diff options
| author | Yves-Alexis Perez <corsac@corsac.net> | 2018-02-19 18:17:21 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@corsac.net> | 2018-02-19 18:17:21 +0100 |
| commit | 7793611ee71b576dd9c66dee327349fa64e38740 (patch) | |
| tree | f1379ec1aed52a3c772874d4ed690b90975b9623 | |
| parent | e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (diff) | |
| download | vyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.tar.gz vyos-strongswan-7793611ee71b576dd9c66dee327349fa64e38740.zip | |
New upstream version 5.6.2
265 files changed, 11140 insertions, 1312 deletions
diff --git a/Android.common.mk b/Android.common.mk index 19d654e0c..1d3068c14 100644 --- a/Android.common.mk +++ b/Android.common.mk @@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \ ) # strongSwan version, replaced by top Makefile -strongswan_VERSION := "5.6.1" +strongswan_VERSION := "5.6.2" @@ -1,3 +1,54 @@ +strongswan-5.6.2 +---------------- + +- Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS signatures that + was caused by insufficient input validation. One of the configurable + parameters in algorithm identifier structures for RSASSA-PSS signatures is the + mask generation function (MGF). Only MGF1 is currently specified for this + purpose. However, this in turn takes itself a parameter that specifies the + underlying hash function. strongSwan's parser did not correctly handle the + case of this parameter being absent, causing an undefined data read. + This vulnerability has been registered as CVE-2018-6459. + +- The previously negotiated DH group is reused when rekeying an SA, instead of + using the first group in the configured proposals, which avoids an additional + exchange if the peer selected a different group via INVALID_KE_PAYLOAD when + the SA was created initially. + The selected DH group is also moved to the front of all sent proposals that + contain it and all proposals that don't are moved to the back in order to + convey the preference for this group to the peer. + +- Handling of MOBIKE task queuing has been improved. In particular, the response + to an address update is not ignored anymore if only an address list update or + DPD is queued. + +- The fallback drop policies installed to avoid traffic leaks when replacing + addresses in installed policies are now replaced by temporary drop policies, + which also prevent acquires because we currently delete and reinstall IPsec + SAs to update their addresses. + +- Access X.509 certificates held in non-volatile storage of a TPM 2.0 + referenced via the NV index. + +- Adding the --keyid parameter to pki --print allows to print private keys + or certificates stored in a smartcard or a TPM 2.0. + +- Fixed proposal selection if a peer incorrectly sends DH groups in the ESP + proposals during IKE_AUTH and also if a DH group is configured in the local + ESP proposal and charon.prefer_configured_proposals is disabled. + +- MSKs received via RADIUS are now padded to 64 bytes to avoid compatibility + issues with EAP-MSCHAPv2 and PRFs that have a block size < 64 bytes (e.g. + AES-XCBC-PRF-128). + +- The tpm_extendpcr command line tool extends a digest into a TPM PCR. + +- Ported the NetworkManager backend from the deprecated libnm-glib to libnm. + +- The save-keys debugging/development plugin saves IKE and/or ESP keys to files + compatible with Wireshark. + + strongswan-5.6.1 ---------------- @@ -1370,7 +1421,7 @@ strongswan-4.4.1 - The openssl plugin now supports X.509 certificate and CRL functions. - OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled - by default. Plase update manual load directives in strongswan.conf. + by default. Please update manual load directives in strongswan.conf. - RFC3779 ipAddrBlock constraint checking has been moved to the addrblock plugin, disabled by default. Enable it and update manual load directives @@ -1832,7 +1883,7 @@ strongswan-4.2.8 - Several MOBIKE improvements: Detect changes in NAT mappings in DPD exchanges, handle events if kernel detects NAT mapping changes in UDP-encapsulated - ESP packets (requires kernel patch), reuse old addesses in MOBIKE updates as + ESP packets (requires kernel patch), reuse old addresses in MOBIKE updates as long as possible and other fixes. - Fixed a bug in addr_in_subnet() which caused insertion of wrong source @@ -2111,7 +2162,7 @@ strongswan-4.1.7 - In NAT traversal situations and multiple queued Quick Modes, those pending connections inserted by auto=start after the - port floating from 500 to 4500 were erronously deleted. + port floating from 500 to 4500 were erroneously deleted. - Added a "forceencaps" connection parameter to enforce UDP encapsulation to surmount restrictive firewalls. NAT detection payloads are faked to @@ -2705,7 +2756,7 @@ strongswan-2.6.0 strongswan-2.5.7 ---------------- -- CA certicates are now automatically loaded from a smartcard +- CA certificates are now automatically loaded from a smartcard or USB crypto token and appear in the ipsec auto --listcacerts listing. @@ -2818,7 +2869,7 @@ strongswan-2.5.1 - Under the native IPsec of the Linux 2.6 kernel, a %trap eroute installed either by setting auto=route in ipsec.conf or by a connection put into hold, generates an XFRM_AQUIRE event - for each packet that wants to use the not-yet exisiting + for each packet that wants to use the not-yet existing tunnel. Up to now each XFRM_AQUIRE event led to an entry in the Quick Mode queue, causing multiple IPsec SA to be established in rapid succession. Starting with strongswan-2.5.1 @@ -36,7 +36,7 @@ Configuration on gateway _moon_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/moonCert.pem - /etc/swanctl/priv/moonKey.pem + /etc/swanctl/private/moonKey.pem /etc/swanctl/swanctl.conf: @@ -66,7 +66,7 @@ Configuration on gateway _sun_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/sunCert.pem - /etc/swanctl/priv/sunKey.pem + /etc/swanctl/private/sunKey.pem /etc/swanctl/swanctl.conf: @@ -120,7 +120,7 @@ connections we will use the default IPsec tunnel mode. /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/moonCert.pem - /etc/swanctl/priv/moonKey.pem + /etc/swanctl/private/moonKey.pem /etc/swanctl/swanctl.conf: @@ -148,7 +148,7 @@ Configuration on host _sun_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/sunCert.pem - /etc/swanctl/priv/sunKey.pem + /etc/swanctl/private/sunKey.pem /etc/swanctl/swanctl.conf: @@ -185,7 +185,7 @@ Configuration on gateway _moon_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/moonCert.pem - /etc/swanctl/priv/moonKey.pem + /etc/swanctl/private/moonKey.pem /etc/swanctl/swanctl.conf: @@ -211,7 +211,7 @@ Configuration on roadwarrior _carol_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/carolCert.pem - /etc/swanctl/priv/carolKey.pem + /etc/swanctl/private/carolKey.pem /etc/swanctl/swanctl.conf: @@ -277,7 +277,7 @@ Configuration on gateway _moon_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/moonCert.pem - /etc/swanctl/rsa/moonKey.pem + /etc/swanctl/private/moonKey.pem /etc/swanctl/swanctl.conf: @@ -311,7 +311,7 @@ Configuration on roadwarrior _carol_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/carolCert.pem - /etc/swanctl/priv/carolKey.pem + /etc/swanctl/private/carolKey.pem /etc/swanctl/swanctl.conf: @@ -352,7 +352,7 @@ Configuration on gateway _moon_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/moonCert.pem - /etc/swanctl/priv/moonKey.pem + /etc/swanctl/private/moonKey.pem /etc/swanctl/swanctl.conf: @@ -437,7 +437,7 @@ Configuration on gateway _moon_: /etc/swanctl/x509ca/strongswanCert.pem /etc/swanctl/x509/moonCert.pem - /etc/swanctl/priv/moonKey.pem + /etc/swanctl/private/moonKey.pem /etc/swanctl/swanctl.conf: @@ -571,7 +571,7 @@ In a next step the command pki --req --type priv --in moonKey.pem \ --dn "C=CH, O=strongswan, CN=moon.strongswan.org \ - --san moon.strongswan.org -- outform pem > moonReq.pem + --san moon.strongswan.org --outform pem > moonReq.pem creates a PKCS#10 certificate request that has to be signed by the CA. Through the [multiple] use of the `--san` parameter any number of desired diff --git a/conf/Makefile.am b/conf/Makefile.am index 38181db2c..eb662c2e0 100644 --- a/conf/Makefile.am +++ b/conf/Makefile.am @@ -87,6 +87,7 @@ plugins = \ plugins/random.opt \ plugins/resolve.opt \ plugins/revocation.opt \ + plugins/save-keys.opt \ plugins/socket-default.opt \ plugins/sql.opt \ plugins/stroke.opt \ diff --git a/conf/Makefile.in b/conf/Makefile.in index c2cb213f7..e83d3b98f 100644 --- a/conf/Makefile.in +++ b/conf/Makefile.in @@ -493,6 +493,7 @@ plugins = \ plugins/random.opt \ plugins/resolve.opt \ plugins/revocation.opt \ + plugins/save-keys.opt \ plugins/socket-default.opt \ plugins/sql.opt \ plugins/stroke.opt \ diff --git a/conf/options/charon.conf b/conf/options/charon.conf index cef9fe36c..93dff172d 100644 --- a/conf/options/charon.conf +++ b/conf/options/charon.conf @@ -7,9 +7,9 @@ charon { # Maximum number of half-open IKE_SAs for a single peer IP. # block_threshold = 5 - # Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should - # be saved under a unique file name derived from the public key of the - # Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or # /etc/swanctl/x509crl (vici), respectively. # cache_crls = no diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 161ebb724..fcde5f0b5 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -31,7 +31,7 @@ charon.cert_cache = yes memory. charon.cache_crls = no - Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should + Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or **/etc/swanctl/x509crl** (vici), respectively. diff --git a/conf/plugins/ha.opt b/conf/plugins/ha.opt index 77d5b7888..c821a880b 100644 --- a/conf/plugins/ha.opt +++ b/conf/plugins/ha.opt @@ -2,6 +2,13 @@ charon.plugins.ha.autobalance = 0 Interval in seconds to automatically balance handled segments between nodes. Set to 0 to disable. +charon.plugin.ha.buflen = 2048 + Buffer size for received HA messages. + + Buffer size for received HA messages. For IKEv1 the public DH factors are + also transmitted so depending on the DH group the HA messages can get quite + big (the default should be fine up to _modp4096_). + charon.plugins.ha.fifo_interface = yes charon.plugins.ha.heartbeat_delay = 1000 diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt index 4f559f2b9..6c1da5e89 100644 --- a/conf/plugins/imc-os.opt +++ b/conf/plugins/imc-os.opt @@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id = Manually set the client device ID in hexadecimal format (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31) +libimcv.plugins.imc-os.device_handle = + Manually set handle to a private key bound to a smartcard or TPM + (e.g. 0x81010004) + libimcv.plugins.imc-os.device_pubkey = Manually set the path to the client device public key (e.g. /etc/pts/aikPub.der) diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf index 22d94ee38..9827b2282 100644 --- a/conf/plugins/kernel-netlink.conf +++ b/conf/plugins/kernel-netlink.conf @@ -35,6 +35,9 @@ kernel-netlink { # Whether to use port or socket based IKE XFRM bypass policies. # port_bypass = no + # Whether to process changes in routing rules to trigger roam events. + # process_rules = no + # Maximum Netlink socket receive buffer in bytes. # receive_buffer_size = 0 diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt index 3d9c4a7a9..0e368ca1e 100644 --- a/conf/plugins/kernel-netlink.opt +++ b/conf/plugins/kernel-netlink.opt @@ -7,7 +7,7 @@ charon.plugins.kernel-netlink.force_receive_buffer_size = no If the maximum Netlink socket receive buffer in bytes set by _receive_buffer_size_ exceeds the system-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to override the limit. - Enabling this option requires special priviliges (CAP_NET_ADMIN). + Enabling this option requires special privileges (CAP_NET_ADMIN). charon.plugins.kernel-netlink.fwmark = Firewall mark to set on the routing rule that directs traffic to our routing @@ -47,6 +47,13 @@ charon.plugins.kernel-netlink.port_bypass = no port based policies use global XFRM bypass policies for the used IKE UDP ports. +charon.plugins.kernel-netlink.process_rules = no + Whether to process changes in routing rules to trigger roam events. + + Whether to process changes in routing rules to trigger roam events. This is + currently only useful if the kernel based route lookup is used (i.e. if + route installation is disabled or an inverted fwmark match is configured). + charon.plugins.kernel-netlink.receive_buffer_size = 0 Maximum Netlink socket receive buffer in bytes. diff --git a/conf/plugins/save-keys.conf b/conf/plugins/save-keys.conf new file mode 100644 index 000000000..c38cdcf69 --- /dev/null +++ b/conf/plugins/save-keys.conf @@ -0,0 +1,16 @@ +save-keys { + + # Whether to save ESP keys. + # esp = no + + # Whether to save IKE keys. + # ike = no + + # Whether to load the plugin. + load = no + + # Directory where the keys are stored in the format supported by Wireshark + # wireshark_keys = + +} + diff --git a/conf/plugins/save-keys.opt b/conf/plugins/save-keys.opt new file mode 100644 index 000000000..22a766a6f --- /dev/null +++ b/conf/plugins/save-keys.opt @@ -0,0 +1,16 @@ +charon.plugins.save-keys.load := no + Whether to load the plugin. + +charon.plugins.save-keys.esp = no + Whether to save ESP keys. + +charon.plugins.save-keys.ike = no + Whether to save IKE keys. + +charon.plugins.save-keys.wireshark_keys + Directory where the keys are stored in the format supported by Wireshark + + Directory where the keys are stored in the format supported by Wireshark. + IKEv1 keys are stored in the _ikev1_decryption_table_ file. + IKEv2 keys are stored in the _ikev2_decryption_table_ file. + Keys for ESP CHILD_SAs are stored in the _esp_sa_ file. diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main index b54f3e492..977403e91 100644 --- a/conf/strongswan.conf.5.main +++ b/conf/strongswan.conf.5.main @@ -51,7 +51,7 @@ Maximum number of half\-open IKE_SAs for a single peer IP. .TP .BR charon.cache_crls " [no]" -Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should be +Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP should be saved under a unique file name derived from the public key of the Certification Authority (CA) to .RB "" "/etc/ipsec.d/crls" "" @@ -406,6 +406,14 @@ WINS servers assigned to peer via configuration payload (CP). WINS servers assigned to peer via configuration payload (CP). .TP +.BR charon.plugin.ha.buflen " [2048]" +Buffer size for received HA messages. For IKEv1 the public DH factors are also +transmitted so depending on the DH group the HA messages can get quite big (the +default should be fine up to +.RI "" "modp4096" ")." + + +.TP .BR charon.plugins.addrblock.strict " [yes]" If set to yes, a subject certificate without an addrblock extension is rejected if the issuer certificate has such an addrblock extension. If set to no, subject @@ -973,7 +981,7 @@ If the maximum Netlink socket receive buffer in bytes set by .RI "" "receive_buffer_size" "" exceeds the system\-wide maximum from /proc/sys/net/core/rmem_max, this option can be used to override the limit. -Enabling this option requires special priviliges (CAP_NET_ADMIN). +Enabling this option requires special privileges (CAP_NET_ADMIN). .TP .BR charon.plugins.kernel-netlink.fwmark " []" @@ -1016,6 +1024,12 @@ based policies are directly tied to the IKE UDP sockets, port based policies use global XFRM bypass policies for the used IKE UDP ports. .TP +.BR charon.plugins.kernel-netlink.process_rules " [no]" +Whether to process changes in routing rules to trigger roam events. This is +currently only useful if the kernel based route lookup is used (i.e. if route +installation is disabled or an inverted fwmark match is configured). + +.TP .BR charon.plugins.kernel-netlink.receive_buffer_size " [0]" Maximum Netlink socket receive buffer in bytes. This value controls how many bytes of Netlink messages can be received on a Netlink socket. The default value @@ -1417,6 +1431,30 @@ Whether CRL validation should be enabled. Whether OCSP validation should be enabled. .TP +.BR charon.plugins.save-keys.esp " [no]" +Whether to save ESP keys. + +.TP +.BR charon.plugins.save-keys.ike " [no]" +Whether to save IKE keys. + +.TP +.BR charon.plugins.save-keys.load " [no]" +Whether to load the plugin. + +.TP +.BR charon.plugins.save-keys.wireshark_keys " []" +Directory where the keys are stored in the format supported by Wireshark. IKEv1 +keys are stored in the +.RI "" "ikev1_decryption_table" "" +file. IKEv2 keys are stored in +the +.RI "" "ikev2_decryption_table" "" +file. Keys for ESP CHILD_SAs are stored in the +.RI "" "esp_sa" "" +file. + +.TP .BR charon.plugins.socket-default.fwmark " []" Firewall mark to set on outbound packets. @@ -2121,6 +2159,11 @@ Manually set the path to the client device certificate (e.g. /etc/pts/aikCert.der) .TP +.BR libimcv.plugins.imc-os.device_handle " []" +Manually set handle to a private key bound to a smartcard or TPM (e.g. +0x81010004) + +.TP .BR libimcv.plugins.imc-os.device_id " []" Manually set the client device ID in hexadecimal format (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31) @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for strongSwan 5.6.1. +# Generated by GNU Autoconf 2.69 for strongSwan 5.6.2. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='5.6.1' -PACKAGE_STRING='strongSwan 5.6.1' +PACKAGE_VERSION='5.6.2' +PACKAGE_STRING='strongSwan 5.6.2' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -767,6 +767,8 @@ USE_SOCKET_DYNAMIC_FALSE USE_SOCKET_DYNAMIC_TRUE USE_SOCKET_DEFAULT_FALSE USE_SOCKET_DEFAULT_TRUE +USE_SAVE_KEYS_FALSE +USE_SAVE_KEYS_TRUE USE_IMV_HCD_FALSE USE_IMV_HCD_TRUE USE_IMC_HCD_FALSE @@ -1461,6 +1463,7 @@ enable_led enable_load_tester enable_lookip enable_radattr +enable_save_keys enable_systime_fix enable_test_vectors enable_updown @@ -2108,7 +2111,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 5.6.1 to adapt to many kinds of systems. +\`configure' configures strongSwan 5.6.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -2179,7 +2182,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 5.6.1:";; + short | recursive ) echo "Configuration of strongSwan 5.6.2:";; esac cat <<\_ACEOF @@ -2372,6 +2375,8 @@ Optional Features: plugin. --enable-radattr enable plugin to inject and process custom RADIUS attributes as IKEv2 client. + --enable-save-keys enable development/debugging plugin that saves IKE + and ESP keys in Wireshark format. --enable-systime-fix enable plugin to handle cert lifetimes with invalid system time gracefully. --enable-test-vectors enable plugin providing crypto test vectors. @@ -2659,7 +2664,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 5.6.1 +strongSwan configure 5.6.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -3181,7 +3186,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 5.6.1, which was +It was created by strongSwan $as_me 5.6.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4044,7 +4049,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='5.6.1' + VERSION='5.6.2' cat >>confdefs.h <<_ACEOF @@ -7211,6 +7216,22 @@ fi disabled_by_default=${disabled_by_default}" radattr" +# Check whether --enable-save-keys was given. +if test "${enable_save_keys+set}" = set; then : + enableval=$enable_save_keys; save_keys_given=true + if test x$enableval = xyes; then + save_keys=true + else + save_keys=false + fi +else + save_keys=false + save_keys_given=false + +fi + + disabled_by_default=${disabled_by_default}" save_keys" + # Check whether --enable-systime-fix was given. if test "${enable_systime_fix+set}" = set; then : enableval=$enable_systime_fix; systime_fix_given=true @@ -22414,104 +22435,6 @@ fi fi if test x$nm = xtrue; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnm-glib\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libnm-glib") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - -pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5 -$as_echo_n "checking for nm... " >&6; } - -if test -n "$nm_CFLAGS"; then - pkg_cv_nm_CFLAGS="$nm_CFLAGS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn\""; } >&5 - ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi -if test -n "$nm_LIBS"; then - pkg_cv_nm_LIBS="$nm_LIBS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn\""; } >&5 - ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi - - - -if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - -if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then - _pkg_short_errors_supported=yes -else - _pkg_short_errors_supported=no -fi - if test $_pkg_short_errors_supported = yes; then - nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1` - else - nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn" 2>&1` - fi - # Put the nasty error message in config.log where it belongs - echo "$nm_PKG_ERRORS" >&5 - - as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn) were not met: - -$nm_PKG_ERRORS - -Consider adjusting the PKG_CONFIG_PATH environment variable if you -installed software in a non-standard prefix. - -Alternatively, you may set the environment variables nm_CFLAGS -and nm_LIBS to avoid the need to call pkg-config. -See the pkg-config man page for more details." "$LINENO" 5 -elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it -is in your PATH or set the PKG_CONFIG environment variable to the full -path to pkg-config. - -Alternatively, you may set the environment variables nm_CFLAGS -and nm_LIBS to avoid the need to call pkg-config. -See the pkg-config man page for more details. - -To get pkg-config, see <http://pkg-config.freedesktop.org/>. -See \`config.log' for more details" "$LINENO" 5; } -else - nm_CFLAGS=$pkg_cv_nm_CFLAGS - nm_LIBS=$pkg_cv_nm_LIBS - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - -fi -else pkg_failed=no { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nm" >&5 @@ -22521,12 +22444,12 @@ if test -n "$nm_CFLAGS"; then pkg_cv_nm_CFLAGS="$nm_CFLAGS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn\""; } >&5 - ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gthread-2.0 libnm\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gthread-2.0 libnm") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null` + pkg_cv_nm_CFLAGS=`$PKG_CONFIG --cflags "gthread-2.0 libnm" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -22538,12 +22461,12 @@ if test -n "$nm_LIBS"; then pkg_cv_nm_LIBS="$nm_LIBS" elif test -n "$PKG_CONFIG"; then if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn\""; } >&5 - ($PKG_CONFIG --exists --print-errors "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn") 2>&5 + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gthread-2.0 libnm\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gthread-2.0 libnm") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then - pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>/dev/null` + pkg_cv_nm_LIBS=`$PKG_CONFIG --libs "gthread-2.0 libnm" 2>/dev/null` test "x$?" != "x0" && pkg_failed=yes else pkg_failed=yes @@ -22564,14 +22487,14 @@ else _pkg_short_errors_supported=no fi if test $_pkg_short_errors_supported = yes; then - nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1` + nm_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "gthread-2.0 libnm" 2>&1` else - nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn" 2>&1` + nm_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "gthread-2.0 libnm" 2>&1` fi # Put the nasty error message in config.log where it belongs echo "$nm_PKG_ERRORS" >&5 - as_fn_error $? "Package requirements (NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn) were not met: + as_fn_error $? "Package requirements (gthread-2.0 libnm) were not met: $nm_PKG_ERRORS @@ -22604,8 +22527,6 @@ $as_echo "yes" >&6; } fi -fi - fi @@ -24101,6 +24022,11 @@ if test x$resolve = xtrue; then fi +if test x$save_keys = xtrue; then + c_plugins=${c_plugins}" save-keys" + + fi + if test x$socket_default = xtrue; then c_plugins=${c_plugins}" socket-default" charon_plugins=${charon_plugins}" socket-default" @@ -25622,6 +25548,14 @@ else USE_IMV_HCD_FALSE= fi + if test x$save_keys = xtrue; then + USE_SAVE_KEYS_TRUE= + USE_SAVE_KEYS_FALSE='#' +else + USE_SAVE_KEYS_TRUE='#' + USE_SAVE_KEYS_FALSE= +fi + if test x$socket_default = xtrue; then USE_SOCKET_DEFAULT_TRUE= USE_SOCKET_DEFAULT_FALSE='#' @@ -26267,7 +26201,7 @@ fi # build Makefiles # ================= -ac_config_files="$ac_config_files Makefile conf/Makefile fuzz/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/mgf1/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/curve25519/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/newhope/Makefile src/libstrongswan/plugins/newhope/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_swima/Makefile src/libimcv/plugins/imv_swima/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/counters/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/p_cscf/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/perl/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/libtpmtss/Makefile src/libtpmtss/plugins/tpm/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile src/sec-updater/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile conf/Makefile fuzz/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/sha3/Makefile src/libstrongswan/plugins/mgf1/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/curve25519/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/aesni/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/chapoly/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/newhope/Makefile src/libstrongswan/plugins/newhope/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libipsec/Makefile src/libipsec/tests/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/libimcv/plugins/imc_swima/Makefile src/libimcv/plugins/imv_swima/Makefile src/libimcv/plugins/imc_hcd/Makefile src/libimcv/plugins/imv_hcd/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/save_keys/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/bypass_lan/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/counters/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/p_cscf/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/perl/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/libtpmtss/Makefile src/libtpmtss/plugins/tpm/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/tpm_extendpcr/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/sw-collector/Makefile src/sec-updater/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile" # ================= @@ -26979,6 +26913,10 @@ if test -z "${USE_IMV_HCD_TRUE}" && test -z "${USE_IMV_HCD_FALSE}"; then as_fn_error $? "conditional \"USE_IMV_HCD\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_SAVE_KEYS_TRUE}" && test -z "${USE_SAVE_KEYS_FALSE}"; then + as_fn_error $? "conditional \"USE_SAVE_KEYS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -27644,7 +27582,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 5.6.1, which was +This file was extended by strongSwan $as_me 5.6.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27710,7 +27648,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 5.6.1 +strongSwan config.status 5.6.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -28258,6 +28196,7 @@ do "src/libcharon/plugins/xauth_noauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/xauth_noauth/Makefile" ;; "src/libcharon/plugins/tnc_ifmap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_ifmap/Makefile" ;; "src/libcharon/plugins/tnc_pdp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_pdp/Makefile" ;; + "src/libcharon/plugins/save_keys/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/save_keys/Makefile" ;; "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;; "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;; "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;; @@ -28318,6 +28257,7 @@ do "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;; "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;; "src/aikgen/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikgen/Makefile" ;; + "src/tpm_extendpcr/Makefile") CONFIG_FILES="$CONFIG_FILES src/tpm_extendpcr/Makefile" ;; "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;; "src/pki/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/man/Makefile" ;; "src/pool/Makefile") CONFIG_FILES="$CONFIG_FILES src/pool/Makefile" ;; diff --git a/configure.ac b/configure.ac index 6effecce3..ae04fc87c 100644 --- a/configure.ac +++ b/configure.ac @@ -19,7 +19,7 @@ # initialize & set some vars # ============================ -AC_INIT([strongSwan],[5.6.1]) +AC_INIT([strongSwan],[5.6.2]) AM_INIT_AUTOMAKE(m4_esyscmd([ echo tar-ustar echo subdir-objects @@ -273,6 +273,7 @@ ARG_ENABL_SET([led], [enable plugin to control LEDs on IKEv2 activity ARG_ENABL_SET([load-tester], [enable load testing plugin for IKEv2 daemon.]) ARG_ENABL_SET([lookip], [enable fast virtual IP lookup and notification plugin.]) ARG_ENABL_SET([radattr], [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.]) +ARG_ENABL_SET([save-keys], [enable development/debugging plugin that saves IKE and ESP keys in Wireshark format.]) ARG_ENABL_SET([systime-fix], [enable plugin to handle cert lifetimes with invalid system time gracefully.]) ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.]) ARG_DISBL_SET([updown], [disable updown firewall script plugin.]) @@ -1174,10 +1175,7 @@ if test x$eap_sim_pcsc = xtrue; then fi if test x$nm = xtrue; then - PKG_CHECK_EXISTS([libnm-glib], - [PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm-util libnm-glib libnm-glib-vpn])], - [PKG_CHECK_MODULES(nm, [NetworkManager gthread-2.0 libnm_util libnm_glib libnm_glib_vpn])] - ) + PKG_CHECK_MODULES(nm, [gthread-2.0 libnm]) AC_SUBST(nm_CFLAGS) AC_SUBST(nm_LIBS) fi @@ -1438,6 +1436,7 @@ ADD_PLUGIN([kernel-pfkey], [c charon starter nm cmd]) ADD_PLUGIN([kernel-pfroute], [c charon starter nm cmd]) ADD_PLUGIN([kernel-netlink], [c charon starter nm cmd]) ADD_PLUGIN([resolve], [c charon cmd]) +ADD_PLUGIN([save-keys], [c]) ADD_PLUGIN([socket-default], [c charon nm cmd]) ADD_PLUGIN([socket-dynamic], [c charon cmd]) ADD_PLUGIN([socket-win], [c charon]) @@ -1667,6 +1666,7 @@ AM_CONDITIONAL(USE_IMC_SWIMA, test x$imc_swima = xtrue) AM_CONDITIONAL(USE_IMV_SWIMA, test x$imv_swima = xtrue) AM_CONDITIONAL(USE_IMC_HCD, test x$imc_hcd = xtrue) AM_CONDITIONAL(USE_IMV_HCD, test x$imv_hcd = xtrue) +AM_CONDITIONAL(USE_SAVE_KEYS, test x$save_keys = xtrue) AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue) AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue) AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue) @@ -1931,6 +1931,7 @@ AC_CONFIG_FILES([ src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile + src/libcharon/plugins/save_keys/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile @@ -1991,6 +1992,7 @@ AC_CONFIG_FILES([ src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile + src/tpm_extendpcr/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 774df75ac..eef6efaa0 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -609,9 +609,10 @@ To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to .BR pubkey or a key strength definition (for example -.BR pubkey-sha1-sha256 +.BR pubkey-sha256-sha512 , +.BR rsa-2048-sha256-sha384-sha512 , or -.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ). +.BR rsa-2048-sha256-ecdsa-256-sha256-sha384 ). Unless disabled in .BR strongswan.conf (5), or explicit IKEv2 signature constraints are configured (see below), such key diff --git a/src/Makefile.am b/src/Makefile.am index 7bef1a5dd..e2747c300 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -143,3 +143,7 @@ endif if USE_AIKGEN SUBDIRS += aikgen endif + +if USE_TPM + SUBDIRS += tpm_extendpcr +endif diff --git a/src/Makefile.in b/src/Makefile.in index baae1e09a..9aa3cb166 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -123,6 +123,7 @@ host_triplet = @host@ @USE_IMV_SWIMA_TRUE@am__append_34 = sec-updater @USE_INTEGRITY_TEST_TRUE@am__append_35 = checksum @USE_AIKGEN_TRUE@am__append_36 = aikgen +@USE_TPM_TRUE@am__append_37 = tpm_extendpcr subdir = src ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -201,7 +202,8 @@ DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \ libcharon starter ipsec _copyright charon charon-systemd \ charon-nm stroke _updown scepclient pki swanctl conftest dumm \ libfast manager medsrv pool charon-tkm charon-cmd charon-svc \ - pt-tls-client sw-collector sec-updater checksum aikgen + pt-tls-client sw-collector sec-updater checksum aikgen \ + tpm_extendpcr am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ @@ -478,7 +480,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_25) $(am__append_26) $(am__append_27) \ $(am__append_28) $(am__append_29) $(am__append_30) \ $(am__append_31) $(am__append_32) $(am__append_33) \ - $(am__append_34) $(am__append_35) $(am__append_36) + $(am__append_34) $(am__append_35) $(am__append_36) \ + $(am__append_37) all: all-recursive .SUFFIXES: diff --git a/src/charon-cmd/cmd/cmd_options.h b/src/charon-cmd/cmd/cmd_options.h index c7441e795..aa13b0951 100644 --- a/src/charon-cmd/cmd/cmd_options.h +++ b/src/charon-cmd/cmd/cmd_options.h @@ -63,7 +63,7 @@ struct cmd_option_t { const char *name; /** takes argument */ int has_arg; - /** decription of argument */ + /** description of argument */ const char *arg; /** short description to option */ const char *desc; diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c index 601daca0a..e4845e745 100644 --- a/src/charon-nm/nm/nm_backend.c +++ b/src/charon-nm/nm/nm_backend.c @@ -55,7 +55,7 @@ struct nm_backend_t { static nm_backend_t *nm_backend = NULL; /** - * NM plugin processing routine, creates and handles NMVPNPlugin + * NM plugin processing routine, creates and handles NMVpnServicePlugin */ static job_requeue_t run(nm_backend_t *this) { diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index 3e8392a57..9beac392a 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2017 Lubomir Rintel + * * Copyright (C) 2013 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi * Hochschule fuer Technik Rapperswil @@ -14,8 +16,6 @@ * for more details. */ -#include <nm-setting-vpn.h> -#include <nm-setting-connection.h> #include "nm_service.h" #include <daemon.h> @@ -26,7 +26,7 @@ #include <stdio.h> -G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN) +G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN) /** * Private data of NMStrongswanPlugin @@ -37,7 +37,7 @@ typedef struct { /* IKE_SA we are listening on */ ike_sa_t *ike_sa; /* backref to public plugin */ - NMVPNPlugin *plugin; + NMVpnServicePlugin *plugin; /* credentials to use for authentication */ nm_creds_t *creds; /* attribute handler for DNS/NBNS server information */ @@ -53,50 +53,46 @@ typedef struct { /** * convert enumerated handler chunks to a UINT_ARRAY GValue */ -static GValue* handler_to_val(nm_handler_t *handler, +static GVariant* handler_to_variant(nm_handler_t *handler, configuration_attribute_type_t type) { - GValue *val; - GArray *array; + GVariantBuilder builder; enumerator_t *enumerator; chunk_t chunk; + g_variant_builder_init (&builder, G_VARIANT_TYPE ("au")); + enumerator = handler->create_enumerator(handler, type); - array = g_array_new (FALSE, TRUE, sizeof (guint32)); while (enumerator->enumerate(enumerator, &chunk)) { - g_array_append_val (array, *(uint32_t*)chunk.ptr); + g_variant_builder_add (&builder, "u", + g_variant_new_uint32 (*(uint32_t*)chunk.ptr)); } enumerator->destroy(enumerator); - val = g_slice_new0 (GValue); - g_value_init (val, DBUS_TYPE_G_UINT_ARRAY); - g_value_set_boxed (val, array); - return val; + return g_variant_builder_end (&builder); } /** * signal IPv4 config to NM, set connection as established */ -static void signal_ipv4_config(NMVPNPlugin *plugin, +static void signal_ipv4_config(NMVpnServicePlugin *plugin, ike_sa_t *ike_sa, child_sa_t *child_sa) { NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); - GValue *val; - GHashTable *config; + GVariantBuilder builder; enumerator_t *enumerator; host_t *me, *other; nm_handler_t *handler; - config = g_hash_table_new(g_str_hash, g_str_equal); + g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT); + handler = priv->handler; /* NM apparently requires to know the gateway */ - val = g_slice_new0 (GValue); - g_value_init (val, G_TYPE_UINT); other = ike_sa->get_other_host(ike_sa); - g_value_set_uint (val, *(uint32_t*)other->get_address(other).ptr); - g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY, val); + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY, + g_variant_new_uint32 (*(uint32_t*)other->get_address(other).ptr)); /* NM installs this IP address on the interface above, so we use the VIP if * we got one. @@ -107,47 +103,40 @@ static void signal_ipv4_config(NMVPNPlugin *plugin, me = ike_sa->get_my_host(ike_sa); } enumerator->destroy(enumerator); - val = g_slice_new0(GValue); - g_value_init(val, G_TYPE_UINT); - g_value_set_uint(val, *(uint32_t*)me->get_address(me).ptr); - g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val); + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, + g_variant_new_uint32 (*(uint32_t*)other->get_address(me).ptr)); - val = g_slice_new0(GValue); - g_value_init(val, G_TYPE_UINT); - g_value_set_uint(val, me->get_address(me).len * 8); - g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val); + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, + g_variant_new_uint32 (me->get_address(me).len * 8)); /* prevent NM from changing the default route. we set our own route in our * own routing table */ - val = g_slice_new0(GValue); - g_value_init(val, G_TYPE_BOOLEAN); - g_value_set_boolean(val, TRUE); - g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, val); + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT, + g_variant_new_boolean (TRUE)); - val = handler_to_val(handler, INTERNAL_IP4_DNS); - g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val); - val = handler_to_val(handler, INTERNAL_IP4_NBNS); - g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val); + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS, + handler_to_variant(handler, INTERNAL_IP4_DNS)); + + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS, + handler_to_variant(handler, INTERNAL_IP4_NBNS)); handler->reset(handler); - nm_vpn_plugin_set_ip4_config(plugin, config); + nm_vpn_service_plugin_set_ip4_config(plugin, g_variant_builder_end (&builder)); } /** * signal failure to NM, connecting failed */ -static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure) +static void signal_failure(NMVpnServicePlugin *plugin, NMVpnPluginFailure failure) { nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler; handler->reset(handler); - /* TODO: NM does not handle this failure!? */ - nm_vpn_plugin_failure(plugin, failure); - nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED); + nm_vpn_service_plugin_failure(plugin, failure); } /** @@ -277,12 +266,12 @@ static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv, /** * Connect function called from NM via DBUS */ -static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, +static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, GError **err) { NMStrongswanPluginPrivate *priv; NMSettingConnection *conn; - NMSettingVPN *vpn; + NMSettingVpn *vpn; enumerator_t *enumerator; identification_t *user = NULL, *gateway = NULL; const char *address, *str; @@ -676,10 +665,10 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * NeedSecrets called from NM via DBUS */ -static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, - char **setting_name, GError **error) +static gboolean need_secrets(NMVpnServicePlugin *plugin, NMConnection *connection, + const char **setting_name, GError **error) { - NMSettingVPN *settings; + NMSettingVpn *settings; const char *method, *path; settings = NM_SETTING_VPN(nm_connection_get_setting(connection, @@ -735,9 +724,9 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, } /** - * Disconnect called from NM via DBUS + * The actual disconnection */ -static gboolean disconnect(NMVPNPlugin *plugin, GError **err) +static gboolean do_disconnect(gpointer plugin) { NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); enumerator_t *enumerator; @@ -755,17 +744,29 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err) enumerator->destroy(enumerator); charon->controller->terminate_ike(charon->controller, id, controller_cb_empty, NULL, 0); - return TRUE; + return FALSE; } } enumerator->destroy(enumerator); - g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL, - "Connection not found."); + g_debug("Connection not found."); return FALSE; } /** + * Disconnect called from NM via DBUS + */ +static gboolean disconnect(NMVpnServicePlugin *plugin, GError **err) +{ + /* enqueue the actual disconnection, because we may be called in + * response to a listener_t callback and the SA enumeration would + * possibly deadlock. */ + g_idle_add(do_disconnect, plugin); + + return TRUE; +} + +/** * Initializer */ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin) @@ -773,7 +774,7 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin) NMStrongswanPluginPrivate *priv; priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); - priv->plugin = NM_VPN_PLUGIN(plugin); + priv->plugin = NM_VPN_SERVICE_PLUGIN(plugin); memset(&priv->listener, 0, sizeof(listener_t)); priv->listener.child_updown = child_updown; priv->listener.ike_rekey = ike_rekey; @@ -786,7 +787,7 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin) static void nm_strongswan_plugin_class_init( NMStrongswanPluginClass *strongswan_class) { - NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class); + NMVpnServicePluginClass *parent_class = NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class); g_type_class_add_private(G_OBJECT_CLASS(strongswan_class), sizeof(NMStrongswanPluginPrivate)); @@ -801,10 +802,15 @@ static void nm_strongswan_plugin_class_init( NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds, nm_handler_t *handler) { - NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new ( + GError *error = NULL; + + NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_initable_new ( NM_TYPE_STRONGSWAN_PLUGIN, - NM_VPN_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN, + NULL, + &error, + NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN, NULL); + if (plugin) { NMStrongswanPluginPrivate *priv; @@ -814,5 +820,11 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds, priv->creds = creds; priv->handler = handler; } + else + { + g_warning ("Failed to initialize a plugin instance: %s", error->message); + g_error_free (error); + } + return plugin; } diff --git a/src/charon-nm/nm/nm_service.h b/src/charon-nm/nm/nm_service.h index 0cb23e120..74ab38b03 100644 --- a/src/charon-nm/nm/nm_service.h +++ b/src/charon-nm/nm/nm_service.h @@ -23,7 +23,7 @@ #include <glib.h> #include <glib-object.h> -#include <nm-vpn-plugin.h> +#include <NetworkManager.h> #include "nm_creds.h" #include "nm_handler.h" @@ -40,11 +40,11 @@ #define NM_DBUS_PATH_STRONGSWAN "/org/freedesktop/NetworkManager/strongswan" typedef struct { - NMVPNPlugin parent; + NMVpnServicePlugin parent; } NMStrongswanPlugin; typedef struct { - NMVPNPluginClass parent; + NMVpnServicePluginClass parent; } NMStrongswanPluginClass; GType nm_strongswan_plugin_get_type(void); diff --git a/src/charon-tkm/src/ees/esa_event_service.adb b/src/charon-tkm/src/ees/esa_event_service.adb index 5b5d7003b..6b6b3f743 100644 --- a/src/charon-tkm/src/ees/esa_event_service.adb +++ b/src/charon-tkm/src/ees/esa_event_service.adb @@ -27,10 +27,13 @@ package body Esa_Event_Service is package Unix_TCP_Receiver is new Anet.Receivers.Stream - (Socket_Type => Anet.Sockets.Unix.TCP_Socket_Type); + (Socket_Type => Anet.Sockets.Unix.TCP_Socket_Type, + Address_Type => Anet.Sockets.Unix.Full_Path_Type, + Accept_Connection => Anet.Sockets.Unix.Accept_Connection); procedure Dispatch is new Tkmrpc.Process_Stream - (Dispatch => Tkmrpc.Dispatchers.Ees.Dispatch); + (Dispatch => Tkmrpc.Dispatchers.Ees.Dispatch, + Address_Type => Anet.Sockets.Unix.Full_Path_Type); Sock : aliased Anet.Sockets.Unix.TCP_Socket_Type; Receiver : Unix_TCP_Receiver.Receiver_Type (S => Sock'Access); diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c index 5f2cbfe0c..48d0001ce 100644 --- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c +++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c @@ -1,5 +1,5 @@ /* - * Copyrigth (C) 2012 Reto Buerki + * Copyright (C) 2012 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c index ed5366c2c..ac38078d7 100644 --- a/src/charon-tkm/src/tkm/tkm_keymat.c +++ b/src/charon-tkm/src/tkm/tkm_keymat.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2015 Tobias Brunner - * Copyrigth (C) 2012 Reto Buerki + * Copyright (C) 2012 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c index f57527602..290b00e37 100644 --- a/src/charon-tkm/src/tkm/tkm_listener.c +++ b/src/charon-tkm/src/tkm/tkm_listener.c @@ -1,5 +1,5 @@ /* - * Copyrigth (C) 2012 Reto Buerki + * Copyright (C) 2012 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * diff --git a/src/charon-tkm/src/tkm/tkm_nonceg.c b/src/charon-tkm/src/tkm/tkm_nonceg.c index 493ea2922..2b3e66d2d 100644 --- a/src/charon-tkm/src/tkm/tkm_nonceg.c +++ b/src/charon-tkm/src/tkm/tkm_nonceg.c @@ -1,5 +1,5 @@ /* - * Copyrigth (C) 2012 Reto Buerki + * Copyright (C) 2012 Reto Buerki * Copyright (C) 2012 Adrian-Ken Rueegsegger * Hochschule fuer Technik Rapperswil * diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c index 8bba1f9d9..d4751f7d0 100644 --- a/src/charon-tkm/tests/keymat_tests.c +++ b/src/charon-tkm/tests/keymat_tests.c @@ -17,7 +17,7 @@ #include <tests/test_suite.h> #include <daemon.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <encoding/payloads/ike_header.h> #include <tkm/client.h> diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c index c4f8385c0..5e1cec089 100644 --- a/src/conftest/hooks/custom_proposal.c +++ b/src/conftest/hooks/custom_proposal.c @@ -18,7 +18,7 @@ #include <errno.h> #include <encoding/payloads/sa_payload.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> typedef struct private_custom_proposal_t private_custom_proposal_t; diff --git a/src/dumm/guest.h b/src/dumm/guest.h index 0da05d88c..36a69681d 100644 --- a/src/dumm/guest.h +++ b/src/dumm/guest.h @@ -47,7 +47,7 @@ enum guest_state_t { extern enum_name_t *guest_state_names; /** - * Invoke function which lauches the UML guest. + * Invoke function which launches the UML guest. * * Consoles are all set to NULL, you may change them by adding additional UML * options to args before invocation. diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8 index 17c918f60..4028096f0 100644 --- a/src/ipsec/_ipsec.8 +++ b/src/ipsec/_ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2013-10-29" "5.6.1rc1" "strongSwan" +.TH IPSEC 8 "2013-10-29" "5.6.2dr3" "strongSwan" . .SH NAME . diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk index f381860b9..d1fb33702 100644 --- a/src/libcharon/Android.mk +++ b/src/libcharon/Android.mk @@ -16,7 +16,6 @@ config/backend_manager.c config/backend_manager.h config/backend.h \ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ -config/proposal.c config/proposal.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 964a19ec8..25ac7972c 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -14,7 +14,6 @@ config/backend_manager.c config/backend_manager.h config/backend.h \ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ -config/proposal.c config/proposal.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ @@ -209,6 +208,13 @@ if MONOLITHIC endif endif +if USE_SAVE_KEYS + SUBDIRS += plugins/save_keys +if MONOLITHIC + libcharon_la_LIBADD += plugins/save_keys/libstrongswan-save-keys.la +endif +endif + if USE_SOCKET_DEFAULT SUBDIRS += plugins/socket_default if MONOLITHIC diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index d3cbb0fb6..6c39317fa 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -155,150 +155,152 @@ host_triplet = @host@ @USE_LOAD_TESTER_TRUE@am__append_6 = plugins/load_tester @MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_7 = plugins/load_tester/libstrongswan-load-tester.la -@USE_SOCKET_DEFAULT_TRUE@am__append_8 = plugins/socket_default -@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_9 = plugins/socket_default/libstrongswan-socket-default.la -@USE_SOCKET_DYNAMIC_TRUE@am__append_10 = plugins/socket_dynamic -@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_11 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la -@USE_SOCKET_WIN_TRUE@am__append_12 = plugins/socket_win -@MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_13 = plugins/socket_win/libstrongswan-socket-win.la -@USE_CONNMARK_TRUE@am__append_14 = plugins/connmark -@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_15 = plugins/connmark/libstrongswan-connmark.la -@USE_BYPASS_LAN_TRUE@am__append_16 = plugins/bypass_lan -@MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE@am__append_17 = plugins/bypass_lan/libstrongswan-bypass-lan.la -@USE_FORECAST_TRUE@am__append_18 = plugins/forecast -@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_19 = plugins/forecast/libstrongswan-forecast.la -@USE_FARP_TRUE@am__append_20 = plugins/farp -@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_21 = plugins/farp/libstrongswan-farp.la -@USE_COUNTERS_TRUE@am__append_22 = plugins/counters -@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_23 = plugins/counters/libstrongswan-counters.la -@USE_STROKE_TRUE@am__append_24 = plugins/stroke -@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_25 = plugins/stroke/libstrongswan-stroke.la -@USE_VICI_TRUE@am__append_26 = plugins/vici -@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_27 = plugins/vici/libstrongswan-vici.la -@USE_SMP_TRUE@am__append_28 = plugins/smp -@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_29 = plugins/smp/libstrongswan-smp.la -@USE_SQL_TRUE@am__append_30 = plugins/sql -@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_31 = plugins/sql/libstrongswan-sql.la -@USE_DNSCERT_TRUE@am__append_32 = plugins/dnscert -@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_33 = plugins/dnscert/libstrongswan-dnscert.la -@USE_IPSECKEY_TRUE@am__append_34 = plugins/ipseckey -@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_35 = plugins/ipseckey/libstrongswan-ipseckey.la -@USE_UPDOWN_TRUE@am__append_36 = plugins/updown -@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_37 = plugins/updown/libstrongswan-updown.la -@USE_EXT_AUTH_TRUE@am__append_38 = plugins/ext_auth -@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_39 = plugins/ext_auth/libstrongswan-ext-auth.la -@USE_EAP_IDENTITY_TRUE@am__append_40 = plugins/eap_identity -@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_41 = plugins/eap_identity/libstrongswan-eap-identity.la -@USE_EAP_SIM_TRUE@am__append_42 = plugins/eap_sim -@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_43 = plugins/eap_sim/libstrongswan-eap-sim.la -@USE_EAP_SIM_FILE_TRUE@am__append_44 = plugins/eap_sim_file -@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_45 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIM_PCSC_TRUE@am__append_46 = plugins/eap_sim_pcsc -@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_47 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la -@USE_EAP_SIMAKA_SQL_TRUE@am__append_48 = plugins/eap_simaka_sql -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_49 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_50 = plugins/eap_simaka_pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_52 = plugins/eap_simaka_reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_53 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_54 = plugins/eap_aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_55 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP_TRUE@am__append_56 = plugins/eap_aka_3gpp -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_57 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_58 = plugins/eap_aka_3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_59 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_60 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_61 = plugins/eap_md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_62 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_63 = plugins/eap_gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_64 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_65 = plugins/eap_mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_66 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_DYNAMIC_TRUE@am__append_67 = plugins/eap_dynamic -@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_68 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la -@USE_EAP_RADIUS_TRUE@am__append_69 = plugins/eap_radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_70 = plugins/eap_radius/libstrongswan-eap-radius.la -@USE_EAP_TLS_TRUE@am__append_71 = plugins/eap_tls -@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_72 = plugins/eap_tls/libstrongswan-eap-tls.la -@USE_EAP_TTLS_TRUE@am__append_73 = plugins/eap_ttls -@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_74 = plugins/eap_ttls/libstrongswan-eap-ttls.la -@USE_EAP_PEAP_TRUE@am__append_75 = plugins/eap_peap -@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_76 = plugins/eap_peap/libstrongswan-eap-peap.la -@USE_EAP_TNC_TRUE@am__append_77 = plugins/eap_tnc -@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_78 = plugins/eap_tnc/libstrongswan-eap-tnc.la -@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_79 = $(top_builddir)/src/libtls/libtls.la -@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_80 = $(top_builddir)/src/libradius/libradius.la -@USE_TNC_IFMAP_TRUE@am__append_81 = plugins/tnc_ifmap -@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_82 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la -@USE_TNC_PDP_TRUE@am__append_83 = plugins/tnc_pdp -@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_84 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la -@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_85 = $(top_builddir)/src/libtnccs/libtnccs.la -@USE_MEDSRV_TRUE@am__append_86 = plugins/medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_87 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_88 = plugins/medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_89 = plugins/medcli/libstrongswan-medcli.la -@USE_DHCP_TRUE@am__append_90 = plugins/dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_91 = plugins/dhcp/libstrongswan-dhcp.la -@USE_OSX_ATTR_TRUE@am__append_92 = plugins/osx_attr -@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_93 = plugins/osx_attr/libstrongswan-osx-attr.la -@USE_P_CSCF_TRUE@am__append_94 = plugins/p_cscf -@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_95 = plugins/p_cscf/libstrongswan-p-cscf.la -@USE_ANDROID_DNS_TRUE@am__append_96 = plugins/android_dns -@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_97 = plugins/android_dns/libstrongswan-android-dns.la -@USE_ANDROID_LOG_TRUE@am__append_98 = plugins/android_log -@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_99 = plugins/android_log/libstrongswan-android-log.la -@USE_HA_TRUE@am__append_100 = plugins/ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_101 = plugins/ha/libstrongswan-ha.la -@USE_KERNEL_PFKEY_TRUE@am__append_102 = plugins/kernel_pfkey -@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_103 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la -@USE_KERNEL_PFROUTE_TRUE@am__append_104 = plugins/kernel_pfroute -@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_105 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la -@USE_KERNEL_NETLINK_TRUE@am__append_106 = plugins/kernel_netlink -@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_107 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la -@USE_KERNEL_LIBIPSEC_TRUE@am__append_108 = plugins/kernel_libipsec -@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_109 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la -@USE_KERNEL_WFP_TRUE@am__append_110 = plugins/kernel_wfp -@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_111 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la -@USE_KERNEL_IPH_TRUE@am__append_112 = plugins/kernel_iph -@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_113 = plugins/kernel_iph/libstrongswan-kernel-iph.la -@USE_WHITELIST_TRUE@am__append_114 = plugins/whitelist -@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_115 = plugins/whitelist/libstrongswan-whitelist.la -@USE_LOOKIP_TRUE@am__append_116 = plugins/lookip -@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_117 = plugins/lookip/libstrongswan-lookip.la -@USE_ERROR_NOTIFY_TRUE@am__append_118 = plugins/error_notify -@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_119 = plugins/error_notify/libstrongswan-error-notify.la -@USE_CERTEXPIRE_TRUE@am__append_120 = plugins/certexpire -@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_121 = plugins/certexpire/libstrongswan-certexpire.la -@USE_SYSTIME_FIX_TRUE@am__append_122 = plugins/systime_fix -@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_123 = plugins/systime_fix/libstrongswan-systime-fix.la -@USE_LED_TRUE@am__append_124 = plugins/led -@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_125 = plugins/led/libstrongswan-led.la -@USE_DUPLICHECK_TRUE@am__append_126 = plugins/duplicheck -@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_127 = plugins/duplicheck/libstrongswan-duplicheck.la -@USE_COUPLING_TRUE@am__append_128 = plugins/coupling -@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_129 = plugins/coupling/libstrongswan-coupling.la -@USE_RADATTR_TRUE@am__append_130 = plugins/radattr -@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_131 = plugins/radattr/libstrongswan-radattr.la -@USE_UCI_TRUE@am__append_132 = plugins/uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_133 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_134 = plugins/addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_135 = plugins/addrblock/libstrongswan-addrblock.la -@USE_UNITY_TRUE@am__append_136 = plugins/unity -@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_137 = plugins/unity/libstrongswan-unity.la -@USE_XAUTH_GENERIC_TRUE@am__append_138 = plugins/xauth_generic -@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_139 = plugins/xauth_generic/libstrongswan-xauth-generic.la -@USE_XAUTH_EAP_TRUE@am__append_140 = plugins/xauth_eap -@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_141 = plugins/xauth_eap/libstrongswan-xauth-eap.la -@USE_XAUTH_PAM_TRUE@am__append_142 = plugins/xauth_pam -@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_143 = plugins/xauth_pam/libstrongswan-xauth-pam.la -@USE_XAUTH_NOAUTH_TRUE@am__append_144 = plugins/xauth_noauth -@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_145 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la -@USE_RESOLVE_TRUE@am__append_146 = plugins/resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_147 = plugins/resolve/libstrongswan-resolve.la -@USE_ATTR_TRUE@am__append_148 = plugins/attr -@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_149 = plugins/attr/libstrongswan-attr.la -@USE_ATTR_SQL_TRUE@am__append_150 = plugins/attr_sql -@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_151 = plugins/attr_sql/libstrongswan-attr-sql.la +@USE_SAVE_KEYS_TRUE@am__append_8 = plugins/save_keys +@MONOLITHIC_TRUE@@USE_SAVE_KEYS_TRUE@am__append_9 = plugins/save_keys/libstrongswan-save-keys.la +@USE_SOCKET_DEFAULT_TRUE@am__append_10 = plugins/socket_default +@MONOLITHIC_TRUE@@USE_SOCKET_DEFAULT_TRUE@am__append_11 = plugins/socket_default/libstrongswan-socket-default.la +@USE_SOCKET_DYNAMIC_TRUE@am__append_12 = plugins/socket_dynamic +@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_13 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la +@USE_SOCKET_WIN_TRUE@am__append_14 = plugins/socket_win +@MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_15 = plugins/socket_win/libstrongswan-socket-win.la +@USE_CONNMARK_TRUE@am__append_16 = plugins/connmark +@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_17 = plugins/connmark/libstrongswan-connmark.la +@USE_BYPASS_LAN_TRUE@am__append_18 = plugins/bypass_lan +@MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE@am__append_19 = plugins/bypass_lan/libstrongswan-bypass-lan.la +@USE_FORECAST_TRUE@am__append_20 = plugins/forecast +@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_21 = plugins/forecast/libstrongswan-forecast.la +@USE_FARP_TRUE@am__append_22 = plugins/farp +@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_23 = plugins/farp/libstrongswan-farp.la +@USE_COUNTERS_TRUE@am__append_24 = plugins/counters +@MONOLITHIC_TRUE@@USE_COUNTERS_TRUE@am__append_25 = plugins/counters/libstrongswan-counters.la +@USE_STROKE_TRUE@am__append_26 = plugins/stroke +@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_27 = plugins/stroke/libstrongswan-stroke.la +@USE_VICI_TRUE@am__append_28 = plugins/vici +@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_29 = plugins/vici/libstrongswan-vici.la +@USE_SMP_TRUE@am__append_30 = plugins/smp +@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_31 = plugins/smp/libstrongswan-smp.la +@USE_SQL_TRUE@am__append_32 = plugins/sql +@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_33 = plugins/sql/libstrongswan-sql.la +@USE_DNSCERT_TRUE@am__append_34 = plugins/dnscert +@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_35 = plugins/dnscert/libstrongswan-dnscert.la +@USE_IPSECKEY_TRUE@am__append_36 = plugins/ipseckey +@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_37 = plugins/ipseckey/libstrongswan-ipseckey.la +@USE_UPDOWN_TRUE@am__append_38 = plugins/updown +@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_39 = plugins/updown/libstrongswan-updown.la +@USE_EXT_AUTH_TRUE@am__append_40 = plugins/ext_auth +@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_41 = plugins/ext_auth/libstrongswan-ext-auth.la +@USE_EAP_IDENTITY_TRUE@am__append_42 = plugins/eap_identity +@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_43 = plugins/eap_identity/libstrongswan-eap-identity.la +@USE_EAP_SIM_TRUE@am__append_44 = plugins/eap_sim +@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_45 = plugins/eap_sim/libstrongswan-eap-sim.la +@USE_EAP_SIM_FILE_TRUE@am__append_46 = plugins/eap_sim_file +@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_47 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la +@USE_EAP_SIM_PCSC_TRUE@am__append_48 = plugins/eap_sim_pcsc +@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_49 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_50 = plugins/eap_simaka_sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_52 = plugins/eap_simaka_pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_53 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_54 = plugins/eap_simaka_reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_55 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_56 = plugins/eap_aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_57 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP_TRUE@am__append_58 = plugins/eap_aka_3gpp +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP_TRUE@am__append_59 = plugins/eap_aka_3gpp/libstrongswan-eap-aka-3gpp.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_60 = plugins/eap_aka_3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_61 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_62 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_63 = plugins/eap_md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_64 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_65 = plugins/eap_gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_66 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_67 = plugins/eap_mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_68 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_DYNAMIC_TRUE@am__append_69 = plugins/eap_dynamic +@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_70 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la +@USE_EAP_RADIUS_TRUE@am__append_71 = plugins/eap_radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_72 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_EAP_TLS_TRUE@am__append_73 = plugins/eap_tls +@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_74 = plugins/eap_tls/libstrongswan-eap-tls.la +@USE_EAP_TTLS_TRUE@am__append_75 = plugins/eap_ttls +@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_76 = plugins/eap_ttls/libstrongswan-eap-ttls.la +@USE_EAP_PEAP_TRUE@am__append_77 = plugins/eap_peap +@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_78 = plugins/eap_peap/libstrongswan-eap-peap.la +@USE_EAP_TNC_TRUE@am__append_79 = plugins/eap_tnc +@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_80 = plugins/eap_tnc/libstrongswan-eap-tnc.la +@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_81 = $(top_builddir)/src/libtls/libtls.la +@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_82 = $(top_builddir)/src/libradius/libradius.la +@USE_TNC_IFMAP_TRUE@am__append_83 = plugins/tnc_ifmap +@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_84 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la +@USE_TNC_PDP_TRUE@am__append_85 = plugins/tnc_pdp +@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_86 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la +@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_87 = $(top_builddir)/src/libtnccs/libtnccs.la +@USE_MEDSRV_TRUE@am__append_88 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_89 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_90 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_91 = plugins/medcli/libstrongswan-medcli.la +@USE_DHCP_TRUE@am__append_92 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_93 = plugins/dhcp/libstrongswan-dhcp.la +@USE_OSX_ATTR_TRUE@am__append_94 = plugins/osx_attr +@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_95 = plugins/osx_attr/libstrongswan-osx-attr.la +@USE_P_CSCF_TRUE@am__append_96 = plugins/p_cscf +@MONOLITHIC_TRUE@@USE_P_CSCF_TRUE@am__append_97 = plugins/p_cscf/libstrongswan-p-cscf.la +@USE_ANDROID_DNS_TRUE@am__append_98 = plugins/android_dns +@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_99 = plugins/android_dns/libstrongswan-android-dns.la +@USE_ANDROID_LOG_TRUE@am__append_100 = plugins/android_log +@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_101 = plugins/android_log/libstrongswan-android-log.la +@USE_HA_TRUE@am__append_102 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_103 = plugins/ha/libstrongswan-ha.la +@USE_KERNEL_PFKEY_TRUE@am__append_104 = plugins/kernel_pfkey +@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_105 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la +@USE_KERNEL_PFROUTE_TRUE@am__append_106 = plugins/kernel_pfroute +@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_107 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la +@USE_KERNEL_NETLINK_TRUE@am__append_108 = plugins/kernel_netlink +@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_109 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la +@USE_KERNEL_LIBIPSEC_TRUE@am__append_110 = plugins/kernel_libipsec +@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_111 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la +@USE_KERNEL_WFP_TRUE@am__append_112 = plugins/kernel_wfp +@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_113 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la +@USE_KERNEL_IPH_TRUE@am__append_114 = plugins/kernel_iph +@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_115 = plugins/kernel_iph/libstrongswan-kernel-iph.la +@USE_WHITELIST_TRUE@am__append_116 = plugins/whitelist +@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_117 = plugins/whitelist/libstrongswan-whitelist.la +@USE_LOOKIP_TRUE@am__append_118 = plugins/lookip +@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_119 = plugins/lookip/libstrongswan-lookip.la +@USE_ERROR_NOTIFY_TRUE@am__append_120 = plugins/error_notify +@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_121 = plugins/error_notify/libstrongswan-error-notify.la +@USE_CERTEXPIRE_TRUE@am__append_122 = plugins/certexpire +@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_123 = plugins/certexpire/libstrongswan-certexpire.la +@USE_SYSTIME_FIX_TRUE@am__append_124 = plugins/systime_fix +@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_125 = plugins/systime_fix/libstrongswan-systime-fix.la +@USE_LED_TRUE@am__append_126 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_127 = plugins/led/libstrongswan-led.la +@USE_DUPLICHECK_TRUE@am__append_128 = plugins/duplicheck +@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_129 = plugins/duplicheck/libstrongswan-duplicheck.la +@USE_COUPLING_TRUE@am__append_130 = plugins/coupling +@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_131 = plugins/coupling/libstrongswan-coupling.la +@USE_RADATTR_TRUE@am__append_132 = plugins/radattr +@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_133 = plugins/radattr/libstrongswan-radattr.la +@USE_UCI_TRUE@am__append_134 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_135 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_136 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_137 = plugins/addrblock/libstrongswan-addrblock.la +@USE_UNITY_TRUE@am__append_138 = plugins/unity +@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_139 = plugins/unity/libstrongswan-unity.la +@USE_XAUTH_GENERIC_TRUE@am__append_140 = plugins/xauth_generic +@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_141 = plugins/xauth_generic/libstrongswan-xauth-generic.la +@USE_XAUTH_EAP_TRUE@am__append_142 = plugins/xauth_eap +@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_143 = plugins/xauth_eap/libstrongswan-xauth-eap.la +@USE_XAUTH_PAM_TRUE@am__append_144 = plugins/xauth_pam +@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_145 = plugins/xauth_pam/libstrongswan-xauth-pam.la +@USE_XAUTH_NOAUTH_TRUE@am__append_146 = plugins/xauth_noauth +@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_147 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la +@USE_RESOLVE_TRUE@am__append_148 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_149 = plugins/resolve/libstrongswan-resolve.la +@USE_ATTR_TRUE@am__append_150 = plugins/attr +@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_151 = plugins/attr/libstrongswan-attr.la +@USE_ATTR_SQL_TRUE@am__append_152 = plugins/attr_sql +@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_153 = plugins/attr_sql/libstrongswan-attr-sql.la subdir = src/libcharon ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ @@ -361,12 +363,12 @@ libcharon_la_DEPENDENCIES = \ $(am__append_41) $(am__append_43) $(am__append_45) \ $(am__append_47) $(am__append_49) $(am__append_51) \ $(am__append_53) $(am__append_55) $(am__append_57) \ - $(am__append_59) $(am__append_60) $(am__append_62) \ + $(am__append_59) $(am__append_61) $(am__append_62) \ $(am__append_64) $(am__append_66) $(am__append_68) \ $(am__append_70) $(am__append_72) $(am__append_74) \ - $(am__append_76) $(am__append_78) $(am__append_79) \ - $(am__append_80) $(am__append_82) $(am__append_84) \ - $(am__append_85) $(am__append_87) $(am__append_89) \ + $(am__append_76) $(am__append_78) $(am__append_80) \ + $(am__append_81) $(am__append_82) $(am__append_84) \ + $(am__append_86) $(am__append_87) $(am__append_89) \ $(am__append_91) $(am__append_93) $(am__append_95) \ $(am__append_97) $(am__append_99) $(am__append_101) \ $(am__append_103) $(am__append_105) $(am__append_107) \ @@ -377,7 +379,7 @@ libcharon_la_DEPENDENCIES = \ $(am__append_133) $(am__append_135) $(am__append_137) \ $(am__append_139) $(am__append_141) $(am__append_143) \ $(am__append_145) $(am__append_147) $(am__append_149) \ - $(am__append_151) + $(am__append_151) $(am__append_153) am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ attributes/attributes.h attributes/attribute_provider.h \ attributes/attribute_handler.h attributes/attribute_manager.c \ @@ -388,11 +390,11 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \ bus/listeners/file_logger.h config/backend_manager.c \ config/backend_manager.h config/backend.h config/child_cfg.c \ config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ - config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h control/controller.c control/controller.h \ - daemon.c daemon.h encoding/generator.c encoding/generator.h \ - encoding/message.c encoding/message.h encoding/parser.c \ - encoding/parser.h encoding/payloads/auth_payload.c \ + config/peer_cfg.c config/peer_cfg.h control/controller.c \ + control/controller.h daemon.c daemon.h encoding/generator.c \ + encoding/generator.h encoding/message.c encoding/message.h \ + encoding/parser.c encoding/parser.h \ + encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ encoding/payloads/cert_payload.h \ @@ -609,10 +611,9 @@ am_libcharon_la_OBJECTS = attributes/attributes.lo \ attributes/attribute_manager.lo attributes/mem_pool.lo \ bus/bus.lo bus/listeners/file_logger.lo \ config/backend_manager.lo config/child_cfg.lo \ - config/ike_cfg.lo config/peer_cfg.lo config/proposal.lo \ - control/controller.lo daemon.lo encoding/generator.lo \ - encoding/message.lo encoding/parser.lo \ - encoding/payloads/auth_payload.lo \ + config/ike_cfg.lo config/peer_cfg.lo control/controller.lo \ + daemon.lo encoding/generator.lo encoding/message.lo \ + encoding/parser.lo encoding/payloads/auth_payload.lo \ encoding/payloads/cert_payload.lo \ encoding/payloads/certreq_payload.lo \ encoding/payloads/configuration_attribute.lo \ @@ -744,22 +745,23 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ - plugins/socket_dynamic plugins/socket_win plugins/connmark \ - plugins/bypass_lan plugins/forecast plugins/farp \ - plugins/counters plugins/stroke plugins/vici plugins/smp \ - plugins/sql plugins/dnscert plugins/ipseckey plugins/updown \ - plugins/ext_auth plugins/eap_identity plugins/eap_sim \ - plugins/eap_sim_file plugins/eap_sim_pcsc \ - plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ - plugins/eap_simaka_reauth plugins/eap_aka plugins/eap_aka_3gpp \ - plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \ - plugins/eap_mschapv2 plugins/eap_dynamic plugins/eap_radius \ - plugins/eap_tls plugins/eap_ttls plugins/eap_peap \ - plugins/eap_tnc plugins/tnc_ifmap plugins/tnc_pdp \ - plugins/medsrv plugins/medcli plugins/dhcp plugins/osx_attr \ - plugins/p_cscf plugins/android_dns plugins/android_log \ - plugins/ha plugins/kernel_pfkey plugins/kernel_pfroute \ +DIST_SUBDIRS = . plugins/load_tester plugins/save_keys \ + plugins/socket_default plugins/socket_dynamic \ + plugins/socket_win plugins/connmark plugins/bypass_lan \ + plugins/forecast plugins/farp plugins/counters plugins/stroke \ + plugins/vici plugins/smp plugins/sql plugins/dnscert \ + plugins/ipseckey plugins/updown plugins/ext_auth \ + plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \ + plugins/eap_sim_pcsc plugins/eap_simaka_sql \ + plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \ + plugins/eap_aka plugins/eap_aka_3gpp plugins/eap_aka_3gpp2 \ + plugins/eap_md5 plugins/eap_gtc plugins/eap_mschapv2 \ + plugins/eap_dynamic plugins/eap_radius plugins/eap_tls \ + plugins/eap_ttls plugins/eap_peap plugins/eap_tnc \ + plugins/tnc_ifmap plugins/tnc_pdp plugins/medsrv \ + plugins/medcli plugins/dhcp plugins/osx_attr plugins/p_cscf \ + plugins/android_dns plugins/android_log plugins/ha \ + plugins/kernel_pfkey plugins/kernel_pfroute \ plugins/kernel_netlink plugins/kernel_libipsec \ plugins/kernel_wfp plugins/kernel_iph plugins/whitelist \ plugins/lookip plugins/error_notify plugins/certexpire \ @@ -1043,11 +1045,11 @@ libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \ bus/listeners/file_logger.h config/backend_manager.c \ config/backend_manager.h config/backend.h config/child_cfg.c \ config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ - config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h control/controller.c control/controller.h \ - daemon.c daemon.h encoding/generator.c encoding/generator.h \ - encoding/message.c encoding/message.h encoding/parser.c \ - encoding/parser.h encoding/payloads/auth_payload.c \ + config/peer_cfg.c config/peer_cfg.h control/controller.c \ + control/controller.h daemon.c daemon.h encoding/generator.c \ + encoding/generator.h encoding/message.c encoding/message.h \ + encoding/parser.c encoding/parser.h \ + encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ encoding/payloads/cert_payload.h \ @@ -1163,11 +1165,11 @@ libcharon_la_LIBADD = \ $(am__append_43) $(am__append_45) $(am__append_47) \ $(am__append_49) $(am__append_51) $(am__append_53) \ $(am__append_55) $(am__append_57) $(am__append_59) \ - $(am__append_60) $(am__append_62) $(am__append_64) \ + $(am__append_61) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_78) $(am__append_79) $(am__append_80) \ - $(am__append_82) $(am__append_84) $(am__append_85) \ + $(am__append_78) $(am__append_80) $(am__append_81) \ + $(am__append_82) $(am__append_84) $(am__append_86) \ $(am__append_87) $(am__append_89) $(am__append_91) \ $(am__append_93) $(am__append_95) $(am__append_97) \ $(am__append_99) $(am__append_101) $(am__append_103) \ @@ -1178,7 +1180,8 @@ libcharon_la_LIBADD = \ $(am__append_129) $(am__append_131) $(am__append_133) \ $(am__append_135) $(am__append_137) $(am__append_139) \ $(am__append_141) $(am__append_143) $(am__append_145) \ - $(am__append_147) $(am__append_149) $(am__append_151) + $(am__append_147) $(am__append_149) $(am__append_151) \ + $(am__append_153) EXTRA_DIST = Android.mk @STATIC_PLUGIN_CONSTRUCTORS_TRUE@BUILT_SOURCES = $(srcdir)/plugin_constructors.c @STATIC_PLUGIN_CONSTRUCTORS_TRUE@CLEANFILES = $(srcdir)/plugin_constructors.c @@ -1195,13 +1198,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_FALSE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_61) \ +@MONOLITHIC_FALSE@ $(am__append_58) $(am__append_60) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \ @MONOLITHIC_FALSE@ $(am__append_75) $(am__append_77) \ -@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) \ -@MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \ +@MONOLITHIC_FALSE@ $(am__append_79) $(am__append_83) \ +@MONOLITHIC_FALSE@ $(am__append_85) $(am__append_88) \ @MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_FALSE@ $(am__append_94) $(am__append_96) \ @MONOLITHIC_FALSE@ $(am__append_98) $(am__append_100) \ @@ -1217,7 +1220,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_FALSE@ $(am__append_142) $(am__append_144) \ @MONOLITHIC_FALSE@ $(am__append_146) $(am__append_148) \ -@MONOLITHIC_FALSE@ $(am__append_150) tests +@MONOLITHIC_FALSE@ $(am__append_150) $(am__append_152) tests # build optional plugins ######################## @@ -1234,13 +1237,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \ @MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \ @MONOLITHIC_TRUE@ $(am__append_54) $(am__append_56) \ -@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_61) \ +@MONOLITHIC_TRUE@ $(am__append_58) $(am__append_60) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ @MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ @MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \ @MONOLITHIC_TRUE@ $(am__append_75) $(am__append_77) \ -@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) \ -@MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \ +@MONOLITHIC_TRUE@ $(am__append_79) $(am__append_83) \ +@MONOLITHIC_TRUE@ $(am__append_85) $(am__append_88) \ @MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \ @MONOLITHIC_TRUE@ $(am__append_94) $(am__append_96) \ @MONOLITHIC_TRUE@ $(am__append_98) $(am__append_100) \ @@ -1256,7 +1259,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_138) $(am__append_140) \ @MONOLITHIC_TRUE@ $(am__append_142) $(am__append_144) \ @MONOLITHIC_TRUE@ $(am__append_146) $(am__append_148) \ -@MONOLITHIC_TRUE@ $(am__append_150) . tests +@MONOLITHIC_TRUE@ $(am__append_150) $(am__append_152) . tests all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -1367,8 +1370,6 @@ config/ike_cfg.lo: config/$(am__dirstamp) \ config/$(DEPDIR)/$(am__dirstamp) config/peer_cfg.lo: config/$(am__dirstamp) \ config/$(DEPDIR)/$(am__dirstamp) -config/proposal.lo: config/$(am__dirstamp) \ - config/$(DEPDIR)/$(am__dirstamp) control/$(am__dirstamp): @$(MKDIR_P) control @: > control/$(am__dirstamp) @@ -1784,7 +1785,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/child_cfg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/ike_cfg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/peer_cfg.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@config/$(DEPDIR)/proposal.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@control/$(DEPDIR)/controller.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@encoding/$(DEPDIR)/generator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@encoding/$(DEPDIR)/message.Plo@am__quote@ diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index ec2a12431..3d110e9a2 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -224,6 +224,10 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, while (prefer_enum->enumerate(prefer_enum, &proposal)) { proposal = proposal->clone(proposal); + if (strip_dh) + { + proposal->strip_dh(proposal, MODP_NONE); + } if (prefer_self) { proposals->reset_enumerator(proposals, match_enum); @@ -234,11 +238,13 @@ METHOD(child_cfg_t, select_proposal, proposal_t*, } while (match_enum->enumerate(match_enum, &match)) { + match = match->clone(match); if (strip_dh) { - proposal->strip_dh(proposal, MODP_NONE); + match->strip_dh(match, MODP_NONE); } selected = proposal->select(proposal, match, prefer_self, private); + match->destroy(match); if (selected) { DBG2(DBG_CFG, "received proposals: %#P", proposals); diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 93904ec71..e2834fa8f 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -31,7 +31,7 @@ typedef struct child_cfg_create_t child_cfg_create_t; #include <library.h> #include <selectors/traffic_selector.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <kernel/kernel_ipsec.h> /** diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h index 034996f60..81f2b6906 100644 --- a/src/libcharon/config/ike_cfg.h +++ b/src/libcharon/config/ike_cfg.h @@ -31,7 +31,7 @@ typedef struct ike_cfg_t ike_cfg_t; #include <networking/host.h> #include <collections/linked_list.h> #include <utils/identification.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <crypto/diffie_hellman.h> /** @@ -61,7 +61,7 @@ enum fragmentation_t { }; /** - * enum strings fro ike_version_t + * enum strings for ike_version_t */ extern enum_name_t *ike_version_names; diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index b294ae72f..6074a7cd4 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -32,7 +32,7 @@ typedef struct peer_cfg_create_t peer_cfg_create_t; #include <utils/identification.h> #include <collections/enumerator.h> #include <selectors/traffic_selector.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <config/ike_cfg.h> #include <config/child_cfg.h> #include <credentials/auth_cfg.h> diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 7c9f83d12..e4b819710 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c @@ -55,7 +55,6 @@ #include <bus/listeners/sys_logger.h> #include <bus/listeners/file_logger.h> #include <collections/array.h> -#include <config/proposal.h> #include <plugins/plugin_feature.h> #include <kernel/kernel_handler.h> #include <processing/jobs/start_action_job.h> @@ -989,11 +988,6 @@ bool libcharon_init() dbg_old = dbg; dbg = dbg_bus; - lib->printf_hook->add_handler(lib->printf_hook, 'P', - proposal_printf_hook, - PRINTF_HOOK_ARGTYPE_POINTER, - PRINTF_HOOK_ARGTYPE_END); - if (lib->integrity && !lib->integrity->check(lib->integrity, "libcharon", libcharon_init)) { diff --git a/src/libcharon/encoding/generator.h b/src/libcharon/encoding/generator.h index 375530776..9c7fe8979 100644 --- a/src/libcharon/encoding/generator.h +++ b/src/libcharon/encoding/generator.h @@ -35,8 +35,8 @@ typedef struct generator_t generator_t; * method. The generated bytes are appended. After all payloads are added, * the write_to_chunk method writes out all generated data since * the creation of the generator. - * The generater uses a set of encoding rules, which it can get from - * the supplied payload. With this rules, the generater can generate + * The generator uses a set of encoding rules, which it can get from + * the supplied payload. With this rules, the generator can generate * the payload and all substructures automatically. */ struct generator_t { diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index 6d850aac0..735526e3c 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -657,6 +657,7 @@ static payload_rule_t quick_mode_i_rules[] = { {PLV1_ID, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA_DRAFT_00_03, 0, 2, TRUE, FALSE}, + {PLV1_FRAGMENT, 0, 1, FALSE, TRUE}, }; /** @@ -673,6 +674,7 @@ static payload_order_t quick_mode_i_order[] = { {PLV1_ID, 0}, {PLV1_NAT_OA, 0}, {PLV1_NAT_OA_DRAFT_00_03, 0}, + {PLV1_FRAGMENT, 0}, }; /** @@ -689,6 +691,7 @@ static payload_rule_t quick_mode_r_rules[] = { {PLV1_ID, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA, 0, 2, TRUE, FALSE}, {PLV1_NAT_OA_DRAFT_00_03, 0, 2, TRUE, FALSE}, + {PLV1_FRAGMENT, 0, 1, FALSE, TRUE}, }; /** @@ -705,6 +708,7 @@ static payload_order_t quick_mode_r_order[] = { {PLV1_ID, 0}, {PLV1_NAT_OA, 0}, {PLV1_NAT_OA_DRAFT_00_03, 0}, + {PLV1_FRAGMENT, 0}, }; /** diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h index 796c10890..cad597e58 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.h +++ b/src/libcharon/encoding/payloads/proposal_substructure.h @@ -29,7 +29,7 @@ typedef struct proposal_substructure_t proposal_substructure_t; #include <library.h> #include <encoding/payloads/payload.h> #include <encoding/payloads/transform_substructure.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <collections/linked_list.h> #include <kernel/kernel_ipsec.h> #include <sa/authenticator.h> diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index cb75f1ea7..a9d4f9f7d 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h @@ -32,7 +32,7 @@ typedef struct transform_substructure_t transform_substructure_t; #include <crypto/signers/signer.h> #include <crypto/prfs/prf.h> #include <crypto/crypters/crypter.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** * IKEv1 Value for a transform payload. diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c index 3d736b25b..91ca259ef 100644 --- a/src/libcharon/kernel/kernel_interface.c +++ b/src/libcharon/kernel/kernel_interface.c @@ -351,7 +351,7 @@ METHOD(kernel_interface_t, alloc_reqid, status_t, if (entry) { /* we don't require a traffic selector match for explicit reqids, - * as we wan't to reuse a reqid for trap-triggered policies that + * as we want to reuse a reqid for trap-triggered policies that * got narrowed during negotiation. */ reqid_entry_destroy(tmpl); } diff --git a/src/libcharon/plugins/certexpire/certexpire_cron.h b/src/libcharon/plugins/certexpire/certexpire_cron.h index 0d6623d7f..3e1005b23 100644 --- a/src/libcharon/plugins/certexpire/certexpire_cron.h +++ b/src/libcharon/plugins/certexpire/certexpire_cron.h @@ -38,7 +38,7 @@ struct certexpire_cron_t { /** * Destroy a certexpire_cron_t. * - * It currently is not possible to savely cancel a cron job. Make sure + * It currently is not possible to safely cancel a cron job. Make sure * any scheduled jobs have been canceled before cleaning up. */ void (*destroy)(certexpire_cron_t *this); diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c index 58bbc2edd..8188bb764 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c @@ -92,7 +92,7 @@ static void destroy_attr(attr_t *this) * Hashtable entry with leases and attributes */ typedef struct { - /** IKE_SA uniqe id we assign the IP lease */ + /** IKE_SA unique id we assign the IP lease */ uintptr_t id; /** list of IP leases received from AAA, as host_t */ linked_list_t *addrs; diff --git a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c index 0fea50919..705fb188d 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_xauth.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_xauth.c @@ -72,7 +72,7 @@ struct private_eap_radius_xauth_t { xauth_round_t round; /** - * Concatentated password of all rounds + * Concatenated password of all rounds */ chunk_t pass; }; diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 0e83b1642..fb8d22915 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -335,7 +335,7 @@ METHOD(listener_t, message_hook, bool, chunk_t iv; /* we need the last block (or expected next IV) of Phase 1, which gets - * upated after successful en-/decryption depending on direction */ + * updated after successful en-/decryption depending on direction */ if (incoming == plain) { if (message->get_message_id(message) == 0) diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index e41e78bbf..d23e45e0b 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -52,6 +53,11 @@ struct private_ha_socket_t { * remote host to receive/send to */ host_t *remote; + + /** + * Receive buffer size + */ + u_int buflen; }; /** @@ -120,13 +126,26 @@ METHOD(ha_socket_t, pull, ha_message_t*, while (TRUE) { ha_message_t *message; - char buf[1024]; + char buf[this->buflen]; + struct iovec iov = { + .iov_base = buf, + .iov_len = this->buflen, + }; + struct msghdr msg = { + .msg_iov = &iov, + .msg_iovlen = 1, + }; bool oldstate; ssize_t len; oldstate = thread_cancelability(TRUE); - len = recv(this->fd, buf, sizeof(buf), 0); + len = recvmsg(this->fd, &msg, 0); thread_cancelability(oldstate); + if (msg.msg_flags & MSG_TRUNC) + { + DBG1(DBG_CFG, "HA message exceeds receive buffer"); + continue; + } if (len <= 0) { switch (errno) @@ -208,6 +227,8 @@ ha_socket_t *ha_socket_create(char *local, char *remote) }, .local = host_create_from_dns(local, 0, HA_PORT), .remote = host_create_from_dns(remote, 0, HA_PORT), + .buflen = lib->settings->get_int(lib->settings, + "%s.plugins.ha.buflen", 2048, lib->ns), .fd = -1, ); diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c index a21d0ae7f..c3f92f500 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -78,6 +78,9 @@ #define ROUTING_TABLE_PRIO 0 #endif +/** multicast groups (for groups > 31 setsockopt has to be used) */ +#define nl_group(group) (1 << (group - 1)) + ENUM(rt_msg_names, RTM_NEWLINK, RTM_GETRULE, "RTM_NEWLINK", "RTM_DELLINK", @@ -473,6 +476,11 @@ struct private_kernel_netlink_net_t { bool process_route; /** + * whether to react to RTM_NEWRULE or RTM_DELRULE events + */ + bool process_rules; + + /** * whether to trigger roam events */ bool roam_events; @@ -1452,6 +1460,45 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h } /** + * process RTM_NEW|DELRULE from kernel + */ +static void process_rule(private_kernel_netlink_net_t *this, struct nlmsghdr *hdr) +{ +#ifdef HAVE_LINUX_FIB_RULES_H + struct rtmsg* msg = NLMSG_DATA(hdr); + struct rtattr *rta = RTM_RTA(msg); + size_t rtasize = RTM_PAYLOAD(hdr); + uint32_t table = 0; + + /* ignore rules added by us or in the local routing table (local addrs) */ + if (msg->rtm_table && (msg->rtm_table == this->routing_table || + msg->rtm_table == RT_TABLE_LOCAL)) + { + return; + } + + while (RTA_OK(rta, rtasize)) + { + switch (rta->rta_type) + { + case FRA_TABLE: + if (RTA_PAYLOAD(rta) == sizeof(table)) + { + table = *(uint32_t*)RTA_DATA(rta); + } + break; + } + rta = RTA_NEXT(rta, rtasize); + } + if (table && table == this->routing_table) + { /* also check against extended table ID */ + return; + } + fire_roam_event(this, FALSE); +#endif +} + +/** * Receives events from kernel */ static bool receive_events(private_kernel_netlink_net_t *this, int fd, @@ -1508,6 +1555,13 @@ static bool receive_events(private_kernel_netlink_net_t *this, int fd, process_route(this, hdr); } break; + case RTM_NEWRULE: + case RTM_DELRULE: + if (this->process_rules) + { + process_rule(this, hdr); + } + break; default: break; } @@ -2333,7 +2387,9 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type if (ip->get_family(ip) == AF_INET6) { +#ifdef IFA_F_NODAD msg->ifa_flags |= IFA_F_NODAD; +#endif if (this->rta_prefsrc_for_ipv6) { /* if source routes are possible we let the virtual IP get @@ -2983,6 +3039,8 @@ kernel_netlink_net_t *kernel_netlink_net_create() "%s.prefer_temporary_addrs", FALSE, lib->ns), .roam_events = lib->settings->get_bool(lib->settings, "%s.plugins.kernel-netlink.roam_events", TRUE, lib->ns), + .process_rules = lib->settings->get_bool(lib->settings, + "%s.plugins.kernel-netlink.process_rules", FALSE, lib->ns), .mtu = lib->settings->get_int(lib->settings, "%s.plugins.kernel-netlink.mtu", 0, lib->ns), .mss = lib->settings->get_int(lib->settings, @@ -3035,8 +3093,19 @@ kernel_netlink_net_t *kernel_netlink_net_create() destroy(this); return NULL; } - addr.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR | - RTMGRP_IPV4_ROUTE | RTMGRP_IPV6_ROUTE | RTMGRP_LINK; + addr.nl_groups = nl_group(RTNLGRP_IPV4_IFADDR) | + nl_group(RTNLGRP_IPV6_IFADDR) | + nl_group(RTNLGRP_LINK); + if (this->process_route) + { + addr.nl_groups |= nl_group(RTNLGRP_IPV4_ROUTE) | + nl_group(RTNLGRP_IPV6_ROUTE); + } + if (this->process_rules) + { + addr.nl_groups |= nl_group(RTNLGRP_IPV4_RULE) | + nl_group(RTNLGRP_IPV6_RULE); + } if (bind(this->socket_events, (struct sockaddr*)&addr, sizeof(addr))) { DBG1(DBG_KNL, "unable to bind RT event socket: %s (%d)", diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 710107889..79abe587a 100644 --- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -1752,13 +1752,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t, #ifdef SADB_X_EXT_SA_REPLAY if (data->inbound) { - struct sadb_x_sa_replay *replay; + struct sadb_x_sa_replay *repl; - replay = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg); - replay->sadb_x_replay_exttype = SADB_X_EXT_SA_REPLAY; - replay->sadb_x_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay)); - replay->sadb_x_replay_replay = min(data->replay_window, UINT32_MAX-32); - PFKEY_EXT_ADD(msg, replay); + repl = (struct sadb_x_sa_replay*)PFKEY_EXT_ADD_NEXT(msg); + repl->sadb_x_sa_replay_exttype = SADB_X_EXT_SA_REPLAY; + repl->sadb_x_sa_replay_len = PFKEY_LEN(sizeof(struct sadb_x_sa_replay)); + repl->sadb_x_sa_replay_replay = min(data->replay_window, UINT32_MAX-32); + PFKEY_EXT_ADD(msg, repl); } #endif diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c index 774fcf5c8..0f36e7be3 100644 --- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c +++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c @@ -1982,7 +1982,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t, private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi) { - /* To avoid sequencial SPIs, we use a one-to-one permuation function on + /* To avoid sequential SPIs, we use a one-to-one permutation function on * an incrementing counter, that is a full period PRNG for the range we * allocate SPIs in. We add some randomness using a fixed XOR and start * the counter at random position. This is not cryptographically safe, diff --git a/src/libcharon/plugins/lookip/lookip_plugin.c b/src/libcharon/plugins/lookip/lookip_plugin.c index a6c32d65d..8324dd14f 100644 --- a/src/libcharon/plugins/lookip/lookip_plugin.c +++ b/src/libcharon/plugins/lookip/lookip_plugin.c @@ -33,7 +33,7 @@ struct private_lookip_plugin_t { lookip_plugin_t public; /** - * Listener collecting virtual IP assignements + * Listener collecting virtual IP assignments */ lookip_listener_t *listener; diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c index e7a627b93..6f19a03d5 100644 --- a/src/libcharon/plugins/osx_attr/osx_attr_handler.c +++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c @@ -150,7 +150,7 @@ static bool manage_dns(private_osx_attr_handler_t *this, if (add) { if (!this->append && !this->original) - { /* backup orignal config, start with empty set */ + { /* backup original config, start with empty set */ this->original = arr; arr = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); } diff --git a/src/libcharon/plugins/save_keys/Makefile.am b/src/libcharon/plugins/save_keys/Makefile.am new file mode 100644 index 000000000..a41668bb5 --- /dev/null +++ b/src/libcharon/plugins/save_keys/Makefile.am @@ -0,0 +1,18 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-save-keys.la +else +plugin_LTLIBRARIES = libstrongswan-save-keys.la +endif + +libstrongswan_save_keys_la_SOURCES = \ + save_keys_plugin.h save_keys_plugin.c \ + save_keys_listener.c save_keys_listener.h + +libstrongswan_save_keys_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/save_keys/Makefile.in b/src/libcharon/plugins/save_keys/Makefile.in new file mode 100644 index 000000000..a56d8eacd --- /dev/null +++ b/src/libcharon/plugins/save_keys/Makefile.in @@ -0,0 +1,803 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/save_keys +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_save_keys_la_LIBADD = +am_libstrongswan_save_keys_la_OBJECTS = save_keys_plugin.lo \ + save_keys_listener.lo +libstrongswan_save_keys_la_OBJECTS = \ + $(am_libstrongswan_save_keys_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libstrongswan_save_keys_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_save_keys_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_save_keys_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_save_keys_la_rpath = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(libstrongswan_save_keys_la_SOURCES) +DIST_SOURCES = $(libstrongswan_save_keys_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +ATOMICLIB = @ATOMICLIB@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ +runstatedir = @runstatedir@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = \ + $(PLUGIN_CFLAGS) + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-save-keys.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-save-keys.la +libstrongswan_save_keys_la_SOURCES = \ + save_keys_plugin.h save_keys_plugin.c \ + save_keys_listener.c save_keys_listener.h + +libstrongswan_save_keys_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/save_keys/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/save_keys/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +libstrongswan-save-keys.la: $(libstrongswan_save_keys_la_OBJECTS) $(libstrongswan_save_keys_la_DEPENDENCIES) $(EXTRA_libstrongswan_save_keys_la_DEPENDENCIES) + $(AM_V_CCLD)$(libstrongswan_save_keys_la_LINK) $(am_libstrongswan_save_keys_la_rpath) $(libstrongswan_save_keys_la_OBJECTS) $(libstrongswan_save_keys_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/save_keys_listener.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/save_keys_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pluginLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pluginLTLIBRARIES + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.c b/src/libcharon/plugins/save_keys/save_keys_listener.c new file mode 100644 index 000000000..fc16f20e6 --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_listener.c @@ -0,0 +1,435 @@ +/* + * Copyright (C) 2018 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#define _GNU_SOURCE + +#include "save_keys_listener.h" + +#include <stdio.h> +#include <inttypes.h> +#include <errno.h> + +#include <daemon.h> + +typedef struct private_save_keys_listener_t private_save_keys_listener_t; +typedef struct algo_map_t algo_map_t; + +/** + * Name for IKEv1 decryption table file + */ +static char *ikev1_name = "ikev1_decryption_table"; + +/** + * Name for IKEv2 decryption table file + */ +static char *ikev2_name = "ikev2_decryption_table"; + +/** + * Name for esp decryption table file + */ +static char *esp_name = "esp_sa"; + +/** + * Private data. + */ +struct private_save_keys_listener_t { + + /** + * Public interface. + */ + save_keys_listener_t public; + + /** + * Path to the directory where the decryption tables will be stored. + */ + char *path; + + /** + * Whether to save IKE keys + */ + bool ike; + + /** + * Whether to save ESP keys + */ + bool esp; +}; + +METHOD(save_keys_listener_t, destroy, void, + private_save_keys_listener_t *this) +{ + free(this); +} + +/** + * Mapping strongSwan identifiers to Wireshark names + */ +struct algo_map_t { + + /** + * IKE identifier + */ + const uint16_t ike; + + /** + * Optional key length + */ + const int key_len; + + /** + * Name of the algorithm in wireshark + */ + const char *name; +}; + +/** + * Map an algorithm identifier to a name + */ +static inline const char *algo_name(algo_map_t *map, int count, + uint16_t alg, int key_len) +{ + int i; + + for (i = 0; i < count; i++) + { + if (map[i].ike == alg) + { + if (map[i].key_len == -1 || map[i].key_len == key_len) + { + return map[i].name; + } + } + } + return NULL; +} + +/** + * Wireshark IKE algorithm identifiers for encryption + */ +static algo_map_t ike_encr[] = { + { ENCR_3DES, -1, "3DES [RFC2451]" }, + { ENCR_NULL, -1, "NULL [RFC2410]" }, + { ENCR_AES_CBC, 128, "AES-CBC-128 [RFC3602]" }, + { ENCR_AES_CBC, 192, "AES-CBC-192 [RFC3602]" }, + { ENCR_AES_CBC, 256, "AES-CBC-256 [RFC3602]" }, + { ENCR_AES_CTR, 128, "AES-CTR-128 [RFC5930]" }, + { ENCR_AES_CTR, 192, "AES-CTR-192 [RFC5930]" }, + { ENCR_AES_CTR, 256, "AES-CTR-256 [RFC5930]" }, + { ENCR_AES_GCM_ICV8, 128, "AES-GCM-128 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV8, 192, "AES-GCM-192 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV8, 256, "AES-GCM-256 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV12, 128, "AES-GCM-128 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV12, 192, "AES-GCM-192 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV12, 256, "AES-GCM-256 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV16, 128, "AES-GCM-128 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV16, 192, "AES-GCM-192 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_GCM_ICV16, 256, "AES-GCM-256 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV8, 128, "AES-CCM-128 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV8, 192, "AES-CCM-192 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV8, 256, "AES-CCM-256 with 8 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV12, 128, "AES-CCM-128 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV12, 192, "AES-CCM-192 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV12, 256, "AES-CCM-256 with 12 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV16, 128, "AES-CCM-128 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV16, 192, "AES-CCM-192 with 16 octet ICV [RFC5282]" }, + { ENCR_AES_CCM_ICV16, 256, "AES-CCM-256 with 16 octet ICV [RFC5282]" }, +}; + +/** + * Wireshark IKE algorithms for integrity + */ +static algo_map_t ike_integ[] = { + { AUTH_HMAC_MD5_96, -1, "HMAC_MD5_96 [RFC2403]" }, + { AUTH_HMAC_SHA1_96, -1, "HMAC_SHA1_96 [RFC2404]" }, + { AUTH_HMAC_MD5_128, -1, "HMAC_MD5_128 [RFC4595]" }, + { AUTH_HMAC_SHA1_160, -1, "HMAC_SHA1_160 [RFC4595]" }, + { AUTH_HMAC_SHA2_256_128, -1, "HMAC_SHA2_256_128 [RFC4868]" }, + { AUTH_HMAC_SHA2_384_192, -1, "HMAC_SHA2_384_192 [RFC4868]" }, + { AUTH_HMAC_SHA2_512_256, -1, "HMAC_SHA2_512_256 [RFC4868]" }, + { AUTH_HMAC_SHA2_256_96, -1, "HMAC_SHA2_256_96 [draft-ietf-ipsec-ciph-sha-256-00]" }, + { AUTH_UNDEFINED, -1, "NONE [RFC4306]" }, +}; + +/** + * Map an IKE proposal + */ +static inline void ike_names(proposal_t *proposal, const char **enc, + const char **integ) +{ + uint16_t alg, len; + + if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len)) + { + *enc = algo_name(ike_encr, countof(ike_encr), alg, len); + } + if (encryption_algorithm_is_aead(alg)) + { + alg = AUTH_UNDEFINED; + } + else if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)) + { + return; + } + *integ = algo_name(ike_integ, countof(ike_integ), alg, -1); +} + +/** + * Wireshark ESP algorithm identifiers for encryption + */ +static algo_map_t esp_encr[] = { + { ENCR_NULL, -1, "NULL" }, + { ENCR_3DES, -1, "TripleDes-CBC [RFC2451]" }, + { ENCR_AES_CBC, -1, "AES-CBC [RFC3602]" }, + { ENCR_AES_CTR, -1, "AES-CTR [RFC3686]" }, + { ENCR_DES, -1, "DES-CBC [RFC2405]" }, + { ENCR_CAST, -1, "CAST5-CBC [RFC2144]" }, + { ENCR_BLOWFISH, -1, "BLOWFISH-CBC [RFC2451]" }, + { ENCR_TWOFISH_CBC, -1, "TWOFISH-CBC" }, + { ENCR_AES_GCM_ICV8, -1, "AES-GCM [RFC4106]" }, + { ENCR_AES_GCM_ICV12, -1, "AES-GCM [RFC4106]" }, + { ENCR_AES_GCM_ICV16, -1, "AES-GCM [RFC4106]" }, +}; + +/** + * Wireshark ESP algorithms for integrity + */ +static algo_map_t esp_integ[] = { + { AUTH_HMAC_SHA1_96, -1, "HMAC-SHA-1-96 [RFC2404]" }, + { AUTH_HMAC_MD5_96, -1, "HMAC-MD5-96 [RFC2403]" }, + { AUTH_HMAC_SHA2_256_128, -1, "HMAC-SHA-256-128 [RFC4868]" }, + { AUTH_HMAC_SHA2_384_192, -1, "HMAC-SHA-384-192 [RFC4868]" }, + { AUTH_HMAC_SHA2_512_256, -1, "HMAC-SHA-512-256 [RFC4868]" }, + { AUTH_HMAC_SHA2_256_96, -1, "HMAC-SHA-256-96 [draft-ietf-ipsec-ciph-sha-256-00]" }, + { AUTH_UNDEFINED, 64, "ANY 64 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 96, "ANY 96 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 128, "ANY 128 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 192, "ANY 192 bit authentication [no checking]" }, + { AUTH_UNDEFINED, 256, "ANY 256 bit authentication [no checking]" }, + { AUTH_UNDEFINED, -1, "NULL" }, +}; + +/** + * Map an ESP proposal + */ +static inline void esp_names(proposal_t *proposal, const char **enc, + const char **integ) +{ + uint16_t alg, len; + + if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len)) + { + *enc = algo_name(esp_encr, countof(esp_encr), alg, len); + } + len = -1; + if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)) + { + switch (alg) + { + case ENCR_AES_GCM_ICV8: + len = 64; + break; + case ENCR_AES_GCM_ICV12: + len = 64; + break; + case ENCR_AES_GCM_ICV16: + len = 128; + break; + } + alg = AUTH_UNDEFINED; + } + *integ = algo_name(esp_integ, countof(esp_integ), alg, len); +} + +METHOD(listener_t, ike_derived_keys, bool, + private_save_keys_listener_t *this, ike_sa_t *ike_sa, chunk_t sk_ei, + chunk_t sk_er, chunk_t sk_ai, chunk_t sk_ar) +{ + ike_version_t version; + ike_sa_id_t *id; + const char *enc = NULL, *integ = NULL; + char *path, *name; + FILE *file; + + if (!this->path || !this->ike) + { + return TRUE; + } + + version = ike_sa->get_version(ike_sa); + name = version == IKEV2 ? ikev2_name : ikev1_name; + if (asprintf(&path, "%s/%s", this->path, name) < 0) + { + DBG1(DBG_IKE, "failed to build path to IKE key table"); + return TRUE; + } + + file = fopen(path, "a"); + if (file) + { + id = ike_sa->get_id(ike_sa); + if (version == IKEV2) + { + ike_names(ike_sa->get_proposal(ike_sa), &enc, &integ); + if (enc && integ) + { + fprintf(file, "%.16"PRIx64",%.16"PRIx64",%+B,%+B,\"%s\"," + "%+B,%+B,\"%s\"\n", be64toh(id->get_initiator_spi(id)), + be64toh(id->get_responder_spi(id)), &sk_ei, &sk_er, + enc, &sk_ai, &sk_ar, integ); + } + } + else + { + fprintf(file, "%.16"PRIx64",%+B\n", + be64toh(id->get_initiator_spi(id)), &sk_ei); + } + fclose(file); + } + else + { + DBG1(DBG_IKE, "failed to open IKE key table '%s': %s", path, + strerror(errno)); + } + free(path); + return TRUE; +} + +METHOD(listener_t, child_derived_keys, bool, + private_save_keys_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool initiator, chunk_t encr_i, chunk_t encr_r, chunk_t integ_i, + chunk_t integ_r) +{ + host_t *init, *resp; + uint32_t spi_i, spi_r; + const char *enc = NULL, *integ = NULL; + char *path, *family; + FILE *file; + + if (!this->path || !this->esp || + child_sa->get_protocol(child_sa) != PROTO_ESP) + { + return TRUE; + } + + if (asprintf(&path, "%s/%s", this->path, esp_name) < 0) + { + DBG1(DBG_CHD, "failed to build path to ESP key table"); + return TRUE; + } + + file = fopen(path, "a"); + if (file) + { + esp_names(child_sa->get_proposal(child_sa), &enc, &integ); + if (enc && integ) + { + /* Since the IPs are printed this is not compatible with MOBIKE */ + if (initiator) + { + init = ike_sa->get_my_host(ike_sa); + resp = ike_sa->get_other_host(ike_sa); + } + else + { + init = ike_sa->get_other_host(ike_sa); + resp = ike_sa->get_my_host(ike_sa); + } + spi_i = child_sa->get_spi(child_sa, initiator); + spi_r = child_sa->get_spi(child_sa, !initiator); + family = init->get_family(init) == AF_INET ? "IPv4" : "IPv6"; + fprintf(file, "\"%s\",\"%H\",\"%H\",\"0x%.8x\",\"%s\",\"0x%+B\"," + "\"%s\",\"0x%+B\"\n", family, init, resp, ntohl(spi_r), enc, + &encr_i, integ, &integ_i); + fprintf(file, "\"%s\",\"%H\",\"%H\",\"0x%.8x\",\"%s\",\"0x%+B\"," + "\"%s\",\"0x%+B\"\n", family, resp, init, ntohl(spi_i), enc, + &encr_r, integ, &integ_r); + } + fclose(file); + } + else + { + DBG1(DBG_CHD, "failed to open ESP key table '%s': %s", path, + strerror(errno)); + } + free(path); + return TRUE; +} + +/** + * See header. + */ +save_keys_listener_t *save_keys_listener_create() +{ + private_save_keys_listener_t *this; + + INIT(this, + .public = { + .listener = { + .ike_derived_keys = _ike_derived_keys, + .child_derived_keys = _child_derived_keys, + }, + .destroy = _destroy, + }, + .path = lib->settings->get_str(lib->settings, + "%s.plugins.save-keys.wireshark_keys", + NULL, lib->ns), + .esp = lib->settings->get_bool(lib->settings, + "%s.plugins.save-keys.esp", + FALSE, lib->ns), + .ike = lib->settings->get_bool(lib->settings, + "%s.plugins.save-keys.ike", + FALSE, lib->ns), + ); + + if (this->path && (this->ike || this->esp)) + { + char *keys = "IKE"; + + if (this->ike && this->esp) + { + keys = "IKE AND ESP"; + } + else if (this->esp) + { + keys = "ESP"; + } + DBG0(DBG_DMN, "!!", keys, this->path); + DBG0(DBG_DMN, "!! WARNING: SAVING %s KEYS TO '%s'", keys, this->path); + DBG0(DBG_DMN, "!!", keys, this->path); + } + return &this->public; +} diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.h b/src/libcharon/plugins/save_keys/save_keys_listener.h new file mode 100644 index 000000000..c4dc2cf45 --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_listener.h @@ -0,0 +1,57 @@ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * @defgroup save_keys_listener save_keys_listener + * @{ @ingroup save_keys + */ + +#ifndef SAVE_KEYS_LISTENER_H_ +#define SAVE_KEYS_LISTENER_H_ + +#include <bus/listeners/listener.h> + +typedef struct save_keys_listener_t save_keys_listener_t; + +/** + * Listener saving derived IKE and ESP keys. + */ +struct save_keys_listener_t { + + /** + * Implements listener_t interface. + */ + listener_t listener; + + /** + * Destroy this instance. + */ + void (*destroy)(save_keys_listener_t *this); +}; + +/** + * Create a save_keys_listener_t instance. + */ +save_keys_listener_t *save_keys_listener_create(); + +#endif /** SAVE_KEYS_LISTENER_H_ @}*/ diff --git a/src/libcharon/plugins/save_keys/save_keys_plugin.c b/src/libcharon/plugins/save_keys/save_keys_plugin.c new file mode 100644 index 000000000..93db5bcac --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_plugin.c @@ -0,0 +1,107 @@ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#include "save_keys_plugin.h" +#include "save_keys_listener.h" + +#include <daemon.h> + +typedef struct private_save_keys_plugin_t private_save_keys_plugin_t; + +/** + * Private data. + */ +struct private_save_keys_plugin_t { + + /** + * Implements plugin interface. + */ + save_keys_plugin_t public; + + /** + * Listener saving keys to file. + */ + save_keys_listener_t *listener; +}; + +METHOD(plugin_t, get_name, char*, + private_save_keys_plugin_t *this) +{ + return "save-keys"; +} + +/** + * Register listener. + */ +static bool plugin_cb(private_save_keys_plugin_t *this, + plugin_feature_t *feature, bool reg, void *cb_data) +{ + if (reg) + { + charon->bus->add_listener(charon->bus, &this->listener->listener); + } + else + { + charon->bus->remove_listener(charon->bus, &this->listener->listener); + } + return TRUE; +} + +METHOD(plugin_t, get_features, int, + private_save_keys_plugin_t *this, plugin_feature_t *features[]) +{ + static plugin_feature_t f[] = { + PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL), + PLUGIN_PROVIDE(CUSTOM, "save-keys"), + }; + *features = f; + return countof(f); +} + +METHOD(plugin_t, destroy, void, + private_save_keys_plugin_t *this) +{ + this->listener->destroy(this->listener); + free(this); +} + +/** + * Plugin constructor. + */ +plugin_t *save_keys_plugin_create() +{ + private_save_keys_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .get_name = _get_name, + .get_features = _get_features, + .destroy = _destroy, + }, + }, + .listener = save_keys_listener_create(), + ); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/save_keys/save_keys_plugin.h b/src/libcharon/plugins/save_keys/save_keys_plugin.h new file mode 100644 index 000000000..9501b5479 --- /dev/null +++ b/src/libcharon/plugins/save_keys/save_keys_plugin.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2016 Codrut Cristian Grosu (codrut.cristian.grosu@gmail.com) + * Copyright (C) 2016 IXIA (http://www.ixiacom.com) + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +/** + * @defgroup save_keys save_keys + * @ingroup cplugins + * + * @defgroup save_keys_plugin save_keys_plugin + * @{ @ingroup save_keys + */ + +#ifndef SAVE_KEYS_PLUGIN_H_ +#define SAVE_KEYS_PLUGIN_H_ + +#include <plugins/plugin.h> + +typedef struct save_keys_plugin_t save_keys_plugin_t; + +/** + * Plugin that saves derived IKE and ESP keys. + */ +struct save_keys_plugin_t { + + /** + * Implements plugin interface. + */ + plugin_t plugin; +}; + +#endif /** SAVE_KEYS_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index ac0129210..ca22c7f82 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -519,7 +519,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator->destroy(enumerator); } - /* authentication metod (class, actually) */ + /* authentication method (class, actually) */ if (strpfx(auth, "ike:") || strpfx(auth, "pubkey") || strpfx(auth, "rsa") || diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 9b61afb5c..7fc95657e 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -1131,7 +1131,6 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr, shared_key_t *shared_key; linked_list_t *owners; chunk_t secret = chunk_empty; - bool any = TRUE; err_t ugh = extract_secret(&secret, &line); if (ugh != NULL) @@ -1148,7 +1147,6 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr, while (ids.len > 0) { chunk_t id; - identification_t *peer_id; ugh = extract_value(&id, &ids); if (ugh != NULL) @@ -1165,17 +1163,9 @@ static bool load_shared(mem_cred_t *secrets, chunk_t line, int line_nr, /* NULL terminate the ID string */ *(id.ptr + id.len) = '\0'; - peer_id = identification_create_from_string(id.ptr); - if (peer_id->get_type(peer_id) == ID_ANY) - { - peer_id->destroy(peer_id); - continue; - } - - owners->insert_last(owners, peer_id); - any = FALSE; + owners->insert_last(owners, identification_create_from_string(id.ptr)); } - if (any) + if (!owners->get_count(owners)) { owners->insert_last(owners, identification_create_from_encoding(ID_ANY, chunk_empty)); diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 22992599d..2bed420be 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -693,7 +693,7 @@ METHOD(stroke_list_t, status, void, /** * create a unique certificate list without duplicates - * certicates having the same issuer are grouped together. + * certificates having the same issuer are grouped together. */ static linked_list_t* create_unique_cert_list(certificate_type_t type) { diff --git a/src/libcharon/plugins/uci/uci_parser.c b/src/libcharon/plugins/uci/uci_parser.c index e847dd393..283d93928 100644 --- a/src/libcharon/plugins/uci/uci_parser.c +++ b/src/libcharon/plugins/uci/uci_parser.c @@ -112,7 +112,7 @@ METHOD(uci_parser_t, create_section_enumerator, enumerator_t*, va_list args; int i; - /* allocate enumerator large enought to hold keyword pointers */ + /* allocate enumerator large enough to hold keyword pointers */ i = 1; va_start(args, this); while (va_arg(args, char*)) diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md index 83521250d..49cce379d 100644 --- a/src/libcharon/plugins/vici/README.md +++ b/src/libcharon/plugins/vici/README.md @@ -530,11 +530,11 @@ on the key identifier derived from the public key). ### load-shared() ### -Load a shared IKE PSK, EAP or XAuth secret into the daemon. +Load a shared IKE PSK, EAP, XAuth or NTLM secret into the daemon. { id = <optional unique identifier of this shared key> - type = <shared key type, IKE|EAP|XAUTH> + type = <shared key type, IKE|EAP|XAUTH|NTLM> data = <raw shared key data> owners = [ <list of shared key owner identities> @@ -546,8 +546,8 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon. ### unload-shared() ### -Unload a previously loaded shared IKE PSK, EAP or XAuth secret by its unique -identifier. +Unload a previously loaded shared IKE PSK, EAP, XAuth or NTLM secret by its +unique identifier. { id = <unique identifier of the shared key to unload> diff --git a/src/libcharon/plugins/vici/libvici.h b/src/libcharon/plugins/vici/libvici.h index 3ca9de424..d69597881 100644 --- a/src/libcharon/plugins/vici/libvici.h +++ b/src/libcharon/plugins/vici/libvici.h @@ -43,7 +43,7 @@ * thread pool. * * Connecting requires an uri, which is currently either a UNIX socket path - * prefixed with unix://, or a hostname:port touple prefixed with tcp://. + * prefixed with unix://, or a hostname:port tuple prefixed with tcp://. * Passing NULL takes the system default socket path. * * After the connection has been established, request messages can be sent. diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in index ff4e07d2d..6d29988db 100644 --- a/src/libcharon/plugins/vici/ruby/Makefile.in +++ b/src/libcharon/plugins/vici/ruby/Makefile.in @@ -476,8 +476,8 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -@RUBY_GEMS_INSTALL_FALSE@uninstall-local: @RUBY_GEMS_INSTALL_FALSE@install-data-local: +@RUBY_GEMS_INSTALL_FALSE@uninstall-local: clean: clean-am clean-am: clean-generic clean-libtool clean-local mostlyclean-am diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c index 5d8bf2f05..ec6c80a5b 100644 --- a/src/libcharon/plugins/vici/vici_cred.c +++ b/src/libcharon/plugins/vici/vici_cred.c @@ -434,7 +434,7 @@ CALLBACK(load_shared, vici_message_t*, { type = SHARED_IKE; } - else if (strcaseeq(str, "eap") || streq(str, "xauth")) + else if (strcaseeq(str, "eap") || strcaseeq(str, "xauth")) { type = SHARED_EAP; } diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c index 134ea375d..82c3d7855 100644 --- a/src/libcharon/plugins/vici/vici_query.c +++ b/src/libcharon/plugins/vici/vici_query.c @@ -774,7 +774,7 @@ CALLBACK(list_conns, vici_message_t*, ike_cfg_t *ike_cfg; child_cfg_t *child_cfg; char *ike, *str, *interface; - uint32_t manual_prio; + uint32_t manual_prio, dpd_delay, dpd_timeout; linked_list_t *list; traffic_selector_t *ts; lifetime_cfg_t *lft; @@ -825,6 +825,18 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "unique", "%N", unique_policy_names, peer_cfg->get_unique_policy(peer_cfg)); + dpd_delay = peer_cfg->get_dpd(peer_cfg); + if (dpd_delay) + { + b->add_kv(b, "dpd_delay", "%u", dpd_delay); + } + + dpd_timeout = peer_cfg->get_dpd_timeout(peer_cfg); + if (dpd_timeout) + { + b->add_kv(b, "dpd_timeout", "%u", dpd_timeout); + } + build_auth_cfgs(peer_cfg, TRUE, b); build_auth_cfgs(peer_cfg, FALSE, b); @@ -843,6 +855,11 @@ CALLBACK(list_conns, vici_message_t*, b->add_kv(b, "rekey_packets", "%"PRIu64, lft->packets.rekey); free(lft); + b->add_kv(b, "dpd_action", "%N", action_names, + child_cfg->get_dpd_action(child_cfg)); + b->add_kv(b, "close_action", "%N", action_names, + child_cfg->get_close_action(child_cfg)); + b->begin_list(b, "local-ts"); list = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL); selectors = list->create_enumerator(list); diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h index b2d5a11f6..b33ea617b 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.h +++ b/src/libcharon/processing/jobs/delete_child_sa_job.h @@ -27,7 +27,7 @@ typedef struct delete_child_sa_job_t delete_child_sa_job_t; #include <library.h> #include <sa/ike_sa_id.h> #include <processing/jobs/job.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h index 1de06fd07..1c9d9b400 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.h +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h @@ -26,7 +26,7 @@ typedef struct rekey_child_sa_job_t rekey_child_sa_job_t; #include <library.h> #include <sa/ike_sa_id.h> #include <processing/jobs/job.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** * Class representing an REKEY_CHILD_SA Job. @@ -50,4 +50,5 @@ struct rekey_child_sa_job_t { */ rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol, uint32_t spi, host_t *dst); + #endif /** REKEY_CHILD_SA_JOB_H_ @}*/ diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h index ed978dc8b..17beb68b6 100644 --- a/src/libcharon/processing/jobs/update_sa_job.h +++ b/src/libcharon/processing/jobs/update_sa_job.h @@ -26,7 +26,7 @@ typedef struct update_sa_job_t update_sa_job_t; #include <library.h> #include <networking/host.h> #include <processing/jobs/job.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> /** * Update the addresses of an IKE and its CHILD_SAs. diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 91da4d3e6..a01ee9e4d 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006-2017 Tobias Brunner + * Copyright (C) 2006-2018 Tobias Brunner * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2006 Daniel Roethlisberger @@ -1249,17 +1249,6 @@ METHOD(child_sa_t, install_policies, status_t, enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - /* install outbound drop policy to avoid packets leaving unencrypted - * when updating policies */ - if (priority == POLICY_PRIORITY_DEFAULT && manual_prio == 0 && - require_policy_update() && install_outbound) - { - status |= install_policies_outbound(this, this->my_addr, - this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - } - status |= install_policies_inbound(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, @@ -1350,15 +1339,6 @@ METHOD(child_sa_t, install_outbound, status_t, enumerator = create_policy_enumerator(this); while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - /* install outbound drop policy to avoid packets leaving unencrypted - * when updating policies */ - if (manual_prio == 0 && require_policy_update()) - { - status |= install_policies_outbound(this, this->my_addr, - this->other_addr, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - } status |= install_policies_outbound(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, @@ -1407,12 +1387,6 @@ METHOD(child_sa_t, remove_outbound, void, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio); - if (manual_prio == 0 && require_policy_update()) - { - del_policies_outbound(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, - POLICY_DROP, POLICY_PRIORITY_FALLBACK, 0); - } } enumerator->destroy(enumerator); } @@ -1458,8 +1432,65 @@ CALLBACK(reinstall_vip, void, } } +/** + * Update addresses and encap state of IPsec SAs in the kernel + */ +static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other, + bool encap) +{ + /* update our (initiator) SA */ + if (this->my_spi) + { + kernel_ipsec_sa_id_t id = { + .src = this->other_addr, + .dst = this->my_addr, + .spi = this->my_spi, + .proto = proto_ike2ip(this->protocol), + .mark = mark_in_sa(this), + }; + kernel_ipsec_update_sa_t sa = { + .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, + .new_src = other, + .new_dst = me, + .encap = this->encap, + .new_encap = encap, + }; + if (charon->kernel->update_sa(charon->kernel, &id, + &sa) == NOT_SUPPORTED) + { + return NOT_SUPPORTED; + } + } + + /* update his (responder) SA */ + if (this->other_spi) + { + kernel_ipsec_sa_id_t id = { + .src = this->my_addr, + .dst = this->other_addr, + .spi = this->other_spi, + .proto = proto_ike2ip(this->protocol), + .mark = this->mark_out, + }; + kernel_ipsec_update_sa_t sa = { + .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, + .new_src = me, + .new_dst = other, + .encap = this->encap, + .new_encap = encap, + }; + if (charon->kernel->update_sa(charon->kernel, &id, + &sa) == NOT_SUPPORTED) + { + return NOT_SUPPORTED; + } + } + /* we currently ignore the actual return values above */ + return SUCCESS; +} + METHOD(child_sa_t, update, status_t, - private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips, + private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips, bool encap) { child_sa_state_t old; @@ -1478,84 +1509,50 @@ METHOD(child_sa_t, update, status_t, this->config->has_option(this->config, OPT_PROXY_MODE); - if (!transport_proxy_mode) + if (!this->config->has_option(this->config, OPT_NO_POLICIES) && + require_policy_update()) { - /* update our (initiator) SA */ - if (this->my_spi) - { - kernel_ipsec_sa_id_t id = { - .src = this->other_addr, - .dst = this->my_addr, - .spi = this->my_spi, - .proto = proto_ike2ip(this->protocol), - .mark = mark_in_sa(this), - }; - kernel_ipsec_update_sa_t sa = { - .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, - .new_src = other, - .new_dst = me, - .encap = this->encap, - .new_encap = encap, - }; - if (charon->kernel->update_sa(charon->kernel, &id, - &sa) == NOT_SUPPORTED) - { - set_state(this, old); - return NOT_SUPPORTED; - } - } + ipsec_sa_cfg_t my_sa, other_sa; + enumerator_t *enumerator; + traffic_selector_t *my_ts, *other_ts; + uint32_t manual_prio; + status_t state; + + prepare_sa_cfg(this, &my_sa, &other_sa); + manual_prio = this->config->get_manual_prio(this->config); - /* update his (responder) SA */ - if (this->other_spi) + enumerator = create_policy_enumerator(this); + while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { - kernel_ipsec_sa_id_t id = { - .src = this->my_addr, - .dst = this->other_addr, - .spi = this->other_spi, - .proto = proto_ike2ip(this->protocol), - .mark = this->mark_out, - }; - kernel_ipsec_update_sa_t sa = { - .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, - .new_src = me, - .new_dst = other, - .encap = this->encap, - .new_encap = encap, - }; - if (charon->kernel->update_sa(charon->kernel, &id, - &sa) == NOT_SUPPORTED) - { - set_state(this, old); - return NOT_SUPPORTED; - } + /* install drop policy to avoid traffic leaks, acquires etc. */ + install_policies_outbound(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_DEFAULT, manual_prio); + + /* remove old policies */ + del_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, + POLICY_PRIORITY_DEFAULT, manual_prio); } - } + enumerator->destroy(enumerator); - if (!this->config->has_option(this->config, OPT_NO_POLICIES) && - require_policy_update()) - { - if (!me->ip_equals(me, this->my_addr) || - !other->ip_equals(other, this->other_addr)) - { - ipsec_sa_cfg_t my_sa, other_sa; - enumerator_t *enumerator; - traffic_selector_t *my_ts, *other_ts; - uint32_t manual_prio; + /* update the IPsec SAs */ + state = update_sas(this, me, other, encap); - prepare_sa_cfg(this, &my_sa, &other_sa); - manual_prio = this->config->get_manual_prio(this->config); + enumerator = create_policy_enumerator(this); + while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) + { + traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL; - /* always use high priorities, as hosts getting updated are INSTALLED */ - enumerator = create_policy_enumerator(this); - while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) + /* reinstall the previous policies if we can't update the SAs */ + if (state == NOT_SUPPORTED) + { + install_policies_internal(this, this->my_addr, this->other_addr, + my_ts, other_ts, &my_sa, &other_sa, + POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio); + } + else { - traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL; - - /* remove old policies first */ - del_policies_internal(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, - POLICY_PRIORITY_DEFAULT, manual_prio); - /* check if we have to update a "dynamic" traffic selector */ if (!me->ip_equals(me, this->my_addr) && my_ts->is_host(my_ts, this->my_addr)) @@ -1578,23 +1575,32 @@ METHOD(child_sa_t, update, status_t, install_policies_internal(this, me, other, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, POLICY_PRIORITY_DEFAULT, manual_prio); - - /* update fallback policies after the new policy is in place */ - if (manual_prio == 0) - { - del_policies_outbound(this, this->my_addr, this->other_addr, - old_my_ts ?: my_ts, - old_other_ts ?: other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - install_policies_outbound(this, me, other, my_ts, other_ts, - &my_sa, &other_sa, POLICY_DROP, - POLICY_PRIORITY_FALLBACK, 0); - } - DESTROY_IF(old_my_ts); - DESTROY_IF(old_other_ts); } - enumerator->destroy(enumerator); + /* remove the drop policy */ + del_policies_outbound(this, this->my_addr, this->other_addr, + old_my_ts ?: my_ts, + old_other_ts ?: other_ts, + &my_sa, &other_sa, POLICY_DROP, + POLICY_PRIORITY_DEFAULT, 0); + + DESTROY_IF(old_my_ts); + DESTROY_IF(old_other_ts); + } + enumerator->destroy(enumerator); + + if (state == NOT_SUPPORTED) + { + set_state(this, old); + return NOT_SUPPORTED; + } + + } + else if (!transport_proxy_mode) + { + if (update_sas(this, me, other, encap) == NOT_SUPPORTED) + { + set_state(this, old); + return NOT_SUPPORTED; } } @@ -1655,13 +1661,6 @@ METHOD(child_sa_t, destroy, void, del_policies_inbound(this, this->my_addr, this->other_addr, my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC, priority, manual_prio); - if (!this->trap && manual_prio == 0 && require_policy_update() && - del_outbound) - { - del_policies_outbound(this, this->my_addr, this->other_addr, - my_ts, other_ts, &my_sa, &other_sa, - POLICY_DROP, POLICY_PRIORITY_FALLBACK, 0); - } } enumerator->destroy(enumerator); } diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index 082404d93..49175ca01 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -30,7 +30,7 @@ typedef struct child_sa_t child_sa_t; #include <library.h> #include <crypto/prf_plus.h> #include <encoding/payloads/proposal_substructure.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <config/child_cfg.h> /** @@ -145,7 +145,7 @@ extern enum_name_t *child_sa_outbound_state_names; * - B allocates an SPI for the selected protocol * - B calls child_sa_t.install for both, the allocated and received SPI * - B sends the proposal with the allocated SPI to A - * - A calls child_sa_t.install for both, the allocated and recevied SPI + * - A calls child_sa_t.install for both, the allocated and received SPI * * Once SAs are set up, policies can be added using add_policies. */ @@ -254,7 +254,7 @@ struct child_sa_t { /** * Set the negotiated IPsec mode to use. * - * @param mode TUNNEL | TRANPORT | BEET + * @param mode TUNNEL | TRANSPORT | BEET */ void (*set_mode)(child_sa_t *this, ipsec_mode_t mode); diff --git a/src/libcharon/sa/eap/eap_manager.h b/src/libcharon/sa/eap/eap_manager.h index 4ed1cae20..391c906e9 100644 --- a/src/libcharon/sa/eap/eap_manager.h +++ b/src/libcharon/sa/eap/eap_manager.h @@ -30,7 +30,7 @@ typedef struct eap_manager_t eap_manager_t; * The EAP manager manages all EAP implementations and creates instances. * * A plugin registers it's implemented EAP method at the manager by - * providing type and a contructor function. The manager then instanciates + * providing type and a constructor function. The manager then instantiates * eap_method_t instances through the provided constructor to handle * EAP authentication. */ diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h index 8e25f7df8..840779727 100644 --- a/src/libcharon/sa/eap/eap_method.h +++ b/src/libcharon/sa/eap/eap_method.h @@ -64,7 +64,7 @@ struct eap_method_t { /** * Initiate the EAP exchange. * - * initiate() is only useable for server implementations, as clients only + * initiate() is only usable for server implementations, as clients only * reply to server requests. * A eap_payload is created in "out" if result is NEED_MORE. * diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 823cf2579..e1f4ec95a 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -232,11 +232,6 @@ struct private_ike_sa_t { chunk_t nat_detection_dest; /** - * number pending UPDATE_SA_ADDRESS (MOBIKE) - */ - uint32_t pending_updates; - - /** * NAT keep alive interval */ uint32_t keepalive_interval; @@ -734,8 +729,11 @@ METHOD(ike_sa_t, set_condition, void, switch (condition) { case COND_NAT_HERE: - case COND_NAT_FAKE: case COND_NAT_THERE: + DBG1(DBG_IKE, "%s host is not behind NAT anymore", + condition == COND_NAT_HERE ? "local" : "remote"); + /* fall-through */ + case COND_NAT_FAKE: set_condition(this, COND_NAT_ANY, has_condition(this, COND_NAT_HERE) || has_condition(this, COND_NAT_THERE) || @@ -1052,18 +1050,6 @@ METHOD(ike_sa_t, has_mapping_changed, bool, return TRUE; } -METHOD(ike_sa_t, set_pending_updates, void, - private_ike_sa_t *this, uint32_t updates) -{ - this->pending_updates = updates; -} - -METHOD(ike_sa_t, get_pending_updates, uint32_t, - private_ike_sa_t *this) -{ - return this->pending_updates; -} - METHOD(ike_sa_t, float_ports, void, private_ike_sa_t *this) { @@ -2561,6 +2547,12 @@ METHOD(ike_sa_t, roam, status_t, break; } + if (!this->ike_cfg) + { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and + * without config assigned */ + return SUCCESS; + } + /* ignore roam events if MOBIKE is not supported/enabled and the local * address is statically configured */ if (this->version == IKEV2 && !supports_extension(this, EXT_MOBIKE) && @@ -2964,8 +2956,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, .supports_extension = _supports_extension, .set_condition = _set_condition, .has_condition = _has_condition, - .set_pending_updates = _set_pending_updates, - .get_pending_updates = _get_pending_updates, .create_peer_address_enumerator = _create_peer_address_enumerator, .add_peer_address = _add_peer_address, .clear_peer_addresses = _clear_peer_addresses, diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index fbc367292..b4fbc56d7 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -646,20 +646,6 @@ struct ike_sa_t { */ bool (*has_condition) (ike_sa_t *this, ike_condition_t condition); - /** - * Get the number of queued MOBIKE address updates. - * - * @return number of pending updates - */ - uint32_t (*get_pending_updates)(ike_sa_t *this); - - /** - * Set the number of queued MOBIKE address updates. - * - * @param updates number of pending updates - */ - void (*set_pending_updates)(ike_sa_t *this, uint32_t updates); - #ifdef ME /** * Activate mediation server functionality for this IKE_SA. @@ -869,7 +855,7 @@ struct ike_sa_t { * @param message_id ID of the request to retransmit * @return * - SUCCESS - * - NOT_FOUND if request doesn't have to be retransmited + * - NOT_FOUND if request doesn't have to be retransmitted */ status_t (*retransmit) (ike_sa_t *this, uint32_t message_id); @@ -1169,7 +1155,7 @@ struct ike_sa_t { void (*inherit_post) (ike_sa_t *this, ike_sa_t *other); /** - * Reset the IKE_SA, useable when initiating fails. + * Reset the IKE_SA, usable when initiating fails. * * @param new_spi TRUE to allocate a new initiator SPI */ diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c index adce59f7e..5856f829e 100644 --- a/src/libcharon/sa/ikev1/phase1.c +++ b/src/libcharon/sa/ikev1/phase1.c @@ -1,6 +1,6 @@ /* - * Copyright (C) 2012 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2012-2017 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * Copyright (C) 2012 Martin Willi * Copyright (C) 2012 revosec AG @@ -102,6 +102,31 @@ static auth_cfg_t *get_auth_cfg(peer_cfg_t *peer_cfg, bool local) } /** + * Find a shared key for the given identities + */ +static shared_key_t *find_shared_key(identification_t *my_id, host_t *me, + identification_t *other_id, host_t *other) +{ + identification_t *any_id = NULL; + shared_key_t *shared_key; + + if (!other_id) + { + any_id = identification_create_from_encoding(ID_ANY, chunk_empty); + other_id = any_id; + } + shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, + my_id, other_id); + if (!shared_key) + { + DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", + my_id, me, other_id, other); + } + DESTROY_IF(any_id); + return shared_key; +} + +/** * Lookup a shared secret for this IKE_SA */ static shared_key_t *lookup_shared_key(private_phase1_t *this, @@ -131,15 +156,9 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this, { other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); } - if (my_id && other_id) + if (my_id) { - shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, - my_id, other_id); - if (!shared_key) - { - DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", - my_id, me, other_id, other); - } + shared_key = find_shared_key(my_id, me, other_id, other); } } } @@ -158,14 +177,11 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this, other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY); if (my_id) { - shared_key = lib->credmgr->get_shared(lib->credmgr, - SHARED_IKE, my_id, other_id); + shared_key = find_shared_key(my_id, me, other_id, other); if (shared_key) { break; } - DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]", - my_id, me, other_id, other); } } } diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 7098d24a2..43897c304 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -547,7 +547,7 @@ static status_t build_reply(private_mode_config_t *this, message_t *message) type, value)); } enumerator->destroy(enumerator); - /* if a client did not re-request all adresses, release them */ + /* if a client did not re-request all addresses, release them */ enumerator = migrated->create_enumerator(migrated); while (enumerator->enumerate(enumerator, &found)) { diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 49b476ad8..77592e59a 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -1330,7 +1330,7 @@ METHOD(task_t, process_i, status_t, &this->cpi_r); if (!list->get_count(list)) { - DBG1(DBG_IKE, "peer did not acccept our IPComp proposal, " + DBG1(DBG_IKE, "peer did not accept our IPComp proposal, " "IPComp disabled"); this->cpi_i = 0; } diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c index 361eb0fe1..5c0ec49f0 100644 --- a/src/libcharon/sa/ikev2/task_manager_v2.c +++ b/src/libcharon/sa/ikev2/task_manager_v2.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2016 Tobias Brunner + * Copyright (C) 2007-2018 Tobias Brunner * Copyright (C) 2007-2010 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -737,7 +737,7 @@ static status_t process_response(private_task_manager_t *this, charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet); } - /* catch if we get resetted while processing */ + /* catch if we get reset while processing */ this->reset = FALSE; enumerator = array_create_enumerator(this->active_tasks); while (enumerator->enumerate(enumerator, &task)) @@ -1642,24 +1642,9 @@ METHOD(task_manager_t, process_message, status_t, METHOD(task_manager_t, queue_task_delayed, void, private_task_manager_t *this, task_t *task, uint32_t delay) { - enumerator_t *enumerator; queued_task_t *queued; timeval_t time; - if (task->get_type(task) == TASK_IKE_MOBIKE) - { /* there is no need to queue more than one mobike task */ - enumerator = array_create_enumerator(this->queued_tasks); - while (enumerator->enumerate(enumerator, &queued)) - { - if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE) - { - enumerator->destroy(enumerator); - task->destroy(task); - return; - } - } - enumerator->destroy(enumerator); - } time_monotonic(&time); if (delay) { @@ -1877,12 +1862,41 @@ METHOD(task_manager_t, queue_ike_delete, void, queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE)); } +/** + * There is no need to queue more than one mobike task, so this either returns + * an already queued task or queues one if there is none yet. + */ +static ike_mobike_t *queue_mobike_task(private_task_manager_t *this) +{ + enumerator_t *enumerator; + queued_task_t *queued; + ike_mobike_t *mobike = NULL; + + enumerator = array_create_enumerator(this->queued_tasks); + while (enumerator->enumerate(enumerator, &queued)) + { + if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE) + { + mobike = (ike_mobike_t*)queued->task; + break; + } + } + enumerator->destroy(enumerator); + + if (!mobike) + { + mobike = ike_mobike_create(this->ike_sa, TRUE); + queue_task(this, &mobike->task); + } + return mobike; +} + METHOD(task_manager_t, queue_mobike, void, private_task_manager_t *this, bool roam, bool address) { ike_mobike_t *mobike; - mobike = ike_mobike_create(this->ike_sa, TRUE); + mobike = queue_mobike_task(this); if (roam) { enumerator_t *enumerator; @@ -1909,7 +1923,31 @@ METHOD(task_manager_t, queue_mobike, void, { mobike->addresses(mobike); } - queue_task(this, &mobike->task); +} + +METHOD(task_manager_t, queue_dpd, void, + private_task_manager_t *this) +{ + ike_mobike_t *mobike; + + if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) && + this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE)) + { +#ifdef ME + peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa); + if (cfg->get_peer_id(cfg) || + this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) +#else + if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) +#endif + { + /* use mobike enabled DPD to detect NAT mapping changes */ + mobike = queue_mobike_task(this); + mobike->dpd(mobike); + return; + } + } + queue_task(this, (task_t*)ike_dpd_create(TRUE)); } METHOD(task_manager_t, queue_child, void, @@ -1940,32 +1978,6 @@ METHOD(task_manager_t, queue_child_delete, void, protocol, spi, expired)); } -METHOD(task_manager_t, queue_dpd, void, - private_task_manager_t *this) -{ - ike_mobike_t *mobike; - - if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) && - this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE)) - { -#ifdef ME - peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - if (cfg->get_peer_id(cfg) || - this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) -#else - if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) -#endif - { - /* use mobike enabled DPD to detect NAT mapping changes */ - mobike = ike_mobike_create(this->ike_sa, TRUE); - mobike->dpd(mobike); - queue_task(this, &mobike->task); - return; - } - } - queue_task(this, (task_t*)ike_dpd_create(TRUE)); -} - METHOD(task_manager_t, adopt_tasks, void, private_task_manager_t *this, task_manager_t *other_public) { diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 4d4d72e0b..85dac6d59 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2017 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -277,12 +277,13 @@ static bool ts_list_is_host(linked_list_t *list, host_t *host) } /** - * Allocate SPIs and update proposals + * Allocate SPIs and update proposals, we also promote the selected DH group */ static bool allocate_spi(private_child_create_t *this) { enumerator_t *enumerator; proposal_t *proposal; + linked_list_t *other_dh_groups; if (this->initiator) { @@ -304,12 +305,29 @@ static bool allocate_spi(private_child_create_t *this) { if (this->initiator) { + other_dh_groups = linked_list_create(); enumerator = this->proposals->create_enumerator(this->proposals); while (enumerator->enumerate(enumerator, &proposal)) { proposal->set_spi(proposal, this->my_spi); + + /* move the selected DH group to the front, if any */ + if (this->dh_group != MODP_NONE && + !proposal->promote_dh_group(proposal, this->dh_group)) + { /* proposals that don't contain the selected group are + * moved to the back */ + this->proposals->remove_at(this->proposals, enumerator); + other_dh_groups->insert_last(other_dh_groups, proposal); + } + } + enumerator->destroy(enumerator); + enumerator = other_dh_groups->create_enumerator(other_dh_groups); + while (enumerator->enumerate(enumerator, (void**)&proposal)) + { /* no need to remove from the list as we destroy it anyway*/ + this->proposals->insert_last(this->proposals, proposal); } enumerator->destroy(enumerator); + other_dh_groups->destroy(other_dh_groups); } else { @@ -396,7 +414,7 @@ static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local) } /** - * Substitude any host address with NATed address in traffic selector + * Substitute any host address with NATed address in traffic selector */ static linked_list_t* get_transport_nat_ts(private_child_create_t *this, bool local, linked_list_t *in) @@ -1006,8 +1024,8 @@ METHOD(task_t, build_i, status_t, chunk_empty); return SUCCESS; } - if (!this->retry) - { + if (!this->retry && this->dh_group == MODP_NONE) + { /* during a rekeying the group might already be set */ this->dh_group = this->config->get_dh_group(this->config); } break; @@ -1615,6 +1633,12 @@ METHOD(child_create_t, use_marks, void, this->mark_out = out; } +METHOD(child_create_t, use_dh_group, void, + private_child_create_t *this, diffie_hellman_group_t dh_group) +{ + this->dh_group = dh_group; +} + METHOD(child_create_t, get_child, child_sa_t*, private_child_create_t *this) { @@ -1736,6 +1760,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, .get_lower_nonce = _get_lower_nonce, .use_reqid = _use_reqid, .use_marks = _use_marks, + .use_dh_group = _use_dh_group, .task = { .get_type = _get_type, .migrate = _migrate, diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h index f48d7b0a9..59fc6d2d9 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.h +++ b/src/libcharon/sa/ikev2/tasks/child_create.h @@ -1,6 +1,7 @@ /* + * Copyright (C) 2018 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -60,6 +61,15 @@ struct child_create_t { void (*use_marks)(child_create_t *this, u_int in, u_int out); /** + * Initially propose a specific DH group to override configuration. + * + * This is used during rekeying to prefer the previously negotiated group. + * + * @param dh_group DH group to use + */ + void (*use_dh_group)(child_create_t *this, diffie_hellman_group_t dh_group); + + /** * Get the lower of the two nonces, used for rekey collisions. * * @return lower nonce diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c index b67e9b80f..f90056658 100644 --- a/src/libcharon/sa/ikev2/tasks/child_rekey.c +++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2017 Tobias Brunner + * Copyright (C) 2009-2018 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * HSR Hochschule fuer Technik Rapperswil @@ -190,8 +190,18 @@ METHOD(task_t, build_i, status_t, /* our CHILD_CREATE task does the hard work for us */ if (!this->child_create) { + proposal_t *proposal; + uint16_t dh_group; + this->child_create = child_create_create(this->ike_sa, config->get_ref(config), TRUE, NULL, NULL); + + proposal = this->child_sa->get_proposal(this->child_sa); + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, + &dh_group, NULL)) + { /* reuse the DH group negotiated previously */ + this->child_create->use_dh_group(this->child_create, dh_group); + } } reqid = this->child_sa->get_reqid(this->child_sa); this->child_create->use_reqid(this->child_create, reqid); diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c index d75d21715..3d73d728b 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_init.c +++ b/src/libcharon/sa/ikev2/tasks/ike_init.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -282,7 +282,7 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) sa_payload_t *sa_payload; ke_payload_t *ke_payload; nonce_payload_t *nonce_payload; - linked_list_t *proposal_list; + linked_list_t *proposal_list, *other_dh_groups; ike_sa_id_t *id; proposal_t *proposal; enumerator_t *enumerator; @@ -294,16 +294,31 @@ static bool build_payloads(private_ike_init_t *this, message_t *message) if (this->initiator) { proposal_list = this->config->get_proposals(this->config); - if (this->old_sa) + other_dh_groups = linked_list_create(); + enumerator = proposal_list->create_enumerator(proposal_list); + while (enumerator->enumerate(enumerator, (void**)&proposal)) { /* include SPI of new IKE_SA when we are rekeying */ - enumerator = proposal_list->create_enumerator(proposal_list); - while (enumerator->enumerate(enumerator, (void**)&proposal)) + if (this->old_sa) { proposal->set_spi(proposal, id->get_initiator_spi(id)); } - enumerator->destroy(enumerator); + /* move the selected DH group to the front of the proposal */ + if (!proposal->promote_dh_group(proposal, this->dh_group)) + { /* the proposal does not include the group, move to the back */ + proposal_list->remove_at(proposal_list, enumerator); + other_dh_groups->insert_last(other_dh_groups, proposal); + } } + enumerator->destroy(enumerator); + /* add proposals that don't contain the selected group */ + enumerator = other_dh_groups->create_enumerator(other_dh_groups); + while (enumerator->enumerate(enumerator, (void**)&proposal)) + { /* no need to remove from the list as we destroy it anyway*/ + proposal_list->insert_last(proposal_list, proposal); + } + enumerator->destroy(enumerator); + other_dh_groups->destroy(other_dh_groups); sa_payload = sa_payload_create_from_proposals_v2(proposal_list); proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy)); @@ -531,10 +546,30 @@ METHOD(task_t, build_i, status_t, return FAILED; } - /* if the DH group is set via use_dh_group(), we already have a DH object */ + /* if we are retrying after an INVALID_KE_PAYLOAD we already have one */ if (!this->dh) { - this->dh_group = this->config->get_dh_group(this->config); + if (this->old_sa && lib->settings->get_bool(lib->settings, + "%s.prefer_previous_dh_group", TRUE, lib->ns)) + { /* reuse the DH group we used for the old IKE_SA when rekeying */ + proposal_t *proposal; + uint16_t dh_group; + + proposal = this->old_sa->get_proposal(this->old_sa); + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, + &dh_group, NULL)) + { + this->dh_group = dh_group; + } + else + { /* this shouldn't happen, but let's be safe */ + this->dh_group = this->config->get_dh_group(this->config); + } + } + else + { + this->dh_group = this->config->get_dh_group(this->config); + } this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, this->dh_group); if (!this->dh) @@ -544,6 +579,18 @@ METHOD(task_t, build_i, status_t, return FAILED; } } + else if (this->dh->get_dh_group(this->dh) != this->dh_group) + { /* reset DH instance if group changed (INVALID_KE_PAYLOAD) */ + this->dh->destroy(this->dh); + this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, + this->dh_group); + if (!this->dh) + { + DBG1(DBG_IKE, "requested DH group %N not supported", + diffie_hellman_group_names, this->dh_group); + return FAILED; + } + } /* generate nonce only when we are trying the first time */ if (this->my_nonce.ptr == NULL) @@ -929,12 +976,6 @@ METHOD(task_t, migrate, void, this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa); this->proposal = NULL; this->dh_failed = FALSE; - if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group) - { /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */ - this->dh->destroy(this->dh); - this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat, - this->dh_group); - } } METHOD(task_t, destroy, void, diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c index dc0f24fb8..fe41a1cac 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c +++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2010-2014 Tobias Brunner + * Copyright (C) 2010-2018 Tobias Brunner * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -76,14 +76,36 @@ struct private_ike_mobike_t { * additional addresses got updated */ bool addresses_updated; - - /** - * whether the pending updates counter was increased - */ - bool pending_update; }; /** + * Check if a newer MOBIKE update task is queued + */ +static bool is_newer_update_queued(private_ike_mobike_t *this) +{ + enumerator_t *enumerator; + private_ike_mobike_t *mobike; + task_t *task; + bool found = FALSE; + + enumerator = this->ike_sa->create_task_enumerator(this->ike_sa, + TASK_QUEUE_QUEUED); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == TASK_IKE_MOBIKE) + { + mobike = (private_ike_mobike_t*)task; + /* a queued check or update might invalidate the results of the + * current task */ + found = mobike->check || mobike->update; + break; + } + } + enumerator->destroy(enumerator); + return found; +} + +/** * read notifys from message and evaluate them */ static void process_payloads(private_ike_mobike_t *this, message_t *message) @@ -526,9 +548,8 @@ METHOD(task_t, process_i, status_t, } else if (message->get_exchange_type(message) == INFORMATIONAL) { - if (this->ike_sa->get_pending_updates(this->ike_sa) > 1) + if (is_newer_update_queued(this)) { - /* newer update queued, ignore this one */ return SUCCESS; } if (this->cookie2.ptr) @@ -553,7 +574,7 @@ METHOD(task_t, process_i, status_t, if (this->natd) { this->natd->task.process(&this->natd->task, message); - if (this->natd->has_mapping_changed(this->natd)) + if (!this->update && this->natd->has_mapping_changed(this->natd)) { /* force an update if mappings have changed */ this->update = this->check = TRUE; @@ -615,25 +636,13 @@ METHOD(ike_mobike_t, addresses, void, private_ike_mobike_t *this) { this->address = TRUE; - if (!this->pending_update) - { - this->pending_update = TRUE; - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } } METHOD(ike_mobike_t, roam, void, private_ike_mobike_t *this, bool address) { this->check = TRUE; - this->address = address; - if (!this->pending_update) - { - this->pending_update = TRUE; - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } + this->address |= address; } METHOD(ike_mobike_t, dpd, void, @@ -643,12 +652,6 @@ METHOD(ike_mobike_t, dpd, void, { this->natd = ike_natd_create(this->ike_sa, this->initiator); } - if (!this->pending_update) - { - this->pending_update = TRUE; - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } } METHOD(ike_mobike_t, is_probing, bool, @@ -678,21 +681,11 @@ METHOD(task_t, migrate, void, { this->natd->task.migrate(&this->natd->task, ike_sa); } - if (this->pending_update) - { - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) + 1); - } } METHOD(task_t, destroy, void, private_ike_mobike_t *this) { - if (this->pending_update) - { - this->ike_sa->set_pending_updates(this->ike_sa, - this->ike_sa->get_pending_updates(this->ike_sa) - 1); - } chunk_free(&this->cookie2); if (this->natd) { diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index bc40b3d92..17d2efe37 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h @@ -27,7 +27,7 @@ typedef struct keymat_t keymat_t; #include <utils/identification.h> #include <crypto/prfs/prf.h> #include <crypto/aead.h> -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> #include <config/peer_cfg.h> #include <sa/ike_sa_id.h> diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index e3fddf39b..9545da4f3 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h @@ -86,7 +86,7 @@ enum task_queue_t { * completed. * For the initial IKE_SA setup, several tasks are queued: One for the * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup - * and maybe one for virtual IP assignement. + * and maybe one for virtual IP assignment. * The task manager is also responsible for retransmission. It uses a backoff * algorithm. The timeout is calculated using * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try). diff --git a/src/libcharon/sa/xauth/xauth_manager.h b/src/libcharon/sa/xauth/xauth_manager.h index 65b3c58a3..513bf32f5 100644 --- a/src/libcharon/sa/xauth/xauth_manager.h +++ b/src/libcharon/sa/xauth/xauth_manager.h @@ -29,7 +29,7 @@ typedef struct xauth_manager_t xauth_manager_t; * The XAuth manager manages all XAuth implementations and creates instances. * * A plugin registers it's implemented XAuth method at the manager by - * providing type and a contructor function. The manager then instanciates + * providing type and a constructor function. The manager then instantiates * xauth_method_t instances through the provided constructor to handle * XAuth authentication. */ diff --git a/src/libcharon/sa/xauth/xauth_method.h b/src/libcharon/sa/xauth/xauth_method.h index 701b4dc77..c0c2024e0 100644 --- a/src/libcharon/sa/xauth/xauth_method.h +++ b/src/libcharon/sa/xauth/xauth_method.h @@ -54,7 +54,7 @@ struct xauth_method_t { /** * Initiate the XAuth exchange. * - * initiate() is only useable for server implementations, as clients only + * initiate() is only usable for server implementations, as clients only * reply to server requests. * A cp_payload is created in "out" if result is NEED_MORE. * diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am index 8f762a2e6..5ebd0456c 100644 --- a/src/libcharon/tests/Makefile.am +++ b/src/libcharon/tests/Makefile.am @@ -3,7 +3,6 @@ TESTS = libcharon_tests exchange_tests check_PROGRAMS = $(TESTS) libcharon_tests_SOURCES = \ - suites/test_proposal.c \ suites/test_ike_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in index 66d2431c9..24552d201 100644 --- a/src/libcharon/tests/Makefile.in +++ b/src/libcharon/tests/Makefile.in @@ -138,7 +138,6 @@ exchange_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(exchange_tests_CFLAGS) $(CFLAGS) $(exchange_tests_LDFLAGS) \ $(LDFLAGS) -o $@ am_libcharon_tests_OBJECTS = \ - suites/libcharon_tests-test_proposal.$(OBJEXT) \ suites/libcharon_tests-test_ike_cfg.$(OBJEXT) \ suites/libcharon_tests-test_mem_pool.$(OBJEXT) \ suites/libcharon_tests-test_message_chapoly.$(OBJEXT) \ @@ -475,7 +474,6 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ libcharon_tests_SOURCES = \ - suites/test_proposal.c \ suites/test_ike_cfg.c \ suites/test_mem_pool.c \ suites/test_message_chapoly.c \ @@ -608,8 +606,6 @@ utils/exchange_tests-mock_sender.$(OBJEXT): utils/$(am__dirstamp) \ exchange_tests$(EXEEXT): $(exchange_tests_OBJECTS) $(exchange_tests_DEPENDENCIES) $(EXTRA_exchange_tests_DEPENDENCIES) @rm -f exchange_tests$(EXEEXT) $(AM_V_CCLD)$(exchange_tests_LINK) $(exchange_tests_OBJECTS) $(exchange_tests_LDADD) $(LIBS) -suites/libcharon_tests-test_proposal.$(OBJEXT): \ - suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_ike_cfg.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/libcharon_tests-test_mem_pool.$(OBJEXT): \ @@ -640,7 +636,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_message_chapoly.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_proposal.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_asserts.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-exchange_test_helper.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/exchange_tests-mock_dh.Po@am__quote@ @@ -854,20 +849,6 @@ exchange_tests-exchange_tests.obj: exchange_tests.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o exchange_tests-exchange_tests.obj `if test -f 'exchange_tests.c'; then $(CYGPATH_W) 'exchange_tests.c'; else $(CYGPATH_W) '$(srcdir)/exchange_tests.c'; fi` -suites/libcharon_tests-test_proposal.o: suites/test_proposal.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c - -suites/libcharon_tests-test_proposal.obj: suites/test_proposal.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_proposal.Tpo suites/$(DEPDIR)/libcharon_tests-test_proposal.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libcharon_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` - suites/libcharon_tests-test_ike_cfg.o: suites/test_ike_cfg.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_ike_cfg.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo -c -o suites/libcharon_tests-test_ike_cfg.o `test -f 'suites/test_ike_cfg.c' || echo '$(srcdir)/'`suites/test_ike_cfg.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Tpo suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h index f770f464d..d17ea041d 100644 --- a/src/libcharon/tests/libcharon_tests.h +++ b/src/libcharon/tests/libcharon_tests.h @@ -24,7 +24,6 @@ * @ingroup libcharon-tests */ -TEST_SUITE(proposal_suite_create) TEST_SUITE(ike_cfg_suite_create) TEST_SUITE(mem_pool_suite_create) TEST_SUITE_DEPEND(message_chapoly_suite_create, AEAD, ENCR_CHACHA20_POLY1305, 32) diff --git a/src/libcharon/tests/suites/test_child_rekey.c b/src/libcharon/tests/suites/test_child_rekey.c index ac169723f..44d004ab7 100644 --- a/src/libcharon/tests/suites/test_child_rekey.c +++ b/src/libcharon/tests/suites/test_child_rekey.c @@ -231,6 +231,61 @@ START_TEST(test_regular_ke_invalid) /* child_updown */ assert_hook(); + /* because the DH group should get reused another rekeying should complete + * without additional exchange */ + initiate_rekey(a, 5); + /* this should never get called as this results in a successful rekeying */ + assert_hook_not_called(child_updown); + + /* CREATE_CHILD_SA { N(REKEY_SA), SA, Ni, [KEi,] TSi, TSr } --> */ + assert_hook_called(child_rekey); + assert_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 6, CHILD_REKEYED, CHILD_OUTBOUND_INSTALLED); + assert_child_sa_state(b, 8, CHILD_INSTALLED, CHILD_OUTBOUND_REGISTERED); + assert_ipsec_sas_installed(b, 5, 6, 8); + assert_hook(); + + /* <-- CREATE_CHILD_SA { SA, Nr, [KEr,] TSi, TSr } */ + assert_hook_called(child_rekey); + assert_no_notify(IN, REKEY_SA); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 5, CHILD_DELETING, CHILD_OUTBOUND_INSTALLED); + assert_child_sa_state(a, 7, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); + assert_ipsec_sas_installed(a, 5, 6, 7, 8); + assert_hook(); + + /* INFORMATIONAL { D } --> */ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, b, NULL); + assert_child_sa_state(b, 6, CHILD_DELETING, CHILD_OUTBOUND_NONE); + assert_child_sa_state(b, 8, CHILD_INSTALLED, CHILD_OUTBOUND_INSTALLED); + assert_child_sa_count(b, 2); + assert_ipsec_sas_installed(b, 6, 7, 8); + assert_hook(); + + /* <-- INFORMATIONAL { D } */ + assert_hook_not_called(child_rekey); + assert_single_payload(IN, PLV2_DELETE); + exchange_test_helper->process_message(exchange_test_helper, a, NULL); + assert_child_sa_state(a, 5, CHILD_DELETING, CHILD_OUTBOUND_NONE); + assert_child_sa_state(a, 7, CHILD_INSTALLED); + assert_child_sa_count(a, 2); + assert_ipsec_sas_installed(a, 5, 7, 8); + assert_hook(); + + /* simulate the execution of the scheduled jobs */ + destroy_rekeyed(a, 5); + assert_child_sa_count(a, 1); + assert_ipsec_sas_installed(a, 7, 8); + destroy_rekeyed(b, 6); + assert_child_sa_count(b, 1); + assert_ipsec_sas_installed(b, 7, 8); + + /* child_updown */ + assert_hook(); + call_ikesa(a, destroy); call_ikesa(b, destroy); } diff --git a/src/libcharon/tests/suites/test_ike_rekey.c b/src/libcharon/tests/suites/test_ike_rekey.c index ba39657a4..e22a0c288 100644 --- a/src/libcharon/tests/suites/test_ike_rekey.c +++ b/src/libcharon/tests/suites/test_ike_rekey.c @@ -138,6 +138,8 @@ START_TEST(test_regular_ke_invalid) lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns); + lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group", + FALSE, lib->ns); initiate_rekey(a); @@ -382,6 +384,8 @@ START_TEST(test_collision_ke_invalid) lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns); + lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group", + FALSE, lib->ns); /* Six nonces and SPIs are needed (SPI 1 and 2 are used for the initial * IKE_SA): @@ -591,6 +595,8 @@ START_TEST(test_collision_ke_invalid_delayed_retry) lib->settings->set_bool(lib->settings, "%s.prefer_configured_proposals", TRUE, lib->ns); + lib->settings->set_bool(lib->settings, "%s.prefer_previous_dh_group", + FALSE, lib->ns); /* Five nonces and SPIs are needed (SPI 1 and 2 are used for the initial * IKE_SA): diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c index cabcd0a9e..d7b508ab9 100644 --- a/src/libimcv/plugins/imc_os/imc_os.c +++ b/src/libimcv/plugins/imc_os/imc_os.c @@ -239,9 +239,10 @@ static void add_default_pwd_enabled(imc_msg_t *msg) static void add_device_id(imc_msg_t *msg) { pa_tnc_attr_t *attr; - chunk_t value = chunk_empty, keyid; - char *name, *device_id, *cert_path; + chunk_t chunk, value = chunk_empty, keyid; + char *name, *device_id, *device_handle, *cert_path; certificate_t *cert = NULL; + private_key_t *privkey = NULL; public_key_t *pubkey; /* Get the device ID as a character string */ @@ -254,6 +255,32 @@ static void add_device_id(imc_msg_t *msg) if (value.len == 0) { + /* Derive the device ID from a private key bound to a smartcard or TPM */ + device_handle = lib->settings->get_str(lib->settings, + "%s.plugins.imc-os.device_handle", NULL, lib->ns); + if (device_handle) + { + chunk = chunk_from_hex( + chunk_create(device_handle, strlen(device_handle)), NULL); + privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + free(chunk.ptr); + + if (privkey) + { + if (privkey->get_fingerprint(privkey, KEYID_PUBKEY_INFO_SHA1, + &keyid)) + { + value = chunk_to_hex(keyid, NULL, FALSE); + } + privkey->destroy(privkey); + + } + } + } + + if (value.len == 0) + { /* Derive the device ID from a raw public key */ cert_path = lib->settings->get_str(lib->settings, "%s.plugins.imc-os.device_pubkey", NULL, lib->ns); diff --git a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-2.swidtag index f10740d60..bb4d300a9 100644 --- a/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-1.swidtag +++ b/src/libimcv/plugins/imc_swid/strongswan.org__strongSwan-5-6-2.swidtag @@ -1,8 +1,8 @@ <?xml version="1.0" encoding="utf-8"?> <SoftwareIdentity name="strongSwan" - tagId="strongSwan-5-6-1" - version="5.6.1" versionScheme="alphanumeric" + tagId="strongSwan-5-6-2" + version="5.6.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"> <Entity name="strongSwan Project" diff --git a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-2.swidtag index f10740d60..bb4d300a9 100644 --- a/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-1.swidtag +++ b/src/libimcv/plugins/imc_swima/strongswan.org__strongSwan-5-6-2.swidtag @@ -1,8 +1,8 @@ <?xml version="1.0" encoding="utf-8"?> <SoftwareIdentity name="strongSwan" - tagId="strongSwan-5-6-1" - version="5.6.1" versionScheme="alphanumeric" + tagId="strongSwan-5-6-2" + version="5.6.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"> <Entity name="strongSwan Project" diff --git a/src/libimcv/pts/pts_database.h b/src/libimcv/pts/pts_database.h index 3a5ff5992..a19f14485 100644 --- a/src/libimcv/pts/pts_database.h +++ b/src/libimcv/pts/pts_database.h @@ -74,7 +74,7 @@ struct pts_database_t { * @param measurement File measurement hash * @param filename Optional name of the file to be checked * @param is_dir TRUE if part of directory measurement - * @param id Primary key into direcories/files table + * @param id Primary key into directories/files table * @return TRUE if successful */ bool (*add_file_measurement)(pts_database_t *this, int vid, diff --git a/src/libimcv/pts/pts_pcr.h b/src/libimcv/pts/pts_pcr.h index df84c679f..0658f1f98 100644 --- a/src/libimcv/pts/pts_pcr.h +++ b/src/libimcv/pts/pts_pcr.h @@ -92,7 +92,7 @@ struct pts_pcr_t { * Extend the content of a PCR * * @param pcr index of PCR - * @param measurement measurment value to be extended into PCR + * @param measurement measurement value to be extended into PCR * @return new content of PCR */ chunk_t (*extend)(pts_pcr_t *this, uint32_t pcr, chunk_t measurement); diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h index 2cee8e10f..3a1feae53 100644 --- a/src/libpttls/pt_tls.h +++ b/src/libpttls/pt_tls.h @@ -102,7 +102,7 @@ enum pt_tls_auth_t { * @param tls TLS socket to read from * @param vendor receives Message Type Vendor ID from header * @param type receives Message Type from header - * @param identifier receives Message Identifer + * @param identifier receives Message Identifier * @return reader over message value, NULL on error */ bio_reader_t* pt_tls_read(tls_socket_t *tls, uint32_t *vendor, diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c index a1c645319..0168b1802 100644 --- a/src/libpttls/pt_tls_server.c +++ b/src/libpttls/pt_tls_server.c @@ -390,7 +390,7 @@ static bool authenticate(private_pt_tls_server_t *this) { if (do_sasl(this)) { - /* complete SASL with emtpy mechanism list */ + /* complete SASL with empty mechanism list */ return pt_tls_write(this->tls, PT_TLS_SASL_MECHS, this->identifier++, chunk_empty); } diff --git a/src/libradius/radius_client.h b/src/libradius/radius_client.h index cf5f79b6c..2f6c8a43a 100644 --- a/src/libradius/radius_client.h +++ b/src/libradius/radius_client.h @@ -30,7 +30,7 @@ typedef struct radius_client_t radius_client_t; * RADIUS client functionality. * * To communicate with a RADIUS server, create a client and send messages over - * it. The client allocates a socket from the best RADIUS server abailable. + * it. The client allocates a socket from the best RADIUS server available. */ struct radius_client_t { diff --git a/src/libradius/radius_message.h b/src/libradius/radius_message.h index c72773312..eb14bf08e 100644 --- a/src/libradius/radius_message.h +++ b/src/libradius/radius_message.h @@ -320,7 +320,7 @@ struct radius_message_t { radius_message_t *radius_message_create(radius_message_code_t code); /** - * Parse and verify a recevied RADIUS message. + * Parse and verify a received RADIUS message. * * @param data received message data * @return radius_message_t object, NULL if length invalid diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c index 115be79fb..b3d90d3e5 100644 --- a/src/libradius/radius_socket.c +++ b/src/libradius/radius_socket.c @@ -348,7 +348,14 @@ METHOD(radius_socket_t, decrypt_msk, chunk_t, enumerator->destroy(enumerator); if (send.ptr && recv.ptr) { - return chunk_cat("mm", recv, send); + chunk_t pad = chunk_empty; + + if ((send.len + recv.len) < 64) + { /* zero-pad MSK to at least 64 bytes */ + pad = chunk_alloca(64 - send.len - recv.len); + memset(pad.ptr, 0, pad.len); + } + return chunk_cat("mmc", recv, send, pad); } chunk_clear(&send); chunk_clear(&recv); diff --git a/src/libsimaka/simaka_manager.h b/src/libsimaka/simaka_manager.h index b10d1659b..9f6810f8f 100644 --- a/src/libsimaka/simaka_manager.h +++ b/src/libsimaka/simaka_manager.h @@ -98,7 +98,7 @@ struct simaka_manager_t { * @param id permanent identity to request quintuplet for * @param rand random value rand * @param auts resynchronization parameter auts - * @return TRUE if calculated, FALSE if no matcing card found + * @return TRUE if calculated, FALSE if no matching card found */ bool (*card_resync)(simaka_manager_t *this, identification_t *id, char rand[AKA_RAND_LEN], char auts[AKA_AUTS_LEN]); diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c index 6827c1795..8f5812a76 100644 --- a/src/libsimaka/simaka_message.c +++ b/src/libsimaka/simaka_message.c @@ -49,7 +49,7 @@ struct hdr_t { struct attr_hdr_t { /** attribute type */ uint8_t type; - /** attibute length */ + /** attribute length */ uint8_t length; } __attribute__((__packed__)); diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 0247add96..fb7c62a8a 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -8,7 +8,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \ collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \ collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \ -crypto/hashers/hash_algorithm_set.c \ +crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index a9759aeee..66539a879 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -6,7 +6,7 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \ collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \ collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \ -crypto/hashers/hash_algorithm_set.c \ +crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \ crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \ crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \ @@ -69,7 +69,7 @@ asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \ collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \ collections/linked_list.h collections/array.h collections/dictionary.h \ crypto/crypters/crypter.h crypto/hashers/hasher.h \ -crypto/hashers/hash_algorithm_set.h crypto/mac.h \ +crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \ crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \ crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 356670dad..a0eb8b6b5 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -335,7 +335,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ collections/enumerator.c collections/hashtable.c \ collections/array.c collections/linked_list.c \ crypto/crypters/crypter.c crypto/hashers/hasher.c \ - crypto/hashers/hash_algorithm_set.c \ + crypto/hashers/hash_algorithm_set.c crypto/proposal/proposal.c \ crypto/proposal/proposal_keywords.c \ crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \ crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \ @@ -425,6 +425,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ collections/array.lo collections/linked_list.lo \ crypto/crypters/crypter.lo crypto/hashers/hasher.lo \ crypto/hashers/hash_algorithm_set.lo \ + crypto/proposal/proposal.lo \ crypto/proposal/proposal_keywords.lo \ crypto/proposal/proposal_keywords_static.lo crypto/prfs/prf.lo \ crypto/prfs/mac_prf.lo crypto/pkcs5.lo crypto/rngs/rng.lo \ @@ -556,7 +557,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ collections/linked_list.h collections/array.h \ collections/dictionary.h crypto/crypters/crypter.h \ crypto/hashers/hasher.h crypto/hashers/hash_algorithm_set.h \ - crypto/mac.h crypto/proposal/proposal_keywords.h \ + crypto/mac.h crypto/proposal/proposal.h \ + crypto/proposal/proposal_keywords.h \ crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \ crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ crypto/prf_plus.h crypto/signers/signer.h \ @@ -942,7 +944,7 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ collections/hashtable.c collections/array.c \ collections/linked_list.c crypto/crypters/crypter.c \ crypto/hashers/hasher.c crypto/hashers/hash_algorithm_set.c \ - crypto/proposal/proposal_keywords.c \ + crypto/proposal/proposal.c crypto/proposal/proposal_keywords.c \ crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \ crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \ crypto/prf_plus.c crypto/signers/signer.c \ @@ -1005,7 +1007,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \ @USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h collections/dictionary.h \ @USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h \ -@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h \ +@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h crypto/proposal/proposal.h \ @USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \ @USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \ @USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \ @@ -1302,6 +1304,8 @@ crypto/proposal/$(am__dirstamp): crypto/proposal/$(DEPDIR)/$(am__dirstamp): @$(MKDIR_P) crypto/proposal/$(DEPDIR) @: > crypto/proposal/$(DEPDIR)/$(am__dirstamp) +crypto/proposal/proposal.lo: crypto/proposal/$(am__dirstamp) \ + crypto/proposal/$(DEPDIR)/$(am__dirstamp) crypto/proposal/proposal_keywords.lo: crypto/proposal/$(am__dirstamp) \ crypto/proposal/$(DEPDIR)/$(am__dirstamp) crypto/proposal/proposal_keywords_static.lo: \ @@ -1855,6 +1859,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/mac_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/prf.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords_static.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto/rngs/$(DEPDIR)/rng.Plo@am__quote@ diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 6d9f98ee4..a70aafdd9 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -205,8 +205,8 @@ const oid_t oid_names[] = { { 0x02, 193, 0, 7, "ecdsa-with-SHA256" }, /* 192 */ { 0x03, 194, 0, 7, "ecdsa-with-SHA384" }, /* 193 */ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 194 */ - {0x2B, 425, 1, 0, "" }, /* 195 */ - { 0x06, 336, 1, 1, "dod" }, /* 196 */ + {0x2B, 426, 1, 0, "" }, /* 195 */ + { 0x06, 337, 1, 1, "dod" }, /* 196 */ { 0x01, 0, 1, 2, "internet" }, /* 197 */ { 0x04, 287, 1, 3, "private" }, /* 198 */ { 0x01, 0, 1, 4, "enterprise" }, /* 199 */ @@ -299,211 +299,212 @@ const oid_t oid_names[] = { { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 286 */ { 0x05, 0, 1, 3, "security" }, /* 287 */ { 0x05, 0, 1, 4, "mechanisms" }, /* 288 */ - { 0x07, 333, 1, 5, "id-pkix" }, /* 289 */ - { 0x01, 294, 1, 6, "id-pe" }, /* 290 */ + { 0x07, 334, 1, 5, "id-pkix" }, /* 289 */ + { 0x01, 295, 1, 6, "id-pe" }, /* 290 */ { 0x01, 292, 0, 7, "authorityInfoAccess" }, /* 291 */ { 0x03, 293, 0, 7, "qcStatements" }, /* 292 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 293 */ - { 0x02, 297, 1, 6, "id-qt" }, /* 294 */ - { 0x01, 296, 0, 7, "cps" }, /* 295 */ - { 0x02, 0, 0, 7, "unotice" }, /* 296 */ - { 0x03, 307, 1, 6, "id-kp" }, /* 297 */ - { 0x01, 299, 0, 7, "serverAuth" }, /* 298 */ - { 0x02, 300, 0, 7, "clientAuth" }, /* 299 */ - { 0x03, 301, 0, 7, "codeSigning" }, /* 300 */ - { 0x04, 302, 0, 7, "emailProtection" }, /* 301 */ - { 0x05, 303, 0, 7, "ipsecEndSystem" }, /* 302 */ - { 0x06, 304, 0, 7, "ipsecTunnel" }, /* 303 */ - { 0x07, 305, 0, 7, "ipsecUser" }, /* 304 */ - { 0x08, 306, 0, 7, "timeStamping" }, /* 305 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 306 */ - { 0x08, 315, 1, 6, "id-otherNames" }, /* 307 */ - { 0x01, 309, 0, 7, "personalData" }, /* 308 */ - { 0x02, 310, 0, 7, "userGroup" }, /* 309 */ - { 0x03, 311, 0, 7, "id-on-permanentIdentifier" }, /* 310 */ - { 0x04, 312, 0, 7, "id-on-hardwareModuleName" }, /* 311 */ - { 0x05, 313, 0, 7, "xmppAddr" }, /* 312 */ - { 0x06, 314, 0, 7, "id-on-SIM" }, /* 313 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 314 */ - { 0x0A, 320, 1, 6, "id-aca" }, /* 315 */ - { 0x01, 317, 0, 7, "authenticationInfo" }, /* 316 */ - { 0x02, 318, 0, 7, "accessIdentity" }, /* 317 */ - { 0x03, 319, 0, 7, "chargingIdentity" }, /* 318 */ - { 0x04, 0, 0, 7, "group" }, /* 319 */ - { 0x0B, 321, 0, 6, "subjectInfoAccess" }, /* 320 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 321 */ - { 0x01, 330, 1, 7, "ocsp" }, /* 322 */ - { 0x01, 324, 0, 8, "basic" }, /* 323 */ - { 0x02, 325, 0, 8, "nonce" }, /* 324 */ - { 0x03, 326, 0, 8, "crl" }, /* 325 */ - { 0x04, 327, 0, 8, "response" }, /* 326 */ - { 0x05, 328, 0, 8, "noCheck" }, /* 327 */ - { 0x06, 329, 0, 8, "archiveCutoff" }, /* 328 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 329 */ - { 0x02, 331, 0, 7, "caIssuers" }, /* 330 */ - { 0x03, 332, 0, 7, "timeStamping" }, /* 331 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 332 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 333 */ - { 0x02, 0, 1, 6, "certificate" }, /* 334 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 335 */ - { 0x0E, 342, 1, 1, "oiw" }, /* 336 */ - { 0x03, 0, 1, 2, "secsig" }, /* 337 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 338 */ - { 0x07, 340, 0, 4, "des-cbc" }, /* 339 */ - { 0x1A, 341, 0, 4, "sha-1" }, /* 340 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 341 */ - { 0x24, 388, 1, 1, "TeleTrusT" }, /* 342 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 343 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 344 */ - { 0x01, 349, 1, 4, "rsaSignature" }, /* 345 */ - { 0x02, 347, 0, 5, "rsaSigWithripemd160" }, /* 346 */ - { 0x03, 348, 0, 5, "rsaSigWithripemd128" }, /* 347 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 348 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 349 */ - { 0x01, 351, 0, 5, "ecSignWithsha1" }, /* 350 */ - { 0x02, 352, 0, 5, "ecSignWithripemd160" }, /* 351 */ - { 0x03, 353, 0, 5, "ecSignWithmd2" }, /* 352 */ - { 0x04, 354, 0, 5, "ecSignWithmd5" }, /* 353 */ - { 0x05, 371, 1, 5, "ttt-ecg" }, /* 354 */ - { 0x01, 359, 1, 6, "fieldType" }, /* 355 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 356 */ - { 0x01, 0, 1, 8, "basisType" }, /* 357 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 358 */ - { 0x02, 361, 1, 6, "keyType" }, /* 359 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 360 */ - { 0x03, 362, 0, 6, "curve" }, /* 361 */ - { 0x04, 369, 1, 6, "signatures" }, /* 362 */ - { 0x01, 364, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 363 */ - { 0x02, 365, 0, 7, "ecgdsa-with-SHA1" }, /* 364 */ - { 0x03, 366, 0, 7, "ecgdsa-with-SHA224" }, /* 365 */ - { 0x04, 367, 0, 7, "ecgdsa-with-SHA256" }, /* 366 */ - { 0x05, 368, 0, 7, "ecgdsa-with-SHA384" }, /* 367 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 368 */ - { 0x05, 0, 1, 6, "module" }, /* 369 */ - { 0x01, 0, 0, 7, "1" }, /* 370 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 371 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 372 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 373 */ - { 0x01, 375, 0, 8, "brainpoolP160r1" }, /* 374 */ - { 0x02, 376, 0, 8, "brainpoolP160t1" }, /* 375 */ - { 0x03, 377, 0, 8, "brainpoolP192r1" }, /* 376 */ - { 0x04, 378, 0, 8, "brainpoolP192t1" }, /* 377 */ - { 0x05, 379, 0, 8, "brainpoolP224r1" }, /* 378 */ - { 0x06, 380, 0, 8, "brainpoolP224t1" }, /* 379 */ - { 0x07, 381, 0, 8, "brainpoolP256r1" }, /* 380 */ - { 0x08, 382, 0, 8, "brainpoolP256t1" }, /* 381 */ - { 0x09, 383, 0, 8, "brainpoolP320r1" }, /* 382 */ - { 0x0A, 384, 0, 8, "brainpoolP320t1" }, /* 383 */ - { 0x0B, 385, 0, 8, "brainpoolP384r1" }, /* 384 */ - { 0x0C, 386, 0, 8, "brainpoolP384t1" }, /* 385 */ - { 0x0D, 387, 0, 8, "brainpoolP512r1" }, /* 386 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 387 */ - { 0x65, 391, 1, 1, "Thawte" }, /* 388 */ - { 0x70, 390, 0, 2, "id-Ed25519" }, /* 389 */ - { 0x71, 0, 0, 2, "id-Ed448" }, /* 390 */ - { 0x81, 0, 1, 1, "" }, /* 391 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 392 */ - { 0x00, 0, 1, 3, "curve" }, /* 393 */ - { 0x01, 395, 0, 4, "sect163k1" }, /* 394 */ - { 0x02, 396, 0, 4, "sect163r1" }, /* 395 */ - { 0x03, 397, 0, 4, "sect239k1" }, /* 396 */ - { 0x04, 398, 0, 4, "sect113r1" }, /* 397 */ - { 0x05, 399, 0, 4, "sect113r2" }, /* 398 */ - { 0x06, 400, 0, 4, "secp112r1" }, /* 399 */ - { 0x07, 401, 0, 4, "secp112r2" }, /* 400 */ - { 0x08, 402, 0, 4, "secp160r1" }, /* 401 */ - { 0x09, 403, 0, 4, "secp160k1" }, /* 402 */ - { 0x0A, 404, 0, 4, "secp256k1" }, /* 403 */ - { 0x0F, 405, 0, 4, "sect163r2" }, /* 404 */ - { 0x10, 406, 0, 4, "sect283k1" }, /* 405 */ - { 0x11, 407, 0, 4, "sect283r1" }, /* 406 */ - { 0x16, 408, 0, 4, "sect131r1" }, /* 407 */ - { 0x17, 409, 0, 4, "sect131r2" }, /* 408 */ - { 0x18, 410, 0, 4, "sect193r1" }, /* 409 */ - { 0x19, 411, 0, 4, "sect193r2" }, /* 410 */ - { 0x1A, 412, 0, 4, "sect233k1" }, /* 411 */ - { 0x1B, 413, 0, 4, "sect233r1" }, /* 412 */ - { 0x1C, 414, 0, 4, "secp128r1" }, /* 413 */ - { 0x1D, 415, 0, 4, "secp128r2" }, /* 414 */ - { 0x1E, 416, 0, 4, "secp160r2" }, /* 415 */ - { 0x1F, 417, 0, 4, "secp192k1" }, /* 416 */ - { 0x20, 418, 0, 4, "secp224k1" }, /* 417 */ - { 0x21, 419, 0, 4, "secp224r1" }, /* 418 */ - { 0x22, 420, 0, 4, "secp384r1" }, /* 419 */ - { 0x23, 421, 0, 4, "secp521r1" }, /* 420 */ - { 0x24, 422, 0, 4, "sect409k1" }, /* 421 */ - { 0x25, 423, 0, 4, "sect409r1" }, /* 422 */ - { 0x26, 424, 0, 4, "sect571k1" }, /* 423 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 424 */ - {0x60, 488, 1, 0, "" }, /* 425 */ - { 0x86, 0, 1, 1, "" }, /* 426 */ - { 0x48, 0, 1, 2, "" }, /* 427 */ - { 0x01, 0, 1, 3, "organization" }, /* 428 */ - { 0x65, 464, 1, 4, "gov" }, /* 429 */ - { 0x03, 0, 1, 5, "csor" }, /* 430 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 431 */ - { 0x01, 442, 1, 7, "aes" }, /* 432 */ - { 0x02, 434, 0, 8, "id-aes128-CBC" }, /* 433 */ - { 0x06, 435, 0, 8, "id-aes128-GCM" }, /* 434 */ - { 0x07, 436, 0, 8, "id-aes128-CCM" }, /* 435 */ - { 0x16, 437, 0, 8, "id-aes192-CBC" }, /* 436 */ - { 0x1A, 438, 0, 8, "id-aes192-GCM" }, /* 437 */ - { 0x1B, 439, 0, 8, "id-aes192-CCM" }, /* 438 */ - { 0x2A, 440, 0, 8, "id-aes256-CBC" }, /* 439 */ - { 0x2E, 441, 0, 8, "id-aes256-GCM" }, /* 440 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 441 */ - { 0x02, 455, 1, 7, "hashAlgs" }, /* 442 */ - { 0x01, 444, 0, 8, "id-sha256" }, /* 443 */ - { 0x02, 445, 0, 8, "id-sha384" }, /* 444 */ - { 0x03, 446, 0, 8, "id-sha512" }, /* 445 */ - { 0x04, 447, 0, 8, "id-sha224" }, /* 446 */ - { 0x05, 448, 0, 8, "id-sha512-224" }, /* 447 */ - { 0x06, 449, 0, 8, "id-sha512-256" }, /* 448 */ - { 0x07, 450, 0, 8, "id-sha3-224" }, /* 449 */ - { 0x08, 451, 0, 8, "id-sha3-256" }, /* 450 */ - { 0x09, 452, 0, 8, "id-sha3-384" }, /* 451 */ - { 0x0A, 453, 0, 8, "id-sha3-512" }, /* 452 */ - { 0x0B, 454, 0, 8, "id-shake128" }, /* 453 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 454 */ - { 0x03, 0, 1, 7, "sigAlgs" }, /* 455 */ - { 0x09, 457, 0, 8, "id-ecdsa-with-sha3-224" }, /* 456 */ - { 0x0A, 458, 0, 8, "id-ecdsa-with-sha3-256" }, /* 457 */ - { 0x0B, 459, 0, 8, "id-ecdsa-with-sha3-384" }, /* 458 */ - { 0x0C, 460, 0, 8, "id-ecdsa-with-sha3-512" }, /* 459 */ - { 0x0D, 461, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 460 */ - { 0x0E, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 461 */ - { 0x0F, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 462 */ - { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 463 */ - { 0x86, 0, 1, 4, "" }, /* 464 */ - { 0xf8, 0, 1, 5, "" }, /* 465 */ - { 0x42, 478, 1, 6, "netscape" }, /* 466 */ - { 0x01, 473, 1, 7, "" }, /* 467 */ - { 0x01, 469, 0, 8, "nsCertType" }, /* 468 */ - { 0x03, 470, 0, 8, "nsRevocationUrl" }, /* 469 */ - { 0x04, 471, 0, 8, "nsCaRevocationUrl" }, /* 470 */ - { 0x08, 472, 0, 8, "nsCaPolicyUrl" }, /* 471 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 472 */ - { 0x03, 476, 1, 7, "directory" }, /* 473 */ - { 0x01, 0, 1, 8, "" }, /* 474 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 475 */ - { 0x04, 0, 1, 7, "policy" }, /* 476 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 477 */ - { 0x45, 0, 1, 6, "verisign" }, /* 478 */ - { 0x01, 0, 1, 7, "pki" }, /* 479 */ - { 0x09, 0, 1, 8, "attributes" }, /* 480 */ - { 0x02, 482, 0, 9, "messageType" }, /* 481 */ - { 0x03, 483, 0, 9, "pkiStatus" }, /* 482 */ - { 0x04, 484, 0, 9, "failInfo" }, /* 483 */ - { 0x05, 485, 0, 9, "senderNonce" }, /* 484 */ - { 0x06, 486, 0, 9, "recipientNonce" }, /* 485 */ - { 0x07, 487, 0, 9, "transID" }, /* 486 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 487 */ - {0x67, 0, 1, 0, "" }, /* 488 */ - { 0x81, 0, 1, 1, "" }, /* 489 */ - { 0x05, 0, 1, 2, "" }, /* 490 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 491 */ - { 0x01, 493, 0, 4, "tcg-at-tpmManufacturer" }, /* 492 */ - { 0x02, 494, 0, 4, "tcg-at-tpmModel" }, /* 493 */ - { 0x03, 495, 0, 4, "tcg-at-tpmVersion" }, /* 494 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 495 */ + { 0x07, 294, 0, 7, "ipAddrBlocks" }, /* 293 */ + { 0x18, 0, 0, 7, "tlsfeature" }, /* 294 */ + { 0x02, 298, 1, 6, "id-qt" }, /* 295 */ + { 0x01, 297, 0, 7, "cps" }, /* 296 */ + { 0x02, 0, 0, 7, "unotice" }, /* 297 */ + { 0x03, 308, 1, 6, "id-kp" }, /* 298 */ + { 0x01, 300, 0, 7, "serverAuth" }, /* 299 */ + { 0x02, 301, 0, 7, "clientAuth" }, /* 300 */ + { 0x03, 302, 0, 7, "codeSigning" }, /* 301 */ + { 0x04, 303, 0, 7, "emailProtection" }, /* 302 */ + { 0x05, 304, 0, 7, "ipsecEndSystem" }, /* 303 */ + { 0x06, 305, 0, 7, "ipsecTunnel" }, /* 304 */ + { 0x07, 306, 0, 7, "ipsecUser" }, /* 305 */ + { 0x08, 307, 0, 7, "timeStamping" }, /* 306 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 307 */ + { 0x08, 316, 1, 6, "id-otherNames" }, /* 308 */ + { 0x01, 310, 0, 7, "personalData" }, /* 309 */ + { 0x02, 311, 0, 7, "userGroup" }, /* 310 */ + { 0x03, 312, 0, 7, "id-on-permanentIdentifier" }, /* 311 */ + { 0x04, 313, 0, 7, "id-on-hardwareModuleName" }, /* 312 */ + { 0x05, 314, 0, 7, "xmppAddr" }, /* 313 */ + { 0x06, 315, 0, 7, "id-on-SIM" }, /* 314 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 315 */ + { 0x0A, 321, 1, 6, "id-aca" }, /* 316 */ + { 0x01, 318, 0, 7, "authenticationInfo" }, /* 317 */ + { 0x02, 319, 0, 7, "accessIdentity" }, /* 318 */ + { 0x03, 320, 0, 7, "chargingIdentity" }, /* 319 */ + { 0x04, 0, 0, 7, "group" }, /* 320 */ + { 0x0B, 322, 0, 6, "subjectInfoAccess" }, /* 321 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 322 */ + { 0x01, 331, 1, 7, "ocsp" }, /* 323 */ + { 0x01, 325, 0, 8, "basic" }, /* 324 */ + { 0x02, 326, 0, 8, "nonce" }, /* 325 */ + { 0x03, 327, 0, 8, "crl" }, /* 326 */ + { 0x04, 328, 0, 8, "response" }, /* 327 */ + { 0x05, 329, 0, 8, "noCheck" }, /* 328 */ + { 0x06, 330, 0, 8, "archiveCutoff" }, /* 329 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 330 */ + { 0x02, 332, 0, 7, "caIssuers" }, /* 331 */ + { 0x03, 333, 0, 7, "timeStamping" }, /* 332 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 333 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 334 */ + { 0x02, 0, 1, 6, "certificate" }, /* 335 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 336 */ + { 0x0E, 343, 1, 1, "oiw" }, /* 337 */ + { 0x03, 0, 1, 2, "secsig" }, /* 338 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 339 */ + { 0x07, 341, 0, 4, "des-cbc" }, /* 340 */ + { 0x1A, 342, 0, 4, "sha-1" }, /* 341 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 342 */ + { 0x24, 389, 1, 1, "TeleTrusT" }, /* 343 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 344 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 345 */ + { 0x01, 350, 1, 4, "rsaSignature" }, /* 346 */ + { 0x02, 348, 0, 5, "rsaSigWithripemd160" }, /* 347 */ + { 0x03, 349, 0, 5, "rsaSigWithripemd128" }, /* 348 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 349 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 350 */ + { 0x01, 352, 0, 5, "ecSignWithsha1" }, /* 351 */ + { 0x02, 353, 0, 5, "ecSignWithripemd160" }, /* 352 */ + { 0x03, 354, 0, 5, "ecSignWithmd2" }, /* 353 */ + { 0x04, 355, 0, 5, "ecSignWithmd5" }, /* 354 */ + { 0x05, 372, 1, 5, "ttt-ecg" }, /* 355 */ + { 0x01, 360, 1, 6, "fieldType" }, /* 356 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 357 */ + { 0x01, 0, 1, 8, "basisType" }, /* 358 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 359 */ + { 0x02, 362, 1, 6, "keyType" }, /* 360 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 361 */ + { 0x03, 363, 0, 6, "curve" }, /* 362 */ + { 0x04, 370, 1, 6, "signatures" }, /* 363 */ + { 0x01, 365, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 364 */ + { 0x02, 366, 0, 7, "ecgdsa-with-SHA1" }, /* 365 */ + { 0x03, 367, 0, 7, "ecgdsa-with-SHA224" }, /* 366 */ + { 0x04, 368, 0, 7, "ecgdsa-with-SHA256" }, /* 367 */ + { 0x05, 369, 0, 7, "ecgdsa-with-SHA384" }, /* 368 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 369 */ + { 0x05, 0, 1, 6, "module" }, /* 370 */ + { 0x01, 0, 0, 7, "1" }, /* 371 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 372 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 373 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 374 */ + { 0x01, 376, 0, 8, "brainpoolP160r1" }, /* 375 */ + { 0x02, 377, 0, 8, "brainpoolP160t1" }, /* 376 */ + { 0x03, 378, 0, 8, "brainpoolP192r1" }, /* 377 */ + { 0x04, 379, 0, 8, "brainpoolP192t1" }, /* 378 */ + { 0x05, 380, 0, 8, "brainpoolP224r1" }, /* 379 */ + { 0x06, 381, 0, 8, "brainpoolP224t1" }, /* 380 */ + { 0x07, 382, 0, 8, "brainpoolP256r1" }, /* 381 */ + { 0x08, 383, 0, 8, "brainpoolP256t1" }, /* 382 */ + { 0x09, 384, 0, 8, "brainpoolP320r1" }, /* 383 */ + { 0x0A, 385, 0, 8, "brainpoolP320t1" }, /* 384 */ + { 0x0B, 386, 0, 8, "brainpoolP384r1" }, /* 385 */ + { 0x0C, 387, 0, 8, "brainpoolP384t1" }, /* 386 */ + { 0x0D, 388, 0, 8, "brainpoolP512r1" }, /* 387 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 388 */ + { 0x65, 392, 1, 1, "Thawte" }, /* 389 */ + { 0x70, 391, 0, 2, "id-Ed25519" }, /* 390 */ + { 0x71, 0, 0, 2, "id-Ed448" }, /* 391 */ + { 0x81, 0, 1, 1, "" }, /* 392 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 393 */ + { 0x00, 0, 1, 3, "curve" }, /* 394 */ + { 0x01, 396, 0, 4, "sect163k1" }, /* 395 */ + { 0x02, 397, 0, 4, "sect163r1" }, /* 396 */ + { 0x03, 398, 0, 4, "sect239k1" }, /* 397 */ + { 0x04, 399, 0, 4, "sect113r1" }, /* 398 */ + { 0x05, 400, 0, 4, "sect113r2" }, /* 399 */ + { 0x06, 401, 0, 4, "secp112r1" }, /* 400 */ + { 0x07, 402, 0, 4, "secp112r2" }, /* 401 */ + { 0x08, 403, 0, 4, "secp160r1" }, /* 402 */ + { 0x09, 404, 0, 4, "secp160k1" }, /* 403 */ + { 0x0A, 405, 0, 4, "secp256k1" }, /* 404 */ + { 0x0F, 406, 0, 4, "sect163r2" }, /* 405 */ + { 0x10, 407, 0, 4, "sect283k1" }, /* 406 */ + { 0x11, 408, 0, 4, "sect283r1" }, /* 407 */ + { 0x16, 409, 0, 4, "sect131r1" }, /* 408 */ + { 0x17, 410, 0, 4, "sect131r2" }, /* 409 */ + { 0x18, 411, 0, 4, "sect193r1" }, /* 410 */ + { 0x19, 412, 0, 4, "sect193r2" }, /* 411 */ + { 0x1A, 413, 0, 4, "sect233k1" }, /* 412 */ + { 0x1B, 414, 0, 4, "sect233r1" }, /* 413 */ + { 0x1C, 415, 0, 4, "secp128r1" }, /* 414 */ + { 0x1D, 416, 0, 4, "secp128r2" }, /* 415 */ + { 0x1E, 417, 0, 4, "secp160r2" }, /* 416 */ + { 0x1F, 418, 0, 4, "secp192k1" }, /* 417 */ + { 0x20, 419, 0, 4, "secp224k1" }, /* 418 */ + { 0x21, 420, 0, 4, "secp224r1" }, /* 419 */ + { 0x22, 421, 0, 4, "secp384r1" }, /* 420 */ + { 0x23, 422, 0, 4, "secp521r1" }, /* 421 */ + { 0x24, 423, 0, 4, "sect409k1" }, /* 422 */ + { 0x25, 424, 0, 4, "sect409r1" }, /* 423 */ + { 0x26, 425, 0, 4, "sect571k1" }, /* 424 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 425 */ + {0x60, 489, 1, 0, "" }, /* 426 */ + { 0x86, 0, 1, 1, "" }, /* 427 */ + { 0x48, 0, 1, 2, "" }, /* 428 */ + { 0x01, 0, 1, 3, "organization" }, /* 429 */ + { 0x65, 465, 1, 4, "gov" }, /* 430 */ + { 0x03, 0, 1, 5, "csor" }, /* 431 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 432 */ + { 0x01, 443, 1, 7, "aes" }, /* 433 */ + { 0x02, 435, 0, 8, "id-aes128-CBC" }, /* 434 */ + { 0x06, 436, 0, 8, "id-aes128-GCM" }, /* 435 */ + { 0x07, 437, 0, 8, "id-aes128-CCM" }, /* 436 */ + { 0x16, 438, 0, 8, "id-aes192-CBC" }, /* 437 */ + { 0x1A, 439, 0, 8, "id-aes192-GCM" }, /* 438 */ + { 0x1B, 440, 0, 8, "id-aes192-CCM" }, /* 439 */ + { 0x2A, 441, 0, 8, "id-aes256-CBC" }, /* 440 */ + { 0x2E, 442, 0, 8, "id-aes256-GCM" }, /* 441 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 442 */ + { 0x02, 456, 1, 7, "hashAlgs" }, /* 443 */ + { 0x01, 445, 0, 8, "id-sha256" }, /* 444 */ + { 0x02, 446, 0, 8, "id-sha384" }, /* 445 */ + { 0x03, 447, 0, 8, "id-sha512" }, /* 446 */ + { 0x04, 448, 0, 8, "id-sha224" }, /* 447 */ + { 0x05, 449, 0, 8, "id-sha512-224" }, /* 448 */ + { 0x06, 450, 0, 8, "id-sha512-256" }, /* 449 */ + { 0x07, 451, 0, 8, "id-sha3-224" }, /* 450 */ + { 0x08, 452, 0, 8, "id-sha3-256" }, /* 451 */ + { 0x09, 453, 0, 8, "id-sha3-384" }, /* 452 */ + { 0x0A, 454, 0, 8, "id-sha3-512" }, /* 453 */ + { 0x0B, 455, 0, 8, "id-shake128" }, /* 454 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 455 */ + { 0x03, 0, 1, 7, "sigAlgs" }, /* 456 */ + { 0x09, 458, 0, 8, "id-ecdsa-with-sha3-224" }, /* 457 */ + { 0x0A, 459, 0, 8, "id-ecdsa-with-sha3-256" }, /* 458 */ + { 0x0B, 460, 0, 8, "id-ecdsa-with-sha3-384" }, /* 459 */ + { 0x0C, 461, 0, 8, "id-ecdsa-with-sha3-512" }, /* 460 */ + { 0x0D, 462, 0, 8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 461 */ + { 0x0E, 463, 0, 8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 462 */ + { 0x0F, 464, 0, 8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 463 */ + { 0x10, 0, 0, 8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 464 */ + { 0x86, 0, 1, 4, "" }, /* 465 */ + { 0xf8, 0, 1, 5, "" }, /* 466 */ + { 0x42, 479, 1, 6, "netscape" }, /* 467 */ + { 0x01, 474, 1, 7, "" }, /* 468 */ + { 0x01, 470, 0, 8, "nsCertType" }, /* 469 */ + { 0x03, 471, 0, 8, "nsRevocationUrl" }, /* 470 */ + { 0x04, 472, 0, 8, "nsCaRevocationUrl" }, /* 471 */ + { 0x08, 473, 0, 8, "nsCaPolicyUrl" }, /* 472 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 473 */ + { 0x03, 477, 1, 7, "directory" }, /* 474 */ + { 0x01, 0, 1, 8, "" }, /* 475 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 476 */ + { 0x04, 0, 1, 7, "policy" }, /* 477 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 478 */ + { 0x45, 0, 1, 6, "verisign" }, /* 479 */ + { 0x01, 0, 1, 7, "pki" }, /* 480 */ + { 0x09, 0, 1, 8, "attributes" }, /* 481 */ + { 0x02, 483, 0, 9, "messageType" }, /* 482 */ + { 0x03, 484, 0, 9, "pkiStatus" }, /* 483 */ + { 0x04, 485, 0, 9, "failInfo" }, /* 484 */ + { 0x05, 486, 0, 9, "senderNonce" }, /* 485 */ + { 0x06, 487, 0, 9, "recipientNonce" }, /* 486 */ + { 0x07, 488, 0, 9, "transID" }, /* 487 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 488 */ + {0x67, 0, 1, 0, "" }, /* 489 */ + { 0x81, 0, 1, 1, "" }, /* 490 */ + { 0x05, 0, 1, 2, "" }, /* 491 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 492 */ + { 0x01, 494, 0, 4, "tcg-at-tpmManufacturer" }, /* 493 */ + { 0x02, 495, 0, 4, "tcg-at-tpmModel" }, /* 494 */ + { 0x03, 496, 0, 4, "tcg-at-tpmVersion" }, /* 495 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 496 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 0e9b7ea24..230fe2f87 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -167,110 +167,110 @@ extern const oid_t oid_names[]; #define OID_BLOWFISH_CBC 247 #define OID_AUTHORITY_INFO_ACCESS 291 #define OID_IP_ADDR_BLOCKS 293 -#define OID_POLICY_QUALIFIER_CPS 295 -#define OID_POLICY_QUALIFIER_UNOTICE 296 -#define OID_SERVER_AUTH 298 -#define OID_CLIENT_AUTH 299 -#define OID_OCSP_SIGNING 306 -#define OID_XMPP_ADDR 312 -#define OID_AUTHENTICATION_INFO 316 -#define OID_ACCESS_IDENTITY 317 -#define OID_CHARGING_IDENTITY 318 -#define OID_GROUP 319 -#define OID_OCSP 322 -#define OID_BASIC 323 -#define OID_NONCE 324 -#define OID_CRL 325 -#define OID_RESPONSE 326 -#define OID_NO_CHECK 327 -#define OID_ARCHIVE_CUTOFF 328 -#define OID_SERVICE_LOCATOR 329 -#define OID_CA_ISSUERS 330 -#define OID_IKE_INTERMEDIATE 335 -#define OID_DES_CBC 339 -#define OID_SHA1 340 -#define OID_SHA1_WITH_RSA_OIW 341 -#define OID_ECGDSA_PUBKEY 360 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 363 -#define OID_ECGDSA_SIG_WITH_SHA1 364 -#define OID_ECGDSA_SIG_WITH_SHA224 365 -#define OID_ECGDSA_SIG_WITH_SHA256 366 -#define OID_ECGDSA_SIG_WITH_SHA384 367 -#define OID_ECGDSA_SIG_WITH_SHA512 368 -#define OID_ED25519 389 -#define OID_ED448 390 -#define OID_SECT163K1 394 -#define OID_SECT163R1 395 -#define OID_SECT239K1 396 -#define OID_SECT113R1 397 -#define OID_SECT113R2 398 -#define OID_SECT112R1 399 -#define OID_SECT112R2 400 -#define OID_SECT160R1 401 -#define OID_SECT160K1 402 -#define OID_SECT256K1 403 -#define OID_SECT163R2 404 -#define OID_SECT283K1 405 -#define OID_SECT283R1 406 -#define OID_SECT131R1 407 -#define OID_SECT131R2 408 -#define OID_SECT193R1 409 -#define OID_SECT193R2 410 -#define OID_SECT233K1 411 -#define OID_SECT233R1 412 -#define OID_SECT128R1 413 -#define OID_SECT128R2 414 -#define OID_SECT160R2 415 -#define OID_SECT192K1 416 -#define OID_SECT224K1 417 -#define OID_SECT224R1 418 -#define OID_SECT384R1 419 -#define OID_SECT521R1 420 -#define OID_SECT409K1 421 -#define OID_SECT409R1 422 -#define OID_SECT571K1 423 -#define OID_SECT571R1 424 -#define OID_AES128_CBC 433 -#define OID_AES128_GCM 434 -#define OID_AES128_CCM 435 -#define OID_AES192_CBC 436 -#define OID_AES192_GCM 437 -#define OID_AES192_CCM 438 -#define OID_AES256_CBC 439 -#define OID_AES256_GCM 440 -#define OID_AES256_CCM 441 -#define OID_SHA256 443 -#define OID_SHA384 444 -#define OID_SHA512 445 -#define OID_SHA224 446 -#define OID_SHA3_224 449 -#define OID_SHA3_256 450 -#define OID_SHA3_384 451 -#define OID_SHA3_512 452 -#define OID_ECDSA_WITH_SHA3_224 456 -#define OID_ECDSA_WITH_SHA3_256 457 -#define OID_ECDSA_WITH_SHA3_384 458 -#define OID_ECDSA_WITH_SHA3_512 459 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 460 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 461 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 462 -#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 463 -#define OID_NS_REVOCATION_URL 469 -#define OID_NS_CA_REVOCATION_URL 470 -#define OID_NS_CA_POLICY_URL 471 -#define OID_NS_COMMENT 472 -#define OID_EMPLOYEE_NUMBER 475 -#define OID_PKI_MESSAGE_TYPE 481 -#define OID_PKI_STATUS 482 -#define OID_PKI_FAIL_INFO 483 -#define OID_PKI_SENDER_NONCE 484 -#define OID_PKI_RECIPIENT_NONCE 485 -#define OID_PKI_TRANS_ID 486 -#define OID_TPM_MANUFACTURER 492 -#define OID_TPM_MODEL 493 -#define OID_TPM_VERSION 494 -#define OID_TPM_ID_LABEL 495 +#define OID_POLICY_QUALIFIER_CPS 296 +#define OID_POLICY_QUALIFIER_UNOTICE 297 +#define OID_SERVER_AUTH 299 +#define OID_CLIENT_AUTH 300 +#define OID_OCSP_SIGNING 307 +#define OID_XMPP_ADDR 313 +#define OID_AUTHENTICATION_INFO 317 +#define OID_ACCESS_IDENTITY 318 +#define OID_CHARGING_IDENTITY 319 +#define OID_GROUP 320 +#define OID_OCSP 323 +#define OID_BASIC 324 +#define OID_NONCE 325 +#define OID_CRL 326 +#define OID_RESPONSE 327 +#define OID_NO_CHECK 328 +#define OID_ARCHIVE_CUTOFF 329 +#define OID_SERVICE_LOCATOR 330 +#define OID_CA_ISSUERS 331 +#define OID_IKE_INTERMEDIATE 336 +#define OID_DES_CBC 340 +#define OID_SHA1 341 +#define OID_SHA1_WITH_RSA_OIW 342 +#define OID_ECGDSA_PUBKEY 361 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 364 +#define OID_ECGDSA_SIG_WITH_SHA1 365 +#define OID_ECGDSA_SIG_WITH_SHA224 366 +#define OID_ECGDSA_SIG_WITH_SHA256 367 +#define OID_ECGDSA_SIG_WITH_SHA384 368 +#define OID_ECGDSA_SIG_WITH_SHA512 369 +#define OID_ED25519 390 +#define OID_ED448 391 +#define OID_SECT163K1 395 +#define OID_SECT163R1 396 +#define OID_SECT239K1 397 +#define OID_SECT113R1 398 +#define OID_SECT113R2 399 +#define OID_SECT112R1 400 +#define OID_SECT112R2 401 +#define OID_SECT160R1 402 +#define OID_SECT160K1 403 +#define OID_SECT256K1 404 +#define OID_SECT163R2 405 +#define OID_SECT283K1 406 +#define OID_SECT283R1 407 +#define OID_SECT131R1 408 +#define OID_SECT131R2 409 +#define OID_SECT193R1 410 +#define OID_SECT193R2 411 +#define OID_SECT233K1 412 +#define OID_SECT233R1 413 +#define OID_SECT128R1 414 +#define OID_SECT128R2 415 +#define OID_SECT160R2 416 +#define OID_SECT192K1 417 +#define OID_SECT224K1 418 +#define OID_SECT224R1 419 +#define OID_SECT384R1 420 +#define OID_SECT521R1 421 +#define OID_SECT409K1 422 +#define OID_SECT409R1 423 +#define OID_SECT571K1 424 +#define OID_SECT571R1 425 +#define OID_AES128_CBC 434 +#define OID_AES128_GCM 435 +#define OID_AES128_CCM 436 +#define OID_AES192_CBC 437 +#define OID_AES192_GCM 438 +#define OID_AES192_CCM 439 +#define OID_AES256_CBC 440 +#define OID_AES256_GCM 441 +#define OID_AES256_CCM 442 +#define OID_SHA256 444 +#define OID_SHA384 445 +#define OID_SHA512 446 +#define OID_SHA224 447 +#define OID_SHA3_224 450 +#define OID_SHA3_256 451 +#define OID_SHA3_384 452 +#define OID_SHA3_512 453 +#define OID_ECDSA_WITH_SHA3_224 457 +#define OID_ECDSA_WITH_SHA3_256 458 +#define OID_ECDSA_WITH_SHA3_384 459 +#define OID_ECDSA_WITH_SHA3_512 460 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_224 461 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_256 462 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_384 463 +#define OID_RSASSA_PKCS1V15_WITH_SHA3_512 464 +#define OID_NS_REVOCATION_URL 470 +#define OID_NS_CA_REVOCATION_URL 471 +#define OID_NS_CA_POLICY_URL 472 +#define OID_NS_COMMENT 473 +#define OID_EMPLOYEE_NUMBER 476 +#define OID_PKI_MESSAGE_TYPE 482 +#define OID_PKI_STATUS 483 +#define OID_PKI_FAIL_INFO 484 +#define OID_PKI_SENDER_NONCE 485 +#define OID_PKI_RECIPIENT_NONCE 486 +#define OID_PKI_TRANS_ID 487 +#define OID_TPM_MANUFACTURER 493 +#define OID_TPM_MODEL 494 +#define OID_TPM_VERSION 495 +#define OID_TPM_ID_LABEL 496 -#define OID_MAX 496 +#define OID_MAX 497 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 9583baa5e..369f6f899 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -292,6 +292,7 @@ 0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS 0x03 "qcStatements" 0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS + 0x18 "tlsfeature" 0x02 "id-qt" 0x01 "cps" OID_POLICY_QUALIFIER_CPS 0x02 "unotice" OID_POLICY_QUALIFIER_UNOTICE diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h index 246b9a5c5..c99cb836b 100644 --- a/src/libstrongswan/collections/linked_list.h +++ b/src/libstrongswan/collections/linked_list.h @@ -195,7 +195,7 @@ struct linked_list_t { * If a linked list contains objects with function pointers, * invoke() can call a method on each of the objects. The * method is specified by an offset of the function pointer, - * which can be evalutated at compile time using the offsetof + * which can be evaluated at compile time using the offsetof * macro, e.g.: list->invoke(list, offsetof(object_t, method)); * * @param offset offset of the method to invoke on objects diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index d1be7b401..278c67405 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -73,9 +73,6 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_AUTH_CLASS: case AUTH_RULE_EAP_TYPE: case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_RSA_STRENGTH: - case AUTH_RULE_ECDSA_STRENGTH: - case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_IDENTITY: case AUTH_RULE_IDENTITY_LOOSE: case AUTH_RULE_EAP_IDENTITY: @@ -94,6 +91,9 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_CA_CERT: case AUTH_RULE_IM_CERT: case AUTH_RULE_CERT_POLICY: + case AUTH_RULE_RSA_STRENGTH: + case AUTH_RULE_ECDSA_STRENGTH: + case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: @@ -737,8 +737,8 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, } enumerator->destroy(enumerator); - /* if no explicit IKE signature contraints were added we add them for all - * configured signature contraints */ + /* if no explicit IKE signature constraints were added we add them for all + * configured signature constraints */ if (ike && !ike_added && lib->settings->get_bool(lib->settings, "%s.signature_authentication_constraints", TRUE, diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c index 303816391..d6523821e 100644 --- a/src/libstrongswan/credentials/cred_encoding.c +++ b/src/libstrongswan/credentials/cred_encoding.c @@ -39,7 +39,7 @@ struct private_cred_encoding_t { hashtable_t *cache[CRED_ENCODING_MAX]; /** - * Registered encoding fuctions, cred_encoder_t + * Registered encoding functions, cred_encoder_t */ linked_list_t *encoders; diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c index 6b4d22e7b..8f42fb940 100644 --- a/src/libstrongswan/credentials/keys/signature_params.c +++ b/src/libstrongswan/credentials/keys/signature_params.c @@ -280,13 +280,17 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params) case RSASSA_PSS_PARAMS_MGF_ALG: if (object.len) { - chunk_t hash; + chunk_t hash = chunk_empty; alg = asn1_parse_algorithmIdentifier(object, level, &hash); if (alg != OID_MGF1) { goto end; } + if (!hash.len) + { + goto end; + } alg = asn1_parse_algorithmIdentifier(hash, level+1, NULL); params->mgf1_hash = hasher_algorithm_from_oid(alg); if (params->mgf1_hash == HASH_UNKNOWN) diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c index 0e64f0350..f1579c60a 100644 --- a/src/libstrongswan/credentials/sets/cert_cache.c +++ b/src/libstrongswan/credentials/sets/cert_cache.c @@ -239,7 +239,7 @@ METHOD(cert_cache_t, issued_by, bool, } /** - * certificate enumerator implemenation + * certificate enumerator implementation */ typedef struct { /** implements enumerator_t interface */ diff --git a/src/libcharon/config/proposal.c b/src/libstrongswan/crypto/proposal/proposal.c index 46c3c9400..bb0a02b59 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libstrongswan/crypto/proposal/proposal.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2008-2016 Tobias Brunner + * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2006-2010 Martin Willi * Copyright (C) 2013-2015 Andreas Steffen - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -19,7 +19,6 @@ #include "proposal.h" -#include <daemon.h> #include <collections/array.h> #include <utils/identification.h> @@ -172,6 +171,36 @@ METHOD(proposal_t, has_dh_group, bool, return found; } +METHOD(proposal_t, promote_dh_group, bool, + private_proposal_t *this, diffie_hellman_group_t group) +{ + enumerator_t *enumerator; + entry_t *entry; + bool found = FALSE; + + enumerator = array_create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->type == DIFFIE_HELLMAN_GROUP && + entry->alg == group) + { + array_remove_at(this->transforms, enumerator); + found = TRUE; + } + } + enumerator->destroy(enumerator); + + if (found) + { + entry_t entry = { + .type = DIFFIE_HELLMAN_GROUP, + .alg = group, + }; + array_insert(this->transforms, ARRAY_HEAD, &entry); + } + return found; +} + METHOD(proposal_t, strip_dh, void, private_proposal_t *this, diffie_hellman_group_t keep) { @@ -668,7 +697,7 @@ int proposal_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec, { enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &this)) - { /* call recursivly */ + { /* call recursively */ if (first) { written += print_in_hook(data, "%P", this); @@ -717,6 +746,7 @@ proposal_t *proposal_create(protocol_id_t protocol, u_int number) .create_enumerator = _create_enumerator, .get_algorithm = _get_algorithm, .has_dh_group = _has_dh_group, + .promote_dh_group = _promote_dh_group, .strip_dh = _strip_dh, .select = _select_proposal, .get_protocol = _get_protocol, @@ -954,6 +984,7 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead) { case MODP_3072_BIT: case MODP_4096_BIT: + case MODP_6144_BIT: case MODP_8192_BIT: add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0); break; diff --git a/src/libcharon/config/proposal.h b/src/libstrongswan/crypto/proposal/proposal.h index 0dc70f4c5..0052674b9 100644 --- a/src/libcharon/config/proposal.h +++ b/src/libstrongswan/crypto/proposal/proposal.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009-2016 Tobias Brunner + * Copyright (C) 2009-2018 Tobias Brunner * Copyright (C) 2006 Martin Willi * HSR Hochschule fuer Technik Rapperswil * @@ -16,7 +16,7 @@ /** * @defgroup proposal proposal - * @{ @ingroup config + * @{ @ingroup crypto */ #ifndef PROPOSAL_H_ @@ -108,7 +108,16 @@ struct proposal_t { * @param group group to check for * @return TRUE if algorithm included */ - bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group); + bool (*has_dh_group)(proposal_t *this, diffie_hellman_group_t group); + + /** + * Move the given DH group to the front of the list if it was contained in + * the proposal. + * + * @param group group to promote + * @return TRUE if algorithm included + */ + bool (*promote_dh_group)(proposal_t *this, diffie_hellman_group_t group); /** * Strip DH groups from proposal to use it without PFS. diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords.h b/src/libstrongswan/crypto/proposal/proposal_keywords.h index 856abdce6..b062221e5 100644 --- a/src/libstrongswan/crypto/proposal/proposal_keywords.h +++ b/src/libstrongswan/crypto/proposal/proposal_keywords.h @@ -37,7 +37,7 @@ /** * @defgroup proposal_keywords proposal_keywords - * @{ @ingroup crypto + * @{ @ingroup proposal */ #ifndef PROPOSAL_KEYWORDS_H_ diff --git a/src/libstrongswan/eap/eap.c b/src/libstrongswan/eap/eap.c index 64b5dbe51..2b7295e3d 100644 --- a/src/libstrongswan/eap/eap.c +++ b/src/libstrongswan/eap/eap.c @@ -157,6 +157,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str) type = eap_type_from_string(part); if (!type) { + errno = 0; type = strtoul(part, &end, 0); if (*end != '\0' || errno) { @@ -166,6 +167,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str) } continue; } + errno = 0; vendor = strtoul(part, &end, 0); if (*end != '\0' || errno) { diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c index 68c3935b9..c992eb5ad 100644 --- a/src/libstrongswan/ipsec/ipsec_types.c +++ b/src/libstrongswan/ipsec/ipsec_types.c @@ -104,7 +104,10 @@ bool mark_from_string(const char *value, mark_t *mark) { mark->mask = 0xffffffff; } - /* apply the mask to ensure the value is in range */ - mark->value &= mark->mask; + if (!MARK_IS_UNIQUE(mark->value)) + { + /* apply the mask to ensure the value is in range */ + mark->value &= mark->mask; + } return TRUE; } diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index 7944b9356..dbdf5cfe9 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -26,6 +26,7 @@ #include <collections/hashtable.h> #include <utils/backtrace.h> #include <selectors/traffic_selector.h> +#include <crypto/proposal/proposal.h> #define CHECKSUM_LIBRARY IPSEC_LIB_DIR"/libchecksum.so" @@ -369,6 +370,8 @@ bool library_init(char *settings, const char *namespace) PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); pfh->add_handler(pfh, 'R', traffic_selector_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); + pfh->add_handler(pfh, 'P', proposal_printf_hook, + PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); this->objects = hashtable_create((hashtable_hash_t)hash, (hashtable_equals_t)equals, 4); diff --git a/src/libstrongswan/plugins/blowfish/bf_enc.c b/src/libstrongswan/plugins/blowfish/bf_enc.c index ebcc5dbdf..f9591c1a4 100644 --- a/src/libstrongswan/plugins/blowfish/bf_enc.c +++ b/src/libstrongswan/plugins/blowfish/bf_enc.c @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/bf_locl.h b/src/libstrongswan/plugins/blowfish/bf_locl.h index 1375a0aa9..e5f49280b 100644 --- a/src/libstrongswan/plugins/blowfish/bf_locl.h +++ b/src/libstrongswan/plugins/blowfish/bf_locl.h @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/bf_pi.h b/src/libstrongswan/plugins/blowfish/bf_pi.h index 79d23db6c..86c2ef366 100644 --- a/src/libstrongswan/plugins/blowfish/bf_pi.h +++ b/src/libstrongswan/plugins/blowfish/bf_pi.h @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/bf_skey.c b/src/libstrongswan/plugins/blowfish/bf_skey.c index ceec3b8d4..52a051890 100644 --- a/src/libstrongswan/plugins/blowfish/bf_skey.c +++ b/src/libstrongswan/plugins/blowfish/bf_skey.c @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/blowfish.h b/src/libstrongswan/plugins/blowfish/blowfish.h index 9aa30df4b..3c8f77a0f 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish.h +++ b/src/libstrongswan/plugins/blowfish/blowfish.h @@ -7,7 +7,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -32,7 +32,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c index 1708e078d..6d8d1d709 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_crypter.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_crypter.c @@ -6,7 +6,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions + * the following conditions are adhered to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms @@ -31,7 +31,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: diff --git a/src/libstrongswan/plugins/des/des_crypter.c b/src/libstrongswan/plugins/des/des_crypter.c index d236bd429..cb5064d90 100644 --- a/src/libstrongswan/plugins/des/des_crypter.c +++ b/src/libstrongswan/plugins/des/des_crypter.c @@ -13,7 +13,7 @@ * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. + * the following conditions are adhered to. * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. @@ -34,7 +34,7 @@ * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library + * The word 'cryptographic' can be left out if the routines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: @@ -309,7 +309,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! #endif /* The changes to this macro may help or hinder, depending on the - * compiler and the achitecture. gcc2 always seems to do well :-). + * compiler and the architecture. gcc2 always seems to do well :-). * Inspired by Dana How <how@isl.stanford.edu> * DO NOT use the alternative version on machines with 8 byte longs. * It does not seem to work on the Alpha, even when DES_LONG is 4 diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index aca232c86..241ef7d3b 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c @@ -936,7 +936,12 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this) bool success = FALSE; gmp_randinit_default(rstate); - mpz_inits(k, r, g, y, n1, x, NULL); + mpz_init(k); + mpz_init(r); + mpz_init(g); + mpz_init(y); + mpz_init(n1); + mpz_init(x); /* k = (d * e) - 1 */ mpz_mul(k, *this->d, this->e); mpz_sub_ui(k, k, 1); @@ -956,7 +961,7 @@ static bool calculate_pq(private_gmp_rsa_private_key_t *this) { /* generate random integer g in [0, n-1] */ mpz_urandomm(g, rstate, this->n); /* y = g^r mod n */ - mpz_powm_sec(y, g, r, this->n); + mpz_powm(y, g, r, this->n); /* try again if y == 1 or y == n-1 */ if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, n1) == 0) { diff --git a/src/libstrongswan/plugins/newhope/newhope_ke.c b/src/libstrongswan/plugins/newhope/newhope_ke.c index 28956d5fb..72b7e034c 100644 --- a/src/libstrongswan/plugins/newhope/newhope_ke.c +++ b/src/libstrongswan/plugins/newhope/newhope_ke.c @@ -246,7 +246,7 @@ static uint32_t* multiply_ntt_inv_poly(private_newhope_ke_t *this, uint32_t *b) } /** - * Pack four 2-bit coefficents into one byte + * Pack four 2-bit coefficients into one byte */ static void pack_rec(private_newhope_ke_t *this, uint8_t *x, uint8_t *r) { diff --git a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c index ca6899786..efcd2b30a 100644 --- a/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c +++ b/src/libstrongswan/plugins/pkcs7/pkcs7_attributes.c @@ -202,7 +202,7 @@ pkcs7_attributes_t *pkcs7_attributes_create(void) } /** - * ASN.1 definition of the X.501 atttribute type + * ASN.1 definition of the X.501 attribute type */ static const asn1Object_t attributesObjects[] = { { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ diff --git a/src/libstrongswan/plugins/plugin_loader.h b/src/libstrongswan/plugins/plugin_loader.h index 92a860615..156bd8656 100644 --- a/src/libstrongswan/plugins/plugin_loader.h +++ b/src/libstrongswan/plugins/plugin_loader.h @@ -76,7 +76,7 @@ struct plugin_loader_t { * If \<ns>.load_modular is enabled (where \<ns> is lib->ns) the plugins to * load are determined via a load option in their respective plugin config * section e.g. \<ns>.plugins.\<plugin>.load = <priority|bool>. - * The oder is determined by the configured priority. If two plugins have + * The order is determined by the configured priority. If two plugins have * the same priority the order as seen in list is preserved. Plugins not * found in list are loaded first, in alphabetical order. * diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 16ee0ecc7..1b68320df 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -444,7 +444,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, enumerator_t *enumerator; time_t revocation; crl_reason_t reason; - chunk_t serial; + chunk_t subject_serial, serial; crl_t *crl = (crl_t*)cand; if (base) @@ -473,10 +473,11 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, return best; } + subject_serial = chunk_skip_zero(subject->get_serial(subject)); enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) { - if (chunk_equals(serial, subject->get_serial(subject))) + if (chunk_equals(subject_serial, chunk_skip_zero(serial))) { if (reason != CRL_REASON_CERTIFICATE_HOLD) { diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h index 1cd96d976..239487dae 100644 --- a/src/libstrongswan/processing/scheduler.h +++ b/src/libstrongswan/processing/scheduler.h @@ -45,7 +45,7 @@ typedef struct scheduler_t scheduler_t; * in-between got slower, as the number of events grew larger (O(n)). * For each connection there could be several events: IKE-rekey, NAT-keepalive, * retransmissions, expire (half-open), and others. So a gateway that probably - * has to handle thousands of concurrent connnections has to be able to queue a + * has to handle thousands of concurrent connections has to be able to queue a * large number of events as fast as possible. Locking makes this even worse, to * provide thread-safety, no events can be processed, while an event is queued, * so making the insertion fast is even more important. @@ -97,13 +97,13 @@ struct scheduler_t { void (*schedule_job_ms) (scheduler_t *this, job_t *job, uint32_t ms); /** - * Adds a event to the queue, using an absolut time. + * Adds a event to the queue, using an absolute time. * * The passed timeval should be calculated based on the time_monotonic() * function. * * @param job job to schedule - * @param time absolut time to schedule job + * @param time absolute time to schedule job */ void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv); diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index 07f5eb5f2..5737e7a17 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -47,6 +47,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_auth_cfg.c \ suites/test_hasher.c \ suites/test_crypter.c \ + suites/test_proposal.c \ suites/test_crypto_factory.c \ suites/test_iv_gen.c \ suites/test_pen.c \ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index f8f8ce83e..20cb27cf3 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -152,6 +152,7 @@ am_libstrongswan_tests_OBJECTS = libstrongswan_tests-tests.$(OBJEXT) \ suites/libstrongswan_tests-test_auth_cfg.$(OBJEXT) \ suites/libstrongswan_tests-test_hasher.$(OBJEXT) \ suites/libstrongswan_tests-test_crypter.$(OBJEXT) \ + suites/libstrongswan_tests-test_proposal.$(OBJEXT) \ suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT) \ suites/libstrongswan_tests-test_iv_gen.$(OBJEXT) \ suites/libstrongswan_tests-test_pen.$(OBJEXT) \ @@ -535,6 +536,7 @@ libstrongswan_tests_SOURCES = tests.h tests.c \ suites/test_auth_cfg.c \ suites/test_hasher.c \ suites/test_crypter.c \ + suites/test_proposal.c \ suites/test_crypto_factory.c \ suites/test_iv_gen.c \ suites/test_pen.c \ @@ -683,6 +685,8 @@ suites/libstrongswan_tests-test_hasher.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_crypter.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) +suites/libstrongswan_tests-test_proposal.$(OBJEXT): \ + suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_crypto_factory.$(OBJEXT): \ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp) suites/libstrongswan_tests-test_iv_gen.$(OBJEXT): \ @@ -750,6 +754,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_pen.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_printf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_rsa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_settings.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libstrongswan_tests-test_signature_params.Po@am__quote@ @@ -1199,6 +1204,20 @@ suites/libstrongswan_tests-test_crypter.obj: suites/test_crypter.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_crypter.obj `if test -f 'suites/test_crypter.c'; then $(CYGPATH_W) 'suites/test_crypter.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_crypter.c'; fi` +suites/libstrongswan_tests-test_proposal.o: suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.o `test -f 'suites/test_proposal.c' || echo '$(srcdir)/'`suites/test_proposal.c + +suites/libstrongswan_tests-test_proposal.obj: suites/test_proposal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_proposal.obj -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_proposal.c' object='suites/libstrongswan_tests-test_proposal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -c -o suites/libstrongswan_tests-test_proposal.obj `if test -f 'suites/test_proposal.c'; then $(CYGPATH_W) 'suites/test_proposal.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_proposal.c'; fi` + suites/libstrongswan_tests-test_crypto_factory.o: suites/test_crypto_factory.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libstrongswan_tests_CFLAGS) $(CFLAGS) -MT suites/libstrongswan_tests-test_crypto_factory.o -MD -MP -MF suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo -c -o suites/libstrongswan_tests-test_crypto_factory.o `test -f 'suites/test_crypto_factory.c' || echo '$(srcdir)/'`suites/test_crypto_factory.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Tpo suites/$(DEPDIR)/libstrongswan_tests-test_crypto_factory.Po diff --git a/src/libcharon/tests/suites/test_proposal.c b/src/libstrongswan/tests/suites/test_proposal.c index f1591794a..1a2f97d5f 100644 --- a/src/libcharon/tests/suites/test_proposal.c +++ b/src/libstrongswan/tests/suites/test_proposal.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2016 Tobias Brunner + * Copyright (C) 2016-2018 Tobias Brunner * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,7 +15,7 @@ #include "test_suite.h" -#include <config/proposal.h> +#include <crypto/proposal/proposal.h> static struct { protocol_id_t proto; @@ -57,21 +57,27 @@ static struct { { PROTO_AH, "sha256-esn-noesn", "AH:HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ" }, }; -START_TEST(test_create_from_string) +static void assert_proposal_eq(proposal_t *proposal, char *expected) { - proposal_t *proposal; char str[BUF_LEN]; - proposal = proposal_create_from_string(create_data[_i].proto, - create_data[_i].proposal); - if (!create_data[_i].expected) + if (!expected) { ck_assert(!proposal); return; } snprintf(str, sizeof(str), "%P", proposal); - ck_assert_str_eq(create_data[_i].expected, str); - proposal->destroy(proposal); + ck_assert_str_eq(expected, str); +} + +START_TEST(test_create_from_string) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(create_data[_i].proto, + create_data[_i].proposal); + assert_proposal_eq(proposal, create_data[_i].expected); + DESTROY_IF(proposal); } END_TEST @@ -151,6 +157,43 @@ START_TEST(test_select_spi) } END_TEST +START_TEST(test_promote_dh_group) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(PROTO_IKE, + "aes128-sha256-modp3072-ecp256"); + ck_assert(proposal->promote_dh_group(proposal, ECP_256_BIT)); + assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256/MODP_3072"); + proposal->destroy(proposal); +} +END_TEST + +START_TEST(test_promote_dh_group_already_front) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(PROTO_IKE, + "aes128-sha256-modp3072-ecp256"); + ck_assert(proposal->promote_dh_group(proposal, MODP_3072_BIT)); + assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256"); + proposal->destroy(proposal); +} +END_TEST + +START_TEST(test_promote_dh_group_not_contained) +{ + proposal_t *proposal; + + proposal = proposal_create_from_string(PROTO_IKE, + "aes128-sha256-modp3072-ecp256"); + + ck_assert(!proposal->promote_dh_group(proposal, MODP_2048_BIT)); + assert_proposal_eq(proposal, "IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072/ECP_256"); + proposal->destroy(proposal); +} +END_TEST + Suite *proposal_suite_create() { Suite *s; @@ -167,5 +210,11 @@ Suite *proposal_suite_create() tcase_add_test(tc, test_select_spi); suite_add_tcase(s, tc); + tc = tcase_create("promote_dh_group"); + tcase_add_test(tc, test_promote_dh_group); + tcase_add_test(tc, test_promote_dh_group_already_front); + tcase_add_test(tc, test_promote_dh_group_not_contained); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c index 353010aaf..b423d7d2d 100644 --- a/src/libstrongswan/tests/suites/test_utils.c +++ b/src/libstrongswan/tests/suites/test_utils.c @@ -877,8 +877,23 @@ static struct { {"/0xff", TRUE, { 0, 0xff }}, {"/x", FALSE, { 0 }}, {"x/x", FALSE, { 0 }}, - {"0xffffffff/0x0000ffff", TRUE, { 0x0000ffff, 0x0000ffff }}, - {"0xffffffff/0xffffffff", TRUE, { 0xffffffff, 0xffffffff }}, + {"0xfffffff0/0x0000ffff", TRUE, { 0x0000fff0, 0x0000ffff }}, + {"%unique", TRUE, { MARK_UNIQUE, 0xffffffff }}, + {"%unique/", TRUE, { MARK_UNIQUE, 0 }}, + {"%unique/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }}, + {"%unique/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }}, + {"%unique0xffffffffff", FALSE, { 0, 0 }}, + {"0xffffffff/0x0000ffff", TRUE, { MARK_UNIQUE, 0x0000ffff }}, + {"0xffffffff/0xffffffff", TRUE, { MARK_UNIQUE, 0xffffffff }}, + {"%unique-dir", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }}, + {"%unique-dir/", TRUE, { MARK_UNIQUE_DIR, 0 }}, + {"%unique-dir/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }}, + {"%unique-dir/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }}, + {"%unique-dir0xffffffff", FALSE, { 0, 0 }}, + {"0xfffffffe/0x0000ffff", TRUE, { MARK_UNIQUE_DIR, 0x0000ffff }}, + {"0xfffffffe/0xffffffff", TRUE, { MARK_UNIQUE_DIR, 0xffffffff }}, + {"%unique-/0xffffffff", FALSE, { 0, 0 }}, + {"%unique-foo/0xffffffff", FALSE, { 0, 0 }}, }; START_TEST(test_mark_from_string) diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index 525bdeb94..5fab227f2 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -40,6 +40,7 @@ TEST_SUITE(printf_suite_create) TEST_SUITE(auth_cfg_suite_create) TEST_SUITE(hasher_suite_create) TEST_SUITE(crypter_suite_create) +TEST_SUITE(proposal_suite_create) TEST_SUITE(crypto_factory_suite_create) TEST_SUITE_DEPEND(iv_gen_suite_create, RNG, RNG_STRONG) TEST_SUITE(pen_suite_create) diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h index d3ab0f3d9..bb384e669 100644 --- a/src/libstrongswan/threading/semaphore.h +++ b/src/libstrongswan/threading/semaphore.h @@ -29,7 +29,7 @@ typedef struct semaphore_t semaphore_t; * A semaphore is basically an integer whose value is never allowed to be * lower than 0. Two operations can be performed on it: increment the * value by one, and decrement the value by one. If the value is currently - * zero, then the decrement operation will blcok until the value becomes + * zero, then the decrement operation will block until the value becomes * greater than zero. */ struct semaphore_t { diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c index 8f4b7efff..3a7984098 100644 --- a/src/libstrongswan/utils/chunk.c +++ b/src/libstrongswan/utils/chunk.c @@ -478,7 +478,7 @@ chunk_t chunk_to_hex(chunk_t chunk, char *buf, bool uppercase) } /** - * convert a signle hex character to its binary value + * convert a single hex character to its binary value */ static char hex2bin(char hex) { @@ -859,7 +859,7 @@ static inline uint64_t siplast(size_t len, u_char *pos) } /** - * Caculate SipHash-2-4 with an optional first block given as argument. + * Calculate SipHash-2-4 with an optional first block given as argument. */ static uint64_t chunk_mac_inc(chunk_t chunk, u_char *key, uint64_t m) { diff --git a/src/libtls/tls_alert.c b/src/libtls/tls_alert.c index 7dd219db8..69570e9c9 100644 --- a/src/libtls/tls_alert.c +++ b/src/libtls/tls_alert.c @@ -106,7 +106,7 @@ struct private_tls_alert_t { bool consumed; /** - * Fatal alert discription + * Fatal alert description */ tls_alert_desc_t desc; }; diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 7f7742e88..0ec2f5cbe 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -376,7 +376,7 @@ struct private_tls_crypto_t { tls_cache_t *cache; /** - * All handshake data concatentated + * All handshake data concatenated */ chunk_t handshake; diff --git a/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h b/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h index 3477fa74e..cf6110868 100644 --- a/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h +++ b/src/libtnccs/plugins/tnccs_11/messages/imc_imv_msg.h @@ -28,7 +28,7 @@ typedef struct imc_imv_msg_t imc_imv_msg_t; #include <tncif.h> /** - * Classs representing the PB-PA message type. + * Class representing the PB-PA message type. */ struct imc_imv_msg_t { diff --git a/src/libtpmtss/Makefile.am b/src/libtpmtss/Makefile.am index 5f3a97a99..1b3a9706f 100644 --- a/src/libtpmtss/Makefile.am +++ b/src/libtpmtss/Makefile.am @@ -48,5 +48,3 @@ if MONOLITHIC libtpmtss_la_LIBADD += plugins/tpm/libstrongswan-tpm.la endif endif - - diff --git a/src/libtpmtss/plugins/tpm/Makefile.am b/src/libtpmtss/plugins/tpm/Makefile.am index 281281022..27db5cc01 100644 --- a/src/libtpmtss/plugins/tpm/Makefile.am +++ b/src/libtpmtss/plugins/tpm/Makefile.am @@ -15,6 +15,7 @@ endif libstrongswan_tpm_la_SOURCES = \ tpm_plugin.h tpm_plugin.c \ + tpm_cert.h tpm_cert.c \ tpm_private_key.h tpm_private_key.c \ tpm_rng.h tpm_rng.c diff --git a/src/libtpmtss/plugins/tpm/Makefile.in b/src/libtpmtss/plugins/tpm/Makefile.in index a12c18a35..e03e73656 100644 --- a/src/libtpmtss/plugins/tpm/Makefile.in +++ b/src/libtpmtss/plugins/tpm/Makefile.in @@ -138,8 +138,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) @MONOLITHIC_FALSE@libstrongswan_tpm_la_DEPENDENCIES = \ @MONOLITHIC_FALSE@ $(top_builddir)/src/libtpmtss/libtpmtss.la -am_libstrongswan_tpm_la_OBJECTS = tpm_plugin.lo tpm_private_key.lo \ - tpm_rng.lo +am_libstrongswan_tpm_la_OBJECTS = tpm_plugin.lo tpm_cert.lo \ + tpm_private_key.lo tpm_rng.lo libstrongswan_tpm_la_OBJECTS = $(am_libstrongswan_tpm_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -465,6 +465,7 @@ AM_CFLAGS = \ libstrongswan_tpm_la_SOURCES = \ tpm_plugin.h tpm_plugin.c \ + tpm_cert.h tpm_cert.c \ tpm_private_key.h tpm_private_key.c \ tpm_rng.h tpm_rng.c @@ -558,6 +559,7 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_cert.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_private_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_rng.Plo@am__quote@ diff --git a/src/libtpmtss/plugins/tpm/tpm_cert.c b/src/libtpmtss/plugins/tpm/tpm_cert.c new file mode 100644 index 000000000..248da7e53 --- /dev/null +++ b/src/libtpmtss/plugins/tpm/tpm_cert.c @@ -0,0 +1,97 @@ +/* + * Copyright (C) 2017 Andreas Steffen + * HSR Hochschule für Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tpm_cert.h" + +#include <tpm_tss.h> + +#include <utils/debug.h> + + +/** + * See header. + */ +certificate_t *tpm_cert_load(certificate_type_t type, va_list args) +{ + tpm_tss_t *tpm; + chunk_t keyid = chunk_empty, pin = chunk_empty, data = chunk_empty; + certificate_t *cert; + char handle_str[4]; + size_t len; + uint32_t hierarchy = 0x40000001; /* TPM_RH_OWNER */ + uint32_t handle; + bool success; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_PKCS11_KEYID: + keyid = va_arg(args, chunk_t); + continue; + case BUILD_PKCS11_SLOT: + hierarchy = va_arg(args, int); + continue; + case BUILD_PKCS11_MODULE: + va_arg(args, char*); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + /* convert keyid into 32 bit TPM key object handle */ + if (!keyid.len) + { + return NULL; + } + len = min(keyid.len, 4); + memset(handle_str, 0x00, 4); + memcpy(handle_str + 4 - len, keyid.ptr + keyid.len - len, len); + handle = untoh32(handle_str); + + /* try to find a TPM 2.0 */ + tpm = tpm_tss_probe(TPM_VERSION_2_0); + if (!tpm) + { + DBG1(DBG_LIB, "no TPM 2.0 found"); + return NULL; + } + success = tpm->get_data(tpm, hierarchy, handle, pin, &data); + tpm->destroy(tpm); + + if (!success) + { + DBG1(DBG_LIB, "loading certificate from TPM NV index 0x%08x failed", + handle); + return NULL; + } + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, data, BUILD_END); + free(data.ptr); + + if (!cert) + { + DBG1(DBG_LIB, "parsing certificate from TPM NV index 0x%08x failed", + handle); + return NULL; + } + DBG1(DBG_LIB, "loaded certificate from TPM NV index 0x%08x", handle); + + return cert; +} diff --git a/src/libtpmtss/plugins/tpm/tpm_cert.h b/src/libtpmtss/plugins/tpm/tpm_cert.h new file mode 100644 index 000000000..a6cb34554 --- /dev/null +++ b/src/libtpmtss/plugins/tpm/tpm_cert.h @@ -0,0 +1,38 @@ +/* + * Copyright (C) 2017 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tpm_cert tpm_cert + * @{ @ingroup tpm + */ + +#ifndef TPM_CERT_H_ +#define TPM_CERT_H_ + +#include <credentials/certificates/certificate.h> + +/** + * Load a specific certificate from a TPM + * + * Requires a BUILD_PKCS11_KEYID argument, and optionally a BUILD_PKCS11_SLOT + * to designate the NV storage hierarchy. + * + * @param type certificate type, must be CERT_X509 + * @param args variable argument list, containing BUILD_PKCS11_KEYID. + * @return loaded certificate, or NULL on failure + */ +certificate_t *tpm_cert_load(certificate_type_t type, va_list args); + +#endif /** TPM_CERT_H_ @}*/ diff --git a/src/libtpmtss/plugins/tpm/tpm_plugin.c b/src/libtpmtss/plugins/tpm/tpm_plugin.c index b9a4c12a8..e98899852 100644 --- a/src/libtpmtss/plugins/tpm/tpm_plugin.c +++ b/src/libtpmtss/plugins/tpm/tpm_plugin.c @@ -15,6 +15,7 @@ #include "tpm_plugin.h" #include "tpm_private_key.h" +#include "tpm_cert.h" #include "tpm_rng.h" #include <library.h> @@ -50,13 +51,19 @@ METHOD(plugin_t, get_features, int, PLUGIN_REGISTER(PRIVKEY, tpm_private_key_connect, FALSE), PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), }; - static plugin_feature_t f[countof(f_rng) + countof(f_privkey)] = {}; - + static plugin_feature_t f_cert[] = { + PLUGIN_REGISTER(CERT_DECODE, tpm_cert_load, FALSE), + PLUGIN_PROVIDE(CERT_DECODE, CERT_X509), + PLUGIN_DEPENDS(CERT_DECODE, CERT_X509), + }; + static plugin_feature_t f[countof(f_rng) + countof(f_privkey) + + countof(f_cert)] = {}; static int count = 0; if (!count) { plugin_features_add(f, f_privkey, countof(f_privkey), &count); + plugin_features_add(f, f_cert, countof(f_cert), &count); if (lib->settings->get_bool(lib->settings, "%s.plugins.tpm.use_rng", FALSE, lib->ns)) diff --git a/src/libtpmtss/tpm_tss.h b/src/libtpmtss/tpm_tss.h index f408d0440..bcb7ab949 100644 --- a/src/libtpmtss/tpm_tss.h +++ b/src/libtpmtss/tpm_tss.h @@ -144,6 +144,18 @@ struct tpm_tss_t { bool (*get_random)(tpm_tss_t *this, size_t bytes, uint8_t *buffer); /** + * Get a data blob from TPM NV store using its object handle (TPM 2.0 only) + * + * @param handle object handle of TPM key to be used for signature + * @param hierarchy hierarchy the TPM key object is attached to + * @param pin PIN code or empty chunk + * @param data returns data blob + * @return TRUE if data retrieval succeeded + */ + bool (*get_data)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle, + chunk_t pin, chunk_t *data); + + /** * Destroy a tpm_tss_t. */ void (*destroy)(tpm_tss_t *this); diff --git a/src/libtpmtss/tpm_tss_trousers.c b/src/libtpmtss/tpm_tss_trousers.c index d5bc2b84f..6ed57af9d 100644 --- a/src/libtpmtss/tpm_tss_trousers.c +++ b/src/libtpmtss/tpm_tss_trousers.c @@ -595,6 +595,13 @@ METHOD(tpm_tss_t, get_random, bool, return FALSE; } +METHOD(tpm_tss_t, get_data, bool, + private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle, + chunk_t pin, chunk_t *data) +{ + return FALSE; +} + METHOD(tpm_tss_t, destroy, void, private_tpm_tss_trousers_t *this) { @@ -639,6 +646,7 @@ tpm_tss_t *tpm_tss_trousers_create() .quote = _quote, .sign = _sign, .get_random = _get_random, + .get_data = _get_data, .destroy = _destroy, }, .load_aik = _load_aik, diff --git a/src/libtpmtss/tpm_tss_tss2.c b/src/libtpmtss/tpm_tss_tss2.c index 4c0d95fe5..8b91fb44a 100644 --- a/src/libtpmtss/tpm_tss_tss2.c +++ b/src/libtpmtss/tpm_tss_tss2.c @@ -150,14 +150,56 @@ static bool is_supported_alg(private_tpm_tss_tss2_t *this, TPM_ALG_ID alg_id) static bool get_algs_capability(private_tpm_tss_tss2_t *this) { TPMS_CAPABILITY_DATA cap_data; + TPMS_TAGGED_PROPERTY tp; TPMI_YES_NO more_data; TPM_ALG_ID alg; - uint32_t rval, i; + uint32_t rval, i, offset, revision = 0, year = 0; size_t len = BUF_LEN; - char buf[BUF_LEN]; + char buf[BUF_LEN], manufacturer[5], vendor_string[17]; char *pos = buf; int written; + /* get fixed properties */ + rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_TPM_PROPERTIES, + PT_FIXED, MAX_TPM_PROPERTIES, &more_data, &cap_data, 0); + if (rval != TPM_RC_SUCCESS) + { + DBG1(DBG_PTS, "%s GetCapability failed for TPM_CAP_TPM_PROPERTIES: 0x%06x", + LABEL, rval); + return FALSE; + } + memset(manufacturer, '\0', sizeof(manufacturer)); + memset(vendor_string, '\0', sizeof(vendor_string)); + + /* print fixed properties */ + for (i = 0; i < cap_data.data.tpmProperties.count; i++) + { + tp = cap_data.data.tpmProperties.tpmProperty[i]; + switch (tp.property) + { + case TPM_PT_REVISION: + revision = tp.value; + break; + case TPM_PT_YEAR: + year = tp.value; + break; + case TPM_PT_MANUFACTURER: + htoun32(manufacturer, tp.value); + break; + case TPM_PT_VENDOR_STRING_1: + case TPM_PT_VENDOR_STRING_2: + case TPM_PT_VENDOR_STRING_3: + case TPM_PT_VENDOR_STRING_4: + offset = 4 * (tp.property - TPM_PT_VENDOR_STRING_1); + htoun32(vendor_string + offset, tp.value); + break; + default: + break; + } + } + DBG2(DBG_PTS, "%s manufacturer: %s (%s) rev: %05.2f %u", LABEL, manufacturer, + vendor_string, (float)revision/100, year); + /* get supported algorithms */ rval = Tss2_Sys_GetCapability(this->sys_context, 0, TPM_CAP_ALGS, 0, TPM_PT_ALGORITHM_SET, &more_data, &cap_data, 0); @@ -433,6 +475,7 @@ METHOD(tpm_tss_t, get_public, chunk_t, { DBG1(DBG_PTS, "%s subjectPublicKeyInfo encoding of AIK key " "failed", LABEL); + return chunk_empty; } break; } @@ -563,8 +606,93 @@ METHOD(tpm_tss_t, extend_pcr, bool, private_tpm_tss_tss2_t *this, uint32_t pcr_num, chunk_t *pcr_value, chunk_t data, hash_algorithm_t alg) { - /* TODO */ - return FALSE; + uint32_t rval; + TPM_ALG_ID alg_id; + TPML_DIGEST_VALUES digest_values; + TPMS_AUTH_COMMAND session_data_cmd; + TPMS_AUTH_RESPONSE session_data_rsp; + TSS2_SYS_CMD_AUTHS sessions_data_cmd; + TSS2_SYS_RSP_AUTHS sessions_data_rsp; + TPMS_AUTH_COMMAND *session_data_cmd_array[1]; + TPMS_AUTH_RESPONSE *session_data_rsp_array[1]; + + session_data_cmd_array[0] = &session_data_cmd; + session_data_rsp_array[0] = &session_data_rsp; + + sessions_data_cmd.cmdAuths = &session_data_cmd_array[0]; + sessions_data_rsp.rspAuths = &session_data_rsp_array[0]; + + sessions_data_cmd.cmdAuthsCount = 1; + sessions_data_rsp.rspAuthsCount = 1; + + session_data_cmd.sessionHandle = TPM_RS_PW; + session_data_cmd.hmac.t.size = 0; + session_data_cmd.nonce.t.size = 0; + + *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0; + + /* check if hash algorithm is supported by TPM */ + alg_id = hash_alg_to_tpm_alg_id(alg); + if (!is_supported_alg(this, alg_id)) + { + DBG1(DBG_PTS, "%s %N hash algorithm not supported by TPM", + LABEL, hash_algorithm_short_names, alg); + return FALSE; + } + + digest_values.count = 1; + digest_values.digests[0].hashAlg = alg_id; + + switch (alg) + { + case HASH_SHA1: + if (data.len != HASH_SIZE_SHA1) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha1, data.ptr, + HASH_SIZE_SHA1); + break; + case HASH_SHA256: + if (data.len != HASH_SIZE_SHA256) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha256, data.ptr, + HASH_SIZE_SHA256); + break; + case HASH_SHA384: + if (data.len != HASH_SIZE_SHA384) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha384, data.ptr, + HASH_SIZE_SHA384); + break; + case HASH_SHA512: + if (data.len != HASH_SIZE_SHA512) + { + return FALSE; + } + memcpy(digest_values.digests[0].digest.sha512, data.ptr, + HASH_SIZE_SHA512); + break; + default: + return FALSE; + } + + /* extend PCR */ + rval = Tss2_Sys_PCR_Extend(this->sys_context, pcr_num, &sessions_data_cmd, + &digest_values, &sessions_data_rsp); + if (rval != TPM_RC_SUCCESS) + { + DBG1(DBG_PTS, "%s PCR %02u could not be extended: 0x%06x", + LABEL, pcr_num, rval); + return FALSE; + } + + /* get updated PCR value */ + return read_pcr(this, pcr_num, pcr_value, alg); } METHOD(tpm_tss_t, quote, bool, @@ -913,6 +1041,78 @@ METHOD(tpm_tss_t, get_random, bool, return TRUE; } +METHOD(tpm_tss_t, get_data, bool, + private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle, + chunk_t pin, chunk_t *data) +{ + uint16_t nv_size, nv_offset = 0; + uint32_t rval; + + TPM2B_NAME nv_name = { { sizeof(TPM2B_NAME)-2, } }; + TPM2B_NV_PUBLIC nv_public = { { 0, } }; + TPM2B_MAX_NV_BUFFER nv_data = { { sizeof(TPM2B_MAX_NV_BUFFER)-2, } }; + TPMS_AUTH_COMMAND session_data_cmd; + TPMS_AUTH_RESPONSE session_data_rsp; + TSS2_SYS_CMD_AUTHS sessions_data_cmd; + TSS2_SYS_RSP_AUTHS sessions_data_rsp; + TPMS_AUTH_COMMAND *session_data_cmd_array[1]; + TPMS_AUTH_RESPONSE *session_data_rsp_array[1]; + + /* get size of NV object */ + rval = Tss2_Sys_NV_ReadPublic(this->sys_context, handle, 0, &nv_public, + &nv_name, 0); + if (rval != TPM_RC_SUCCESS) + { + DBG1(DBG_PTS,"%s Tss2_Sys_NV_ReadPublic failed: 0x%06x", LABEL, rval); + return FALSE; + } + nv_size = nv_public.t.nvPublic.dataSize; + *data = chunk_alloc(nv_size); + + /*prepare NV read session */ + session_data_cmd_array[0] = &session_data_cmd; + session_data_rsp_array[0] = &session_data_rsp; + + sessions_data_cmd.cmdAuths = &session_data_cmd_array[0]; + sessions_data_rsp.rspAuths = &session_data_rsp_array[0]; + + sessions_data_cmd.cmdAuthsCount = 1; + sessions_data_rsp.rspAuthsCount = 1; + + session_data_cmd.sessionHandle = TPM_RS_PW; + session_data_cmd.nonce.t.size = 0; + session_data_cmd.hmac.t.size = 0; + + if (pin.len > 0) + { + session_data_cmd.hmac.t.size = min(sizeof(session_data_cmd.hmac.t) - 2, + pin.len); + memcpy(session_data_cmd.hmac.t.buffer, pin.ptr, + session_data_cmd.hmac.t.size); + } + *( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0; + + /* read NV data an NV buffer block at a time */ + while (nv_size > 0) + { + rval = Tss2_Sys_NV_Read(this->sys_context, hierarchy, handle, + &sessions_data_cmd, min(nv_size, MAX_NV_BUFFER_SIZE), + nv_offset, &nv_data, &sessions_data_rsp); + + if (rval != TPM_RC_SUCCESS) + { + DBG1(DBG_PTS,"%s Tss2_Sys_NV_Read failed: 0x%06x", LABEL, rval); + chunk_free(data); + return FALSE; + } + memcpy(data->ptr + nv_offset, nv_data.t.buffer, nv_data.t.size); + nv_offset += nv_data.t.size; + nv_size -= nv_data.t.size; + } + + return TRUE; +} + METHOD(tpm_tss_t, destroy, void, private_tpm_tss_tss2_t *this) { @@ -939,6 +1139,7 @@ tpm_tss_t *tpm_tss_tss2_create() .quote = _quote, .sign = _sign, .get_random = _get_random, + .get_data = _get_data, .destroy = _destroy, }, ); diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 80210166a..2ab3e61fc 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -60,7 +60,8 @@ static int print() credential_type_t type = CRED_CERTIFICATE; int subtype = CERT_X509; void *cred; - char *arg, *file = NULL; + char *arg, *file = NULL, *keyid = NULL; + chunk_t chunk; while (TRUE) { @@ -126,6 +127,9 @@ static int print() case 'i': file = arg; continue; + case 'x': + keyid = arg; + continue; case EOF: break; default: @@ -133,15 +137,20 @@ static int print() } break; } - if (file) + if (keyid) + { + chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); + cred = lib->creds->create(lib->creds, type, subtype, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + free(chunk.ptr); + } + else if (file) { cred = lib->creds->create(lib->creds, type, subtype, BUILD_FROM_FILE, file, BUILD_END); } else { - chunk_t chunk; - set_file_mode(stdin, CERT_ASN1_DER); if (!chunk_from_fd(0, &chunk)) { @@ -187,10 +196,12 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { print, 'a', "print", "print a credential in a human readable form", - {"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"}, + {"[--in file|--keyid hex] " + "[--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, + {"keyid", 'x', 1, "smartcard or TPM object handle"}, {"type", 't', 1, "type of credential, default: x509"}, } }); diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in index ad85fb381..09b8a10c3 100644 --- a/src/pki/man/pki---print.1.in +++ b/src/pki/man/pki---print.1.in @@ -7,7 +7,9 @@ pki \-\-print \- Print a credential (key, certificate etc.) in human readable fo .SH "SYNOPSIS" . .SY pki\ \-\-print -.OP \-\-in file +.RB [ \-\-in +.IR file | \fB\-\-keyid\fR +.IR hex ] .OP \-\-type type .OP \-\-debug level .YS @@ -43,6 +45,10 @@ Read command line options from \fIfile\fR. .BI "\-i, \-\-in " file Input file. If not given the input is read from \fISTDIN\fR. .TP +.BI "\-x, \-\-keyid " hex +Smartcard or TPM private key or certificate object handle in hex format with +an optional 0x prefix. +.TP .BI "\-t, \-\-type " type Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key), diff --git a/src/pt-tls-client/pt-tls-client.1.in b/src/pt-tls-client/pt-tls-client.1.in index 795054c80..3e14cbe37 100644 --- a/src/pt-tls-client/pt-tls-client.1.in +++ b/src/pt-tls-client/pt-tls-client.1.in @@ -10,7 +10,8 @@ pt-tls-client \- Simple client using PT-TLS to collect integrity information .BI \-\-connect .IR hostname |\fIaddress .OP \-\-port hex -.RB [ \-\-cert +.RB [ \-\-certid +.IR hex |\fB\-\-cert .IR file ]+ .RB [ \-\-keyid .IR hex |\fB\-\-key @@ -64,6 +65,10 @@ Set the port of the PT-TLS server, default: 271. Set the path to an X.509 certificate file. This option can be repeated to load multiple client and CA certificates. .TP +.BI "\-X, \-\-certid " hex +Set the handle of the certificate stored in a smartcard or a TPM 2.0 Trusted +Platform Module. +.TP .BI "\-k, \-\-key " file Set the path to the client's PKCS#1 or PKCS#8 private key file .TP @@ -71,7 +76,7 @@ Set the path to the client's PKCS#1 or PKCS#8 private key file Define the type of the private key if stored in PKCS#1 format. Can be omitted with PKCS#8 keys. .TP -.BI "\-x, \-\-keyid " hex +.BI "\-K, \-\-keyid " hex Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted Platform Module. .TP diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c index 841724eb3..d31e16220 100644 --- a/src/pt-tls-client/pt-tls-client.c +++ b/src/pt-tls-client/pt-tls-client.c @@ -42,7 +42,7 @@ static void usage(FILE *out) { fprintf(out, "Usage: pt-tls --connect <hostname|address> [--port <port>]\n" - " [--cert <file>]+ [--keyid <hex>|--key <file>]\n" + " [--certid <hex>|--cert <file>]+ [--keyid <hex>|--key <file>]\n" " [--key-type rsa|ecdsa] [--client <client-id>]\n" " [--secret <password>] [--mutual] [--quiet]\n" " [--debug <level>] [--options <filename>]\n"); @@ -104,15 +104,26 @@ static mem_cred_t *creds; /** * Load certificate from file */ -static bool load_certificate(char *filename) +static bool load_certificate(char *certid, char *filename) { certificate_t *cert; + chunk_t chunk; - cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_FROM_FILE, filename, BUILD_END); + if (certid) + { + chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL); + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_PKCS11_KEYID, chunk, BUILD_END); + } + else + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, filename, BUILD_END); + } if (!cert) { - DBG1(DBG_TLS, "loading certificate from '%s' failed", filename); + DBG1(DBG_TLS, "loading certificate from '%s' failed", + certid ? certid : filename); return FALSE; } creds->add_cert(creds, TRUE, cert); @@ -282,6 +293,7 @@ int main(int argc, char *argv[]) {"client", required_argument, NULL, 'i' }, {"secret", required_argument, NULL, 's' }, {"port", required_argument, NULL, 'p' }, + {"certid", required_argument, NULL, 'X' }, {"cert", required_argument, NULL, 'x' }, {"keyid", required_argument, NULL, 'K' }, {"key", required_argument, NULL, 'k' }, @@ -301,8 +313,14 @@ int main(int argc, char *argv[]) case 'h': /* --help */ usage(stdout); return 0; + case 'X': /* --certid <hex> */ + if (!load_certificate(optarg, NULL)) + { + return 1; + } + continue; case 'x': /* --cert <file> */ - if (!load_certificate(optarg)) + if (!load_certificate(NULL, optarg)) { return 1; } diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c index 19e7050da..f692e9966 100644 --- a/src/swanctl/commands/list_conns.c +++ b/src/swanctl/commands/list_conns.c @@ -84,8 +84,8 @@ CALLBACK(children_sn, int, { hashtable_t *child; char *mode, *interface, *priority; - char *rekey_time, *rekey_bytes, *rekey_packets; - bool no_time, no_bytes, no_packets, or = FALSE; + char *rekey_time, *rekey_bytes, *rekey_packets, *dpd_action, *dpd_delay; + bool no_time, no_bytes, no_packets, no_dpd, or = FALSE; int ret; child = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1); @@ -98,14 +98,18 @@ CALLBACK(children_sn, int, rekey_time = child->get(child, "rekey_time"); rekey_bytes = child->get(child, "rekey_bytes"); rekey_packets = child->get(child, "rekey_packets"); + dpd_action = child->get(child, "dpd_action"); + dpd_delay = ike->get(ike, "dpd_delay"); + no_time = streq(rekey_time, "0"); no_bytes = streq(rekey_bytes, "0"); no_packets = streq(rekey_packets, "0"); + no_dpd = streq(dpd_delay, "0"); if (strcaseeq(mode, "PASS") || strcaseeq(mode, "DROP") || (no_time && no_bytes && no_packets)) { - printf("no rekeying\n"); + printf("no rekeying"); } else { @@ -124,8 +128,12 @@ CALLBACK(children_sn, int, { printf("%s %s packets", or ? " or" : "", rekey_packets); } - printf("\n"); } + if (!no_dpd) + { + printf(", dpd action is %s", dpd_action); + } + printf("\n"); printf(" local: %s\n", child->get(child, "local-ts")); printf(" remote: %s\n", child->get(child, "remote-ts")); @@ -153,7 +161,7 @@ CALLBACK(conn_sn, int, if (streq(name, "children")) { - return vici_parse_cb(res, children_sn, NULL, NULL, NULL); + return vici_parse_cb(res, children_sn, NULL, NULL, ike); } if (strpfx(name, "local") || strpfx(name, "remote")) { @@ -225,11 +233,17 @@ CALLBACK(conn_list, int, CALLBACK(conns, int, void *null, vici_res_t *res, char *name) { - char *version, *reauth_time, *rekey_time; + int ret; + char *version, *reauth_time, *rekey_time, *dpd_delay; + hashtable_t *ike; version = vici_find_str(res, "", "%s.version", name); - reauth_time = vici_find_str(res, "", "%s.reauth_time", name); - rekey_time = vici_find_str(res, "", "%s.rekey_time", name); + reauth_time = vici_find_str(res, "0", "%s.reauth_time", name); + rekey_time = vici_find_str(res, "0", "%s.rekey_time", name); + dpd_delay = vici_find_str(res, "0", "%s.dpd_delay", name); + + ike = hashtable_create(hashtable_hash_str, hashtable_equals_str, 1); + free(ike->put(ike,"dpd_delay", strdup(dpd_delay))); printf("%s: %s, ", name, version); if (streq(version, "IKEv1")) @@ -247,22 +261,26 @@ CALLBACK(conns, int, { printf("reauthentication every %ss", reauth_time); } - if (streq(version, "IKEv1")) - { - printf("\n"); - } - else + if (!streq(version, "IKEv1")) { if (streq(rekey_time, "0")) { - printf(", no rekeying\n"); + printf(", no rekeying"); } else { - printf(", rekeying every %ss\n", rekey_time); + printf(", rekeying every %ss", rekey_time); } } - return vici_parse_cb(res, conn_sn, NULL, conn_list, NULL); + if (!streq(dpd_delay, "0")) + { + printf(", dpd delay %ss", dpd_delay); + } + printf("\n"); + + ret = vici_parse_cb(res, conn_sn, NULL, conn_list, ike); + free_hashtable(ike); + return ret; } CALLBACK(list_cb, void, diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c index 8947866f5..d82c0f98e 100644 --- a/src/swanctl/commands/load_authorities.c +++ b/src/swanctl/commands/load_authorities.c @@ -75,15 +75,15 @@ static bool add_file_key_value(vici_req_t *req, char *key, char *value) } /** - * Translate sletting key/values from a section into vici key-values/lists + * Translate sletting key/values from a section enumerator into vici + * key-values/lists. Destroys the enumerator. */ -static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section) +static bool add_key_values(vici_req_t *req, enumerator_t *enumerator) { - enumerator_t *enumerator; char *key, *value; bool ret = TRUE; - enumerator = cfg->create_key_value_enumerator(cfg, section); + while (enumerator->enumerate(enumerator, &key, &value)) { if (streq(key, "cacert")) @@ -115,17 +115,17 @@ static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section) static bool load_authority(vici_conn_t *conn, settings_t *cfg, char *section, command_format_options_t format) { + enumerator_t *enumerator; vici_req_t *req; vici_res_t *res; bool ret = TRUE; - char buf[128]; - - snprintf(buf, sizeof(buf), "%s.%s", "authorities", section); req = vici_begin("load-authority"); vici_begin_section(req, section); - if (!add_key_values(req, cfg, buf)) + enumerator = cfg->create_key_value_enumerator(cfg, "authorities.%s", + section); + if (!add_key_values(req, enumerator)) { vici_free_req(req); return FALSE; diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index d8541061e..15ef2f151 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -337,7 +337,7 @@ static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type, credential_type_t credtype; int subtype; enumerator_t *enumerator, *secrets; - char *section, *key, *value, *file, buf[128]; + char *section, *key, *value, *file; shared_key_t *shared; void *cred = NULL; mem_cred_t *mem = NULL; @@ -356,8 +356,8 @@ static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type, file = ctx->cfg->get_str(ctx->cfg, "secrets.%s.file", NULL, section); if (file && strcaseeq(file, name)) { - snprintf(buf, sizeof(buf), "secrets.%s", section); - secrets = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf); + secrets = ctx->cfg->create_key_value_enumerator(ctx->cfg, + "secrets.%s", section); while (secrets->enumerate(secrets, &key, &value)) { if (strpfx(key, "secret")) @@ -657,7 +657,7 @@ static bool load_secret(load_ctx_t *ctx, char *section) vici_req_t *req; vici_res_t *res; chunk_t data; - char *key, *value, buf[128], *type = NULL; + char *key, *value, *type = NULL; bool ret = TRUE; int i; char *types[] = { @@ -720,8 +720,8 @@ static bool load_secret(load_ctx_t *ctx, char *section) chunk_clear(&data); vici_begin_list(req, "owners"); - snprintf(buf, sizeof(buf), "secrets.%s", section); - enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf); + enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, "secrets.%s", + section); while (enumerator->enumerate(enumerator, &key, &value)) { if (strpfx(key, "id")) diff --git a/src/swanctl/commands/load_pools.c b/src/swanctl/commands/load_pools.c index 2b9fa2d42..feb8d3a52 100644 --- a/src/swanctl/commands/load_pools.c +++ b/src/swanctl/commands/load_pools.c @@ -41,14 +41,13 @@ static void add_list_key(vici_req_t *req, char *key, char *value) } /** - * Translate setting key/values from a section into vici key-values/lists + * Translate setting key/values from a section enumerator into vici + * key-values/lists. Destroys the enumerator. */ -static void add_key_values(vici_req_t *req, settings_t *cfg, char *section) +static void add_key_values(vici_req_t *req, enumerator_t *enumerator) { - enumerator_t *enumerator; char *key, *value; - enumerator = cfg->create_key_value_enumerator(cfg, section); while (enumerator->enumerate(enumerator, &key, &value)) { /* pool subnet is encoded as key/value, all other attributes as list */ @@ -70,17 +69,16 @@ static void add_key_values(vici_req_t *req, settings_t *cfg, char *section) static bool load_pool(vici_conn_t *conn, settings_t *cfg, char *section, command_format_options_t format) { + enumerator_t *enumerator; vici_req_t *req; vici_res_t *res; bool ret = TRUE; - char buf[128]; - - snprintf(buf, sizeof(buf), "%s.%s", "pools", section); req = vici_begin("load-pool"); vici_begin_section(req, section); - add_key_values(req, cfg, buf); + enumerator = cfg->create_key_value_enumerator(cfg, "pools.%s", section); + add_key_values(req, enumerator); vici_end_section(req); res = vici_submit(req, conn); diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main index 6c73d4775..637661083 100644 --- a/src/swanctl/swanctl.conf.5.main +++ b/src/swanctl/swanctl.conf.5.main @@ -726,9 +726,10 @@ trustchain validation, append hash algorithms to .RI "" "pubkey" "" or a key strength definition (for example -.RI "" "pubkey\-sha1\-sha256" "" +.RI "" "pubkey\-sha256\-sha512" "," +.RI "" "rsa\-2048\-sha256\-sha384\-sha512" "" or -.RI "" "rsa\-2048\-ecdsa\-256\-sha256\-sha384\-sha512" ")." +.RI "" "rsa\-2048\-sha256\-ecdsa\-256\-sha256\-sha384" ")." Unless disabled in .RB "" "strongswan.conf" "(5)," or explicit IKEv2 signature constraints are configured diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index 2dd9ea374..5675b31ca 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -587,8 +587,9 @@ connections.<conn>.remote<suffix>.auth = pubkey key type followed by the minimum strength in bits (for example _ecdsa-384_ or _rsa-2048-ecdsa-256_). To limit the acceptable set of hashing algorithms for trustchain validation, append hash algorithms to _pubkey_ or a key - strength definition (for example _pubkey-sha1-sha256_ or - _rsa-2048-ecdsa-256-sha256-sha384-sha512_). + strength definition (for example _pubkey-sha256-sha512_, + _rsa-2048-sha256-sha384-sha512_ or + _rsa-2048-sha256-ecdsa-256-sha256-sha384_). Unless disabled in **strongswan.conf**(5), or explicit IKEv2 signature constraints are configured (refer to the description of the **local** section's **auth** keyword for details), such key types and hash algorithms diff --git a/src/tpm_extendpcr/Makefile.am b/src/tpm_extendpcr/Makefile.am new file mode 100644 index 000000000..2e2474418 --- /dev/null +++ b/src/tpm_extendpcr/Makefile.am @@ -0,0 +1,14 @@ +bin_PROGRAMS = tpm_extendpcr + +tpm_extendpcr_SOURCES = tpm_extendpcr.c + +tpm_extendpcr_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtpmtss/libtpmtss.la + +tpm_extendpcr.o : $(top_builddir)/config.status + +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtpmtss \ + -DIPSEC_CONFDIR=\"${sysconfdir}\" diff --git a/src/tpm_extendpcr/Makefile.in b/src/tpm_extendpcr/Makefile.in new file mode 100644 index 000000000..0ce681c69 --- /dev/null +++ b/src/tpm_extendpcr/Makefile.in @@ -0,0 +1,769 @@ +# Makefile.in generated by automake 1.15 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +bin_PROGRAMS = tpm_extendpcr$(EXEEXT) +subdir = src/tpm_extendpcr +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/split-package-version.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(bindir)" +PROGRAMS = $(bin_PROGRAMS) +am_tpm_extendpcr_OBJECTS = tpm_extendpcr.$(OBJEXT) +tpm_extendpcr_OBJECTS = $(am_tpm_extendpcr_OBJECTS) +tpm_extendpcr_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtpmtss/libtpmtss.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(tpm_extendpcr_SOURCES) +DIST_SOURCES = $(tpm_extendpcr_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +ATOMICLIB = @ATOMICLIB@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BFDLIB = @BFDLIB@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FUZZING_LDFLAGS = @FUZZING_LDFLAGS@ +GEM = @GEM@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GPERF_LEN_TYPE = @GPERF_LEN_TYPE@ +GPRBUILD = @GPRBUILD@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@ +PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@ +PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@ +PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ +PTHREADLIB = @PTHREADLIB@ +PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYGEMDIR = @RUBYGEMDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +attest_plugins = @attest_plugins@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ +clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dev_headers = @dev_headers@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +imcvdir = @imcvdir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipseclibdir = @ipseclibdir@ +ipsecuser = @ipsecuser@ +json_CFLAGS = @json_CFLAGS@ +json_LIBS = @json_LIBS@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ +oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +ruby_CFLAGS = @ruby_CFLAGS@ +ruby_LIBS = @ruby_LIBS@ +runstatedir = @runstatedir@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +starter_plugins = @starter_plugins@ +strongswan_conf = @strongswan_conf@ +strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ +sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ +systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ +systemd_daemon_LIBS = @systemd_daemon_LIBS@ +systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ +systemd_journal_LIBS = @systemd_journal_LIBS@ +systemdsystemunitdir = @systemdsystemunitdir@ +t_plugins = @t_plugins@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +tss2_CFLAGS = @tss2_CFLAGS@ +tss2_LIBS = @tss2_LIBS@ +tss2_socket_CFLAGS = @tss2_socket_CFLAGS@ +tss2_socket_LIBS = @tss2_socket_LIBS@ +tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@ +tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +tpm_extendpcr_SOURCES = tpm_extendpcr.c +tpm_extendpcr_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtpmtss/libtpmtss.la + +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtpmtss \ + -DIPSEC_CONFDIR=\"${sysconfdir}\" + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/tpm_extendpcr/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/tpm_extendpcr/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-binPROGRAMS: $(bin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-binPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(bindir)" && rm -f $$files + +clean-binPROGRAMS: + @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +tpm_extendpcr$(EXEEXT): $(tpm_extendpcr_OBJECTS) $(tpm_extendpcr_DEPENDENCIES) $(EXTRA_tpm_extendpcr_DEPENDENCIES) + @rm -f tpm_extendpcr$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(tpm_extendpcr_OBJECTS) $(tpm_extendpcr_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tpm_extendpcr.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) +installdirs: + for dir in "$(DESTDIR)$(bindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-binPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-binPROGRAMS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \ + clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-binPROGRAMS \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am uninstall-binPROGRAMS + +.PRECIOUS: Makefile + + +tpm_extendpcr.o : $(top_builddir)/config.status + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/tpm_extendpcr/tpm_extendpcr.c b/src/tpm_extendpcr/tpm_extendpcr.c new file mode 100644 index 000000000..31d0d3d25 --- /dev/null +++ b/src/tpm_extendpcr/tpm_extendpcr.c @@ -0,0 +1,317 @@ +/* + * Copyright (C) 2017 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <tpm_tss.h> + +#include <library.h> +#include <crypto/hashers/hasher.h> +#include <utils/debug.h> + +#include <syslog.h> +#include <getopt.h> +#include <errno.h> + + +/* logging */ +static bool log_to_stderr = TRUE; +static bool log_to_syslog = TRUE; +static level_t default_loglevel = 1; + +/* global variables */ +tpm_tss_t *tpm; +chunk_t digest; +chunk_t pcr_value; + +/** + * logging function for tpm_extendpcr + */ +static void tpm_extendpcr_dbg(debug_t group, level_t level, char *fmt, ...) +{ + char buffer[8192]; + char *current = buffer, *next; + va_list args; + + if (level <= default_loglevel) + { + if (log_to_stderr) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + va_end(args); + fprintf(stderr, "\n"); + } + if (log_to_syslog) + { + /* write in memory buffer first */ + va_start(args, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + + /* do a syslog with every line */ + while (current) + { + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + syslog(LOG_INFO, "%s\n", current); + current = next; + } + } + } +} + +/** + * Initialize logging to stderr/syslog + */ +static void init_log(const char *program) +{ + dbg = tpm_extendpcr_dbg; + + if (log_to_stderr) + { + setbuf(stderr, NULL); + } + if (log_to_syslog) + { + openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); + } +} + +/** + * @brief exit tpm_extendpcr + * + * @param status 0 = OK, -1 = general discomfort + */ +static void exit_tpm_extendpcr(err_t message, ...) +{ + int status = 0; + + DESTROY_IF(tpm); + chunk_free(&digest); + chunk_free(&pcr_value); + + /* print any error message to stderr */ + if (message != NULL && *message != '\0') + { + va_list args; + char m[8192]; + + va_start(args, message); + vsnprintf(m, sizeof(m), message, args); + va_end(args); + + fprintf(stderr, "tpm_extendpcr error: %s\n", m); + status = -1; + } + library_deinit(); + exit(status); +} + +/** + * @brief prints the usage of the program to the stderr output + * + * If message is set, program is exited with 1 (error) + * @param message message in case of an error + */ +static void usage(const char *message) +{ + fprintf(stderr, + "Usage: tpm_extendpcr [--alg <name>] --pcr <nr> --digest <hex>|--in" + " <file>\n" + " [--hash] [--out <file>] [--quiet]" + " [--debug <level>]\n" + " tpm_extendpcr --help\n" + "\n" + "Options:\n" + " --alg (-a) hash algorithm (sha1|sha256)\n" + " --pcr (-p) platform configuration register (0..23)\n" + " --digest (-d) digest in hex format to be extended\n" + " --in (-i) binary input file with digest to be extended\n" + " --hash (-x) prehash the input file to create digest\n" + " --out (-o) binary output file with updated PCR value\n" + " --help (-h) show usage and exit\n" + "\n" + "Debugging output:\n" + " --debug (-l) changes the log level (-1..4, default: 1)\n" + " --quiet (-q) do not write log output to stderr\n" + ); + exit_tpm_extendpcr(message); +} + +/** + * @brief main of tpm_extendpcr which extends digest into a PCR + * + * @param argc number of arguments + * @param argv pointer to the argument values + */ +int main(int argc, char *argv[]) +{ + hash_algorithm_t alg = HASH_SHA1; + hasher_t *hasher = NULL; + char *infile = NULL, *outfile = NULL; + uint32_t pcr = 16; + bool hash = FALSE; + + atexit(library_deinit); + if (!library_init(NULL, "tpm_extendpcr")) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "tpm_extendpcr", argv[0])) + { + fprintf(stderr, "integrity check of tpm_extendpcr failed\n"); + exit(SS_RC_DAEMON_INTEGRITY); + } + + for (;;) + { + static const struct option long_opts[] = { + /* name, has_arg, flag, val */ + { "help", no_argument, NULL, 'h' }, + { "alg", required_argument, NULL, 'a' }, + { "pcr", required_argument, NULL, 'p' }, + { "digest", required_argument, NULL, 'd' }, + { "in", required_argument, NULL, 'i' }, + { "hash", no_argument, NULL, 'x' }, + { "out", required_argument, NULL, 'o' }, + { "quiet", no_argument, NULL, 'q' }, + { "debug", required_argument, NULL, 'l' }, + { 0,0,0,0 } + }; + + /* parse next option */ + int c = getopt_long(argc, argv, "ha:p:d:i:xo:ql:", long_opts, NULL); + + switch (c) + { + case EOF: /* end of flags */ + break; + + case 'h': /* --help */ + usage(NULL); + + case 'a': /* --alg <name> */ + if (!enum_from_name(hash_algorithm_short_names, optarg, &alg)) + { + usage("unsupported hash algorithm"); + } + continue; + case 'p': /* --pcr <nr> */ + pcr = atoi(optarg); + continue; + + case 'd': /* --digest <hex> */ + digest = chunk_from_hex(chunk_from_str(optarg), NULL); + continue; + + case 'i': /* --in <file> */ + infile = optarg; + continue; + + case 'x': /* --hash */ + hash = TRUE; + continue; + + case 'o': /* --out <file> */ + outfile = optarg; + continue; + + case 'q': /* --quiet */ + log_to_stderr = FALSE; + continue; + + case 'l': /* --debug <level> */ + default_loglevel = atoi(optarg); + continue; + + default: + usage("unknown option"); + } + /* break from loop */ + break; + } + + init_log("tpm_extendpcr"); + + if (!lib->plugins->load(lib->plugins, + lib->settings->get_str(lib->settings, "tpm_extendpcr.load", + "tpm sha1 sha2"))) + { + exit_tpm_extendpcr("plugin loading failed"); + } + + /* try to find a TPM */ + tpm = tpm_tss_probe(TPM_VERSION_ANY); + if (!tpm) + { + exit_tpm_extendpcr("no TPM found"); + } + + /* read digest from file */ + if (digest.len == 0) + { + chunk_t *chunk; + + if (!infile) + { + exit_tpm_extendpcr("--digest or --in option required"); + } + chunk = chunk_map(infile, FALSE); + if (!chunk) + { + exit_tpm_extendpcr("reading input file failed"); + } + if (hash) + { + hasher = lib->crypto->create_hasher(lib->crypto, alg); + if (!hasher || !hasher->allocate_hash(hasher, *chunk, &digest)) + { + DESTROY_IF(hasher); + chunk_unmap(chunk); + exit_tpm_extendpcr("prehashing infile failed"); + } + hasher->destroy(hasher); + } + else + { + digest = chunk_clone(*chunk); + } + chunk_unmap(chunk); + } + DBG1(DBG_PTS, "Digest: %#B", &digest); + + /* extend digest into PCR */ + if (!tpm->extend_pcr(tpm, pcr, &pcr_value, digest, alg)) + { + exit_tpm_extendpcr("extending PCR failed"); + } + DBG1(DBG_PTS, "PCR %02u: %#B", pcr, &pcr_value); + + /* write PCR value to file */ + if (outfile) + { + if (!chunk_write(pcr_value, outfile, 022, TRUE)) + { + DBG1(DBG_PTS, "writing '%s' failed", outfile); + } + } + chunk_free(&pcr_value); + + exit_tpm_extendpcr(NULL); + return -1; /* should never be reached */ +} diff --git a/testing/config/kernel/config-4.13 b/testing/config/kernel/config-4.13 index dcdceccd8..b1f84aaed 100644 --- a/testing/config/kernel/config-4.13 +++ b/testing/config/kernel/config-4.13 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.13.12 Kernel Configuration +# Linux/x86 4.13.16 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -664,12 +664,14 @@ CONFIG_IP_MULTIPLE_TABLES=y CONFIG_IP_ROUTE_CLASSID=y # CONFIG_IP_PNP is not set # CONFIG_NET_IPIP is not set -# CONFIG_NET_IPGRE_DEMUX is not set +CONFIG_NET_IPGRE_DEMUX=y CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y # CONFIG_SYN_COOKIES is not set -# CONFIG_NET_IPVTI is not set +CONFIG_NET_IPVTI=y CONFIG_NET_UDP_TUNNEL=y # CONFIG_NET_FOU is not set +# CONFIG_NET_FOU_IP_TUNNELS is not set CONFIG_INET_AH=y CONFIG_INET_ESP=y # CONFIG_INET_ESP_OFFLOAD is not set @@ -703,9 +705,10 @@ CONFIG_INET6_XFRM_MODE_TRANSPORT=y CONFIG_INET6_XFRM_MODE_TUNNEL=y CONFIG_INET6_XFRM_MODE_BEET=y # CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set -# CONFIG_IPV6_VTI is not set +CONFIG_IPV6_VTI=y # CONFIG_IPV6_SIT is not set CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y # CONFIG_IPV6_FOU is not set # CONFIG_IPV6_FOU_TUNNEL is not set CONFIG_IPV6_MULTIPLE_TABLES=y diff --git a/testing/config/kernel/config-4.14 b/testing/config/kernel/config-4.14 new file mode 100644 index 000000000..ad74e6457 --- /dev/null +++ b/testing/config/kernel/config-4.14 @@ -0,0 +1,2640 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.14.13 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_FHANDLE=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TINY_SRCU=y +# CONFIG_TASKS_RCU is not set +# CONFIG_RCU_STALL_COMMON is not set +# CONFIG_RCU_NEED_SEGCBLIST is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +# CONFIG_CHECKPOINT_RESTORE is not set +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_POSIX_TIMERS=y +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +# CONFIG_BPF_SYSCALL is not set +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +# CONFIG_USERFAULTFD is not set +CONFIG_PCI_QUIRKS=y +CONFIG_MEMBARRIER=y +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y +# CONFIG_PC104 is not set + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +# CONFIG_SYSTEM_DATA_VERIFICATION is not set +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_UPROBES is not set +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_HAVE_RCU_TABLE_FREE=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_GCC_PLUGINS=y +# CONFIG_GCC_PLUGINS is not set +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_THIN_ARCHIVES=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +# CONFIG_HAVE_ARCH_HASH is not set +# CONFIG_ISA_BUS_API is not set +# CONFIG_CPU_NO_EFFICIENT_FFS is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX is not set +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT is not set +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +CONFIG_ARCH_HAS_REFCOUNT=y +# CONFIG_REFCOUNT_FULL is not set + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_SLABINFO=y +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_CMDLINE_PARSER is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_SED_OPAL is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_CFQ_GROUP_IOSCHED is not set +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +# CONFIG_INTEL_RDT is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +CONFIG_NR_CPUS=1 +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +# CONFIG_VM86 is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +CONFIG_MICROCODE_OLD_INTERFACE=y +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_X86_DIRECT_GBPAGES=y +CONFIG_ARCH_HAS_MEM_ENCRYPT=y +# CONFIG_AMD_MEM_ENCRYPT is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_HAVE_GENERIC_GUP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_ARCH_WANTS_THP_SWAP=y +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_ZONE_DEVICE=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_PERCPU_STATS is not set +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_LEGACY_VSYSCALL_NATIVE is not set +CONFIG_LEGACY_VSYSCALL_EMULATE=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_BUS_ADDR_T_64BIT=y +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set +# CONFIG_PCI_STUB is not set +CONFIG_HT_IRQ=y +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y +# CONFIG_HOTPLUG_PCI is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT is not set + +# +# PCI host controller drivers +# +# CONFIG_VMD is not set + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set + +# +# PCI switch controller drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32 is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_NET=y +CONFIG_NET_INGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +# CONFIG_SYN_COOKIES is not set +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_NET_FOU_IP_TUNNELS is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +CONFIG_IPV6_VTI=y +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +# CONFIG_IPV6_FOU is not set +# CONFIG_IPV6_FOU_TUNNEL is not set +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NET_PTP_CLASSIFY is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +# CONFIG_NF_LOG_NETDEV is not set +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NF_CT_NETLINK_TIMEOUT is not set +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +# CONFIG_NF_NAT_AMANDA is not set +# CONFIG_NF_NAT_FTP is not set +# CONFIG_NF_NAT_IRC is not set +# CONFIG_NF_NAT_SIP is not set +# CONFIG_NF_NAT_TFTP is not set +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +# CONFIG_NF_NAT_PPTP is not set +# CONFIG_NF_NAT_H323 is not set +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y +CONFIG_IP6_NF_TARGET_NPT=y +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_NET_NSH is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +# CONFIG_STREAM_PARSER is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set +# CONFIG_LIB80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y +CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_VIRTIO_BLK_SCSI is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +# CONFIG_CXL_AFU_DRIVER_OPS is not set +# CONFIG_CXL_LIB is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_SCSI_DMA is not set +# CONFIG_SCSI_NETLINK is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +# CONFIG_AMD_XGBE_HAVE_ECC is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_NET_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_EXAR=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_HUAWEI=y +# CONFIG_HINIC is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +CONFIG_NET_VENDOR_I825XX=y +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_PACKET_ENGINE=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +# CONFIG_RMNET is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_ALE is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_MDIO_DEVICE is not set +# CONFIG_MDIO_BUS is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +# CONFIG_PRISM54 is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. +# +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CORE is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +CONFIG_RC_CORE=y +CONFIG_RC_MAP=y +CONFIG_RC_DECODERS=y +# CONFIG_LIRC is not set +CONFIG_IR_NEC_DECODER=y +CONFIG_IR_RC5_DECODER=y +CONFIG_IR_RC6_DECODER=y +CONFIG_IR_JVC_DECODER=y +CONFIG_IR_SONY_DECODER=y +CONFIG_IR_SANYO_DECODER=y +CONFIG_IR_SHARP_DECODER=y +CONFIG_IR_MCE_KBD_DECODER=y +CONFIG_IR_XMP_DECODER=y +# CONFIG_RC_DEVICES is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ACP (Audio CoProcessor) Configuration +# +# CONFIG_DRM_LIB_RANDOM is not set + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_SOUND=y +# CONFIG_SOUND_OSS_CORE is not set +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_USB_PHY is not set +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set + +# +# USB Power Delivery and Type-C drivers +# +# CONFIG_TYPEC_UCSI is not set +# CONFIG_USB_ULPI_BUS is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_HYPERV_TSCPAGE is not set +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_INTEL_PMC_IPC is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_MLX_PLATFORM is not set +# CONFIG_MLX_CPLD_PLATFORM is not set +CONFIG_PMC_ATOM=y +# CONFIG_CHROME_PLATFORMS is not set +CONFIG_CLKDEV_LOOKUP=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Common Clock Framework +# +# CONFIG_COMMON_CLK_NXP is not set +# CONFIG_COMMON_CLK_PXA is not set +# CONFIG_COMMON_CLK_PIC32 is not set +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set + +# +# Rpmsg drivers +# + +# +# SOC (System On Chip) specific Drivers +# + +# +# Amlogic SoC drivers +# + +# +# Broadcom SoC drivers +# + +# +# i.MX SoC drivers +# + +# +# Qualcomm SoC drivers +# +# CONFIG_SUNXI_SRAM is not set +# CONFIG_SOC_TI is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_RAS is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +# CONFIG_FPGA is not set + +# +# FSI support +# +# CONFIG_FSI is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_GOOGLE_FIRMWARE is not set +# CONFIG_EFI_DEV_PATH_PARSER is not set + +# +# Tegra firmware driver +# + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_ENCRYPTION is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_ENABLE_WARN_DEPRECATED=y +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_STACK_VALIDATION=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KMEMCHECK=y +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +# CONFIG_KCOV is not set +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHED_INFO is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_PROVE_RCU is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is not set +# CONFIG_PROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_TEST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set +# CONFIG_UBSAN is not set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_X86_PTDUMP_CORE is not set +# CONFIG_X86_PTDUMP is not set +# CONFIG_DEBUG_WX is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set +CONFIG_UNWINDER_ORC=y +# CONFIG_UNWINDER_FRAME_POINTER is not set + +# +# Security options +# +# CONFIG_KEYS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +# CONFIG_CRYPTO_RSA is not set +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_MCRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_SIMD=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256_MB=y +CONFIG_CRYPTO_SHA512_MB=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +# CONFIG_CRYPTO_HW is not set + +# +# Certificates for signature checking +# +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +# CONFIG_HAVE_ARCH_BITREVERSE is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_GENERIC_IO=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +# CONFIG_XZ_DEC_BCJ is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +# CONFIG_DMA_NOOP_OPS is not set +# CONFIG_DMA_VIRT_OPS is not set +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +# CONFIG_SG_SPLIT is not set +# CONFIG_SG_POOL is not set +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_SBITMAP=y +# CONFIG_STRING_SELFTEST is not set diff --git a/testing/config/kernel/config-4.15 b/testing/config/kernel/config-4.15 new file mode 100644 index 000000000..c16e64b89 --- /dev/null +++ b/testing/config/kernel/config-4.15 @@ -0,0 +1,2685 @@ +# +# Automatically generated file; DO NOT EDIT. +# Linux/x86 4.15.0 Kernel Configuration +# +CONFIG_64BIT=y +CONFIG_X86_64=y +CONFIG_X86=y +CONFIG_INSTRUCTION_DECODER=y +CONFIG_OUTPUT_FORMAT="elf64-x86-64" +CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" +CONFIG_LOCKDEP_SUPPORT=y +CONFIG_STACKTRACE_SUPPORT=y +CONFIG_MMU=y +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 +CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 +CONFIG_NEED_DMA_MAP_STATE=y +CONFIG_NEED_SG_DMA_LENGTH=y +CONFIG_GENERIC_ISA_DMA=y +CONFIG_GENERIC_BUG=y +CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y +CONFIG_GENERIC_HWEIGHT=y +CONFIG_ARCH_MAY_HAVE_PC_FDC=y +CONFIG_RWSEM_XCHGADD_ALGORITHM=y +CONFIG_GENERIC_CALIBRATE_DELAY=y +CONFIG_ARCH_HAS_CPU_RELAX=y +CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y +CONFIG_HAVE_SETUP_PER_CPU_AREA=y +CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y +CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y +CONFIG_ARCH_HIBERNATION_POSSIBLE=y +CONFIG_ARCH_SUSPEND_POSSIBLE=y +CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y +CONFIG_ARCH_WANT_GENERAL_HUGETLB=y +CONFIG_ZONE_DMA32=y +CONFIG_AUDIT_ARCH=y +CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y +CONFIG_ARCH_SUPPORTS_UPROBES=y +CONFIG_FIX_EARLYCON_MEM=y +CONFIG_PGTABLE_LEVELS=4 +CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" +CONFIG_IRQ_WORK=y +CONFIG_BUILDTIME_EXTABLE_SORT=y +CONFIG_THREAD_INFO_IN_TASK=y + +# +# General setup +# +CONFIG_BROKEN_ON_SMP=y +CONFIG_INIT_ENV_ARG_LIMIT=32 +CONFIG_CROSS_COMPILE="" +# CONFIG_COMPILE_TEST is not set +CONFIG_LOCALVERSION="" +CONFIG_LOCALVERSION_AUTO=y +CONFIG_HAVE_KERNEL_GZIP=y +CONFIG_HAVE_KERNEL_BZIP2=y +CONFIG_HAVE_KERNEL_LZMA=y +CONFIG_HAVE_KERNEL_XZ=y +CONFIG_HAVE_KERNEL_LZO=y +CONFIG_HAVE_KERNEL_LZ4=y +CONFIG_KERNEL_GZIP=y +# CONFIG_KERNEL_BZIP2 is not set +# CONFIG_KERNEL_LZMA is not set +# CONFIG_KERNEL_XZ is not set +# CONFIG_KERNEL_LZO is not set +# CONFIG_KERNEL_LZ4 is not set +CONFIG_DEFAULT_HOSTNAME="(none)" +CONFIG_SWAP=y +CONFIG_SYSVIPC=y +CONFIG_SYSVIPC_SYSCTL=y +CONFIG_POSIX_MQUEUE=y +CONFIG_POSIX_MQUEUE_SYSCTL=y +CONFIG_CROSS_MEMORY_ATTACH=y +CONFIG_USELIB=y +# CONFIG_AUDIT is not set +CONFIG_HAVE_ARCH_AUDITSYSCALL=y + +# +# IRQ subsystem +# +CONFIG_GENERIC_IRQ_PROBE=y +CONFIG_GENERIC_IRQ_SHOW=y +CONFIG_IRQ_DOMAIN=y +CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_GENERIC_MSI_IRQ=y +CONFIG_GENERIC_MSI_IRQ_DOMAIN=y +CONFIG_GENERIC_IRQ_MATRIX_ALLOCATOR=y +CONFIG_GENERIC_IRQ_RESERVATION_MODE=y +CONFIG_IRQ_FORCED_THREADING=y +CONFIG_SPARSE_IRQ=y +CONFIG_CLOCKSOURCE_WATCHDOG=y +CONFIG_ARCH_CLOCKSOURCE_DATA=y +CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y +CONFIG_GENERIC_TIME_VSYSCALL=y +CONFIG_GENERIC_CLOCKEVENTS=y +CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y +CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y +CONFIG_GENERIC_CMOS_UPDATE=y + +# +# Timers subsystem +# +CONFIG_TICK_ONESHOT=y +CONFIG_NO_HZ_COMMON=y +# CONFIG_HZ_PERIODIC is not set +CONFIG_NO_HZ_IDLE=y +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +# +# CPU/Task time and stats accounting +# +CONFIG_TICK_CPU_ACCOUNTING=y +# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set +# CONFIG_IRQ_TIME_ACCOUNTING is not set +CONFIG_BSD_PROCESS_ACCT=y +# CONFIG_BSD_PROCESS_ACCT_V3 is not set +# CONFIG_TASKSTATS is not set + +# +# RCU Subsystem +# +CONFIG_TINY_RCU=y +# CONFIG_RCU_EXPERT is not set +CONFIG_SRCU=y +CONFIG_TINY_SRCU=y +# CONFIG_TASKS_RCU is not set +# CONFIG_RCU_STALL_COMMON is not set +# CONFIG_RCU_NEED_SEGCBLIST is not set +CONFIG_BUILD_BIN2C=y +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 +CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 +CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y +CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y +CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH=y +CONFIG_ARCH_SUPPORTS_INT128=y +CONFIG_CGROUPS=y +CONFIG_PAGE_COUNTER=y +CONFIG_MEMCG=y +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y +CONFIG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_CGROUP_WRITEBACK=y +CONFIG_CGROUP_SCHED=y +CONFIG_FAIR_GROUP_SCHED=y +CONFIG_CFS_BANDWIDTH=y +# CONFIG_RT_GROUP_SCHED is not set +CONFIG_CGROUP_PIDS=y +# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_FREEZER=y +CONFIG_CGROUP_DEVICE=y +CONFIG_CGROUP_CPUACCT=y +CONFIG_CGROUP_PERF=y +# CONFIG_CGROUP_DEBUG is not set +CONFIG_SOCK_CGROUP_DATA=y +CONFIG_NAMESPACES=y +# CONFIG_UTS_NS is not set +# CONFIG_IPC_NS is not set +# CONFIG_USER_NS is not set +# CONFIG_PID_NS is not set +# CONFIG_NET_NS is not set +# CONFIG_SCHED_AUTOGROUP is not set +# CONFIG_SYSFS_DEPRECATED is not set +# CONFIG_RELAY is not set +# CONFIG_BLK_DEV_INITRD is not set +# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set +CONFIG_CC_OPTIMIZE_FOR_SIZE=y +CONFIG_SYSCTL=y +CONFIG_ANON_INODES=y +CONFIG_SYSCTL_EXCEPTION_TRACE=y +CONFIG_HAVE_PCSPKR_PLATFORM=y +CONFIG_BPF=y +# CONFIG_EXPERT is not set +CONFIG_MULTIUSER=y +CONFIG_SGETMASK_SYSCALL=y +CONFIG_SYSFS_SYSCALL=y +# CONFIG_SYSCTL_SYSCALL is not set +CONFIG_FHANDLE=y +CONFIG_POSIX_TIMERS=y +CONFIG_PRINTK=y +CONFIG_PRINTK_NMI=y +CONFIG_BUG=y +CONFIG_ELF_CORE=y +CONFIG_PCSPKR_PLATFORM=y +CONFIG_BASE_FULL=y +CONFIG_FUTEX=y +CONFIG_FUTEX_PI=y +CONFIG_EPOLL=y +CONFIG_SIGNALFD=y +CONFIG_TIMERFD=y +CONFIG_EVENTFD=y +CONFIG_SHMEM=y +CONFIG_AIO=y +CONFIG_ADVISE_SYSCALLS=y +CONFIG_MEMBARRIER=y +# CONFIG_CHECKPOINT_RESTORE is not set +CONFIG_KALLSYMS=y +# CONFIG_KALLSYMS_ALL is not set +# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set +CONFIG_KALLSYMS_BASE_RELATIVE=y +# CONFIG_BPF_SYSCALL is not set +# CONFIG_USERFAULTFD is not set +# CONFIG_EMBEDDED is not set +CONFIG_HAVE_PERF_EVENTS=y +# CONFIG_PC104 is not set + +# +# Kernel Performance Events And Counters +# +CONFIG_PERF_EVENTS=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_VM_EVENT_COUNTERS=y +CONFIG_COMPAT_BRK=y +CONFIG_SLAB=y +# CONFIG_SLUB is not set +CONFIG_SLAB_MERGE_DEFAULT=y +# CONFIG_SLAB_FREELIST_RANDOM is not set +CONFIG_SYSTEM_DATA_VERIFICATION=y +# CONFIG_PROFILING is not set +CONFIG_HAVE_OPROFILE=y +CONFIG_OPROFILE_NMI_TIMER=y +# CONFIG_JUMP_LABEL is not set +# CONFIG_UPROBES is not set +# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set +CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y +CONFIG_ARCH_USE_BUILTIN_BSWAP=y +CONFIG_HAVE_IOREMAP_PROT=y +CONFIG_HAVE_KPROBES=y +CONFIG_HAVE_KRETPROBES=y +CONFIG_HAVE_OPTPROBES=y +CONFIG_HAVE_KPROBES_ON_FTRACE=y +CONFIG_HAVE_NMI=y +CONFIG_HAVE_ARCH_TRACEHOOK=y +CONFIG_HAVE_DMA_CONTIGUOUS=y +CONFIG_GENERIC_SMP_IDLE_THREAD=y +CONFIG_ARCH_HAS_FORTIFY_SOURCE=y +CONFIG_ARCH_HAS_SET_MEMORY=y +CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y +CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y +CONFIG_HAVE_CLK=y +CONFIG_HAVE_DMA_API_DEBUG=y +CONFIG_HAVE_HW_BREAKPOINT=y +CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y +CONFIG_HAVE_USER_RETURN_NOTIFIER=y +CONFIG_HAVE_PERF_EVENTS_NMI=y +CONFIG_HAVE_HARDLOCKUP_DETECTOR_PERF=y +CONFIG_HAVE_PERF_REGS=y +CONFIG_HAVE_PERF_USER_STACK_DUMP=y +CONFIG_HAVE_ARCH_JUMP_LABEL=y +CONFIG_HAVE_RCU_TABLE_FREE=y +CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y +CONFIG_HAVE_CMPXCHG_LOCAL=y +CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_HAVE_ARCH_SECCOMP_FILTER=y +CONFIG_SECCOMP_FILTER=y +CONFIG_HAVE_GCC_PLUGINS=y +# CONFIG_GCC_PLUGINS is not set +CONFIG_HAVE_CC_STACKPROTECTOR=y +CONFIG_CC_STACKPROTECTOR=y +# CONFIG_CC_STACKPROTECTOR_NONE is not set +CONFIG_CC_STACKPROTECTOR_REGULAR=y +# CONFIG_CC_STACKPROTECTOR_STRONG is not set +CONFIG_THIN_ARCHIVES=y +CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y +CONFIG_HAVE_CONTEXT_TRACKING=y +CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y +CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD=y +CONFIG_HAVE_ARCH_HUGE_VMAP=y +CONFIG_HAVE_ARCH_SOFT_DIRTY=y +CONFIG_HAVE_MOD_ARCH_SPECIFIC=y +CONFIG_MODULES_USE_ELF_RELA=y +CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_ARCH_HAS_ELF_RANDOMIZE=y +CONFIG_HAVE_ARCH_MMAP_RND_BITS=y +CONFIG_HAVE_EXIT_THREAD=y +CONFIG_ARCH_MMAP_RND_BITS=28 +CONFIG_HAVE_COPY_THREAD_TLS=y +CONFIG_HAVE_STACK_VALIDATION=y +# CONFIG_HAVE_ARCH_HASH is not set +# CONFIG_ISA_BUS_API is not set +# CONFIG_CPU_NO_EFFICIENT_FFS is not set +CONFIG_HAVE_ARCH_VMAP_STACK=y +CONFIG_VMAP_STACK=y +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX is not set +# CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT is not set +CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y +CONFIG_STRICT_KERNEL_RWX=y +CONFIG_ARCH_HAS_STRICT_MODULE_RWX=y +CONFIG_ARCH_HAS_REFCOUNT=y +# CONFIG_REFCOUNT_FULL is not set + +# +# GCOV-based kernel profiling +# +CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y +# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set +CONFIG_RT_MUTEXES=y +CONFIG_BASE_SMALL=0 +# CONFIG_MODULES is not set +CONFIG_MODULES_TREE_LOOKUP=y +CONFIG_BLOCK=y +# CONFIG_BLK_DEV_BSG is not set +# CONFIG_BLK_DEV_BSGLIB is not set +# CONFIG_BLK_DEV_INTEGRITY is not set +# CONFIG_BLK_DEV_ZONED is not set +# CONFIG_BLK_DEV_THROTTLING is not set +# CONFIG_BLK_CMDLINE_PARSER is not set +# CONFIG_BLK_WBT is not set +# CONFIG_BLK_SED_OPAL is not set + +# +# Partition Types +# +# CONFIG_PARTITION_ADVANCED is not set +CONFIG_MSDOS_PARTITION=y +CONFIG_EFI_PARTITION=y +CONFIG_BLK_MQ_PCI=y +CONFIG_BLK_MQ_VIRTIO=y + +# +# IO Schedulers +# +CONFIG_IOSCHED_NOOP=y +CONFIG_IOSCHED_DEADLINE=y +CONFIG_IOSCHED_CFQ=y +# CONFIG_CFQ_GROUP_IOSCHED is not set +# CONFIG_DEFAULT_DEADLINE is not set +CONFIG_DEFAULT_CFQ=y +# CONFIG_DEFAULT_NOOP is not set +CONFIG_DEFAULT_IOSCHED="cfq" +CONFIG_MQ_IOSCHED_DEADLINE=y +CONFIG_MQ_IOSCHED_KYBER=y +# CONFIG_IOSCHED_BFQ is not set +CONFIG_ASN1=y +CONFIG_INLINE_SPIN_UNLOCK_IRQ=y +CONFIG_INLINE_READ_UNLOCK=y +CONFIG_INLINE_READ_UNLOCK_IRQ=y +CONFIG_INLINE_WRITE_UNLOCK=y +CONFIG_INLINE_WRITE_UNLOCK_IRQ=y +CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y +CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y +CONFIG_ARCH_USE_QUEUED_RWLOCKS=y +CONFIG_FREEZER=y + +# +# Processor type and features +# +CONFIG_ZONE_DMA=y +# CONFIG_SMP is not set +CONFIG_X86_FEATURE_NAMES=y +CONFIG_X86_FAST_FEATURE_TESTS=y +CONFIG_X86_MPPARSE=y +# CONFIG_GOLDFISH is not set +CONFIG_RETPOLINE=y +# CONFIG_INTEL_RDT is not set +CONFIG_X86_EXTENDED_PLATFORM=y +# CONFIG_X86_GOLDFISH is not set +# CONFIG_X86_INTEL_MID is not set +# CONFIG_X86_INTEL_LPSS is not set +# CONFIG_X86_AMD_PLATFORM_DEVICE is not set +CONFIG_IOSF_MBI=y +CONFIG_SCHED_OMIT_FRAME_POINTER=y +# CONFIG_HYPERVISOR_GUEST is not set +CONFIG_NO_BOOTMEM=y +# CONFIG_MK8 is not set +# CONFIG_MPSC is not set +CONFIG_MCORE2=y +# CONFIG_MATOM is not set +# CONFIG_GENERIC_CPU is not set +CONFIG_X86_INTERNODE_CACHE_SHIFT=6 +CONFIG_X86_L1_CACHE_SHIFT=6 +CONFIG_X86_INTEL_USERCOPY=y +CONFIG_X86_USE_PPRO_CHECKSUM=y +CONFIG_X86_P6_NOP=y +CONFIG_X86_TSC=y +CONFIG_X86_CMPXCHG64=y +CONFIG_X86_CMOV=y +CONFIG_X86_MINIMUM_CPU_FAMILY=64 +CONFIG_X86_DEBUGCTLMSR=y +CONFIG_CPU_SUP_INTEL=y +CONFIG_CPU_SUP_AMD=y +CONFIG_CPU_SUP_CENTAUR=y +CONFIG_HPET_TIMER=y +CONFIG_DMI=y +CONFIG_GART_IOMMU=y +# CONFIG_CALGARY_IOMMU is not set +CONFIG_SWIOTLB=y +CONFIG_IOMMU_HELPER=y +CONFIG_NR_CPUS=1 +CONFIG_PREEMPT_NONE=y +# CONFIG_PREEMPT_VOLUNTARY is not set +# CONFIG_PREEMPT is not set +CONFIG_UP_LATE_INIT=y +CONFIG_X86_LOCAL_APIC=y +CONFIG_X86_IO_APIC=y +# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set +# CONFIG_X86_MCE is not set + +# +# Performance monitoring +# +CONFIG_PERF_EVENTS_INTEL_UNCORE=y +CONFIG_PERF_EVENTS_INTEL_RAPL=y +CONFIG_PERF_EVENTS_INTEL_CSTATE=y +# CONFIG_PERF_EVENTS_AMD_POWER is not set +# CONFIG_VM86 is not set +CONFIG_X86_16BIT=y +CONFIG_X86_ESPFIX64=y +CONFIG_X86_VSYSCALL_EMULATION=y +# CONFIG_I8K is not set +CONFIG_MICROCODE=y +CONFIG_MICROCODE_INTEL=y +# CONFIG_MICROCODE_AMD is not set +CONFIG_MICROCODE_OLD_INTERFACE=y +# CONFIG_X86_MSR is not set +# CONFIG_X86_CPUID is not set +# CONFIG_X86_5LEVEL is not set +CONFIG_ARCH_PHYS_ADDR_T_64BIT=y +CONFIG_ARCH_DMA_ADDR_T_64BIT=y +CONFIG_X86_DIRECT_GBPAGES=y +CONFIG_ARCH_HAS_MEM_ENCRYPT=y +# CONFIG_AMD_MEM_ENCRYPT is not set +CONFIG_ARCH_SPARSEMEM_ENABLE=y +CONFIG_ARCH_SPARSEMEM_DEFAULT=y +CONFIG_ARCH_SELECT_MEMORY_MODEL=y +CONFIG_ARCH_MEMORY_PROBE=y +CONFIG_ARCH_PROC_KCORE_TEXT=y +CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000 +CONFIG_SELECT_MEMORY_MODEL=y +CONFIG_SPARSEMEM_MANUAL=y +CONFIG_SPARSEMEM=y +CONFIG_HAVE_MEMORY_PRESENT=y +CONFIG_SPARSEMEM_EXTREME=y +CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y +CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y +CONFIG_SPARSEMEM_VMEMMAP=y +CONFIG_HAVE_MEMBLOCK=y +CONFIG_HAVE_MEMBLOCK_NODE_MAP=y +CONFIG_HAVE_GENERIC_GUP=y +CONFIG_ARCH_DISCARD_MEMBLOCK=y +CONFIG_MEMORY_ISOLATION=y +CONFIG_HAVE_BOOTMEM_INFO_NODE=y +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set +CONFIG_MEMORY_HOTREMOVE=y +CONFIG_SPLIT_PTLOCK_CPUS=4 +CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y +CONFIG_MEMORY_BALLOON=y +# CONFIG_COMPACTION is not set +CONFIG_MIGRATION=y +CONFIG_PHYS_ADDR_T_64BIT=y +CONFIG_BOUNCE=y +CONFIG_VIRT_TO_BUS=y +# CONFIG_KSM is not set +CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 +# CONFIG_TRANSPARENT_HUGEPAGE is not set +CONFIG_ARCH_WANTS_THP_SWAP=y +CONFIG_NEED_PER_CPU_KM=y +# CONFIG_CLEANCACHE is not set +# CONFIG_FRONTSWAP is not set +# CONFIG_CMA is not set +# CONFIG_ZPOOL is not set +# CONFIG_ZBUD is not set +# CONFIG_ZSMALLOC is not set +CONFIG_GENERIC_EARLY_IOREMAP=y +CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y +# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set +# CONFIG_IDLE_PAGE_TRACKING is not set +CONFIG_ARCH_HAS_ZONE_DEVICE=y +# CONFIG_ZONE_DEVICE is not set +CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y +CONFIG_ARCH_HAS_PKEYS=y +# CONFIG_PERCPU_STATS is not set +# CONFIG_GUP_BENCHMARK is not set +# CONFIG_X86_PMEM_LEGACY is not set +# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set +CONFIG_X86_RESERVE_LOW=64 +CONFIG_MTRR=y +CONFIG_MTRR_SANITIZER=y +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 +CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 +CONFIG_X86_PAT=y +CONFIG_ARCH_USES_PG_UNCACHED=y +CONFIG_ARCH_RANDOM=y +CONFIG_X86_SMAP=y +CONFIG_X86_INTEL_UMIP=y +# CONFIG_X86_INTEL_MPX is not set +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +# CONFIG_EFI is not set +CONFIG_SECCOMP=y +# CONFIG_HZ_100 is not set +CONFIG_HZ_250=y +# CONFIG_HZ_300 is not set +# CONFIG_HZ_1000 is not set +CONFIG_HZ=250 +CONFIG_SCHED_HRTICK=y +# CONFIG_KEXEC is not set +# CONFIG_KEXEC_FILE is not set +# CONFIG_CRASH_DUMP is not set +CONFIG_PHYSICAL_START=0x1000000 +CONFIG_RELOCATABLE=y +# CONFIG_RANDOMIZE_BASE is not set +CONFIG_PHYSICAL_ALIGN=0x1000000 +# CONFIG_LEGACY_VSYSCALL_NATIVE is not set +CONFIG_LEGACY_VSYSCALL_EMULATE=y +# CONFIG_LEGACY_VSYSCALL_NONE is not set +# CONFIG_CMDLINE_BOOL is not set +CONFIG_MODIFY_LDT_SYSCALL=y +CONFIG_HAVE_LIVEPATCH=y +CONFIG_ARCH_HAS_ADD_PAGES=y +CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y +CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y + +# +# Power management and ACPI options +# +CONFIG_SUSPEND=y +CONFIG_SUSPEND_FREEZER=y +# CONFIG_HIBERNATION is not set +CONFIG_PM_SLEEP=y +# CONFIG_PM_AUTOSLEEP is not set +# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM=y +# CONFIG_PM_DEBUG is not set +CONFIG_PM_CLK=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_ACPI=y +CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y +CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y +CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y +# CONFIG_ACPI_DEBUGGER is not set +CONFIG_ACPI_LPIT=y +CONFIG_ACPI_SLEEP=y +# CONFIG_ACPI_PROCFS_POWER is not set +CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y +# CONFIG_ACPI_EC_DEBUGFS is not set +CONFIG_ACPI_AC=y +CONFIG_ACPI_BATTERY=y +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_CPU_FREQ_PSS=y +CONFIG_ACPI_PROCESSOR_CSTATE=y +CONFIG_ACPI_PROCESSOR_IDLE=y +CONFIG_ACPI_PROCESSOR=y +# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set +CONFIG_ACPI_THERMAL=y +# CONFIG_ACPI_CUSTOM_DSDT is not set +CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y +# CONFIG_ACPI_DEBUG is not set +# CONFIG_ACPI_PCI_SLOT is not set +CONFIG_X86_PM_TIMER=y +# CONFIG_ACPI_CONTAINER is not set +# CONFIG_ACPI_HOTPLUG_MEMORY is not set +CONFIG_ACPI_HOTPLUG_IOAPIC=y +# CONFIG_ACPI_SBS is not set +# CONFIG_ACPI_HED is not set +# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set +# CONFIG_ACPI_NFIT is not set +CONFIG_HAVE_ACPI_APEI=y +CONFIG_HAVE_ACPI_APEI_NMI=y +# CONFIG_ACPI_APEI is not set +# CONFIG_DPTF_POWER is not set +# CONFIG_PMIC_OPREGION is not set +# CONFIG_ACPI_CONFIGFS is not set +# CONFIG_SFI is not set + +# +# CPU Frequency scaling +# +# CONFIG_CPU_FREQ is not set + +# +# CPU Idle +# +CONFIG_CPU_IDLE=y +CONFIG_CPU_IDLE_GOV_LADDER=y +CONFIG_CPU_IDLE_GOV_MENU=y +# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set +# CONFIG_INTEL_IDLE is not set + +# +# Bus options (PCI etc.) +# +CONFIG_PCI=y +CONFIG_PCI_DIRECT=y +# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_DOMAINS=y +# CONFIG_PCIEPORTBUS is not set +CONFIG_PCI_BUS_ADDR_T_64BIT=y +CONFIG_PCI_MSI=y +CONFIG_PCI_MSI_IRQ_DOMAIN=y +CONFIG_PCI_QUIRKS=y +# CONFIG_PCI_DEBUG is not set +# CONFIG_PCI_STUB is not set +CONFIG_PCI_LOCKLESS_CONFIG=y +# CONFIG_PCI_IOV is not set +# CONFIG_PCI_PRI is not set +# CONFIG_PCI_PASID is not set +CONFIG_PCI_LABEL=y +# CONFIG_HOTPLUG_PCI is not set + +# +# DesignWare PCI Core Support +# +# CONFIG_PCIE_DW_PLAT is not set + +# +# PCI host controller drivers +# +# CONFIG_VMD is not set + +# +# PCI Endpoint +# +# CONFIG_PCI_ENDPOINT is not set + +# +# PCI switch controller drivers +# +# CONFIG_PCI_SW_SWITCHTEC is not set +CONFIG_ISA_DMA_API=y +CONFIG_AMD_NB=y +# CONFIG_PCCARD is not set +# CONFIG_RAPIDIO is not set +# CONFIG_X86_SYSFB is not set + +# +# Executable file formats / Emulations +# +CONFIG_BINFMT_ELF=y +CONFIG_ELFCORE=y +# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set +CONFIG_BINFMT_SCRIPT=y +# CONFIG_HAVE_AOUT is not set +# CONFIG_BINFMT_MISC is not set +CONFIG_COREDUMP=y +# CONFIG_IA32_EMULATION is not set +# CONFIG_X86_X32 is not set +CONFIG_X86_DEV_DMA_OPS=y +CONFIG_NET=y +CONFIG_NET_INGRESS=y + +# +# Networking options +# +CONFIG_PACKET=y +# CONFIG_PACKET_DIAG is not set +CONFIG_UNIX=y +# CONFIG_UNIX_DIAG is not set +CONFIG_TLS=y +CONFIG_XFRM=y +CONFIG_XFRM_ALGO=y +CONFIG_XFRM_USER=y +CONFIG_XFRM_SUB_POLICY=y +CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_STATISTICS=y +CONFIG_XFRM_IPCOMP=y +CONFIG_NET_KEY=y +CONFIG_NET_KEY_MIGRATE=y +CONFIG_INET=y +# CONFIG_IP_MULTICAST is not set +CONFIG_IP_ADVANCED_ROUTER=y +# CONFIG_IP_FIB_TRIE_STATS is not set +CONFIG_IP_MULTIPLE_TABLES=y +# CONFIG_IP_ROUTE_MULTIPATH is not set +# CONFIG_IP_ROUTE_VERBOSE is not set +CONFIG_IP_ROUTE_CLASSID=y +# CONFIG_IP_PNP is not set +# CONFIG_NET_IPIP is not set +CONFIG_NET_IPGRE_DEMUX=y +CONFIG_NET_IP_TUNNEL=y +CONFIG_NET_IPGRE=y +# CONFIG_SYN_COOKIES is not set +CONFIG_NET_IPVTI=y +CONFIG_NET_UDP_TUNNEL=y +# CONFIG_NET_FOU is not set +# CONFIG_NET_FOU_IP_TUNNELS is not set +CONFIG_INET_AH=y +CONFIG_INET_ESP=y +# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_IPCOMP=y +CONFIG_INET_XFRM_TUNNEL=y +CONFIG_INET_TUNNEL=y +CONFIG_INET_XFRM_MODE_TRANSPORT=y +CONFIG_INET_XFRM_MODE_TUNNEL=y +CONFIG_INET_XFRM_MODE_BEET=y +CONFIG_INET_DIAG=y +CONFIG_INET_TCP_DIAG=y +# CONFIG_INET_UDP_DIAG is not set +# CONFIG_INET_RAW_DIAG is not set +# CONFIG_INET_DIAG_DESTROY is not set +# CONFIG_TCP_CONG_ADVANCED is not set +CONFIG_TCP_CONG_CUBIC=y +CONFIG_DEFAULT_TCP_CONG="cubic" +# CONFIG_TCP_MD5SIG is not set +CONFIG_IPV6=y +# CONFIG_IPV6_ROUTER_PREF is not set +CONFIG_IPV6_OPTIMISTIC_DAD=y +CONFIG_INET6_AH=y +CONFIG_INET6_ESP=y +# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_IPCOMP=y +CONFIG_IPV6_MIP6=y +# CONFIG_IPV6_ILA is not set +CONFIG_INET6_XFRM_TUNNEL=y +CONFIG_INET6_TUNNEL=y +CONFIG_INET6_XFRM_MODE_TRANSPORT=y +CONFIG_INET6_XFRM_MODE_TUNNEL=y +CONFIG_INET6_XFRM_MODE_BEET=y +# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set +CONFIG_IPV6_VTI=y +# CONFIG_IPV6_SIT is not set +CONFIG_IPV6_TUNNEL=y +CONFIG_IPV6_GRE=y +# CONFIG_IPV6_FOU is not set +# CONFIG_IPV6_FOU_TUNNEL is not set +CONFIG_IPV6_MULTIPLE_TABLES=y +CONFIG_IPV6_SUBTREES=y +# CONFIG_IPV6_MROUTE is not set +# CONFIG_IPV6_SEG6_LWTUNNEL is not set +# CONFIG_IPV6_SEG6_HMAC is not set +# CONFIG_NETWORK_SECMARK is not set +# CONFIG_NET_PTP_CLASSIFY is not set +# CONFIG_NETWORK_PHY_TIMESTAMPING is not set +CONFIG_NETFILTER=y +CONFIG_NETFILTER_ADVANCED=y + +# +# Core Netfilter Configuration +# +CONFIG_NETFILTER_INGRESS=y +CONFIG_NETFILTER_NETLINK=y +# CONFIG_NETFILTER_NETLINK_ACCT is not set +CONFIG_NETFILTER_NETLINK_QUEUE=y +CONFIG_NETFILTER_NETLINK_LOG=y +CONFIG_NF_CONNTRACK=y +CONFIG_NF_LOG_COMMON=y +# CONFIG_NF_LOG_NETDEV is not set +CONFIG_NF_CONNTRACK_MARK=y +# CONFIG_NF_CONNTRACK_ZONES is not set +CONFIG_NF_CONNTRACK_PROCFS=y +CONFIG_NF_CONNTRACK_EVENTS=y +# CONFIG_NF_CONNTRACK_TIMEOUT is not set +# CONFIG_NF_CONNTRACK_TIMESTAMP is not set +# CONFIG_NF_CT_PROTO_DCCP is not set +# CONFIG_NF_CT_PROTO_SCTP is not set +CONFIG_NF_CT_PROTO_UDPLITE=y +# CONFIG_NF_CONNTRACK_AMANDA is not set +# CONFIG_NF_CONNTRACK_FTP is not set +# CONFIG_NF_CONNTRACK_H323 is not set +# CONFIG_NF_CONNTRACK_IRC is not set +# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set +# CONFIG_NF_CONNTRACK_SNMP is not set +# CONFIG_NF_CONNTRACK_PPTP is not set +CONFIG_NF_CONNTRACK_SANE=y +# CONFIG_NF_CONNTRACK_SIP is not set +# CONFIG_NF_CONNTRACK_TFTP is not set +CONFIG_NF_CT_NETLINK=y +# CONFIG_NF_CT_NETLINK_TIMEOUT is not set +# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_NAT=y +CONFIG_NF_NAT_NEEDED=y +CONFIG_NF_NAT_PROTO_UDPLITE=y +# CONFIG_NF_NAT_AMANDA is not set +# CONFIG_NF_NAT_FTP is not set +# CONFIG_NF_NAT_IRC is not set +# CONFIG_NF_NAT_SIP is not set +# CONFIG_NF_NAT_TFTP is not set +CONFIG_NF_NAT_REDIRECT=y +# CONFIG_NF_TABLES is not set +CONFIG_NETFILTER_XTABLES=y + +# +# Xtables combined modules +# +CONFIG_NETFILTER_XT_MARK=y +CONFIG_NETFILTER_XT_CONNMARK=y +CONFIG_NETFILTER_XT_SET=y + +# +# Xtables targets +# +# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set +CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y +CONFIG_NETFILTER_XT_TARGET_CONNMARK=y +CONFIG_NETFILTER_XT_TARGET_CT=y +CONFIG_NETFILTER_XT_TARGET_DSCP=y +CONFIG_NETFILTER_XT_TARGET_HL=y +# CONFIG_NETFILTER_XT_TARGET_HMARK is not set +# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set +CONFIG_NETFILTER_XT_TARGET_LOG=y +CONFIG_NETFILTER_XT_TARGET_MARK=y +CONFIG_NETFILTER_XT_NAT=y +CONFIG_NETFILTER_XT_TARGET_NETMAP=y +CONFIG_NETFILTER_XT_TARGET_NFLOG=y +CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y +CONFIG_NETFILTER_XT_TARGET_NOTRACK=y +# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set +CONFIG_NETFILTER_XT_TARGET_REDIRECT=y +# CONFIG_NETFILTER_XT_TARGET_TEE is not set +# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=y +CONFIG_NETFILTER_XT_TARGET_TCPMSS=y +# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set + +# +# Xtables matches +# +CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y +# CONFIG_NETFILTER_XT_MATCH_BPF is not set +# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set +CONFIG_NETFILTER_XT_MATCH_CLUSTER=y +CONFIG_NETFILTER_XT_MATCH_COMMENT=y +CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y +# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set +CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y +CONFIG_NETFILTER_XT_MATCH_CONNMARK=y +CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y +# CONFIG_NETFILTER_XT_MATCH_CPU is not set +CONFIG_NETFILTER_XT_MATCH_DCCP=y +CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y +CONFIG_NETFILTER_XT_MATCH_DSCP=y +CONFIG_NETFILTER_XT_MATCH_ECN=y +CONFIG_NETFILTER_XT_MATCH_ESP=y +CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y +CONFIG_NETFILTER_XT_MATCH_HELPER=y +CONFIG_NETFILTER_XT_MATCH_HL=y +# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=y +CONFIG_NETFILTER_XT_MATCH_LENGTH=y +CONFIG_NETFILTER_XT_MATCH_LIMIT=y +CONFIG_NETFILTER_XT_MATCH_MAC=y +CONFIG_NETFILTER_XT_MATCH_MARK=y +CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y +# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set +# CONFIG_NETFILTER_XT_MATCH_OSF is not set +# CONFIG_NETFILTER_XT_MATCH_OWNER is not set +CONFIG_NETFILTER_XT_MATCH_POLICY=y +CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y +CONFIG_NETFILTER_XT_MATCH_QUOTA=y +# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set +CONFIG_NETFILTER_XT_MATCH_REALM=y +# CONFIG_NETFILTER_XT_MATCH_RECENT is not set +CONFIG_NETFILTER_XT_MATCH_SCTP=y +CONFIG_NETFILTER_XT_MATCH_STATE=y +CONFIG_NETFILTER_XT_MATCH_STATISTIC=y +CONFIG_NETFILTER_XT_MATCH_STRING=y +CONFIG_NETFILTER_XT_MATCH_TCPMSS=y +# CONFIG_NETFILTER_XT_MATCH_TIME is not set +CONFIG_NETFILTER_XT_MATCH_U32=y +CONFIG_IP_SET=y +CONFIG_IP_SET_MAX=256 +CONFIG_IP_SET_BITMAP_IP=y +CONFIG_IP_SET_BITMAP_IPMAC=y +CONFIG_IP_SET_BITMAP_PORT=y +CONFIG_IP_SET_HASH_IP=y +# CONFIG_IP_SET_HASH_IPMARK is not set +CONFIG_IP_SET_HASH_IPPORT=y +CONFIG_IP_SET_HASH_IPPORTIP=y +CONFIG_IP_SET_HASH_IPPORTNET=y +# CONFIG_IP_SET_HASH_IPMAC is not set +# CONFIG_IP_SET_HASH_MAC is not set +# CONFIG_IP_SET_HASH_NETPORTNET is not set +CONFIG_IP_SET_HASH_NET=y +# CONFIG_IP_SET_HASH_NETNET is not set +CONFIG_IP_SET_HASH_NETPORT=y +# CONFIG_IP_SET_HASH_NETIFACE is not set +CONFIG_IP_SET_LIST_SET=y +# CONFIG_IP_VS is not set + +# +# IP: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV4=y +CONFIG_NF_CONNTRACK_IPV4=y +# CONFIG_NF_SOCKET_IPV4 is not set +# CONFIG_NF_DUP_IPV4 is not set +# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_IPV4=y +CONFIG_NF_REJECT_IPV4=y +CONFIG_NF_NAT_IPV4=y +CONFIG_NF_NAT_MASQUERADE_IPV4=y +# CONFIG_NF_NAT_PPTP is not set +# CONFIG_NF_NAT_H323 is not set +CONFIG_IP_NF_IPTABLES=y +CONFIG_IP_NF_MATCH_AH=y +CONFIG_IP_NF_MATCH_ECN=y +# CONFIG_IP_NF_MATCH_RPFILTER is not set +CONFIG_IP_NF_MATCH_TTL=y +CONFIG_IP_NF_FILTER=y +CONFIG_IP_NF_TARGET_REJECT=y +# CONFIG_IP_NF_TARGET_SYNPROXY is not set +CONFIG_IP_NF_NAT=y +CONFIG_IP_NF_TARGET_MASQUERADE=y +CONFIG_IP_NF_TARGET_NETMAP=y +CONFIG_IP_NF_TARGET_REDIRECT=y +CONFIG_IP_NF_MANGLE=y +CONFIG_IP_NF_TARGET_CLUSTERIP=y +CONFIG_IP_NF_TARGET_ECN=y +CONFIG_IP_NF_TARGET_TTL=y +CONFIG_IP_NF_RAW=y +CONFIG_IP_NF_ARPTABLES=y +CONFIG_IP_NF_ARPFILTER=y +CONFIG_IP_NF_ARP_MANGLE=y + +# +# IPv6: Netfilter Configuration +# +CONFIG_NF_DEFRAG_IPV6=y +CONFIG_NF_CONNTRACK_IPV6=y +# CONFIG_NF_SOCKET_IPV6 is not set +# CONFIG_NF_DUP_IPV6 is not set +CONFIG_NF_REJECT_IPV6=y +CONFIG_NF_LOG_IPV6=y +CONFIG_NF_NAT_IPV6=y +CONFIG_NF_NAT_MASQUERADE_IPV6=y +CONFIG_IP6_NF_IPTABLES=y +CONFIG_IP6_NF_MATCH_AH=y +CONFIG_IP6_NF_MATCH_EUI64=y +CONFIG_IP6_NF_MATCH_FRAG=y +CONFIG_IP6_NF_MATCH_OPTS=y +CONFIG_IP6_NF_MATCH_HL=y +CONFIG_IP6_NF_MATCH_IPV6HEADER=y +CONFIG_IP6_NF_MATCH_MH=y +# CONFIG_IP6_NF_MATCH_RPFILTER is not set +CONFIG_IP6_NF_MATCH_RT=y +CONFIG_IP6_NF_TARGET_HL=y +CONFIG_IP6_NF_FILTER=y +CONFIG_IP6_NF_TARGET_REJECT=y +# CONFIG_IP6_NF_TARGET_SYNPROXY is not set +CONFIG_IP6_NF_MANGLE=y +CONFIG_IP6_NF_RAW=y +CONFIG_IP6_NF_NAT=y +CONFIG_IP6_NF_TARGET_MASQUERADE=y +CONFIG_IP6_NF_TARGET_NPT=y +# CONFIG_IP_DCCP is not set +# CONFIG_IP_SCTP is not set +# CONFIG_RDS is not set +# CONFIG_TIPC is not set +# CONFIG_ATM is not set +CONFIG_L2TP=y +# CONFIG_L2TP_V3 is not set +# CONFIG_BRIDGE is not set +CONFIG_HAVE_NET_DSA=y +# CONFIG_NET_DSA is not set +# CONFIG_VLAN_8021Q is not set +# CONFIG_DECNET is not set +# CONFIG_LLC2 is not set +# CONFIG_IPX is not set +# CONFIG_ATALK is not set +# CONFIG_X25 is not set +# CONFIG_LAPB is not set +# CONFIG_PHONET is not set +# CONFIG_6LOWPAN is not set +# CONFIG_IEEE802154 is not set +# CONFIG_NET_SCHED is not set +# CONFIG_DCB is not set +CONFIG_DNS_RESOLVER=y +# CONFIG_BATMAN_ADV is not set +# CONFIG_OPENVSWITCH is not set +# CONFIG_VSOCKETS is not set +# CONFIG_NETLINK_DIAG is not set +# CONFIG_MPLS is not set +# CONFIG_NET_NSH is not set +# CONFIG_HSR is not set +# CONFIG_NET_SWITCHDEV is not set +# CONFIG_NET_L3_MASTER_DEV is not set +# CONFIG_NET_NCSI is not set +CONFIG_CGROUP_NET_PRIO=y +CONFIG_CGROUP_NET_CLASSID=y +CONFIG_NET_RX_BUSY_POLL=y +CONFIG_BQL=y + +# +# Network testing +# +# CONFIG_NET_PKTGEN is not set +# CONFIG_HAMRADIO is not set +# CONFIG_CAN is not set +# CONFIG_BT is not set +# CONFIG_AF_RXRPC is not set +# CONFIG_AF_KCM is not set +# CONFIG_STREAM_PARSER is not set +CONFIG_FIB_RULES=y +CONFIG_WIRELESS=y +# CONFIG_CFG80211 is not set +CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y +CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y +# CONFIG_LIB80211 is not set + +# +# CFG80211 needs to be enabled for MAC80211 +# +CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 +# CONFIG_WIMAX is not set +# CONFIG_RFKILL is not set +CONFIG_NET_9P=y +CONFIG_NET_9P_VIRTIO=y +# CONFIG_NET_9P_DEBUG is not set +# CONFIG_CAIF is not set +# CONFIG_CEPH_LIB is not set +# CONFIG_NFC is not set +# CONFIG_PSAMPLE is not set +# CONFIG_NET_IFE is not set +# CONFIG_LWTUNNEL is not set +CONFIG_DST_CACHE=y +CONFIG_GRO_CELLS=y +# CONFIG_NET_DEVLINK is not set +CONFIG_MAY_USE_DEVLINK=y +CONFIG_HAVE_EBPF_JIT=y + +# +# Device Drivers +# + +# +# Generic Driver Options +# +CONFIG_UEVENT_HELPER=y +CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug" +CONFIG_DEVTMPFS=y +CONFIG_DEVTMPFS_MOUNT=y +CONFIG_STANDALONE=y +CONFIG_PREVENT_FIRMWARE_BUILD=y +CONFIG_FW_LOADER=y +CONFIG_FIRMWARE_IN_KERNEL=y +CONFIG_EXTRA_FIRMWARE="" +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_ALLOW_DEV_COREDUMP=y +# CONFIG_DEBUG_DRIVER is not set +# CONFIG_DEBUG_DEVRES is not set +# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +# CONFIG_SYS_HYPERVISOR is not set +# CONFIG_GENERIC_CPU_DEVICES is not set +CONFIG_GENERIC_CPU_AUTOPROBE=y +CONFIG_GENERIC_CPU_VULNERABILITIES=y +# CONFIG_DMA_SHARED_BUFFER is not set + +# +# Bus devices +# +# CONFIG_CONNECTOR is not set +# CONFIG_MTD is not set +# CONFIG_OF is not set +CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y +# CONFIG_PARPORT is not set +CONFIG_PNP=y +CONFIG_PNP_DEBUG_MESSAGES=y + +# +# Protocols +# +CONFIG_PNPACPI=y +CONFIG_BLK_DEV=y +# CONFIG_BLK_DEV_NULL_BLK is not set +# CONFIG_BLK_DEV_FD is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_BLK_DEV_DAC960 is not set +# CONFIG_BLK_DEV_UMEM is not set +# CONFIG_BLK_DEV_COW_COMMON is not set +CONFIG_BLK_DEV_LOOP=y +CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 +# CONFIG_BLK_DEV_CRYPTOLOOP is not set +# CONFIG_BLK_DEV_DRBD is not set +CONFIG_BLK_DEV_NBD=y +# CONFIG_BLK_DEV_SKD is not set +# CONFIG_BLK_DEV_SX8 is not set +# CONFIG_BLK_DEV_RAM is not set +# CONFIG_CDROM_PKTCDVD is not set +# CONFIG_ATA_OVER_ETH is not set +CONFIG_VIRTIO_BLK=y +# CONFIG_VIRTIO_BLK_SCSI is not set +# CONFIG_BLK_DEV_RBD is not set +# CONFIG_BLK_DEV_RSXX is not set + +# +# NVME Support +# +# CONFIG_BLK_DEV_NVME is not set +# CONFIG_NVME_FC is not set + +# +# Misc devices +# +# CONFIG_SENSORS_LIS3LV02D is not set +# CONFIG_DUMMY_IRQ is not set +# CONFIG_IBM_ASM is not set +# CONFIG_PHANTOM is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_TIFM_CORE is not set +# CONFIG_ENCLOSURE_SERVICES is not set +# CONFIG_HP_ILO is not set +# CONFIG_SRAM is not set +# CONFIG_PCI_ENDPOINT_TEST is not set +# CONFIG_C2PORT is not set + +# +# EEPROM support +# +# CONFIG_EEPROM_93CX6 is not set +# CONFIG_CB710_CORE is not set + +# +# Texas Instruments shared transport line discipline +# + +# +# Altera FPGA firmware download module (requires I2C) +# +# CONFIG_INTEL_MEI is not set +# CONFIG_INTEL_MEI_ME is not set +# CONFIG_INTEL_MEI_TXE is not set +# CONFIG_VMWARE_VMCI is not set + +# +# Intel MIC & related support +# + +# +# Intel MIC Bus Driver +# +# CONFIG_INTEL_MIC_BUS is not set + +# +# SCIF Bus Driver +# +# CONFIG_SCIF_BUS is not set + +# +# VOP Bus Driver +# +# CONFIG_VOP_BUS is not set + +# +# Intel MIC Host Driver +# + +# +# Intel MIC Card Driver +# + +# +# SCIF Driver +# + +# +# Intel MIC Coprocessor State Management (COSM) Drivers +# + +# +# VOP Driver +# +# CONFIG_GENWQE is not set +# CONFIG_ECHO is not set +# CONFIG_CXL_BASE is not set +# CONFIG_CXL_AFU_DRIVER_OPS is not set +# CONFIG_CXL_LIB is not set +CONFIG_HAVE_IDE=y +# CONFIG_IDE is not set + +# +# SCSI device support +# +CONFIG_SCSI_MOD=y +# CONFIG_RAID_ATTRS is not set +# CONFIG_SCSI is not set +# CONFIG_SCSI_DMA is not set +# CONFIG_SCSI_NETLINK is not set +# CONFIG_ATA is not set +# CONFIG_MD is not set +# CONFIG_FUSION is not set + +# +# IEEE 1394 (FireWire) support +# +# CONFIG_FIREWIRE is not set +# CONFIG_FIREWIRE_NOSY is not set +# CONFIG_MACINTOSH_DRIVERS is not set +CONFIG_NETDEVICES=y +CONFIG_NET_CORE=y +# CONFIG_BONDING is not set +CONFIG_DUMMY=y +# CONFIG_EQUALIZER is not set +# CONFIG_NET_TEAM is not set +# CONFIG_MACVLAN is not set +# CONFIG_VXLAN is not set +# CONFIG_GENEVE is not set +# CONFIG_GTP is not set +CONFIG_MACSEC=y +# CONFIG_NETCONSOLE is not set +# CONFIG_NETPOLL is not set +# CONFIG_NET_POLL_CONTROLLER is not set +CONFIG_TUN=y +# CONFIG_TUN_VNET_CROSS_LE is not set +# CONFIG_VETH is not set +CONFIG_VIRTIO_NET=y +# CONFIG_NLMON is not set +# CONFIG_ARCNET is not set + +# +# CAIF transport drivers +# + +# +# Distributed Switch Architecture drivers +# +CONFIG_ETHERNET=y +CONFIG_NET_VENDOR_3COM=y +# CONFIG_VORTEX is not set +# CONFIG_TYPHOON is not set +CONFIG_NET_VENDOR_ADAPTEC=y +# CONFIG_ADAPTEC_STARFIRE is not set +CONFIG_NET_VENDOR_AGERE=y +# CONFIG_ET131X is not set +CONFIG_NET_VENDOR_ALACRITECH=y +# CONFIG_SLICOSS is not set +CONFIG_NET_VENDOR_ALTEON=y +# CONFIG_ACENIC is not set +# CONFIG_ALTERA_TSE is not set +CONFIG_NET_VENDOR_AMAZON=y +# CONFIG_ENA_ETHERNET is not set +CONFIG_NET_VENDOR_AMD=y +# CONFIG_AMD8111_ETH is not set +# CONFIG_PCNET32 is not set +# CONFIG_AMD_XGBE is not set +# CONFIG_AMD_XGBE_HAVE_ECC is not set +CONFIG_NET_VENDOR_AQUANTIA=y +# CONFIG_AQTION is not set +# CONFIG_NET_VENDOR_ARC is not set +CONFIG_NET_VENDOR_ATHEROS=y +# CONFIG_ATL2 is not set +# CONFIG_ATL1 is not set +# CONFIG_ATL1E is not set +# CONFIG_ATL1C is not set +# CONFIG_ALX is not set +# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_NET_CADENCE=y +# CONFIG_MACB is not set +CONFIG_NET_VENDOR_BROADCOM=y +# CONFIG_B44 is not set +# CONFIG_BNX2 is not set +# CONFIG_CNIC is not set +# CONFIG_TIGON3 is not set +# CONFIG_BNX2X is not set +# CONFIG_BNXT is not set +CONFIG_NET_VENDOR_BROCADE=y +# CONFIG_BNA is not set +CONFIG_NET_VENDOR_CAVIUM=y +# CONFIG_THUNDER_NIC_PF is not set +# CONFIG_THUNDER_NIC_VF is not set +# CONFIG_THUNDER_NIC_BGX is not set +# CONFIG_THUNDER_NIC_RGX is not set +# CONFIG_LIQUIDIO is not set +# CONFIG_LIQUIDIO_VF is not set +CONFIG_NET_VENDOR_CHELSIO=y +# CONFIG_CHELSIO_T1 is not set +# CONFIG_CHELSIO_T3 is not set +# CONFIG_CHELSIO_T4 is not set +# CONFIG_CHELSIO_T4VF is not set +CONFIG_NET_VENDOR_CISCO=y +# CONFIG_ENIC is not set +# CONFIG_CX_ECAT is not set +# CONFIG_DNET is not set +CONFIG_NET_VENDOR_DEC=y +# CONFIG_NET_TULIP is not set +CONFIG_NET_VENDOR_DLINK=y +# CONFIG_DL2K is not set +# CONFIG_SUNDANCE is not set +CONFIG_NET_VENDOR_EMULEX=y +# CONFIG_BE2NET is not set +CONFIG_NET_VENDOR_EZCHIP=y +CONFIG_NET_VENDOR_EXAR=y +# CONFIG_S2IO is not set +# CONFIG_VXGE is not set +CONFIG_NET_VENDOR_HP=y +# CONFIG_HP100 is not set +CONFIG_NET_VENDOR_HUAWEI=y +# CONFIG_HINIC is not set +CONFIG_NET_VENDOR_INTEL=y +# CONFIG_E100 is not set +# CONFIG_E1000 is not set +# CONFIG_E1000E is not set +# CONFIG_IGB is not set +# CONFIG_IGBVF is not set +# CONFIG_IXGB is not set +# CONFIG_IXGBE is not set +# CONFIG_IXGBEVF is not set +# CONFIG_I40E is not set +# CONFIG_I40EVF is not set +# CONFIG_FM10K is not set +CONFIG_NET_VENDOR_I825XX=y +# CONFIG_JME is not set +CONFIG_NET_VENDOR_MARVELL=y +# CONFIG_MVMDIO is not set +# CONFIG_SKGE is not set +# CONFIG_SKY2 is not set +CONFIG_NET_VENDOR_MELLANOX=y +# CONFIG_MLX4_EN is not set +# CONFIG_MLX4_CORE is not set +# CONFIG_MLX5_CORE is not set +# CONFIG_MLXSW_CORE is not set +# CONFIG_MLXFW is not set +CONFIG_NET_VENDOR_MICREL=y +# CONFIG_KS8851_MLL is not set +# CONFIG_KSZ884X_PCI is not set +CONFIG_NET_VENDOR_MYRI=y +# CONFIG_MYRI10GE is not set +# CONFIG_FEALNX is not set +CONFIG_NET_VENDOR_NATSEMI=y +# CONFIG_NATSEMI is not set +# CONFIG_NS83820 is not set +CONFIG_NET_VENDOR_NETRONOME=y +# CONFIG_NFP is not set +CONFIG_NET_VENDOR_8390=y +# CONFIG_NE2K_PCI is not set +CONFIG_NET_VENDOR_NVIDIA=y +# CONFIG_FORCEDETH is not set +CONFIG_NET_VENDOR_OKI=y +# CONFIG_ETHOC is not set +CONFIG_NET_PACKET_ENGINE=y +# CONFIG_HAMACHI is not set +# CONFIG_YELLOWFIN is not set +CONFIG_NET_VENDOR_QLOGIC=y +# CONFIG_QLA3XXX is not set +# CONFIG_QLCNIC is not set +# CONFIG_QLGE is not set +# CONFIG_NETXEN_NIC is not set +# CONFIG_QED is not set +CONFIG_NET_VENDOR_QUALCOMM=y +# CONFIG_QCOM_EMAC is not set +# CONFIG_RMNET is not set +CONFIG_NET_VENDOR_REALTEK=y +# CONFIG_8139CP is not set +# CONFIG_8139TOO is not set +# CONFIG_R8169 is not set +CONFIG_NET_VENDOR_RENESAS=y +CONFIG_NET_VENDOR_RDC=y +# CONFIG_R6040 is not set +CONFIG_NET_VENDOR_ROCKER=y +CONFIG_NET_VENDOR_SAMSUNG=y +# CONFIG_SXGBE_ETH is not set +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SILAN=y +# CONFIG_SC92031 is not set +CONFIG_NET_VENDOR_SIS=y +# CONFIG_SIS900 is not set +# CONFIG_SIS190 is not set +CONFIG_NET_VENDOR_SOLARFLARE=y +# CONFIG_SFC is not set +# CONFIG_SFC_FALCON is not set +CONFIG_NET_VENDOR_SMSC=y +# CONFIG_EPIC100 is not set +# CONFIG_SMSC911X is not set +# CONFIG_SMSC9420 is not set +CONFIG_NET_VENDOR_STMICRO=y +# CONFIG_STMMAC_ETH is not set +CONFIG_NET_VENDOR_SUN=y +# CONFIG_HAPPYMEAL is not set +# CONFIG_SUNGEM is not set +# CONFIG_CASSINI is not set +# CONFIG_NIU is not set +CONFIG_NET_VENDOR_TEHUTI=y +# CONFIG_TEHUTI is not set +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_ALE is not set +# CONFIG_TLAN is not set +CONFIG_NET_VENDOR_VIA=y +# CONFIG_VIA_RHINE is not set +# CONFIG_VIA_VELOCITY is not set +CONFIG_NET_VENDOR_WIZNET=y +# CONFIG_WIZNET_W5100 is not set +# CONFIG_WIZNET_W5300 is not set +CONFIG_NET_VENDOR_SYNOPSYS=y +# CONFIG_DWC_XLGMAC is not set +# CONFIG_FDDI is not set +# CONFIG_HIPPI is not set +# CONFIG_NET_SB1000 is not set +# CONFIG_MDIO_DEVICE is not set +# CONFIG_MDIO_BUS is not set +# CONFIG_PHYLIB is not set +# CONFIG_PPP is not set +# CONFIG_SLIP is not set + +# +# Host-side USB support is needed for USB Network Adapter support +# +CONFIG_WLAN=y +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_WLAN_VENDOR_ATH=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_ATH5K_PCI is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_WLAN_VENDOR_BROADCOM=y +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_WLAN_VENDOR_INTERSIL=y +# CONFIG_HOSTAP is not set +# CONFIG_PRISM54 is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_WLAN_VENDOR_QUANTENNA=y + +# +# Enable WiMAX (Networking options) to see the WiMAX drivers +# +# CONFIG_WAN is not set +# CONFIG_VMXNET3 is not set +# CONFIG_FUJITSU_ES is not set +# CONFIG_ISDN is not set +# CONFIG_NVM is not set + +# +# Input device support +# +CONFIG_INPUT=y +# CONFIG_INPUT_FF_MEMLESS is not set +# CONFIG_INPUT_POLLDEV is not set +# CONFIG_INPUT_SPARSEKMAP is not set +# CONFIG_INPUT_MATRIXKMAP is not set + +# +# Userland interfaces +# +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y +CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 +CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 +# CONFIG_INPUT_JOYDEV is not set +CONFIG_INPUT_EVDEV=y +# CONFIG_INPUT_EVBUG is not set + +# +# Input Device Drivers +# +CONFIG_INPUT_KEYBOARD=y +CONFIG_KEYBOARD_ATKBD=y +# CONFIG_KEYBOARD_LKKBD is not set +# CONFIG_KEYBOARD_NEWTON is not set +# CONFIG_KEYBOARD_OPENCORES is not set +# CONFIG_KEYBOARD_SAMSUNG is not set +# CONFIG_KEYBOARD_STOWAWAY is not set +# CONFIG_KEYBOARD_SUNKBD is not set +# CONFIG_KEYBOARD_XTKBD is not set +CONFIG_INPUT_MOUSE=y +CONFIG_MOUSE_PS2=y +CONFIG_MOUSE_PS2_ALPS=y +CONFIG_MOUSE_PS2_BYD=y +CONFIG_MOUSE_PS2_LOGIPS2PP=y +CONFIG_MOUSE_PS2_SYNAPTICS=y +CONFIG_MOUSE_PS2_CYPRESS=y +CONFIG_MOUSE_PS2_LIFEBOOK=y +CONFIG_MOUSE_PS2_TRACKPOINT=y +# CONFIG_MOUSE_PS2_ELANTECH is not set +# CONFIG_MOUSE_PS2_SENTELIC is not set +# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_FOCALTECH=y +# CONFIG_MOUSE_SERIAL is not set +# CONFIG_MOUSE_APPLETOUCH is not set +# CONFIG_MOUSE_BCM5974 is not set +# CONFIG_MOUSE_VSXXXAA is not set +# CONFIG_MOUSE_SYNAPTICS_USB is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set +# CONFIG_RMI4_CORE is not set + +# +# Hardware I/O ports +# +CONFIG_SERIO=y +CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y +CONFIG_SERIO_I8042=y +CONFIG_SERIO_SERPORT=y +# CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_LIBPS2=y +# CONFIG_SERIO_RAW is not set +# CONFIG_SERIO_ALTERA_PS2 is not set +# CONFIG_SERIO_PS2MULT is not set +# CONFIG_SERIO_ARC_PS2 is not set +# CONFIG_USERIO is not set +# CONFIG_GAMEPORT is not set + +# +# Character devices +# +CONFIG_TTY=y +CONFIG_VT=y +CONFIG_CONSOLE_TRANSLATIONS=y +CONFIG_VT_CONSOLE=y +CONFIG_VT_CONSOLE_SLEEP=y +CONFIG_HW_CONSOLE=y +# CONFIG_VT_HW_CONSOLE_BINDING is not set +CONFIG_UNIX98_PTYS=y +CONFIG_LEGACY_PTYS=y +CONFIG_LEGACY_PTY_COUNT=256 +# CONFIG_SERIAL_NONSTANDARD is not set +# CONFIG_NOZOMI is not set +# CONFIG_N_GSM is not set +# CONFIG_TRACE_SINK is not set +CONFIG_DEVMEM=y +CONFIG_DEVKMEM=y + +# +# Serial drivers +# +# CONFIG_SERIAL_8250 is not set + +# +# Non-8250 serial port support +# +# CONFIG_SERIAL_UARTLITE is not set +# CONFIG_SERIAL_JSM is not set +# CONFIG_SERIAL_SCCNXP is not set +# CONFIG_SERIAL_ALTERA_JTAGUART is not set +# CONFIG_SERIAL_ALTERA_UART is not set +# CONFIG_SERIAL_ARC is not set +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_DEV_BUS is not set +CONFIG_HVC_DRIVER=y +CONFIG_VIRTIO_CONSOLE=y +# CONFIG_IPMI_HANDLER is not set +# CONFIG_HW_RANDOM is not set +# CONFIG_NVRAM is not set +# CONFIG_R3964 is not set +# CONFIG_APPLICOM is not set +# CONFIG_MWAVE is not set +# CONFIG_RAW_DRIVER is not set +# CONFIG_HPET is not set +# CONFIG_HANGCHECK_TIMER is not set +# CONFIG_TCG_TPM is not set +# CONFIG_TELCLOCK is not set +CONFIG_DEVPORT=y +# CONFIG_XILLYBUS is not set + +# +# I2C support +# +# CONFIG_I2C is not set +# CONFIG_SPI is not set +# CONFIG_SPMI is not set +# CONFIG_HSI is not set +# CONFIG_PPS is not set + +# +# PTP clock support +# +# CONFIG_PTP_1588_CLOCK is not set + +# +# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks. +# +# CONFIG_PINCTRL is not set +# CONFIG_GPIOLIB is not set +# CONFIG_W1 is not set +# CONFIG_POWER_AVS is not set +# CONFIG_POWER_RESET is not set +CONFIG_POWER_SUPPLY=y +# CONFIG_POWER_SUPPLY_DEBUG is not set +# CONFIG_PDA_POWER is not set +# CONFIG_TEST_POWER is not set +# CONFIG_BATTERY_DS2780 is not set +# CONFIG_BATTERY_DS2781 is not set +# CONFIG_BATTERY_BQ27XXX is not set +# CONFIG_CHARGER_MAX8903 is not set +CONFIG_HWMON=y +# CONFIG_HWMON_VID is not set +# CONFIG_HWMON_DEBUG_CHIP is not set + +# +# Native drivers +# +# CONFIG_SENSORS_ABITUGURU is not set +# CONFIG_SENSORS_ABITUGURU3 is not set +# CONFIG_SENSORS_K8TEMP is not set +# CONFIG_SENSORS_K10TEMP is not set +# CONFIG_SENSORS_FAM15H_POWER is not set +# CONFIG_SENSORS_APPLESMC is not set +# CONFIG_SENSORS_ASPEED is not set +# CONFIG_SENSORS_DELL_SMM is not set +# CONFIG_SENSORS_I5K_AMB is not set +# CONFIG_SENSORS_F71805F is not set +# CONFIG_SENSORS_F71882FG is not set +# CONFIG_SENSORS_I5500 is not set +# CONFIG_SENSORS_CORETEMP is not set +# CONFIG_SENSORS_IT87 is not set +# CONFIG_SENSORS_MAX197 is not set +# CONFIG_SENSORS_PC87360 is not set +# CONFIG_SENSORS_PC87427 is not set +# CONFIG_SENSORS_NTC_THERMISTOR is not set +# CONFIG_SENSORS_NCT6683 is not set +# CONFIG_SENSORS_NCT6775 is not set +# CONFIG_SENSORS_SIS5595 is not set +# CONFIG_SENSORS_SMSC47M1 is not set +# CONFIG_SENSORS_SMSC47B397 is not set +# CONFIG_SENSORS_SCH56XX_COMMON is not set +# CONFIG_SENSORS_VIA_CPUTEMP is not set +# CONFIG_SENSORS_VIA686A is not set +# CONFIG_SENSORS_VT1211 is not set +# CONFIG_SENSORS_VT8231 is not set +# CONFIG_SENSORS_W83627HF is not set +# CONFIG_SENSORS_W83627EHF is not set + +# +# ACPI drivers +# +# CONFIG_SENSORS_ACPI_POWER is not set +# CONFIG_SENSORS_ATK0110 is not set +CONFIG_THERMAL=y +CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y +# CONFIG_THERMAL_WRITABLE_TRIPS is not set +CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y +# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set +# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set +# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_GOV_FAIR_SHARE is not set +CONFIG_THERMAL_GOV_STEP_WISE=y +# CONFIG_THERMAL_GOV_BANG_BANG is not set +# CONFIG_THERMAL_GOV_USER_SPACE is not set +# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set +# CONFIG_THERMAL_EMULATION is not set +# CONFIG_INTEL_POWERCLAMP is not set +# CONFIG_INTEL_SOC_DTS_THERMAL is not set + +# +# ACPI INT340X thermal drivers +# +# CONFIG_INT340X_THERMAL is not set +# CONFIG_INTEL_PCH_THERMAL is not set +# CONFIG_WATCHDOG is not set +CONFIG_SSB_POSSIBLE=y + +# +# Sonics Silicon Backplane +# +# CONFIG_SSB is not set +CONFIG_BCMA_POSSIBLE=y +# CONFIG_BCMA is not set + +# +# Multifunction device drivers +# +# CONFIG_MFD_CORE is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_HTC_PASIC3 is not set +# CONFIG_MFD_INTEL_QUARK_I2C_GPIO is not set +# CONFIG_LPC_ICH is not set +# CONFIG_LPC_SCH is not set +# CONFIG_MFD_INTEL_LPSS_ACPI is not set +# CONFIG_MFD_INTEL_LPSS_PCI is not set +# CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set +# CONFIG_MFD_MT6397 is not set +# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_RTSX_PCI is not set +# CONFIG_MFD_SM501 is not set +# CONFIG_ABX500_CORE is not set +# CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_TI_AM335X_TSCADC is not set +# CONFIG_MFD_TMIO is not set +# CONFIG_MFD_VX855 is not set +# CONFIG_REGULATOR is not set +CONFIG_RC_CORE=y +CONFIG_RC_MAP=y +CONFIG_RC_DECODERS=y +# CONFIG_LIRC is not set +CONFIG_IR_NEC_DECODER=y +CONFIG_IR_RC5_DECODER=y +CONFIG_IR_RC6_DECODER=y +CONFIG_IR_JVC_DECODER=y +CONFIG_IR_SONY_DECODER=y +CONFIG_IR_SANYO_DECODER=y +CONFIG_IR_SHARP_DECODER=y +CONFIG_IR_MCE_KBD_DECODER=y +CONFIG_IR_XMP_DECODER=y +# CONFIG_RC_DEVICES is not set +# CONFIG_MEDIA_SUPPORT is not set + +# +# Graphics support +# +# CONFIG_AGP is not set +CONFIG_VGA_ARB=y +CONFIG_VGA_ARB_MAX_GPUS=16 +# CONFIG_VGA_SWITCHEROO is not set +# CONFIG_DRM is not set + +# +# ACP (Audio CoProcessor) Configuration +# + +# +# AMD Library routines +# +# CONFIG_CHASH is not set +# CONFIG_DRM_LIB_RANDOM is not set + +# +# Frame buffer Devices +# +# CONFIG_FB is not set +# CONFIG_BACKLIGHT_LCD_SUPPORT is not set +# CONFIG_VGASTATE is not set + +# +# Console display driver support +# +CONFIG_VGA_CONSOLE=y +# CONFIG_VGACON_SOFT_SCROLLBACK is not set +CONFIG_DUMMY_CONSOLE=y +CONFIG_DUMMY_CONSOLE_COLUMNS=80 +CONFIG_DUMMY_CONSOLE_ROWS=25 +CONFIG_SOUND=y +# CONFIG_SOUND_OSS_CORE is not set +# CONFIG_SND is not set + +# +# HID support +# +CONFIG_HID=y +# CONFIG_HID_BATTERY_STRENGTH is not set +# CONFIG_HIDRAW is not set +# CONFIG_UHID is not set +CONFIG_HID_GENERIC=y + +# +# Special HID drivers +# +CONFIG_HID_A4TECH=y +# CONFIG_HID_ACRUX is not set +CONFIG_HID_APPLE=y +# CONFIG_HID_AUREAL is not set +CONFIG_HID_BELKIN=y +CONFIG_HID_CHERRY=y +CONFIG_HID_CHICONY=y +# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CYPRESS=y +# CONFIG_HID_DRAGONRISE is not set +# CONFIG_HID_EMS_FF is not set +# CONFIG_HID_ELECOM is not set +CONFIG_HID_EZKEY=y +# CONFIG_HID_GEMBIRD is not set +# CONFIG_HID_GFRM is not set +# CONFIG_HID_KEYTOUCH is not set +# CONFIG_HID_KYE is not set +# CONFIG_HID_WALTOP is not set +# CONFIG_HID_GYRATION is not set +# CONFIG_HID_ICADE is not set +CONFIG_HID_ITE=y +# CONFIG_HID_TWINHAN is not set +CONFIG_HID_KENSINGTON=y +# CONFIG_HID_LCPOWER is not set +# CONFIG_HID_LENOVO is not set +CONFIG_HID_LOGITECH=y +# CONFIG_HID_LOGITECH_HIDPP is not set +# CONFIG_LOGITECH_FF is not set +# CONFIG_LOGIRUMBLEPAD2_FF is not set +# CONFIG_LOGIG940_FF is not set +# CONFIG_LOGIWHEELS_FF is not set +# CONFIG_HID_MAGICMOUSE is not set +# CONFIG_HID_MAYFLASH is not set +CONFIG_HID_MICROSOFT=y +CONFIG_HID_MONTEREY=y +# CONFIG_HID_MULTITOUCH is not set +# CONFIG_HID_NTI is not set +# CONFIG_HID_ORTEK is not set +# CONFIG_HID_PANTHERLORD is not set +# CONFIG_HID_PETALYNX is not set +# CONFIG_HID_PICOLCD is not set +CONFIG_HID_PLANTRONICS=y +# CONFIG_HID_PRIMAX is not set +# CONFIG_HID_SAITEK is not set +# CONFIG_HID_SAMSUNG is not set +# CONFIG_HID_SPEEDLINK is not set +# CONFIG_HID_STEELSERIES is not set +# CONFIG_HID_SUNPLUS is not set +# CONFIG_HID_RMI is not set +# CONFIG_HID_GREENASIA is not set +# CONFIG_HID_SMARTJOYPLUS is not set +# CONFIG_HID_TIVO is not set +# CONFIG_HID_TOPSEED is not set +# CONFIG_HID_THRUSTMASTER is not set +# CONFIG_HID_UDRAW_PS3 is not set +# CONFIG_HID_XINMO is not set +# CONFIG_HID_ZEROPLUS is not set +# CONFIG_HID_ZYDACRON is not set +# CONFIG_HID_SENSOR_HUB is not set +# CONFIG_HID_ALPS is not set + +# +# Intel ISH HID support +# +# CONFIG_INTEL_ISH_HID is not set +CONFIG_USB_OHCI_LITTLE_ENDIAN=y +CONFIG_USB_SUPPORT=y +CONFIG_USB_ARCH_HAS_HCD=y +# CONFIG_USB is not set +CONFIG_USB_PCI=y + +# +# USB port drivers +# + +# +# USB Physical Layer drivers +# +# CONFIG_USB_PHY is not set +# CONFIG_NOP_USB_XCEIV is not set +# CONFIG_USB_GADGET is not set +# CONFIG_TYPEC is not set +# CONFIG_USB_ULPI_BUS is not set +# CONFIG_UWB is not set +# CONFIG_MMC is not set +# CONFIG_MEMSTICK is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_ACCESSIBILITY is not set +# CONFIG_INFINIBAND is not set +CONFIG_EDAC_ATOMIC_SCRUB=y +CONFIG_EDAC_SUPPORT=y +CONFIG_RTC_LIB=y +CONFIG_RTC_MC146818_LIB=y +# CONFIG_RTC_CLASS is not set +# CONFIG_DMADEVICES is not set + +# +# DMABUF options +# +# CONFIG_SYNC_FILE is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_UIO is not set +# CONFIG_VIRT_DRIVERS is not set +CONFIG_VIRTIO=y + +# +# Virtio drivers +# +CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI_LEGACY=y +CONFIG_VIRTIO_BALLOON=y +# CONFIG_VIRTIO_INPUT is not set +CONFIG_VIRTIO_MMIO=y +# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set + +# +# Microsoft Hyper-V guest support +# +# CONFIG_HYPERV_TSCPAGE is not set +# CONFIG_STAGING is not set +CONFIG_X86_PLATFORM_DEVICES=y +# CONFIG_ACERHDF is not set +# CONFIG_DELL_SMO8800 is not set +# CONFIG_FUJITSU_TABLET is not set +# CONFIG_HP_ACCEL is not set +# CONFIG_HP_WIRELESS is not set +# CONFIG_SENSORS_HDAPS is not set +# CONFIG_INTEL_MENLOW is not set +# CONFIG_ASUS_WIRELESS is not set +# CONFIG_ACPI_WMI is not set +# CONFIG_TOPSTAR_LAPTOP is not set +# CONFIG_TOSHIBA_BT_RFKILL is not set +# CONFIG_TOSHIBA_HAPS is not set +# CONFIG_ACPI_CMPC is not set +# CONFIG_INTEL_HID_EVENT is not set +# CONFIG_INTEL_VBTN is not set +# CONFIG_INTEL_IPS is not set +# CONFIG_INTEL_PMC_CORE is not set +# CONFIG_IBM_RTL is not set +# CONFIG_SAMSUNG_Q10 is not set +# CONFIG_INTEL_RST is not set +# CONFIG_INTEL_SMARTCONNECT is not set +# CONFIG_PVPANIC is not set +# CONFIG_INTEL_PMC_IPC is not set +# CONFIG_SURFACE_PRO3_BUTTON is not set +# CONFIG_INTEL_PUNIT_IPC is not set +# CONFIG_MLX_PLATFORM is not set +# CONFIG_MLX_CPLD_PLATFORM is not set +CONFIG_PMC_ATOM=y +# CONFIG_CHROME_PLATFORMS is not set +CONFIG_CLKDEV_LOOKUP=y +CONFIG_HAVE_CLK_PREPARE=y +CONFIG_COMMON_CLK=y + +# +# Common Clock Framework +# +# CONFIG_COMMON_CLK_NXP is not set +# CONFIG_COMMON_CLK_PXA is not set +# CONFIG_COMMON_CLK_PIC32 is not set +# CONFIG_HWSPINLOCK is not set + +# +# Clock Source drivers +# +CONFIG_CLKEVT_I8253=y +CONFIG_I8253_LOCK=y +CONFIG_CLKBLD_I8253=y +# CONFIG_ATMEL_PIT is not set +# CONFIG_SH_TIMER_CMT is not set +# CONFIG_SH_TIMER_MTU2 is not set +# CONFIG_SH_TIMER_TMU is not set +# CONFIG_EM_TIMER_STI is not set +# CONFIG_MAILBOX is not set +CONFIG_IOMMU_SUPPORT=y + +# +# Generic IOMMU Pagetable Support +# +# CONFIG_AMD_IOMMU is not set +# CONFIG_INTEL_IOMMU is not set +# CONFIG_IRQ_REMAP is not set + +# +# Remoteproc drivers +# +# CONFIG_REMOTEPROC is not set + +# +# Rpmsg drivers +# +# CONFIG_RPMSG_VIRTIO is not set + +# +# SOC (System On Chip) specific Drivers +# + +# +# Amlogic SoC drivers +# + +# +# Broadcom SoC drivers +# + +# +# i.MX SoC drivers +# + +# +# Qualcomm SoC drivers +# +# CONFIG_SUNXI_SRAM is not set +# CONFIG_SOC_TI is not set +# CONFIG_PM_DEVFREQ is not set +# CONFIG_EXTCON is not set +# CONFIG_MEMORY is not set +# CONFIG_IIO is not set +# CONFIG_NTB is not set +# CONFIG_VME_BUS is not set +# CONFIG_PWM is not set + +# +# IRQ chip support +# +CONFIG_ARM_GIC_MAX_NR=1 +# CONFIG_ARM_GIC_V3_ITS is not set +# CONFIG_IPACK_BUS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_FMC is not set + +# +# PHY Subsystem +# +# CONFIG_GENERIC_PHY is not set +# CONFIG_BCM_KONA_USB2_PHY is not set +# CONFIG_PHY_PXA_28NM_HSIC is not set +# CONFIG_PHY_PXA_28NM_USB2 is not set +# CONFIG_POWERCAP is not set +# CONFIG_MCB is not set + +# +# Performance monitor support +# +# CONFIG_RAS is not set +# CONFIG_THUNDERBOLT is not set + +# +# Android +# +# CONFIG_ANDROID is not set +# CONFIG_LIBNVDIMM is not set +# CONFIG_DAX is not set +# CONFIG_NVMEM is not set +# CONFIG_STM is not set +# CONFIG_INTEL_TH is not set +# CONFIG_FPGA is not set + +# +# FSI support +# +# CONFIG_FSI is not set + +# +# Firmware Drivers +# +# CONFIG_EDD is not set +CONFIG_FIRMWARE_MEMMAP=y +# CONFIG_DELL_RBU is not set +# CONFIG_DCDBAS is not set +CONFIG_DMIID=y +# CONFIG_DMI_SYSFS is not set +CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y +# CONFIG_ISCSI_IBFT_FIND is not set +# CONFIG_FW_CFG_SYSFS is not set +# CONFIG_GOOGLE_FIRMWARE is not set +# CONFIG_EFI_DEV_PATH_PARSER is not set + +# +# Tegra firmware driver +# + +# +# File systems +# +CONFIG_DCACHE_WORD_ACCESS=y +CONFIG_FS_IOMAP=y +CONFIG_EXT2_FS=y +# CONFIG_EXT2_FS_XATTR is not set +CONFIG_EXT3_FS=y +# CONFIG_EXT3_FS_POSIX_ACL is not set +# CONFIG_EXT3_FS_SECURITY is not set +CONFIG_EXT4_FS=y +# CONFIG_EXT4_FS_POSIX_ACL is not set +# CONFIG_EXT4_FS_SECURITY is not set +# CONFIG_EXT4_ENCRYPTION is not set +# CONFIG_EXT4_DEBUG is not set +CONFIG_JBD2=y +# CONFIG_JBD2_DEBUG is not set +CONFIG_FS_MBCACHE=y +CONFIG_REISERFS_FS=y +# CONFIG_REISERFS_CHECK is not set +# CONFIG_REISERFS_PROC_INFO is not set +# CONFIG_REISERFS_FS_XATTR is not set +# CONFIG_JFS_FS is not set +# CONFIG_XFS_FS is not set +# CONFIG_GFS2_FS is not set +# CONFIG_BTRFS_FS is not set +# CONFIG_NILFS2_FS is not set +# CONFIG_F2FS_FS is not set +# CONFIG_FS_DAX is not set +CONFIG_FS_POSIX_ACL=y +CONFIG_EXPORTFS=y +# CONFIG_EXPORTFS_BLOCK_OPS is not set +CONFIG_FILE_LOCKING=y +CONFIG_MANDATORY_FILE_LOCKING=y +# CONFIG_FS_ENCRYPTION is not set +CONFIG_FSNOTIFY=y +CONFIG_DNOTIFY=y +CONFIG_INOTIFY_USER=y +# CONFIG_FANOTIFY is not set +CONFIG_QUOTA=y +# CONFIG_QUOTA_NETLINK_INTERFACE is not set +CONFIG_PRINT_QUOTA_WARNING=y +# CONFIG_QUOTA_DEBUG is not set +# CONFIG_QFMT_V1 is not set +# CONFIG_QFMT_V2 is not set +CONFIG_QUOTACTL=y +CONFIG_AUTOFS4_FS=y +# CONFIG_FUSE_FS is not set +# CONFIG_OVERLAY_FS is not set + +# +# Caches +# +# CONFIG_FSCACHE is not set + +# +# CD-ROM/DVD Filesystems +# +CONFIG_ISO9660_FS=y +CONFIG_JOLIET=y +# CONFIG_ZISOFS is not set +# CONFIG_UDF_FS is not set + +# +# DOS/FAT/NT Filesystems +# +# CONFIG_MSDOS_FS is not set +# CONFIG_VFAT_FS is not set +# CONFIG_NTFS_FS is not set + +# +# Pseudo filesystems +# +CONFIG_PROC_FS=y +CONFIG_PROC_KCORE=y +CONFIG_PROC_SYSCTL=y +CONFIG_PROC_PAGE_MONITOR=y +# CONFIG_PROC_CHILDREN is not set +CONFIG_KERNFS=y +CONFIG_SYSFS=y +CONFIG_TMPFS=y +# CONFIG_TMPFS_POSIX_ACL is not set +# CONFIG_TMPFS_XATTR is not set +# CONFIG_HUGETLBFS is not set +# CONFIG_HUGETLB_PAGE is not set +# CONFIG_CONFIGFS_FS is not set +CONFIG_MISC_FILESYSTEMS=y +# CONFIG_ORANGEFS_FS is not set +# CONFIG_ADFS_FS is not set +# CONFIG_AFFS_FS is not set +# CONFIG_ECRYPT_FS is not set +# CONFIG_HFS_FS is not set +# CONFIG_HFSPLUS_FS is not set +# CONFIG_BEFS_FS is not set +# CONFIG_BFS_FS is not set +# CONFIG_EFS_FS is not set +# CONFIG_CRAMFS is not set +# CONFIG_SQUASHFS is not set +# CONFIG_VXFS_FS is not set +# CONFIG_MINIX_FS is not set +# CONFIG_OMFS_FS is not set +# CONFIG_HPFS_FS is not set +# CONFIG_QNX4FS_FS is not set +# CONFIG_QNX6FS_FS is not set +# CONFIG_ROMFS_FS is not set +# CONFIG_PSTORE is not set +# CONFIG_SYSV_FS is not set +# CONFIG_UFS_FS is not set +CONFIG_NETWORK_FILESYSTEMS=y +# CONFIG_NFS_FS is not set +# CONFIG_NFSD is not set +# CONFIG_CEPH_FS is not set +# CONFIG_CIFS is not set +# CONFIG_NCP_FS is not set +# CONFIG_CODA_FS is not set +# CONFIG_AFS_FS is not set +CONFIG_9P_FS=y +CONFIG_9P_FS_POSIX_ACL=y +# CONFIG_9P_FS_SECURITY is not set +CONFIG_NLS=y +CONFIG_NLS_DEFAULT="iso8859-1" +# CONFIG_NLS_CODEPAGE_437 is not set +# CONFIG_NLS_CODEPAGE_737 is not set +# CONFIG_NLS_CODEPAGE_775 is not set +# CONFIG_NLS_CODEPAGE_850 is not set +# CONFIG_NLS_CODEPAGE_852 is not set +# CONFIG_NLS_CODEPAGE_855 is not set +# CONFIG_NLS_CODEPAGE_857 is not set +# CONFIG_NLS_CODEPAGE_860 is not set +# CONFIG_NLS_CODEPAGE_861 is not set +# CONFIG_NLS_CODEPAGE_862 is not set +# CONFIG_NLS_CODEPAGE_863 is not set +# CONFIG_NLS_CODEPAGE_864 is not set +# CONFIG_NLS_CODEPAGE_865 is not set +# CONFIG_NLS_CODEPAGE_866 is not set +# CONFIG_NLS_CODEPAGE_869 is not set +# CONFIG_NLS_CODEPAGE_936 is not set +# CONFIG_NLS_CODEPAGE_950 is not set +# CONFIG_NLS_CODEPAGE_932 is not set +# CONFIG_NLS_CODEPAGE_949 is not set +# CONFIG_NLS_CODEPAGE_874 is not set +# CONFIG_NLS_ISO8859_8 is not set +# CONFIG_NLS_CODEPAGE_1250 is not set +# CONFIG_NLS_CODEPAGE_1251 is not set +# CONFIG_NLS_ASCII is not set +# CONFIG_NLS_ISO8859_1 is not set +# CONFIG_NLS_ISO8859_2 is not set +# CONFIG_NLS_ISO8859_3 is not set +# CONFIG_NLS_ISO8859_4 is not set +# CONFIG_NLS_ISO8859_5 is not set +# CONFIG_NLS_ISO8859_6 is not set +# CONFIG_NLS_ISO8859_7 is not set +# CONFIG_NLS_ISO8859_9 is not set +# CONFIG_NLS_ISO8859_13 is not set +# CONFIG_NLS_ISO8859_14 is not set +# CONFIG_NLS_ISO8859_15 is not set +# CONFIG_NLS_KOI8_R is not set +# CONFIG_NLS_KOI8_U is not set +# CONFIG_NLS_MAC_ROMAN is not set +# CONFIG_NLS_MAC_CELTIC is not set +# CONFIG_NLS_MAC_CENTEURO is not set +# CONFIG_NLS_MAC_CROATIAN is not set +# CONFIG_NLS_MAC_CYRILLIC is not set +# CONFIG_NLS_MAC_GAELIC is not set +# CONFIG_NLS_MAC_GREEK is not set +# CONFIG_NLS_MAC_ICELAND is not set +# CONFIG_NLS_MAC_INUIT is not set +# CONFIG_NLS_MAC_ROMANIAN is not set +# CONFIG_NLS_MAC_TURKISH is not set +# CONFIG_NLS_UTF8 is not set + +# +# Kernel hacking +# +CONFIG_TRACE_IRQFLAGS_SUPPORT=y + +# +# printk and dmesg options +# +# CONFIG_PRINTK_TIME is not set +CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7 +CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4 +# CONFIG_BOOT_PRINTK_DELAY is not set + +# +# Compile-time checks and compiler options +# +CONFIG_DEBUG_INFO=y +# CONFIG_DEBUG_INFO_REDUCED is not set +# CONFIG_DEBUG_INFO_SPLIT is not set +# CONFIG_DEBUG_INFO_DWARF4 is not set +# CONFIG_GDB_SCRIPTS is not set +CONFIG_ENABLE_WARN_DEPRECATED=y +CONFIG_ENABLE_MUST_CHECK=y +CONFIG_FRAME_WARN=1024 +# CONFIG_STRIP_ASM_SYMS is not set +# CONFIG_READABLE_ASM is not set +# CONFIG_UNUSED_SYMBOLS is not set +# CONFIG_PAGE_OWNER is not set +# CONFIG_DEBUG_FS is not set +# CONFIG_HEADERS_CHECK is not set +# CONFIG_DEBUG_SECTION_MISMATCH is not set +CONFIG_SECTION_MISMATCH_WARN_ONLY=y +CONFIG_STACK_VALIDATION=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +# CONFIG_MAGIC_SYSRQ is not set +CONFIG_DEBUG_KERNEL=y + +# +# Memory Debugging +# +# CONFIG_PAGE_EXTENSION is not set +# CONFIG_DEBUG_PAGEALLOC is not set +# CONFIG_PAGE_POISONING is not set +CONFIG_DEBUG_RODATA_TEST=y +# CONFIG_DEBUG_OBJECTS is not set +# CONFIG_DEBUG_SLAB is not set +CONFIG_HAVE_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set +# CONFIG_DEBUG_STACK_USAGE is not set +# CONFIG_DEBUG_VM is not set +CONFIG_ARCH_HAS_DEBUG_VIRTUAL=y +# CONFIG_DEBUG_VIRTUAL is not set +CONFIG_DEBUG_MEMORY_INIT=y +CONFIG_HAVE_DEBUG_STACKOVERFLOW=y +# CONFIG_DEBUG_STACKOVERFLOW is not set +CONFIG_HAVE_ARCH_KASAN=y +# CONFIG_KASAN is not set +CONFIG_ARCH_HAS_KCOV=y +# CONFIG_KCOV is not set +# CONFIG_DEBUG_SHIRQ is not set + +# +# Debug Lockups and Hangs +# +# CONFIG_SOFTLOCKUP_DETECTOR is not set +CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y +# CONFIG_HARDLOCKUP_DETECTOR is not set +CONFIG_DETECT_HUNG_TASK=y +CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 +# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set +CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0 +# CONFIG_WQ_WATCHDOG is not set +# CONFIG_PANIC_ON_OOPS is not set +CONFIG_PANIC_ON_OOPS_VALUE=0 +CONFIG_PANIC_TIMEOUT=0 +# CONFIG_SCHED_DEBUG is not set +# CONFIG_SCHED_INFO is not set +# CONFIG_SCHEDSTATS is not set +# CONFIG_SCHED_STACK_END_CHECK is not set +# CONFIG_DEBUG_TIMEKEEPING is not set + +# +# Lock Debugging (spinlocks, mutexes, etc...) +# +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_DEBUG_ATOMIC_SLEEP is not set +# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set +# CONFIG_LOCK_TORTURE_TEST is not set +# CONFIG_WW_MUTEX_SELFTEST is not set +# CONFIG_STACKTRACE is not set +# CONFIG_WARN_ALL_UNSEEDED_RANDOM is not set +# CONFIG_DEBUG_KOBJECT is not set +CONFIG_DEBUG_BUGVERBOSE=y +# CONFIG_DEBUG_LIST is not set +# CONFIG_DEBUG_PI_LIST is not set +# CONFIG_DEBUG_SG is not set +# CONFIG_DEBUG_NOTIFIERS is not set +# CONFIG_DEBUG_CREDENTIALS is not set + +# +# RCU Debugging +# +# CONFIG_PROVE_RCU is not set +# CONFIG_TORTURE_TEST is not set +# CONFIG_RCU_PERF_TEST is not set +# CONFIG_RCU_TORTURE_TEST is not set +# CONFIG_RCU_TRACE is not set +# CONFIG_RCU_EQS_DEBUG is not set +# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set +# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set +# CONFIG_NOTIFIER_ERROR_INJECTION is not set +# CONFIG_FAULT_INJECTION is not set +# CONFIG_LATENCYTOP is not set +CONFIG_USER_STACKTRACE_SUPPORT=y +CONFIG_HAVE_FUNCTION_TRACER=y +CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y +CONFIG_HAVE_DYNAMIC_FTRACE=y +CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y +CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y +CONFIG_HAVE_SYSCALL_TRACEPOINTS=y +CONFIG_HAVE_FENTRY=y +CONFIG_HAVE_C_RECORDMCOUNT=y +CONFIG_TRACING_SUPPORT=y +CONFIG_FTRACE=y +# CONFIG_FUNCTION_TRACER is not set +# CONFIG_IRQSOFF_TRACER is not set +# CONFIG_SCHED_TRACER is not set +# CONFIG_HWLAT_TRACER is not set +# CONFIG_ENABLE_DEFAULT_TRACERS is not set +# CONFIG_FTRACE_SYSCALLS is not set +# CONFIG_TRACER_SNAPSHOT is not set +CONFIG_BRANCH_PROFILE_NONE=y +# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set +# CONFIG_PROFILE_ALL_BRANCHES is not set +# CONFIG_STACK_TRACER is not set +# CONFIG_BLK_DEV_IO_TRACE is not set +# CONFIG_UPROBE_EVENTS is not set +# CONFIG_PROBE_EVENTS is not set +# CONFIG_MMIOTRACE is not set +# CONFIG_HIST_TRIGGERS is not set +# CONFIG_TRACEPOINT_BENCHMARK is not set +# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set +# CONFIG_DMA_API_DEBUG is not set + +# +# Runtime Testing +# +# CONFIG_TEST_LIST_SORT is not set +# CONFIG_TEST_SORT is not set +# CONFIG_BACKTRACE_SELF_TEST is not set +# CONFIG_RBTREE_TEST is not set +# CONFIG_INTERVAL_TREE_TEST is not set +# CONFIG_ATOMIC64_SELFTEST is not set +# CONFIG_TEST_HEXDUMP is not set +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_TEST_KSTRTOX is not set +# CONFIG_TEST_PRINTF is not set +# CONFIG_TEST_BITMAP is not set +# CONFIG_TEST_UUID is not set +# CONFIG_TEST_RHASHTABLE is not set +# CONFIG_TEST_HASH is not set +# CONFIG_TEST_FIND_BIT is not set +# CONFIG_TEST_FIRMWARE is not set +# CONFIG_TEST_SYSCTL is not set +# CONFIG_TEST_UDELAY is not set +# CONFIG_MEMTEST is not set +# CONFIG_BUG_ON_DATA_CORRUPTION is not set +# CONFIG_SAMPLES is not set +CONFIG_HAVE_ARCH_KGDB=y +# CONFIG_KGDB is not set +CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y +# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set +# CONFIG_UBSAN is not set +CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y +# CONFIG_STRICT_DEVMEM is not set +CONFIG_X86_VERBOSE_BOOTUP=y +CONFIG_EARLY_PRINTK=y +# CONFIG_EARLY_PRINTK_DBGP is not set +# CONFIG_EARLY_PRINTK_USB_XDBC is not set +# CONFIG_X86_PTDUMP_CORE is not set +# CONFIG_X86_PTDUMP is not set +# CONFIG_DEBUG_WX is not set +CONFIG_DOUBLEFAULT=y +# CONFIG_DEBUG_TLBFLUSH is not set +# CONFIG_IOMMU_DEBUG is not set +# CONFIG_IOMMU_STRESS is not set +CONFIG_HAVE_MMIOTRACE_SUPPORT=y +CONFIG_IO_DELAY_TYPE_0X80=0 +CONFIG_IO_DELAY_TYPE_0XED=1 +CONFIG_IO_DELAY_TYPE_UDELAY=2 +CONFIG_IO_DELAY_TYPE_NONE=3 +CONFIG_IO_DELAY_0X80=y +# CONFIG_IO_DELAY_0XED is not set +# CONFIG_IO_DELAY_UDELAY is not set +# CONFIG_IO_DELAY_NONE is not set +CONFIG_DEFAULT_IO_DELAY_TYPE=0 +# CONFIG_CPA_DEBUG is not set +# CONFIG_OPTIMIZE_INLINING is not set +# CONFIG_DEBUG_ENTRY is not set +# CONFIG_DEBUG_NMI_SELFTEST is not set +CONFIG_X86_DEBUG_FPU=y +# CONFIG_PUNIT_ATOM_DEBUG is not set +CONFIG_UNWINDER_ORC=y +# CONFIG_UNWINDER_FRAME_POINTER is not set + +# +# Security options +# +CONFIG_KEYS=y +# CONFIG_PERSISTENT_KEYRINGS is not set +# CONFIG_BIG_KEYS is not set +# CONFIG_ENCRYPTED_KEYS is not set +# CONFIG_KEY_DH_OPERATIONS is not set +# CONFIG_SECURITY_DMESG_RESTRICT is not set +# CONFIG_SECURITY is not set +# CONFIG_SECURITYFS is not set +CONFIG_PAGE_TABLE_ISOLATION=y +CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y +# CONFIG_HARDENED_USERCOPY is not set +# CONFIG_FORTIFY_SOURCE is not set +# CONFIG_STATIC_USERMODEHELPER is not set +CONFIG_DEFAULT_SECURITY_DAC=y +CONFIG_DEFAULT_SECURITY="" +CONFIG_CRYPTO=y + +# +# Crypto core or helper +# +CONFIG_CRYPTO_ALGAPI=y +CONFIG_CRYPTO_ALGAPI2=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_BLKCIPHER=y +CONFIG_CRYPTO_BLKCIPHER2=y +CONFIG_CRYPTO_HASH=y +CONFIG_CRYPTO_HASH2=y +CONFIG_CRYPTO_RNG=y +CONFIG_CRYPTO_RNG2=y +CONFIG_CRYPTO_RNG_DEFAULT=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_AKCIPHER=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=y +CONFIG_CRYPTO_ACOMP2=y +CONFIG_CRYPTO_RSA=y +CONFIG_CRYPTO_DH=y +CONFIG_CRYPTO_ECDH=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y +CONFIG_CRYPTO_GF128MUL=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_WORKQUEUE=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_MCRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_ABLK_HELPER=y +CONFIG_CRYPTO_SIMD=y +CONFIG_CRYPTO_GLUE_HELPER_X86=y + +# +# Authenticated Encryption with Associated Data +# +CONFIG_CRYPTO_CCM=y +CONFIG_CRYPTO_GCM=y +CONFIG_CRYPTO_CHACHA20POLY1305=y +CONFIG_CRYPTO_SEQIV=y +CONFIG_CRYPTO_ECHAINIV=y + +# +# Block modes +# +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_CTR=y +# CONFIG_CRYPTO_CTS is not set +CONFIG_CRYPTO_ECB=y +CONFIG_CRYPTO_LRW=y +CONFIG_CRYPTO_PCBC=y +CONFIG_CRYPTO_XTS=y +# CONFIG_CRYPTO_KEYWRAP is not set + +# +# Hash modes +# +CONFIG_CRYPTO_CMAC=y +CONFIG_CRYPTO_HMAC=y +CONFIG_CRYPTO_XCBC=y +# CONFIG_CRYPTO_VMAC is not set + +# +# Digest +# +CONFIG_CRYPTO_CRC32C=y +# CONFIG_CRYPTO_CRC32C_INTEL is not set +# CONFIG_CRYPTO_CRC32 is not set +# CONFIG_CRYPTO_CRC32_PCLMUL is not set +# CONFIG_CRYPTO_CRCT10DIF is not set +CONFIG_CRYPTO_GHASH=y +CONFIG_CRYPTO_POLY1305=y +CONFIG_CRYPTO_POLY1305_X86_64=y +CONFIG_CRYPTO_MD4=y +CONFIG_CRYPTO_MD5=y +CONFIG_CRYPTO_MICHAEL_MIC=y +CONFIG_CRYPTO_RMD128=y +CONFIG_CRYPTO_RMD160=y +CONFIG_CRYPTO_RMD256=y +CONFIG_CRYPTO_RMD320=y +CONFIG_CRYPTO_SHA1=y +# CONFIG_CRYPTO_SHA1_SSSE3 is not set +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_SHA512_SSSE3=y +# CONFIG_CRYPTO_SHA1_MB is not set +CONFIG_CRYPTO_SHA256_MB=y +CONFIG_CRYPTO_SHA512_MB=y +CONFIG_CRYPTO_SHA256=y +CONFIG_CRYPTO_SHA512=y +CONFIG_CRYPTO_SHA3=y +CONFIG_CRYPTO_SM3=y +CONFIG_CRYPTO_TGR192=y +CONFIG_CRYPTO_WP512=y +# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set + +# +# Ciphers +# +CONFIG_CRYPTO_AES=y +# CONFIG_CRYPTO_AES_TI is not set +CONFIG_CRYPTO_AES_X86_64=y +CONFIG_CRYPTO_AES_NI_INTEL=y +CONFIG_CRYPTO_ANUBIS=y +CONFIG_CRYPTO_ARC4=y +CONFIG_CRYPTO_BLOWFISH=y +CONFIG_CRYPTO_BLOWFISH_COMMON=y +CONFIG_CRYPTO_BLOWFISH_X86_64=y +CONFIG_CRYPTO_CAMELLIA=y +CONFIG_CRYPTO_CAMELLIA_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y +CONFIG_CRYPTO_CAST_COMMON=y +CONFIG_CRYPTO_CAST5=y +CONFIG_CRYPTO_CAST5_AVX_X86_64=y +CONFIG_CRYPTO_CAST6=y +CONFIG_CRYPTO_CAST6_AVX_X86_64=y +CONFIG_CRYPTO_DES=y +# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set +CONFIG_CRYPTO_FCRYPT=y +CONFIG_CRYPTO_KHAZAD=y +CONFIG_CRYPTO_SALSA20=y +CONFIG_CRYPTO_SALSA20_X86_64=y +CONFIG_CRYPTO_CHACHA20=y +CONFIG_CRYPTO_CHACHA20_X86_64=y +CONFIG_CRYPTO_SEED=y +CONFIG_CRYPTO_SERPENT=y +CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX_X86_64=y +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y +CONFIG_CRYPTO_TEA=y +CONFIG_CRYPTO_TWOFISH=y +CONFIG_CRYPTO_TWOFISH_COMMON=y +CONFIG_CRYPTO_TWOFISH_X86_64=y +CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y +CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y + +# +# Compression +# +CONFIG_CRYPTO_DEFLATE=y +CONFIG_CRYPTO_LZO=y +CONFIG_CRYPTO_842=y +CONFIG_CRYPTO_LZ4=y +CONFIG_CRYPTO_LZ4HC=y + +# +# Random Number Generation +# +# CONFIG_CRYPTO_ANSI_CPRNG is not set +CONFIG_CRYPTO_DRBG_MENU=y +CONFIG_CRYPTO_DRBG_HMAC=y +CONFIG_CRYPTO_DRBG_HASH=y +CONFIG_CRYPTO_DRBG_CTR=y +CONFIG_CRYPTO_DRBG=y +CONFIG_CRYPTO_JITTERENTROPY=y +CONFIG_CRYPTO_USER_API=y +CONFIG_CRYPTO_USER_API_HASH=y +CONFIG_CRYPTO_USER_API_SKCIPHER=y +# CONFIG_CRYPTO_USER_API_RNG is not set +CONFIG_CRYPTO_USER_API_AEAD=y +CONFIG_CRYPTO_HASH_INFO=y +# CONFIG_CRYPTO_HW is not set +CONFIG_ASYMMETRIC_KEY_TYPE=y +CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y +CONFIG_X509_CERTIFICATE_PARSER=y +CONFIG_PKCS7_MESSAGE_PARSER=y +# CONFIG_PKCS7_TEST_KEY is not set +# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set + +# +# Certificates for signature checking +# +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_TRUSTED_KEYS="" +# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set +# CONFIG_SECONDARY_TRUSTED_KEYRING is not set +# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set +CONFIG_HAVE_KVM=y +CONFIG_VIRTUALIZATION=y +# CONFIG_KVM is not set +# CONFIG_VHOST_NET is not set +# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set +# CONFIG_BINARY_PRINTF is not set + +# +# Library routines +# +CONFIG_BITREVERSE=y +# CONFIG_HAVE_ARCH_BITREVERSE is not set +CONFIG_RATIONAL=y +CONFIG_GENERIC_STRNCPY_FROM_USER=y +CONFIG_GENERIC_STRNLEN_USER=y +CONFIG_GENERIC_NET_UTILS=y +CONFIG_GENERIC_FIND_FIRST_BIT=y +CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_GENERIC_IOMAP=y +CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y +CONFIG_ARCH_HAS_FAST_MULTIPLIER=y +CONFIG_CRC_CCITT=y +CONFIG_CRC16=y +# CONFIG_CRC_T10DIF is not set +CONFIG_CRC_ITU_T=y +CONFIG_CRC32=y +# CONFIG_CRC32_SELFTEST is not set +CONFIG_CRC32_SLICEBY8=y +# CONFIG_CRC32_SLICEBY4 is not set +# CONFIG_CRC32_SARWATE is not set +# CONFIG_CRC32_BIT is not set +# CONFIG_CRC4 is not set +CONFIG_CRC7=y +CONFIG_LIBCRC32C=y +# CONFIG_CRC8 is not set +# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set +# CONFIG_RANDOM32_SELFTEST is not set +CONFIG_842_COMPRESS=y +CONFIG_842_DECOMPRESS=y +CONFIG_ZLIB_INFLATE=y +CONFIG_ZLIB_DEFLATE=y +CONFIG_LZO_COMPRESS=y +CONFIG_LZO_DECOMPRESS=y +CONFIG_LZ4_COMPRESS=y +CONFIG_LZ4HC_COMPRESS=y +CONFIG_LZ4_DECOMPRESS=y +# CONFIG_XZ_DEC is not set +# CONFIG_XZ_DEC_BCJ is not set +CONFIG_TEXTSEARCH=y +CONFIG_TEXTSEARCH_KMP=y +CONFIG_TEXTSEARCH_BM=y +CONFIG_TEXTSEARCH_FSM=y +CONFIG_ASSOCIATIVE_ARRAY=y +CONFIG_HAS_IOMEM=y +CONFIG_HAS_IOPORT_MAP=y +CONFIG_HAS_DMA=y +# CONFIG_DMA_NOOP_OPS is not set +# CONFIG_DMA_VIRT_OPS is not set +CONFIG_DQL=y +CONFIG_NLATTR=y +CONFIG_CLZ_TAB=y +# CONFIG_CORDIC is not set +# CONFIG_DDR is not set +# CONFIG_IRQ_POLL is not set +CONFIG_MPILIB=y +CONFIG_OID_REGISTRY=y +# CONFIG_SG_SPLIT is not set +# CONFIG_SG_POOL is not set +CONFIG_ARCH_HAS_SG_CHAIN=y +CONFIG_ARCH_HAS_PMEM_API=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y +CONFIG_SBITMAP=y +# CONFIG_STRING_SELFTEST is not set diff --git a/testing/do-tests b/testing/do-tests index 38999ea61..641529533 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -776,8 +776,10 @@ do do eval HOSTLOGIN=root@\$ipv4_${host} IPSECSTATE=`ssh $SSHCONF $HOSTLOGIN 'ip xfrm state'` + # ignore IPv4/v6 states created with IPComp SAs + IPSECSTATEISSUE=`echo "$IPSECSTATE" | grep 'proto.*spi' | grep -v 'proto 4'` IPSECPOLICY=`ssh $SSHCONF $HOSTLOGIN 'ip xfrm policy'` - if [ -n "$IPSECSTATE" -o -n "$IPSECPOLICY" ] + if [ -n "$IPSECSTATEISSUE" -o -n "$IPSECPOLICY" ] then echo -e "\n$host# ip xfrm state [NO]" >> $CONSOLE_LOG echo "$IPSECSTATE" >> $CONSOLE_LOG diff --git a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf index 6f5f3011c..68438a656 100644 --- a/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf +++ b/testing/hosts/winnetou/etc/apache2/conf-enabled/testresults-as-text.conf @@ -1 +1,4 @@ -AddType text/plain .iptables .log .sql +AddType text/plain .conf .log .sql .users +AddType text/plain .secrets .listall .statusall +AddType text/plain .conns .certs .sas .pools .authorities .stats +AddType text/plain .policy .state .route .iptables .iptables-save diff --git a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text index 6f5f3011c..68438a656 100644 --- a/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text +++ b/testing/hosts/winnetou/etc/apache2/conf.d/testresults-as-text @@ -1 +1,4 @@ -AddType text/plain .iptables .log .sql +AddType text/plain .conf .log .sql .users +AddType text/plain .secrets .listall .statusall +AddType text/plain .conns .certs .sas .pools .authorities .stats +AddType text/plain .policy .state .route .iptables .iptables-save diff --git a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf index c73872d15..260171cfd 100644 --- a/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/duck/openssl.cnf @@ -3,7 +3,7 @@ # # This definitions were set by the ca_init script DO NOT change -# them manualy. +# them manually. CAHOME = /etc/openssl/duck RANDFILE = $CAHOME/.rand diff --git a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf index 0e29dcf79..d31752e30 100644 --- a/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/ecdsa/openssl.cnf @@ -3,7 +3,7 @@ # # This definitions were set by the ca_init script DO NOT change -# them manualy. +# them manually. CAHOME = /etc/openssl/ecdsa RANDFILE = $CAHOME/.rand diff --git a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf index 77474c129..5985b5650 100644 --- a/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/monster/openssl.cnf @@ -3,7 +3,7 @@ # # This definitions were set by the ca_init script DO NOT change -# them manualy. +# them manually. CAHOME = /etc/openssl/monster RANDFILE = $CAHOME/.rand diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf index 3939efc98..9078b2043 100644 --- a/testing/hosts/winnetou/etc/openssl/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf @@ -3,7 +3,7 @@ # # This definitions were set by the ca_init script DO NOT change -# them manualy. +# them manually. CAHOME = /etc/openssl RANDFILE = $CAHOME/.rand diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf index 6ccf3c2f8..7099413f0 100644 --- a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf @@ -3,7 +3,7 @@ # # This definitions were set by the ca_init script DO NOT change -# them manualy. +# them manually. CAHOME = /etc/openssl/research RANDFILE = $CAHOME/.rand diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf index e8a0a2ee7..12da734aa 100644 --- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf @@ -3,7 +3,7 @@ # # This definitions were set by the ca_init script DO NOT change -# them manualy. +# them manually. CAHOME = /etc/openssl/rfc3779 RANDFILE = $CAHOME/.rand diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf index 8511c5452..f3ec7e168 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf +++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf @@ -3,7 +3,7 @@ # # This definitions were set by the ca_init script DO NOT change -# them manualy. +# them manually. CAHOME = /etc/openssl/sales RANDFILE = $CAHOME/.rand diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh index 9a32c44ab..c512b8add 100755 --- a/testing/scripts/function.sh +++ b/testing/scripts/function.sh @@ -50,7 +50,7 @@ execute() # $1 - command to execute execute_chroot() { - execute "chroot $LOOPDIR $@" + execute "chroot $LOOPDIR env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin $@" } # write green status message to console diff --git a/testing/scripts/recipes/005_anet.mk b/testing/scripts/recipes/005_anet.mk index b02d63094..a6af5df5c 100644 --- a/testing/scripts/recipes/005_anet.mk +++ b/testing/scripts/recipes/005_anet.mk @@ -2,7 +2,7 @@ PKG = anet SRC = http://git.codelabs.ch/git/$(PKG).git -REV = v0.3.1 +REV = c9bdee807f2fcd2b6ec2ad8fe4c814e1abb71358 PREFIX = /usr/local/ada diff --git a/testing/scripts/recipes/006_tkm-rpc.mk b/testing/scripts/recipes/006_tkm-rpc.mk index 5c98123d6..5f2e207c8 100644 --- a/testing/scripts/recipes/006_tkm-rpc.mk +++ b/testing/scripts/recipes/006_tkm-rpc.mk @@ -2,7 +2,7 @@ PKG = tkm-rpc SRC = http://git.codelabs.ch/git/$(PKG).git -REV = v0.2 +REV = 9a70e4f88e054d7a2a8fd35245e147880bce4809 PREFIX = /usr/local/ada diff --git a/testing/scripts/recipes/010_tkm.mk b/testing/scripts/recipes/010_tkm.mk index 8799d424d..03ee5b526 100644 --- a/testing/scripts/recipes/010_tkm.mk +++ b/testing/scripts/recipes/010_tkm.mk @@ -2,7 +2,7 @@ PKG = tkm SRC = http://git.codelabs.ch/git/$(PKG).git -REV = v0.1.3 +REV = 53d224a7312124516aa6220743355c896be6345a export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index 80f779c7d..52462d077 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -104,7 +104,9 @@ CONFIG_OPTS = \ --enable-bliss \ --enable-sha3 \ --enable-newhope \ - --enable-systemd + --enable-systemd \ + --enable-counters \ + --enable-save-keys export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/scripts/recipes/patches/freeradius-tnc-fhh b/testing/scripts/recipes/patches/freeradius-tnc-fhh index 26a233d48..6460c86a3 100644 --- a/testing/scripts/recipes/patches/freeradius-tnc-fhh +++ b/testing/scripts/recipes/patches/freeradius-tnc-fhh @@ -5363,7 +5363,7 @@ diff -u -r -N freeradius-server-2.2.0.orig/src/modules/rlm_eap/types/rlm_eap_tnc -#define VLAN_ACCESS 2 -/* - **** -- * EAP - MD5 doesnot specify code, id & length but chap specifies them, +- * EAP - MD5 does not specify code, id & length but chap specifies them, - * for generalization purpose, complete header should be sent - * and not just value_size, value and name. - * future implementation. diff --git a/testing/testing.conf b/testing/testing.conf index e33fb4fc9..595fd9667 100644 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -24,14 +24,14 @@ fi : ${TESTDIR=/srv/strongswan-testing} # Kernel configuration -: ${KERNELVERSION=4.10.17} +: ${KERNELVERSION=4.15} : ${KERNEL=linux-$KERNELVERSION} : ${KERNELTARBALL=$KERNEL.tar.xz} -: ${KERNELCONFIG=$DIR/../config/kernel/config-4.10} -: ${KERNELPATCH=ha-4.4-abicompat.patch.bz2} +: ${KERNELCONFIG=$DIR/../config/kernel/config-4.15} +: ${KERNELPATCH=ha-4.14-abicompat.patch.bz2} # strongSwan version used in tests -: ${SWANVERSION=5.6.1} +: ${SWANVERSION=5.6.2} # Build directory where the guest kernel and images will be built : ${BUILDDIR=$TESTDIR/build} diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/description.txt b/testing/tests/ikev2/mobike-virtual-ip-nat/description.txt new file mode 100644 index 000000000..6f1837c86 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/description.txt @@ -0,0 +1,9 @@ +The roadwarrior <b>alice</b> is sitting behind the NAT router <b>moon</b> but +at the outset of the scenariou is also directly connected to the 192.168.0.0/24 network +via an additional <b>eth1</b> interface. <b>alice</b> builds up a tunnel to gateway <b>sun</b> +in order to reach <b>bob</b> in the subnet behind. When the <b>eth1</b> interface +goes away, <b>alice</b> switches to <b>eth0</b> and signals the IP address change +via a MOBIKE ADDRESS_UPDATE notification to peer <b>sun</b>. Later the interface +comes back up again and because the best path is preferred (charon.prefer_best_path) +there is another switch to the directly connected path. <b>alice</b> sets +a virtual IP of 10.3.0.3, so that the IPsec policies don't have to be changed. diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip-nat/evaltest.dat new file mode 100644 index 000000000..46df60041 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/evaltest.dat @@ -0,0 +1,31 @@ +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES +alice::ipsec status 2> /dev/null::mobike.*INSTALLED.*ESP SPIs::YES +sun:: ipsec status 2> /dev/null::mobike.*INSTALLED.*ESP SPIs::YES +alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +alice::ifdown eth1::No output expected::NO +alice::sleep 1::No output expected::NO +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES +alice::ipsec status 2> /dev/null::mobike.*INSTALLED.*ESP in UDP SPIs::YES +sun:: ipsec status 2> /dev/null::mobike.*INSTALLED.*ESP in UDP SPIs::YES +alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +alice::ifup eth1::No output expected::NO +alice::sleep 1::No output expected::NO +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES +alice::ipsec status 2> /dev/null::mobike.*INSTALLED.*ESP SPIs::YES +sun:: ipsec status 2> /dev/null::mobike.*INSTALLED.*ESP SPIs::YES +alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES +sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES +sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES +moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES +moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: ESP.*seq=0x2::YES +bob::tcpdump::10.3.0.3.*bob.strongswan.org.*ICMP echo request::3 +bob::tcpdump::bob.strongswan.org.*10.3.0.3.*ICMP echo reply::3 diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..6039e5f46 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn mobike + leftsourceip=%config + leftcert=aliceCert.pem + leftid=alice@strongswan.org + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..450e7cef6 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/iptables.rules @@ -0,0 +1,42 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow traffic on lo as ifup/ifdown call bind's rndc which accesses TCP 953 +-A OUTPUT -o lo -j ACCEPT +-A INPUT -i lo -j ACCEPT + +# allow IPsec tunnel traffic +-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..bd51a50bb --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/alice/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default + prefer_best_path = yes + + syslog { + daemon { + knl = 2 + } + } +} diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..e187f9569 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn mobike + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + right=%any + rightsourceip=10.3.0.3 + rightid=alice@strongswan.org + auto=add diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..929b1b247 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IPsec tunnel traffic +-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..9241d28d6 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default + + syslog { + daemon { + knl = 2 + } + } +} diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip-nat/posttest.dat new file mode 100644 index 000000000..0adb75555 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/posttest.dat @@ -0,0 +1,6 @@ +alice::ipsec stop +sun::ipsec stop +alice::ifdown eth1 +alice::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables -t nat -F diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip-nat/pretest.dat new file mode 100644 index 000000000..ece8912b9 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/pretest.dat @@ -0,0 +1,10 @@ +alice::ifup eth1 +alice::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::ipsec start +sun::ipsec start +alice::expect-connection mobike +sun::expect-connection mobike +alice::ipsec up mobike diff --git a/testing/tests/ikev2/mobike-virtual-ip-nat/test.conf b/testing/tests/ikev2/mobike-virtual-ip-nat/test.conf new file mode 100644 index 000000000..70c64c503 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip-nat/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="bob moon sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt index 6860700db..f823455a4 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt @@ -6,4 +6,4 @@ against the gateway <b>moon</b>. The user credentials of <b>carol</b> and <b>dave</b> are kept both on the local clients and the RADIUS server <b>alice</b>. <b>carol</b> possesses the RADIUS class attribute <b>Research</b> and therefore obtains access to the <b>research</b> subnet behind gateway <b>moon</b> whereas <b>dave</b> -belongs to the class <b>Accounting</b> and has access to the <b>acccess</b> subnet. +belongs to the class <b>Accounting</b> and has access to the <b>access</b> subnet. diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat index 849da7c61..591e2da59 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/evaltest.dat @@ -1,5 +1,5 @@ alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES -moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] -sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16] +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES +sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=1 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat index 40ae8524a..2ee553a61 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/evaltest.dat @@ -1,4 +1,4 @@ alice::ping6 -c 1 -p deadbeef ip6-bob.strongswan.org::64 bytes from ip6-bob.strongswan.org: icmp_seq=1::YES -moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16] +moon::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec2:\:/16]::YES sun::swanctl --list-sas --raw 2> /dev/null::net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec2:\:/16] remote-ts=\[fec1:\:/16]sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat index 78488871f..026235171 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/evaltest.dat @@ -1,9 +1,9 @@ carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] -dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16] -moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] -moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat index d0f2bac96..dd120f524 100644 --- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat +++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/evaltest.dat @@ -1,9 +1,9 @@ carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES -carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16] -dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16] -moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128] -moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128] +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/libipsec/host2host-cert/evaltest.dat b/testing/tests/libipsec/host2host-cert/evaltest.dat index f482c558a..eb65da374 100644 --- a/testing/tests/libipsec/host2host-cert/evaltest.dat +++ b/testing/tests/libipsec/host2host-cert/evaltest.dat @@ -1,5 +1,5 @@ moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES -moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32] -sun::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32] +moon::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES +sun::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat index 36c0ee781..41723ae92 100644 --- a/testing/tests/libipsec/net2net-3des/evaltest.dat +++ b/testing/tests/libipsec/net2net-3des/evaltest.dat @@ -1,5 +1,5 @@ alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES -sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat index 5364c1e82..2771251ff 100644 --- a/testing/tests/libipsec/net2net-cert/evaltest.dat +++ b/testing/tests/libipsec/net2net-cert/evaltest.dat @@ -1,5 +1,5 @@ alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES moon:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES -sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES] +sun::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/route-based/net2net-gre/description.txt b/testing/tests/route-based/net2net-gre/description.txt new file mode 100644 index 000000000..422f935ad --- /dev/null +++ b/testing/tests/route-based/net2net-gre/description.txt @@ -0,0 +1,12 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> +is set up using GRE interfaces. +<p/> +The gateways use <b>route-based forwarding</b> with <b>GRE tunnels</b>, with +firewall rules to allow traffic to pass. The IPsec traffic selector is limited +to the GRE protocol, specific routing is achieved with routes on the GRE +interfaces. The IKE daemon is configured to not install routes with +<em>charon.install_routes=0</em>, and static routes are installed for the +target subnets on the VTI interfaces. +<p/> +Client <b>alice</b> behind gateway <b>moon</b> pings client <b>bob</b> located +behind gateway <b>sun</b>. diff --git a/testing/tests/route-based/net2net-gre/evaltest.dat b/testing/tests/route-based/net2net-gre/evaltest.dat new file mode 100644 index 000000000..ba9945833 --- /dev/null +++ b/testing/tests/route-based/net2net-gre/evaltest.dat @@ -0,0 +1,5 @@ +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*child-sas.*gre.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*local-ts=\[PH_IP_MOON/32\[gre]] remote-ts=\[PH_IP_SUN/32\[gre]]::YES +sun:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org.*child-sas.*gre.*reqid=1 state=INSTALLED mode=TRANSPORT.*ESP.*local-ts=\[PH_IP_SUN/32\[gre]] remote-ts=\[PH_IP_MOON/32\[gre]]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/route-based/net2net-gre/hosts/moon/etc/strongswan.conf b/testing/tests/route-based/net2net-gre/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..136dbe84f --- /dev/null +++ b/testing/tests/route-based/net2net-gre/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} + +charon { + install_routes = 0 +} diff --git a/testing/tests/route-based/net2net-gre/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-gre/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b2c3af7e6 --- /dev/null +++ b/testing/tests/route-based/net2net-gre/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = PH_IP_MOON + remote_addrs = PH_IP_SUN + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + gre { + local_ts = dynamic[gre] + remote_ts = dynamic[gre] + mode = transport + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/net2net-gre/hosts/sun/etc/strongswan.conf b/testing/tests/route-based/net2net-gre/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..136dbe84f --- /dev/null +++ b/testing/tests/route-based/net2net-gre/hosts/sun/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} + +charon { + install_routes = 0 +} diff --git a/testing/tests/route-based/net2net-gre/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-gre/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..d19d37311 --- /dev/null +++ b/testing/tests/route-based/net2net-gre/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + gre { + local_ts = dynamic[gre] + remote_ts = dynamic[gre] + mode = transport + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/net2net-gre/posttest.dat b/testing/tests/route-based/net2net-gre/posttest.dat new file mode 100644 index 000000000..4007d2c64 --- /dev/null +++ b/testing/tests/route-based/net2net-gre/posttest.dat @@ -0,0 +1,7 @@ +moon::swanctl --terminate --ike gw-gw +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip tunnel del gre-moon +sun::ip tunnel del gre-sun diff --git a/testing/tests/route-based/net2net-gre/pretest.dat b/testing/tests/route-based/net2net-gre/pretest.dat new file mode 100644 index 000000000..213845221 --- /dev/null +++ b/testing/tests/route-based/net2net-gre/pretest.dat @@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ip tunnel add gre-moon local PH_IP_MOON remote PH_IP_SUN mode gre key 42 +moon::ip link set gre-moon up +moon::ip route add 10.2.0.0/16 dev gre-moon +moon::iptables -A FORWARD -i gre-moon -j ACCEPT +moon::iptables -A FORWARD -o gre-moon -j ACCEPT +sun::ip tunnel add gre-sun local PH_IP_SUN remote PH_IP_MOON mode gre key 42 +sun::ip link set gre-sun up +sun::ip route add 10.1.0.0/16 dev gre-sun +sun::iptables -A FORWARD -i gre-sun -j ACCEPT +sun::iptables -A FORWARD -o gre-sun -j ACCEPT +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child gre diff --git a/testing/tests/route-based/net2net-gre/test.conf b/testing/tests/route-based/net2net-gre/test.conf new file mode 100644 index 000000000..87abc763b --- /dev/null +++ b/testing/tests/route-based/net2net-gre/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/route-based/net2net-vti/description.txt b/testing/tests/route-based/net2net-vti/description.txt new file mode 100644 index 000000000..fc35caf6f --- /dev/null +++ b/testing/tests/route-based/net2net-vti/description.txt @@ -0,0 +1,12 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> +is set up using VTI interfaces. +<p/> +The gateways use <b>route-based forwarding</b> with <b>VTI tunnels</b>, with +firewall rules to allow traffic to pass. The IPsec traffic selector used is +0.0.0.0/0, however specific routing is achieved with routes on the VTI +interfaces. The IKE daemon is configured to not install routes with +<em>charon.install_routes=0</em>, and static routes are installed for the +target subnets on the VTI interfaces. +<p/> +Client <b>alice</b> behind gateway <b>moon</b> pings client <b>bob</b> located +behind gateway <b>sun</b>. diff --git a/testing/tests/route-based/net2net-vti/evaltest.dat b/testing/tests/route-based/net2net-vti/evaltest.dat new file mode 100644 index 000000000..0bf5cdb5a --- /dev/null +++ b/testing/tests/route-based/net2net-vti/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=4500 remote-id=sun.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[0.0.0.0/0] remote-ts=\[0.0.0.0/0]::YES +sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=4500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[0.0.0.0/0] remote-ts=\[0.0.0.0/0]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/route-based/net2net-vti/hosts/moon/etc/strongswan.conf b/testing/tests/route-based/net2net-vti/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..136dbe84f --- /dev/null +++ b/testing/tests/route-based/net2net-vti/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} + +charon { + install_routes = 0 +} diff --git a/testing/tests/route-based/net2net-vti/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-vti/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e8beec307 --- /dev/null +++ b/testing/tests/route-based/net2net-vti/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = PH_IP_MOON + remote_addrs = PH_IP_SUN + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 0.0.0.0/0 + remote_ts = 0.0.0.0/0 + mark_in = 42 + mark_out = 42 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/net2net-vti/hosts/sun/etc/strongswan.conf b/testing/tests/route-based/net2net-vti/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..136dbe84f --- /dev/null +++ b/testing/tests/route-based/net2net-vti/hosts/sun/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} + +charon { + install_routes = 0 +} diff --git a/testing/tests/route-based/net2net-vti/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/route-based/net2net-vti/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..df213159f --- /dev/null +++ b/testing/tests/route-based/net2net-vti/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + gw-gw { + local_addrs = PH_IP_SUN + remote_addrs = PH_IP_MOON + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 0.0.0.0/0 + remote_ts = 0.0.0.0/0 + mark_in = 1337 + mark_out = 1337 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/net2net-vti/posttest.dat b/testing/tests/route-based/net2net-vti/posttest.dat new file mode 100644 index 000000000..47b3dff06 --- /dev/null +++ b/testing/tests/route-based/net2net-vti/posttest.dat @@ -0,0 +1,7 @@ +moon::swanctl --terminate --ike gw-gw +moon::systemctl stop strongswan-swanctl +sun::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::ip tunnel del vti-moon +sun::ip tunnel del vti-sun diff --git a/testing/tests/route-based/net2net-vti/pretest.dat b/testing/tests/route-based/net2net-vti/pretest.dat new file mode 100644 index 000000000..24b285edb --- /dev/null +++ b/testing/tests/route-based/net2net-vti/pretest.dat @@ -0,0 +1,19 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ip tunnel add vti-moon local PH_IP_MOON remote PH_IP_SUN mode vti key 42 +moon::sysctl -w net.ipv4.conf.vti-moon.disable_policy=1 +moon::ip link set vti-moon up +moon::ip route add 10.2.0.0/16 dev vti-moon +moon::iptables -A FORWARD -i vti-moon -j ACCEPT +moon::iptables -A FORWARD -o vti-moon -j ACCEPT +sun::ip tunnel add vti-sun local PH_IP_SUN remote PH_IP_MOON mode vti key 1337 +sun::sysctl -w net.ipv4.conf.vti-sun.disable_policy=1 +sun::ip link set vti-sun up +sun::ip route add 10.1.0.0/16 dev vti-sun +sun::iptables -A FORWARD -i vti-sun -j ACCEPT +sun::iptables -A FORWARD -o vti-sun -j ACCEPT +moon::systemctl start strongswan-swanctl +sun::systemctl start strongswan-swanctl +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net diff --git a/testing/tests/route-based/net2net-vti/test.conf b/testing/tests/route-based/net2net-vti/test.conf new file mode 100644 index 000000000..87abc763b --- /dev/null +++ b/testing/tests/route-based/net2net-vti/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/description.txt b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/description.txt new file mode 100644 index 000000000..305e491f0 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/description.txt @@ -0,0 +1,11 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6-in-IPv4 connection each to +gateway <b>moon</b>. Both <b>carol</b> and <b>dave</b> request an IPv6 <b>virtual +IP</b> via the IKEv2 configuration payload. +<p/> +The gateway <b>moon</b> uses <b>route-based forwarding</b> with <b>VTI +tunnels</b>, with firewall rules to allow traffic to pass. The IKE daemon is +configured to not install routes with <em>charon.install_routes=0</em>, and a +static route is installed for the IPv6 virtual IP subnet on the VTI device. +<p/> +Both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the +gateway <b>moon</b>. diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat new file mode 100644 index 000000000..6e427b265 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/evaltest.dat @@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*local-vips=\[fec3:\:1] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec3:\:1/128] remote-ts=\[fec1:\:/16]::YES +dave::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*local-vips=\[fec3:\:2] child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec3:\:2/128] remote-ts=\[fec1:\:/16]::YES +moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*remote-vips=\[fec3:\:1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:1/128]::YES +moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*remote-vips=\[fec3:\:2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP.*local-ts=\[fec1:\:/16] remote-ts=\[fec3:\:2/128]::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave:: ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/ip6tables.rules b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/strongswan.conf b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..514013ee6 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = PH_IP_CAROL + remote_addrs = PH_IP_MOON + vips = :: + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/ip6tables.rules b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/strongswan.conf b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..439310569 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = PH_IP_DAVE + remote_addrs = PH_IP_MOON + vips = :: + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = fec1::/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/ip6tables.rules b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/ip6tables.rules new file mode 100644 index 000000000..409f2e9bb --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/ip6tables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow ICMPv6 neighbor-solicitations +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + +# allow ICMPv6 neighbor-advertisements +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT +-A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/strongswan.conf b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..136dbe84f --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} + +charon { + install_routes = 0 +} diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..c4d236aa6 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = PH_IP_MOON + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = fec1::/16 + mark_in = 42 + mark_out = 42 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = fec3::/120 + } +} diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/posttest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/posttest.dat new file mode 100644 index 000000000..2b17600b8 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/posttest.dat @@ -0,0 +1,13 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip6tables-restore < /etc/iptables.flush +carol::ip6tables-restore < /etc/iptables.flush +dave::ip6tables-restore < /etc/iptables.flush +moon::ip tunnel del vti0 +alice::"ip route del fec3:\:/16 via fec1:\:1" diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/pretest.dat b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/pretest.dat new file mode 100644 index 000000000..2380dc0f3 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/pretest.dat @@ -0,0 +1,21 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ip6tables-restore < /etc/ip6tables.rules +carol::ip6tables-restore < /etc/ip6tables.rules +dave::ip6tables-restore < /etc/ip6tables.rules +alice::"ip route add fec3:\:/16 via fec1:\:1" +moon::ip tunnel add vti0 local PH_IP_MOON remote 0.0.0.0 mode vti key 42 +moon::sysctl -w net.ipv4.conf.vti0.disable_policy=1 +moon::ip link set vti0 up +moon::"ip route add fec3:\:/16 dev vti0" +moon::ip6tables -A FORWARD -i vti0 -j ACCEPT +moon::ip6tables -A FORWARD -o vti0 -j ACCEPT +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home +dave::expect-connection home +dave::swanctl --initiate --child home diff --git a/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/test.conf b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/test.conf new file mode 100644 index 000000000..0f02a1a11 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti-ip6-in-ip4/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# IP protocol used by IPsec is IPv6 +# +IPV6=1 + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/route-based/rw-shared-vti/description.txt b/testing/tests/route-based/rw-shared-vti/description.txt new file mode 100644 index 000000000..fa11b2df5 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/description.txt @@ -0,0 +1,12 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to +gateway <b>moon</b>. Both <b>carol</b> and <b>dave</b> request a <b>virtual +IP</b> via the IKEv2 configuration payload. +<p/> +The gateway <b>moon</b> uses <b>route-based forwarding</b> with <b>VTI +tunnels</b>, with firewall rules to allow traffic to pass. The IKE daemon is +configured to not install routes with <em>charon.install_routes=0</em>, and a +static route is installed for the virtual IP subnet on the VTI device. +<p/> +Both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the +gateway <b>moon</b>. The source IP addresses of the two pings will be the +virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/route-based/rw-shared-vti/evaltest.dat b/testing/tests/route-based/rw-shared-vti/evaltest.dat new file mode 100644 index 000000000..f69310314 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/evaltest.dat @@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_CAROL local-port=4500 local-id=carol@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=PH_IP_DAVE local-port=4500 local-id=dave@strongswan.org remote-host=PH_IP_MOON remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_CAROL remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=4500 local-id=moon.strongswan.org remote-host=PH_IP_DAVE remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/strongswan.conf b/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..15e80d2aa --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = PH_IP_CAROL + remote_addrs = PH_IP_MOON + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/strongswan.conf b/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..ad4c18e43 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5b14d36ef --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = PH_IP_DAVE + remote_addrs = PH_IP_MOON + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/strongswan.conf b/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..136dbe84f --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown +} + +charon { + install_routes = 0 +} diff --git a/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..b0efaf9c1 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = PH_IP_MOON + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + mark_in = 42 + mark_out = 42 + + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +pools { + rw_pool { + addrs = 10.3.0.0/28 + } +} diff --git a/testing/tests/route-based/rw-shared-vti/posttest.dat b/testing/tests/route-based/rw-shared-vti/posttest.dat new file mode 100644 index 000000000..31d75642a --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/posttest.dat @@ -0,0 +1,9 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +moon::systemctl stop strongswan-swanctl +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::ip tunnel del vti0 diff --git a/testing/tests/route-based/rw-shared-vti/pretest.dat b/testing/tests/route-based/rw-shared-vti/pretest.dat new file mode 100644 index 000000000..a7afeeb35 --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/pretest.dat @@ -0,0 +1,17 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ip tunnel add vti0 local PH_IP_MOON remote 0.0.0.0 mode vti key 42 +moon::sysctl -w net.ipv4.conf.vti0.disable_policy=1 +moon::ip link set vti0 up +moon::ip route add 10.3.0.0/28 dev vti0 +moon::iptables -A FORWARD -i vti0 -j ACCEPT +moon::iptables -A FORWARD -o vti0 -j ACCEPT +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home +dave::expect-connection home +dave::swanctl --initiate --child home diff --git a/testing/tests/route-based/rw-shared-vti/test.conf b/testing/tests/route-based/rw-shared-vti/test.conf new file mode 100644 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/route-based/rw-shared-vti/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat index 2e3fe8f76..d7669ef41 100644 --- a/testing/tests/sql/ip-pool-db-restart/evaltest.dat +++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat @@ -12,7 +12,7 @@ moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired existing lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat index 0f55c040f..d5f30c40a 100644 --- a/testing/tests/sql/ip-pool-db/evaltest.dat +++ b/testing/tests/sql/ip-pool-db/evaltest.dat @@ -21,7 +21,7 @@ moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES moon:: cat /var/log/daemon.log::assigning virtual IP::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES moon:: ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES moon:: ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.0.6.*static.*2::YES diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat index b77707035..b605bef2b 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat +++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat @@ -11,4 +11,4 @@ moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .* moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.1.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.1.1] child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.1.1/32]::YES diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat index b003091a5..9f43b6c37 100644 --- a/testing/tests/sql/multi-level-ca/evaltest.dat +++ b/testing/tests/sql/multi-level-ca/evaltest.dat @@ -11,7 +11,7 @@ moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat index 2d8b95659..2efde556d 100644 --- a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat +++ b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat @@ -6,8 +6,7 @@ alice::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[1 venus::swanctl --list-pols --raw 2> /dev/null::local-net.*mode=PASS local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice@strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.1/32] remote-ts=\[0.0.0.0/0]::YES venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.3.0.2/32] remote-ts=\[0.0.0.0/0]::YES -sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 - local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES +sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice@strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.1/32]::YES sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[0.0.0.0/0] remote-ts=\[10.3.0.2/32]::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat index 3827b655b..de62af271 100755 --- a/testing/tests/swanctl/config-payload/evaltest.dat +++ b/testing/tests/swanctl/config-payload/evaltest.dat @@ -1,7 +1,7 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES diff --git a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat index 7b88c6df9..aa62bcec4 100644 --- a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat +++ b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat @@ -4,8 +4,8 @@ alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_.eq=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts=\[10.1.0.0/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32] +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.50/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.1.0.51/32]::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat index 93983d8d3..130a0b918 100755 --- a/testing/tests/swanctl/ip-pool-db/evaltest.dat +++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat @@ -1,7 +1,7 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol@strongswan.org::YES moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave@strongswan.org::YES moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat index 0be5dcffb..51ac523b8 100755 --- a/testing/tests/swanctl/ip-pool/evaltest.dat +++ b/testing/tests/swanctl/ip-pool/evaltest.dat @@ -1,7 +1,7 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32] +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol@strongswan.org status=online::YES moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave@strongswan.org status=online::YES diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat index 1a34a9248..8a8a95f7e 100755 --- a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat +++ b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat @@ -1,7 +1,7 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat index 3eacc397d..3804e0712 100755 --- a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat +++ b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat @@ -6,8 +6,8 @@ alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::NO venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::NO carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_4096.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE25519.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_4096.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32] +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_4096.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat index c4d46e706..11a3f6b06 100755 --- a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat +++ b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat @@ -1,7 +1,7 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES -moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32] -moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32] +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES |