGNED_DATA 86 -#define OID_PKCS7_ENVELOPED_DATA 87 -#define OID_PKCS7_SIGNED_ENVELOPED_DATA 88 -#define OID_PKCS7_DIGESTED_DATA 89 -#define OID_PKCS7_ENCRYPTED_DATA 90 -#define OID_PKCS9_EMAIL 92 -#define OID_PKCS9_CONTENT_TYPE 94 -#define OID_PKCS9_MESSAGE_DIGEST 95 -#define OID_PKCS9_SIGNING_TIME 96 -#define OID_MD2 103 -#define OID_MD5 104 -#define OID_3DES_EDE_CBC 106 -#define OID_EC_PUBLICKEY 110 -#define OID_C2PNB163V1 113 -#define OID_C2PNB163V2 114 -#define OID_C2PNB163V3 115 -#define OID_C2PNB176W1 116 -#define OID_C2PNB191V1 117 -#define OID_C2PNB191V2 118 -#define OID_C2PNB191V3 119 -#define OID_C2PNB191V4 120 -#define OID_C2PNB191V5 121 -#define OID_C2PNB208W1 122 -#define OID_C2PNB239V1 123 -#define OID_C2PNB239V2 124 -#define OID_C2PNB239V3 125 -#define OID_C2PNB239V4 126 -#define OID_C2PNB239V5 127 -#define OID_C2PNB272W1 128 -#define OID_C2PNB304W1 129 -#define OID_C2PNB359V1 130 -#define OID_C2PNB368W1 131 -#define OID_C2PNB431R1 132 -#define OID_PRIME192V1 134 -#define OID_PRIME192V2 135 -#define OID_PRIME192V3 136 -#define OID_PRIME239V1 137 -#define OID_PRIME239V2 138 -#define OID_PRIME239V3 139 -#define OID_PRIME256V1 140 -#define OID_ECDSA_WITH_SHA1 142 -#define OID_TCGID 163 -#define OID_AUTHORITY_INFO_ACCESS 168 -#define OID_OCSP_SIGNING 178 -#define OID_XMPP_ADDR 180 -#define OID_AUTHENTICATION_INFO 182 -#define OID_ACCESS_IDENTITY 183 -#define OID_CHARGING_IDENTITY 184 -#define OID_GROUP 185 -#define OID_OCSP 187 -#define OID_BASIC 188 -#define OID_NONCE 189 -#define OID_CRL 190 -#define OID_RESPONSE 191 -#define OID_NO_CHECK 192 -#define OID_ARCHIVE_CUTOFF 193 -#define OID_SERVICE_LOCATOR 194 -#define OID_CA_ISSUERS 195 -#define OID_DES_CBC 199 -#define OID_SHA1 200 -#define OID_SHA1_WITH_RSA_OIW 201 -#define OID_SECT163K1 212 -#define OID_SECT163R1 213 -#define OID_SECT239K1 214 -#define OID_SECT113R1 215 -#define OID_SECT113R2 216 -#define OID_SECT112R1 217 -#define OID_SECT112R2 218 -#define OID_SECT160R1 219 -#define OID_SECT160K1 220 -#define OID_SECT256K1 221 -#define OID_SECT163R2 222 -#define OID_SECT283K1 223 -#define OID_SECT283R1 224 -#define OID_SECT131R1 225 -#define OID_SECT131R2 226 -#define OID_SECT193R1 227 -#define OID_SECT193R2 228 -#define OID_SECT233K1 229 -#define OID_SECT233R1 230 -#define OID_SECT128R1 231 -#define OID_SECT128R2 232 -#define OID_SECT160R2 233 -#define OID_SECT192K1 234 -#define OID_SECT224K1 235 -#define OID_SECT224R1 236 -#define OID_SECT384R1 237 -#define OID_SECT521R1 238 -#define OID_SECT409K1 239 -#define OID_SECT409R1 240 -#define OID_SECT571K1 241 -#define OID_SECT571R1 242 -#define OID_AES128_CBC 251 -#define OID_AES128_GCM 252 -#define OID_AES128_CCM 253 -#define OID_AES192_CBC 254 -#define OID_AES192_GCM 255 -#define OID_AES192_CCM 256 -#define OID_AES256_CBC 257 -#define OID_AES256_GCM 258 -#define OID_AES256_CCM 259 -#define OID_SHA256 261 -#define OID_SHA384 262 -#define OID_SHA512 263 -#define OID_SHA224 264 -#define OID_NS_REVOCATION_URL 270 -#define OID_NS_CA_REVOCATION_URL 271 -#define OID_NS_CA_POLICY_URL 272 -#define OID_NS_COMMENT 273 -#define OID_EMPLOYEE_NUMBER 276 -#define OID_PKI_MESSAGE_TYPE 282 -#define OID_PKI_STATUS 283 -#define OID_PKI_FAIL_INFO 284 -#define OID_PKI_SENDER_NONCE 285 -#define OID_PKI_RECIPIENT_NONCE 286 -#define OID_PKI_TRANS_ID 287 -#define OID_EMAIL_ADDRESS 294 -#define OID_UNSTRUCTURED_NAME 295 +#define OID_SHA224_WITH_RSA 84 +#define OID_PKCS7_DATA 86 +#define OID_PKCS7_SIGNED_DATA 87 +#define OID_PKCS7_ENVELOPED_DATA 88 +#define OID_PKCS7_SIGNED_ENVELOPED_DATA 89 +#define OID_PKCS7_DIGESTED_DATA 90 +#define OID_PKCS7_ENCRYPTED_DATA 91 +#define OID_PKCS9_EMAIL 93 +#define OID_PKCS9_CONTENT_TYPE 95 +#define OID_PKCS9_MESSAGE_DIGEST 96 +#define OID_PKCS9_SIGNING_TIME 97 +#define OID_MD2 104 +#define OID_MD5 105 +#define OID_3DES_EDE_CBC 107 +#define OID_EC_PUBLICKEY 111 +#define OID_C2PNB163V1 114 +#define OID_C2PNB163V2 115 +#define OID_C2PNB163V3 116 +#define OID_C2PNB176W1 117 +#define OID_C2PNB191V1 118 +#define OID_C2PNB191V2 119 +#define OID_C2PNB191V3 120 +#define OID_C2PNB191V4 121 +#define OID_C2PNB191V5 122 +#define OID_C2PNB208W1 123 +#define OID_C2PNB239V1 124 +#define OID_C2PNB239V2 125 +#define OID_C2PNB239V3 126 +#define OID_C2PNB239V4 127 +#define OID_C2PNB239V5 128 +#define OID_C2PNB272W1 129 +#define OID_C2PNB304W1 130 +#define OID_C2PNB359V1 131 +#define OID_C2PNB368W1 132 +#define OID_C2PNB431R1 133 +#define OID_PRIME192V1 135 +#define OID_PRIME192V2 136 +#define OID_PRIME192V3 137 +#define OID_PRIME239V1 138 +#define OID_PRIME239V2 139 +#define OID_PRIME239V3 140 +#define OID_PRIME256V1 141 +#define OID_ECDSA_WITH_SHA1 143 +#define OID_ECDSA_WITH_SHA224 145 +#define OID_ECDSA_WITH_SHA256 146 +#define OID_ECDSA_WITH_SHA384 147 +#define OID_ECDSA_WITH_SHA512 148 +#define OID_TCGID 169 +#define OID_AUTHORITY_INFO_ACCESS 174 +#define OID_OCSP_SIGNING 184 +#define OID_XMPP_ADDR 186 +#define OID_AUTHENTICATION_INFO 188 +#define OID_ACCESS_IDENTITY 189 +#define OID_CHARGING_IDENTITY 190 +#define OID_GROUP 191 +#define OID_OCSP 193 +#define OID_BASIC 194 +#define OID_NONCE 195 +#define OID_CRL 196 +#define OID_RESPONSE 197 +#define OID_NO_CHECK 198 +#define OID_ARCHIVE_CUTOFF 199 +#define OID_SERVICE_LOCATOR 200 +#define OID_CA_ISSUERS 201 +#define OID_DES_CBC 205 +#define OID_SHA1 206 +#define OID_SHA1_WITH_RSA_OIW 207 +#define OID_SECT163K1 218 +#define OID_SECT163R1 219 +#define OID_SECT239K1 220 +#define OID_SECT113R1 221 +#define OID_SECT113R2 222 +#define OID_SECT112R1 223 +#define OID_SECT112R2 224 +#define OID_SECT160R1 225 +#define OID_SECT160K1 226 +#define OID_SECT256K1 227 +#define OID_SECT163R2 228 +#define OID_SECT283K1 229 +#define OID_SECT283R1 230 +#define OID_SECT131R1 231 +#define OID_SECT131R2 232 +#define OID_SECT193R1 233 +#define OID_SECT193R2 234 +#define OID_SECT233K1 235 +#define OID_SECT233R1 236 +#define OID_SECT128R1 237 +#define OID_SECT128R2 238 +#define OID_SECT160R2 239 +#define OID_SECT192K1 240 +#define OID_SECT224K1 241 +#define OID_SECT224R1 242 +#define OID_SECT384R1 243 +#define OID_SECT521R1 244 +#define OID_SECT409K1 245 +#define OID_SECT409R1 246 +#define OID_SECT571K1 247 +#define OID_SECT571R1 248 +#define OID_AES128_CBC 257 +#define OID_AES128_GCM 258 +#define OID_AES128_CCM 259 +#define OID_AES192_CBC 260 +#define OID_AES192_GCM 261 +#define OID_AES192_CCM 262 +#define OID_AES256_CBC 263 +#define OID_AES256_GCM 264 +#define OID_AES256_CCM 265 +#define OID_SHA256 267 +#define OID_SHA384 268 +#define OID_SHA512 269 +#define OID_SHA224 270 +#define OID_NS_REVOCATION_URL 276 +#define OID_NS_CA_REVOCATION_URL 277 +#define OID_NS_CA_POLICY_URL 278 +#define OID_NS_COMMENT 279 +#define OID_EMPLOYEE_NUMBER 282 +#define OID_PKI_MESSAGE_TYPE 288 +#define OID_PKI_STATUS 289 +#define OID_PKI_FAIL_INFO 290 +#define OID_PKI_SENDER_NONCE 291 +#define OID_PKI_RECIPIENT_NONCE 292 +#define OID_PKI_TRANS_ID 293 +#define OID_EMAIL_ADDRESS 300 +#define OID_UNSTRUCTURED_NAME 301 -#define OID_MAX 296 +#define OID_MAX 302 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 1514f179f..5adca6289 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -82,6 +82,7 @@ 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA + 0x0E "sha224WithRSAEncryption" OID_SHA224_WITH_RSA 0x07 "PKCS-7" 0x01 "data" OID_PKCS7_DATA 0x02 "signedData" OID_PKCS7_SIGNED_DATA @@ -141,6 +142,11 @@ 0x07 "prime256v1" OID_PRIME256V1 0x04 "id-ecSigType" 0x01 "ecdsa-with-SHA1" OID_ECDSA_WITH_SHA1 + 0x03 "ecdsa-with-Specified" + 0x01 "ecdsa-with-SHA224" OID_ECDSA_WITH_SHA224 + 0x02 "ecdsa-with-SHA256" OID_ECDSA_WITH_SHA256 + 0x03 "ecdsa-with-SHA384" OID_ECDSA_WITH_SHA384 + 0x04 "ecdsa-with-SHA512" OID_ECDSA_WITH_SHA512 0x2B "" 0x06 "dod" 0x01 "internet" diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index c9c181f87..40a93e21a 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c @@ -19,6 +19,7 @@ #include <sys/stat.h> #include <unistd.h> #include <errno.h> +#include <ctype.h> #include "chunk.h" @@ -442,6 +443,32 @@ int chunk_compare(chunk_t a, chunk_t b) }; /** + * Remove non-printable characters from a chunk. + */ +bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace) +{ + bool printable = TRUE; + int i; + + if (sane) + { + *sane = chunk_clone(chunk); + } + for (i = 0; i < chunk.len; i++) + { + if (!isprint(chunk.ptr[i])) + { + if (sane) + { + sane->ptr[i] = replace; + } + printable = FALSE; + } + } + return printable; +} + +/** * Described in header. * * The implementation is based on Paul Hsieh's SuperFastHash: diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h index 3d8c360c5..66c3f26a2 100644 --- a/src/libstrongswan/chunk.h +++ b/src/libstrongswan/chunk.h @@ -26,6 +26,9 @@ #include <string.h> #include <stdarg.h> #include <sys/types.h> +#ifdef HAVE_ALLOCA_H +#include <alloca.h> +#endif typedef struct chunk_t chunk_t; @@ -83,8 +86,9 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...); void chunk_split(chunk_t chunk, const char *mode, ...); /** - * Write the binary contents of a chunk_t to a file - * + * Write the binary contents of a chunk_t to a file + * + * @param chunk contents to write to file * @param path path where file is written to * @param label label specifying file type * @param mask file mode creation mask @@ -99,6 +103,7 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force * The resulting string is '\\0' terminated, but the chunk does not include * the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1). * + * @param chunk data to convert to hex encoding * @param buf buffer to write to, NULL to malloc * @param uppercase TRUE to use uppercase letters * @return chunk of encoded data @@ -232,6 +237,19 @@ static inline bool chunk_equals(chunk_t a, chunk_t b) } /** + * Check if a chunk has printable characters only. + * + * If sane is given, chunk is cloned into sane and all non printable characters + * get replaced by "replace". + * + * @param chunk chunk to check for printability + * @param sane pointer where sane version is allocated, or NULL + * @param replace character to use for replaceing unprintable characters + * @return TRUE if all characters in chunk are printable + */ +bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace); + +/** * Computes a 32 bit hash of the given chunk. * Note: This hash is only intended for hash tables not for cryptographic purposes. */ diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c index 2e9a541d4..e55df0398 100644 --- a/src/libstrongswan/credentials/credential_factory.c +++ b/src/libstrongswan/credentials/credential_factory.c @@ -234,7 +234,7 @@ credential_factory_t *credential_factory_create() this->constructors = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index c94c27f0a..a5f547038 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -28,6 +28,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, "RSA_EMSA_PKCS1_NULL", "RSA_EMSA_PKCS1_MD5", "RSA_EMSA_PKCS1_SHA1", + "RSA_EMSA_PKCS1_SHA224", "RSA_EMSA_PKCS1_SHA256", "RSA_EMSA_PKCS1_SHA384", "RSA_EMSA_PKCS1_SHA512", @@ -51,6 +52,9 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_SHA1_WITH_RSA: case OID_SHA1: return SIGN_RSA_EMSA_PKCS1_SHA1; + case OID_SHA224_WITH_RSA: + case OID_SHA224: + return SIGN_RSA_EMSA_PKCS1_SHA224; case OID_SHA256_WITH_RSA: case OID_SHA256: return SIGN_RSA_EMSA_PKCS1_SHA256; @@ -63,6 +67,12 @@ signature_scheme_t signature_scheme_from_oid(int oid) case OID_ECDSA_WITH_SHA1: case OID_EC_PUBLICKEY: return SIGN_ECDSA_WITH_SHA1; + case OID_ECDSA_WITH_SHA256: + return SIGN_ECDSA_256; + case OID_ECDSA_WITH_SHA384: + return SIGN_ECDSA_384; + case OID_ECDSA_WITH_SHA512: + return SIGN_ECDSA_521; default: return SIGN_UNKNOWN; } diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index c58531b73..be5f3bde6 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -66,6 +66,8 @@ enum signature_scheme_t { SIGN_RSA_EMSA_PKCS1_MD5, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1 */ SIGN_RSA_EMSA_PKCS1_SHA1, + /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224 */ + SIGN_RSA_EMSA_PKCS1_SHA224, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256 */ SIGN_RSA_EMSA_PKCS1_SHA256, /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384 */ diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index fea8d0793..e928e8cdf 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -746,7 +746,7 @@ crypto_factory_t *crypto_factory_create() this->prfs = linked_list_create(); this->rngs = linked_list_create(); this->dhs = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->tester = crypto_tester_create(); this->test_on_add = lib->settings->get_bool(lib->settings, "libstrongswan.crypto_test.on_add", FALSE); diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index b0b5aa969..4d13474a1 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c @@ -136,7 +136,7 @@ static bool test_crypter(private_crypto_tester_t *this, crypter->destroy(crypter); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", encryption_algorithm_names, alg, tested); break; } @@ -151,7 +151,7 @@ static bool test_crypter(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", encryption_algorithm_names, alg, tested); } return !failed; @@ -240,7 +240,7 @@ static bool test_signer(private_crypto_tester_t *this, signer->destroy(signer); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", integrity_algorithm_names, alg, tested); break; } @@ -255,7 +255,7 @@ static bool test_signer(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", integrity_algorithm_names, alg, tested); } return !failed; @@ -330,8 +330,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, hasher->destroy(hasher); if (failed) { - DBG1("disabled %N: test vector %d failed", - hash_algorithm_names, alg), tested; + DBG1("disabled %N: test vector %u failed", + hash_algorithm_names, alg, tested); break; } } @@ -345,7 +345,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", hash_algorithm_names, alg, tested); } return !failed; @@ -431,7 +431,7 @@ static bool test_prf(private_crypto_tester_t *this, prf->destroy(prf); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", pseudo_random_function_names, alg, tested); break; } @@ -446,7 +446,7 @@ static bool test_prf(private_crypto_tester_t *this, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", pseudo_random_function_names, alg, tested); } return !failed; @@ -515,7 +515,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, rng->destroy(rng); if (failed) { - DBG1("disabled %N: test vector %d failed", + DBG1("disabled %N: test vector %u failed", rng_quality_names, quality, tested); break; } @@ -530,7 +530,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality, } if (!failed) { - DBG1("enabled %N: successfully passed %d test vectors", + DBG1("enabled %N: passed %u test vectors", rng_quality_names, quality, tested); } return !failed; diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index c58c2ad42..4d6904e47 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -26,6 +26,7 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512, "HASH_MD4", "HASH_MD5", "HASH_SHA1", + "HASH_SHA224", "HASH_SHA256", "HASH_SHA384", "HASH_SHA512" @@ -47,6 +48,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid) case OID_SHA1: case OID_SHA1_WITH_RSA: return HASH_SHA1; + case OID_SHA224: + case OID_SHA224_WITH_RSA: + return HASH_SHA224; case OID_SHA256: case OID_SHA256_WITH_RSA: return HASH_SHA256; @@ -79,6 +83,9 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA1: oid = OID_SHA1; break; + case HASH_SHA224: + oid = OID_SHA224; + break; case HASH_SHA256: oid = OID_SHA256; break; @@ -112,6 +119,9 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg) case HASH_SHA1: oid = OID_SHA1_WITH_RSA; break; + case HASH_SHA224: + oid = OID_SHA224_WITH_RSA; + break; case HASH_SHA256: oid = OID_SHA256_WITH_RSA; break; diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 098739fa3..6deed37ab 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -40,15 +40,17 @@ enum hash_algorithm_t { HASH_MD4 = 3, HASH_MD5 = 4, HASH_SHA1 = 5, - HASH_SHA256 = 6, - HASH_SHA384 = 7, - HASH_SHA512 = 8 + HASH_SHA224 = 6, + HASH_SHA256 = 7, + HASH_SHA384 = 8, + HASH_SHA512 = 9 }; #define HASH_SIZE_MD2 16 #define HASH_SIZE_MD4 16 #define HASH_SIZE_MD5 16 #define HASH_SIZE_SHA1 20 +#define HASH_SIZE_SHA224 28 #define HASH_SIZE_SHA256 32 #define HASH_SIZE_SHA384 48 #define HASH_SIZE_SHA512 64 diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c index 76e0a4e89..ef6927874 100644 --- a/src/libstrongswan/database/database_factory.c +++ b/src/libstrongswan/database/database_factory.c @@ -110,7 +110,7 @@ database_factory_t *database_factory_create() this->public.destroy = (void(*)(database_factory_t*))destroy; this->databases = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c index a30012bb1..1f87412c8 100644 --- a/src/libstrongswan/fetcher/fetcher_manager.c +++ b/src/libstrongswan/fetcher/fetcher_manager.c @@ -201,7 +201,7 @@ fetcher_manager_t *fetcher_manager_create() this->public.destroy = (void(*)(fetcher_manager_t*))destroy; this->fetchers = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); return &this->public; } diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am deleted file mode 100644 index 22a35701b..000000000 --- a/src/libstrongswan/fips/Makefile.am +++ /dev/null @@ -1,19 +0,0 @@ -noinst_PROGRAMS = fips_signer -fips_signer_SOURCES = fips_signer.c -fips_signer_LDADD = ../libstrongswan.la - -BUILT_SOURCES = fips_signature.h -CLEANFILES = fips_signature.h fips_signer -INCLUDES = -I$(top_srcdir)/src/libstrongswan -AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \ - -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" -if USE_SHA1 - AM_CFLAGS += -DUSE_SHA1 -endif - -if USE_OPENSSL - AM_CFLAGS += -DUSE_OPENSSL -endif - -fips_signature.h : fips_signer - ./fips_signer diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c deleted file mode 100644 index d2296e5e9..000000000 --- a/src/libstrongswan/fips/fips.c +++ /dev/null @@ -1,96 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> - -#include <debug.h> -#include <crypto/signers/signer.h> -#include "fips.h" - -extern const u_char FIPS_rodata_start[]; -extern const u_char FIPS_rodata_end[]; -extern const void *FIPS_text_start(); -extern const void *FIPS_text_end(); - -/** - * Described in header - */ -bool fips_compute_hmac_signature(const char *key, char *signature) -{ - u_char *text_start = (u_char *)FIPS_text_start(); - u_char *text_end = (u_char *)FIPS_text_end(); - size_t text_len, rodata_len; - signer_t *signer; - - if (text_start > text_end) - { - DBG1(" TEXT start (%p) > TEXT end (%p", - text_start, text_end); - return FALSE; - } - text_len = text_end - text_start; - DBG1(" TEXT: %p + %6d = %p", - text_start, (int)text_len, text_end); - - if (FIPS_rodata_start > FIPS_rodata_end) - { - DBG1(" RODATA start (%p) > RODATA end (%p", - FIPS_rodata_start, FIPS_rodata_end); - return FALSE; - } - rodata_len = FIPS_rodata_end - FIPS_rodata_start; - DBG1(" RODATA: %p + %6d = %p", - FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end); - - signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128); - if (signer == NULL) - { - DBG1(" SHA-1 HMAC signer could not be created"); - return FALSE; - } - else - { - chunk_t hmac_key = { (u_char *)key, strlen(key) }; - chunk_t text_chunk = { text_start, text_len }; - chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len }; - chunk_t signature_chunk = chunk_empty; - - signer->set_key(signer, hmac_key); - signer->allocate_signature(signer, text_chunk, NULL); - signer->allocate_signature(signer, rodata_chunk, &signature_chunk); - signer->destroy(signer); - - sprintf(signature, "%#B", &signature_chunk); - DBG1(" SHA-1 HMAC key: %s", key); - DBG1(" SHA-1 HMAC sig: %s", signature); - free(signature_chunk.ptr); - return TRUE; - } -} - -/** - * Described in header - */ -bool fips_verify_hmac_signature(const char *key, - const char *signature) -{ - char current_signature[BUF_LEN]; - - if (!fips_compute_hmac_signature(key, current_signature)) - { - return FALSE; - } - return streq(signature, current_signature); -} diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h deleted file mode 100644 index aae18e3b2..000000000 --- a/src/libstrongswan/fips/fips.h +++ /dev/null @@ -1,44 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup fips1 fips - * @{ @ingroup fips - */ - -#ifndef FIPS_H_ -#define FIPS_H_ - -#include <library.h> - -/** - * compute HMAC signature over RODATA and TEXT sections of libstrongswan - * - * @param key key used for HMAC signature in ASCII string format - * @param signature HMAC signature in HEX string format - * @return TRUE if HMAC signature computation was successful - */ -bool fips_compute_hmac_signature(const char *key, char *signature); - -/** - * verify HMAC signature over RODATA and TEXT sections of libstrongswan - * - * @param key key used for HMAC signature in ASCII string format - * @param signature signature value from fips_signature.h in HEX string format - * @return TRUE if signatures agree - */ -bool fips_verify_hmac_signature(const char *key, const char *signature); - -#endif /** FIPS_H_ @}*/ diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c deleted file mode 100644 index 247d48927..000000000 --- a/src/libstrongswan/fips/fips_canister_end.c +++ /dev/null @@ -1,166 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#if defined(__DECC) -# include <c_asm.h> -# pragma __nostandard -#endif - -#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) -# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ - (defined(__sgi) && (defined(__mips) || defined(mips))) || \ - (defined(__osf__) && defined(__alpha)) || \ - (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ - (defined(__i386) || defined(__i386__)) || \ - (defined(__x86_64) || defined(__x86_64__)) || \ - (defined(vax) || defined(__vax__)) -# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION -# endif -#endif - -#define FIPS_ref_point FIPS_text_end -/* Some compilers put string literals into a separate segment. As we - * are mostly interested to hash AES tables in .rodata, we declare - * reference points accordingly. In case you wonder, the values are - * big-endian encoded variable names, just to prevent these arrays - * from being merged by linker. */ -const unsigned int FIPS_rodata_end[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b }; - - -/* - * I declare reference function as static in order to avoid certain - * pitfalls in -dynamic linker behaviour... - */ -static void *instruction_pointer(void) -{ - void *ret = NULL; - -/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means - * that they are designed to work under any OS running on particular - * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in - * this function. */ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - INSTRUCTION_POINTER_IMPLEMENTED(ret); -#elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__alpha) || defined(__alpha__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); -# elif defined(__i386) || defined(__i386__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# elif defined(__ia64) || defined(__ia64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "mov %0=ip" : "=r"(ret) ); -# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ -# elif defined(__mips) || defined(__mips__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "move %1,$31\n\t" /* save ra */ - "bal .+8; nop\n\t" - "move %0,$31\n\t" - "move $31,%1" /* restore ra */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ - defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ - defined(__PPC64__) || defined(__powerpc64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ - "bl .+4\n\t" - "mfspr %0,8\n\t" /* mflr ret */ - "mtspr 8,%1" /* restore lr */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mov %%o7,%1\n\t" - "call .+8; nop\n\t" - "mov %%o7,%0\n\t" - "mov %1,%%o7" - : "=r"(ret),"=r"(scratch) ); -# elif defined(__x86_64) || defined(__x86_64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# endif -#elif defined(__DECC) && defined(__alpha) -# define INSTRUCTION_POINTER_IMPLEMENTED - ret = (void *)(size_t)asm("br %v0,1f\n1:"); -#elif defined(_MSC_VER) && defined(_M_IX86) -# undef INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - _asm { - call self - self: pop eax - mov scratch,eax - } - ret = (void *)((size_t)scratch&~3UL); -#endif - return ret; -} - -/* - * This function returns pointer to an instruction in the vicinity of - * its entry point, but not outside this object module. This guarantees - * that sequestered code is covered... - */ -void *FIPS_ref_point() -{ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - return instruction_pointer(); -/* Below we essentially cover vendor compilers which do not support - * inline assembler... */ -#elif defined(_AIX) - struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_HPUX_SOURCE) -# if defined(__hppa) || defined(__hppa__) - struct { void *i[4]; } *p = (void *)FIPS_ref_point; - - if (sizeof(p) == 8) /* 64-bit */ - return p->i[2]; - else if ((size_t)p & 2) - { p = (void *)((size_t)p&~3UL); - return p->i[0]; - } - else - return (void *)p; -# elif defined(__ia64) || defined(__ia64__) - struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -# endif -#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) - /* applies to both alpha and ia64 */ - struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -#elif defined(__VOS__) - /* applies to both pa-risc and ia32 */ - struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_WIN32) -# if defined(_WIN64) && defined(_M_IA64) - struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; - return p->ip; -# else - return (void *)FIPS_ref_point; -# endif -/* - * In case you wonder why there is no #ifdef __linux. All Linux targets - * are GCC-based and therefore are covered by instruction_pointer above - * [well, some are covered by by the one below]... - */ -#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) - return (void *)instruction_pointer; -#else - return NULL; -#endif -} diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c deleted file mode 100644 index 4a5528a94..000000000 --- a/src/libstrongswan/fips/fips_canister_start.c +++ /dev/null @@ -1,167 +0,0 @@ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution - * and usage in source and binary forms are granted according to the - * OpenSSL license. - */ - -#include <stdio.h> -#if defined(__DECC) -# include <c_asm.h> -# pragma __nostandard -#endif - -#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) -# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \ - (defined(__sgi) && (defined(__mips) || defined(mips))) || \ - (defined(__osf__) && defined(__alpha)) || \ - (defined(__linux) && (defined(__arm) || defined(__arm__))) || \ - (defined(__i386) || defined(__i386__)) || \ - (defined(__x86_64) || defined(__x86_64__)) || \ - (defined(vax) || defined(__vax__)) -# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION -# endif -#endif - - -#define FIPS_ref_point FIPS_text_start -/* Some compilers put string literals into a separate segment. As we - * are mostly interested to hash AES tables in .rodata, we declare - * reference points accordingly. In case you wonder, the values are - * big-endian encoded variable names, just to prevent these arrays - * from being merged by linker. */ -const unsigned int FIPS_rodata_start[]= - { 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 }; - - -/* - * I declare reference function as static in order to avoid certain - * pitfalls in -dynamic linker behaviour... - */ -static void *instruction_pointer(void) -{ - void *ret = NULL; - -/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means - * that they are designed to work under any OS running on particular - * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in - * this function. */ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - INSTRUCTION_POINTER_IMPLEMENTED(ret); -#elif defined(__GNUC__) && __GNUC__>=2 -# if defined(__alpha) || defined(__alpha__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) ); -# elif defined(__i386) || defined(__i386__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# elif defined(__ia64) || defined(__ia64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "mov %0=ip" : "=r"(ret) ); -# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* mask privilege level */ -# elif defined(__mips) || defined(__mips__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "move %1,$31\n\t" /* save ra */ - "bal .+8; nop\n\t" - "move %0,$31\n\t" - "move $31,%1" /* restore ra */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \ - defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \ - defined(__PPC64__) || defined(__powerpc64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mfspr %1,8\n\t" /* save lr */ - "bl .+4\n\t" - "mfspr %0,8\n\t" /* mflr ret */ - "mtspr 8,%1" /* restore lr */ - : "=r"(ret),"=r"(scratch) ); -# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9) -# define INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - __asm __volatile ( "mov %%o7,%1\n\t" - "call .+8; nop\n\t" - "mov %%o7,%0\n\t" - "mov %1,%%o7" - : "=r"(ret),"=r"(scratch) ); -# elif defined(__x86_64) || defined(__x86_64__) -# define INSTRUCTION_POINTER_IMPLEMENTED - __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) ); - ret = (void *)((size_t)ret&~3UL); /* align for better performance */ -# endif -#elif defined(__DECC) && defined(__alpha) -# define INSTRUCTION_POINTER_IMPLEMENTED - ret = (void *)(size_t)asm("br %v0,1f\n1:"); -#elif defined(_MSC_VER) && defined(_M_IX86) -# undef INSTRUCTION_POINTER_IMPLEMENTED - void *scratch; - _asm { - call self - self: pop eax - mov scratch,eax - } - ret = (void *)((size_t)scratch&~3UL); -#endif - return ret; -} - -/* - * This function returns pointer to an instruction in the vicinity of - * its entry point, but not outside this object module. This guarantees - * that sequestered code is covered... - */ -void *FIPS_ref_point() -{ -#if defined(INSTRUCTION_POINTER_IMPLEMENTED) - return instruction_pointer(); -/* Below we essentially cover vendor compilers which do not support - * inline assembler... */ -#elif defined(_AIX) - struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_HPUX_SOURCE) -# if defined(__hppa) || defined(__hppa__) - struct { void *i[4]; } *p = (void *)FIPS_ref_point; - - if (sizeof(p) == 8) /* 64-bit */ - return p->i[2]; - else if ((size_t)p & 2) - { p = (void *)((size_t)p&~3UL); - return p->i[0]; - } - else - return (void *)p; -# elif defined(__ia64) || defined(__ia64__) - struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -# endif -#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__)) - /* applies to both alpha and ia64 */ - struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer; - return (void *)(size_t)p->ip; -#elif defined(__VOS__) - /* applies to both pa-risc and ia32 */ - struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer; - return p->ip; -#elif defined(_WIN32) -# if defined(_WIN64) && defined(_M_IA64) - struct { void *ip,*gp; } *p = (void *)FIPS_ref_point; - return p->ip; -# else - return (void *)FIPS_ref_point; -# endif -/* - * In case you wonder why there is no #ifdef __linux. All Linux targets - * are GCC-based and therefore are covered by instruction_pointer above - * [well, some are covered by by the one below]... - */ -#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION) - return (void *)instruction_pointer; -#else - return NULL; -#endif -} diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c deleted file mode 100644 index 6f5fdcecf..000000000 --- a/src/libstrongswan/fips/fips_signer.c +++ /dev/null @@ -1,68 +0,0 @@ -/* - * Copyright (C) 2007 Bruno Krieg, Daniel Wydler - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdio.h> - -#include <crypto/hashers/hasher.h> -#include "fips.h" - -int main(int argc, char* argv[]) -{ - FILE *f; - char *hmac_key = "strongSwan Version " VERSION; - char hmac_signature[BUF_LEN]; - - /* initialize library */ - library_init(STRONGSWAN_CONF); -#ifdef USE_SHA1 - lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1"); -#endif -#ifdef USE_OPENSSL - lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl"); -#endif - lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac"); - - if (!fips_compute_hmac_signature(hmac_key, hmac_signature)) - { - exit(1); - } - - /** - * write computed HMAC signature to fips_signature.h - */ - f = fopen("fips_signature.h", "wt"); - - if (f == NULL) - { - exit(1); - } - fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n"); - fprintf(f, " *\n"); - fprintf(f, " * This file has been automatically generated by fips_signer\n"); - fprintf(f, " * Do not edit manually!\n"); - fprintf(f, " */\n"); - fprintf(f, "\n"); - fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n"); - fprintf(f, "#define FIPS_SIGNATURE_H_\n"); - fprintf(f, "\n"); - fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key); - fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature); - fprintf(f, "\n"); - fprintf(f, "#endif /* FIPS_SIGNATURE_H_ @} */\n"); - fclose(f); - - library_deinit(); - exit(0); -} diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c new file mode 100644 index 000000000..32a296d79 --- /dev/null +++ b/src/libstrongswan/integrity_checker.c @@ -0,0 +1,332 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE + +#include "integrity_checker.h" + +#include <dlfcn.h> +#include <link.h> +#include <fcntl.h> +#include <errno.h> +#include <unistd.h> +#include <sys/mman.h> +#include <sys/stat.h> +#include <sys/types.h> + +#include <debug.h> +#include <library.h> + +typedef struct private_integrity_checker_t private_integrity_checker_t; + +/** + * Private data of an integrity_checker_t object. + */ +struct private_integrity_checker_t { + + /** + * Public integrity_checker_t interface. + */ + integrity_checker_t public; + + /** + * dlopen handle to checksum library + */ + void *handle; + + /** + * checksum array + */ + integrity_checksum_t *checksums; + + /** + * number of checksums in array + */ + int checksum_count; +}; + +/** + * Implementation of integrity_checker_t.build_file + */ +static u_int32_t build_file(private_integrity_checker_t *this, char *file, + size_t *len) +{ + u_int32_t checksum; + chunk_t contents; + struct stat sb; + void *addr; + int fd; + + fd = open(file, O_RDONLY); + if (fd == -1) + { + DBG1(" opening '%s' failed: %s", file, strerror(errno)); + return 0; + } + + if (fstat(fd, &sb) == -1) + { + DBG1(" getting file size of '%s' failed: %s", file, strerror(errno)); + close(fd); + return 0; + } + + addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(" mapping '%s' failed: %s", file, strerror(errno)); + close(fd); + return 0; + } + + *len = sb.st_size; + contents = chunk_create(addr, sb.st_size); + checksum = chunk_hash(contents); + + munmap(addr, sb.st_size); + close(fd); + + return checksum; +} + +/** + * dl_iterate_phdr callback function + */ +static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli) +{ + /* We are looking for the dlpi_addr matching the address of our dladdr(). + * dl_iterate_phdr() returns such an address for other (unknown) objects + * in very rare cases (e.g. in a chrooted gentoo, but only if + * the checksum_builder is invoked by 'make'). As a workaround, we filter + * objects by dlpi_name; valid objects have a library name. + */ + if (dli->dli_fbase == (void*)dlpi->dlpi_addr && + dlpi->dlpi_name && *dlpi->dlpi_name) + { + int i; + + for (i = 0; i < dlpi->dlpi_phnum; i++) + { + const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i]; + + /* we are interested in the executable LOAD segment */ + if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X)) + { + /* safe begin of segment in dli_fbase */ + dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr; + /* safe end of segment in dli_saddr */ + dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz; + return 1; + } + } + } + return 0; +} + +/** + * Implementation of integrity_checker_t.build_segment + */ +static u_int32_t build_segment(private_integrity_checker_t *this, void *sym, + size_t *len) +{ + chunk_t segment; + Dl_info dli; + + if (dladdr(sym, &dli) == 0) + { + DBG1(" unable to locate symbol: %s", dlerror()); + return 0; + } + /* we reuse the Dl_info struct as in/out parameter */ + if (!dl_iterate_phdr((void*)callback, &dli)) + { + DBG1(" executable section not found"); + return 0; + } + + segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase); + *len = segment.len; + return chunk_hash(segment); +} + +/** + * Find a checksum by its name + */ +static integrity_checksum_t *find_checksum(private_integrity_checker_t *this, + char *name) +{ + int i; + + for (i = 0; i < this->checksum_count; i++) + { + if (streq(this->checksums[i].name, name)) + { + return &this->checksums[i]; + } + } + return NULL; +} + +/** + * Implementation of integrity_checker_t.check_file + */ +static bool check_file(private_integrity_checker_t *this, + char *name, char *file) +{ + integrity_checksum_t *cs; + u_int32_t sum; + size_t len = 0; + + cs = find_checksum(this, name); + if (!cs) + { + DBG1(" '%s' file checksum not found", name); + return FALSE; + } + sum = build_file(this, file, &len); + if (!sum) + { + return FALSE; + } + if (cs->file_len != len) + { + DBG1(" invalid '%s' file size: %u bytes, expected %u bytes", + name, len, cs->file_len); + return FALSE; + } + if (cs->file != sum) + { + DBG1(" invalid '%s' file checksum: %08x, expected %08x", + name, sum, cs->file); + return FALSE; + } + DBG2(" valid '%s' file checksum: %08x", name, sum); + return TRUE; +} + +/** + * Implementation of integrity_checker_t.check_segment + */ +static bool check_segment(private_integrity_checker_t *this, + char *name, void *sym) +{ + integrity_checksum_t *cs; + u_int32_t sum; + size_t len = 0; + + cs = find_checksum(this, name); + if (!cs) + { + DBG1(" '%s' segment checksum not found", name); + return FALSE; + } + sum = build_segment(this, sym, &len); + if (!sum) + { + return FALSE; + } + if (cs->segment_len != len) + { + DBG1(" invalid '%s' segment size: %u bytes, expected %u bytes", + name, len, cs->segment_len); + return FALSE; + } + if (cs->segment != sum) + { + DBG1(" invalid '%s' segment checksum: %08x, expected %08x", + name, sum, cs->segment); + return FALSE; + } + DBG2(" valid '%s' segment checksum: %08x", name, sum); + return TRUE; +} + +/** + * Implementation of integrity_checker_t.check + */ +static bool check(private_integrity_checker_t *this, char *name, void *sym) +{ + Dl_info dli; + + if (dladdr(sym, &dli) == 0) + { + DBG1("unable to locate symbol: %s", dlerror()); + return FALSE; + } + if (!check_file(this, name, (char*)dli.dli_fname)) + { + return FALSE; + } + if (!check_segment(this, name, sym)) + { + return FALSE; + } + return TRUE; +} + +/** + * Implementation of integrity_checker_t.destroy. + */ +static void destroy(private_integrity_checker_t *this) +{ + if (this->handle) + { + dlclose(this->handle); + } + free(this); +} + +/** + * See header + */ +integrity_checker_t *integrity_checker_create(char *checksum_library) +{ + private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t); + + this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file; + this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file; + this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment; + this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment; + this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check; + this->public.destroy = (void(*)(integrity_checker_t*))destroy; + + this->checksum_count = 0; + this->handle = NULL; + if (checksum_library) + { + this->handle = dlopen(checksum_library, RTLD_LAZY); + if (this->handle) + { + int *checksum_count; + + this->checksums = dlsym(this->handle, "checksums"); + checksum_count = dlsym(this->handle, "checksum_count"); + if (this->checksums && checksum_count) + { + this->checksum_count = *checksum_count; + } + else + { + DBG1("checksum library '%s' invalid", checksum_library); + } + } + else + { + DBG1("loading checksum library '%s' failed", checksum_library); + } + } + return &this->public; +} + diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h new file mode 100644 index 000000000..d078dd6fb --- /dev/null +++ b/src/libstrongswan/integrity_checker.h @@ -0,0 +1,111 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup integrity_checker integrity_checker + * @{ @ingroup libstrongswan + */ + +#ifndef INTEGRITY_CHECKER_H_ +#define INTEGRITY_CHECKER_H_ + +#include <utils.h> +#include <plugins/plugin.h> + +typedef struct integrity_checker_t integrity_checker_t; +typedef struct integrity_checksum_t integrity_checksum_t; + +/** + * Struct to hold a precalculated checksum, implemented in the checksum library. + */ +struct integrity_checksum_t { + /* name of the checksum */ + char *name; + /* size in bytes of the file on disk */ + size_t file_len; + /* checksum of the file on disk */ + u_int32_t file; + /* size in bytes of executable segment in memory */ + size_t segment_len; + /* checksum of the executable segment in memory */ + u_int32_t segment; +}; + +/** + * Code integrity checker to detect non-malicious file manipulation. + * + * The integrity checker reads the checksums from a separate library + * libchecksum.so to compare the checksums. + */ +struct integrity_checker_t { + + /** + * Check the integrity of a file on disk. + * + * @param name name to lookup checksum + * @param file path to file + * @return TRUE if integrity tested successfully + */ + bool (*check_file)(integrity_checker_t *this, char *name, char *file); + + /** + * Build the integrity checksum of a file on disk. + * + * @param file path to file + * @param len return length in bytes of file + * @return checksum, 0 on error + */ + u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len); + + /** + * Check the integrity of the code segment in memory. + * + * @param name name to lookup checksum + * @param sym a symbol in the segment to check + * @return TRUE if integrity tested successfully + */ + bool (*check_segment)(integrity_checker_t *this, char *name, void *sym); + /** + * Build the integrity checksum of a code segment in memory. + * + * @param sym a symbol in the segment to check + * @param len return length in bytes of code segment in memory + * @return checksum, 0 on error + */ + u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len); + + /** + * Check both, on disk file integrity and loaded segment. + * + * @param name name to lookup checksum + * @param sym a symbol to look up library and segment + * @return TRUE if integrity tested successfully + */ + bool (*check)(integrity_checker_t *this, char *name, void *sym); + + /** + * Destroy a integrity_checker_t. + */ + void (*destroy)(integrity_checker_t *this); +}; + +/** + * Create a integrity_checker instance. + * + * @param checksum_library library containing checksums + */ +integrity_checker_t *integrity_checker_create(char *checksum_library); + +#endif /* INTEGRITY_CHECKER_H_ @}*/ diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 8e5a8a611..832c8b607 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -20,12 +20,15 @@ #include <utils.h> #include <chunk.h> +#include <debug.h> #include <utils/identification.h> #include <utils/host.h> #ifdef LEAK_DETECTIVE #include <utils/leak_detective.h> #endif +#define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so" + typedef struct private_library_t private_library_t; /** @@ -65,6 +68,10 @@ void library_deinit() this->public.fetcher->destroy(this->public.fetcher); this->public.db->destroy(this->public.db); this->public.printf_hook->destroy(this->public.printf_hook); + if (this->public.integrity) + { + this->public.integrity->destroy(this->public.integrity); + } #ifdef LEAK_DETECTIVE if (this->detective) @@ -79,7 +86,7 @@ void library_deinit() /* * see header file */ -void library_init(char *settings) +bool library_init(char *settings) { printf_hook_t *pfh; private_library_t *this = malloc_thing(private_library_t); @@ -119,5 +126,23 @@ void library_init(char *settings) this->public.fetcher = fetcher_manager_create(); this->public.db = database_factory_create(); this->public.plugins = plugin_loader_create(); + this->public.integrity = NULL; + + if (lib->settings->get_bool(lib->settings, + "libstrongswan.integrity_test", FALSE)) + { +#ifdef INTEGRITY_TEST + this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY); + if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init)) + { + DBG1("integrity check of libstrongswan failed"); + return FALSE; + } +#else /* !INTEGRITY_TEST */ + DBG1("integrity test enabled, but not supported"); + return FALSE; +#endif /* INTEGRITY_TEST */ + } + return TRUE; } diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 35c6b686a..df4121803 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -19,6 +19,9 @@ * @defgroup asn1 asn1 * @ingroup libstrongswan * + * @defgroup pgp pgp + * @ingroup libstrongswan + * * @defgroup credentials credentials * @ingroup libstrongswan * @@ -30,19 +33,16 @@ * * @defgroup crypto crypto * @ingroup libstrongswan - + * * @defgroup database database * @ingroup libstrongswan - + * * @defgroup fetcher fetcher * @ingroup libstrongswan - - * @defgroup fips fips - * @ingroup libstrongswan - + * * @defgroup plugins plugins * @ingroup libstrongswan - + * * @defgroup utils utils * @ingroup libstrongswan */ @@ -59,6 +59,7 @@ #include <utils.h> #include <chunk.h> #include <settings.h> +#include <integrity_checker.h> #include <plugins/plugin_loader.h> #include <crypto/crypto_factory.h> #include <fetcher/fetcher_manager.h> @@ -108,6 +109,11 @@ struct library_t { settings_t *settings; /** + * integrity checker to verify code integrity + */ + integrity_checker_t *integrity; + + /** * is leak detective running? */ bool leak_detective; @@ -117,8 +123,9 @@ struct library_t { * Initialize library, creates "lib" instance. * * @param settings file to read settings from, may be NULL for none + * @return FALSE if integrity check failed */ -void library_init(char *settings); +bool library_init(char *settings); /** * Deinitialize library, destroys "lib" instance. diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am index e73040f27..a3101172f 100644 --- a/src/libstrongswan/plugins/aes/Makefile.am +++ b/src/libstrongswan/plugins/aes/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-aes.la libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h -libstrongswan_aes_la_LDFLAGS = -module +libstrongswan_aes_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 19d3249b5..4414b2ede 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-aes.la libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h -libstrongswan_aes_la_LDFLAGS = -module +libstrongswan_aes_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am index bc022aa26..e1000e562 100644 --- a/src/libstrongswan/plugins/agent/Makefile.am +++ b/src/libstrongswan/plugins/agent/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-agent.la libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \ agent_private_key.c agent_private_key.h -libstrongswan_agent_la_LDFLAGS = -module +libstrongswan_agent_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 5a5202262..a73edb362 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-agent.la libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \ agent_private_key.c agent_private_key.h -libstrongswan_agent_la_LDFLAGS = -module +libstrongswan_agent_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am index 6bb82169e..3fbc5893b 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.am +++ b/src/libstrongswan/plugins/blowfish/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-blowfish.la libstrongswan_blowfish_la_SOURCES = \ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c -libstrongswan_blowfish_la_LDFLAGS = -module +libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index 25cea73df..e536b5fc6 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_blowfish_la_SOURCES = \ blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \ bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c -libstrongswan_blowfish_la_LDFLAGS = -module +libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am index 1b44516b2..f0a41e4ad 100644 --- a/src/libstrongswan/plugins/curl/Makefile.am +++ b/src/libstrongswan/plugins/curl/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-curl.la libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h -libstrongswan_curl_la_LDFLAGS = -module +libstrongswan_curl_la_LDFLAGS = -module -avoid-version libstrongswan_curl_la_LIBADD = -lcurl diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index b413e035e..21d77ac8f 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-curl.la libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h -libstrongswan_curl_la_LDFLAGS = -module +libstrongswan_curl_la_LDFLAGS = -module -avoid-version libstrongswan_curl_la_LIBADD = -lcurl all: all-am diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am index ea94eda8a..76cfbc419 100644 --- a/src/libstrongswan/plugins/des/Makefile.am +++ b/src/libstrongswan/plugins/des/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-des.la libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h -libstrongswan_des_la_LDFLAGS = -module +libstrongswan_des_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index bbca6a032..19da339fe 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-des.la libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h -libstrongswan_des_la_LDFLAGS = -module +libstrongswan_des_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am index 73f28825a..d9431947e 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.am +++ b/src/libstrongswan/plugins/fips_prf/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-fips-prf.la libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h -libstrongswan_fips_prf_la_LDFLAGS = -module +libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 881d7a36e..5dcae7f27 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-fips-prf.la libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h -libstrongswan_fips_prf_la_LDFLAGS = -module +libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am index 72cc409fc..7394676e2 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.am +++ b/src/libstrongswan/plugins/gcrypt/Makefile.am @@ -13,5 +13,5 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 49994c593..e3d27f7f8 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -232,7 +237,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \ gcrypt_crypter.h gcrypt_crypter.c \ gcrypt_hasher.h gcrypt_hasher.c -libstrongswan_gcrypt_la_LDFLAGS = -module +libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS) all: all-am diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c index 785ebda90..41e17c897 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c @@ -116,6 +116,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo) case HASH_SHA1: gcrypt_alg = GCRY_MD_SHA1; break; + case HASH_SHA224: + gcrypt_alg = GCRY_MD_SHA224; + break; case HASH_SHA256: gcrypt_alg = GCRY_MD_SHA256; break; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 547329dde..939e0886c 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -47,7 +47,7 @@ struct private_gcrypt_plugin_t { */ static int mutex_init(void **lock) { - *lock = mutex_create(MUTEX_DEFAULT); + *lock = mutex_create(MUTEX_TYPE_DEFAULT); return 0; } @@ -148,6 +148,8 @@ plugin_t *plugin_create() (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, (hasher_constructor_t)gcrypt_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)gcrypt_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 611ab2467..e0e8015db 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -61,12 +61,14 @@ struct private_gcrypt_rsa_private_key_t { public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key); /** - * find a token in a S-expression + * find a token in a S-expression. If a key is given, its length is used to + * pad the output to a given length. */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key) { gcry_sexp_t token; - chunk_t data = chunk_empty; + chunk_t data = chunk_empty, tmp; + size_t len = 0; token = gcry_sexp_find_token(sexp, name, 1); if (token) @@ -76,7 +78,36 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name) { data.len = 0; } - data = chunk_clone(data); + else + { + if (key) + { + /* gcrypt might return more bytes than necessary. Truncate + * to key lenght if key given, or prepend zeros if needed */ + len = gcry_pk_get_nbits(key); + len = len / 8 + (len % 8 ? 1 : 0); + if (len > data.len) + { + tmp = chunk_alloc(len); + len -= data.len; + memset(tmp.ptr, 0, tmp.len - len); + memcpy(tmp.ptr + len, data.ptr, data.len); + data = tmp; + } + else if (len < data.len) + { + data = chunk_clone(chunk_skip(data, data.len - len)); + } + else + { + data = chunk_clone(data); + } + } + else + { + data = chunk_clone(data); + } + } gcry_sexp_release(token); } return data; @@ -124,7 +155,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -170,7 +201,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this, DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err)); return FALSE; } - *signature = gcrypt_rsa_find_token(out, "s"); + *signature = gcrypt_rsa_find_token(out, "s", this->key); gcry_sexp_release(out); return !!signature->len; } @@ -195,6 +226,8 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche return sign_raw(this, data, sig); case SIGN_RSA_EMSA_PKCS1_SHA1: return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA256: return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -353,9 +386,9 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) gcry_error_t err; /* p and q are swapped, gcrypt expects p < q */ - cp = gcrypt_rsa_find_token(this->key, "q"); - cq = gcrypt_rsa_find_token(this->key, "p"); - cd = gcrypt_rsa_find_token(this->key, "d"); + cp = gcrypt_rsa_find_token(this->key, "q", NULL); + cq = gcrypt_rsa_find_token(this->key, "p", NULL); + cd = gcrypt_rsa_find_token(this->key, "d", NULL); err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL) | gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL) @@ -401,14 +434,14 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this) } return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0, - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)), asn1_integer("m", cd), asn1_integer("m", cp), asn1_integer("m", cq), asn1_integer("m", cexp1), asn1_integer("m", cexp2), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "u"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL))); } /** @@ -477,8 +510,8 @@ bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, return FALSE; } publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL))); hasher->allocate_hash(hasher, publicKey, &hash); *keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash); chunk_free(&hash); diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 8024f58a7..4d9c88c6d 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -60,7 +60,7 @@ struct private_gcrypt_rsa_public_key_t { /** * Implemented in gcrypt_rsa_private_key.c */ -chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name); +chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key); bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid, identification_t **keyid_info); @@ -188,6 +188,8 @@ static bool verify(private_gcrypt_rsa_public_key_t *this, return verify_pkcs1(this, HASH_MD5, "md5", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -226,7 +228,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain, DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err)); return FALSE; } - *encrypted = gcrypt_rsa_find_token(out, "a"); + *encrypted = gcrypt_rsa_find_token(out, "a", this->key); gcry_sexp_release(out); return !!encrypted->len; } @@ -290,8 +292,8 @@ static identification_t *get_id(private_gcrypt_rsa_public_key_t *this, static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this) { return asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")), - asn1_integer("m", gcrypt_rsa_find_token(this->key, "e"))); + asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)), + asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL))); } /** @@ -352,8 +354,8 @@ public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key) chunk_t n, e; this = gcrypt_rsa_public_key_create_empty(); - n = gcrypt_rsa_find_token(key, "n"); - e = gcrypt_rsa_find_token(key, "e"); + n = gcrypt_rsa_find_token(key, "n", NULL); + e = gcrypt_rsa_find_token(key, "e", NULL); err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))", n.len, n.ptr, e.len, e.ptr); diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am index f073b5d48..1ab358328 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.am +++ b/src/libstrongswan/plugins/gmp/Makefile.am @@ -10,6 +10,6 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \ gmp_rsa_private_key.c gmp_rsa_private_key.h \ gmp_rsa_public_key.c gmp_rsa_public_key.h -libstrongswan_gmp_la_LDFLAGS = -module +libstrongswan_gmp_la_LDFLAGS = -module -avoid-version libstrongswan_gmp_la_LIBADD = -lgmp diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index a60cd998c..8d5dff34b 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \ gmp_rsa_private_key.c gmp_rsa_private_key.h \ gmp_rsa_public_key.c gmp_rsa_public_key.h -libstrongswan_gmp_la_LDFLAGS = -module +libstrongswan_gmp_la_LDFLAGS = -module -avoid-version libstrongswan_gmp_la_LIBADD = -lgmp all: all-am diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index cbc112762..259c8e9ad 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -301,6 +301,8 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme, return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 1f3e3072f..c26187c64 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -301,6 +301,8 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: @@ -417,7 +419,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this) /** * Build the PGP version 3 RSA key identifier from n and e using - * MD5 hashed modulus and exponent. Also used in rsa_private_key.c. + * MD5 hashed modulus and exponent. */ static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e) { diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am index 89e0638f3..1856cad2d 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.am +++ b/src/libstrongswan/plugins/hmac/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \ hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c -libstrongswan_hmac_la_LDFLAGS = -module +libstrongswan_hmac_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index fc36bd9fa..389bde8f9 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \ hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c -libstrongswan_hmac_la_LDFLAGS = -module +libstrongswan_hmac_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am index ac6b4be00..6ad073d97 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.am +++ b/src/libstrongswan/plugins/ldap/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-ldap.la libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c -libstrongswan_ldap_la_LDFLAGS = -module +libstrongswan_ldap_la_LDFLAGS = -module -avoid-version libstrongswan_ldap_la_LIBADD = -lldap -llber diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 6eefc8546..93fc9a0c1 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-ldap.la libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c -libstrongswan_ldap_la_LDFLAGS = -module +libstrongswan_ldap_la_LDFLAGS = -module -avoid-version libstrongswan_ldap_la_LIBADD = -lldap -llber all: all-am diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am index f984322a6..a47da2e8e 100644 --- a/src/libstrongswan/plugins/md4/Makefile.am +++ b/src/libstrongswan/plugins/md4/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md4.la libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h -libstrongswan_md4_la_LDFLAGS = -module +libstrongswan_md4_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index efdb64e90..7ca6a20cc 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md4.la libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h -libstrongswan_md4_la_LDFLAGS = -module +libstrongswan_md4_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am index 0a9c5cbf4..ce0611c13 100644 --- a/src/libstrongswan/plugins/md5/Makefile.am +++ b/src/libstrongswan/plugins/md5/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md5.la libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h -libstrongswan_md5_la_LDFLAGS = -module +libstrongswan_md5_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 15c98aba4..fb9bc4b4d 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-md5.la libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h -libstrongswan_md5_la_LDFLAGS = -module +libstrongswan_md5_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am index ec94b8fda..0daf7655b 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.am +++ b/src/libstrongswan/plugins/mysql/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \ mysql_database.h mysql_database.c -libstrongswan_mysql_la_LDFLAGS = -module +libstrongswan_mysql_la_LDFLAGS = -module -avoid-version libstrongswan_mysql_la_LIBADD = -lmysqlclient_r diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 26b514ad6..21fe61923 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \ mysql_database.h mysql_database.c -libstrongswan_mysql_la_LDFLAGS = -module +libstrongswan_mysql_la_LDFLAGS = -module -avoid-version libstrongswan_mysql_la_LIBADD = -lmysqlclient_r all: all-am diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c index d0d5a3d15..341217dd4 100644 --- a/src/libstrongswan/plugins/mysql/mysql_database.c +++ b/src/libstrongswan/plugins/mysql/mysql_database.c @@ -686,7 +686,7 @@ mysql_database_t *mysql_database_create(char *uri) free(this); return NULL; } - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->pool = linked_list_create(); /* check connectivity */ diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am index f331a78eb..25cc5aa1d 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.am +++ b/src/libstrongswan/plugins/openssl/Makefile.am @@ -16,6 +16,6 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ openssl_ec_private_key.c openssl_ec_private_key.h \ openssl_ec_public_key.c openssl_ec_public_key.h -libstrongswan_openssl_la_LDFLAGS = -module +libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index 0ebb5acf0..e6d7b479b 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -78,12 +78,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -188,7 +191,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -236,7 +241,7 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \ openssl_ec_private_key.c openssl_ec_private_key.h \ openssl_ec_public_key.c openssl_ec_public_key.h -libstrongswan_openssl_la_LDFLAGS = -module +libstrongswan_openssl_la_LDFLAGS = -module -avoid-version libstrongswan_openssl_la_LIBADD = -lcrypto all: all-am diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c index 7f48f1009..424fec60a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crypter.c +++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c @@ -83,6 +83,7 @@ static openssl_algorithm_t encryption_algs[] = { /* {ENCR_DES_IV32, "***", 0, 0}, */ /* {ENCR_NULL, "***", 0, 0}, */ /* handled separately */ /* {ENCR_AES_CBC, "***", 0, 0}, */ /* handled separately */ +/* {ENCR_CAMELLIA_CBC, "***", 0, 0}, */ /* handled separately */ /* {ENCR_AES_CTR, "***", 0, 0}, */ /* disabled in evp.h */ {END_OF_LIST, NULL, 0, 0}, }; @@ -224,6 +225,23 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo, return NULL; } break; + case ENCR_CAMELLIA_CBC: + switch (key_size) + { + case 16: /* CAMELLIA 128 */ + this->cipher = EVP_get_cipherbyname("camellia128"); + break; + case 24: /* CAMELLIA 192 */ + this->cipher = EVP_get_cipherbyname("camellia192"); + break; + case 32: /* CAMELLIA 256 */ + this->cipher = EVP_get_cipherbyname("camellia256"); + break; + default: + free(this); + return NULL; + } + break; case ENCR_DES_ECB: this->cipher = EVP_des_ecb(); break; diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c index c93acb75c..082aed9ca 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c @@ -108,7 +108,8 @@ error: * Convert an EC_POINT to a chunk by concatenating the x and y coordinates of * the point. This function allocates memory for the chunk. */ -static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chunk) +static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, + chunk_t *chunk, bool x_coordinate_only) { BN_CTX *ctx; BIGNUM *x, *y; @@ -133,6 +134,10 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chu goto error; } + if (x_coordinate_only) + { + y = NULL; + } if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk)) { goto error; @@ -160,7 +165,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_ { const BIGNUM *priv_key; EC_POINT *secret = NULL; - bool ret = FALSE; + bool x_coordinate_only, ret = FALSE; priv_key = EC_KEY_get0_private_key(this->key); if (!priv_key) @@ -179,7 +184,14 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_ goto error; } - if (!ecp2chunk(this->ec_group, secret, shared_secret)) + /* + * The default setting ecp_x_coordinate_only = TRUE + * applies the following errata for RFC 4753: + * http://www.rfc-editor.org/errata_search.php?eid=9 + */ + x_coordinate_only = lib->settings->get_bool(lib->settings, + "libstrongswan.ecp_x_coordinate_only", TRUE); + if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only)) { goto error; } @@ -219,7 +231,7 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch */ static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value) { - ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value); + ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE); } /** diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c index ed3e57957..90a5229d5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_hasher.c +++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c @@ -65,6 +65,7 @@ static openssl_algorithm_t integrity_algs[] = { {HASH_MD2, "md2"}, {HASH_MD5, "md5"}, {HASH_SHA1, "sha1"}, + {HASH_SHA224, "sha224"}, {HASH_SHA256, "sha256"}, {HASH_SHA384, "sha384"}, {HASH_SHA512, "sha512"}, diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index a90dff7f1..ce6716f5a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -84,7 +84,7 @@ static struct CRYPTO_dynlock_value *create_function(const char *file, int line) struct CRYPTO_dynlock_value *lock; lock = malloc_thing(struct CRYPTO_dynlock_value); - lock->mutex = mutex_create(MUTEX_DEFAULT); + lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT); return lock; } @@ -140,7 +140,7 @@ static void threading_init() mutex = malloc(sizeof(mutex_t*) * num_locks); for (i = 0; i < num_locks; i++) { - mutex[i] = mutex_create(MUTEX_DEFAULT); + mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT); } } @@ -212,6 +212,8 @@ plugin_t *plugin_create() /* crypter */ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, (crypter_constructor_t)openssl_crypter_create); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + (crypter_constructor_t)openssl_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_3DES, (crypter_constructor_t)openssl_crypter_create); lib->crypto->add_crypter(lib->crypto, ENCR_RC5, @@ -238,6 +240,8 @@ plugin_t *plugin_create() (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_MD5, (hasher_constructor_t)openssl_hasher_create); + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)openssl_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index c5d4142da..95c0ffdc8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -165,6 +165,8 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch return build_emsa_pkcs1_signature(this, NID_undef, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return build_emsa_pkcs1_signature(this, NID_sha1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return build_emsa_pkcs1_signature(this, NID_sha224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return build_emsa_pkcs1_signature(this, NID_sha256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index 89912f24c..bc1ba35b6 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -143,6 +143,8 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc return verify_emsa_pkcs1_signature(this, NID_undef, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA1: return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature); + case SIGN_RSA_EMSA_PKCS1_SHA224: + return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA256: return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature); case SIGN_RSA_EMSA_PKCS1_SHA384: diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index bb0c296e1..c8c453f64 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -71,21 +71,26 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk) { int offset; - chunk->len = len * 2; + chunk->len = len + (b ? len : 0); chunk->ptr = malloc(chunk->len); memset(chunk->ptr, 0, chunk->len); + /* convert a */ offset = len - BN_num_bytes(a); if (!BN_bn2bin(a, chunk->ptr + offset)) { goto error; } - offset = len - BN_num_bytes(b); - if (!BN_bn2bin(b, chunk->ptr + len + offset)) + /* optionally convert and concatenate b */ + if (b) { - goto error; - } + offset = len - BN_num_bytes(b); + if (!BN_bn2bin(b, chunk->ptr + len + offset)) + { + goto error; + } + } return TRUE; error: diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am index e7c3ba486..b2b1f9d85 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.am +++ b/src/libstrongswan/plugins/padlock/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \ padlock_aes_crypter.c padlock_aes_crypter.h \ padlock_sha1_hasher.c padlock_sha1_hasher.h \ padlock_rng.c padlock_rng.h -libstrongswan_padlock_la_LDFLAGS = -module +libstrongswan_padlock_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 7fe0cc198..44f533744 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \ padlock_sha1_hasher.c padlock_sha1_hasher.h \ padlock_rng.c padlock_rng.h -libstrongswan_padlock_la_LDFLAGS = -module +libstrongswan_padlock_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index dddb73551..e241b59be 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -97,7 +97,7 @@ static padlock_feature_t get_padlock_features() return d; } } - DBG1("Padlock not found, CPU is %s\n", vendor); + DBG1("Padlock not found, CPU is %s", vendor); return 0; } diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index ad5a9e240..459ba9ba9 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -22,6 +22,7 @@ #include <stdio.h> #include <debug.h> +#include <integrity_checker.h> #include <utils/linked_list.h> #include <plugins/plugin.h> @@ -61,27 +62,45 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name); + if (lib->integrity) + { + if (!lib->integrity->check_file(lib->integrity, name, file)) + { + DBG1("plugin '%s': failed file integrity test of '%s'", name, file); + return NULL; + } + } handle = dlopen(file, RTLD_LAZY); if (handle == NULL) { - DBG1("loading plugin '%s' failed: %s", name, dlerror()); + DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror()); return NULL; } constructor = dlsym(handle, "plugin_create"); if (constructor == NULL) { - DBG1("loading plugin '%s' failed: no plugin_create() function", name); + DBG1("plugin '%s': failed to load - no plugin_create() function", name); dlclose(handle); return NULL; } + if (lib->integrity) + { + if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + { + DBG1("plugin '%s': failed segment integrity test", name); + dlclose(handle); + return NULL; + } + DBG1("plugin '%s': passed file and segment integrity tests", name); + } plugin = constructor(); if (plugin == NULL) { - DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name); + DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name); dlclose(handle); return NULL; } - DBG2("plugin '%s' loaded successfully", name); + DBG2("plugin '%s': loaded successfully", name); /* we do not store or free dlopen() handles, leak_detective requires * the modules to keep loaded until leak report */ diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am index 3b512614f..9423e6689 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.am +++ b/src/libstrongswan/plugins/pubkey/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \ pubkey_cert.h pubkey_cert.c\ pubkey_public_key.h pubkey_public_key.c -libstrongswan_pubkey_la_LDFLAGS = -module +libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 4514424f2..a672e2ea8 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \ pubkey_cert.h pubkey_cert.c\ pubkey_public_key.h pubkey_public_key.c -libstrongswan_pubkey_la_LDFLAGS = -module +libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am index 8b61d7094..9a11b8567 100644 --- a/src/libstrongswan/plugins/random/Makefile.am +++ b/src/libstrongswan/plugins/random/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-random.la libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \ random_rng.c random_rng.h -libstrongswan_random_la_LDFLAGS = -module +libstrongswan_random_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 0bed27468..a2869fb51 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-random.la libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \ random_rng.c random_rng.h -libstrongswan_random_la_LDFLAGS = -module +libstrongswan_random_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am index 5de45e4e8..ead51a45a 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.am +++ b/src/libstrongswan/plugins/sha1/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \ sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h -libstrongswan_sha1_la_LDFLAGS = -module +libstrongswan_sha1_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index c8b8905bb..f1f5807ab 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \ sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h -libstrongswan_sha1_la_LDFLAGS = -module +libstrongswan_sha1_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am index 066e49476..5422e1d4e 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.am +++ b/src/libstrongswan/plugins/sha2/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-sha2.la libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h -libstrongswan_sha2_la_LDFLAGS = -module +libstrongswan_sha2_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index f37c93502..b34286813 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-sha2.la libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h -libstrongswan_sha2_la_LDFLAGS = -module +libstrongswan_sha2_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c index 0e8811cca..645f4d786 100644 --- a/src/libstrongswan/plugins/sha2/sha2_hasher.c +++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c @@ -58,6 +58,11 @@ struct private_sha256_hasher_t { }; +static const u_int32_t sha224_hashInit[8] = { + 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, + 0x64f98fa7, 0xbefa4fa4 +}; + static const u_int32_t sha256_hashInit[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 @@ -422,6 +427,21 @@ static void sha512_final(private_sha512_hasher_t *ctx) } /** + * Implementation of hasher_t.get_hash for SHA224. + */ +static void get_hash224(private_sha256_hasher_t *this, + chunk_t chunk, u_int8_t *buffer) +{ + sha256_write(this, chunk.ptr, chunk.len); + if (buffer != NULL) + { + sha256_final(this); + memcpy(buffer, this->sha_out, HASH_SIZE_SHA224); + this->public.hasher_interface.reset(&(this->public.hasher_interface)); + } +} + +/** * Implementation of hasher_t.get_hash for SHA256. */ static void get_hash256(private_sha256_hasher_t *this, @@ -467,6 +487,25 @@ static void get_hash512(private_sha512_hasher_t *this, } /** + * Implementation of hasher_t.allocate_hash for SHA224. + */ +static void allocate_hash224(private_sha256_hasher_t *this, + chunk_t chunk, chunk_t *hash) +{ + chunk_t allocated_hash; + + sha256_write(this, chunk.ptr, chunk.len); + if (hash != NULL) + { + sha256_final(this); + allocated_hash = chunk_alloc(HASH_SIZE_SHA224); + memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA224); + this->public.hasher_interface.reset(&(this->public.hasher_interface)); + *hash = allocated_hash; + } +} + +/** * Implementation of hasher_t.allocate_hash for SHA256. */ static void allocate_hash256(private_sha256_hasher_t *this, @@ -524,6 +563,14 @@ static void allocate_hash512(private_sha512_hasher_t *this, } /** + * Implementation of hasher_t.get_hash_size for SHA224. + */ +static size_t get_hash_size224(private_sha256_hasher_t *this) +{ + return HASH_SIZE_SHA224; +} + +/** * Implementation of hasher_t.get_hash_size for SHA256. */ static size_t get_hash_size256(private_sha256_hasher_t *this) @@ -548,6 +595,16 @@ static size_t get_hash_size512(private_sha512_hasher_t *this) } /** + * Implementation of hasher_t.reset for SHA224 + */ +static void reset224(private_sha256_hasher_t *ctx) +{ + memcpy(&ctx->sha_H[0], &sha224_hashInit[0], sizeof(ctx->sha_H)); + ctx->sha_blocks = 0; + ctx->sha_bufCnt = 0; +} + +/** * Implementation of hasher_t.reset for SHA256 */ static void reset256(private_sha256_hasher_t *ctx) @@ -596,6 +653,13 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm) switch (algorithm) { + case HASH_SHA224: + this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t); + this->hasher_interface.reset = (void(*)(hasher_t*))reset224; + this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size224; + this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash224; + this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash224; + break; case HASH_SHA256: this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t); this->hasher_interface.reset = (void(*)(hasher_t*))reset256; diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c index 21bc592dc..0743f7b1a 100644 --- a/src/libstrongswan/plugins/sha2/sha2_plugin.c +++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c @@ -50,6 +50,8 @@ plugin_t *plugin_create() this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + (hasher_constructor_t)sha2_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA256, (hasher_constructor_t)sha2_hasher_create); lib->crypto->add_hasher(lib->crypto, HASH_SHA384, diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am index 7c3017abf..f26e31294 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.am +++ b/src/libstrongswan/plugins/sqlite/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \ sqlite_database.h sqlite_database.c -libstrongswan_sqlite_la_LDFLAGS = -module +libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version libstrongswan_sqlite_la_LIBADD = -lsqlite3 diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 547548bd7..b59a1c343 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -225,7 +230,7 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \ sqlite_database.h sqlite_database.c -libstrongswan_sqlite_la_LDFLAGS = -module +libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version libstrongswan_sqlite_la_LIBADD = -lsqlite3 all: all-am diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c index ce873b714..6e4951f2d 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_database.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c @@ -333,7 +333,7 @@ sqlite_database_t *sqlite_database_create(char *uri) this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; this->public.db.destroy = (void(*)(database_t*))destroy; - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); if (sqlite3_open(file, &this->db) != SQLITE_OK) { diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am index 27d17c084..6028805c4 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.am +++ b/src/libstrongswan/plugins/test_vectors/Makefile.am @@ -29,5 +29,5 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/sha2_hmac.c \ test_vectors/fips_prf.c \ test_vectors/rng.c -libstrongswan_test_vectors_la_LDFLAGS = -module +libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index bb877620c..0e408ba7e 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -251,7 +256,7 @@ libstrongswan_test_vectors_la_SOURCES = \ test_vectors/fips_prf.c \ test_vectors/rng.c -libstrongswan_test_vectors_la_LDFLAGS = -module +libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h index df5a9c9a8..b182dd829 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors.h +++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h @@ -98,6 +98,9 @@ TEST_VECTOR_HASHER(md5_7) TEST_VECTOR_HASHER(sha1_1) TEST_VECTOR_HASHER(sha1_2) TEST_VECTOR_HASHER(sha1_3) +TEST_VECTOR_HASHER(sha224_1) +TEST_VECTOR_HASHER(sha224_2) +TEST_VECTOR_HASHER(sha224_3) TEST_VECTOR_HASHER(sha256_1) TEST_VECTOR_HASHER(sha256_2) TEST_VECTOR_HASHER(sha256_3) diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c index e2bd42240..4679c26b3 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c @@ -16,6 +16,41 @@ #include <crypto/crypto_tester.h> /** + * SHA-224 vectors from "The Secure Hash Algorithm Validation System (SHAVS)" + */ +hasher_test_vector_t sha224_1 = { + .alg = HASH_SHA224, .len = 1, + .data = "\x07", + .hash = "\x00\xec\xd5\xf1\x38\x42\x2b\x8a\xd7\x4c\x97\x99\xfd\x82\x6c\x53" + "\x1b\xad\x2f\xca\xbc\x74\x50\xbe\xe2\xaa\x8c\x2a" + +}; + +hasher_test_vector_t sha224_2 = { + .alg = HASH_SHA224, .len = 16, + .data = "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62", + .hash = "\xdf\x90\xd7\x8a\xa7\x88\x21\xc9\x9b\x40\xba\x4c\x96\x69\x21\xac" + "\xcd\x8f\xfb\x1e\x98\xac\x38\x8e\x56\x19\x1d\xb1" +}; + +hasher_test_vector_t sha224_3 = { + .alg = HASH_SHA224, .len = 163, + .data = "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5" + "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab" + "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37" + "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a" + "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74" + "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47" + "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14" + "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b" + "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d" + "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c" + "\x87\x82\x73", + .hash = "\x0b\x31\x89\x4e\xc8\x93\x7a\xd9\xb9\x1b\xdf\xbc\xba\x29\x4d\x9a" + "\xde\xfa\xa1\x8e\x09\x30\x5e\x9f\x20\xd5\xc3\xa4" +}; + +/** * SHA-256 vectors from "The Secure Hash Algorithm Validation System (SHAVS)" */ hasher_test_vector_t sha256_1 = { diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am index 3f9f85c36..e9668b4e4 100644 --- a/src/libstrongswan/plugins/x509/Makefile.am +++ b/src/libstrongswan/plugins/x509/Makefile.am @@ -12,5 +12,5 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \ x509_ocsp_request.h x509_ocsp_request.c \ x509_ocsp_response.h x509_ocsp_response.c \ ietf_attr_list.h ietf_attr_list.c -libstrongswan_x509_la_LDFLAGS = -module +libstrongswan_x509_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 0c62ad3b3..56cb04769 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -230,7 +235,7 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \ x509_ocsp_response.h x509_ocsp_response.c \ ietf_attr_list.h ietf_attr_list.c -libstrongswan_x509_la_LDFLAGS = -module +libstrongswan_x509_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am index 1b10d21f8..515b75031 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.am +++ b/src/libstrongswan/plugins/xcbc/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \ xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c -libstrongswan_xcbc_la_LDFLAGS = -module +libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index 82ef55bd5..1d4e39586 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \ xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c -libstrongswan_xcbc_la_LDFLAGS = -module +libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index 4a0eff45f..305841172 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -20,6 +20,7 @@ #include <string.h> #include <stdio.h> #include <unistd.h> +#include <stdint.h> #include <limits.h> #include <dirent.h> #include <time.h> @@ -58,20 +59,43 @@ void *clalloc(void * pointer, size_t size) /** * Described in header. */ -void memxor(u_int8_t dest[], u_int8_t src[], size_t n) +void memxor(u_int8_t dst[], u_int8_t src[], size_t n) { - int i = 0, m; + int m, i; - m = n - sizeof(long); - while (i < m) + /* byte wise XOR until dst aligned */ + for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++) { - *(long*)(dest + i) ^= *(long*)(src + i); - i += sizeof(long); + dst[i] ^= src[i]; } - while (i < n) + /* try to use words if src shares an aligment with dst */ + switch (((uintptr_t)&src[i] % sizeof(long))) { - dest[i] ^= src[i]; - i++; + case 0: + for (m = n - sizeof(long); i <= m; i += sizeof(long)) + { + *(long*)&dst[i] ^= *(long*)&src[i]; + } + break; + case sizeof(int): + for (m = n - sizeof(int); i <= m; i += sizeof(int)) + { + *(int*)&dst[i] ^= *(int*)&src[i]; + } + break; + case sizeof(short): + for (m = n - sizeof(short); i <= m; i += sizeof(short)) + { + *(short*)&dst[i] ^= *(short*)&src[i]; + } + break; + default: + break; + } + /* byte wise XOR of the rest */ + for (; i < n; i++) + { + dst[i] ^= src[i]; } } diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index debd0145b..5d273d272 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -29,6 +29,16 @@ #include <enum.h> /** + * strongSwan program return codes + */ +#define SS_RC_LIBSTRONGSWAN_INTEGRITY 64 +#define SS_RC_DAEMON_INTEGRITY 65 +#define SS_RC_INITIALIZATION_FAILED 66 + +#define SS_RC_FIRST SS_RC_LIBSTRONGSWAN_INTEGRITY +#define SS_RC_LAST SS_RC_INITIALIZATION_FAILED + +/** * Number of bits in a byte */ #define BITS_PER_BYTE 8 @@ -134,6 +144,19 @@ # define TRUE true #endif /* TRUE */ +/** + * define some missing fixed width int types on OpenSolaris. + * TODO: since the uintXX_t types are defined by the C99 standard we should + * probably use those anyway + */ +#ifdef __sun + #include <stdint.h> + typedef uint8_t u_int8_t; + typedef uint16_t u_int16_t; + typedef uint32_t u_int32_t; + typedef uint64_t u_int64_t; +#endif + typedef enum status_t status_t; /** diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c index 24bafe66a..08522b8d5 100644 --- a/src/libstrongswan/utils/enumerator.c +++ b/src/libstrongswan/utils/enumerator.c @@ -408,7 +408,7 @@ typedef struct { /** * Implementation of enumerator_create_filter().destroy */ -void destroy_filter(filter_enumerator_t *this) +static void destroy_filter(filter_enumerator_t *this) { if (this->destructor) { @@ -421,8 +421,8 @@ void destroy_filter(filter_enumerator_t *this) /** * Implementation of enumerator_create_filter().enumerate */ -bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2, - void *o3, void *o4, void *o5) +static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2, + void *o3, void *o4, void *o5) { void *i1, *i2, *i3, *i4, *i5; diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index 484de5e54..661bec315 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c @@ -17,6 +17,7 @@ */ #define _GNU_SOURCE +#include <sys/socket.h> #include <netdb.h> #include <string.h> @@ -433,16 +434,40 @@ host_t *host_create_from_string(char *string, u_int16_t port) /* * Described in header. */ +host_t *host_create_from_sockaddr(sockaddr_t *sockaddr) +{ + private_host_t *this = host_create_empty(); + + switch (sockaddr->sa_family) + { + case AF_INET: + { + memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in)); + this->socklen = sizeof(struct sockaddr_in); + return &this->public; + } + case AF_INET6: + { + memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6)); + this->socklen = sizeof(struct sockaddr_in6); + return &this->public; + } + default: + break; + } + free(this); + return NULL; +} + +/* + * Described in header. + */ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { private_host_t *this; - struct hostent *ptr; - int ret = 0, err; -#ifdef HAVE_GETHOSTBYNAME_R - struct hostent host; - char buf[512]; -#endif - + struct addrinfo hints, *result; + int error; + if (streq(string, "%any")) { return host_create_any_port(af ? af : AF_INET, port); @@ -451,62 +476,32 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { return host_create_any_port(af ? af : AF_INET6, port); } - else if (strchr(string, ':')) - { - /* gethostbyname does not like IPv6 addresses - fallback */ - return host_create_from_string(string, port); - } - -#ifdef HAVE_GETHOSTBYNAME_R - if (af) - { - ret = gethostbyname2_r(string, af, &host, buf, sizeof(buf), &ptr, &err); - } - else - { - ret = gethostbyname_r(string, &host, buf, sizeof(buf), &ptr, &err); - } -#else - /* Some systems (e.g. Mac OS X) do not support gethostbyname_r */ - if (af) - { - ptr = gethostbyname2(string, af); - } - else - { - ptr = gethostbyname(string); - } - if (ptr == NULL) - { - err = h_errno; - } -#endif - if (ret != 0 || ptr == NULL) + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = af; + error = getaddrinfo(string, NULL, &hints, &result); + if (error != 0) { - DBG1("resolving '%s' failed: %s", string, hstrerror(err)); + DBG1("resolving '%s' failed: %s", string, gai_strerror(error)); return NULL; } - this = host_create_empty(); - this->address.sa_family = ptr->h_addrtype; - switch (this->address.sa_family) + /* result is a linked list, but we use only the first address */ + this = (private_host_t*)host_create_from_sockaddr(result->ai_addr); + freeaddrinfo(result); + if (this) { - case AF_INET: - memcpy(&this->address4.sin_addr.s_addr, - ptr->h_addr_list[0], ptr->h_length); - this->address4.sin_port = htons(port); - this->socklen = sizeof(struct sockaddr_in); - break; - case AF_INET6: - memcpy(&this->address6.sin6_addr.s6_addr, - ptr->h_addr_list[0], ptr->h_length); - this->address6.sin6_port = htons(port); - this->socklen = sizeof(struct sockaddr_in6); - break; - default: - free(this); - return NULL; + switch (this->address.sa_family) + { + case AF_INET: + this->address4.sin_port = htons(port); + break; + case AF_INET6: + this->address6.sin6_port = htons(port); + break; + } + return &this->public; } - return &this->public; + return NULL; } /* @@ -569,34 +564,6 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) /* * Described in header. */ -host_t *host_create_from_sockaddr(sockaddr_t *sockaddr) -{ - private_host_t *this = host_create_empty(); - - switch (sockaddr->sa_family) - { - case AF_INET: - { - memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in)); - this->socklen = sizeof(struct sockaddr_in); - return &this->public; - } - case AF_INET6: - { - memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6)); - this->socklen = sizeof(struct sockaddr_in6); - return &this->public; - } - default: - break; - } - free(this); - return NULL; -} - -/* - * Described in header. - */ host_t *host_create_any(int family) { private_host_t *this = host_create_empty(); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 1c04c97ef..10daf4679 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -21,7 +21,6 @@ #include <arpa/inet.h> #include <string.h> #include <stdio.h> -#include <ctype.h> #include "identification.h" @@ -122,365 +121,216 @@ struct private_identification_t { id_type_t type; }; -static private_identification_t *identification_create(void); - /** - * updates a chunk (!????) - * TODO: We should reconsider this stuff, its not really clear + * Enumerator over RDNs */ -static void update_chunk(chunk_t *ch, int n) -{ - n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1; - ch->ptr += n; ch->len -= n; -} +typedef struct { + /* implements enumerator interface */ + enumerator_t public; + /* next set to parse, if any */ + chunk_t sets; + /* next sequence in set, if any */ + chunk_t seqs; +} rdn_enumerator_t; /** - * Remove any malicious characters from a chunk. We are very restrictive, but - * whe use these strings only to present it to the user. + * Implementation of rdn_enumerator_t.enumerate */ -static bool sanitize_chunk(chunk_t chunk, chunk_t *clone) +static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid, + u_char *type, chunk_t *data) { - char *pos; - bool all_printable = TRUE; - - *clone = chunk_clone(chunk); + chunk_t rdn; - for (pos = clone->ptr; pos < (char*)(clone->ptr + clone->len); pos++) + /* a DN contains one or more SET, each containing one or more SEQUENCES, + * each containing a OID/value RDN */ + if (!this->seqs.len) { - if (!isprint(*pos)) + /* no SEQUENCEs in current SET, parse next SET */ + if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET) { - *pos = '?'; - all_printable = FALSE; + return FALSE; + } + } + if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE && + asn1_unwrap(&rdn, oid) == ASN1_OID) + { + int t = asn1_unwrap(&rdn, data); + + if (t != ASN1_INVALID) + { + *type = t; + return TRUE; } } - return all_printable; + return FALSE; } /** - * Pointer is set to the first RDN in a DN + * Create an enumerator over all RDNs (oid, string type, data) of a DN */ -static bool init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next) +static enumerator_t* create_rdn_enumerator(chunk_t dn) { - *rdn = chunk_empty; - *attribute = chunk_empty; + rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t); - /* a DN is a SEQUENCE OF RDNs */ - if (*dn.ptr != ASN1_SEQUENCE) - { - /* DN is not a SEQUENCE */ - return FALSE; - } + e->public.enumerate = (void*)rdn_enumerate; + e->public.destroy = (void*)free; - rdn->len = asn1_length(&dn); - - if (rdn->len == ASN1_INVALID_LENGTH) + /* a DN is a SEQUENCE, get the first SET of it */ + if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE) { - /* Invalid RDN length */ - return FALSE; + e->seqs = chunk_empty; + return &e->public; } - - rdn->ptr = dn.ptr; - - /* are there any RDNs ? */ - *next = rdn->len > 0; - - return TRUE; + free(e); + return enumerator_create_empty(); } /** - * Fetches the next RDN in a DN + * Part enumerator over RDNs + */ +typedef struct { + /* implements enumerator interface */ + enumerator_t public; + /* inner RDN enumerator */ + enumerator_t *inner; +} rdn_part_enumerator_t; + +/** + * Implementation of rdn_part_enumerator_t.enumerate(). */ -static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid, - chunk_t *value, asn1_t *type, bool *next) +static bool rdn_part_enumerate(rdn_part_enumerator_t *this, + id_part_t *type, chunk_t *data) { - chunk_t body; + int i, known_oid, strtype; + chunk_t oid, inner_data; + static const struct { + int oid; + id_part_t type; + } oid2part[] = { + {OID_COMMON_NAME, ID_PART_RDN_CN}, + {OID_SURNAME, ID_PART_RDN_S}, + {OID_SERIAL_NUMBER, ID_PART_RDN_SN}, + {OID_COUNTRY, ID_PART_RDN_C}, + {OID_LOCALITY, ID_PART_RDN_L}, + {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST}, + {OID_ORGANIZATION, ID_PART_RDN_O}, + {OID_ORGANIZATION_UNIT, ID_PART_RDN_OU}, + {OID_TITLE, ID_PART_RDN_T}, + {OID_DESCRIPTION, ID_PART_RDN_D}, + {OID_NAME, ID_PART_RDN_N}, + {OID_GIVEN_NAME, ID_PART_RDN_G}, + {OID_INITIALS, ID_PART_RDN_I}, + {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID}, + {OID_EMAIL_ADDRESS, ID_PART_RDN_E}, + {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN}, + }; - /* initialize return values */ - *oid = chunk_empty; - *value = chunk_empty; - - /* if all attributes have been parsed, get next rdn */ - if (attribute->len <= 0) + while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data)) { - /* an RDN is a SET OF attributeTypeAndValue */ - if (*rdn->ptr != ASN1_SET) + known_oid = asn1_known_oid(oid); + for (i = 0; i < countof(oid2part); i++) { - /* RDN is not a SET */ - return FALSE; - } - attribute->len = asn1_length(rdn); - if (attribute->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute length */ - return FALSE; + if (oid2part[i].oid == known_oid) + { + *type = oid2part[i].type; + *data = inner_data; + return TRUE; + } } - attribute->ptr = rdn->ptr; - /* advance to start of next RDN */ - rdn->ptr += attribute->len; - rdn->len -= attribute->len; - } - - /* an attributeTypeAndValue is a SEQUENCE */ - if (*attribute->ptr != ASN1_SEQUENCE) - { - /* attributeTypeAndValue is not a SEQUENCE */ - return FALSE; } - - /* extract the attribute body */ - body.len = asn1_length(attribute); - - if (body.len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute body length */ - return FALSE; - } - - body.ptr = attribute->ptr; - - /* advance to start of next attribute */ - attribute->ptr += body.len; - attribute->len -= body.len; - - /* attribute type is an OID */ - if (*body.ptr != ASN1_OID) - { - /* attributeType is not an OID */ - return FALSE; - } - /* extract OID */ - oid->len = asn1_length(&body); - - if (oid->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute OID length */ - return FALSE; - } - oid->ptr = body.ptr; - - /* advance to the attribute value */ - body.ptr += oid->len; - body.len -= oid->len; - - /* extract string type */ - *type = *body.ptr; - - /* extract string value */ - value->len = asn1_length(&body); - - if (value->len == ASN1_INVALID_LENGTH) - { - /* Invalid attribute string length */ - return FALSE; - } - value->ptr = body.ptr; - - /* are there any RDNs left? */ - *next = rdn->len > 0 || attribute->len > 0; - return TRUE; + return FALSE; } /** - * Parses an ASN.1 distinguished name int its OID/value pairs + * Implementation of rdn_part_enumerator_t.destroy(). */ -static bool dntoa(chunk_t dn, chunk_t *str) +static void rdn_part_enumerator_destroy(rdn_part_enumerator_t *this) { - chunk_t rdn, oid, attribute, value, proper; - asn1_t type; - int oid_code; - bool next; - bool first = TRUE; - - if (!init_rdn(dn, &rdn, &attribute, &next)) - { - return FALSE; - } - - while (next) - { - if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next)) - { - return FALSE; - } - - if (first) - { /* first OID/value pair */ - first = FALSE; - } - else - { /* separate OID/value pair by a comma */ - update_chunk(str, snprintf(str->ptr,str->len,", ")); - } - - /* print OID */ - oid_code = asn1_known_oid(oid); - if (oid_code == OID_UNKNOWN) - { - update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid)); - } - else - { - update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name)); - } - /* print value */ - sanitize_chunk(value, &proper); - update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr)); - chunk_free(&proper); - } - return TRUE; + this->inner->destroy(this->inner); + free(this); } /** - * compare two distinguished names by - * comparing the individual RDNs + * Implementation of identification_t.create_part_enumerator */ -static bool same_dn(chunk_t a, chunk_t b) +static enumerator_t* create_part_enumerator(private_identification_t *this) { - chunk_t rdn_a, rdn_b, attribute_a, attribute_b; - chunk_t oid_a, oid_b, value_a, value_b; - asn1_t type_a, type_b; - bool next_a, next_b; - - /* same lengths for the DNs */ - if (a.len != b.len) - { - return FALSE; - } - /* try a binary comparison first */ - if (memeq(a.ptr, b.ptr, b.len)) - { - return TRUE; - } - /* initialize DN parsing */ - if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) || - !init_rdn(b, &rdn_b, &attribute_b, &next_b)) - { - return FALSE; - } - - /* fetch next RDN pair */ - while (next_a && next_b) + switch (this->type) { - /* parse next RDNs and check for errors */ - if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) || - !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b)) - { - return FALSE; - } - - /* OIDs must agree */ - if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len)) - { - return FALSE; - } - - /* same lengths for values */ - if (value_a.len != value_b.len) - { - return FALSE; - } - - /* printableStrings and email RDNs require uppercase comparison */ - if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING || - (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL))) - { - if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) - { - return FALSE; - } - } - else + case ID_DER_ASN1_DN: { - if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) - { - return FALSE; - } + rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t); + + e->inner = create_rdn_enumerator(this->encoded); + e->public.enumerate = (void*)rdn_part_enumerate; + e->public.destroy = (void*)rdn_part_enumerator_destroy; + + return &e->public; } + case ID_RFC822_ADDR: + /* TODO */ + case ID_FQDN: + /* TODO */ + default: + return enumerator_create_empty(); } - /* both DNs must have same number of RDNs */ - if (next_a || next_b) - { - return FALSE; - } - /* the two DNs are equal! */ - return TRUE; } - /** - * compare two distinguished names by comparing the individual RDNs. - * A single'*' character designates a wildcard RDN in DN b. - * TODO: Add support for different RDN order in DN !! + * Print a DN with all its RDN in a buffer to present it to the user */ -bool match_dn(chunk_t a, chunk_t b, int *wildcards) +static void dntoa(chunk_t dn, char *buf, size_t len) { - chunk_t rdn_a, rdn_b, attribute_a, attribute_b; - chunk_t oid_a, oid_b, value_a, value_b; - asn1_t type_a, type_b; - bool next_a, next_b; - - /* initialize wildcard counter */ - *wildcards = 0; - - /* initialize DN parsing */ - if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) || - !init_rdn(b, &rdn_b, &attribute_b, &next_b)) - { - return FALSE; - } + enumerator_t *e; + chunk_t oid_data, data; + u_char type; + int oid, written; + bool finished = FALSE; - /* fetch next RDN pair */ - while (next_a && next_b) + e = create_rdn_enumerator(dn); + while (e->enumerate(e, &oid_data, &type, &data)) { - /* parse next RDNs and check for errors */ - if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) || - !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b)) + oid = asn1_known_oid(oid_data); + + if (oid == OID_UNKNOWN) { - return FALSE; + written = snprintf(buf, len, "%#B=", &oid_data); } - /* OIDs must agree */ - if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0) + else { - return FALSE; + written = snprintf(buf, len,"%s=", oid_names[oid].name); } + buf += written; + len -= written; - /* does rdn_b contain a wildcard? */ - if (value_b.len == 1 && *value_b.ptr == '*') + if (chunk_printable(data, NULL, '?')) { - (*wildcards)++; - continue; + written = snprintf(buf, len, "%.*s", data.len, data.ptr); } - /* same lengths for values */ - if (value_a.len != value_b.len) + else { - return FALSE; + written = snprintf(buf, len, "%#B", &data); } + buf += written; + len -= written; - /* printableStrings and email RDNs require uppercase comparison */ - if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING || - (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL))) + if (data.ptr + data.len != dn.ptr + dn.len) { - if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0) - { - return FALSE; - } + written = snprintf(buf, len, ", "); + buf += written; + len -= written; } else { - if (!strneq(value_a.ptr, value_b.ptr, value_b.len)) - { - return FALSE; - } + finished = TRUE; + break; } } - /* both DNs must have same number of RDNs */ - if (next_a || next_b) + if (!finished) { - return FALSE; + snprintf(buf, len, "(invalid ID_DER_ASN1_DN)"); } - /* the two DNs match! */ - *wildcards = min(*wildcards, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS); - return TRUE; + e->destroy(e); } /** @@ -648,53 +498,34 @@ static id_type_t get_type(private_identification_t *this) } /** - * Implementation of identification_t.contains_wildcards fro ID_DER_ASN1_DN. + * Implementation of identification_t.contains_wildcards for ID_DER_ASN1_DN. */ static bool contains_wildcards_dn(private_identification_t *this) { - chunk_t rdn, attribute; - chunk_t oid, value; - asn1_t type; - bool next; + enumerator_t *enumerator; + bool contains = FALSE; + id_part_t type; + chunk_t data; - if (!init_rdn(this->encoded, &rdn, &attribute, &next)) - { - return FALSE; - } - /* fetch next RDN */ - while (next) + enumerator = create_part_enumerator(this); + while (enumerator->enumerate(enumerator, &type, &data)) { - /* parse next RDN and check for errors */ - if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next)) - { - return FALSE; - } - /* check if RDN is a wildcard */ - if (value.len == 1 && *value.ptr == '*') + if (data.len == 1 && data.ptr[0] == '*') { - return TRUE; + contains = TRUE; + break; } } - return FALSE; + enumerator->destroy(enumerator); + return contains; } /** - * Implementation of identification_t.contains_wildcards. + * Implementation of identification_t.contains_wildcards using memchr(*). */ -static bool contains_wildcards(private_identification_t *this) +static bool contains_wildcards_memchr(private_identification_t *this) { - switch (this->type) - { - case ID_ANY: - return TRUE; - case ID_FQDN: - case ID_RFC822_ADDR: - return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; - case ID_DER_ASN1_DN: - return contains_wildcards_dn(this); - default: - return FALSE; - } + return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL; } /** @@ -711,7 +542,96 @@ static bool equals_binary(private_identification_t *this, private_identification } return chunk_equals(this->encoded, other->encoded); } - return FALSE; + return FALSE; +} + +/** + * Compare to DNs, for equality if wc == NULL, for match otherwise + */ +static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc) +{ + enumerator_t *t, *o; + chunk_t t_oid, o_oid, t_data, o_data; + u_char t_type, o_type; + bool t_next, o_next, finished = FALSE; + + if (wc) + { + *wc = 0; + } + else + { + if (t_dn.len != o_dn.len) + { + return FALSE; + } + } + /* try a binary compare */ + if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len)) + { + return TRUE; + } + + t = create_rdn_enumerator(t_dn); + o = create_rdn_enumerator(o_dn); + while (TRUE) + { + t_next = t->enumerate(t, &t_oid, &t_type, &t_data); + o_next = o->enumerate(o, &o_oid, &o_type, &o_data); + + if (!o_next && !t_next) + { + break; + } + finished = FALSE; + if (o_next != t_next) + { + break; + } + if (!chunk_equals(t_oid, o_oid)) + { + break; + } + if (wc && o_data.len == 1 && o_data.ptr[0] == '*') + { + (*wc)++; + } + else + { + if (t_data.len != o_data.len) + { + break; + } + if (t_type == o_type && + (t_type == ASN1_PRINTABLESTRING || + (t_type == ASN1_IA5STRING && + (asn1_known_oid(t_oid) == OID_PKCS9_EMAIL || + asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS)))) + { /* ignore case for printableStrings and email RDNs */ + if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0) + { + break; + } + } + else + { /* respect case and length for everything else */ + if (!memeq(t_data.ptr, o_data.ptr, t_data.len)) + { + break; + } + } + } + /* the enumerator returns FALSE on parse error, we are finished + * if we have reached the end of the DN only */ + if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) && + (o_data.ptr + o_data.len == o_dn.ptr + o_dn.len)) + { + finished = TRUE; + } + } + t->destroy(t); + o->destroy(o); + return finished; } /** @@ -720,7 +640,7 @@ static bool equals_binary(private_identification_t *this, private_identification static bool equals_dn(private_identification_t *this, private_identification_t *other) { - return same_dn(this->encoded, other->encoded); + return compare_dn(this->encoded, other->encoded, NULL); } /** @@ -764,7 +684,7 @@ static id_match_t matches_binary(private_identification_t *this, * Checks for a wildcard in other-string, and compares it against this-string. */ static id_match_t matches_string(private_identification_t *this, - private_identification_t *other) + private_identification_t *other) { u_int len = other->encoded.len; @@ -824,7 +744,7 @@ static id_match_t matches_dn(private_identification_t *this, private_identification_t *other) { int wc; - + if (other->type == ID_ANY) { return ID_MATCH_ANY; @@ -832,8 +752,9 @@ static id_match_t matches_dn(private_identification_t *this, if (this->type == other->type) { - if (match_dn(this->encoded, other->encoded, &wc)) + if (compare_dn(this->encoded, other->encoded, &wc)) { + wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS); return ID_MATCH_PERFECT - wc; } } @@ -847,8 +768,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, const void *const *args) { private_identification_t *this = *((private_identification_t**)(args[0])); - char buf[BUF_LEN]; - chunk_t proper, buf_chunk = chunk_from_buf(buf); + chunk_t proper; + char buf[512]; if (this == NULL) { @@ -878,29 +799,26 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: case ID_IETF_ATTR_STRING: - sanitize_chunk(this->encoded, &proper); + chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); chunk_free(&proper); break; case ID_DER_ASN1_DN: - if (!dntoa(this->encoded, &buf_chunk)) - { - snprintf(buf, sizeof(buf), "(invalid ID_DER_ASN1_DN)"); - } + dntoa(this->encoded, buf, sizeof(buf)); break; case ID_DER_ASN1_GN: snprintf(buf, sizeof(buf), "(ASN.1 general Name"); break; case ID_KEY_ID: - if (sanitize_chunk(this->encoded, &proper)) + if (chunk_printable(this->encoded, NULL, '?')) { /* fully printable, use ascii version */ - snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); + snprintf(buf, sizeof(buf), "%.*s", + this->encoded.len, this->encoded.ptr); } else { /* not printable, hex dump */ snprintf(buf, sizeof(buf), "%#B", &this->encoded); } - chunk_free(&proper); break; case ID_PUBKEY_INFO_SHA1: case ID_PUBKEY_SHA1: @@ -917,140 +835,18 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, } return print_in_hook(dst, len, "%*s", spec->width, buf); } - -/** - * Enumerator over RDNs - */ -typedef struct { - /* implements enumerator interface */ - enumerator_t public; - /* current RDN */ - chunk_t rdn; - /* current attribute */ - chunk_t attr; - /** have another RDN? */ - bool next; -} rdn_enumerator_t; - -/** - * Implementation of rdn_enumerator_t.enumerate - */ -static bool rdn_enumerate(rdn_enumerator_t *this, - id_part_t *type, chunk_t *data) -{ - chunk_t oid, value; - asn1_t asn1_type; - - while (this->next) - { - if (!get_next_rdn(&this->rdn, &this->attr, &oid, - &value, &asn1_type, &this->next)) - { - return FALSE; - } - switch (asn1_known_oid(oid)) - { - case OID_COMMON_NAME: - *type = ID_PART_RDN_CN; - break; - case OID_SURNAME: - *type = ID_PART_RDN_S; - break; - case OID_SERIAL_NUMBER: - *type = ID_PART_RDN_SN; - break; - case OID_COUNTRY: - *type = ID_PART_RDN_C; - break; - case OID_LOCALITY: - *type = ID_PART_RDN_L; - break; - case OID_STATE_OR_PROVINCE: - *type = ID_PART_RDN_ST; - break; - case OID_ORGANIZATION: - *type = ID_PART_RDN_O; - break; - case OID_ORGANIZATION_UNIT: - *type = ID_PART_RDN_OU; - break; - case OID_TITLE: - *type = ID_PART_RDN_T; - break; - case OID_DESCRIPTION: - *type = ID_PART_RDN_D; - break; - case OID_NAME: - *type = ID_PART_RDN_N; - break; - case OID_GIVEN_NAME: - *type = ID_PART_RDN_G; - break; - case OID_INITIALS: - *type = ID_PART_RDN_I; - break; - case OID_UNIQUE_IDENTIFIER: - *type = ID_PART_RDN_ID; - break; - case OID_EMAIL_ADDRESS: - *type = ID_PART_RDN_E; - break; - case OID_EMPLOYEE_NUMBER: - *type = ID_PART_RDN_EN; - break; - default: - continue; - } - *data = value; - return TRUE; - } - return FALSE; -} - -/** - * Implementation of identification_t.create_part_enumerator - */ -static enumerator_t* create_part_enumerator(private_identification_t *this) -{ - switch (this->type) - { - case ID_DER_ASN1_DN: - { - rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t); - - e->public.enumerate = (void*)rdn_enumerate; - e->public.destroy = (void*)free; - if (init_rdn(this->encoded, &e->rdn, &e->attr, &e->next)) - { - return &e->public; - } - free(e); - /* FALL */ - } - case ID_RFC822_ADDR: - /* TODO */ - case ID_FQDN: - /* TODO */ - default: - return enumerator_create_empty(); - } -} - /** * Implementation of identification_t.clone. */ static identification_t *clone_(private_identification_t *this) { - private_identification_t *clone = identification_create(); + private_identification_t *clone = malloc_thing(private_identification_t); - clone->type = this->type; + memcpy(clone, this, sizeof(private_identification_t)); if (this->encoded.len) { clone->encoded = chunk_clone(this->encoded); } - clone->public.equals = this->public.equals; - clone->public.matches = this->public.matches; - return &clone->public; } @@ -1066,20 +862,42 @@ static void destroy(private_identification_t *this) /** * Generic constructor used for the other constructors. */ -static private_identification_t *identification_create(void) +static private_identification_t *identification_create(id_type_t type) { private_identification_t *this = malloc_thing(private_identification_t); this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding; this->public.get_type = (id_type_t (*) (identification_t*))get_type; - this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards; this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator; this->public.clone = (identification_t* (*) (identification_t*))clone_; this->public.destroy = (void (*) (identification_t*))destroy; - /* we use these as defaults, the may be overloaded for special ID types */ - this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; - this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary; + switch (type) + { + case ID_ANY: + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_any; + this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; + this->public.contains_wildcards = (bool (*) (identification_t *this))return_true; + break; + case ID_FQDN: + case ID_RFC822_ADDR: + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_string; + this->public.equals = (bool (*)(identification_t*,identification_t*))equals_strcasecmp; + this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_memchr; + break; + case ID_DER_ASN1_DN: + this->public.equals = (bool (*)(identification_t*,identification_t*))equals_dn; + this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_dn; + this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_dn; + break; + default: + this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary; + this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary; + this->public.contains_wildcards = (bool (*) (identification_t *this))return_false; + break; + } + + this->type = type; this->encoded = chunk_empty; return this; @@ -1090,8 +908,9 @@ static private_identification_t *identification_create(void) */ identification_t *identification_create_from_string(char *string) { - private_identification_t *this = identification_create(); - + private_identification_t *this; + chunk_t encoded; + if (string == NULL) { string = "%any"; @@ -1101,15 +920,16 @@ identification_t *identification_create_from_string(char *string) /* we interpret this as an ASCII X.501 ID_DER_ASN1_DN. * convert from LDAP style or openssl x509 -subject style to ASN.1 DN */ - if (atodn(string, &this->encoded) != SUCCESS) + if (atodn(string, &encoded) == SUCCESS) + { + this = identification_create(ID_DER_ASN1_DN); + this->encoded = encoded; + } + else { - this->type = ID_KEY_ID; + this = identification_create(ID_KEY_ID); this->encoded = chunk_clone(chunk_create(string, strlen(string))); - return &this->public; } - this->type = ID_DER_ASN1_DN; - this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn; - this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_dn; return &this->public; } else if (strchr(string, '@') == NULL) @@ -1122,50 +942,43 @@ identification_t *identification_create_from_string(char *string) || streq(string, "0::0")) { /* any ID will be accepted */ - this->type = ID_ANY; - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_any; + this = identification_create(ID_ANY); return &this->public; } else { if (strchr(string, ':') == NULL) { - /* try IPv4 */ struct in_addr address; chunk_t chunk = {(void*)&address, sizeof(address)}; - if (inet_pton(AF_INET, string, &address) <= 0) - { - /* not IPv4, mostly FQDN */ - this->type = ID_FQDN; - this->encoded.ptr = strdup(string); - this->encoded.len = strlen(string); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; - return &this->public; + if (inet_pton(AF_INET, string, &address) > 0) + { /* is IPv4 */ + this = identification_create(ID_IPV4_ADDR); + this->encoded = chunk_clone(chunk); + } + else + { /* not IPv4, mostly FQDN */ + this = identification_create(ID_FQDN); + this->encoded = chunk_create(strdup(string), strlen(string)); } - this->encoded = chunk_clone(chunk); - this->type = ID_IPV4_ADDR; return &this->public; } else { - /* try IPv6 */ struct in6_addr address; chunk_t chunk = {(void*)&address, sizeof(address)}; - if (inet_pton(AF_INET6, string, &address) <= 0) - { - this->type = ID_KEY_ID; - this->encoded = chunk_clone(chunk_create(string, - strlen(string))); - return &this->public; + if (inet_pton(AF_INET6, string, &address) > 0) + { /* is IPv6 */ + this = identification_create(ID_IPV6_ADDR); + this->encoded = chunk_clone(chunk); + } + else + { /* not IPv4/6 fallback to KEY_ID */ + this = identification_create(ID_KEY_ID); + this->encoded = chunk_create(strdup(string), strlen(string)); } - this->encoded = chunk_clone(chunk); - this->type = ID_IPV6_ADDR; return &this->public; } } @@ -1176,33 +989,24 @@ identification_t *identification_create_from_string(char *string) { if (*(string + 1) == '#') { + this = identification_create(ID_KEY_ID); string += 2; - this->type = ID_KEY_ID; this->encoded = chunk_from_hex( chunk_create(string, strlen(string)), NULL); return &this->public; } else { - this->type = ID_FQDN; - this->encoded.ptr = strdup(string + 1); - this->encoded.len = strlen(string + 1); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; + this = identification_create(ID_FQDN); + string += 1; + this->encoded = chunk_create(strdup(string), strlen(string)); return &this->public; } } else { - this->type = ID_RFC822_ADDR; - this->encoded.ptr = strdup(string); - this->encoded.len = strlen(string); - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; + this = identification_create(ID_RFC822_ADDR); + this->encoded = chunk_create(strdup(string), strlen(string)); return &this->public; } } @@ -1211,42 +1015,10 @@ identification_t *identification_create_from_string(char *string) /* * Described in header. */ -identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded) +identification_t *identification_create_from_encoding(id_type_t type, + chunk_t encoded) { - private_identification_t *this = identification_create(); - - this->type = type; - switch (type) - { - case ID_ANY: - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_any; - break; - case ID_FQDN: - case ID_RFC822_ADDR: - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_string; - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_strcasecmp; - break; - case ID_DER_ASN1_DN: - this->public.equals = (bool (*) - (identification_t*,identification_t*))equals_dn; - this->public.matches = (id_match_t (*) - (identification_t*,identification_t*))matches_dn; - break; - case ID_IPV4_ADDR: - case ID_IPV6_ADDR: - case ID_DER_ASN1_GN: - case ID_KEY_ID: - case ID_DER_ASN1_GN_URI: - case ID_PUBKEY_INFO_SHA1: - case ID_PUBKEY_SHA1: - case ID_CERT_DER_SHA1: - case ID_IETF_ATTR_STRING: - default: - break; - } + private_identification_t *this = identification_create(type); /* apply encoded chunk */ if (type != ID_ANY) diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c index 8b3a25201..a6c39e94c 100644 --- a/src/libstrongswan/utils/mutex.c +++ b/src/libstrongswan/utils/mutex.c @@ -276,7 +276,7 @@ mutex_t *mutex_create(mutex_type_t type) { switch (type) { - case MUTEX_RECURSIVE: + case MUTEX_TYPE_RECURSIVE: { private_r_mutex_t *this = malloc_thing(private_r_mutex_t); @@ -292,7 +292,7 @@ mutex_t *mutex_create(mutex_type_t type) return &this->generic.public; } - case MUTEX_DEFAULT: + case MUTEX_TYPE_DEFAULT: default: { private_mutex_t *this = malloc_thing(private_mutex_t); @@ -416,7 +416,7 @@ condvar_t *condvar_create(condvar_type_t type) { switch (type) { - case CONDVAR_DEFAULT: + case CONDVAR_TYPE_DEFAULT: default: { private_condvar_t *this = malloc_thing(private_condvar_t); @@ -488,7 +488,7 @@ rwlock_t *rwlock_create(rwlock_type_t type) { switch (type) { - case RWLOCK_DEFAULT: + case RWLOCK_TYPE_DEFAULT: default: { private_rwlock_t *this = malloc_thing(private_rwlock_t); diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h index c5c667992..273f56b47 100644 --- a/src/libstrongswan/utils/mutex.h +++ b/src/libstrongswan/utils/mutex.h @@ -31,14 +31,41 @@ typedef enum rwlock_type_t rwlock_type_t; #include <library.h> +#ifdef __APPLE__ +/* on Mac OS X 10.5 several system calls we use are no cancellation points. + * fortunately, select isn't one of them, so we wrap some of the others with + * calls to select(2). + */ +#include <sys/socket.h> +#include <sys/select.h> + +#define WRAP_WITH_SELECT(func, socket, ...)\ + fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\ + if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\ + return func(socket, __VA_ARGS__) + +static inline int cancellable_accept(int socket, struct sockaddr *address, + socklen_t *address_len) +{ + WRAP_WITH_SELECT(accept, socket, address, address_len); +} +#define accept cancellable_accept +static inline int cancellable_recvfrom(int socket, void *buffer, size_t length, + int flags, struct sockaddr *address, socklen_t *address_len) +{ + WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len); +} +#define recvfrom cancellable_recvfrom +#endif /* __APPLE__ */ + /** * Type of mutex. */ enum mutex_type_t { /** default mutex */ - MUTEX_DEFAULT = 0, + MUTEX_TYPE_DEFAULT = 0, /** allow recursive locking of the mutex */ - MUTEX_RECURSIVE = 1, + MUTEX_TYPE_RECURSIVE = 1, }; /** @@ -46,7 +73,7 @@ enum mutex_type_t { */ enum condvar_type_t { /** default condvar */ - CONDVAR_DEFAULT = 0, + CONDVAR_TYPE_DEFAULT = 0, }; /** @@ -54,7 +81,7 @@ enum condvar_type_t { */ enum rwlock_type_t { /** default condvar */ - RWLOCK_DEFAULT = 0, + RWLOCK_TYPE_DEFAULT = 0, }; /** diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 49376379e..2252f57ec 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -98,12 +98,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -168,6 +170,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -208,7 +211,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index a9ef57922..239923c40 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in @@ -84,12 +84,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -154,6 +156,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -194,7 +197,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index 7bf71b08f..d8d590eb2 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -70,12 +70,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -140,6 +142,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -180,7 +183,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/openac/openac.c b/src/openac/openac.c index 3686c07ac..a8f75e093 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -40,11 +40,6 @@ #include <credentials/keys/private_key.h> #include <utils/optionsfrom.h> -#ifdef INTEGRITY_TEST -#include <fips/fips.h> -#include <fips_signature.h> -#endif /* INTEGRITY_TEST */ - #define OPENAC_PATH IPSEC_CONFDIR "/openac" #define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial" @@ -223,15 +218,16 @@ static void openac_dbg(int level, char *fmt, ...) if (level <= debug_level) { - va_start(args, fmt); - if (!stderr_quiet) { + va_start(args, fmt); vfprintf(stderr, fmt, args); fprintf(stderr, "\n"); + va_end(args); } /* write in memory buffer first */ + va_start(args, fmt); vsnprintf(buffer, sizeof(buffer), fmt, args); va_end(args); @@ -287,7 +283,18 @@ int main(int argc, char **argv) openlog("openac", 0, LOG_AUTHPRIV); /* initialize library */ - library_init(STRONGSWAN_CONF); + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "openac", argv[0])) + { + fprintf(stderr, "integrity check of openac failed\n"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "openac.load", PLUGINS)); @@ -482,20 +489,6 @@ int main(int argc, char **argv) DBG1("starting openac (strongSwan Version %s)", VERSION); -#ifdef INTEGRITY_TEST - DBG1("integrity test of libstrongswan code"); - if (fips_verify_hmac_signature(hmac_key, hmac_signature)) - { - DBG1(" integrity test passed"); - } - else - { - DBG1(" integrity test failed"); - status = 3; - goto end; - } -#endif /* INTEGRITY_TEST */ - /* load the signer's RSA private key */ if (keyfile != NULL) { diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index 01237305b..c9cb6651f 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am @@ -110,11 +110,6 @@ if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD endif -# This compile option activates the integrity test of libstrongswan -if USE_INTEGRITY_TEST - AM_CFLAGS += -DINTEGRITY_TEST -endif - if USE_CAPABILITIES pluto_LDADD += -lcap endif diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 01bda8540..871f0c905 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -52,11 +52,8 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) # This compile option activates smartcard support @USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD - -# This compile option activates the integrity test of libstrongswan -@USE_INTEGRITY_TEST_TRUE@am__append_6 = -DINTEGRITY_TEST -@USE_CAPABILITIES_TRUE@am__append_7 = -lcap -@USE_THREADS_TRUE@am__append_8 = -DTHREADS +@USE_CAPABILITIES_TRUE@am__append_6 = -lcap +@USE_THREADS_TRUE@am__append_7 = -DTHREADS subdir = src/pluto DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -116,12 +113,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -186,6 +185,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -226,7 +226,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -325,11 +327,10 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \ -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \ $(am__append_1) $(am__append_2) $(am__append_3) \ - $(am__append_4) $(am__append_5) $(am__append_6) \ - $(am__append_8) + $(am__append_4) $(am__append_5) $(am__append_7) pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \ - $(am__append_7) + $(am__append_6) _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c index a85a18905..c25418fc1 100644 --- a/src/pluto/alg_info.c +++ b/src/pluto/alg_info.c @@ -139,6 +139,24 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id, ) } +/** + * Returns true if the given alg is an authenticated encryption algorithm + */ +static bool is_authenticated_encryption(int ealg_id) +{ + switch (ealg_id) + { + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + return TRUE; + } + return FALSE; +} + /* * Add ESP alg info _with_ logic (policy): */ @@ -152,7 +170,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id, } if (ealg_id > 0) { - if (aalg_id > 0) + if (is_authenticated_encryption(ealg_id)) + { + __alg_info_esp_add((struct alg_info_esp *)alg_info, + ealg_id, ek_bits, + AUTH_ALGORITHM_NONE, 0); + } + else if (aalg_id > 0) { __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, @@ -160,13 +184,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id, } else { - /* Policy: default to MD5 and SHA1 */ + /* Policy: default to SHA-1 and MD5 */ __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, - AUTH_ALGORITHM_HMAC_MD5, ak_bits); + AUTH_ALGORITHM_HMAC_SHA1, ak_bits); __alg_info_esp_add((struct alg_info_esp *)alg_info, ealg_id, ek_bits, - AUTH_ALGORITHM_HMAC_SHA1, ak_bits); + AUTH_ALGORITHM_HMAC_MD5, ak_bits); } } } diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 4deb722f7..b800b1665 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -1,5 +1,6 @@ /* information about connections between hosts and clients * Copyright (C) 1998-2002 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/constants.c b/src/pluto/constants.c index adcd77131..e46728d84 100644 --- a/src/pluto/constants.c +++ b/src/pluto/constants.c @@ -663,6 +663,7 @@ enum_names enc_mode_names = /* Auth Algorithm attribute */ static const char *const auth_alg_name[] = { + "AUTH_NONE", "HMAC_MD5", "HMAC_SHA1", "DES_MAC", @@ -683,7 +684,7 @@ enum_names extended_auth_alg_names = { AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL }; enum_names auth_alg_names = - { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name + { AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA, auth_alg_name , &extended_auth_alg_names }; /* From draft-beaulieu-ike-xauth */ diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index 1adccc74e..f47ad1eeb 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c @@ -235,7 +235,7 @@ static struct dh_desc dh_desc_ecp_224 = { ke_size: 2*224 / BITS_PER_BYTE }; -void init_crypto(void) +bool init_crypto(void) { enumerator_t *enumerator; encryption_algorithm_t encryption_alg; @@ -275,13 +275,13 @@ void init_crypto(void) } enumerator->destroy(enumerator); - if (no_sha1) + if (no_sha1 || no_md5) { - exit_log("pluto cannot run without a SHA-1 hasher"); - } - if (no_md5) - { - exit_log("pluto cannot run without an MD5 hasher"); + plog("pluto cannot run without a %s%s%s hasher", + (no_sha1) ? "SHA-1" : "", + (no_sha1 && no_md5) ? " and " : "", + (no_md5) ? "MD5" : ""); + return FALSE; } enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); @@ -363,6 +363,7 @@ void init_crypto(void) ike_alg_add((struct ike_alg *)desc); } enumerator->destroy(enumerator); + return TRUE; } void free_crypto(void) diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h index 06c4e1d1a..019ba5764 100644 --- a/src/pluto/crypto.h +++ b/src/pluto/crypto.h @@ -20,7 +20,7 @@ #include "ike_alg.h" -extern void init_crypto(void); +extern bool init_crypto(void); extern void free_crypto(void); extern const struct dh_desc unset_group; /* magic signifier */ diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 929768ee9..57f4fb54b 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid, */ switch (protoid) { - case PROTO_IPSEC_ESP: + case PROTO_IPSEC_ESP: + { + needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid); + + if (needed_len && pi->attrs.key_len) + { + needed_len = pi->attrs.key_len / BITS_PER_BYTE; + } + switch (pi->attrs.transid) { - case ESP_NULL: - needed_len = 0; - break; - case ESP_DES: - needed_len = DES_CBC_BLOCK_SIZE; - break; - case ESP_3DES: - needed_len = DES_CBC_BLOCK_SIZE * 3; - break; - default: -#ifndef NO_KERNEL_ALG - if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) { - /* XXX: check key_len "coupling with kernel.c's */ - if (pi->attrs.key_len) { - needed_len=pi->attrs.key_len/8; - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "key_len=%d from peer", - (int)needed_len)); - } - break; - } -#endif - bad_case(pi->attrs.transid); + case ESP_NULL: + needed_len = 0; + break; + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + needed_len += 3; + break; + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + case ESP_AES_CTR: + needed_len += 4; + break; + default: + if (needed_len == 0) + { + bad_case(pi->attrs.transid); + } } -#ifndef NO_KERNEL_ALG - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP enc)=%d", - (int)needed_len)); - if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) { + if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) + { needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth); - } else -#endif - switch (pi->attrs.auth) + } + else { - case AUTH_ALGORITHM_NONE: - break; - case AUTH_ALGORITHM_HMAC_MD5: - needed_len += HMAC_MD5_KEY_LEN; - break; - case AUTH_ALGORITHM_HMAC_SHA1: - needed_len += HMAC_SHA1_KEY_LEN; - break; - case AUTH_ALGORITHM_DES_MAC: - default: - bad_case(pi->attrs.auth); + switch (pi->attrs.auth) + { + case AUTH_ALGORITHM_NONE: + break; + case AUTH_ALGORITHM_HMAC_MD5: + needed_len += HMAC_MD5_KEY_LEN; + break; + case AUTH_ALGORITHM_HMAC_SHA1: + needed_len += HMAC_SHA1_KEY_LEN; + break; + case AUTH_ALGORITHM_DES_MAC: + default: + bad_case(pi->attrs.auth); + } } - DBG(DBG_PARSING, DBG_log("compute_proto_keymat:" - "needed_len (after ESP auth)=%d", - (int)needed_len)); break; - - case PROTO_IPSEC_AH: + } + case PROTO_IPSEC_AH: + { switch (pi->attrs.transid) { - case AH_MD5: - needed_len = HMAC_MD5_KEY_LEN; - break; - case AH_SHA: - needed_len = HMAC_SHA1_KEY_LEN; - break; - default: - bad_case(pi->attrs.transid); + case AH_MD5: + needed_len = HMAC_MD5_KEY_LEN; + break; + case AH_SHA: + needed_len = HMAC_SHA1_KEY_LEN; + break; + default: + bad_case(pi->attrs.transid); } break; - - default: - bad_case(protoid); + } + default: + bad_case(protoid); } pi->keymat_len = needed_len; @@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n, if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno) { loglog(RC_LOG_SERIOUS - , "DPD: R_U_THERE_ACK has unexpected sequence number"); + , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)" + , seqno, st->st_dpd_expectseqno); return STF_FAIL + PAYLOAD_MALFORMED; } diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index f698de2c8..46edac1cd 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c @@ -1,6 +1,7 @@ /* routines that interface with the kernel's IPsec mechanism * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2002 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -1849,7 +1850,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (st->nat_traversal & NAT_T_DETECTED) { natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? - ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; + ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE; natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port; natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port; natt_oa = st->nat_oa; @@ -1860,12 +1861,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (ei == &esp_info[countof(esp_info)]) { /* Check for additional kernel alg */ -#ifndef NO_KERNEL_ALG if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid, - st->st_esp.attrs.auth))!=NULL) { - break; + st->st_esp.attrs.auth))!=NULL) + { + break; } -#endif /* note: enum_show may use a static buffer, so two * calls in one printf would be a mistake. @@ -1878,9 +1878,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) goto fail; } - if (st->st_esp.attrs.transid == ei->transid - && st->st_esp.attrs.auth == ei->auth) + if (st->st_esp.attrs.transid == ei->transid && + st->st_esp.attrs.auth == ei->auth) + { break; + } } key_len = st->st_esp.attrs.key_len/8; @@ -1899,40 +1901,52 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) { key_len = ei->enckeylen; } - /* Grrrrr.... f*cking 7 bits jurassic algos */ - - /* 168 bits in kernel, need 192 bits for keymat_len */ - if (ei->transid == ESP_3DES && key_len == 21) - key_len = 24; - /* 56 bits in kernel, need 64 bits for keymat_len */ - if (ei->transid == ESP_DES && key_len == 7) - key_len = 8; + switch (ei->transid) + { + case ESP_3DES: + /* 168 bits in kernel, need 192 bits for keymat_len */ + if (key_len == 21) + { + key_len = 24; + } + break; + case ESP_DES: + /* 56 bits in kernel, need 64 bits for keymat_len */ + if (key_len == 7) + { + key_len = 8; + } + break; + case ESP_AES_CCM_8: + case ESP_AES_CCM_12: + case ESP_AES_CCM_16: + key_len += 3; + break; + case ESP_AES_GCM_8: + case ESP_AES_GCM_12: + case ESP_AES_GCM_16: + case ESP_AES_CTR: + key_len += 4; + break; + default: + break; + } /* divide up keying material */ - /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */ - DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, - if(st->st_esp.keymat_len != key_len + ei->authkeylen) - DBG_log("keymat_len=%d key_len=%d authkeylen=%d", - st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen); - ) - passert(st->st_esp.keymat_len == key_len + ei->authkeylen); - set_text_said(text_said, &dst.addr, esp_spi, SA_ESP); - said_next->src = &src.addr; said_next->dst = &dst.addr; said_next->src_client = &src_client; said_next->dst_client = &dst_client; said_next->spi = esp_spi; said_next->satype = SADB_SATYPE_ESP; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; + said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? + REPLAY_WINDOW : REPLAY_WINDOW_XFRM; said_next->authalg = ei->authalg; said_next->authkeylen = ei->authkeylen; - /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */ said_next->authkey = esp_dst_keymat + key_len; said_next->encalg = ei->encryptalg; - /* said_next->enckeylen = ei->enckeylen; */ said_next->enckeylen = key_len; said_next->enckey = esp_dst_keymat; said_next->encapsulation = encapsulation; @@ -1945,10 +1959,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) said_next->text_said = text_said; if (!kernel_ops->add_sa(said_next, replace)) + { goto fail; - + } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; } @@ -1963,29 +1977,27 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) switch (st->st_ah.attrs.auth) { - case AUTH_ALGORITHM_HMAC_MD5: - authalg = SADB_AALG_MD5HMAC; - break; - - case AUTH_ALGORITHM_HMAC_SHA1: - authalg = SADB_AALG_SHA1HMAC; - break; - - default: - loglog(RC_LOG_SERIOUS, "%s not implemented yet" - , enum_show(&auth_alg_names, st->st_ah.attrs.auth)); + case AUTH_ALGORITHM_HMAC_MD5: + authalg = SADB_AALG_MD5HMAC; + break; + case AUTH_ALGORITHM_HMAC_SHA1: + authalg = SADB_AALG_SHA1HMAC; + break; + default: + loglog(RC_LOG_SERIOUS, "%s not implemented yet", + enum_show(&auth_alg_names, st->st_ah.attrs.auth)); goto fail; } set_text_said(text_said, &dst.addr, ah_spi, SA_AH); - said_next->src = &src.addr; said_next->dst = &dst.addr; said_next->src_client = &src_client; said_next->dst_client = &dst_client; said_next->spi = ah_spi; said_next->satype = SADB_SATYPE_AH; - said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM; + said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? + REPLAY_WINDOW : REPLAY_WINDOW_XFRM; said_next->authalg = authalg; said_next->authkeylen = st->st_ah.keymat_len; said_next->authkey = ah_dst_keymat; @@ -1994,10 +2006,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) said_next->text_said = text_said; if (!kernel_ops->add_sa(said_next, replace)) + { goto fail; - + } said_next++; - encapsulation = ENCAPSULATION_MODE_TRANSPORT; } @@ -2093,7 +2105,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) s[1].text_said = text_said1; if (!kernel_ops->grp_sa(s + 1, s)) + { goto fail; + } } /* could update said, but it will not be used */ } @@ -2104,8 +2118,10 @@ fail: { /* undo the done SPIs */ while (said_next-- != said) - (void) del_spi(said_next->spi, said_next->proto - , &src.addr, said_next->dst); + { + (void) del_spi(said_next->spi, said_next->proto, &src.addr, + said_next->dst); + } return FALSE; } } @@ -2216,8 +2232,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) *use_time = UNDEFINED_TIME; if (kernel_ops->get_sa == NULL || !st->st_esp.present) + { return FALSE; - + } memset(&sa, 0, sizeof(sa)); sa.proto = SA_ESP; @@ -2241,7 +2258,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) DBG_log("get %s", text_said) ) if (!kernel_ops->get_sa(&sa, bytes)) + { return FALSE; + } DBG(DBG_KLIPS, DBG_log(" current: %d bytes", *bytes) ) @@ -2266,7 +2285,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time) sa.dst_client = &c->spd.that.client; } if (!kernel_ops->get_policy(&sa, inbound, use_time)) + { return FALSE; + } DBG(DBG_KLIPS, DBG_log(" use_time: %T", use_time, FALSE) ) @@ -2349,15 +2370,21 @@ bool install_inbound_ipsec_sa(struct state *st) struct connection *o = route_owner(c, &esr, NULL, NULL); if (o == NULL) + { break; /* nobody has a route */ + } /* note: we ignore the client addresses at this end */ - if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) - && o->interface == c->interface) + if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) && + o->interface == c->interface) + { break; /* existing route is compatible */ + } if (o->kind == CK_TEMPLATE && streq(o->name, c->name)) + { break; /* ??? is this good enough?? */ + } loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route" , o->name, ip_str(&o->spd.that.host_addr)); @@ -2369,12 +2396,11 @@ bool install_inbound_ipsec_sa(struct state *st) /* check that we will be able to route and eroute */ switch (could_route(c)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } #ifdef KLIPS @@ -2471,10 +2497,14 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, /* if no state provided, then install a shunt for later */ if (st == NULL) + { eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE , ERO_ADD, "add"); + } else + { eroute_installed = sag_eroute(st, sr, ERO_ADD, "add"); + } } /* notify the firewall of a new tunnel */ @@ -2507,8 +2537,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, (void) do_command(c, sr, "prepare"); /* just in case; ignore failure */ route_installed = do_command(c, sr, "route"); } - else if (routed(sr->routing) - || routes_agree(ro, c)) + else if (routed(sr->routing) || routes_agree(ro, c)) { route_installed = TRUE; /* nothing to be done */ } @@ -2658,11 +2687,13 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS, { /* there was no previous eroute: delete whatever we installed */ if (st == NULL) - (void) shunt_eroute(c, sr - , sr->routing, ERO_DELETE, "delete"); + { + (void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete"); + } else - (void) sag_eroute(st, sr - , ERO_DELETE, "delete"); + { + (void) sag_eroute(st, sr, ERO_DELETE, "delete"); + } } } @@ -2685,18 +2716,19 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) switch (could_route(st->st_connection)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } /* (attempt to) actually set up the SA group */ - if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) - || !setup_half_ipsec_sa(st, FALSE)) + if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) || + !setup_half_ipsec_sa(st, FALSE)) + { return FALSE; + } for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next) { @@ -2730,12 +2762,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS) switch (could_route(st->st_connection)) { - case route_easy: - case route_nearconflict: - break; - - default: - return FALSE; + case route_easy: + case route_nearconflict: + break; + default: + return FALSE; } @@ -2778,8 +2809,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS, ? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE; (void) do_command(c, sr, "down"); - if ((c->policy & POLICY_DONT_REKEY) - && c->kind == CK_INSTANCE) + if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE) { /* in this special case, even if the connection * is still alive (due to an ISAKMP SA), @@ -2888,8 +2918,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time) /* Can't open the file, perhaps were are on 26sec? */ time_t use_time; - if (get_sa_info(st, TRUE, &bytes, &use_time) - && use_time != UNDEFINED_TIME) + if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME) { *idle_time = time(NULL) - use_time; ret = *idle_time >= idle_max; diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index 1590bdf02..7e7d25872 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c @@ -341,7 +341,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) sadb.msg++; - while(msglen) + while (msglen) { int supp_exttype = sadb.supported->sadb_supported_exttype; int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN; @@ -361,14 +361,14 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) supp_len; supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++) { - int ret = kernel_alg_add(satype, supp_exttype, sadb.alg); + kernel_alg_add(satype, supp_exttype, sadb.alg); DBG(DBG_KLIPS, DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: " "alg[%d], exttype=%d, satype=%d, alg_id=%d, " "alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, " - "res=%d, ret=%d" - , satype==SADB_SATYPE_ESP? "ESP" : "AH" + "res=%d" + , satype == SADB_SATYPE_ESP? "ESP" : "AH" , i , supp_exttype , satype @@ -376,9 +376,25 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen) , sadb.alg->sadb_alg_ivlen , sadb.alg->sadb_alg_minbits , sadb.alg->sadb_alg_maxbits - , sadb.alg->sadb_alg_reserved - , ret) + , sadb.alg->sadb_alg_reserved) ) + /* if AES_CBC is registered then also register AES_CCM and AES_GCM */ + if (satype == SADB_SATYPE_ESP && + sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC) + { + struct sadb_alg alg = *sadb.alg; + int alg_id; + + for (alg_id = SADB_X_EALG_AES_CCM_ICV8; + alg_id <= SADB_X_EALG_AES_GCM_ICV16; alg_id++) + { + if (alg_id != ESP_UNASSIGNED_17) + { + alg.sadb_alg_id = alg_id; + kernel_alg_add(satype, supp_exttype, &alg); + } + } + } } } } @@ -388,8 +404,9 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id) u_int keylen = 0; if (!ESP_EALG_PRESENT(alg_id)) + { goto none; - + } keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE; switch (alg_id) @@ -407,8 +424,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id) none: DBG(DBG_KLIPS, - DBG_log("kernel_alg_esp_enc_keylen():" - "alg_id=%d, keylen=%d", + DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d", alg_id, keylen) ) return keylen; @@ -515,7 +531,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance) } bool kernel_alg_esp_auth_ok(u_int auth, - struct alg_info_esp *alg_info __attribute__((unused))) + struct alg_info_esp *alg_info __attribute__((unused))) { return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth)); } @@ -619,14 +635,15 @@ static bool kernel_alg_db_add(struct db_context *db_ctx, return FALSE; } - if (!(policy & POLICY_AUTHENTICATE)) /* skip ESP auth attrs for AH */ + if (!(policy & POLICY_AUTHENTICATE) && /* skip ESP auth attrs for AH */ + esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE) { aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id); if (!ESP_AALG_PRESENT(aalg_id)) { - DBG_log("kernel_alg_db_add() kernel auth " - "aalg_id=%d not present", aalg_id); + DBG_log("kernel_alg_db_add() kernel auth aalg_id=%d not present", + aalg_id); return FALSE; } } @@ -637,13 +654,18 @@ static bool kernel_alg_db_add(struct db_context *db_ctx, /* open new transformation */ db_trans_add(db_ctx, ealg_id); - /* add ESP auth attr */ - if (!(policy & POLICY_AUTHENTICATE)) + /* add ESP auth attr if not AH or AEAD */ + if (!(policy & POLICY_AUTHENTICATE) && + esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE) + { db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id); + } - /* add keylegth if specified in esp= string */ + /* add keylength if specified in esp= string */ if (esp_info->esp_ealg_keylen) + { db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen); + } return TRUE; } diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c index b4b4774c7..0376e817b 100644 --- a/src/pluto/kernel_netlink.c +++ b/src/pluto/kernel_netlink.c @@ -49,69 +49,76 @@ static int netlink_bcast_fd = NULL_FD; #define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */ static sparse_names xfrm_type_names = { - NE(NLMSG_NOOP), - NE(NLMSG_ERROR), - NE(NLMSG_DONE), - NE(NLMSG_OVERRUN), + NE(NLMSG_NOOP), + NE(NLMSG_ERROR), + NE(NLMSG_DONE), + NE(NLMSG_OVERRUN), - NE(XFRM_MSG_NEWSA), - NE(XFRM_MSG_DELSA), - NE(XFRM_MSG_GETSA), + NE(XFRM_MSG_NEWSA), + NE(XFRM_MSG_DELSA), + NE(XFRM_MSG_GETSA), - NE(XFRM_MSG_NEWPOLICY), - NE(XFRM_MSG_DELPOLICY), - NE(XFRM_MSG_GETPOLICY), + NE(XFRM_MSG_NEWPOLICY), + NE(XFRM_MSG_DELPOLICY), + NE(XFRM_MSG_GETPOLICY), - NE(XFRM_MSG_ALLOCSPI), - NE(XFRM_MSG_ACQUIRE), - NE(XFRM_MSG_EXPIRE), + NE(XFRM_MSG_ALLOCSPI), + NE(XFRM_MSG_ACQUIRE), + NE(XFRM_MSG_EXPIRE), - NE(XFRM_MSG_UPDPOLICY), - NE(XFRM_MSG_UPDSA), + NE(XFRM_MSG_UPDPOLICY), + NE(XFRM_MSG_UPDSA), - NE(XFRM_MSG_POLEXPIRE), + NE(XFRM_MSG_POLEXPIRE), - NE(XFRM_MSG_MAX), + NE(XFRM_MSG_MAX), - { 0, sparse_end } + { 0, sparse_end } }; #undef NE /* Authentication algorithms */ static sparse_names aalg_list = { - { SADB_X_AALG_NULL, "digest_null" }, - { SADB_AALG_MD5HMAC, "md5" }, - { SADB_AALG_SHA1HMAC, "sha1" }, - { SADB_X_AALG_SHA2_256HMAC, "sha256" }, - { SADB_X_AALG_SHA2_384HMAC, "sha384" }, - { SADB_X_AALG_SHA2_512HMAC, "sha512" }, - { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" }, - { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"}, - { SADB_X_AALG_NULL, "null" }, - { 0, sparse_end } + { SADB_X_AALG_NULL, "digest_null" }, + { SADB_AALG_MD5HMAC, "md5" }, + { SADB_AALG_SHA1HMAC, "sha1" }, + { SADB_X_AALG_SHA2_256HMAC, "sha256" }, + { SADB_X_AALG_SHA2_384HMAC, "sha384" }, + { SADB_X_AALG_SHA2_512HMAC, "sha512" }, + { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" }, + { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"}, + { SADB_X_AALG_NULL, "null" }, + { 0, sparse_end } }; /* Encryption algorithms */ static sparse_names ealg_list = { - { SADB_EALG_NULL, "cipher_null" }, - { SADB_EALG_DESCBC, "des" }, - { SADB_EALG_3DESCBC, "des3_ede" }, - { SADB_X_EALG_CASTCBC, "cast128" }, - { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, - { SADB_X_EALG_AESCBC, "aes" }, - { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, - { SADB_X_EALG_SERPENTCBC, "serpent" }, - { SADB_X_EALG_TWOFISHCBC, "twofish" }, - { 0, sparse_end } + { SADB_EALG_NULL, "cipher_null" }, + { SADB_EALG_DESCBC, "des" }, + { SADB_EALG_3DESCBC, "des3_ede" }, + { SADB_X_EALG_CASTCBC, "cast128" }, + { SADB_X_EALG_BLOWFISHCBC, "blowfish" }, + { SADB_X_EALG_AESCBC, "aes" }, + { SADB_X_EALG_AESCTR, "rfc3686(ctr(aes))" }, + { SADB_X_EALG_AES_CCM_ICV8, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV8, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" }, + { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" }, + { SADB_X_EALG_SERPENTCBC, "serpent" }, + { SADB_X_EALG_TWOFISHCBC, "twofish" }, + { 0, sparse_end } }; /* Compression algorithms */ static sparse_names calg_list = { - { SADB_X_CALG_DEFLATE, "deflate" }, - { SADB_X_CALG_LZS, "lzs" }, - { SADB_X_CALG_LZJH, "lzjh" }, - { 0, sparse_end } + { SADB_X_CALG_DEFLATE, "deflate" }, + { SADB_X_CALG_LZS, "lzs" }, + { SADB_X_CALG_LZJH, "lzjh" }, + { 0, sparse_end } }; /** ip2xfrm - Take an IP address and convert to an xfrm. @@ -119,8 +126,7 @@ static sparse_names calg_list = { * @param addr ip_address * @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here. */ -static void -ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) +static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) { if (addr->u.v4.sin_family == AF_INET) { @@ -135,35 +141,41 @@ ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr) /** init_netlink - Initialize the netlink inferface. Opens the sockets and * then binds to the broadcast socket. */ -static void -init_netlink(void) +static void init_netlink(void) { struct sockaddr_nl addr; netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); if (netlinkfd < 0) + { exit_log_errno((e, "socket() in init_netlink()")); - + } if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0) + { exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()")); - + } netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM); if (netlink_bcast_fd < 0) + { exit_log_errno((e, "socket() for bcast in init_netlink()")); - + } if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0) + { exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()")); - + } if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0) + { exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()")); - + } addr.nl_family = AF_NETLINK; addr.nl_pid = getpid(); addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE; if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) + { exit_log_errno((e, "Failed to bind bcast socket in init_netlink()")); + } } /** send_netlink_msg @@ -176,9 +188,9 @@ init_netlink(void) * @param text_said - String * @return bool True if the message was succesfully sent. */ -static bool -send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len -, const char *description, const char *text_said) +static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, + size_t rbuf_len, const char *description, + const char *text_said) { struct { struct nlmsghdr n; @@ -200,7 +212,9 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len len = hdr->nlmsg_len; do { r = write(netlinkfd, hdr, len); - } while (r < 0 && errno == EINTR); + } + while (r < 0 && errno == EINTR); + if (r < 0) { log_errno((e @@ -221,7 +235,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len return FALSE; } - for (;;) { + for (;;) + { socklen_t alen; alen = sizeof(addr); @@ -322,8 +337,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len * @param text_said - String * @return boolean */ -static bool -netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said) +static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, + const char *text_said) { struct { struct nlmsghdr n; @@ -372,18 +387,17 @@ netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said) * @param ip int * @return boolean True if successful */ -static bool -netlink_raw_eroute(const ip_address *this_host - , const ip_subnet *this_client - , const ip_address *that_host - , const ip_subnet *that_client - , ipsec_spi_t spi - , unsigned int satype - , unsigned int transport_proto - , const struct pfkey_proto_info *proto_info - , time_t use_lifetime UNUSED - , unsigned int op - , const char *text_said) +static bool netlink_raw_eroute(const ip_address *this_host + , const ip_subnet *this_client + , const ip_address *that_host + , const ip_subnet *that_client + , ipsec_spi_t spi + , unsigned int satype + , unsigned int transport_proto + , const struct pfkey_proto_info *proto_info + , time_t use_lifetime UNUSED + , unsigned int op + , const char *text_said) { struct { struct nlmsghdr n; @@ -568,8 +582,7 @@ netlink_raw_eroute(const ip_address *this_host * @param replace boolean - true if this replaces an existing SA * @return bool True if successfull */ -static bool -netlink_add_sa(const struct kernel_sa *sa, bool replace) +static bool netlink_add_sa(const struct kernel_sa *sa, bool replace) { struct { struct nlmsghdr n; @@ -577,6 +590,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) char data[1024]; } req; struct rtattr *attr; + u_int16_t icv_size = 64; memset(&req, 0, sizeof(req)); req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; @@ -606,11 +620,17 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) const char *name; name = sparse_name(aalg_list, sa->authalg); - if (!name) { + if (!name) + { loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u" , sa->authalg); return FALSE; } + DBG(DBG_CRYPT, + DBG_log("configured authentication algorithm %s with key size %d", + enum_show(&auth_alg_names, sa->authalg), + sa->authkeylen * BITS_PER_BYTE) + ) strcpy(algo.alg_name, name); algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE; @@ -626,30 +646,78 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) attr = (struct rtattr *)((char *)attr + attr->rta_len); } - if (sa->encalg) + switch (sa->encalg) { - struct xfrm_algo algo; - const char *name; + case SADB_EALG_NONE: + /* no encryption */ + break; + case SADB_X_EALG_AES_CCM_ICV16: + case SADB_X_EALG_AES_GCM_ICV16: + icv_size += 32; + /* FALL */ + case SADB_X_EALG_AES_CCM_ICV12: + case SADB_X_EALG_AES_GCM_ICV12: + icv_size += 32; + /* FALL */ + case SADB_X_EALG_AES_CCM_ICV8: + case SADB_X_EALG_AES_GCM_ICV8: + { + struct xfrm_algo_aead *algo; + const char *name; - name = sparse_name(ealg_list, sa->encalg); - if (!name) { - loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u" - , sa->encalg); - return FALSE; + name = sparse_name(ealg_list, sa->encalg); + if (!name) + { + loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", + sa->encalg); + return FALSE; + } + DBG(DBG_CRYPT, + DBG_log("configured esp encryption algorithm %s with key size %d", + enum_show(&esp_transformid_names, sa->encalg), + sa->enckeylen * BITS_PER_BYTE) + ) + attr->rta_type = XFRMA_ALG_AEAD; + attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen); + req.n.nlmsg_len += attr->rta_len; + + algo = (struct xfrm_algo_aead*)RTA_DATA(attr); + algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; + algo->alg_icv_len = icv_size; + strcpy(algo->alg_name, name); + memcpy(algo->alg_key, sa->enckey, sa->enckeylen); + + attr = (struct rtattr *)((char *)attr + attr->rta_len); + break; } + default: + { + struct xfrm_algo *algo; + const char *name; - strcpy(algo.alg_name, name); - algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE; - - attr->rta_type = XFRMA_ALG_CRYPT; - attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen); - - memcpy(RTA_DATA(attr), &algo, sizeof(algo)); - memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey - , sa->enckeylen); - - req.n.nlmsg_len += attr->rta_len; - attr = (struct rtattr *)((char *)attr + attr->rta_len); + name = sparse_name(ealg_list, sa->encalg); + if (!name) + { + loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u", + sa->encalg); + return FALSE; + } + DBG(DBG_CRYPT, + DBG_log("configured esp encryption algorithm %s with key size %d", + enum_show(&esp_transformid_names, sa->encalg), + sa->enckeylen * BITS_PER_BYTE) + ) + attr->rta_type = XFRMA_ALG_CRYPT; + attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen); + req.n.nlmsg_len += attr->rta_len; + + algo = (struct xfrm_algo*)RTA_DATA(attr); + algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE; + strcpy(algo->alg_name, name); + memcpy(algo->alg_key, sa->enckey, sa->enckeylen); + + attr = (struct rtattr *)((char *)attr + attr->rta_len); + } } if (sa->compalg) @@ -658,7 +726,8 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) const char *name; name = sparse_name(calg_list, sa->compalg); - if (!name) { + if (!name) + { loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u" , sa->compalg); return FALSE; @@ -702,8 +771,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace) * @param sa Kernel SA to be deleted * @return bool True if successfull */ -static bool -netlink_del_sa(const struct kernel_sa *sa) +static bool netlink_del_sa(const struct kernel_sa *sa) { struct { struct nlmsghdr n; @@ -726,9 +794,8 @@ netlink_del_sa(const struct kernel_sa *sa) return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said); } -static bool -netlink_error(const char *req_type, const struct nlmsghdr *n -, const struct nlmsgerr *e, int rsp_size) +static bool netlink_error(const char *req_type, const struct nlmsghdr *n, + const struct nlmsgerr *e, int rsp_size) { if (n->nlmsg_type == NLMSG_ERROR) { @@ -751,8 +818,8 @@ netlink_error(const char *req_type, const struct nlmsghdr *n return FALSE; } -static bool -netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) +static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound, + time_t *use_time) { struct { struct nlmsghdr n; @@ -789,11 +856,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } *use_time = (time_t)rsp.u.info.curlft.use_time; if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL) @@ -803,11 +872,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) req.id.dir = XFRM_POLICY_FWD; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } use_time_fwd = (time_t)rsp.u.info.curlft.use_time; *use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd; } @@ -820,8 +891,7 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time) * @param sa Kernel SA to be queried * @return bool True if successfull */ -static bool -netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) +static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) { struct { struct nlmsghdr n; @@ -851,18 +921,18 @@ netlink_get_sa(const struct kernel_sa *sa, u_int *bytes) rsp.n.nlmsg_type = XFRM_MSG_NEWSA; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said)) + { return FALSE; - + } if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info))) + { return FALSE; - + } *bytes = (u_int) rsp.u.info.curlft.bytes; - return TRUE; } -static void -linux_pfkey_register_response(const struct sadb_msg *msg) +static void linux_pfkey_register_response(const struct sadb_msg *msg) { switch (msg->sadb_msg_satype) { @@ -882,8 +952,7 @@ linux_pfkey_register_response(const struct sadb_msg *msg) /** linux_pfkey_register - Register via PFKEY our capabilities * */ -static void -linux_pfkey_register(void) +static void linux_pfkey_register(void) { pfkey_register_proto(SADB_SATYPE_AH, "AH"); pfkey_register_proto(SADB_SATYPE_ESP, "ESP"); @@ -898,8 +967,8 @@ linux_pfkey_register(void) * @param dst ip_address formatted destination * @return err_t NULL if okay, otherwise an error */ -static err_t -xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst) +static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, + ip_address *dst) { switch (family) { @@ -922,10 +991,8 @@ xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst) * @param dst ip_address formatted destination * @return err_t NULL if okay, otherwise an error */ -static err_t -xfrm_sel_to_ip_pair(const struct xfrm_selector *sel - , ip_address *src - , ip_address *dst) +static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel, + ip_address *src, ip_address *dst) { int family; err_t ugh; @@ -934,7 +1001,9 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src)) || (ugh = xfrm_to_ip_address(family, &sel->daddr, dst))) + { return ugh; + } /* family has been verified in xfrm_to_ip_address. */ if (family == AF_INET) @@ -951,8 +1020,7 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel return NULL; } -static void -netlink_acquire(struct nlmsghdr *n) +static void netlink_acquire(struct nlmsghdr *n) { struct xfrm_user_acquire *acquire; ip_address src, dst; @@ -978,15 +1046,17 @@ netlink_acquire(struct nlmsghdr *n) if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst)) && !(ugh = addrtosubnet(&src, &ours)) && !(ugh = addrtosubnet(&dst, &his))) + { record_and_initiate_opportunistic(&ours, &his, transport_proto , "%acquire-netlink"); - + } if (ugh != NULL) + { plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh); + } } -static void -netlink_shunt_expire(struct xfrm_userpolicy_info *pol) +static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol) { ip_address src, dst; unsigned transport_proto; @@ -1004,8 +1074,7 @@ netlink_shunt_expire(struct xfrm_userpolicy_info *pol) , "delete expired bare shunt"); } -static void -netlink_policy_expire(struct nlmsghdr *n) +static void netlink_policy_expire(struct nlmsghdr *n) { struct xfrm_user_polexpire *upe; struct { @@ -1040,11 +1109,13 @@ netlink_policy_expire(struct nlmsghdr *n) rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?")) + { return; - + } if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol))) + { return; - + } if (req.id.index != rsp.u.pol.index) { DBG(DBG_KLIPS, @@ -1072,8 +1143,7 @@ netlink_policy_expire(struct nlmsghdr *n) } } -static bool -netlink_get(void) +static bool netlink_get(void) { struct { struct nlmsghdr n; @@ -1137,22 +1207,15 @@ netlink_get(void) return TRUE; } -static void -netlink_process_msg(void) +static void netlink_process_msg(void) { - while (netlink_get()) - ; + while (netlink_get()); } -static ipsec_spi_t -netlink_get_spi(const ip_address *src -, const ip_address *dst -, int proto -, bool tunnel_mode -, unsigned reqid -, ipsec_spi_t min -, ipsec_spi_t max -, const char *text_said) +static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst, + int proto, bool tunnel_mode, unsigned reqid, + ipsec_spi_t min, ipsec_spi_t max, + const char *text_said) { struct { struct nlmsghdr n; @@ -1185,11 +1248,13 @@ netlink_get_spi(const ip_address *src rsp.n.nlmsg_type = XFRM_MSG_NEWSA; if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said)) + { return 0; - + } if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa))) + { return 0; - + } DBG(DBG_KLIPS, DBG_log("netlink_get_spi: allocated 0x%x for %s" , ntohl(rsp.u.sa.id.spi), text_said)); diff --git a/src/pluto/keys.c b/src/pluto/keys.c index 6dfbd6732..516872e8e 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c @@ -1,5 +1,6 @@ /* mechanisms for preshared keys (public, private, and preshared secrets) * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -551,7 +552,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd) } *key = load_private_key(filename, &pass, type); - return key ? NULL : "Private key file -- could not be loaded"; + return *key ? NULL : "Private key file -- could not be loaded"; } /** diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index 80164fa1d..8e428a759 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -1,6 +1,6 @@ /* Support of the Online Certificate Status Protocol (OCSP) * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen - * Zuercher Hochschule Winterthur + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/pem.c b/src/pluto/pem.c index 646447c1a..1a4a99af7 100644 --- a/src/pluto/pem.c +++ b/src/pluto/pem.c @@ -1,5 +1,6 @@ /* Loading of PEM encoded files with optional encryption * Copyright (C) 2001-2009 Andreas Steffen + * * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c index 7fb8232d5..1d5b14b26 100644 --- a/src/pluto/pgpcert.c +++ b/src/pluto/pgpcert.c @@ -85,7 +85,7 @@ static u_char pgp_version(chunk_t *blob) } /** - * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440 + * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 4880 */ static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert) { @@ -171,8 +171,8 @@ static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert) */ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert) { - pgp_pubkey_alg_t pubkey_alg; - public_key_t *key; + chunk_t pubkey_packet = *packet; + pgp_pubkey_alg_t pubkey_alg; if (!parse_pgp_pubkey_version_validity(packet, cert)) { @@ -190,33 +190,51 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert) { case PGP_PUBKEY_ALG_RSA: case PGP_PUBKEY_ALG_RSA_SIGN_ONLY: - key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, - BUILD_BLOB_PGP, *packet, - BUILD_END); - if (key == NULL) + cert->public_key = lib->creds->create(lib->creds, + CRED_PUBLIC_KEY, KEY_RSA, + BUILD_BLOB_PGP, *packet, + BUILD_END); + if (cert->public_key == NULL) { return FALSE; } - cert->public_key = key; - - if (cert->version == 3) - { - cert->fingerprint = key->get_id(key, ID_KEY_ID); - if (cert->fingerprint == NULL) - { - return FALSE; - } - } - else - { - plog(" computation of V4 key ID not implemented yet"); - return FALSE; - } break; default: plog(" non RSA public keys not supported"); return FALSE; } + + /* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */ + if (cert->version == 4) + { + char pubkey_packet_header_buf[] = { + 0x99, pubkey_packet.len / 256, pubkey_packet.len % 256 + }; + chunk_t pubkey_packet_header = chunk_from_buf(pubkey_packet_header_buf); + chunk_t hash; + hasher_t *hasher; + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher == NULL) + { + plog("no SHA-1 hasher available"); + return FALSE; + } + hasher->allocate_hash(hasher, pubkey_packet_header, NULL); + hasher->allocate_hash(hasher, pubkey_packet, &hash); + hasher->destroy(hasher); + cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, hash); + free(hash.ptr); + } + else + { + /* V3 fingerprint is computed by public_key_t class */ + cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID); + if (cert->fingerprint == NULL) + { + return FALSE; + } + } return TRUE; } diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c index 39367cafa..5d0e008f3 100644 --- a/src/pluto/plutomain.c +++ b/src/pluto/plutomain.c @@ -43,11 +43,6 @@ #include <utils/enumerator.h> #include <utils/optionsfrom.h> -#ifdef INTEGRITY_TEST -#include <fips/fips.h> -#include <fips/fips_signature.h> -#endif /* INTEGRITY_TEST */ - #include <pfkeyv2.h> #include <pfkey.h> @@ -265,7 +260,18 @@ int main(int argc, char **argv) #endif /* CAPABILITIES */ /* initialize library and optionsfrom */ - library_init(STRONGSWAN_CONF); + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "pluto", argv[0])) + { + fprintf(stderr, "integrity check of pluto failed\n"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } options = options_create(); /* handle arguments */ @@ -637,31 +643,28 @@ int main(int argc, char **argv) plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s", compile_time_interop_options); + if (lib->integrity) + { + plog("integrity tests enabled:"); + plog("lib 'libstrongswan': passed file and segment integrity tests"); + plog("daemon 'pluto': passed file integrity test"); + } + /* load plugins, further infrastructure may need it */ lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "pluto.load", PLUGINS)); print_plugins(); -#ifdef INTEGRITY_TEST - DBG1("integrity test of libstrongswan code"); - if (fips_verify_hmac_signature(hmac_key, hmac_signature)) - { - DBG1(" integrity test passed"); - } - else + if (!init_secret() || !init_crypto()) { - DBG1(" integrity test failed"); - abort(); + plog("initialization failed - aborting pluto"); + exit_pluto(SS_RC_INITIALIZATION_FAILED); } -#endif /* INTEGRITY_TEST */ - init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf); init_virtual_ip(virtual_private); scx_init(pkcs11_module_path, pkcs11_init_args); xauth_init(); - init_secret(); init_states(); - init_crypto(); init_demux(); init_kernel(); init_adns(); diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c index b8f4a3c23..a86c9f215 100644 --- a/src/pluto/spdb.c +++ b/src/pluto/spdb.c @@ -473,14 +473,13 @@ out_sa(pb_stream *outs if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs)) return_on(ret, FALSE); - /* Within tranform: Attributes. */ + /* Within transform: Attributes. */ /* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is * automatically generated because it must be the same * in every transform. Except IPCOMP. */ - if (p->protoid != PROTO_IPCOMP - && st->st_pfs_group != NULL) + if (p->protoid != PROTO_IPCOMP && st->st_pfs_group != NULL) { passert(!oakley_mode); passert(st->st_pfs_group != &unset_group); @@ -582,8 +581,7 @@ return_out: * The code is can only handle values that can fit in unsigned long. * "Clamping" is probably an acceptable way to impose this limitation. */ -static u_int32_t -decode_long_duration(pb_stream *pbs) +static u_int32_t decode_long_duration(pb_stream *pbs) { u_int32_t val = 0; @@ -631,8 +629,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa /* Situation */ if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL)) + { return SITUATION_NOT_SUPPORTED; - + } if (*ipsecdoisit != SIT_IDENTITY_ONLY) { loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)" @@ -647,8 +646,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa * There may well be multiple transforms. */ if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs)) + { return PAYLOAD_MALFORMED; - + } if (proposal->isap_np != ISAKMP_NEXT_NONE) { loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal" @@ -711,35 +711,31 @@ static struct { u_int8_t *roof; } backup; -/* - * backup the pointer into a pb_stream +/** + * Backup the pointer into a pb_stream */ -void -backup_pbs(pb_stream *pbs) +void backup_pbs(pb_stream *pbs) { backup.start = pbs->start; backup.cur = pbs->cur; backup.roof = pbs->roof; } -/* - * restore the pointer into a pb_stream +/** + * Restore the pointer into a pb_stream */ -void -restore_pbs(pb_stream *pbs) +void restore_pbs(pb_stream *pbs) { pbs->start = backup.start; pbs->cur = backup.cur; pbs->roof = backup.roof; } -/* +/** * Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies */ -notification_t -parse_isakmp_policy(pb_stream *proposal_pbs - , u_int notrans - , lset_t *policy) +notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans, + lset_t *policy) { int last_transnum = -1; @@ -753,8 +749,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs struct isakmp_transform trans; if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs)) + { return BAD_PROPOSAL_SYNTAX; - + } if (trans.isat_transnum <= last_transnum) { /* picky, picky, picky */ @@ -781,8 +778,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs pb_stream attr_pbs; if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs)) + { return BAD_PROPOSAL_SYNTAX; - + } passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32); switch (a.isaat_af_type) @@ -827,11 +825,10 @@ parse_isakmp_policy(pb_stream *proposal_pbs return NOTHING_WRONG; } -/* - * check that we can find a preshared secret +/** + * Check that we can find a preshared secret */ -static err_t -find_preshared_key(struct state* st) +static err_t find_preshared_key(struct state* st) { err_t ugh = NULL; struct connection *c = st->st_connection; @@ -842,9 +839,13 @@ find_preshared_key(struct state* st) idtoa(&c->spd.this.id, my_id, sizeof(my_id)); if (his_id_was_instantiated(c)) + { strcpy(his_id, "%any"); + } else + { idtoa(&c->spd.that.id, his_id, sizeof(his_id)); + } ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'" , my_id, his_id); } @@ -860,13 +861,12 @@ find_preshared_key(struct state* st) * * This routine is used by main_inI1_outR1() and main_inR1_outI2(). */ -notification_t -parse_isakmp_sa_body(u_int32_t ipsecdoisit - , pb_stream *proposal_pbs - , struct isakmp_proposal *proposal - , pb_stream *r_sa_pbs - , struct state *st - , bool initiator) +notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit, + pb_stream *proposal_pbs, + struct isakmp_proposal *proposal, + pb_stream *r_sa_pbs, + struct state *st, + bool initiator) { struct connection *c = st->st_connection; unsigned no_trans_left; @@ -1326,17 +1326,14 @@ static const struct ipsec_trans_attrs null_ipsec_trans_attrs = { 0, /* key_rounds */ }; -static bool -parse_ipsec_transform(struct isakmp_transform *trans -, struct ipsec_trans_attrs *attrs -, pb_stream *prop_pbs -, pb_stream *trans_pbs -, struct_desc *trans_desc -, int previous_transnum /* or -1 if none */ -, bool selection -, bool is_last -, bool is_ipcomp -, struct state *st) /* current state object */ +static bool parse_ipsec_transform(struct isakmp_transform *trans, + struct ipsec_trans_attrs *attrs, + pb_stream *prop_pbs, + pb_stream *trans_pbs, + struct_desc *trans_desc, + int previous_transnum, /* or -1 if none */ + bool selection, bool is_last, bool is_ipcomp, + struct state *st) /* current state object */ { lset_t seen_attrs = 0; lset_t seen_durations = 0; @@ -1344,8 +1341,9 @@ parse_ipsec_transform(struct isakmp_transform *trans const struct dh_desc *pfs_group = NULL; if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs)) + { return FALSE; - + } if (trans->isat_transnum <= previous_transnum) { loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing"); diff --git a/src/pluto/state.c b/src/pluto/state.c index 6ce0d50e5..5bef36c5c 100644 --- a/src/pluto/state.c +++ b/src/pluto/state.c @@ -1,6 +1,7 @@ /* routines for state objects * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the diff --git a/src/pluto/timer.c b/src/pluto/timer.c index ecbee740f..89082f88e 100644 --- a/src/pluto/timer.c +++ b/src/pluto/timer.c @@ -1,6 +1,7 @@ /* timer event handling * Copyright (C) 1997 Angelos D. Keromytis. * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -139,14 +140,21 @@ void event_schedule(enum event_type type, time_t tm, struct state *st) * Generate the secret value for responder cookies, and * schedule an event for refresh. */ -void init_secret(void) +bool init_secret(void) { rng_t *rng; rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG); + + if (rng == NULL) + { + plog("secret initialization failed, no RNG supported"); + return FALSE; + } rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day); rng->destroy(rng); event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL); + return true; } /** diff --git a/src/pluto/timer.h b/src/pluto/timer.h index 322aeba6a..c8e9b727c 100644 --- a/src/pluto/timer.h +++ b/src/pluto/timer.h @@ -31,4 +31,4 @@ extern void delete_event(struct state *st); extern void delete_dpd_event(struct state *st); extern void daily_log_event(void); extern void free_events(void); -extern void init_secret(void); +extern bool init_secret(void); diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c index ff145eb38..a532e50f2 100644 --- a/src/pluto/vendor.c +++ b/src/pluto/vendor.c @@ -197,9 +197,13 @@ static struct vid_struct _vid_tab[] = { /* * strongSwan */ - DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.2") + DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.4") + DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3") + DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2") DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1") DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0") + DEC_MD5_VID(STRONGSWAN_4_2_17,"strongSwan 4.2.17") + DEC_MD5_VID(STRONGSWAN_4_2_16,"strongSwan 4.2.16") DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15") DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14") DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13") @@ -237,6 +241,8 @@ static struct vid_struct _vid_tab[] = { DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1") DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0") + DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11") + DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10") DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9") DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8") DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7") diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h index 164c1aa6d..8aa2f6348 100644 --- a/src/pluto/vendor.h +++ b/src/pluto/vendor.h @@ -92,6 +92,8 @@ enum known_vendorid { VID_STRONGSWAN_2_8_7 = 73, VID_STRONGSWAN_2_8_8 = 74, VID_STRONGSWAN_2_8_9 = 75, + VID_STRONGSWAN_2_8_10 = 76, + VID_STRONGSWAN_2_8_11 = 77, VID_STRONGSWAN_4_0_0 = 80, VID_STRONGSWAN_4_0_1 = 81, @@ -130,8 +132,12 @@ enum known_vendorid { VID_STRONGSWAN_4_2_13 =113, VID_STRONGSWAN_4_2_14 =114, VID_STRONGSWAN_4_2_15 =115, - VID_STRONGSWAN_4_3_0 =116, - VID_STRONGSWAN_4_3_1 =117, + VID_STRONGSWAN_4_2_16 =116, + VID_STRONGSWAN_4_2_17 =117, + VID_STRONGSWAN_4_3_0 =118, + VID_STRONGSWAN_4_3_1 =119, + VID_STRONGSWAN_4_3_2 =120, + VID_STRONGSWAN_4_3_3 =121, /* 101 - 200 : NAT-Traversal */ VID_NATT_STENBERG_01 =151, diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 3919583ef..72cefb3b6 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c index b14e72ecb..87041f114 100644 --- a/src/scepclient/loglite.c +++ b/src/scepclient/loglite.c @@ -68,21 +68,23 @@ static void scepclient_dbg(int level, char *fmt, ...) if (level <= debug_level) { - va_start(args, fmt); - if (log_to_stderr) { if (level > 1) { fprintf(stderr, "| "); } + va_start(args, fmt); vfprintf(stderr, fmt, args); + va_end(args); fprintf(stderr, "\n"); } if (log_to_syslog) { /* write in memory buffer first */ + va_start(args, fmt); vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); /* do a syslog with every line */ while (current) @@ -96,7 +98,6 @@ static void scepclient_dbg(int level, char *fmt, ...) current = next; } } - va_end(args); } } diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index d9bf8e4cc..4b5234da2 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 @@ -149,16 +149,22 @@ Change symmetric algorithm to use for encryption of certificate Request. The default is \fB3des\-cbc\fP. .PP Supported values for \fIalgo\fP: -.IP "\fBdes\-cbc\fP" 12 -DES CBC encryption (key size = 56 bit). -.IP "\fB3des\-cbc\fP" 12 +.IP "\fBdes\fP" 12 +DES-CBC encryption (key size = 56 bit). +.IP "\fB3des\fP" 12 Triple DES-EDE-CBC encryption (key size = 168 bit). -.IP "\fBaes128\-cbc\fP" 12 +.IP "\fBaes128\fP" 12 AES-CBC encryption (key size = 128 bit). -.IP "\fBaes192\-cbc\fP" 12 +.IP "\fBaes192\fP" 12 AES-CBC encryption (key size = 192 bit). -.IP "\fBaes256\-cbc\fP" 12 +.IP "\fBaes256\fP" 12 AES-CBC encryption (key size = 256 bit). +.IP "\fBcamellia128\fP" 12 +Camellia-CBC encryption (key size = 128 bit). +.IP "\fBcamellia192\fP" 12 +Camelllia-CBC encryption (key size = 192 bit). +.IP "\fBcamellia256\fP" 12 +Camellia-CBC encryption (key size = 256 bit). .RE .PP .B \-o, \-\-out \fItype\fP[=\fIfilename\fP] diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index 0e7ae3e40..6c0166d66 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -41,6 +41,8 @@ #include <asn1/oid.h> #include <utils/optionsfrom.h> #include <utils/enumerator.h> +#include <crypto/crypters/crypter.h> +#include <crypto/proposal/proposal_keywords.h> #include <credentials/keys/private_key.h> #include <credentials/keys/public_key.h> @@ -246,9 +248,8 @@ usage(const char *message) " --password (-p) <pw> challenge password\n" " - if pw is '%%prompt', password gets prompted for\n" " --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n" - " <algo> = des-cbc | 3des-cbc (default) | \n" - " aes128-cbc | aes192-cbc | aes256-cbc | \n" - " camellia128-cbc | camellia192-cbc | camellia256-cbc\n" + " <algo> = des | 3des (default) | aes128| aes192 | \n" + " aes256 | camellia128 | camellia192 | camellia256\n" "\n" "Options for enrollment (cert):\n" " --url (-u) <url> url of the SCEP server\n" @@ -385,8 +386,21 @@ int main(int argc, char **argv) scep_response = chunk_empty; log_to_stderr = TRUE; - /* initialize library and optionsfrom */ - library_init(STRONGSWAN_CONF); + /* initialize library */ + if (!library_init(STRONGSWAN_CONF)) + { + library_deinit(); + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "scepclient", argv[0])) + { + fprintf(stderr, "integrity check of scepclient failed\n"); + library_deinit(); + exit(SS_RC_DAEMON_INTEGRITY); + } + + /* initialize optionsfrom */ options = options_create(); for (;;) @@ -698,43 +712,22 @@ int main(int argc, char **argv) continue; case 'a': /*--algorithm */ - if (strcaseeq("des-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_DES_CBC; - } - else if (strcaseeq("3des-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_3DES_EDE_CBC; - } - else if (strcaseeq("aes128-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_AES128_CBC; - } - else if (strcaseeq("aes192-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_AES192_CBC; - } - else if (strcaseeq("aes256-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_AES256_CBC; - } - else if (strcaseeq("camellia128-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_CAMELLIA128_CBC; - } - else if (strcaseeq("camellia192-cbc", optarg)) - { - pkcs7_symmetric_cipher = OID_CAMELLIA192_CBC; - } - else if (strcaseeq("camellia256-cbc", optarg)) + { + const proposal_token_t *token; + + token = proposal_get_token(optarg, strlen(optarg)); + if (token == NULL || token->type != ENCRYPTION_ALGORITHM) { - pkcs7_symmetric_cipher = OID_CAMELLIA256_CBC; + usage("invalid algorithm specified"); } - else + pkcs7_symmetric_cipher = encryption_algorithm_to_oid( + token->algorithm, token->keysize); + if (pkcs7_symmetric_cipher == OID_UNKNOWN) { - usage("invalid encryption algorithm specified"); + usage("unsupported encryption algorithm specified"); } continue; + } #ifdef DEBUG case 'A': /* --debug-all */ base_debugging |= DBG_ALL; diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 439a7785a..3355b3afb 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -20,7 +20,7 @@ AM_CFLAGS = \ -DIPSEC_EAPDIR=\"${eapdir}\" \ -DDEBUG -starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la +starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c @@ -52,14 +52,14 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 4e6bffdeb..a839c20b1 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -55,9 +55,11 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \ lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT) starter_OBJECTS = $(am_starter_OBJECTS) +am__DEPENDENCIES_1 = starter_DEPENDENCIES = defs.o \ $(top_builddir)/src/libfreeswan/libfreeswan.a \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -80,12 +82,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -150,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -190,7 +195,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -241,7 +248,7 @@ INCLUDES = \ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \ -DDEBUG $(am__append_1) $(am__append_2) -starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la +starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf dist_man_MANS = ipsec.conf.5 starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c @@ -653,16 +660,16 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/starter/args.c b/src/starter/args.c index f9d1824d8..990d7588b 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -261,8 +261,7 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_end_t, iface), NULL } }; -static void -free_list(char **list) +static void free_list(char **list) { char **s; @@ -273,22 +272,25 @@ free_list(char **list) free(list); } -char ** -new_list(char *value) +char** new_list(char *value) { char *val, *b, *e, *end, **ret; int count; val = value ? clone_str(value) : NULL; if (!val) + { return NULL; + } end = val + strlen(val); for (b = val, count = 0; b < end;) { for (e = b; ((*e != ' ') && (*e != '\0')); e++); *e = '\0'; if (e != b) + { count++; + } b = e + 1; } if (count == 0) @@ -302,7 +304,9 @@ new_list(char *value) { for (e = b; (*e != '\0'); e++); if (e != b) + { ret[count++] = clone_str(b); + } b = e + 1; } ret[count] = NULL; @@ -314,9 +318,8 @@ new_list(char *value) /* * assigns an argument value to a struct field */ -bool -assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base - , bool *assigned) +bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base, + bool *assigned) { char *p = base + token_info[token].offset; const char **list = token_info[token].list; @@ -435,8 +438,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base /* time in seconds? */ if (*endptr == '\0' || (*endptr == 's' && endptr[1] == '\0')) + { break; - + } if (endptr[1] == '\0') { if (*endptr == 'm') /* time in minutes? */ @@ -475,8 +479,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base /* free any existing list */ if (*listp != NULL) + { free_list(*listp); - + } /* create a new list and assign values */ *listp = new_list(kw->value); @@ -514,8 +519,7 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base /* * frees all dynamically allocated arguments in a struct */ -void -free_args(kw_token_t first, kw_token_t last, char *base) +void free_args(kw_token_t first, kw_token_t last, char *base) { kw_token_t token; @@ -553,8 +557,7 @@ free_args(kw_token_t first, kw_token_t last, char *base) /* * clone all dynamically allocated arguments in a struct */ -void -clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2) +void clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2) { kw_token_t token; @@ -570,22 +573,29 @@ clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2) } } -static bool -cmp_list(char **list1, char **list2) +static bool cmp_list(char **list1, char **list2) { if ((list1 == NULL) && (list2 == NULL)) + { return TRUE; + } if ((list1 == NULL) || (list2 == NULL)) + { return FALSE; + } for ( ; *list1 && *list2; list1++, list2++) { if (strcmp(*list1,*list2) != 0) + { return FALSE; + } } if ((*list1 != NULL) || (*list2 != NULL)) + { return FALSE; + } return TRUE; } @@ -593,8 +603,7 @@ cmp_list(char **list1, char **list2) /* * compare all arguments in a struct */ -bool -cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) +bool cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) { kw_token_t token; @@ -606,12 +615,25 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) switch (token_info[token].type) { case ARG_ENUM: + if (token_info[token].list == LST_bool) + { + bool *b1 = (bool *)p1; + bool *b2 = (bool *)p2; + + if (*b1 != *b2) + { + return FALSE; + } + } + else { int *i1 = (int *)p1; int *i2 = (int *)p2; if (*i1 != *i2) + { return FALSE; + } } break; case ARG_UINT: @@ -620,7 +642,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) u_int *u2 = (u_int *)p2; if (*u1 != *u2) + { return FALSE; + } } break; case ARG_ULNG: @@ -630,7 +654,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) unsigned long *l2 = (unsigned long *)p2; if (*l1 != *l2) + { return FALSE; + } } break; case ARG_TIME: @@ -639,7 +665,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) time_t *t2 = (time_t *)p2; if (*t1 != *t2) + { return FALSE; + } } break; case ARG_STR: @@ -648,9 +676,13 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) char **cp2 = (char **)p2; if (*cp1 == NULL && *cp2 == NULL) + { break; + } if (*cp1 == NULL || *cp2 == NULL || strcmp(*cp1, *cp2) != 0) + { return FALSE; + } } break; case ARG_LST: @@ -659,7 +691,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2) char ***listp2 = (char ***)p2; if (!cmp_list(*listp1, *listp2)) + { return FALSE; + } } break; default: diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c index 034eac317..3fff65be7 100644 --- a/src/starter/interfaces.c +++ b/src/starter/interfaces.c @@ -14,6 +14,10 @@ #include <sys/socket.h> #include <sys/ioctl.h> +#ifdef HAVE_SYS_SOCKIO_H +#include <sys/sockio.h> +#endif + #include <stdlib.h> #include <string.h> #include <unistd.h> diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c index 804467cea..1eb2a0332 100644 --- a/src/starter/invokecharon.c +++ b/src/starter/invokecharon.c @@ -36,18 +36,28 @@ static int _charon_pid = 0; static int _stop_requested; -pid_t -starter_charon_pid(void) +pid_t starter_charon_pid(void) { return _charon_pid; } -void -starter_charon_sigchild(pid_t pid) +void starter_charon_sigchild(pid_t pid, int status) { - if (pid == _charon_pid) + if (pid == _charon_pid) { - _charon_pid = 0; + _charon_pid = 0; + if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY || + status == SS_RC_DAEMON_INTEGRITY) + { + plog("charon has quit: integrity test of %s failed", + (status == 64) ? "libstrongswan" : "charon"); + _stop_requested = 1; + } + else if (status == SS_RC_INITIALIZATION_FAILED) + { + plog("charon has quit: initialization failed"); + _stop_requested = 1; + } if (!_stop_requested) { plog("charon has died -- restart scheduled (%dsec)" @@ -58,8 +68,7 @@ starter_charon_sigchild(pid_t pid) } } -int -starter_stop_charon (void) +int starter_stop_charon (void) { int i; pid_t pid = _charon_pid; @@ -106,8 +115,7 @@ starter_stop_charon (void) } -int -starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) +int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb) { struct stat stb; int pid, i; diff --git a/src/starter/invokecharon.h b/src/starter/invokecharon.h index f0f470a8d..aaf913c9b 100644 --- a/src/starter/invokecharon.h +++ b/src/starter/invokecharon.h @@ -20,7 +20,7 @@ #define CHARON_RESTART_DELAY 5 -extern void starter_charon_sigchild (pid_t pid); +extern void starter_charon_sigchild (pid_t pid, int status); extern pid_t starter_charon_pid (void); extern int starter_stop_charon (void); extern int starter_start_charon(struct starter_config *cfg, bool no_fork, bool attach_gdb); diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c index 28bd93c5d..08fb0657a 100644 --- a/src/starter/invokepluto.c +++ b/src/starter/invokepluto.c @@ -42,11 +42,23 @@ starter_pluto_pid(void) } void -starter_pluto_sigchild(pid_t pid) +starter_pluto_sigchild(pid_t pid, int status) { if (pid == _pluto_pid) { _pluto_pid = 0; + if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY || + status == SS_RC_DAEMON_INTEGRITY) + { + plog("pluto has quit: integrity test of %s failed", + (status == 64) ? "libstrongswan" : "pluto"); + _stop_requested = 1; + } + else if (status == SS_RC_INITIALIZATION_FAILED) + { + plog("pluto has quit: initialization failed"); + _stop_requested = 1; + } if (!_stop_requested) { plog("pluto has died -- restart scheduled (%dsec)" diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h index b0c89b1f1..c87f50c2a 100644 --- a/src/starter/invokepluto.h +++ b/src/starter/invokepluto.h @@ -17,7 +17,7 @@ #define PLUTO_RESTART_DELAY 5 -extern void starter_pluto_sigchild (pid_t pid); +extern void starter_pluto_sigchild (pid_t pid, int status); extern pid_t starter_pluto_pid (void); extern int starter_stop_pluto (void); extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb); diff --git a/src/starter/keywords.h b/src/starter/keywords.h index ae9a6d15f..3a115d15d 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -122,11 +122,16 @@ typedef enum { KW_HOSTACCESS, KW_ALLOWANY, KW_UPDOWN, + KW_AUTH1, + KW_AUTH2, KW_ID, + KW_ID2, KW_RSASIGKEY, KW_CERT, + KW_CERT2, KW_SENDCERT, KW_CA, + KW_CA2, KW_GROUPS, KW_IFACE, diff --git a/src/starter/loglite.c b/src/starter/loglite.c index 415cf931c..c88b33bfd 100644 --- a/src/starter/loglite.c +++ b/src/starter/loglite.c @@ -33,6 +33,10 @@ #include <log.h> #include <whack.h> +#ifndef LOG_AUTHPRIV +#define LOG_AUTHPRIV LOG_AUTH +#endif + bool log_to_stderr = FALSE, /* should log go to stderr? */ log_to_syslog = TRUE; /* should log go to syslog? */ diff --git a/src/starter/starter.c b/src/starter/starter.c index 2d2f452b5..b675ccf1c 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -66,46 +66,66 @@ static unsigned int _action_ = 0; -static void -fsig(int signal) +static void fsig(int signal) { switch (signal) { case SIGCHLD: { - int status; + int status, exit_status = 0; pid_t pid; char *name = NULL; while ((pid = waitpid(-1, &status, WNOHANG)) > 0) { if (pid == starter_pluto_pid()) + { name = " (Pluto)"; + } if (pid == starter_charon_pid()) + { name = " (Charon)"; + } if (WIFSIGNALED(status)) + { DBG(DBG_CONTROL, DBG_log("child %d%s has been killed by sig %d\n", pid, name?name:"", WTERMSIG(status)) ) + } else if (WIFSTOPPED(status)) + { DBG(DBG_CONTROL, DBG_log("child %d%s has been stopped by sig %d\n", pid, name?name:"", WSTOPSIG(status)) ) + } else if (WIFEXITED(status)) + { + exit_status = WEXITSTATUS(status); + if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST) + { + _action_ = FLAG_ACTION_QUIT; + } DBG(DBG_CONTROL, DBG_log("child %d%s has quit (exit code %d)\n", - pid, name?name:"", WEXITSTATUS(status)) + pid, name?name:"", exit_status) ) + } else + { DBG(DBG_CONTROL, DBG_log("child %d%s has quit", pid, name?name:"") ) + } if (pid == starter_pluto_pid()) - starter_pluto_sigchild(pid); + { + starter_pluto_sigchild(pid, exit_status); + } if (pid == starter_charon_pid()) - starter_charon_sigchild(pid); + { + starter_charon_sigchild(pid, exit_status); + } } } break; @@ -196,8 +216,7 @@ static void generate_selfcert() } } -static void -usage(char *name) +static void usage(char *name) { fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] " "[--debug|--debug-more|--debug-all]\n"); @@ -392,9 +411,13 @@ int main (int argc, char **argv) if (_action_ & FLAG_ACTION_QUIT) { if (starter_pluto_pid()) + { starter_stop_pluto(); + } if (starter_charon_pid()) + { starter_stop_charon(); + } starter_netkey_cleanup(); confread_free(cfg); unlink(STARTER_PID_FILE); diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am index afca95fce..363cde717 100644 --- a/src/stroke/Makefile.am +++ b/src/stroke/Makefile.am @@ -1,6 +1,7 @@ ipsec_PROGRAMS = stroke stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h +stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = stroke_keywords.txt BUILT_SOURCES = stroke_keywords.c diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index dde80348e..e2ed28afe 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -46,7 +46,10 @@ ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM) PROGRAMS = $(ipsec_PROGRAMS) am_stroke_OBJECTS = stroke.$(OBJEXT) stroke_keywords.$(OBJEXT) stroke_OBJECTS = $(am_stroke_OBJECTS) -stroke_LDADD = $(LDADD) +am__DEPENDENCIES_1 = +stroke_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(am__DEPENDENCIES_1) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -65,12 +68,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -135,6 +140,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -175,7 +181,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -210,6 +218,7 @@ top_srcdir = @top_srcdir@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h +stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) INCLUDES = -I$(top_srcdir)/src/libstrongswan EXTRA_DIST = stroke_keywords.txt BUILT_SOURCES = stroke_keywords.c diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index 704c88c58..abf285a86 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -25,6 +25,8 @@ #include <sys/types.h> +#include <library.h> + /** * Socket which is used to communicate between charon and stroke */ diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index 7e2be4d1b..88b066379 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -67,12 +67,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -137,6 +139,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -177,7 +180,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/testing/INSTALL b/testing/INSTALL index 87bb787c8..e70edf44f 100644 --- a/testing/INSTALL +++ b/testing/INSTALL @@ -53,22 +53,22 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.29.4.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.30.2.tar.bz2 * The Linux kernel 2.6.29 does not require any patches for the uml guest kernel to successfully start up. * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.29 + http://download.strongswan.org/uml/.config-2.6.30 * A gentoo-based UML file system (compressed size 130 MBytes) found at - http://download.strongswan.org/uml/gentoo-fs-20090325.tar.bz2 + http://download.strongswan.org/uml/gentoo-fs-20090615.tar.bz2 * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.3.2.tar.bz2 + http://download.strongswan.org/strongswan-4.3.4.tar.bz2 3. Creating the environment diff --git a/testing/Makefile.in b/testing/Makefile.in index c242c9d7f..3ace3a55f 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -46,12 +46,14 @@ SOURCES = DIST_SOURCES = DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -116,6 +118,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -156,7 +159,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ diff --git a/testing/testing.conf b/testing/testing.conf index 39bff6805..1a62d7cac 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -19,7 +19,7 @@ UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.30.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.30.2.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` @@ -31,7 +31,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.30 #UMLPATCH=$UMLTESTDIR/aead_init.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.3.2.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.3.4.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -54,7 +54,7 @@ USE_TEST_VECTORS="yes" USE_GCRYPT="yes" # Gentoo linux root filesystem -ROOTFS=$UMLTESTDIR/gentoo-fs-20090325.tar.bz2 +ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2 # Size of the finished root filesystem in MB ROOTFSSIZE=600 diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf index 0840260c3..9536a85be 100644 --- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf index fdfb0003f..80952cb41 100644 --- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 0840260c3..9536a85be 100644 --- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index edb7e40d1..6cf472ed3 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index f4b6dfdb9..b946aa004 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index edb7e40d1..6cf472ed3 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf index 304ef99e0..ac4b8d589 100644 --- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf index f1dcd52e9..263978c99 100644 --- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf index 7133aef00..147e381b1 100644 --- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf @@ -9,6 +9,7 @@ pluto { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/description.txt b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt new file mode 100644 index 000000000..9fe03b010 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively +<b>esp=aes128ccm96-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat new file mode 100644 index 000000000..27a5207a1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::AES_CCM_12_128::YES +carol::ipsec statusall::AES_CCM_12_128::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..f8baa00e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes128-sha256-modp2048! + esp=aes128ccm96-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d4f0c3adc --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes128-sha256-modp2048! + esp=aes128ccm12-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt new file mode 100644 index 000000000..fbcc48022 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt @@ -0,0 +1,3 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CTR_256 / AES_XCBC_96</b> by defining <b>esp=aes256ctr-aesxcbc-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat new file mode 100644 index 000000000..6f1cd4c49 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES +carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES +moon::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..acb4126cf --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256ctr-aesxcbc-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b5baa2b5d --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256ctr-aesxcbc-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt new file mode 100644 index 000000000..bd9521e0d --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively +<b>esp=aes256gcm128-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat new file mode 100644 index 000000000..d7d4666ed --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::AES_GCM_16_256::YES +carol::ipsec statusall::AES_GCM_16_256::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5026e0d9e --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256gcm128-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..5fa07962e --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256gcm16-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf index fe74cc285..9af94a18e 100755 --- a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control crypt" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf index 33871d484..3501319a5 100755 --- a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control crypt" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/net2net-pgp/description.txt b/testing/tests/ikev1/net2net-pgp-v3/description.txt index c85f2e5d0..bd680b57a 100644 --- a/testing/tests/ikev1/net2net-pgp/description.txt +++ b/testing/tests/ikev1/net2net-pgp-v3/description.txt @@ -1,5 +1,5 @@ A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. -The authentication is based on <b>OpenPGP keys</b>. Upon the successful +The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> diff --git a/testing/tests/ikev1/net2net-pgp/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat index 7cbf92687..7cbf92687 100644 --- a/testing/tests/ikev1/net2net-pgp/evaltest.dat +++ b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf index a54482489..a54482489 100755 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc index 135cfaec0..135cfaec0 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc index 32f204b10..32f204b10 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc index 6524773e0..6524773e0 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets index afb1ff927..afb1ff927 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf index 419adc2f2..419adc2f2 100755 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc index 135cfaec0..135cfaec0 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc index 32f204b10..32f204b10 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc index de2393649..de2393649 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets index ee98b1611..ee98b1611 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets diff --git a/testing/tests/ikev1/net2net-pgp/posttest.dat b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat index fafcde975..fafcde975 100644 --- a/testing/tests/ikev1/net2net-pgp/posttest.dat +++ b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat diff --git a/testing/tests/ikev1/net2net-pgp/pretest.dat b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat index 9e40684ab..9e40684ab 100644 --- a/testing/tests/ikev1/net2net-pgp/pretest.dat +++ b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat diff --git a/testing/tests/ikev1/net2net-pgp/test.conf b/testing/tests/ikev1/net2net-pgp-v3/test.conf index f74d0f7d6..f74d0f7d6 100644 --- a/testing/tests/ikev1/net2net-pgp/test.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/test.conf diff --git a/testing/tests/ikev1/net2net-pgp-v4/description.txt b/testing/tests/ikev1/net2net-pgp-v4/description.txt new file mode 100644 index 000000000..c82eec9ba --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a54482489 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.asc + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightcert=sunCert.asc + auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..a512f8f52 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf +UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A +nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd +6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ +I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f +JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh +bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA +CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K +N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K +1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y +D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk +/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv +1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK +CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc +ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt +21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX +mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb +G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D +spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz +=j2hu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..5117cbb04 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB +QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM +/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV +CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP +B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN +4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu +Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK +CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g +0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0 +eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D +RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG +6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j +vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ +EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg +Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t +mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m +t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT +gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf +lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o= +=tAh4 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc new file mode 100644 index 000000000..59de821d6 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc @@ -0,0 +1,32 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf +UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A +nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd +6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ +I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f +JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx +nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/ +Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX +BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK +BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN +S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI +MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O +GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8 +mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi +RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey +iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv +vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC +AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3 +Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o +Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC +GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL +ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94 +N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk +mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS +26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs +AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O +MzxgEWTtyNTtGw== +=Vb4y +-----END PGP PRIVATE KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..afb1ff927 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.asc diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..419adc2f2 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftcert=sunCert.asc + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=moonCert.asc + auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..a512f8f52 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf +UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A +nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd +6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ +I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f +JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh +bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA +CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K +N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K +1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y +D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk +/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv +1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK +CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc +ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt +21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX +mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb +G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D +spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz +=j2hu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..5117cbb04 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB +QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM +/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV +CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP +B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN +4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu +Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK +CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g +0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0 +eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D +RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG +6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j +vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ +EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg +Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t +mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m +t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT +gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf +lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o= +=tAh4 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc new file mode 100644 index 000000000..68899ae37 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc @@ -0,0 +1,32 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB +QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM +/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV +CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP +B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN +4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt +Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh +9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn +VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN +P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw +bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV +5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy +0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR +mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H +1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB +P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt +EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd +B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr +GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv +JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb +AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs +QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY +6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa +WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR +jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV +aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr +J0tAsvODgc8b +=QOF4 +-----END PGP PRIVATE KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..ee98b1611 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.asc diff --git a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat new file mode 100644 index 000000000..fafcde975 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +sun::rm /etc/ipsec.d/certs/* +sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-pgp-v4/test.conf b/testing/tests/ikev1/net2net-pgp-v4/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf index 304ef99e0..ac4b8d589 100644 --- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 304ef99e0..ac4b8d589 100644 --- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt new file mode 100644 index 000000000..6443a348f --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt @@ -0,0 +1,3 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CTR_128 / AES_XCBC_96</b> by defining <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat new file mode 100644 index 000000000..d5260da68 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES +carol::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES +moon::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..02ca66b75 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-aesxcbc-modp2048! + esp=aes128ctr-aesxcbc-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..1c19714b9 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-aesxcbc-modp2048! + esp=aes128ctr-aesxcbc-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ip-split-pools-db/description.txt b/testing/tests/ikev2/ip-split-pools-db/description.txt new file mode 100644 index 000000000..0c11c7eed --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon assigns virtual IP addresses from two disjoint pools named +<b>pool0</b> comprising the single address <b>10.3.0.1</b> and <b>pool1</b> comprising the +single address <b>10.3.1.1</b> predefined in the SQL database. diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat new file mode 100644 index 000000000..8fd47dc34 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat @@ -0,0 +1,15 @@ +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::ipsec status::home.*INSTALLED::YES +dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES +dave::ipsec status::home.*INSTALLED::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES +moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES +moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES +moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES +moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a19f6cfae --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..1a89f4e5d --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..c0f9756e4 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=%pool0,pool1 + auto=add diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..b77ff97fb --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql updown +} + +pool { + load = sqlite +} diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat new file mode 100644 index 000000000..32b445090 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::ipsec pool --del pool0 2> /dev/null +moon::ipsec pool --del pool1 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat new file mode 100644 index 000000000..5691f0f0d --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat @@ -0,0 +1,12 @@ +moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null +moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null +moon::ipsec pool --status 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index de122acff..da8d70ed7 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index de122acff..da8d70ed7 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index de122acff..da8d70ed7 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf index e2a83185b..ef1b92f3c 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf index 2ba85bb98..825f6fee8 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 28d9ab3ba..a3ad70a45 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt new file mode 100644 index 000000000..b3515c333 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 / +HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as +the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> +in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat new file mode 100644 index 000000000..aad3becc7 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ip xfrm state::enc cbc(camellia)::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..37f8a7ecf --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c110dd516 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f8d7e3fe9 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c110dd516 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat new file mode 100644 index 000000000..3c3df0196 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf index 7ffdcc204..eb0ba532d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index 7ffdcc204..eb0ba532d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 195bcf046..4e8a1219d 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index f4b6dfdb9..b946aa004 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 166e24e7c..ebecace94 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf index 2f3bc449a..8ee0ad955 100644 --- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf index 2f3bc449a..8ee0ad955 100644 --- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf index 2f3bc449a..8ee0ad955 100644 --- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/sql/ip-split-pools-db-restart/description.txt b/testing/tests/sql/ip-split-pools-db-restart/description.txt new file mode 100644 index 000000000..7005c810d --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> restart a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon reassigns the static and reserved virtual IP addresses +from two disjoint pools named <b>pool0</b> and <b>pool1</b> predefined in the SQL database. + diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat new file mode 100644 index 000000000..6c912eb47 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat @@ -0,0 +1,14 @@ +dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES +dave::ipsec status::home.*INSTALLED::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::ipsec status::home.*INSTALLED::YES +moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES +moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES +moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*1 .*1 ::YES +moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES +moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ca813d44f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5233806c7 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..2170e41af --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,204 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'rw', 1, 3, 5, 'pool0,pool1' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + +/* Pools */ + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool0', X'0a030001', X'0a030002', 0 +); + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool1', X'0a030101', X'0a030102', 0 +); + +INSERT INTO addresses ( + pool, address, identity, acquired, released +) VALUES ( + 1, X'0a030001', 6, 1247817255, 1247817277 +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 1, X'0a030002' +); + +INSERT INTO addresses ( + pool, address, identity, acquired, released +) VALUES ( + 2, X'0a030101', 7, 1247817257, 1247817278 +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 2, X'0a030102' +); + +INSERT INTO leases ( + address, identity, acquired, released +) VALUES ( + 1, 6, 1247817255, 1247817277 +); + +INSERT INTO leases ( + address, identity, acquired, released +) VALUES ( + 3, 7, 1247817257, 1247817278 +); + + + diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a747a6cb1 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} + +pool { + load = sqlite +} diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat new file mode 100644 index 000000000..5ff7b9d47 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat new file mode 100644 index 000000000..8b30de8c4 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --status 2> /dev/null +moon::ipsec pool --leases 2> /dev/null +moon::ipsec start +dave::ipsec start +carol::ipsec start +dave::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/ip-split-pools-db/description.txt b/testing/tests/sql/ip-split-pools-db/description.txt new file mode 100644 index 000000000..0c11c7eed --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon assigns virtual IP addresses from two disjoint pools named +<b>pool0</b> comprising the single address <b>10.3.0.1</b> and <b>pool1</b> comprising the +single address <b>10.3.1.1</b> predefined in the SQL database. diff --git a/testing/tests/sql/ip-split-pools-db/evaltest.dat b/testing/tests/sql/ip-split-pools-db/evaltest.dat new file mode 100644 index 000000000..f358b62c8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/evaltest.dat @@ -0,0 +1,15 @@ +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::ipsec status::home.*INSTALLED::YES +dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES +dave::ipsec status::home.*INSTALLED::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES +moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES +moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*1 .*1 ::YES +moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES +moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ca813d44f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5233806c7 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..51704fc98 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,166 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'rw', 1, 3, 5, 'pool0,pool1' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + +/* Pools */ + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool0', X'0a030001', X'0a030001', 0 +); + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool1', X'0a030101', X'0a030101', 0 +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 1, X'0a030001' +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 2, X'0a030101' +); + diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a747a6cb1 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} + +pool { + load = sqlite +} diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat new file mode 100644 index 000000000..5ff7b9d47 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat new file mode 100644 index 000000000..e1dcb9d51 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/pretest.dat @@ -0,0 +1,17 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --status 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 329498d28..afbc20ab0 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -10,6 +10,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 329498d28..afbc20ab0 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -10,6 +10,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 329498d28..afbc20ab0 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -10,6 +10,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } |