diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-03-30 08:31:24 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2008-03-30 08:31:24 +0000 |
commit | 1c088a8b6237ec67f63c23f97a0f2dc4e99af869 (patch) | |
tree | 7fff7c8329d19bbaa910312e746a116f28fbfaf5 | |
parent | bcc8f7ca7fd8e8ff6e8a4d579251458313133598 (diff) | |
download | vyos-strongswan-1c088a8b6237ec67f63c23f97a0f2dc4e99af869.tar.gz vyos-strongswan-1c088a8b6237ec67f63c23f97a0f2dc4e99af869.zip |
[svn-upgrade] Integrating new upstream version, strongswan (4.1.11)
82 files changed, 3309 insertions, 992 deletions
diff --git a/Makefile.in b/Makefile.in index 039896cb9..d78ac62ad 100644 --- a/Makefile.in +++ b/Makefile.in @@ -187,11 +187,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ @@ -1,3 +1,18 @@ +strongswan-4.1.11 +----------------- + +- IKE rekeying in NAT situations did not inherit the NAT conditions + to the rekeyed IKE_SA so that the UDP encapsulation was lost with + the next CHILD_SA rekeying. + +- Wrong type definition of the next_payload variable in id_payload.c + caused an INVALID_SYNTAX error on PowerPC platforms. + +- Implemented IKEv2 EAP-SIM server and client test modules that use + triplets stored in a file. For details on the configuration see + the scenario 'ikev2/rw-eap-sim-rsa'. + + strongswan-4.1.10 ----------------- @@ -18,6 +33,7 @@ strongswan-4.1.10 interface to EAP modules has been slightly changed, so make sure to check the changes if you're already rolling your own modules. + strongswan-4.1.9 ---------------- @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.61 for strongSwan 4.1.10. +# Generated by GNU Autoconf 2.61 for strongSwan 4.1.11. # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, # 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. @@ -726,8 +726,8 @@ SHELL=${CONFIG_SHELL-/bin/sh} # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='4.1.10' -PACKAGE_STRING='strongSwan 4.1.10' +PACKAGE_VERSION='4.1.11' +PACKAGE_STRING='strongSwan 4.1.11' PACKAGE_BUGREPORT='' # Factoring default headers for most tests. @@ -845,11 +845,13 @@ CPP GREP EGREP confdir -ipsecdir piddir +ipsecdir +plugindir eapdir backenddir interfacedir +simreader linuxdir LINUX_HEADERS IPSEC_ROUTING_TABLE @@ -1473,7 +1475,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 4.1.10 to adapt to many kinds of systems. +\`configure' configures strongSwan 4.1.11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1543,7 +1545,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 4.1.10:";; + short | recursive ) echo "Configuration of strongSwan 4.1.11:";; esac cat <<\_ACEOF @@ -1616,19 +1618,21 @@ Optional Packages: --with-urandom-device=dev set the device for pseudo random data other than "/dev/urandom" - --with-ipsecdir=dir installation path for ipsec tools other than - "libexecdir/ipsec" --with-piddir=dir path for PID and UNIX socket files other than "/var/run" + --with-ipsecdir=dir installation path for ipsec tools other than + "libexecdir/ipsec" + --with-plugindir=dir installation path for plugins other than + "ipsecdir/plugins" --with-eapdir=dir path for pluggable EAP modules other than - "ipsecdir/plugins/eap" + "plugindir/eap" --with-backenddir=dir path for pluggable configuration backend modules - other than "ipsecdir/plugins/backends" + other than "plugindir/backends" --with-interfacedir=dir path for pluggable control interface modules other - than "ipsecdir/plugins/interfaces" + than "plugindir/interfaces" --with-sim-reader=library.so - library containing the sim_run_alg() function for - EAP-SIM + library containing the + sim_run_alg()/sim_get_triplet() function for EAP-SIM --with-linux-headers=dir use the linux header files in dir instead of the supplied ones in "src/include" @@ -1733,7 +1737,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 4.1.10 +strongSwan configure 4.1.11 generated by GNU Autoconf 2.61 Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -1747,7 +1751,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 4.1.10, which was +It was created by strongSwan $as_me 4.1.11, which was generated by GNU Autoconf 2.61. Invocation command line was $ $0 $@ @@ -2437,7 +2441,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='4.1.10' + VERSION='4.1.11' cat >>confdefs.h <<_ACEOF @@ -4705,6 +4709,18 @@ fi +# Check whether --with-piddir was given. +if test "${with_piddir+set}" = set; then + withval=$with_piddir; piddir="$withval" + +else + piddir="/var/run" + + +fi + + + # Check whether --with-ipsecdir was given. if test "${with_ipsecdir+set}" = set; then withval=$with_ipsecdir; ipsecdir="$withval" @@ -4717,12 +4733,12 @@ fi -# Check whether --with-piddir was given. -if test "${with_piddir+set}" = set; then - withval=$with_piddir; piddir="$withval" +# Check whether --with-plugindir was given. +if test "${with_plugindir+set}" = set; then + withval=$with_plugindir; plugindir="$withval" else - piddir="/var/run" + plugindir="${ipsecdir}/plugins" fi @@ -4734,7 +4750,7 @@ if test "${with_eapdir+set}" = set; then withval=$with_eapdir; eapdir="$withval" else - eapdir="${ipsecdir}/plugins/eap" + eapdir="${plugindir}/eap" fi @@ -4746,7 +4762,7 @@ if test "${with_backenddir+set}" = set; then withval=$with_backenddir; backenddir="$withval" else - backenddir="${ipsecdir}/plugins/backends" + backenddir="${plugindir}/backends" fi @@ -4758,7 +4774,7 @@ if test "${with_interfacedir+set}" = set; then withval=$with_interfacedir; interfacedir="$withval" else - interfacedir="${ipsecdir}/plugins/interfaces" + interfacedir="${plugindir}/interfaces" fi @@ -4767,9 +4783,10 @@ fi # Check whether --with-sim-reader was given. if test "${with_sim_reader+set}" = set; then - withval=$with_sim_reader; cat >>confdefs.h <<_ACEOF -#define SIM_READER_LIB "$withval" -_ACEOF + withval=$with_sim_reader; simreader="$withval" + +else + simreader="${plugindir}/libcharon-eapsim-file.so" fi @@ -6083,7 +6100,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 6086 "configure"' > conftest.$ac_ext + echo '#line 6103 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8404,11 +8421,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8407: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8424: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8411: \$? = $ac_status" >&5 + echo "$as_me:8428: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8694,11 +8711,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8697: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8714: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8701: \$? = $ac_status" >&5 + echo "$as_me:8718: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8798,11 +8815,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8801: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8818: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8805: \$? = $ac_status" >&5 + echo "$as_me:8822: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -11156,7 +11173,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 11159 "configure" +#line 11176 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -11256,7 +11273,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 11259 "configure" +#line 11276 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13671,11 +13688,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13674: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13691: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13678: \$? = $ac_status" >&5 + echo "$as_me:13695: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -13775,11 +13792,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13778: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13795: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13782: \$? = $ac_status" >&5 + echo "$as_me:13799: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -15349,11 +15366,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15352: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15369: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15356: \$? = $ac_status" >&5 + echo "$as_me:15373: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -15453,11 +15470,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15456: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15473: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:15460: \$? = $ac_status" >&5 + echo "$as_me:15477: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -17648,11 +17665,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17651: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17668: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17655: \$? = $ac_status" >&5 + echo "$as_me:17672: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -17938,11 +17955,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:17941: $lt_compile\"" >&5) + (eval echo "\"\$as_me:17958: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:17945: \$? = $ac_status" >&5 + echo "$as_me:17962: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -18042,11 +18059,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:18045: $lt_compile\"" >&5) + (eval echo "\"\$as_me:18062: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:18049: \$? = $ac_status" >&5 + echo "$as_me:18066: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -23571,7 +23588,7 @@ exec 6>&1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 4.1.10, which was +This file was extended by strongSwan $as_me 4.1.11, which was generated by GNU Autoconf 2.61. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -23618,7 +23635,7 @@ Report bugs to <bug-autoconf@gnu.org>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF ac_cs_version="\\ -strongSwan config.status 4.1.10 +strongSwan config.status 4.1.11 configured by $0, generated by GNU Autoconf 2.61, with options \\"`echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" @@ -23884,11 +23901,13 @@ CPP!$CPP$ac_delim GREP!$GREP$ac_delim EGREP!$EGREP$ac_delim confdir!$confdir$ac_delim -ipsecdir!$ipsecdir$ac_delim piddir!$piddir$ac_delim +ipsecdir!$ipsecdir$ac_delim +plugindir!$plugindir$ac_delim eapdir!$eapdir$ac_delim backenddir!$backenddir$ac_delim interfacedir!$interfacedir$ac_delim +simreader!$simreader$ac_delim linuxdir!$linuxdir$ac_delim LINUX_HEADERS!$LINUX_HEADERS$ac_delim IPSEC_ROUTING_TABLE!$IPSEC_ROUTING_TABLE$ac_delim @@ -23900,8 +23919,6 @@ USE_LIBCURL_FALSE!$USE_LIBCURL_FALSE$ac_delim USE_LIBLDAP_TRUE!$USE_LIBLDAP_TRUE$ac_delim USE_LIBLDAP_FALSE!$USE_LIBLDAP_FALSE$ac_delim USE_STROKE_TRUE!$USE_STROKE_TRUE$ac_delim -USE_STROKE_FALSE!$USE_STROKE_FALSE$ac_delim -USE_LIBDBUS_TRUE!$USE_LIBDBUS_TRUE$ac_delim _ACEOF if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then @@ -23943,6 +23960,8 @@ _ACEOF ac_delim='%!_!# ' for ac_last_try in false false false false false :; do cat >conf$$subs.sed <<_ACEOF +USE_STROKE_FALSE!$USE_STROKE_FALSE$ac_delim +USE_LIBDBUS_TRUE!$USE_LIBDBUS_TRUE$ac_delim USE_LIBDBUS_FALSE!$USE_LIBDBUS_FALSE$ac_delim USE_LIBXML_TRUE!$USE_LIBXML_TRUE$ac_delim USE_LIBXML_FALSE!$USE_LIBXML_FALSE$ac_delim @@ -24030,7 +24049,7 @@ LIBOBJS!$LIBOBJS$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim _ACEOF - if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 85; then + if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 87; then break elif $ac_last_try; then { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 diff --git a/configure.in b/configure.in index 4b0b0ed56..39623eba0 100644 --- a/configure.in +++ b/configure.in @@ -16,7 +16,7 @@ dnl =========================== dnl initialize & set some vars dnl =========================== -AC_INIT(strongSwan,4.1.10) +AC_INIT(strongSwan,4.1.11) AM_INIT_AUTOMAKE(tar-ustar) AC_C_BIGENDIAN AC_SUBST(confdir, '${sysconfdir}') @@ -60,6 +60,13 @@ AC_ARG_WITH( ) AC_ARG_WITH( + [piddir], + AS_HELP_STRING([--with-piddir=dir],[path for PID and UNIX socket files other than "/var/run"]), + [AC_SUBST(piddir, "$withval")], + [AC_SUBST(piddir, "/var/run")] +) + +AC_ARG_WITH( [ipsecdir], AS_HELP_STRING([--with-ipsecdir=dir],[installation path for ipsec tools other than "libexecdir/ipsec"]), [AC_SUBST(ipsecdir, "$withval")], @@ -67,37 +74,38 @@ AC_ARG_WITH( ) AC_ARG_WITH( - [piddir], - AS_HELP_STRING([--with-piddir=dir],[path for PID and UNIX socket files other than "/var/run"]), - [AC_SUBST(piddir, "$withval")], - [AC_SUBST(piddir, "/var/run")] + [plugindir], + AS_HELP_STRING([--with-plugindir=dir],[installation path for plugins other than "ipsecdir/plugins"]), + [AC_SUBST(plugindir, "$withval")], + [AC_SUBST(plugindir, "${ipsecdir}/plugins")] ) AC_ARG_WITH( [eapdir], - AS_HELP_STRING([--with-eapdir=dir],[path for pluggable EAP modules other than "ipsecdir/plugins/eap"]), + AS_HELP_STRING([--with-eapdir=dir],[path for pluggable EAP modules other than "plugindir/eap"]), [AC_SUBST(eapdir, "$withval")], - [AC_SUBST(eapdir, "${ipsecdir}/plugins/eap")] + [AC_SUBST(eapdir, "${plugindir}/eap")] ) AC_ARG_WITH( [backenddir], - AS_HELP_STRING([--with-backenddir=dir],[path for pluggable configuration backend modules other than "ipsecdir/plugins/backends"]), + AS_HELP_STRING([--with-backenddir=dir],[path for pluggable configuration backend modules other than "plugindir/backends"]), [AC_SUBST(backenddir, "$withval")], - [AC_SUBST(backenddir, "${ipsecdir}/plugins/backends")] + [AC_SUBST(backenddir, "${plugindir}/backends")] ) AC_ARG_WITH( [interfacedir], - AS_HELP_STRING([--with-interfacedir=dir],[path for pluggable control interface modules other than "ipsecdir/plugins/interfaces"]), + AS_HELP_STRING([--with-interfacedir=dir],[path for pluggable control interface modules other than "plugindir/interfaces"]), [AC_SUBST(interfacedir, "$withval")], - [AC_SUBST(interfacedir, "${ipsecdir}/plugins/interfaces")] + [AC_SUBST(interfacedir, "${plugindir}/interfaces")] ) AC_ARG_WITH( [sim-reader], - AS_HELP_STRING([--with-sim-reader=library.so],[library containing the sim_run_alg() function for EAP-SIM]), - [AC_DEFINE_UNQUOTED(SIM_READER_LIB, "$withval")] + AS_HELP_STRING([--with-sim-reader=library.so],[library containing the sim_run_alg()/sim_get_triplet() function for EAP-SIM]), + [AC_SUBST(simreader, "$withval")], + [AC_SUBST(simreader, "${plugindir}/libcharon-eapsim-file.so")] ) AC_ARG_WITH( diff --git a/src/Makefile.in b/src/Makefile.in index f2e6dcefe..17fc6f746 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -183,11 +183,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 6516a22fa..84ac628e6 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -186,11 +186,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index 52f1109e5..4579ace58 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -168,11 +168,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index e30555c1b..c205632dd 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -168,11 +168,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index 9111191b6..1d7022336 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -104,7 +104,8 @@ endif INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ - -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\" + -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\" \ + -DSIM_READER_LIB=\"${simreader}\" charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lgmp -lpthread -lm -ldl if USE_LIBCURL @@ -126,6 +127,10 @@ if USE_EAP_SIM eap_LTLIBRARIES += libcharon-eapsim.la libcharon_eapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c libcharon_eapsim_la_LDFLAGS = -module + + plugin_LTLIBRARIES = libcharon-eapsim-file.la + libcharon_eapsim_file_la_SOURCES = sa/authenticators/eap/sim/eap_sim_file.c + libcharon_eapsim_file_la_LDFLAGS = -module endif if USE_EAP_MD5 diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index bbae1270a..41f1690e2 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -72,12 +72,14 @@ am__vpath_adj = case $$p in \ esac; am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; am__installdirs = "$(DESTDIR)$(backenddir)" "$(DESTDIR)$(eapdir)" \ - "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(ipsecdir)" + "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(plugindir)" \ + "$(DESTDIR)$(ipsecdir)" backendLTLIBRARIES_INSTALL = $(INSTALL) eapLTLIBRARIES_INSTALL = $(INSTALL) interfaceLTLIBRARIES_INSTALL = $(INSTALL) +pluginLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(backend_LTLIBRARIES) $(eap_LTLIBRARIES) \ - $(interface_LTLIBRARIES) + $(interface_LTLIBRARIES) $(plugin_LTLIBRARIES) am__DEPENDENCIES_1 = @USE_LIBDBUS_TRUE@libcharon_dbus_la_DEPENDENCIES = \ @USE_LIBDBUS_TRUE@ $(am__DEPENDENCIES_1) @@ -123,6 +125,18 @@ libcharon_eapmd5_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(libcharon_eapmd5_la_LDFLAGS) $(LDFLAGS) -o $@ @USE_EAP_MD5_TRUE@am_libcharon_eapmd5_la_rpath = -rpath $(eapdir) +libcharon_eapsim_file_la_LIBADD = +am__libcharon_eapsim_file_la_SOURCES_DIST = \ + sa/authenticators/eap/sim/eap_sim_file.c +@USE_EAP_SIM_TRUE@am_libcharon_eapsim_file_la_OBJECTS = \ +@USE_EAP_SIM_TRUE@ eap_sim_file.lo +libcharon_eapsim_file_la_OBJECTS = \ + $(am_libcharon_eapsim_file_la_OBJECTS) +libcharon_eapsim_file_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libcharon_eapsim_file_la_LDFLAGS) $(LDFLAGS) -o $@ +@USE_EAP_SIM_TRUE@am_libcharon_eapsim_file_la_rpath = -rpath \ +@USE_EAP_SIM_TRUE@ $(plugindir) libcharon_eapsim_la_LIBADD = am__libcharon_eapsim_la_SOURCES_DIST = \ sa/authenticators/eap/eap_sim.h \ @@ -349,14 +363,16 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(libcharon_dbus_la_SOURCES) $(libcharon_eapaka_la_SOURCES) \ $(libcharon_eapidentity_la_SOURCES) \ - $(libcharon_eapmd5_la_SOURCES) $(libcharon_eapsim_la_SOURCES) \ - $(libcharon_local_la_SOURCES) $(libcharon_sqlite_la_SOURCES) \ - $(libcharon_stroke_la_SOURCES) $(libcharon_xml_la_SOURCES) \ - $(charon_SOURCES) + $(libcharon_eapmd5_la_SOURCES) \ + $(libcharon_eapsim_file_la_SOURCES) \ + $(libcharon_eapsim_la_SOURCES) $(libcharon_local_la_SOURCES) \ + $(libcharon_sqlite_la_SOURCES) $(libcharon_stroke_la_SOURCES) \ + $(libcharon_xml_la_SOURCES) $(charon_SOURCES) DIST_SOURCES = $(am__libcharon_dbus_la_SOURCES_DIST) \ $(am__libcharon_eapaka_la_SOURCES_DIST) \ $(am__libcharon_eapidentity_la_SOURCES_DIST) \ $(am__libcharon_eapmd5_la_SOURCES_DIST) \ + $(am__libcharon_eapsim_file_la_SOURCES_DIST) \ $(am__libcharon_eapsim_la_SOURCES_DIST) \ $(am__libcharon_local_la_SOURCES_DIST) \ $(am__libcharon_sqlite_la_SOURCES_DIST) \ @@ -484,11 +500,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ @@ -601,7 +619,8 @@ INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke \ $(am__append_13) $(am__append_15) AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ - -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\" + -DIPSEC_EAPDIR=\"${eapdir}\" -DIPSEC_BACKENDDIR=\"${backenddir}\" -DIPSEC_INTERFACEDIR=\"${interfacedir}\" \ + -DSIM_READER_LIB=\"${simreader}\" charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ -lgmp -lpthread -lm -ldl $(am__append_4) @@ -614,6 +633,9 @@ eap_LTLIBRARIES = $(am__append_5) $(am__append_6) $(am__append_7) \ @USE_EAP_IDENTITY_TRUE@libcharon_eapidentity_la_LDFLAGS = -module @USE_EAP_SIM_TRUE@libcharon_eapsim_la_SOURCES = sa/authenticators/eap/eap_sim.h sa/authenticators/eap/eap_sim.c @USE_EAP_SIM_TRUE@libcharon_eapsim_la_LDFLAGS = -module +@USE_EAP_SIM_TRUE@plugin_LTLIBRARIES = libcharon-eapsim-file.la +@USE_EAP_SIM_TRUE@libcharon_eapsim_file_la_SOURCES = sa/authenticators/eap/sim/eap_sim_file.c +@USE_EAP_SIM_TRUE@libcharon_eapsim_file_la_LDFLAGS = -module @USE_EAP_MD5_TRUE@libcharon_eapmd5_la_SOURCES = sa/authenticators/eap/eap_md5.h sa/authenticators/eap/eap_md5.c @USE_EAP_MD5_TRUE@libcharon_eapmd5_la_LDFLAGS = -module @USE_EAP_AKA_TRUE@libcharon_eapaka_la_SOURCES = sa/authenticators/eap/eap_aka.h sa/authenticators/eap/eap_aka.c @@ -754,6 +776,33 @@ clean-interfaceLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \ + else :; fi; \ + done + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \ + $(LIBTOOL) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done libcharon-dbus.la: $(libcharon_dbus_la_OBJECTS) $(libcharon_dbus_la_DEPENDENCIES) $(libcharon_dbus_la_LINK) $(am_libcharon_dbus_la_rpath) $(libcharon_dbus_la_OBJECTS) $(libcharon_dbus_la_LIBADD) $(LIBS) libcharon-eapaka.la: $(libcharon_eapaka_la_OBJECTS) $(libcharon_eapaka_la_DEPENDENCIES) @@ -762,6 +811,8 @@ libcharon-eapidentity.la: $(libcharon_eapidentity_la_OBJECTS) $(libcharon_eapide $(libcharon_eapidentity_la_LINK) $(am_libcharon_eapidentity_la_rpath) $(libcharon_eapidentity_la_OBJECTS) $(libcharon_eapidentity_la_LIBADD) $(LIBS) libcharon-eapmd5.la: $(libcharon_eapmd5_la_OBJECTS) $(libcharon_eapmd5_la_DEPENDENCIES) $(libcharon_eapmd5_la_LINK) $(am_libcharon_eapmd5_la_rpath) $(libcharon_eapmd5_la_OBJECTS) $(libcharon_eapmd5_la_LIBADD) $(LIBS) +libcharon-eapsim-file.la: $(libcharon_eapsim_file_la_OBJECTS) $(libcharon_eapsim_file_la_DEPENDENCIES) + $(libcharon_eapsim_file_la_LINK) $(am_libcharon_eapsim_file_la_rpath) $(libcharon_eapsim_file_la_OBJECTS) $(libcharon_eapsim_file_la_LIBADD) $(LIBS) libcharon-eapsim.la: $(libcharon_eapsim_la_OBJECTS) $(libcharon_eapsim_la_DEPENDENCIES) $(libcharon_eapsim_la_LINK) $(am_libcharon_eapsim_la_rpath) $(libcharon_eapsim_la_OBJECTS) $(libcharon_eapsim_la_LIBADD) $(LIBS) libcharon-local.la: $(libcharon_local_la_OBJECTS) $(libcharon_local_la_DEPENDENCIES) @@ -838,6 +889,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_method.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_sim_file.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encodings.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/encryption_payload.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/endpoint_notify.Po@am__quote@ @@ -957,6 +1009,13 @@ eap_md5.lo: sa/authenticators/eap/eap_md5.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_md5.lo `test -f 'sa/authenticators/eap/eap_md5.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_md5.c +eap_sim_file.lo: sa/authenticators/eap/sim/eap_sim_file.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_sim_file.lo -MD -MP -MF $(DEPDIR)/eap_sim_file.Tpo -c -o eap_sim_file.lo `test -f 'sa/authenticators/eap/sim/eap_sim_file.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim/eap_sim_file.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/eap_sim_file.Tpo $(DEPDIR)/eap_sim_file.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/authenticators/eap/sim/eap_sim_file.c' object='eap_sim_file.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o eap_sim_file.lo `test -f 'sa/authenticators/eap/sim/eap_sim_file.c' || echo '$(srcdir)/'`sa/authenticators/eap/sim/eap_sim_file.c + eap_sim.lo: sa/authenticators/eap/eap_sim.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT eap_sim.lo -MD -MP -MF $(DEPDIR)/eap_sim.Tpo -c -o eap_sim.lo `test -f 'sa/authenticators/eap/eap_sim.c' || echo '$(srcdir)/'`sa/authenticators/eap/eap_sim.c @am__fastdepCC_TRUE@ mv -f $(DEPDIR)/eap_sim.Tpo $(DEPDIR)/eap_sim.Plo @@ -2294,7 +2353,7 @@ check-am: all-am check: check-am all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) installdirs: - for dir in "$(DESTDIR)$(backenddir)" "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(ipsecdir)"; do \ + for dir in "$(DESTDIR)$(backenddir)" "$(DESTDIR)$(eapdir)" "$(DESTDIR)$(interfacedir)" "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -2325,7 +2384,7 @@ clean: clean-am clean-am: clean-backendLTLIBRARIES clean-eapLTLIBRARIES clean-generic \ clean-interfaceLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \ - mostlyclean-am + clean-pluginLTLIBRARIES mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) @@ -2344,7 +2403,8 @@ info: info-am info-am: install-data-am: install-backendLTLIBRARIES install-eapLTLIBRARIES \ - install-interfaceLTLIBRARIES install-ipsecPROGRAMS + install-interfaceLTLIBRARIES install-ipsecPROGRAMS \ + install-pluginLTLIBRARIES install-dvi: install-dvi-am @@ -2381,28 +2441,30 @@ ps: ps-am ps-am: uninstall-am: uninstall-backendLTLIBRARIES uninstall-eapLTLIBRARIES \ - uninstall-interfaceLTLIBRARIES uninstall-ipsecPROGRAMS + uninstall-interfaceLTLIBRARIES uninstall-ipsecPROGRAMS \ + uninstall-pluginLTLIBRARIES .MAKE: install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-am clean \ clean-backendLTLIBRARIES clean-eapLTLIBRARIES clean-generic \ clean-interfaceLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \ - ctags distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am \ + clean-pluginLTLIBRARIES ctags distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ install-backendLTLIBRARIES install-data install-data-am \ install-dvi install-dvi-am install-eapLTLIBRARIES install-exec \ install-exec-am install-html install-html-am install-info \ install-info-am install-interfaceLTLIBRARIES \ install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-compile \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-backendLTLIBRARIES \ - uninstall-eapLTLIBRARIES uninstall-interfaceLTLIBRARIES \ - uninstall-ipsecPROGRAMS + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-backendLTLIBRARIES uninstall-eapLTLIBRARIES \ + uninstall-interfaceLTLIBRARIES uninstall-ipsecPROGRAMS \ + uninstall-pluginLTLIBRARIES # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/charon/control/interface_manager.c b/src/charon/control/interface_manager.c index c14903c7d..4d5aa2ea6 100644 --- a/src/charon/control/interface_manager.c +++ b/src/charon/control/interface_manager.c @@ -171,14 +171,11 @@ static bool initiate_listener(interface_bus_listener_t *this, signal_t signal, static status_t initiate_execute(interface_job_t *job) { ike_sa_t *ike_sa; - ike_cfg_t *ike_cfg; interface_bus_listener_t *listener = &job->listener; peer_cfg_t *peer_cfg = listener->peer_cfg; - ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); - ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager, - ike_cfg->get_my_host(ike_cfg), ike_cfg->get_other_host(ike_cfg), - peer_cfg->get_my_id(peer_cfg), peer_cfg->get_other_id(peer_cfg)); + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + peer_cfg); listener->ike_sa = ike_sa; if (ike_sa->get_peer_cfg(ike_sa) == NULL) @@ -435,15 +432,11 @@ static bool route_listener(interface_bus_listener_t *this, signal_t signal, static status_t route_execute(interface_job_t *job) { ike_sa_t *ike_sa; - ike_cfg_t *ike_cfg; interface_bus_listener_t *listener = &job->listener; peer_cfg_t *peer_cfg = listener->peer_cfg; - ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); - - ike_sa = charon->ike_sa_manager->checkout_by_peer(charon->ike_sa_manager, - ike_cfg->get_my_host(ike_cfg), ike_cfg->get_other_host(ike_cfg), - peer_cfg->get_my_id(peer_cfg), peer_cfg->get_other_id(peer_cfg)); + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + peer_cfg); listener->ike_sa = ike_sa; if (ike_sa->get_peer_cfg(ike_sa) == NULL) diff --git a/src/charon/control/interfaces/stroke_interface.c b/src/charon/control/interfaces/stroke_interface.c index b51d53ebd..3b4b246bd 100755 --- a/src/charon/control/interfaces/stroke_interface.c +++ b/src/charon/control/interfaces/stroke_interface.c @@ -535,6 +535,24 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out) iterator = charon->backends->create_iterator(charon->backends); while (iterator->iterate(iterator, (void**)&peer_cfg)) { + host_t *my_vip_conf, *other_vip_conf; + bool my_vip_equals = FALSE, other_vip_equals = FALSE; + + my_vip_conf = peer_cfg->get_my_virtual_ip(peer_cfg); + if ((my_vip && my_vip_conf && my_vip->equals(my_vip, my_vip_conf)) || + (!my_vip_conf && !my_vip)) + { + my_vip_equals = TRUE; + } + DESTROY_IF(my_vip_conf); + other_vip_conf = peer_cfg->get_other_virtual_ip(peer_cfg, NULL); + if ((other_vip && other_vip_conf && other_vip->equals(other_vip, other_vip_conf)) || + (!other_vip_conf && !other_vip)) + { + other_vip_equals = TRUE; + } + DESTROY_IF(other_vip_conf); + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); if (my_id->equals(my_id, peer_cfg->get_my_id(peer_cfg)) && other_id->equals(other_id, peer_cfg->get_other_id(peer_cfg)) @@ -545,7 +563,8 @@ static void stroke_add_conn(stroke_msg_t *msg, FILE *out) && peer_cfg->get_ike_version(peer_cfg) == (msg->add_conn.ikev2 ? 2 : 1) && peer_cfg->get_auth_method(peer_cfg) == msg->add_conn.auth_method && peer_cfg->get_eap_type(peer_cfg, &vendor) == msg->add_conn.eap_type - && vendor == msg->add_conn.eap_vendor) + && vendor == msg->add_conn.eap_vendor + && my_vip_equals && other_vip_equals) { DBG1(DBG_CFG, "reusing existing configuration '%s'", peer_cfg->get_name(peer_cfg)); diff --git a/src/charon/encoding/payloads/eap_payload.c b/src/charon/encoding/payloads/eap_payload.c index 345114af0..da2498c5e 100644 --- a/src/charon/encoding/payloads/eap_payload.c +++ b/src/charon/encoding/payloads/eap_payload.c @@ -312,13 +312,13 @@ eap_payload_t *eap_payload_create_data(chunk_t data) /* * Described in header */ -eap_payload_t *eap_payload_create_code(eap_code_t code) +eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier) { eap_payload_t *this = eap_payload_create(); chunk_t data = chunk_alloca(4); *(data.ptr + 0) = code; - *(data.ptr + 1) = 0; + *(data.ptr + 1) = identifier; *(u_int16_t*)(data.ptr + 2) = htons(data.len); this->set_data(this, data); @@ -328,13 +328,13 @@ eap_payload_t *eap_payload_create_code(eap_code_t code) /* * Described in header */ -eap_payload_t *eap_payload_create_nak() +eap_payload_t *eap_payload_create_nak(u_int8_t identifier) { eap_payload_t *this = eap_payload_create(); chunk_t data = chunk_alloca(5); *(data.ptr + 0) = EAP_RESPONSE; - *(data.ptr + 1) = 0; + *(data.ptr + 1) = identifier; *(u_int16_t*)(data.ptr + 2) = htons(data.len); *(data.ptr + 4) = EAP_NAK; diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h index 3addbb838..e4f8663c2 100644 --- a/src/charon/encoding/payloads/eap_payload.h +++ b/src/charon/encoding/payloads/eap_payload.h @@ -132,19 +132,22 @@ eap_payload_t *eap_payload_create_data(chunk_t data); * Could should be either EAP_SUCCESS/EAP_FAILURE, use * constructor above otherwise. * - * @return eap_payload_t object + * @param code EAP status code + * @param identifier EAP identifier to use in payload + * @return eap_payload_t object * * @ingroup payloads */ -eap_payload_t *eap_payload_create_code(eap_code_t code); +eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier); /** * @brief Creates an eap_payload_t EAP_RESPONSE containing an EAP_NAK. * - * @return eap_payload_t object + * @param identifier EAP identifier to use in payload + * @return eap_payload_t object * * @ingroup payloads */ -eap_payload_t *eap_payload_create_nak(); +eap_payload_t *eap_payload_create_nak(u_int8_t identifier); #endif /* EAP_PAYLOAD_H_ */ diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c index eee5e92db..aef8f6b7e 100644 --- a/src/charon/encoding/payloads/id_payload.c +++ b/src/charon/encoding/payloads/id_payload.c @@ -9,6 +9,7 @@ * Copyright (C) 2007 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -49,7 +50,7 @@ struct private_id_payload_t { /** * Next payload type. */ - payload_type_t next_payload; + u_int8_t next_payload; /** * Critical flag. diff --git a/src/charon/sa/authenticators/eap/eap_sim.c b/src/charon/sa/authenticators/eap/eap_sim.c index c9eb5ce8f..90898fb46 100644 --- a/src/charon/sa/authenticators/eap/eap_sim.c +++ b/src/charon/sa/authenticators/eap/eap_sim.c @@ -29,6 +29,21 @@ #define MAX_TRIES 3 +/* number of triplets for one authentication */ +#define TRIPLET_COUNT 3 + +typedef enum sim_subtype_t sim_subtype_t; + +/** + * Subtypes of SIM messages + */ +enum sim_subtype_t { + SIM_START = 10, + SIM_CHALLENGE = 11, + SIM_NOTIFICATION = 12, + SIM_CLIENT_ERROR = 14, +}; + ENUM(sim_subtype_names, SIM_START, SIM_CLIENT_ERROR, "SIM_START", "SIM_CHALLENGE", @@ -37,6 +52,40 @@ ENUM(sim_subtype_names, SIM_START, SIM_CLIENT_ERROR, "SIM_CLIENT_ERROR", ); +typedef enum sim_attribute_t sim_attribute_t; + +/** + * Attributes in SIM messages + */ +enum sim_attribute_t { + /** defines the end of attribute list */ + AT_END = -1, + AT_RAND = 1, + AT_AUTN = 2, + AT_RES = 3, + AT_AUTS = 4, + AT_PADDING = 6, + AT_NONCE_MT = 7, + AT_PERMANENT_ID_REQ = 10, + AT_MAC = 11, + AT_NOTIFICATION = 12, + AT_ANY_ID_REQ = 13, + AT_IDENTITY = 14, + AT_VERSION_LIST = 15, + AT_SELECTED_VERSION = 16, + AT_FULLAUTH_ID_REQ = 17, + AT_COUNTER = 19, + AT_COUNTER_TOO_SMALL = 20, + AT_NONCE_S = 21, + AT_CLIENT_ERROR_CODE = 22, + AT_IV = 129, + AT_ENCR_DATA = 130, + AT_NEXT_PSEUDONYM = 132, + AT_NEXT_REAUTH_ID = 133, + AT_CHECKCODE = 134, + AT_RESULT_IND = 135, +}; + ENUM_BEGIN(sim_attribute_names, AT_END, AT_CLIENT_ERROR_CODE, "AT_END", "AT_0", @@ -96,6 +145,11 @@ struct private_eap_sim_t { sim_algo_t alg; /** + * libraries get_triplet() function returning a triplet + */ + sim_get_triplet_t get_triplet; + + /** * handle of the loaded library */ void *handle; @@ -106,6 +160,16 @@ struct private_eap_sim_t { int tries; /** + * unique EAP identifier + */ + u_int8_t identifier; + + /** + * EAP message type this role sends + */ + u_int8_t type; + + /** * version this implementation uses */ chunk_t version; @@ -121,6 +185,11 @@ struct private_eap_sim_t { chunk_t nonce; /** + * concatenated SRES values + */ + chunk_t sreses; + + /** * k_encr key derived from MK */ chunk_t k_encr; @@ -147,6 +216,10 @@ struct private_eap_sim_t { #define MAC_LEN 16 /** length of the AT_RAND value */ #define RAND_LEN 16 +/** length of Kc */ +#define KC_LEN 8 +/** length of SRES */ +#define SRES_LEN 4 /** length of the k_encr key */ #define KENCR_LEN 16 /** length of the k_auth key */ @@ -156,6 +229,7 @@ struct private_eap_sim_t { /** length of the EMSK */ #define EMSK_LEN 64 +static char version[] = {0x00,0x01}; /* client error codes used in AT_CLIENT_ERROR_CODE */ char client_error_general_buf[] = {0x00, 0x01}; char client_error_unsupported_buf[] = {0x00, 0x02}; @@ -229,7 +303,7 @@ static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier chunk_t mac_data = chunk_empty; /* write EAP header, skip length bytes */ - *pos.ptr++ = EAP_RESPONSE; + *pos.ptr++ = this->type; *pos.ptr++ = identifier; pos.ptr += 2; pos.len -= 4; @@ -263,6 +337,7 @@ static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier break; } case AT_IDENTITY: + case AT_VERSION_LIST: { u_int16_t act_len = data.len; /* align up to four byte */ @@ -346,8 +421,8 @@ static eap_payload_t *build_payload(private_eap_sim_t *this, u_int8_t identifier /** * process an EAP-SIM/Request/Start message */ -static status_t process_start(private_eap_sim_t *this, eap_payload_t *in, - eap_payload_t **out) +static status_t peer_process_start(private_eap_sim_t *this, eap_payload_t *in, + eap_payload_t **out) { chunk_t message, data; sim_attribute_t attribute, include_id = AT_END; @@ -440,18 +515,56 @@ static status_t process_start(private_eap_sim_t *this, eap_payload_t *in, } /** + * derive EAP keys from kc + */ +static void derive_keys(private_eap_sim_t *this, chunk_t kcs) +{ + chunk_t tmp, mk; + hasher_t *hasher; + prf_t *prf; + int i; + + /* build MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */ + tmp = chunk_cata("ccccc", this->peer->get_encoding(this->peer), kcs, + this->nonce, this->version_list, this->version); + hasher = hasher_create(HASH_SHA1); + mk = chunk_alloca(hasher->get_hash_size(hasher)); + hasher->get_hash(hasher, tmp, mk.ptr); + hasher->destroy(hasher); + DBG3(DBG_IKE, "MK = SHA1(%B\n) = %B", &tmp, &mk); + + /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() + * FIPS PRF has 320 bit block size, we need 160 byte for keys + * => run prf four times */ + prf = prf_create(PRF_FIPS_SHA1_160); + prf->set_key(prf, mk); + tmp = chunk_alloca(prf->get_block_size(prf) * 4); + for (i = 0; i < 4; i++) + { + prf->get_bytes(prf, chunk_empty, tmp.ptr + tmp.len / 4 * i); + } + prf->destroy(prf); + chunk_free(&this->k_encr); + chunk_free(&this->k_auth); + chunk_free(&this->msk); + chunk_free(&this->emsk); + chunk_split(tmp, "aaaa", KENCR_LEN, &this->k_encr, KAUTH_LEN, &this->k_auth, + MSK_LEN, &this->msk, EMSK_LEN, &this->emsk); + DBG3(DBG_IKE, "K_encr %B\nK_auth %B\nMSK %B\nEMSK %B", + &this->k_encr, &this->k_auth, &this->msk, &this->emsk); +} + +/** * process an EAP-SIM/Request/Challenge message */ -static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in, - eap_payload_t **out) +static status_t peer_process_challenge(private_eap_sim_t *this, + eap_payload_t *in, eap_payload_t **out) { - chunk_t message, data, tmp, kcs, kc, sreses, sres, mk; + chunk_t message, data, tmp, kcs, kc, sreses, sres; sim_attribute_t attribute; - u_int8_t identifier, i; + u_int8_t identifier; chunk_t mac = chunk_empty, rands = chunk_empty; signer_t *signer; - hasher_t *hasher; - prf_t *prf; if (this->tries-- <= 0) { @@ -541,7 +654,7 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in, if (this->alg(rands.ptr, RAND_LEN, sres.ptr, &sres_len, kc.ptr, &kc_len)) { - DBG1(DBG_IKE, "unable to get triplets from SIM"); + DBG1(DBG_IKE, "unable to get EAP-SIM triplet"); *out = build_payload(this, identifier, SIM_CLIENT_ERROR, AT_CLIENT_ERROR_CODE, client_error_general, AT_END); @@ -554,34 +667,7 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in, rands = chunk_skip(rands, RAND_LEN); } - /* build MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version) */ - tmp = chunk_cata("ccccc", this->peer->get_encoding(this->peer), kcs, - this->nonce, this->version_list, this->version); - hasher = hasher_create(HASH_SHA1); - mk = chunk_alloca(hasher->get_hash_size(hasher)); - hasher->get_hash(hasher, tmp, mk.ptr); - hasher->destroy(hasher); - DBG3(DBG_IKE, "MK = SHA1(%B\n) = %B", &tmp, &mk); - - /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() - * FIPS PRF has 320 bit block size, we need 160 byte for keys - * => run prf four times */ - prf = prf_create(PRF_FIPS_SHA1_160); - prf->set_key(prf, mk); - tmp = chunk_alloca(prf->get_block_size(prf) * 4); - for (i = 0; i < 4; i++) - { - prf->get_bytes(prf, chunk_empty, tmp.ptr + tmp.len / 4 * i); - } - prf->destroy(prf); - chunk_free(&this->k_encr); - chunk_free(&this->k_auth); - chunk_free(&this->msk); - chunk_free(&this->emsk); - chunk_split(tmp, "aaaa", KENCR_LEN, &this->k_encr, KAUTH_LEN, &this->k_auth, - MSK_LEN, &this->msk, EMSK_LEN, &this->emsk); - DBG3(DBG_IKE, "K_encr %B\nK_auth %B\nMSK %B\nEMSK %B", - &this->k_encr, &this->k_auth, &this->msk, &this->emsk); + derive_keys(this, kcs); /* verify AT_MAC attribute, signature is over "EAP packet | NONCE_MT" */ signer = signer_create(AUTH_HMAC_SHA1_128); @@ -606,10 +692,144 @@ static status_t process_challenge(private_eap_sim_t *this, eap_payload_t *in, } /** + * process an EAP-SIM/Response/Challenge message + */ +static status_t server_process_challenge(private_eap_sim_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + chunk_t message, data; + sim_attribute_t attribute; + chunk_t mac = chunk_empty, tmp; + signer_t *signer; + + message = in->get_data(in); + read_header(&message); + + while ((attribute = read_attribute(&message, &data)) != AT_END) + { + switch (attribute) + { + case AT_MAC: + /* MAC has two reserved bytes */ + if (data.len == MAC_LEN + 2) + { /* clone and zero MAC for verification */ + mac = chunk_clonea(chunk_skip(data, 2)); + memset(data.ptr, 0, data.len); + } + break; + default: + DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N", + sim_attribute_names, attribute); + break; + } + } + if (!mac.ptr) + { + DBG1(DBG_IKE, "no valid AT_MAC attribute received"); + return FAILED; + } + /* verify AT_MAC attribute, signature is over "EAP packet | n*SRES" */ + signer = signer_create(AUTH_HMAC_SHA1_128); + signer->set_key(signer, this->k_auth); + tmp = chunk_cata("cc", in->get_data(in), this->sreses); + if (!signer->verify_signature(signer, tmp, mac)) + { + DBG1(DBG_IKE, "AT_MAC verification failed"); + signer->destroy(signer); + return FAILED; + } + signer->destroy(signer); + return SUCCESS; +} + +/** + * process an EAP-SIM/Response/Start message + */ +static status_t server_process_start(private_eap_sim_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + chunk_t message, data; + sim_attribute_t attribute; + bool supported = FALSE; + chunk_t rands, rand, kcs, kc, sreses, sres; + char id[64]; + int len, i, rand_len, kc_len, sres_len; + + message = in->get_data(in); + read_header(&message); + + while ((attribute = read_attribute(&message, &data)) != AT_END) + { + switch (attribute) + { + case AT_NONCE_MT: + if (data.len == NONCE_LEN + 2) + { + this->nonce = chunk_clone(chunk_skip(data, 2)); + } + break; + case AT_SELECTED_VERSION: + if (chunk_equals(data, this->version)) + { + supported = TRUE; + } + break; + default: + DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N", + sim_attribute_names, attribute); + break; + } + } + if (!supported || !this->nonce.ptr) + { + DBG1(DBG_IKE, "received incomplete EAP-SIM/Response/Start"); + return FAILED; + } + len = snprintf(id, sizeof(id), "%D", this->peer); + if (len > sizeof(id) || len < 0) + { + return FAILED; + } + + /* read triplets from provider */ + rand = rands = chunk_alloca(RAND_LEN * TRIPLET_COUNT); + kc = kcs = chunk_alloca(KC_LEN * TRIPLET_COUNT); + sres = sreses = chunk_alloca(SRES_LEN * TRIPLET_COUNT); + rands.len = 0; + kcs.len = 0; + sreses.len = 0; + for (i = 0; i < TRIPLET_COUNT; i++) + { + rand_len = RAND_LEN; + kc_len = KC_LEN; + sres_len = SRES_LEN; + if (this->get_triplet(id, rand.ptr, &rand_len, sres.ptr, &sres_len, + kc.ptr, &kc_len)) + { + DBG1(DBG_IKE, "getting EAP-SIM triplet %d failed", i); + return FAILED; + } + rands.len += rand_len; + kcs.len += kc_len; + sreses.len += sres_len; + rand = chunk_skip(rand, rand_len); + kc = chunk_skip(kc, kc_len); + sres = chunk_skip(sres, sres_len); + } + derive_keys(this, kcs); + + /* build MAC over "EAP packet | NONCE_MT" */ + *out = build_payload(this, this->identifier++, SIM_CHALLENGE, AT_RAND, + rands, AT_MAC, this->nonce, AT_END); + this->sreses = chunk_clone(sreses); + return NEED_MORE; +} + +/** * process an EAP-SIM/Request/Notification message */ -static status_t process_notification(private_eap_sim_t *this, eap_payload_t *in, - eap_payload_t **out) +static status_t peer_process_notification(private_eap_sim_t *this, + eap_payload_t *in, eap_payload_t **out) { chunk_t message, data; sim_attribute_t attribute; @@ -656,12 +876,44 @@ static status_t process_notification(private_eap_sim_t *this, eap_payload_t *in, return NEED_MORE; } +/** + * Process a client error + */ +static status_t server_process_client_error(private_eap_sim_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + chunk_t message, data; + sim_attribute_t attribute; + + message = in->get_data(in); + read_header(&message); + + while ((attribute = read_attribute(&message, &data)) != AT_END) + { + if (attribute == AT_CLIENT_ERROR_CODE) + { + u_int16_t code = 0; + if (data.len == 2) + { + code = ntohs(*(u_int16_t*)data.ptr); + } + DBG1(DBG_IKE, "received %N error %d", + sim_attribute_names, attribute, code); + } + else + { + DBG1(DBG_IKE, "ignoring EAP_SIM attribute %N", + sim_attribute_names, attribute); + } + } + return FAILED; +} /** * Implementation of eap_method_t.process for the peer */ -static status_t process(private_eap_sim_t *this, - eap_payload_t *in, eap_payload_t **out) +static status_t peer_process(private_eap_sim_t *this, + eap_payload_t *in, eap_payload_t **out) { sim_subtype_t type; chunk_t message; @@ -672,11 +924,11 @@ static status_t process(private_eap_sim_t *this, switch (type) { case SIM_START: - return process_start(this, in, out); + return peer_process_start(this, in, out); case SIM_CHALLENGE: - return process_challenge(this, in, out); + return peer_process_challenge(this, in, out); case SIM_NOTIFICATION: - return process_notification(this, in, out); + return peer_process_notification(this, in, out); default: DBG1(DBG_IKE, "unable to process EAP_SIM subtype %N", sim_subtype_names, type); @@ -687,15 +939,55 @@ static status_t process(private_eap_sim_t *this, } /** + * Implementation of eap_method_t.process for the server + */ +static status_t server_process(private_eap_sim_t *this, + eap_payload_t *in, eap_payload_t **out) +{ + sim_subtype_t type; + chunk_t message; + + message = in->get_data(in); + type = read_header(&message); + + switch (type) + { + case SIM_START: + return server_process_start(this, in, out); + case SIM_CHALLENGE: + return server_process_challenge(this, in, out); + case SIM_CLIENT_ERROR: + return server_process_client_error(this, in, out); + default: + DBG1(DBG_IKE, "unable to process EAP_SIM subtype %N", + sim_subtype_names, type); + return FAILED; + } +} + +/** * Implementation of eap_method_t.initiate for the peer */ -static status_t initiate(private_eap_sim_t *this, eap_payload_t **out) +static status_t peer_initiate(private_eap_sim_t *this, eap_payload_t **out) { /* peer never initiates */ return FAILED; } /** + * Implementation of eap_method_t.initiate for the server + */ +static status_t server_initiate(private_eap_sim_t *this, eap_payload_t **out) +{ + /* version_list to derive MK, no padding */ + this->version_list = chunk_clone(this->version); + /* build_payloads adds padding itself */ + *out = build_payload(this, this->identifier++, SIM_START, + AT_VERSION_LIST, this->version, AT_END); + return NEED_MORE; +} + +/** * Implementation of eap_method_t.get_type. */ static eap_type_t get_type(private_eap_sim_t *this, u_int32_t *vendor) @@ -732,6 +1024,7 @@ static void destroy(private_eap_sim_t *this) { dlclose(this->handle); chunk_free(&this->nonce); + chunk_free(&this->sreses); chunk_free(&this->version_list); chunk_free(&this->k_auth); chunk_free(&this->k_encr); @@ -748,60 +1041,85 @@ eap_sim_t *eap_create(eap_role_t role, { private_eap_sim_t *this; randomizer_t *randomizer; - static char version[] = {0x00,0x01}; - - if (role != EAP_PEER) - { - return NULL; - } - this = malloc_thing(private_eap_sim_t); + void *symbol; + char *name; + + this = malloc_thing(private_eap_sim_t); + this->alg = NULL; + this->get_triplet = NULL; + this->nonce = chunk_empty; + this->sreses = chunk_empty; + this->peer = peer; + this->tries = MAX_TRIES; + this->version.ptr = version; + this->version.len = sizeof(version); + this->version_list = chunk_empty; + this->k_auth = chunk_empty; + this->k_encr = chunk_empty; + this->msk = chunk_empty; + this->emsk = chunk_empty; + this->identifier = random(); this->handle = dlopen(SIM_READER_LIB, RTLD_LAZY); if (this->handle == NULL) { - DBG1(DBG_IKE, "unable to open SIM reader '%s'", SIM_READER_LIB); + DBG1(DBG_IKE, "unable to open SIM reader '%s'", SIM_READER_LIB); free(this); return NULL; } - this->alg = dlsym(this->handle, SIM_READER_ALG); - if (this->alg == NULL) + switch (role) { - DBG1(DBG_IKE, "unable to open SIM reader function '%s' in '%s'", - SIM_READER_ALG, SIM_READER_LIB); + case EAP_PEER: + name = SIM_READER_ALG; + break; + case EAP_SERVER: + name = SIM_READER_GET_TRIPLET; + break; + default: + free(this); + return NULL; + } + symbol = dlsym(this->handle, name); + if (symbol == NULL) + { + DBG1(DBG_IKE, "unable to open SIM function '%s' in '%s'", + name, SIM_READER_LIB); dlclose(this->handle); free(this); return NULL; } - - randomizer = randomizer_create(); - if (randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_LEN, - &this->nonce)) + switch (role) { - DBG1(DBG_IKE, "unable to generate NONCE for EAP_SIM"); - randomizer->destroy(randomizer); - free(this); - return NULL; + case EAP_SERVER: + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))server_initiate; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))server_process; + this->get_triplet = symbol; + this->type = EAP_REQUEST; + break; + case EAP_PEER: + this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))peer_initiate; + this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))peer_process; + this->alg = symbol; + this->type = EAP_RESPONSE; + randomizer = randomizer_create(); + if (randomizer->allocate_pseudo_random_bytes(randomizer, NONCE_LEN, + &this->nonce)) + { + DBG1(DBG_IKE, "unable to generate NONCE for EAP_SIM"); + randomizer->destroy(randomizer); + free(this); + return NULL; + } + randomizer->destroy(randomizer); + break; + default: + free(this); + return NULL; } - randomizer->destroy(randomizer); - - /* public functions */ - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process; this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - /* private data */ - this->peer = peer; - this->tries = MAX_TRIES; - this->version.ptr = version; - this->version.len = sizeof(version); - this->version_list = chunk_empty; - this->k_auth = chunk_empty; - this->k_encr = chunk_empty; - this->msk = chunk_empty; - this->emsk = chunk_empty; - return &this->public; } diff --git a/src/charon/sa/authenticators/eap/eap_sim.h b/src/charon/sa/authenticators/eap/eap_sim.h index 10640babe..d50cf7397 100644 --- a/src/charon/sa/authenticators/eap/eap_sim.h +++ b/src/charon/sa/authenticators/eap/eap_sim.h @@ -24,59 +24,13 @@ #define EAP_SIM_H_ typedef struct eap_sim_t eap_sim_t; -typedef enum sim_subtype_t sim_subtype_t; -typedef enum sim_attribute_t sim_attribute_t; #include <sa/authenticators/eap/eap_method.h> -/** - * Subtypes of SIM messages - */ -enum sim_subtype_t { - SIM_START = 10, - SIM_CHALLENGE = 11, - SIM_NOTIFICATION = 12, - SIM_CLIENT_ERROR = 14, -}; - -/** - * enum names for sim_subtype_t - */ -extern enum_name_t *sim_subtype_names; - -enum sim_attribute_t { - /** defines the end of attribute list */ - AT_END = -1, - AT_RAND = 1, - AT_AUTN = 2, - AT_RES = 3, - AT_AUTS = 4, - AT_PADDING = 6, - AT_NONCE_MT = 7, - AT_PERMANENT_ID_REQ = 10, - AT_MAC = 11, - AT_NOTIFICATION = 12, - AT_ANY_ID_REQ = 13, - AT_IDENTITY = 14, - AT_VERSION_LIST = 15, - AT_SELECTED_VERSION = 16, - AT_FULLAUTH_ID_REQ = 17, - AT_COUNTER = 19, - AT_COUNTER_TOO_SMALL = 20, - AT_NONCE_S = 21, - AT_CLIENT_ERROR_CODE = 22, - AT_IV = 129, - AT_ENCR_DATA = 130, - AT_NEXT_PSEUDONYM = 132, - AT_NEXT_REAUTH_ID = 133, - AT_CHECKCODE = 134, - AT_RESULT_IND = 135, -}; - -/** - * enum names for sim_subtype_t - */ -extern enum_name_t *sim_attribute_names; +/** the library containing with the triplet functions */ +#ifndef SIM_READER_LIB +#error SIM_READER_LIB not specified, use --with-sim-reader option +#endif /* SIM_READER_LIB */ /** * @brief Cardreaders SIM function. @@ -93,24 +47,42 @@ typedef int (*sim_algo_t)(const unsigned char *rand, int rand_length, unsigned char *sres, int *sres_length, unsigned char *kc, int *kc_length); -#ifndef SIM_READER_LIB -/** the library containing the cardreader with the SIM function */ -#error SIM_READER_LIB not specified, use --with-sim-reader option -#endif /* SIM_READER_LIB */ - #ifndef SIM_READER_ALG /** the SIM_READER_LIB's algorithm, uses sim_algo_t signature */ #define SIM_READER_ALG "sim_run_alg" #endif /* SIM_READER_ALG */ +/** + * @brief Function to get a SIM triplet. + * + * @param identity identity (imsi) to get a triplet for + * @param rand buffer to get RAND + * @param rand_length size of buffer in rand, returns bytes written to RAND + * @param sres buffer to get SRES + * @param sres_length size of buffer in sres, returns bytes written to SRES + * @param kc buffer to get Kc + * @param kc_length size of buffer in Kc, returns bytes written to Kc + * @return zero on success + */ +typedef int (*sim_get_triplet_t)(char *identity, + unsigned char *rand, int *rand_length, + unsigned char *sres, int *sres_length, + unsigned char *kc, int *kc_length); + +#ifndef SIM_READER_GET_TRIPLET +/** the SIM_READER_LIB's get-triplet function, uses sim_get_triplet_t signature */ +#define SIM_READER_GET_TRIPLET "sim_get_triplet" +#endif /* SIM_READER_GET_TRIPLET */ /** * @brief Implementation of the eap_method_t interface using EAP-SIM. * * This EAP-SIM client implementation uses another pluggable library to - * access the SIM card. This module is specified using the SIM_READER_LIB - * definition. The function to run the algorithm has the sim_algo_t type and - * is named as SIM_READER_ALG is defined. + * access the SIM card/triplet provider. This module is specified using the + * SIM_READER_LIB definition. It has to privde a sim_run_alg() function to + * calculate a triplet (client), and/or a sim_get_triplet() function to get + * a triplet (server). These functions are named to the SIM_READER_ALG and + * the SIM_READER_GET_TRIPLET definitions. * * @b Constructors: * - eap_create() of this module @@ -129,6 +101,7 @@ struct eap_sim_t { /** * @brief Creates the EAP method EAP-SIM. * + * @param role role of the module, client/server * @param server ID of the EAP server * @param peer ID of the EAP client * @return eap_sim_t object diff --git a/src/charon/sa/authenticators/eap/sim/eap_sim_file.c b/src/charon/sa/authenticators/eap/sim/eap_sim_file.c new file mode 100644 index 000000000..2ab45a578 --- /dev/null +++ b/src/charon/sa/authenticators/eap/sim/eap_sim_file.c @@ -0,0 +1,288 @@ +/**
+ * @file eap_sim.h
+ *
+ * @brief Interface of eap_sim_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stdio.h>
+#include <errno.h>
+
+#include <daemon.h>
+
+#define IMSI_LEN 64
+#define RAND_LEN 16
+#define SRES_LEN 4
+#define KC_LEN 8
+
+typedef struct triplet_t triplet_t;
+
+struct triplet_t {
+ unsigned char imsi[IMSI_LEN];
+ unsigned char rand[RAND_LEN];
+ unsigned char sres[SRES_LEN];
+ unsigned char kc[KC_LEN];
+};
+
+static triplet_t *triplets = NULL;
+static int triplet_count = 0;
+
+#define TRIPLET_FILE IPSEC_CONFDIR "/ipsec.d/triplets.dat"
+
+/**
+ * convert a single HEX char to its integer value
+ */
+static int hexchr(char chr)
+{
+ switch (chr)
+ {
+ case '0'...'9':
+ return chr - '0';
+ case 'A'...'F':
+ return 10 + chr - 'A';
+ case 'a'...'f':
+ return 10 + chr - 'a';
+ }
+ return 0;
+}
+
+/**
+ * convert a HEX string into a char array bin, limited by array length len
+ */
+static void hex2bin(char *hex, unsigned char *bin, size_t len)
+{
+ char *pos;
+ int i, even = 1;
+
+ pos = hex - 1;
+ /* find the end, as we convert bottom up */
+ while (TRUE)
+ {
+ switch (*(pos+1))
+ {
+ case '0'...'9':
+ case 'A'...'F':
+ case 'a'...'f':
+ pos++;
+ continue;
+ }
+ break;
+ }
+ /* convert two hex chars into a single bin byte */
+ for (i = 0; pos >= hex && i < len; pos--)
+ {
+ if (even)
+ {
+ bin[len - 1 - i] = hexchr(*pos);
+ }
+ else
+ {
+ bin[len - 1 - i] |= 16 * hexchr(*pos);
+ i++;
+ }
+ even = !even;
+ }
+}
+
+/**
+ * free up allocated triplets
+ */
+static void __attribute__ ((destructor)) free_triplets()
+{
+ free(triplets);
+}
+
+/**
+ * read the triplets from the file, using freeradius triplet file syntax:
+ * http://www.freeradius.org/radiusd/doc/rlm_sim_triplets
+ */
+static void __attribute__ ((constructor)) read_triplets()
+{
+ char line[512], *data[4], *pos;
+ FILE *file;
+ int i, nr = 0;
+ triplet_t *triplet;
+
+ file = fopen(TRIPLET_FILE, "r");
+ if (file == NULL)
+ {
+ DBG1(DBG_CFG, "opening triplet file %s failed: %s",
+ TRIPLET_FILE, strerror(errno));
+ return;
+ }
+
+ if (triplets)
+ {
+ free(triplets);
+ triplets = NULL;
+ triplet_count = 0;
+ }
+
+ /* read line by line */
+ while (fgets(line, sizeof(line), file))
+ {
+ nr++;
+ /* skip comments, empty lines */
+ switch (line[0])
+ {
+ case '\n':
+ case '\r':
+ case '#':
+ case '\0':
+ continue;
+ default:
+ break;
+ }
+ /* read comma separated values */
+ pos = line;
+ for (i = 0; i < 4; i++)
+ {
+ data[i] = pos;
+ pos = strchr(pos, ',');
+ if (pos)
+ {
+ *pos = '\0';
+ pos++;
+ }
+ else if (i != 3)
+ {
+ DBG1(DBG_CFG, "error in triplet file, line %d", nr);
+ fclose(file);
+ return;
+ }
+ }
+ /* allocate new triplet */
+ triplet_count++;
+ triplets = realloc(triplets, triplet_count * sizeof(triplet_t));
+ triplet = &triplets[triplet_count - 1];
+ memset(triplet, 0, sizeof(triplet_t));
+
+ /* convert/copy triplet data */
+ for (i = 0; i < IMSI_LEN - 1; i++)
+ {
+ switch (data[0][i])
+ {
+ case '\n':
+ case '\r':
+ case '\0':
+ break;
+ default:
+ triplet->imsi[i] = data[0][i];
+ continue;
+ }
+ break;
+ }
+ hex2bin(data[1], triplet->rand, RAND_LEN);
+ hex2bin(data[2], triplet->sres, SRES_LEN);
+ hex2bin(data[3], triplet->kc, KC_LEN);
+
+ DBG4(DBG_CFG, "triplet: imsi %b\nrand %b\nsres %b\nkc %b",
+ triplet->imsi, IMSI_LEN, triplet->rand, RAND_LEN,
+ triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
+ }
+ fclose(file);
+ DBG2(DBG_CFG, "read %d triplets from %s", triplet_count, TRIPLET_FILE);
+}
+
+/**
+ * Run the sim algorithm, see eap_sim.h
+ */
+int sim_run_alg(const unsigned char *rand, int rand_length,
+ unsigned char *sres, int *sres_length,
+ unsigned char *kc, int *kc_length)
+{
+ int current;
+
+ if (rand_length != RAND_LEN ||
+ *sres_length < SRES_LEN ||
+ *kc_length < KC_LEN)
+ {
+ return 1;
+ }
+
+ for (current = 0; current < triplet_count; current++)
+ {
+ if (memcmp(triplets[current].rand, rand, RAND_LEN) == 0)
+ {
+ memcpy(sres, triplets[current].sres, SRES_LEN);
+ memcpy(kc, triplets[current].kc, KC_LEN);
+ *sres_length = SRES_LEN;
+ *kc_length = KC_LEN;
+ return 0;
+ }
+ }
+ return 2;
+}
+
+/**
+ * Get a single triplet, see_eap_sim.h
+ */
+int sim_get_triplet(char *imsi,
+ unsigned char *rand, int *rand_length,
+ unsigned char *sres, int *sres_length,
+ unsigned char *kc, int *kc_length)
+{
+ int current;
+ triplet_t *triplet;
+ static int skip = -1;
+
+ DBG2(DBG_CFG, "getting triplet for %s", imsi);
+
+ if (*rand_length < RAND_LEN ||
+ *sres_length < SRES_LEN ||
+ *kc_length < KC_LEN)
+ {
+ return 1;
+ }
+ if (triplet_count == 0)
+ {
+ return 2;
+ }
+ for (current = 0; current < triplet_count; current++)
+ {
+ triplet = &triplets[current];
+
+ if (streq(imsi, triplet->imsi))
+ {
+ /* skip triplet if already used */
+ if (skip >= current)
+ {
+ continue;
+ }
+ *rand_length = RAND_LEN;
+ *sres_length = SRES_LEN;
+ *kc_length = KC_LEN;
+ memcpy(rand, triplet->rand, RAND_LEN);
+ memcpy(sres, triplet->sres, SRES_LEN);
+ memcpy(kc, triplet->kc, KC_LEN);
+ /* remember used triplet */
+ skip = current;
+ return 0;
+ }
+ }
+ if (skip > -1)
+ {
+ /* no triplet left, reuse triplets */
+ skip = -1;
+ return sim_get_triplet(imsi, rand, rand_length,
+ sres, sres_length, kc, kc_length);
+ }
+ return 2;
+}
+
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c index 6250604a6..edd75da43 100644 --- a/src/charon/sa/authenticators/eap_authenticator.c +++ b/src/charon/sa/authenticators/eap_authenticator.c @@ -147,7 +147,7 @@ static status_t initiate(private_eap_authenticator_t *this, eap_type_t type, { DBG1(DBG_IKE, "client requested EAP authentication, but configuration forbids it"); - *out = eap_payload_create_code(EAP_FAILURE); + *out = eap_payload_create_code(EAP_FAILURE, 0); return FAILED; } @@ -169,14 +169,14 @@ static status_t initiate(private_eap_authenticator_t *this, eap_type_t type, DBG1(DBG_IKE, "configured EAP server method not supported, sending %N", eap_code_names, EAP_FAILURE); - *out = eap_payload_create_code(EAP_FAILURE); + *out = eap_payload_create_code(EAP_FAILURE, 0); return FAILED; } if (this->method->initiate(this->method, out) != NEED_MORE) { DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N", eap_type_names, type, eap_code_names, EAP_FAILURE); - *out = eap_payload_create_code(EAP_FAILURE); + *out = eap_payload_create_code(EAP_FAILURE, 0); return FAILED; } return NEED_MORE; @@ -234,7 +234,7 @@ static status_t process_peer(private_eap_authenticator_t *this, { DBG1(DBG_IKE, "EAP server requested unsupported " "EAP method, sending EAP_NAK"); - *out = eap_payload_create_nak(); + *out = eap_payload_create_nak(in->get_identifier(in)); return NEED_MORE; } } @@ -303,7 +303,7 @@ static status_t process_server(private_eap_authenticator_t *this, DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established", eap_type_names, type, this->msk.ptr ? "" : "no "); } - *out = eap_payload_create_code(EAP_SUCCESS); + *out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); return SUCCESS; case FAILED: default: @@ -319,7 +319,7 @@ static status_t process_server(private_eap_authenticator_t *this, eap_type_names, type, this->ike_sa->get_other_id(this->ike_sa)); } - *out = eap_payload_create_code(EAP_FAILURE); + *out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in)); return FAILED; } } @@ -346,7 +346,8 @@ static status_t process(private_eap_authenticator_t *this, eap_payload_t *in, { DBG1(DBG_IKE, "received %N, sending %N", eap_code_names, code, eap_code_names, EAP_FAILURE); - *out = eap_payload_create_code(EAP_FAILURE); + *out = eap_payload_create_code(EAP_FAILURE, + in->get_identifier(in)); return FAILED; } } diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c index d0f3cde8d..06755fa9c 100644 --- a/src/charon/sa/connect_manager.c +++ b/src/charon/sa/connect_manager.c @@ -27,6 +27,7 @@ #include <daemon.h> #include <utils/linked_list.h> +#include <crypto/hashers/hasher.h> #include <processing/jobs/callback_job.h> #include <processing/jobs/initiate_mediation_job.h> @@ -493,29 +494,18 @@ static initiate_data_t *initiate_data_create(check_list_t *checklist, initiated_ /** * Find an initiated connection by the peers' ids */ +static bool match_initiated_by_ids(initiated_t *current, identification_t *id, + identification_t *peer_id) +{ + return id->equals(id, current->id) && peer_id->equals(peer_id, current->peer_id); +} + static status_t get_initiated_by_ids(private_connect_manager_t *this, identification_t *id, identification_t *peer_id, initiated_t **initiated) { - iterator_t *iterator; - initiated_t *current; - status_t status = NOT_FOUND; - - iterator = this->initiated->create_iterator(this->initiated, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (id->equals(id, current->id) && peer_id->equals(peer_id, current->peer_id)) - { - if (initiated) - { - *initiated = current; - } - status = SUCCESS; - break; - } - } - iterator->destroy(iterator); - - return status; + return this->initiated->find_first(this->initiated, + (linked_list_match_t)match_initiated_by_ids, + (void**)initiated, id, peer_id); } /** @@ -541,56 +531,32 @@ static void remove_initiated(private_connect_manager_t *this, initiated_t *initi /** * Finds a waiting sa */ -static status_t get_waiting_sa(initiated_t *initiated, ike_sa_id_t *ike_sa_id, waiting_sa_t **waiting_sa) +static bool match_waiting_sa(waiting_sa_t *current, ike_sa_id_t *ike_sa_id) { - iterator_t *iterator; - waiting_sa_t *current; - status_t status = NOT_FOUND; - - iterator = initiated->mediated->create_iterator(initiated->mediated, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (ike_sa_id->equals(ike_sa_id, current->ike_sa_id)) - { - if (waiting_sa) - { - *waiting_sa = current; - } - status = SUCCESS; - break; - } - } - iterator->destroy(iterator); + return ike_sa_id->equals(ike_sa_id, current->ike_sa_id); +} - return status; +static status_t get_waiting_sa(initiated_t *initiated, ike_sa_id_t *ike_sa_id, waiting_sa_t **waiting_sa) +{ + return initiated->mediated->find_first(initiated->mediated, + (linked_list_match_t)match_waiting_sa, + (void**)waiting_sa, ike_sa_id); } /** * Find the checklist with a specific session ID */ +static bool match_checklist_by_id(check_list_t *current, chunk_t *session_id) +{ + return chunk_equals(*session_id, current->session_id); +} + static status_t get_checklist_by_id(private_connect_manager_t *this, chunk_t session_id, check_list_t **check_list) { - iterator_t *iterator; - check_list_t *current; - status_t status = NOT_FOUND; - - iterator = this->checklists->create_iterator(this->checklists, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (chunk_equals(session_id, current->session_id)) - { - if (check_list) - { - *check_list = current; - } - status = SUCCESS; - break; - } - } - iterator->destroy(iterator); - - return status; + return this->checklists->find_first(this->checklists, + (linked_list_match_t)match_checklist_by_id, + (void**)check_list, &session_id); } /** @@ -616,28 +582,16 @@ static void remove_checklist(private_connect_manager_t *this, check_list_t *chec /** * Checks if a list of endpoint_notify_t contains a certain host_t */ +static bool match_endpoint_by_host(endpoint_notify_t *current, host_t *host) +{ + return host->equals(host, current->get_host(current)); +} + static status_t endpoints_contain(linked_list_t *endpoints, host_t *host, endpoint_notify_t **endpoint) { - iterator_t *iterator; - endpoint_notify_t *current; - status_t status = NOT_FOUND; - - iterator = endpoints->create_iterator(endpoints, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (host->equals(host, current->get_host(current))) - { - if (endpoint) - { - *endpoint = current; - } - status = SUCCESS; - break; - } - } - iterator->destroy(iterator); - - return status; + return endpoints->find_first(endpoints, + (linked_list_match_t)match_endpoint_by_host, + (void**)endpoint, host); } /** @@ -715,88 +669,56 @@ static void insert_pair_by_priority(linked_list_t *pairs, endpoint_pair_t *pair) /** * Searches a list of endpoint_pair_t for a pair with specific host_ts */ +static bool match_pair_by_hosts(endpoint_pair_t *current, host_t *local, host_t *remote) +{ + return local->equals(local, current->local) && remote->equals(remote, current->remote); +} + static status_t get_pair_by_hosts(linked_list_t *pairs, host_t *local, host_t *remote, endpoint_pair_t **pair) { - iterator_t *iterator; - endpoint_pair_t *current; - status_t status = NOT_FOUND; - - iterator = pairs->create_iterator(pairs, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (local->equals(local, current->local) && - remote->equals(remote, current->remote)) - { - if (pair) - { - *pair = current; - } - status = SUCCESS; - break; - } - } - iterator->destroy(iterator); - - return status; + return pairs->find_first(pairs, + (linked_list_match_t)match_pair_by_hosts, + (void**)pair, local, remote); } /** * Searches for a pair with a specific id */ +static bool match_pair_by_id(endpoint_pair_t *current, u_int32_t *id) +{ + return current->id == *id; +} + static status_t get_pair_by_id(check_list_t *checklist, u_int32_t id, endpoint_pair_t **pair) { - iterator_t *iterator; - endpoint_pair_t *current; - status_t status = NOT_FOUND; - - iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (current->id == id) - { - if (pair) - { - *pair = current; - } - status = SUCCESS; - break; - } - } - iterator->destroy(iterator); - - return status; + return checklist->pairs->find_first(checklist->pairs, + (linked_list_match_t)match_pair_by_id, + (void**)pair, &id); } /** * Returns the best pair of state CHECK_SUCCEEDED from a checklist. */ +static bool match_succeeded_pair(endpoint_pair_t *current) +{ + return current->state == CHECK_SUCCEEDED; +} + static status_t get_best_valid_pair(check_list_t *checklist, endpoint_pair_t **pair) { - iterator_t *iterator; - endpoint_pair_t *current; - status_t status = NOT_FOUND; - - iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (current->state == CHECK_SUCCEEDED) - { - if (pair) - { - *pair = current; - } - status = SUCCESS; - break; - } - } - iterator->destroy(iterator); - - return status; + return checklist->pairs->find_first(checklist->pairs, + (linked_list_match_t)match_succeeded_pair, + (void**)pair); } /** - * Returns and removes the first triggered pair in state CHECK_WAITING. + * Returns and *removes* the first triggered pair in state CHECK_WAITING. */ +static bool match_waiting_pair(endpoint_pair_t *current) +{ + return current->state == CHECK_WAITING; +} + static status_t get_triggered_pair(check_list_t *checklist, endpoint_pair_t **pair) { iterator_t *iterator; @@ -1148,21 +1070,8 @@ static job_requeue_t sender(sender_data_t *data) { DBG1(DBG_IKE, "no triggered check queued, sending an ordinary check"); - iterator_t *iterator; - bool found_one = FALSE; - - iterator = checklist->pairs->create_iterator(checklist->pairs, TRUE); - while (iterator->iterate(iterator, (void**)&pair)) - { - if (pair->state == CHECK_WAITING) - { - found_one = TRUE; - break; - } - } - iterator->destroy(iterator); - - if (!found_one) + if (checklist->pairs->find_first(checklist->pairs, + (linked_list_match_t)match_waiting_pair, (void**)&pair) != SUCCESS) { pthread_mutex_unlock(&(this->mutex)); DBG1(DBG_IKE, "no pairs in waiting state, aborting"); diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 9cada2cb5..93aa08965 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -2090,7 +2090,14 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) { this->dns_servers->insert_first(this->dns_servers, ip); } - + + /* inherit NAT-T conditions */ + this->conditions = other->conditions; + if (this->conditions & COND_NAT_HERE) + { + send_keepalive(this); + } + /* adopt all children */ while (other->child_sas->remove_last(other->child_sas, (void**)&child_sa) == SUCCESS) diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index 5014ea0e2..5e7f78af0 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -483,16 +483,23 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, } /** - * Implementation of of ike_sa_manager.checkout_by_peer. + * Implementation of of ike_sa_manager.checkout_by_config. */ -static ike_sa_t* checkout_by_peer(private_ike_sa_manager_t *this, - host_t *my_host, host_t *other_host, - identification_t *my_id, - identification_t *other_id) +static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, + peer_cfg_t *peer_cfg) { iterator_t *iterator; entry_t *entry; ike_sa_t *ike_sa = NULL; + identification_t *my_id, *other_id; + host_t *my_host, *other_host; + ike_cfg_t *ike_cfg; + + ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); + my_host = ike_cfg->get_my_host(ike_cfg); + other_host = ike_cfg->get_other_host(ike_cfg); + my_id = peer_cfg->get_my_id(peer_cfg); + other_id = peer_cfg->get_other_id(peer_cfg); pthread_mutex_lock(&(this->mutex)); @@ -535,7 +542,9 @@ static ike_sa_t* checkout_by_peer(private_ike_sa_manager_t *this, (other_host->is_anyaddr(other_host) || other_host->ip_equals(other_host, found_other_host)) && found_my_id->matches(found_my_id, my_id, &wc) && - found_other_id->matches(found_other_id, other_id, &wc)) + found_other_id->matches(found_other_id, other_id, &wc) && + streq(peer_cfg->get_name(peer_cfg), + entry->ike_sa->get_name(entry->ike_sa))) { /* looks good, we take this one */ DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]", @@ -902,7 +911,7 @@ ike_sa_manager_t *ike_sa_manager_create() this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout; this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new; this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message; - this->public.checkout_by_peer = (ike_sa_t*(*)(ike_sa_manager_t*,host_t*,host_t*,identification_t*,identification_t*))checkout_by_peer; + this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config; this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id; this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name; this->public.create_iterator = (iterator_t*(*)(ike_sa_manager_t*))create_iterator; diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h index 1125e5d16..a73a106ba 100644 --- a/src/charon/sa/ike_sa_manager.h +++ b/src/charon/sa/ike_sa_manager.h @@ -29,6 +29,7 @@ typedef struct ike_sa_manager_t ike_sa_manager_t; #include <library.h> #include <sa/ike_sa.h> #include <encoding/message.h> +#include <config/peer_cfg.h> /** * @brief The IKE_SA-Manager is responsible for managing all initiated and responded IKE_SA's. @@ -94,25 +95,21 @@ struct ike_sa_manager_t { ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message); /** - * @brief Checkout an existing IKE_SA by hosts and identifications. + * @brief Checkout an IKE_SA for initiation by a peer_config. * - * Allows the lookup of an IKE_SA by user IDs and hosts. It returns the - * first found occurence, if there are multiple candidates. Supplied IDs - * may contain wildcards, hosts may be %any. + * To initiate, a CHILD_SA may be established within an existing IKE_SA. + * This call checks for an existing IKE_SA by comparing the configuration. + * If the CHILD_SA can be created in an existing IKE_SA, the matching SA + * is returned. * If no IKE_SA is found, a new one is created. This is also the case when * the found IKE_SA is in the DELETING state. * * @param this the manager object - * @param my_host address of our host - * @param other_id address of remote host - * @param my_id ID used by us - * @param other_id ID used by remote + * @param peer_cfg configuration used to find an existing IKE_SA * @return checked out/created IKE_SA */ - ike_sa_t* (*checkout_by_peer) (ike_sa_manager_t* this, - host_t *my_host, host_t* other_host, - identification_t *my_id, - identification_t *other_id); + ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this, + peer_cfg_t *peer_cfg); /** * @brief Check out an IKE_SA a unique ID. diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 94ad6003a..3431641d5 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -198,11 +198,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 656073f87..2659b44ba 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -160,11 +160,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index a784572d6..b11c73060 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -168,11 +168,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/libcrypto/Makefile.in b/src/libcrypto/Makefile.in index 4d0cca10e..ecfca64c4 100644 --- a/src/libcrypto/Makefile.in +++ b/src/libcrypto/Makefile.in @@ -187,11 +187,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 04ae60340..dacd7e76b 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in @@ -200,11 +200,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index e8859ad4c..fc642c615 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -35,6 +35,7 @@ crypto/hmac.c crypto/hmac.h \ crypto/ietf_attr_list.c crypto/ietf_attr_list.h \ crypto/ocsp.c crypto/ocsp.h \ crypto/pkcs7.c crypto/pkcs7.h \ +crypto/pkcs9.c crypto/pkcs9.h \ crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \ crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \ crypto/prfs/prf.c crypto/prfs/prf.h \ diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 75d3dddd4..c8a471e00 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -75,17 +75,18 @@ am__libstrongswan_la_SOURCES_DIST = credential_store.h library.c \ crypto/hashers/md5_hasher.c crypto/hashers/md5_hasher.h \ crypto/hmac.c crypto/hmac.h crypto/ietf_attr_list.c \ crypto/ietf_attr_list.h crypto/ocsp.c crypto/ocsp.h \ - crypto/pkcs7.c crypto/pkcs7.h crypto/prfs/fips_prf.c \ - crypto/prfs/fips_prf.h crypto/prfs/hmac_prf.c \ - crypto/prfs/hmac_prf.h crypto/prfs/prf.c crypto/prfs/prf.h \ - crypto/prf_plus.h crypto/prf_plus.c \ - crypto/rsa/rsa_private_key.c crypto/rsa/rsa_private_key.h \ - crypto/rsa/rsa_public_key.h crypto/rsa/rsa_public_key.c \ - crypto/signers/hmac_signer.c crypto/signers/hmac_signer.h \ - crypto/signers/signer.c crypto/signers/signer.h crypto/x509.c \ - crypto/x509.h utils/fetcher.c utils/fetcher.h utils/host.c \ - utils/host.h utils/identification.c utils/identification.h \ - utils/iterator.h utils/leak_detective.c utils/leak_detective.h \ + crypto/pkcs7.c crypto/pkcs7.h crypto/pkcs9.c crypto/pkcs9.h \ + crypto/prfs/fips_prf.c crypto/prfs/fips_prf.h \ + crypto/prfs/hmac_prf.c crypto/prfs/hmac_prf.h \ + crypto/prfs/prf.c crypto/prfs/prf.h crypto/prf_plus.h \ + crypto/prf_plus.c crypto/rsa/rsa_private_key.c \ + crypto/rsa/rsa_private_key.h crypto/rsa/rsa_public_key.h \ + crypto/rsa/rsa_public_key.c crypto/signers/hmac_signer.c \ + crypto/signers/hmac_signer.h crypto/signers/signer.c \ + crypto/signers/signer.h crypto/x509.c crypto/x509.h \ + utils/fetcher.c utils/fetcher.h utils/host.c utils/host.h \ + utils/identification.c utils/identification.h utils/iterator.h \ + utils/leak_detective.c utils/leak_detective.h \ utils/lexparser.c utils/lexparser.h utils/linked_list.c \ utils/linked_list.h utils/enumerator.c utils/enumerator.h \ utils/optionsfrom.c utils/optionsfrom.h utils/randomizer.c \ @@ -100,14 +101,14 @@ am__libstrongswan_la_SOURCES_DIST = credential_store.h library.c \ @USE_INTEGRITY_TEST_FALSE@ hasher.lo sha1_hasher.lo \ @USE_INTEGRITY_TEST_FALSE@ sha2_hasher.lo md5_hasher.lo hmac.lo \ @USE_INTEGRITY_TEST_FALSE@ ietf_attr_list.lo ocsp.lo pkcs7.lo \ -@USE_INTEGRITY_TEST_FALSE@ fips_prf.lo hmac_prf.lo prf.lo \ -@USE_INTEGRITY_TEST_FALSE@ prf_plus.lo rsa_private_key.lo \ -@USE_INTEGRITY_TEST_FALSE@ rsa_public_key.lo hmac_signer.lo \ -@USE_INTEGRITY_TEST_FALSE@ signer.lo x509.lo fetcher.lo host.lo \ -@USE_INTEGRITY_TEST_FALSE@ identification.lo leak_detective.lo \ -@USE_INTEGRITY_TEST_FALSE@ lexparser.lo linked_list.lo \ -@USE_INTEGRITY_TEST_FALSE@ enumerator.lo optionsfrom.lo \ -@USE_INTEGRITY_TEST_FALSE@ randomizer.lo +@USE_INTEGRITY_TEST_FALSE@ pkcs9.lo fips_prf.lo hmac_prf.lo \ +@USE_INTEGRITY_TEST_FALSE@ prf.lo prf_plus.lo \ +@USE_INTEGRITY_TEST_FALSE@ rsa_private_key.lo rsa_public_key.lo \ +@USE_INTEGRITY_TEST_FALSE@ hmac_signer.lo signer.lo x509.lo \ +@USE_INTEGRITY_TEST_FALSE@ fetcher.lo host.lo identification.lo \ +@USE_INTEGRITY_TEST_FALSE@ leak_detective.lo lexparser.lo \ +@USE_INTEGRITY_TEST_FALSE@ linked_list.lo enumerator.lo \ +@USE_INTEGRITY_TEST_FALSE@ optionsfrom.lo randomizer.lo @USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS = \ @USE_INTEGRITY_TEST_TRUE@ fips_canister_start.lo fips.lo \ @USE_INTEGRITY_TEST_TRUE@ library.lo chunk.lo debug.lo enum.lo \ @@ -118,8 +119,8 @@ am__libstrongswan_la_SOURCES_DIST = credential_store.h library.c \ @USE_INTEGRITY_TEST_TRUE@ hasher.lo sha1_hasher.lo \ @USE_INTEGRITY_TEST_TRUE@ sha2_hasher.lo md5_hasher.lo hmac.lo \ @USE_INTEGRITY_TEST_TRUE@ ietf_attr_list.lo ocsp.lo pkcs7.lo \ -@USE_INTEGRITY_TEST_TRUE@ fips_prf.lo hmac_prf.lo prf.lo \ -@USE_INTEGRITY_TEST_TRUE@ prf_plus.lo rsa_private_key.lo \ +@USE_INTEGRITY_TEST_TRUE@ pkcs9.lo fips_prf.lo hmac_prf.lo \ +@USE_INTEGRITY_TEST_TRUE@ prf.lo prf_plus.lo rsa_private_key.lo \ @USE_INTEGRITY_TEST_TRUE@ rsa_public_key.lo hmac_signer.lo \ @USE_INTEGRITY_TEST_TRUE@ signer.lo x509.lo fetcher.lo host.lo \ @USE_INTEGRITY_TEST_TRUE@ identification.lo leak_detective.lo \ @@ -269,11 +270,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ @@ -314,6 +317,7 @@ lib_LTLIBRARIES = libstrongswan.la @USE_INTEGRITY_TEST_FALSE@ crypto/ietf_attr_list.h \ @USE_INTEGRITY_TEST_FALSE@ crypto/ocsp.c crypto/ocsp.h \ @USE_INTEGRITY_TEST_FALSE@ crypto/pkcs7.c crypto/pkcs7.h \ +@USE_INTEGRITY_TEST_FALSE@ crypto/pkcs9.c crypto/pkcs9.h \ @USE_INTEGRITY_TEST_FALSE@ crypto/prfs/fips_prf.c \ @USE_INTEGRITY_TEST_FALSE@ crypto/prfs/fips_prf.h \ @USE_INTEGRITY_TEST_FALSE@ crypto/prfs/hmac_prf.c \ @@ -378,7 +382,8 @@ lib_LTLIBRARIES = libstrongswan.la @USE_INTEGRITY_TEST_TRUE@ crypto/ietf_attr_list.c \ @USE_INTEGRITY_TEST_TRUE@ crypto/ietf_attr_list.h crypto/ocsp.c \ @USE_INTEGRITY_TEST_TRUE@ crypto/ocsp.h crypto/pkcs7.c \ -@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs7.h crypto/prfs/fips_prf.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs7.h crypto/pkcs9.c \ +@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs9.h crypto/prfs/fips_prf.c \ @USE_INTEGRITY_TEST_TRUE@ crypto/prfs/fips_prf.h \ @USE_INTEGRITY_TEST_TRUE@ crypto/prfs/hmac_prf.c \ @USE_INTEGRITY_TEST_TRUE@ crypto/prfs/hmac_prf.h \ @@ -533,6 +538,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pem.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prf_plus.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/printf_hook.Plo@am__quote@ @@ -706,6 +712,13 @@ pkcs7.lo: crypto/pkcs7.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs7.lo `test -f 'crypto/pkcs7.c' || echo '$(srcdir)/'`crypto/pkcs7.c +pkcs9.lo: crypto/pkcs9.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pkcs9.lo -MD -MP -MF $(DEPDIR)/pkcs9.Tpo -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pkcs9.Tpo $(DEPDIR)/pkcs9.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='crypto/pkcs9.c' object='pkcs9.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pkcs9.lo `test -f 'crypto/pkcs9.c' || echo '$(srcdir)/'`crypto/pkcs9.c + fips_prf.lo: crypto/prfs/fips_prf.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_prf.lo -MD -MP -MF $(DEPDIR)/fips_prf.Tpo -c -o fips_prf.lo `test -f 'crypto/prfs/fips_prf.c' || echo '$(srcdir)/'`crypto/prfs/fips_prf.c @am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_prf.Tpo $(DEPDIR)/fips_prf.Plo diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 3191c89bd..3f0b829a9 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -1,6 +1,15 @@ -/* Simple ASN.1 parser - * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur - * Copyright (C) 2006 Martin Will, Hochschule fuer Technik Rapperswil +/** + * @file asn1.c + * + * @brief Simple ASN.1 parser + * + */ + +/* + * Copyright (C) 2006 Martin Will + * Copyright (C) 2000-2008 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -12,7 +21,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: asn1.c 3299 2007-10-12 19:29:00Z andreas $ + * RCSID $Id: asn1.c 3451 2008-02-05 19:27:05Z andreas $ */ #include <stdio.h> @@ -77,6 +86,13 @@ static u_char ASN1_sha512_id_str[] = { 0x05,0x00 }; +static u_char ASN1_md2WithRSA_id_str[] = { + 0x30, 0x0D, + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x02, + 0x05, 0x00 +}; + static u_char ASN1_md5WithRSA_id_str[] = { 0x30, 0x0D, 0x06, 0x09, @@ -91,6 +107,27 @@ static u_char ASN1_sha1WithRSA_id_str[] = { 0x05, 0x00 }; +static u_char ASN1_sha256WithRSA_id_str[] = { + 0x30, 0x0D, + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, + 0x05, 0x00 +}; + +static u_char ASN1_sha384WithRSA_id_str[] = { + 0x30, 0x0D, + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0C, + 0x05, 0x00 +}; + +static u_char ASN1_sha512WithRSA_id_str[] = { + 0x30, 0x0D, + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0D, + 0x05, 0x00 +}; + static u_char ASN1_rsaEncryption_id_str[] = { 0x30, 0x0D, 0x06, 0x09, @@ -98,15 +135,19 @@ static u_char ASN1_rsaEncryption_id_str[] = { 0x05, 0x00 }; -const chunk_t ASN1_md2_id = chunk_from_buf(ASN1_md2_id_str); -const chunk_t ASN1_md5_id = chunk_from_buf(ASN1_md5_id_str); -const chunk_t ASN1_sha1_id = chunk_from_buf(ASN1_sha1_id_str); -const chunk_t ASN1_sha256_id = chunk_from_buf(ASN1_sha256_id_str); -const chunk_t ASN1_sha384_id = chunk_from_buf(ASN1_sha384_id_str); -const chunk_t ASN1_sha512_id = chunk_from_buf(ASN1_sha512_id_str); -const chunk_t ASN1_rsaEncryption_id = chunk_from_buf(ASN1_rsaEncryption_id_str); -const chunk_t ASN1_md5WithRSA_id = chunk_from_buf(ASN1_md5WithRSA_id_str); -const chunk_t ASN1_sha1WithRSA_id = chunk_from_buf(ASN1_sha1WithRSA_id_str); +static const chunk_t ASN1_md2_id = chunk_from_buf(ASN1_md2_id_str); +static const chunk_t ASN1_md5_id = chunk_from_buf(ASN1_md5_id_str); +static const chunk_t ASN1_sha1_id = chunk_from_buf(ASN1_sha1_id_str); +static const chunk_t ASN1_sha256_id = chunk_from_buf(ASN1_sha256_id_str); +static const chunk_t ASN1_sha384_id = chunk_from_buf(ASN1_sha384_id_str); +static const chunk_t ASN1_sha512_id = chunk_from_buf(ASN1_sha512_id_str); +static const chunk_t ASN1_rsaEncryption_id = chunk_from_buf(ASN1_rsaEncryption_id_str); +static const chunk_t ASN1_md2WithRSA_id = chunk_from_buf(ASN1_md2WithRSA_id_str); +static const chunk_t ASN1_md5WithRSA_id = chunk_from_buf(ASN1_md5WithRSA_id_str); +static const chunk_t ASN1_sha1WithRSA_id = chunk_from_buf(ASN1_sha1WithRSA_id_str); +static const chunk_t ASN1_sha256WithRSA_id = chunk_from_buf(ASN1_sha256WithRSA_id_str); +static const chunk_t ASN1_sha384WithRSA_id = chunk_from_buf(ASN1_sha384WithRSA_id_str); +static const chunk_t ASN1_sha512WithRSA_id = chunk_from_buf(ASN1_sha512WithRSA_id_str); /* ASN.1 definiton of an algorithmIdentifier */ static const asn1Object_t algorithmIdentifierObjects[] = { @@ -128,14 +169,30 @@ chunk_t asn1_algorithmIdentifier(int oid) { case OID_RSA_ENCRYPTION: return ASN1_rsaEncryption_id; + case OID_MD2_WITH_RSA: + return ASN1_md2WithRSA_id; case OID_MD5_WITH_RSA: return ASN1_md5WithRSA_id; case OID_SHA1_WITH_RSA: return ASN1_sha1WithRSA_id; + case OID_SHA256_WITH_RSA: + return ASN1_sha256WithRSA_id; + case OID_SHA384_WITH_RSA: + return ASN1_sha384WithRSA_id; + case OID_SHA512_WITH_RSA: + return ASN1_sha512WithRSA_id; + case OID_MD2: + return ASN1_md2_id; case OID_MD5: return ASN1_md5_id; case OID_SHA1: return ASN1_sha1_id; + case OID_SHA256: + return ASN1_sha256_id; + case OID_SHA384: + return ASN1_sha384_id; + case OID_SHA512: + return ASN1_sha512_id; default: return chunk_empty; } @@ -620,13 +677,23 @@ bool is_asn1(chunk_t blob) DBG2(" file content is not binary ASN.1"); return FALSE; } + len = asn1_length(&blob); - if (len != blob.len) + + /* exact match */ + if (len == blob.len) { - DBG2(" file size does not match ASN.1 coded length"); - return FALSE; + return TRUE; } - return TRUE; + + /* some websites append a surplus newline character to the blob */ + if (len + 1 == blob.len && *(blob.ptr + len) == '\n') + { + return TRUE; + } + + DBG2(" file size does not match ASN.1 coded length"); + return FALSE; } /** @@ -706,6 +773,23 @@ chunk_t asn1_simple_object(asn1_t tag, chunk_t content) } /** + * Build an ASN.1 BITSTRING object + */ +chunk_t asn1_bitstring(const char *mode, chunk_t content) +{ + chunk_t object; + u_char *pos = build_asn1_object(&object, ASN1_BIT_STRING, 1 + content.len); + + *pos++ = 0x00; + memcpy(pos, content.ptr, content.len); + if (*mode == 'm') + { + free(content.ptr); + } + return object; +} + +/** * Build an ASN.1 object from a variable number of individual chunks. * Depending on the mode, chunks either are moved ('m') or copied ('c'). */ @@ -736,17 +820,12 @@ chunk_t asn1_wrap(asn1_t type, const char *mode, ...) { chunk_t ch = va_arg(chunks, chunk_t); - switch (*mode++) + memcpy(pos, ch.ptr, ch.len); + pos += ch.len; + + if (*mode++ == 'm') { - case 'm': - memcpy(pos, ch.ptr, ch.len); - pos += ch.len; - free(ch.ptr); - break; - case 'c': - default: - memcpy(pos, ch.ptr, ch.len); - pos += ch.len; + free(ch.ptr); } } va_end(chunks); diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 18742d18d..d9d85ba44 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -1,6 +1,15 @@ -/* Simple ASN.1 parser - * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur - * Copyright (C) 2006 Martin Will, Hochschule fuer Technik Rapperswil +/** + * @file asn1.h + * + * @brief Simple ASN.1 parser + * + */ + +/* + * Copyright (C) 2006 Martin Will + * Copyright (C) 2000-2008 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -12,7 +21,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: asn1.h 3299 2007-10-12 19:29:00Z andreas $ + * RCSID $Id: asn1.h 3423 2008-01-22 10:32:37Z andreas $ */ #ifndef _ASN1_H @@ -114,19 +123,9 @@ extern const chunk_t ASN1_INTEGER_0; extern const chunk_t ASN1_INTEGER_1; extern const chunk_t ASN1_INTEGER_2; -/* some popular algorithmIdentifiers */ -extern const chunk_t ASN1_md2_id; -extern const chunk_t ASN1_md5_id; -extern const chunk_t ASN1_sha1_id; -extern const chunk_t ASN1_sha256_id; -extern const chunk_t ASN1_sha384_id; -extern const chunk_t ASN1_sha512_id; - -extern const chunk_t ASN1_rsaEncryption_id; -extern const chunk_t ASN1_md5WithRSA_id; -extern const chunk_t ASN1_sha1WithRSA_id; - +/* returns some popular algorithmIdentifiers */ extern chunk_t asn1_algorithmIdentifier(int oid); + extern int known_oid(chunk_t object); extern u_int asn1_length(chunk_t *blob); extern bool is_printablestring(chunk_t str); @@ -144,6 +143,7 @@ extern void code_asn1_length(size_t length, chunk_t *code); extern u_char* build_asn1_object(chunk_t *object, asn1_t type, size_t datalen); extern chunk_t asn1_integer_from_mpz(const mpz_t value); extern chunk_t asn1_simple_object(asn1_t tag, chunk_t content); +extern chunk_t asn1_bitstring(const char *mode, chunk_t content); extern chunk_t asn1_wrap(asn1_t type, const char *mode, ...); #endif /* _ASN1_H */ diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index 28a915433..63896be6b 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -1,5 +1,5 @@ /* List of some useful object identifiers (OIDs) - * Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur + * Copyright (C) 2003-2008 Andreas Steffen, Hochschule fuer Technik Rapperswil * * This file has been automatically generated by the script oid.pl * Do not edit manually! @@ -62,7 +62,7 @@ const oid_t oid_names[] = { { 0x25, 50, 0, "extendedKeyUsage" }, /* 49 */ { 0x37, 51, 0, "targetInformation" }, /* 50 */ { 0x38, 0, 0, "noRevAvail" }, /* 51 */ - {0x2A, 94, 1, "" }, /* 52 */ + {0x2A, 95, 1, "" }, /* 52 */ { 0x86, 0, 1, "" }, /* 53 */ { 0x48, 0, 1, "" }, /* 54 */ { 0x86, 0, 1, "" }, /* 55 */ @@ -73,7 +73,7 @@ const oid_t oid_names[] = { { 0x00, 0, 0, "entrustVersInfo" }, /* 60 */ { 0xF7, 0, 1, "" }, /* 61 */ { 0x0D, 0, 1, "RSADSI" }, /* 62 */ - { 0x01, 89, 1, "PKCS" }, /* 63 */ + { 0x01, 90, 1, "PKCS" }, /* 63 */ { 0x01, 72, 1, "PKCS-1" }, /* 64 */ { 0x01, 66, 0, "rsaEncryption" }, /* 65 */ { 0x02, 67, 0, "md2WithRSAEncryption" }, /* 66 */ @@ -98,111 +98,112 @@ const oid_t oid_names[] = { { 0x06, 86, 0, "counterSignature" }, /* 85 */ { 0x07, 87, 0, "challengePassword" }, /* 86 */ { 0x08, 88, 0, "unstructuredAddress" }, /* 87 */ - { 0x0E, 0, 0, "extensionRequest" }, /* 88 */ - { 0x02, 92, 1, "digestAlgorithm" }, /* 89 */ - { 0x02, 91, 0, "md2" }, /* 90 */ - { 0x05, 0, 0, "md5" }, /* 91 */ - { 0x03, 0, 1, "encryptionAlgorithm" }, /* 92 */ - { 0x07, 0, 0, "3des-ede-cbc" }, /* 93 */ - {0x2B, 160, 1, "" }, /* 94 */ - { 0x06, 147, 1, "dod" }, /* 95 */ - { 0x01, 0, 1, "internet" }, /* 96 */ - { 0x04, 115, 1, "private" }, /* 97 */ - { 0x01, 0, 1, "enterprise" }, /* 98 */ - { 0x82, 108, 1, "" }, /* 99 */ - { 0x37, 0, 1, "Microsoft" }, /* 100 */ - { 0x0A, 105, 1, "" }, /* 101 */ - { 0x03, 0, 1, "" }, /* 102 */ - { 0x03, 104, 0, "msSGC" }, /* 103 */ - { 0x04, 0, 0, "msEncryptingFileSystem" }, /* 104 */ - { 0x14, 0, 1, "msEnrollmentInfrastructure"}, /* 105 */ - { 0x02, 0, 1, "msCertificateTypeExtension"}, /* 106 */ - { 0x02, 0, 0, "msSmartcardLogon" }, /* 107 */ - { 0x89, 0, 1, "" }, /* 108 */ - { 0x31, 0, 1, "" }, /* 109 */ - { 0x01, 0, 1, "" }, /* 110 */ - { 0x01, 0, 1, "" }, /* 111 */ - { 0x02, 0, 1, "" }, /* 112 */ - { 0x02, 114, 0, "" }, /* 113 */ - { 0x4B, 0, 0, "TCGID" }, /* 114 */ - { 0x05, 0, 1, "security" }, /* 115 */ - { 0x05, 0, 1, "mechanisms" }, /* 116 */ - { 0x07, 0, 1, "id-pkix" }, /* 117 */ - { 0x01, 120, 1, "id-pe" }, /* 118 */ - { 0x01, 0, 0, "authorityInfoAccess" }, /* 119 */ - { 0x03, 130, 1, "id-kp" }, /* 120 */ - { 0x01, 122, 0, "serverAuth" }, /* 121 */ - { 0x02, 123, 0, "clientAuth" }, /* 122 */ - { 0x03, 124, 0, "codeSigning" }, /* 123 */ - { 0x04, 125, 0, "emailProtection" }, /* 124 */ - { 0x05, 126, 0, "ipsecEndSystem" }, /* 125 */ - { 0x06, 127, 0, "ipsecTunnel" }, /* 126 */ - { 0x07, 128, 0, "ipsecUser" }, /* 127 */ - { 0x08, 129, 0, "timeStamping" }, /* 128 */ - { 0x09, 0, 0, "ocspSigning" }, /* 129 */ - { 0x08, 132, 1, "id-otherNames" }, /* 130 */ - { 0x05, 0, 0, "xmppAddr" }, /* 131 */ - { 0x0A, 137, 1, "id-aca" }, /* 132 */ - { 0x01, 134, 0, "authenticationInfo" }, /* 133 */ - { 0x02, 135, 0, "accessIdentity" }, /* 134 */ - { 0x03, 136, 0, "chargingIdentity" }, /* 135 */ - { 0x04, 0, 0, "group" }, /* 136 */ - { 0x30, 0, 1, "id-ad" }, /* 137 */ - { 0x01, 146, 1, "ocsp" }, /* 138 */ - { 0x01, 140, 0, "basic" }, /* 139 */ - { 0x02, 141, 0, "nonce" }, /* 140 */ - { 0x03, 142, 0, "crl" }, /* 141 */ - { 0x04, 143, 0, "response" }, /* 142 */ - { 0x05, 144, 0, "noCheck" }, /* 143 */ - { 0x06, 145, 0, "archiveCutoff" }, /* 144 */ - { 0x07, 0, 0, "serviceLocator" }, /* 145 */ - { 0x02, 0, 0, "caIssuers" }, /* 146 */ - { 0x0E, 153, 1, "oiw" }, /* 147 */ - { 0x03, 0, 1, "secsig" }, /* 148 */ - { 0x02, 0, 1, "algorithms" }, /* 149 */ - { 0x07, 151, 0, "des-cbc" }, /* 150 */ - { 0x1A, 152, 0, "sha-1" }, /* 151 */ - { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 152 */ - { 0x24, 0, 1, "TeleTrusT" }, /* 153 */ - { 0x03, 0, 1, "algorithm" }, /* 154 */ - { 0x03, 0, 1, "signatureAlgorithm" }, /* 155 */ - { 0x01, 0, 1, "rsaSignature" }, /* 156 */ - { 0x02, 158, 0, "rsaSigWithripemd160" }, /* 157 */ - { 0x03, 159, 0, "rsaSigWithripemd128" }, /* 158 */ - { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 159 */ - {0x60, 0, 1, "" }, /* 160 */ - { 0x86, 0, 1, "" }, /* 161 */ - { 0x48, 0, 1, "" }, /* 162 */ - { 0x01, 0, 1, "organization" }, /* 163 */ - { 0x65, 171, 1, "gov" }, /* 164 */ - { 0x03, 0, 1, "csor" }, /* 165 */ - { 0x04, 0, 1, "nistalgorithm" }, /* 166 */ - { 0x02, 0, 1, "hashalgs" }, /* 167 */ - { 0x01, 169, 0, "id-SHA-256" }, /* 168 */ - { 0x02, 170, 0, "id-SHA-384" }, /* 169 */ - { 0x03, 0, 0, "id-SHA-512" }, /* 170 */ - { 0x86, 0, 1, "" }, /* 171 */ - { 0xf8, 0, 1, "" }, /* 172 */ - { 0x42, 185, 1, "netscape" }, /* 173 */ - { 0x01, 180, 1, "" }, /* 174 */ - { 0x01, 176, 0, "nsCertType" }, /* 175 */ - { 0x03, 177, 0, "nsRevocationUrl" }, /* 176 */ - { 0x04, 178, 0, "nsCaRevocationUrl" }, /* 177 */ - { 0x08, 179, 0, "nsCaPolicyUrl" }, /* 178 */ - { 0x0d, 0, 0, "nsComment" }, /* 179 */ - { 0x03, 183, 1, "directory" }, /* 180 */ - { 0x01, 0, 1, "" }, /* 181 */ - { 0x03, 0, 0, "employeeNumber" }, /* 182 */ - { 0x04, 0, 1, "policy" }, /* 183 */ - { 0x01, 0, 0, "nsSGC" }, /* 184 */ - { 0x45, 0, 1, "verisign" }, /* 185 */ - { 0x01, 0, 1, "pki" }, /* 186 */ - { 0x09, 0, 1, "attributes" }, /* 187 */ - { 0x02, 189, 0, "messageType" }, /* 188 */ - { 0x03, 190, 0, "pkiStatus" }, /* 189 */ - { 0x04, 191, 0, "failInfo" }, /* 190 */ - { 0x05, 192, 0, "senderNonce" }, /* 191 */ - { 0x06, 193, 0, "recipientNonce" }, /* 192 */ - { 0x07, 194, 0, "transID" }, /* 193 */ - { 0x08, 0, 0, "extensionReq" } /* 194 */ + { 0x0E, 89, 0, "extensionRequest" }, /* 88 */ + { 0x0F, 0, 0, "S/MIME Capabilities" }, /* 89 */ + { 0x02, 93, 1, "digestAlgorithm" }, /* 90 */ + { 0x02, 92, 0, "md2" }, /* 91 */ + { 0x05, 0, 0, "md5" }, /* 92 */ + { 0x03, 0, 1, "encryptionAlgorithm" }, /* 93 */ + { 0x07, 0, 0, "3des-ede-cbc" }, /* 94 */ + {0x2B, 161, 1, "" }, /* 95 */ + { 0x06, 148, 1, "dod" }, /* 96 */ + { 0x01, 0, 1, "internet" }, /* 97 */ + { 0x04, 116, 1, "private" }, /* 98 */ + { 0x01, 0, 1, "enterprise" }, /* 99 */ + { 0x82, 109, 1, "" }, /* 100 */ + { 0x37, 0, 1, "Microsoft" }, /* 101 */ + { 0x0A, 106, 1, "" }, /* 102 */ + { 0x03, 0, 1, "" }, /* 103 */ + { 0x03, 105, 0, "msSGC" }, /* 104 */ + { 0x04, 0, 0, "msEncryptingFileSystem" }, /* 105 */ + { 0x14, 0, 1, "msEnrollmentInfrastructure"}, /* 106 */ + { 0x02, 0, 1, "msCertificateTypeExtension"}, /* 107 */ + { 0x02, 0, 0, "msSmartcardLogon" }, /* 108 */ + { 0x89, 0, 1, "" }, /* 109 */ + { 0x31, 0, 1, "" }, /* 110 */ + { 0x01, 0, 1, "" }, /* 111 */ + { 0x01, 0, 1, "" }, /* 112 */ + { 0x02, 0, 1, "" }, /* 113 */ + { 0x02, 115, 0, "" }, /* 114 */ + { 0x4B, 0, 0, "TCGID" }, /* 115 */ + { 0x05, 0, 1, "security" }, /* 116 */ + { 0x05, 0, 1, "mechanisms" }, /* 117 */ + { 0x07, 0, 1, "id-pkix" }, /* 118 */ + { 0x01, 121, 1, "id-pe" }, /* 119 */ + { 0x01, 0, 0, "authorityInfoAccess" }, /* 120 */ + { 0x03, 131, 1, "id-kp" }, /* 121 */ + { 0x01, 123, 0, "serverAuth" }, /* 122 */ + { 0x02, 124, 0, "clientAuth" }, /* 123 */ + { 0x03, 125, 0, "codeSigning" }, /* 124 */ + { 0x04, 126, 0, "emailProtection" }, /* 125 */ + { 0x05, 127, 0, "ipsecEndSystem" }, /* 126 */ + { 0x06, 128, 0, "ipsecTunnel" }, /* 127 */ + { 0x07, 129, 0, "ipsecUser" }, /* 128 */ + { 0x08, 130, 0, "timeStamping" }, /* 129 */ + { 0x09, 0, 0, "ocspSigning" }, /* 130 */ + { 0x08, 133, 1, "id-otherNames" }, /* 131 */ + { 0x05, 0, 0, "xmppAddr" }, /* 132 */ + { 0x0A, 138, 1, "id-aca" }, /* 133 */ + { 0x01, 135, 0, "authenticationInfo" }, /* 134 */ + { 0x02, 136, 0, "accessIdentity" }, /* 135 */ + { 0x03, 137, 0, "chargingIdentity" }, /* 136 */ + { 0x04, 0, 0, "group" }, /* 137 */ + { 0x30, 0, 1, "id-ad" }, /* 138 */ + { 0x01, 147, 1, "ocsp" }, /* 139 */ + { 0x01, 141, 0, "basic" }, /* 140 */ + { 0x02, 142, 0, "nonce" }, /* 141 */ + { 0x03, 143, 0, "crl" }, /* 142 */ + { 0x04, 144, 0, "response" }, /* 143 */ + { 0x05, 145, 0, "noCheck" }, /* 144 */ + { 0x06, 146, 0, "archiveCutoff" }, /* 145 */ + { 0x07, 0, 0, "serviceLocator" }, /* 146 */ + { 0x02, 0, 0, "caIssuers" }, /* 147 */ + { 0x0E, 154, 1, "oiw" }, /* 148 */ + { 0x03, 0, 1, "secsig" }, /* 149 */ + { 0x02, 0, 1, "algorithms" }, /* 150 */ + { 0x07, 152, 0, "des-cbc" }, /* 151 */ + { 0x1A, 153, 0, "sha-1" }, /* 152 */ + { 0x1D, 0, 0, "sha-1WithRSASignature" }, /* 153 */ + { 0x24, 0, 1, "TeleTrusT" }, /* 154 */ + { 0x03, 0, 1, "algorithm" }, /* 155 */ + { 0x03, 0, 1, "signatureAlgorithm" }, /* 156 */ + { 0x01, 0, 1, "rsaSignature" }, /* 157 */ + { 0x02, 159, 0, "rsaSigWithripemd160" }, /* 158 */ + { 0x03, 160, 0, "rsaSigWithripemd128" }, /* 159 */ + { 0x04, 0, 0, "rsaSigWithripemd256" }, /* 160 */ + {0x60, 0, 1, "" }, /* 161 */ + { 0x86, 0, 1, "" }, /* 162 */ + { 0x48, 0, 1, "" }, /* 163 */ + { 0x01, 0, 1, "organization" }, /* 164 */ + { 0x65, 172, 1, "gov" }, /* 165 */ + { 0x03, 0, 1, "csor" }, /* 166 */ + { 0x04, 0, 1, "nistalgorithm" }, /* 167 */ + { 0x02, 0, 1, "hashalgs" }, /* 168 */ + { 0x01, 170, 0, "id-SHA-256" }, /* 169 */ + { 0x02, 171, 0, "id-SHA-384" }, /* 170 */ + { 0x03, 0, 0, "id-SHA-512" }, /* 171 */ + { 0x86, 0, 1, "" }, /* 172 */ + { 0xf8, 0, 1, "" }, /* 173 */ + { 0x42, 186, 1, "netscape" }, /* 174 */ + { 0x01, 181, 1, "" }, /* 175 */ + { 0x01, 177, 0, "nsCertType" }, /* 176 */ + { 0x03, 178, 0, "nsRevocationUrl" }, /* 177 */ + { 0x04, 179, 0, "nsCaRevocationUrl" }, /* 178 */ + { 0x08, 180, 0, "nsCaPolicyUrl" }, /* 179 */ + { 0x0d, 0, 0, "nsComment" }, /* 180 */ + { 0x03, 184, 1, "directory" }, /* 181 */ + { 0x01, 0, 1, "" }, /* 182 */ + { 0x03, 0, 0, "employeeNumber" }, /* 183 */ + { 0x04, 0, 1, "policy" }, /* 184 */ + { 0x01, 0, 0, "nsSGC" }, /* 185 */ + { 0x45, 0, 1, "verisign" }, /* 186 */ + { 0x01, 0, 1, "pki" }, /* 187 */ + { 0x09, 0, 1, "attributes" }, /* 188 */ + { 0x02, 190, 0, "messageType" }, /* 189 */ + { 0x03, 191, 0, "pkiStatus" }, /* 190 */ + { 0x04, 192, 0, "failInfo" }, /* 191 */ + { 0x05, 193, 0, "senderNonce" }, /* 192 */ + { 0x06, 194, 0, "recipientNonce" }, /* 193 */ + { 0x07, 195, 0, "transID" }, /* 194 */ + { 0x08, 0, 0, "extensionReq" } /* 195 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index 5814a3ba0..9980221ab 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -1,5 +1,5 @@ /* Object identifiers (OIDs) used by FreeS/WAN - * Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur + * Copyright (C) 2003-2008 Andreas Steffen, Hochschule fuer Technik Rapperswil * * This file has been automatically generated by the script oid.pl * Do not edit manually! @@ -17,7 +17,7 @@ typedef struct { extern const oid_t oid_names[]; -#define OID_UNKNOWN -1 +#define OID_UNKNOWN -1 #define OID_ROLE 35 #define OID_SUBJECT_KEY_ID 38 #define OID_SUBJECT_ALT_NAME 41 @@ -46,40 +46,40 @@ extern const oid_t oid_names[]; #define OID_PKCS9_CONTENT_TYPE 82 #define OID_PKCS9_MESSAGE_DIGEST 83 #define OID_PKCS9_SIGNING_TIME 84 -#define OID_MD2 90 -#define OID_MD5 91 -#define OID_3DES_EDE_CBC 93 -#define OID_AUTHORITY_INFO_ACCESS 119 -#define OID_OCSP_SIGNING 129 -#define OID_XMPP_ADDR 131 -#define OID_AUTHENTICATION_INFO 133 -#define OID_ACCESS_IDENTITY 134 -#define OID_CHARGING_IDENTITY 135 -#define OID_GROUP 136 -#define OID_OCSP 138 -#define OID_BASIC 139 -#define OID_NONCE 140 -#define OID_CRL 141 -#define OID_RESPONSE 142 -#define OID_NO_CHECK 143 -#define OID_ARCHIVE_CUTOFF 144 -#define OID_SERVICE_LOCATOR 145 -#define OID_CA_ISSUERS 146 -#define OID_DES_CBC 150 -#define OID_SHA1 151 -#define OID_SHA1_WITH_RSA_OIW 152 -#define OID_SHA256 168 -#define OID_SHA384 169 -#define OID_SHA512 170 -#define OID_NS_REVOCATION_URL 176 -#define OID_NS_CA_REVOCATION_URL 177 -#define OID_NS_CA_POLICY_URL 178 -#define OID_NS_COMMENT 179 -#define OID_PKI_MESSAGE_TYPE 188 -#define OID_PKI_STATUS 189 -#define OID_PKI_FAIL_INFO 190 -#define OID_PKI_SENDER_NONCE 191 -#define OID_PKI_RECIPIENT_NONCE 192 -#define OID_PKI_TRANS_ID 193 +#define OID_MD2 91 +#define OID_MD5 92 +#define OID_3DES_EDE_CBC 94 +#define OID_AUTHORITY_INFO_ACCESS 120 +#define OID_OCSP_SIGNING 130 +#define OID_XMPP_ADDR 132 +#define OID_AUTHENTICATION_INFO 134 +#define OID_ACCESS_IDENTITY 135 +#define OID_CHARGING_IDENTITY 136 +#define OID_GROUP 137 +#define OID_OCSP 139 +#define OID_BASIC 140 +#define OID_NONCE 141 +#define OID_CRL 142 +#define OID_RESPONSE 143 +#define OID_NO_CHECK 144 +#define OID_ARCHIVE_CUTOFF 145 +#define OID_SERVICE_LOCATOR 146 +#define OID_CA_ISSUERS 147 +#define OID_DES_CBC 151 +#define OID_SHA1 152 +#define OID_SHA1_WITH_RSA_OIW 153 +#define OID_SHA256 169 +#define OID_SHA384 170 +#define OID_SHA512 171 +#define OID_NS_REVOCATION_URL 177 +#define OID_NS_CA_REVOCATION_URL 178 +#define OID_NS_CA_POLICY_URL 179 +#define OID_NS_COMMENT 180 +#define OID_PKI_MESSAGE_TYPE 189 +#define OID_PKI_STATUS 190 +#define OID_PKI_FAIL_INFO 191 +#define OID_PKI_SENDER_NONCE 192 +#define OID_PKI_RECIPIENT_NONCE 193 +#define OID_PKI_TRANS_ID 194 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.pl b/src/libstrongswan/asn1/oid.pl index 5db619755..04030d3ee 100644 --- a/src/libstrongswan/asn1/oid.pl +++ b/src/libstrongswan/asn1/oid.pl @@ -1,6 +1,8 @@ #!/usr/bin/perl # Generates oid.h and oid.c out of oid.txt -# Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur +# +# Copyright (C) 2003-2008 Andreas Steffen +# Hochschule fuer Technik Rapperswil # # This program is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the @@ -13,7 +15,7 @@ # for more details. # -$copyright="Copyright (C) 2003-2004 Andreas Steffen, Zuercher Hochschule Winterthur"; +$copyright="Copyright (C) 2003-2008 Andreas Steffen, Hochschule fuer Technik Rapperswil"; $automatic="This file has been automatically generated by the script oid.pl"; $warning="Do not edit manually!"; @@ -41,7 +43,7 @@ print OID_H "/* Object identifiers (OIDs) used by FreeS/WAN\n", "\n", "extern const oid_t oid_names[];\n", "\n", - "#define OID_UNKNOWN -1\n"; + "#define OID_UNKNOWN -1\n"; # parse oid.txt diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 6ae2dc29a..e6dede287 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -33,23 +33,23 @@ 0x2A "G" 0x2B "I" 0x2D "ID" - 0x48 "role" OID_ROLE + 0x48 "role" OID_ROLE 0x1D "id-ce" 0x09 "subjectDirectoryAttrs" - 0x0E "subjectKeyIdentifier" OID_SUBJECT_KEY_ID + 0x0E "subjectKeyIdentifier" OID_SUBJECT_KEY_ID 0x0F "keyUsage" 0x10 "privateKeyUsagePeriod" - 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME + 0x11 "subjectAltName" OID_SUBJECT_ALT_NAME 0x12 "issuerAltName" - 0x13 "basicConstraints" OID_BASIC_CONSTRAINTS - 0x14 "crlNumber" OID_CRL_NUMBER - 0x15 "reasonCode" OID_CRL_REASON_CODE + 0x13 "basicConstraints" OID_BASIC_CONSTRAINTS + 0x14 "crlNumber" OID_CRL_NUMBER + 0x15 "reasonCode" OID_CRL_REASON_CODE 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS 0x20 "certificatePolicies" 0x23 "authorityKeyIdentifier" OID_AUTHORITY_KEY_ID - 0x25 "extendedKeyUsage" OID_EXTENDED_KEY_USAGE - 0x37 "targetInformation" OID_TARGET_INFORMATION - 0x38 "noRevAvail" OID_NO_REV_AVAIL + 0x25 "extendedKeyUsage" OID_EXTENDED_KEY_USAGE + 0x37 "targetInformation" OID_TARGET_INFORMATION + 0x38 "noRevAvail" OID_NO_REV_AVAIL 0x2A "" 0x86 "" 0x48 "" @@ -63,35 +63,36 @@ 0x0D "RSADSI" 0x01 "PKCS" 0x01 "PKCS-1" - 0x01 "rsaEncryption" OID_RSA_ENCRYPTION - 0x02 "md2WithRSAEncryption" OID_MD2_WITH_RSA - 0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA + 0x01 "rsaEncryption" OID_RSA_ENCRYPTION + 0x02 "md2WithRSAEncryption" OID_MD2_WITH_RSA + 0x04 "md5WithRSAEncryption" OID_MD5_WITH_RSA 0x05 "sha-1WithRSAEncryption" OID_SHA1_WITH_RSA 0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA 0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA 0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA 0x07 "PKCS-7" - 0x01 "data" OID_PKCS7_DATA - 0x02 "signedData" OID_PKCS7_SIGNED_DATA - 0x03 "envelopedData" OID_PKCS7_ENVELOPED_DATA + 0x01 "data" OID_PKCS7_DATA + 0x02 "signedData" OID_PKCS7_SIGNED_DATA + 0x03 "envelopedData" OID_PKCS7_ENVELOPED_DATA 0x04 "signedAndEnvelopedData" OID_PKCS7_SIGNED_ENVELOPED_DATA - 0x05 "digestedData" OID_PKCS7_DIGESTED_DATA - 0x06 "encryptedData" OID_PKCS7_ENCRYPTED_DATA + 0x05 "digestedData" OID_PKCS7_DIGESTED_DATA + 0x06 "encryptedData" OID_PKCS7_ENCRYPTED_DATA 0x09 "PKCS-9" - 0x01 "E" OID_PKCS9_EMAIL + 0x01 "E" OID_PKCS9_EMAIL 0x02 "unstructuredName" - 0x03 "contentType" OID_PKCS9_CONTENT_TYPE - 0x04 "messageDigest" OID_PKCS9_MESSAGE_DIGEST - 0x05 "signingTime" OID_PKCS9_SIGNING_TIME + 0x03 "contentType" OID_PKCS9_CONTENT_TYPE + 0x04 "messageDigest" OID_PKCS9_MESSAGE_DIGEST + 0x05 "signingTime" OID_PKCS9_SIGNING_TIME 0x06 "counterSignature" 0x07 "challengePassword" 0x08 "unstructuredAddress" 0x0E "extensionRequest" + 0x0F "S/MIME Capabilities" 0x02 "digestAlgorithm" - 0x02 "md2" OID_MD2 - 0x05 "md5" OID_MD5 + 0x02 "md2" OID_MD2 + 0x05 "md5" OID_MD5 0x03 "encryptionAlgorithm" - 0x07 "3des-ede-cbc" OID_3DES_EDE_CBC + 0x07 "3des-ede-cbc" OID_3DES_EDE_CBC 0x2B "" 0x06 "dod" 0x01 "internet" @@ -117,7 +118,7 @@ 0x05 "mechanisms" 0x07 "id-pkix" 0x01 "id-pe" - 0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS + 0x01 "authorityInfoAccess" OID_AUTHORITY_INFO_ACCESS 0x03 "id-kp" 0x01 "serverAuth" 0x02 "clientAuth" @@ -127,29 +128,29 @@ 0x06 "ipsecTunnel" 0x07 "ipsecUser" 0x08 "timeStamping" - 0x09 "ocspSigning" OID_OCSP_SIGNING + 0x09 "ocspSigning" OID_OCSP_SIGNING 0x08 "id-otherNames" - 0x05 "xmppAddr" OID_XMPP_ADDR + 0x05 "xmppAddr" OID_XMPP_ADDR 0x0A "id-aca" - 0x01 "authenticationInfo" OID_AUTHENTICATION_INFO - 0x02 "accessIdentity" OID_ACCESS_IDENTITY - 0x03 "chargingIdentity" OID_CHARGING_IDENTITY - 0x04 "group" OID_GROUP + 0x01 "authenticationInfo" OID_AUTHENTICATION_INFO + 0x02 "accessIdentity" OID_ACCESS_IDENTITY + 0x03 "chargingIdentity" OID_CHARGING_IDENTITY + 0x04 "group" OID_GROUP 0x30 "id-ad" - 0x01 "ocsp" OID_OCSP - 0x01 "basic" OID_BASIC - 0x02 "nonce" OID_NONCE - 0x03 "crl" OID_CRL - 0x04 "response" OID_RESPONSE - 0x05 "noCheck" OID_NO_CHECK - 0x06 "archiveCutoff" OID_ARCHIVE_CUTOFF - 0x07 "serviceLocator" OID_SERVICE_LOCATOR - 0x02 "caIssuers" OID_CA_ISSUERS + 0x01 "ocsp" OID_OCSP + 0x01 "basic" OID_BASIC + 0x02 "nonce" OID_NONCE + 0x03 "crl" OID_CRL + 0x04 "response" OID_RESPONSE + 0x05 "noCheck" OID_NO_CHECK + 0x06 "archiveCutoff" OID_ARCHIVE_CUTOFF + 0x07 "serviceLocator" OID_SERVICE_LOCATOR + 0x02 "caIssuers" OID_CA_ISSUERS 0x0E "oiw" 0x03 "secsig" 0x02 "algorithms" - 0x07 "des-cbc" OID_DES_CBC - 0x1A "sha-1" OID_SHA1 + 0x07 "des-cbc" OID_DES_CBC + 0x1A "sha-1" OID_SHA1 0x1D "sha-1WithRSASignature" OID_SHA1_WITH_RSA_OIW 0x24 "TeleTrusT" 0x03 "algorithm" @@ -166,18 +167,18 @@ 0x03 "csor" 0x04 "nistalgorithm" 0x02 "hashalgs" - 0x01 "id-SHA-256" OID_SHA256 - 0x02 "id-SHA-384" OID_SHA384 - 0x03 "id-SHA-512" OID_SHA512 + 0x01 "id-SHA-256" OID_SHA256 + 0x02 "id-SHA-384" OID_SHA384 + 0x03 "id-SHA-512" OID_SHA512 0x86 "" 0xf8 "" 0x42 "netscape" 0x01 "" 0x01 "nsCertType" - 0x03 "nsRevocationUrl" OID_NS_REVOCATION_URL - 0x04 "nsCaRevocationUrl" OID_NS_CA_REVOCATION_URL - 0x08 "nsCaPolicyUrl" OID_NS_CA_POLICY_URL - 0x0d "nsComment" OID_NS_COMMENT + 0x03 "nsRevocationUrl" OID_NS_REVOCATION_URL + 0x04 "nsCaRevocationUrl" OID_NS_CA_REVOCATION_URL + 0x08 "nsCaPolicyUrl" OID_NS_CA_POLICY_URL + 0x0d "nsComment" OID_NS_COMMENT 0x03 "directory" 0x01 "" 0x03 "employeeNumber" @@ -186,10 +187,10 @@ 0x45 "verisign" 0x01 "pki" 0x09 "attributes" - 0x02 "messageType" OID_PKI_MESSAGE_TYPE - 0x03 "pkiStatus" OID_PKI_STATUS - 0x04 "failInfo" OID_PKI_FAIL_INFO - 0x05 "senderNonce" OID_PKI_SENDER_NONCE - 0x06 "recipientNonce" OID_PKI_RECIPIENT_NONCE - 0x07 "transID" OID_PKI_TRANS_ID + 0x02 "messageType" OID_PKI_MESSAGE_TYPE + 0x03 "pkiStatus" OID_PKI_STATUS + 0x04 "failInfo" OID_PKI_FAIL_INFO + 0x05 "senderNonce" OID_PKI_SENDER_NONCE + 0x06 "recipientNonce" OID_PKI_RECIPIENT_NONCE + 0x07 "transID" OID_PKI_TRANS_ID 0x08 "extensionReq" diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c index 14bfb022f..9fa778aa6 100644 --- a/src/libstrongswan/crypto/hashers/hasher.c +++ b/src/libstrongswan/crypto/hashers/hasher.c @@ -6,8 +6,9 @@ */ /* - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter + * Copyright (C) 2005-2006 Martin Willi + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -20,7 +21,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: hasher.c 3304 2007-10-12 23:18:42Z andreas $ + * RCSID $Id: hasher.c 3423 2008-01-22 10:32:37Z andreas $ */ @@ -110,6 +111,39 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid) /* * Described in header. */ +int hasher_algorithm_to_oid(hash_algorithm_t alg) +{ + int oid; + + switch (alg) + { + case HASH_MD2: + oid = OID_MD2; + break; + case HASH_MD5: + oid = OID_MD5; + break; + case HASH_SHA1: + oid = OID_SHA1; + break; + case HASH_SHA256: + oid = OID_SHA256; + break; + case HASH_SHA384: + oid = OID_SHA384; + break; + case HASH_SHA512: + oid = OID_SHA512; + break; + default: + oid = OID_UNKNOWN; + } + return oid; +} + +/* + * Described in header. + */ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg) { int oid; diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h index 48b904576..e73de7f01 100644 --- a/src/libstrongswan/crypto/hashers/hasher.h +++ b/src/libstrongswan/crypto/hashers/hasher.h @@ -6,8 +6,9 @@ */ /* - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter + * Copyright (C) 2005-2006 Martin Willi + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -20,7 +21,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: hasher.h 3307 2007-10-17 02:56:24Z andreas $ + * RCSID $Id: hasher.h 3423 2008-01-22 10:32:37Z andreas $ */ #ifndef HASHER_H_ @@ -171,11 +172,23 @@ hasher_t *hasher_create(hash_algorithm_t hash_algorithm); hash_algorithm_t hasher_algorithm_from_oid(int oid); /** - * @brief Conversion of hash signature algorithm ASN.1 OID. + * @brief Conversion of hash algorithm into ASN.1 OID. + * + * @param alg hash algorithm + * @return + * - ASN.1 hash OID if known hash algorithm + * - OID_UNKNOW + * + * @ingroup hashers + */ +int hasher_algorithm_to_oid(hash_algorithm_t alg); + +/** + * @brief Conversion of hash signature algorithm into ASN.1 OID. * * @param alg hash algorithm * @return - * - ASN.1 OID if known hash algorithm + * - ASN.1 signature OID if known hash algorithm * - OID_UNKNOW * * @ingroup hashers diff --git a/src/libstrongswan/crypto/ocsp.c b/src/libstrongswan/crypto/ocsp.c index e4d907188..4bbec31de 100644 --- a/src/libstrongswan/crypto/ocsp.c +++ b/src/libstrongswan/crypto/ocsp.c @@ -6,8 +6,11 @@ */ /* Support of the Online Certificate Status Protocol (OCSP) + * * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen - * Zuercher Hochschule Winterthur + * Copyright (C) 2007 Andreas Steffen + * + * Hochschule für Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -19,6 +22,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * + * RCSID $Id$ */ #include <unistd.h> @@ -325,7 +329,7 @@ static chunk_t build_request(private_ocsp_t *this, certinfo_t *certinfo) chunk_t serialNumber = certinfo->get_serialNumber(certinfo); chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm", - ASN1_sha1_id, + asn1_algorithmIdentifier(OID_SHA1), asn1_simple_object(ASN1_OCTET_STRING, this->authNameID), asn1_simple_object(ASN1_OCTET_STRING, this->authKeyID), asn1_simple_object(ASN1_INTEGER, serialNumber)); diff --git a/src/libstrongswan/crypto/ocsp.h b/src/libstrongswan/crypto/ocsp.h index 42059e1c6..e468bb8be 100644 --- a/src/libstrongswan/crypto/ocsp.h +++ b/src/libstrongswan/crypto/ocsp.h @@ -6,9 +6,11 @@ */ /* Support of the Online Certificate Status Protocol (OCSP) Support + * * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen * Copyright (C) 2007 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland + * + * Hochschule fuer Technik Rapperswil, Switzerland * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -20,6 +22,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * + * RCSID $Id$ */ #ifndef OCSP_H_ diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c index 70510471a..48d3e2d78 100644 --- a/src/libstrongswan/crypto/pkcs7.c +++ b/src/libstrongswan/crypto/pkcs7.c @@ -7,7 +7,8 @@ /* * Copyright (C) 2005 Jan Hutter, Martin Willi - * Copyright (C) 2002-2005 Andreas Steffen + * Copyright (C) 2002-2008 Andreas Steffen + * * Hochschule fuer Technik Rapperswil, Switzerland * * This program is free software; you can redistribute it and/or modify it @@ -20,7 +21,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: pkcs7.c 3302 2007-10-12 21:57:20Z andreas $ + * RCSID $Id: pkcs7.c 3438 2008-02-02 00:29:03Z andreas $ */ #include <stdlib.h> @@ -32,8 +33,11 @@ #include <asn1/asn1.h> #include <asn1/oid.h> #include <crypto/x509.h> +#include <crypto/pkcs9.h> #include <crypto/hashers/hasher.h> #include <crypto/crypters/crypter.h> +#include <crypto/rsa/rsa_public_key.h> +#include <utils/randomizer.h> #include <utils/linked_list.h> #include "pkcs7.h" @@ -77,7 +81,7 @@ struct private_pkcs7_t { /** * ASN.1 encoded attributes */ - chunk_t attributes; + pkcs9_t *attributes; /** * Linked list of X.509 certificates @@ -244,25 +248,7 @@ static const chunk_t ASN1_des_cbc_oid = chunk_from_buf(ASN1_des_cbc_oid_str); /** - * PKCS#7 attribute type OIDs - */ -static u_char ASN1_contentType_oid_str[] = { - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03 -}; - -static u_char ASN1_messageDigest_oid_str[] = { - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04 -}; - -static const chunk_t ASN1_contentType_oid = - chunk_from_buf(ASN1_contentType_oid_str); -static const chunk_t ASN1_messageDigest_oid = - chunk_from_buf(ASN1_messageDigest_oid_str); - -/** - * Implements pkcs7_t.is_signedData. + * Implements pkcs7_t.is_data. */ static bool is_data(private_pkcs7_t *this) { @@ -278,7 +264,7 @@ static bool is_signedData(private_pkcs7_t *this) } /** - * Implements pkcs7_t.is_signedData. + * Implements pkcs7_t.is_envelopedData. */ static bool is_envelopedData(private_pkcs7_t *this) { @@ -316,6 +302,11 @@ static bool parse_data(private_pkcs7_t *this) { return FALSE; } + if (data.len == 0) + { + this->data = chunk_empty; + return TRUE; + } if (parse_asn1_simple_object(&data, ASN1_OCTET_STRING, this->level, "data")) { this->data = chunk_clone(data); @@ -328,7 +319,7 @@ static bool parse_data(private_pkcs7_t *this) } /** - * Parse PKCS#7 signedData content + * Implements pkcs7_t.parse_signedData. */ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) { @@ -363,11 +354,27 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) digest_alg = parse_algorithmIdentifier(object, level, NULL); break; case PKCS7_SIGNED_CONTENT_INFO: - this->data = chunk_clone(object); + { + chunk_t pureData; + pkcs7_t *data = pkcs7_create_from_chunk(object, level+1); + + if (data == NULL) + { + return FALSE; + } + if (!data->parse_data(data)) + { + data->destroy(data); + return FALSE; + } + pureData = data->get_data(data); + this->data = (pureData.len)? chunk_clone(pureData) : chunk_empty; + data->destroy(data); + } break; case PKCS7_SIGNED_CERT: { - x509_t *cert = x509_create_from_chunk(object, level+1); + x509_t *cert = x509_create_from_chunk(chunk_clone(object), level+1); if (cert) { @@ -389,8 +396,9 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) } break; case PKCS7_AUTH_ATTRIBUTES: - this->attributes = object; - *this->attributes.ptr = ASN1_SET; + *object.ptr = ASN1_SET; + this->attributes = pkcs9_create_from_chunk(object, level+1); + *object.ptr = ASN1_CONTEXT_C_0; break; case PKCS7_DIGEST_ALGORITHM: digest_alg = parse_algorithmIdentifier(object, level, NULL); @@ -407,8 +415,8 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) /* check the signature only if a cacert is available */ if (cacert != NULL) { - rsa_public_key_t *signer = cacert->get_public_key(cacert); hash_algorithm_t algorithm = hasher_algorithm_from_oid(digest_alg); + rsa_public_key_t *signer = cacert->get_public_key(cacert); if (signerInfos == 0) { @@ -420,7 +428,7 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) DBG1("more than one signerInfo object found"); return FALSE; } - if (this->attributes.ptr == NULL) + if (this->attributes == NULL) { DBG1("no authenticatedAttributes object found"); return FALSE; @@ -431,7 +439,7 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) return FALSE; } if (signer->verify_emsa_pkcs1_signature(signer, algorithm, - this->attributes, encrypted_digest) != SUCCESS) + this->attributes->get_encoding(this->attributes), encrypted_digest) != SUCCESS) { DBG1("invalid digest signature"); return FALSE; @@ -440,6 +448,39 @@ static bool parse_signedData(private_pkcs7_t *this, x509_t *cacert) { DBG2("digest signature is valid"); } + if (this->data.ptr != NULL) + { + chunk_t messageDigest = this->attributes->get_messageDigest(this->attributes); + + if (messageDigest.ptr == NULL) + { + DBG1("messageDigest attribute not found"); + return FALSE; + } + else + { + hasher_t *hasher = hasher_create(algorithm); + chunk_t hash; + bool valid; + + hasher->allocate_hash(hasher, this->data, &hash); + hasher->destroy(hasher); + DBG3("hash: %B", &hash); + + valid = chunk_equals(messageDigest, hash); + free(messageDigest.ptr); + free(hash.ptr); + if (valid) + { + DBG2("messageDigest is valid"); + } + else + { + DBG1("invalid messageDigest"); + return FALSE; + } + } + } } return TRUE; } @@ -574,8 +615,9 @@ static bool parse_envelopedData(private_pkcs7_t *this, chunk_t serialNumber, } /* decrypt the content */ + crypter->set_key(crypter, symmetric_key); crypter->decrypt(crypter, encrypted_content, iv, &this->data); - DBG4("decrypted content with padding: %B", &this->data); + DBG3("decrypted content with padding: %B", &this->data); /* remove the padding */ { @@ -611,7 +653,7 @@ failed: } /** - * Implements pkcs7_t.get_data + * Implements pkcs7_t.get_data. */ static chunk_t get_data(private_pkcs7_t *this) { @@ -619,7 +661,49 @@ static chunk_t get_data(private_pkcs7_t *this) } /** - * Implements pkcs_t.create_crluri_iterator + * Implements pkcs7_t.get_contentInfo. + */ +static chunk_t get_contentInfo(private_pkcs7_t *this) +{ + chunk_t content_type; + + /* select DER-encoded OID for pkcs7_contentInfo type */ + switch(this->type) + { + case OID_PKCS7_DATA: + content_type = ASN1_pkcs7_data_oid; + break; + case OID_PKCS7_SIGNED_DATA: + content_type = ASN1_pkcs7_signed_data_oid; + break; + case OID_PKCS7_ENVELOPED_DATA: + content_type = ASN1_pkcs7_enveloped_data_oid; + break; + case OID_PKCS7_SIGNED_ENVELOPED_DATA: + content_type = ASN1_pkcs7_signed_enveloped_data_oid; + break; + case OID_PKCS7_DIGESTED_DATA: + content_type = ASN1_pkcs7_digested_data_oid; + break; + case OID_PKCS7_ENCRYPTED_DATA: + content_type = ASN1_pkcs7_encrypted_data_oid; + break; + case OID_UNKNOWN: + default: + DBG1("invalid pkcs7 contentInfo type"); + return chunk_empty; + } + + return (this->content.ptr == NULL) + ? asn1_simple_object(ASN1_SEQUENCE, content_type) + : asn1_wrap(ASN1_SEQUENCE, "cm", + content_type, + asn1_simple_object(ASN1_CONTEXT_C_0, this->content) + ); +} + +/** + * Implements pkcs7_t.create_certificate_iterator */ static iterator_t *create_certificate_iterator(const private_pkcs7_t *this) { @@ -627,11 +711,243 @@ static iterator_t *create_certificate_iterator(const private_pkcs7_t *this) } /** + * Implements pkcs7_t.set_certificate + */ +static void set_certificate(private_pkcs7_t *this, x509_t *cert) +{ + if (cert) + { + /* TODO the certificate is currently not cloned */ + this->certs->insert_last(this->certs, cert); + } +} + +/** + * Implements pkcs7_t.set_attributes + */ +static void set_attributes(private_pkcs7_t *this, pkcs9_t *attributes) +{ + this->attributes = attributes; +} + +/** + * build a DER-encoded issuerAndSerialNumber object + */ +chunk_t pkcs7_build_issuerAndSerialNumber(x509_t *cert) +{ + identification_t *issuer = cert->get_issuer(cert); + + return asn1_wrap(ASN1_SEQUENCE, "cm", + issuer->get_encoding(issuer), + asn1_simple_object(ASN1_INTEGER, cert->get_serialNumber(cert))); +} + +/** + * Implements pkcs7_t.build_envelopedData. + */ +bool build_envelopedData(private_pkcs7_t *this, x509_t *cert, + encryption_algorithm_t alg) +{ + chunk_t iv, symmetricKey, in, out, alg_oid; + crypter_t *crypter; + + /* select OID of symmetric encryption algorithm */ + switch (alg) + { + case ENCR_DES: + alg_oid = ASN1_des_cbc_oid; + break; + case ENCR_3DES: + alg_oid = ASN1_3des_ede_cbc_oid; + break; + default: + DBG1(" encryption algorithm %N not supported", + encryption_algorithm_names, alg); + return FALSE; + } + + crypter = crypter_create(alg, 0); + if (crypter == NULL) + { + DBG1(" could not create crypter for algorithm %N", + encryption_algorithm_names, alg); + return FALSE; + } + + /* generate a true random symmetric encryption key + * and a pseudo-random iv + */ + { + randomizer_t *randomizer = randomizer_create(); + + randomizer->allocate_random_bytes(randomizer, + crypter->get_key_size(crypter), &symmetricKey); + DBG4(" symmetric encryption key: %B", &symmetricKey); + + randomizer->allocate_pseudo_random_bytes(randomizer, + crypter->get_block_size(crypter), &iv); + DBG4(" initialization vector: %B", &iv); + + randomizer->destroy(randomizer); + } + + /* pad the data so that the total length becomes + * a multiple of the block size + */ + { + size_t block_size = crypter->get_block_size(crypter); + size_t padding = block_size - this->data.len % block_size; + + in.len = this->data.len + padding; + in.ptr = malloc(in.len); + + DBG2(" padding %d bytes of data to multiple block size of %d bytes", + (int)this->data.len, (int)in.len); + + /* copy data */ + memcpy(in.ptr, this->data.ptr, this->data.len); + /* append padding */ + memset(in.ptr + this->data.len, padding, padding); + } + DBG3(" padded unencrypted data: %B", &in); + + /* symmetric encryption of data object */ + crypter->set_key(crypter, symmetricKey); + crypter->encrypt(crypter, in, iv, &out); + crypter->destroy(crypter); + chunk_free_randomized(&in); + DBG3(" encrypted data: %B", &out); + + /* build pkcs7 enveloped data object */ + { + chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm", + alg_oid, + asn1_wrap(ASN1_OCTET_STRING, "m", iv)); + + chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm", + ASN1_pkcs7_data_oid, + contentEncryptionAlgorithm, + asn1_wrap(ASN1_CONTEXT_S_0, "m", out)); + + chunk_t wrappedKey, encryptedKey, recipientInfo; + + rsa_public_key_t *public_key = cert->get_public_key(cert); + + public_key->pkcs1_encrypt(public_key, symmetricKey, &wrappedKey); + chunk_free_randomized(&symmetricKey); + + encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m", wrappedKey); + + recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm", + ASN1_INTEGER_0, + pkcs7_build_issuerAndSerialNumber(cert), + asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), + encryptedKey); + + this->content = asn1_wrap(ASN1_SEQUENCE, "cmm", + ASN1_INTEGER_0, + asn1_wrap(ASN1_SET, "m", recipientInfo), + encryptedContentInfo); + this->type = OID_PKCS7_ENVELOPED_DATA; + } + return TRUE; +} + +/** + * Implements pkcs7_t.build_signedData. + */ +bool build_signedData(private_pkcs7_t *this, rsa_private_key_t *private_key, + hash_algorithm_t alg) +{ + int signature_oid = hasher_signature_algorithm_to_oid(alg); + chunk_t authenticatedAttributes = chunk_empty; + chunk_t encryptedDigest = chunk_empty; + chunk_t signerInfo; + x509_t *cert; + + if (this->certs->get_first(this->certs, (void**)&cert) != SUCCESS) + { + DBG1(" no pkcs7 signer certificate found"); + return FALSE; + } + + if (this->attributes != NULL) + { + if (this->data.ptr != NULL) + { + /* take the current time as signingTime */ + time_t now = time(NULL); + chunk_t signingTime = timetoasn1(&now, ASN1_UTCTIME); + + chunk_t messageDigest, attributes; + hasher_t *hasher = hasher_create(alg); + + hasher->allocate_hash(hasher, this->data, &messageDigest); + hasher->destroy(hasher); + this->attributes->set_attribute(this->attributes, + OID_PKCS9_CONTENT_TYPE, ASN1_pkcs7_data_oid); + this->attributes->set_messageDigest(this->attributes, + messageDigest); + this->attributes->set_attribute(this->attributes, + OID_PKCS9_SIGNING_TIME, signingTime); + attributes = this->attributes->get_encoding(this->attributes); + + free(messageDigest.ptr); + free(signingTime.ptr); + + private_key->build_emsa_pkcs1_signature(private_key, alg, + attributes, &encryptedDigest); + authenticatedAttributes = chunk_clone(attributes); + *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0; + } + } + else if (this->data.ptr != NULL) + { + private_key->build_emsa_pkcs1_signature(private_key, alg, + this->data, &encryptedDigest); + } + if (encryptedDigest.ptr) + { + encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest); + } + + signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmcmcm", + ASN1_INTEGER_1, + pkcs7_build_issuerAndSerialNumber(cert), + asn1_algorithmIdentifier(signature_oid), + authenticatedAttributes, + asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), + encryptedDigest); + + if (this->data.ptr != NULL) + { + this->content = asn1_simple_object(ASN1_OCTET_STRING, this->data); + chunk_free(&this->data); + } + this->type = OID_PKCS7_DATA; + this->data = get_contentInfo(this); + chunk_free(&this->content); + + this->type = OID_PKCS7_SIGNED_DATA; + + this->content = asn1_wrap(ASN1_SEQUENCE, "cmcmm", + ASN1_INTEGER_1, + asn1_simple_object(ASN1_SET, asn1_algorithmIdentifier(signature_oid)), + this->data, + asn1_simple_object(ASN1_CONTEXT_C_0, cert->get_certificate(cert)), + asn1_wrap(ASN1_SET, "m", signerInfo)); + + return TRUE; +} + +/** * Implements pkcs7_t.destroy */ static void destroy(private_pkcs7_t *this) { + DESTROY_IF(this->attributes); this->certs->destroy_offset(this->certs, offsetof(x509_t, destroy)); + free(this->content.ptr); free(this->data.ptr); free(this); } @@ -665,19 +981,19 @@ static bool parse_contentInfo(chunk_t blob, u_int level0, private_pkcs7_t *cInfo return FALSE; } } - else if (objectID == PKCS7_INFO_CONTENT) + else if (objectID == PKCS7_INFO_CONTENT && object.len > 0) { - cInfo->content = object; + cInfo->content = chunk_clone(object); } objectID++; } return TRUE; } -/* - * Described in header. +/** + * Generic private constructor */ -pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level) +static private_pkcs7_t *pkcs7_create_empty(void) { private_pkcs7_t *this = malloc_thing(private_pkcs7_t); @@ -685,9 +1001,9 @@ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level) this->type = OID_UNKNOWN; this->content = chunk_empty; this->parsed = FALSE; - this->level = level + 2; + this->level = 0; this->data = chunk_empty; - this->attributes = chunk_empty; + this->attributes = NULL; this->certs = linked_list_create(); /*public functions */ @@ -698,9 +1014,25 @@ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level) this->public.parse_signedData = (bool (*) (pkcs7_t*,x509_t*))parse_signedData; this->public.parse_envelopedData = (bool (*) (pkcs7_t*,chunk_t,rsa_private_key_t*))parse_envelopedData; this->public.get_data = (chunk_t (*) (pkcs7_t*))get_data; + this->public.get_contentInfo = (chunk_t (*) (pkcs7_t*))get_contentInfo; this->public.create_certificate_iterator = (iterator_t* (*) (pkcs7_t*))create_certificate_iterator; + this->public.set_certificate = (void (*) (pkcs7_t*,x509_t*))set_certificate; + this->public.set_attributes = (void (*) (pkcs7_t*,pkcs9_t*))set_attributes; + this->public.build_envelopedData = (bool (*) (pkcs7_t*,x509_t*,encryption_algorithm_t))build_envelopedData; + this->public.build_signedData = (bool (*) (pkcs7_t*,rsa_private_key_t*,hash_algorithm_t))build_signedData; this->public.destroy = (void (*) (pkcs7_t*))destroy; + return this; +} + +/* + * Described in header. + */ +pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level) +{ + private_pkcs7_t *this = pkcs7_create_empty(); + + this->level = level + 2; if (!parse_contentInfo(chunk, level, this)) { destroy(this); @@ -708,3 +1040,38 @@ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level) } return &this->public; } + +/* + * Described in header. + */ +pkcs7_t *pkcs7_create_from_data(chunk_t data) +{ + private_pkcs7_t *this = pkcs7_create_empty(); + + this->data = chunk_clone(data); + this->parsed = TRUE; + + return &this->public; +} + +/* + * Described in header. + */ +pkcs7_t *pkcs7_create_from_file(const char *filename, const char *label) +{ + bool pgp = FALSE; + chunk_t chunk = chunk_empty; + char cert_label[BUF_LEN]; + pkcs7_t *pkcs7; + + snprintf(cert_label, BUF_LEN, "%s pkcs7", label); + + if (!pem_asn1_load_file(filename, NULL, cert_label, &chunk, &pgp)) + { + return NULL; + } + + pkcs7 = pkcs7_create_from_chunk(chunk, 0); + free(chunk.ptr); + return pkcs7; +} diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h index c8434225a..74bd25361 100644 --- a/src/libstrongswan/crypto/pkcs7.h +++ b/src/libstrongswan/crypto/pkcs7.h @@ -7,7 +7,7 @@ /* * Copyright (C) 2005 Jan Hutter, Martin Willi - * Copyright (C) 2002-2007 Andreas Steffen + * Copyright (C) 2002-2008 Andreas Steffen * * Hochschule fuer Technik Rapperswil, Switzerland * @@ -21,7 +21,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: pkcs7.h 3302 2007-10-12 21:57:20Z andreas $ + * RCSID $Id: pkcs7.h 3437 2008-02-01 22:26:01Z andreas $ */ #ifndef _PKCS7_H @@ -31,7 +31,9 @@ typedef struct pkcs7_t pkcs7_t; #include <library.h> #include <crypto/x509.h> +#include <crypto/pkcs9.h> #include <crypto/rsa/rsa_private_key.h> +#include <crypto/crypters/crypter.h> #include <utils/iterator.h> /** @@ -39,6 +41,7 @@ typedef struct pkcs7_t pkcs7_t; * * @b Constructors: * -pkcs7_create_from_chunk() + * -pkcs7_create_from_data() * * @ingroup crypto */ @@ -103,14 +106,66 @@ struct pkcs7_t { chunk_t (*get_data) (pkcs7_t *this); /** + * @brief Returns the a DER-encoded contentInfo object + * + * @param this calling object + * @return chunk containing the contentInfo object + */ + chunk_t (*get_contentInfo) (pkcs7_t *this); + + /** * @brief Create an iterator for the certificates. * - * @param this calling object - * @return iterator for the certificates + * @param this calling object + * @return iterator for the certificates */ iterator_t *(*create_certificate_iterator) (pkcs7_t *this); /** + * @brief Add a certificate. + * + * @param this calling object + * @param cert certificate to be included + */ + void (*set_certificate) (pkcs7_t *this, x509_t *cert); + + /** + * @brief Add authenticated attributes. + * + * @param this calling object + * @param attributes attributes to be included + */ + void (*set_attributes) (pkcs7_t *this, pkcs9_t *attributes); + + /** + * @brief Build a data object + * + * @param this PKCS#7 data to be built + * @return TRUE if build was successful + */ + bool (*build_data) (pkcs7_t *this); + + /** + * @brief Build an envelopedData object + * + * @param this PKCS#7 data object to envelop + * @param cert receivers's certificate + * @param alg encryption algorithm + * @return TRUE if build was successful + */ + bool (*build_envelopedData) (pkcs7_t *this, x509_t *cert, encryption_algorithm_t alg); + + /** + * @brief Build an signedData object + * + * @param this PKCS#7 data object to sign + * @param key signer's RSA private key + * @param alg digest algorithm used for signature + * @return TRUE if build was successful + */ + bool (*build_signedData) (pkcs7_t *this, rsa_private_key_t *key, hash_algorithm_t alg); + + /** * @brief Destroys the contentInfo object. * * @param this PKCS#7 contentInfo object to destroy @@ -129,4 +184,26 @@ struct pkcs7_t { */ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level); +/** + * @brief Create a PKCS#7 contentInfo object + * + * @param chunk chunk containing data + * @return created pkcs7_contentInfo object. + * + * @ingroup crypto + */ +pkcs7_t *pkcs7_create_from_data(chunk_t data); + +/** + * @brief Read a X.509 certificate from a DER encoded file. + * + * @param filename file containing DER encoded data + * @param label label describing kind of PKCS#7 file + * @return created pkcs7_t object, or NULL if invalid. + * + * @ingroup crypto + */ +pkcs7_t *pkcs7_create_from_file(const char *filename, const char *label); + + #endif /* _PKCS7_H */ diff --git a/src/libstrongswan/crypto/pkcs9.c b/src/libstrongswan/crypto/pkcs9.c new file mode 100644 index 000000000..1003c9011 --- /dev/null +++ b/src/libstrongswan/crypto/pkcs9.c @@ -0,0 +1,470 @@ +/** + * @file pkcs9.c + * + * @brief Implementation of pkcs9_t. + * + */ + +/* + * Copyright (C)2008 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: pkcs7.c 3423 2008-01-22 10:32:37Z andreas $ + */ + +#include <library.h> +#include <debug.h> + +#include <asn1/oid.h> +#include <asn1/asn1.h> +#include <utils/linked_list.h> + +#include "pkcs9.h" + +typedef struct private_pkcs9_t private_pkcs9_t; + +/** + * Private data of a pkcs9_t attribute list. + */ +struct private_pkcs9_t { + /** + * Public interface + */ + pkcs9_t public; + + /** + * DER encoding of PKCS#9 attributes + */ + chunk_t encoding; + + /** + * Linked list of PKCS#9 attributes + */ + linked_list_t *attributes; +}; + +typedef struct attribute_t attribute_t; + +/** + * Definition of an attribute_t object. + */ +struct attribute_t { + /** + * Object Identifier (OID) + */ + int oid; + + /** + * Attribute value + */ + chunk_t value; + + /** + * ASN.1 encoding + */ + chunk_t encoding; + + /** + * Destroys the attribute. + * + * @param this attribute to destroy + */ + void (*destroy) (attribute_t *this); + +}; + +/* ASN.1 definition of the X.501 atttribute type */ + +static const asn1Object_t attributesObjects[] = { + { 0, "attributes", ASN1_SET, ASN1_LOOP }, /* 0 */ + { 1, "attribute", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ + { 2, "type", ASN1_OID, ASN1_BODY }, /* 2 */ + { 2, "values", ASN1_SET, ASN1_LOOP }, /* 3 */ + { 3, "value", ASN1_EOC, ASN1_RAW }, /* 4 */ + { 2, "end loop", ASN1_EOC, ASN1_END }, /* 5 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ +}; + +#define ATTRIBUTE_OBJ_TYPE 2 +#define ATTRIBUTE_OBJ_VALUE 4 +#define ATTRIBUTE_OBJ_ROOF 7 + +/** + * PKCS#9 attribute type OIDs + */ +static u_char ASN1_contentType_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03 +}; + +static u_char ASN1_messageDigest_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04 +}; + +static u_char ASN1_signingTime_oid_str[] = { + 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x05 +}; + +static char ASN1_messageType_oid_str[] = { + 0x06, 0x0A, + 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x02 +}; + +static char ASN1_senderNonce_oid_str[] = { + 0x06, 0x0A, + 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x05 +}; + +static char ASN1_transId_oid_str[] = { + 0x06, 0x0A, + 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01, 0x09, 0x07 +}; + +static const chunk_t ASN1_contentType_oid = + chunk_from_buf(ASN1_contentType_oid_str); +static const chunk_t ASN1_messageDigest_oid = + chunk_from_buf(ASN1_messageDigest_oid_str); +static const chunk_t ASN1_signingTime_oid = + chunk_from_buf(ASN1_signingTime_oid_str); +static const chunk_t ASN1_messageType_oid = + chunk_from_buf(ASN1_messageType_oid_str); +static const chunk_t ASN1_senderNonce_oid = + chunk_from_buf(ASN1_senderNonce_oid_str); +static const chunk_t ASN1_transId_oid = + chunk_from_buf(ASN1_transId_oid_str); + +/** + * return the ASN.1 encoded OID of a PKCS#9 attribute + */ +static chunk_t asn1_attributeIdentifier(int oid) +{ + switch (oid) + { + case OID_PKCS9_CONTENT_TYPE: + return ASN1_contentType_oid; + case OID_PKCS9_MESSAGE_DIGEST: + return ASN1_messageDigest_oid; + case OID_PKCS9_SIGNING_TIME: + return ASN1_signingTime_oid; + case OID_PKI_MESSAGE_TYPE: + return ASN1_messageType_oid; + case OID_PKI_SENDER_NONCE: + return ASN1_senderNonce_oid; + case OID_PKI_TRANS_ID: + return ASN1_transId_oid;; + default: + return chunk_empty; + } +} + +/** + * return the ASN.1 encoding of a PKCS#9 attribute + */ +static asn1_t asn1_attributeType(int oid) +{ + asn1_t type; + + switch (oid) + { + case OID_PKCS9_CONTENT_TYPE: + type = ASN1_OID; + break; + case OID_PKCS9_SIGNING_TIME: + type = ASN1_UTCTIME; + break; + case OID_PKCS9_MESSAGE_DIGEST: + type = ASN1_OCTET_STRING; + break; + case OID_PKI_MESSAGE_TYPE: + type = ASN1_PRINTABLESTRING; + break; + case OID_PKI_STATUS: + type = ASN1_PRINTABLESTRING; + break; + case OID_PKI_FAIL_INFO: + type = ASN1_PRINTABLESTRING; + break; + case OID_PKI_SENDER_NONCE: + type = ASN1_OCTET_STRING; + break; + case OID_PKI_RECIPIENT_NONCE: + type = ASN1_OCTET_STRING; + break; + case OID_PKI_TRANS_ID: + type = ASN1_PRINTABLESTRING; + break; + default: + type = ASN1_EOC; + } + return type; +} + +/** + * Destroy an attribute_t object. + */ +static void attribute_destroy(attribute_t *this) +{ + free(this->value.ptr); + free(this->encoding.ptr); + free(this); +} + +/** + * Create an attribute_t object. + */ +static attribute_t *attribute_create(int oid, chunk_t value) +{ + attribute_t *this = malloc_thing(attribute_t); + + this->oid = oid; + this->value = chunk_clone(value); + this->encoding = asn1_wrap(ASN1_SEQUENCE, "cm", + asn1_attributeIdentifier(oid), + asn1_simple_object(ASN1_SET, value)); + this->destroy = (void (*) (attribute_t*))attribute_destroy; + return this; +} + +/** + * Implements pkcs9_t.build_encoding + */ +static void build_encoding(private_pkcs9_t *this) +{ + iterator_t *iterator; + attribute_t *attribute; + u_int attributes_len = 0; + + if (this->encoding.ptr) + { + chunk_free(&this->encoding); + } + if (this->attributes->get_count(this->attributes) == 0) + { + return; + } + + /* compute the total length of the encoded attributes */ + iterator = this->attributes->create_iterator(this->attributes, TRUE); + + while (iterator->iterate(iterator, (void**)&attribute)) + { + attributes_len += attribute->encoding.len; + } + iterator->destroy(iterator); + + /* allocate memory for the attributes and build the encoding */ + { + u_char *pos = build_asn1_object(&this->encoding, ASN1_SET, attributes_len); + + iterator = this->attributes->create_iterator(this->attributes, TRUE); + + while (iterator->iterate(iterator, (void**)&attribute)) + { + memcpy(pos, attribute->encoding.ptr, attribute->encoding.len); + pos += attribute->encoding.len; + } + iterator->destroy(iterator); + } +} + +/** + * Implements pkcs9_t.get_encoding + */ +static chunk_t get_encoding(private_pkcs9_t *this) +{ + if (this->encoding.ptr == NULL) + { + build_encoding(this); + } + return this->encoding; +} + +/** + * Implements pkcs9_t.get_attribute + */ +static chunk_t get_attribute(private_pkcs9_t *this, int oid) +{ + iterator_t *iterator = this->attributes->create_iterator(this->attributes, TRUE); + chunk_t value = chunk_empty; + attribute_t *attribute; + + while (iterator->iterate(iterator, (void**)&attribute)) + { + if (attribute->oid == oid) + { + value = attribute->value; + break; + } + } + iterator->destroy(iterator); + return value; +} + +/** + * Implements pkcs9_t.set_attribute + */ +static void set_attribute(private_pkcs9_t *this, int oid, chunk_t value) +{ + attribute_t *attribute = attribute_create(oid, value); + + this->attributes->insert_last(this->attributes, (void*)attribute); +} + +/** + * Implements pkcs9_t.get_messageDigest + */ +static chunk_t get_messageDigest(private_pkcs9_t *this) +{ + const int oid = OID_PKCS9_MESSAGE_DIGEST; + chunk_t value = get_attribute(this, oid); + + if (value.ptr == NULL) + { + return chunk_empty; + } + if (!parse_asn1_simple_object(&value, asn1_attributeType(oid), 0, oid_names[oid].name)) + { + return chunk_empty; + } + return chunk_clone(value); +} + +/** + * Implements pkcs9_t.set_attribute + */ +static void set_messageDigest(private_pkcs9_t *this, chunk_t value) +{ + const int oid = OID_PKCS9_MESSAGE_DIGEST; + chunk_t messageDigest = asn1_simple_object(asn1_attributeType(oid), value); + + set_attribute(this, oid, messageDigest); + free(messageDigest.ptr); +} + +/** + * Implements pkcs9_t.destroy + */ +static void destroy(private_pkcs9_t *this) +{ + this->attributes->destroy_offset(this->attributes, offsetof(attribute_t, destroy)); + free(this->encoding.ptr); + free(this); +} + +/** + * Generic private constructor + */ +static private_pkcs9_t *pkcs9_create_empty(void) +{ + private_pkcs9_t *this = malloc_thing(private_pkcs9_t); + + /* initialize */ + this->encoding = chunk_empty; + this->attributes = linked_list_create(); + + /*public functions */ + this->public.build_encoding = (void (*) (pkcs9_t*))build_encoding; + this->public.get_encoding = (chunk_t (*) (pkcs9_t*))get_encoding; + this->public.get_attribute = (chunk_t (*) (pkcs9_t*,int))get_attribute; + this->public.set_attribute = (void (*) (pkcs9_t*,int,chunk_t))set_attribute; + this->public.get_messageDigest = (chunk_t (*) (pkcs9_t*))get_messageDigest; + this->public.set_messageDigest = (void (*) (pkcs9_t*,chunk_t))set_messageDigest; + this->public.destroy = (void (*) (pkcs9_t*))destroy; + + return this; +} + +/* + * Described in header. + */ +pkcs9_t *pkcs9_create(void) +{ + private_pkcs9_t *this = pkcs9_create_empty(); + + return &this->public; +} + +/** + * Parse a PKCS#9 attribute list + */ +static bool parse_attributes(chunk_t chunk, int level0, private_pkcs9_t* this) +{ + asn1_ctx_t ctx; + chunk_t object; + u_int level; + int oid = OID_UNKNOWN; + int objectID = 0; + + asn1_init(&ctx, chunk, level0, FALSE, FALSE); + + while (objectID < ATTRIBUTE_OBJ_ROOF) + { + if (!extract_object(attributesObjects, &objectID, &object, &level, &ctx)) + { + return FALSE; + } + + switch (objectID) + { + case ATTRIBUTE_OBJ_TYPE: + oid = known_oid(object); + break; + case ATTRIBUTE_OBJ_VALUE: + if (oid == OID_UNKNOWN) + { + break; + } + /* add the attribute to a linked list */ + { + attribute_t *attribute = attribute_create(oid, object); + + this->attributes->insert_last(this->attributes, (void*)attribute); + } + /* parse known attributes */ + { + asn1_t type = asn1_attributeType(oid); + + if (type != ASN1_EOC) + { + if (!parse_asn1_simple_object(&object, type, level+1, oid_names[oid].name)) + { + return FALSE; + } + } + } + } + objectID++; + } + return TRUE; +} + + + /* + * Described in header. + */ +pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level) +{ + private_pkcs9_t *this = pkcs9_create_empty(); + + this->encoding = chunk_clone(chunk); + + if (!parse_attributes(chunk, level, this)) + { + destroy(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/crypto/pkcs9.h b/src/libstrongswan/crypto/pkcs9.h new file mode 100644 index 000000000..44915720c --- /dev/null +++ b/src/libstrongswan/crypto/pkcs9.h @@ -0,0 +1,121 @@ +/** + * @file pkcs7.h + * + * @brief Interface of pkcs9_t. + * + */ + +/* + * Copyright (C) 2008 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil, Switzerland + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: pkcs7.h 3423 2008-01-22 10:32:37Z andreas $ + */ + +#ifndef _PKCS9_H +#define _PKCS9_H + +typedef struct pkcs9_t pkcs9_t; + +#include <library.h> + +/** + * @brief PKCS#9 . + * + * @b Constructors: + * -pkcs9_create_from_chunk() + * -pkcs9_create() + * + * @ingroup crypto + */ +struct pkcs9_t { + /** + * @brief generate ASN.1 encoding of attribute list + * + * @param this PKCS#9 attribute list to be encoded + */ + void (*build_encoding) (pkcs9_t *this); + + /** + * @brief gets ASN.1 encoding of PKCS#9 attribute list + * + * @param this calling object + * @return ASN.1 encoded PKCSI#9 list + */ + chunk_t (*get_encoding) (pkcs9_t *this); + + /** + * @brief gets a PKCS#9 attribute + * + * @param this calling object + * @param oid OID of the attribute + * @return ASN.1 encoded value of the attribute + */ + chunk_t (*get_attribute) (pkcs9_t *this, int oid); + + /** + * @brief adds a PKCS#9 attribute + * + * @param this calling object + * @param oid OID of the attribute + * @param value ASN.1 encoded value of the attribute + */ + void (*set_attribute) (pkcs9_t *this, int oid, chunk_t value); + + /** + * @brief gets a PKCS#9 messageDigest attribute + * + * @param this calling object + * @return messageDigest + */ + chunk_t (*get_messageDigest) (pkcs9_t *this); + + /** + * @brief add a PKCS#9 messageDigest attribute + * + * @param this calling object + * @param value messageDigest + */ + void (*set_messageDigest) (pkcs9_t *this, chunk_t value); + + /** + * @brief Destroys the PKCS#9 attribute list. + * + * @param this PKCS#9 attribute list to destroy + */ + void (*destroy) (pkcs9_t *this); +}; + +/** + * @brief Read a PKCS#9 attribute list from a DER encoded chunk. + * + * @param chunk chunk containing DER encoded data + * @param level ASN.1 parsing start level + * @return created pkcs9 attribute list, or NULL if invalid. + * + * @ingroup crypto + */ +pkcs9_t *pkcs9_create_from_chunk(chunk_t chunk, u_int level); + +/** + * @brief Create an empty PKCS#9 attribute list + * + * @param chunk chunk containing data + * @return created pkcs9 attribute list. + * + * @ingroup crypto + */ +pkcs9_t *pkcs9_create(void); + +#endif /* _PKCS9_H */ diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.c b/src/libstrongswan/crypto/rsa/rsa_private_key.c index ec2f2fc74..1b1499887 100644 --- a/src/libstrongswan/crypto/rsa/rsa_private_key.c +++ b/src/libstrongswan/crypto/rsa/rsa_private_key.c @@ -6,8 +6,10 @@ */ /* - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2007-2008 Andreas Steffen + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -20,7 +22,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: rsa_private_key.c 3306 2007-10-17 02:55:53Z andreas $ + * RCSID $Id: rsa_private_key.c 3429 2008-01-27 20:59:22Z andreas $ */ #include <gmp.h> @@ -40,6 +42,7 @@ * defined in rsa_public_key.c */ extern chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e); +extern chunk_t rsa_public_key_id_create(const mpz_t n, const mpz_t e); /** * Public exponent to use for key generation. @@ -111,7 +114,6 @@ struct private_rsa_private_key_t { * Keyid formed as a SHA-1 hash of a publicKeyInfo object */ chunk_t keyid; - /** * @brief Implements the RSADP algorithm specified in PKCS#1. @@ -129,16 +131,6 @@ struct private_rsa_private_key_t { * @return processed data */ chunk_t (*rsasp1) (private_rsa_private_key_t *this, chunk_t data); - - /** - * @brief Generate a prime value. - * - * @param this calling object - * @param prime_size size of the prime, in bytes - * @param[out] prime uninitialized mpz - */ - status_t (*compute_prime) (private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime); - }; /* ASN.1 definition of a PKCS#1 RSA private key */ @@ -173,8 +165,6 @@ static const asn1Object_t privkey_objects[] = { #define PRIV_KEY_COEFF 9 #define PRIV_KEY_ROOF 16 -static private_rsa_private_key_t *rsa_private_key_create_empty(void); - /** * Auxiliary function overwriting private key material with * pseudo-random bytes before releasing it @@ -196,9 +186,9 @@ static void mpz_clear_randomized(mpz_t z) } /** - * Implementation of private_rsa_private_key_t.compute_prime. + * Generate a random prime number with prime_len bytes */ -static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size, mpz_t *prime) +static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_len, mpz_t *prime) { randomizer_t *randomizer; chunk_t random_bytes; @@ -209,7 +199,8 @@ static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size do { - status = randomizer->allocate_random_bytes(randomizer, prime_size, &random_bytes); + DBG1(" generating %d bit prime from %s ...", BITS_PER_BYTE * prime_len, DEV_RANDOM); + status = randomizer->allocate_random_bytes(randomizer, prime_len, &random_bytes); if (status != SUCCESS) { randomizer->destroy(randomizer); @@ -230,7 +221,7 @@ static status_t compute_prime(private_rsa_private_key_t *this, size_t prime_size chunk_free_randomized(&random_bytes); } /* check if it isnt too large */ - while (((mpz_sizeinbase(*prime, 2) + 7) / 8) > prime_size); + while (((mpz_sizeinbase(*prime, 2) + 7) / BITS_PER_BYTE) > prime_len); randomizer->destroy(randomizer); return SUCCESS; @@ -269,7 +260,7 @@ static chunk_t rsadp(private_rsa_private_key_t *this, chunk_t data) } /** - * Implementation of rsa_private_key_t.eme_pkcs1_decrypt. + * Implementation of rsa_private_key_t.pkcs1_decrypt. */ static status_t pkcs1_decrypt(private_rsa_private_key_t *this, chunk_t in, chunk_t *out) @@ -319,47 +310,14 @@ static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, chunk_t data, chunk_t *signature) { hasher_t *hasher; - chunk_t em, digestInfo, hash_id, hash; - - /* get oid string prepended to hash */ - switch (hash_algorithm) - { - case HASH_MD2: - { - hash_id =ASN1_md2_id; - break; - } - case HASH_MD5: - { - hash_id = ASN1_md5_id; - break; - } - case HASH_SHA1: - { - hash_id = ASN1_sha1_id; - break; - } - case HASH_SHA256: - { - hash_id = ASN1_sha256_id; - break; - } - case HASH_SHA384: - { - hash_id = ASN1_sha384_id; - break; - } - case HASH_SHA512: - { - hash_id = ASN1_sha512_id; - break; - } - default: - { - return NOT_SUPPORTED; - } + chunk_t em, digestInfo, hash; + int hash_oid = hasher_algorithm_to_oid(hash_algorithm); + + if (hash_oid == OID_UNKNOWN) + { + return NOT_SUPPORTED; } - + /* get hasher */ hasher = hasher_create(hash_algorithm); if (hasher == NULL) @@ -373,7 +331,7 @@ static status_t build_emsa_pkcs1_signature(private_rsa_private_key_t *this, /* build DER-encoded digestInfo */ digestInfo = asn1_wrap(ASN1_SEQUENCE, "cm", - hash_id, + asn1_algorithmIdentifier(hash_oid), asn1_simple_object(ASN1_OCTET_STRING, hash) ); chunk_free(&hash); @@ -432,7 +390,7 @@ static bool pkcs1_write(private_rsa_private_key_t *this, const char *filename, b */ rsa_public_key_t *get_public_key(private_rsa_private_key_t *this) { - return NULL; + return rsa_public_key_create(this->n, this->e); } /** @@ -455,13 +413,13 @@ static status_t check(private_rsa_private_key_t *this) /* PKCS#1 1.5 section 6 requires modulus to have at least 12 octets. * We actually require more (for security). */ - if (this->k < 512/8) + if (this->k < 512 / BITS_PER_BYTE) { return FAILED; } /* we picked a max modulus size to simplify buffer allocation */ - if (this->k > 8192/8) + if (this->k > 8192 / BITS_PER_BYTE) { return FAILED; } @@ -572,7 +530,6 @@ static private_rsa_private_key_t *rsa_private_key_create_empty(void) /* private functions */ this->rsadp = rsadp; this->rsasp1 = rsadp; /* same algorithm */ - this->compute_prime = compute_prime; this->keyid = chunk_empty; @@ -587,20 +544,17 @@ rsa_private_key_t *rsa_private_key_create(size_t key_size) mpz_t p, q, n, e, d, exp1, exp2, coeff; mpz_t m, q1, t; private_rsa_private_key_t *this; - - this = rsa_private_key_create_empty(); - key_size = key_size / 8; + size_t key_len = key_size / BITS_PER_BYTE; + size_t prime_len = key_len / 2; /* Get values of primes p and q */ - if (this->compute_prime(this, key_size/2, &p) != SUCCESS) + if (compute_prime(this, prime_len, &p) != SUCCESS) { - free(this); return NULL; } - if (this->compute_prime(this, key_size/2, &q) != SUCCESS) + if (compute_prime(this, prime_len, &q) != SUCCESS) { mpz_clear(p); - free(this); return NULL; } @@ -648,7 +602,13 @@ rsa_private_key_t *rsa_private_key_create(size_t key_size) mpz_clear_randomized(m); mpz_clear_randomized(t); - /* apply values */ + /* determine exact the modulus size in bits */ + key_size = mpz_sizeinbase(n, 2); + + /* create and fill in rsa_private_key_t object */ + this = rsa_private_key_create_empty(); + this->k = (key_size + 7) / BITS_PER_BYTE; + this->keyid = rsa_public_key_id_create(n, e); *(this->p) = *p; *(this->q) = *q; *(this->n) = *n; @@ -657,10 +617,8 @@ rsa_private_key_t *rsa_private_key_create(size_t key_size) *(this->exp1) = *exp1; *(this->exp2) = *exp2; *(this->coeff) = *coeff; - - /* set key size in bytes */ - this->k = key_size; - + DBG1("generated %d bit RSA key with keyid: %#B", key_size, &this->keyid); + return &this->public; } @@ -733,17 +691,8 @@ rsa_private_key_t *rsa_private_key_create_from_chunk(chunk_t blob) } this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE; + this->keyid = rsa_public_key_id_create(this->n, this->e); - /* form the keyid as a SHA-1 hash of a publicKeyInfo object */ - { - chunk_t publicKeyInfo = rsa_public_key_info_to_asn1(this->n, this->e); - hasher_t *hasher = hasher_create(HASH_SHA1); - - hasher->allocate_hash(hasher, publicKeyInfo, &this->keyid); - hasher->destroy(hasher); - free(publicKeyInfo.ptr); - } - if (check(this) != SUCCESS) { destroy(this); diff --git a/src/libstrongswan/crypto/rsa/rsa_private_key.h b/src/libstrongswan/crypto/rsa/rsa_private_key.h index e5cf49810..8013f03c2 100644 --- a/src/libstrongswan/crypto/rsa/rsa_private_key.h +++ b/src/libstrongswan/crypto/rsa/rsa_private_key.h @@ -6,8 +6,10 @@ */ /* - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2007-2008 Andreas Steffen + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -20,7 +22,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: rsa_private_key.h 3296 2007-10-12 15:23:29Z andreas $ + * RCSID $Id: rsa_private_key.h 3423 2008-01-22 10:32:37Z andreas $ */ #ifndef RSA_PRIVATE_KEY_H_ diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.c b/src/libstrongswan/crypto/rsa/rsa_public_key.c index 6f2158d2b..10af0527e 100644 --- a/src/libstrongswan/crypto/rsa/rsa_public_key.c +++ b/src/libstrongswan/crypto/rsa/rsa_public_key.c @@ -6,8 +6,10 @@ */ /* - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2007-2008 Andreas Steffen + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -20,7 +22,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: rsa_public_key.c 3303 2007-10-12 22:49:39Z andreas $ + * RCSID $Id: rsa_public_key.c 3428 2008-01-27 20:58:52Z andreas $ */ #include <gmp.h> @@ -32,6 +34,7 @@ #include "rsa_public_key.h" #include <debug.h> +#include <utils/randomizer.h> #include <crypto/hashers/hasher.h> #include <asn1/asn1.h> #include <asn1/pem.h> @@ -110,8 +113,6 @@ struct private_rsa_public_key_t { chunk_t (*rsavp1) (const private_rsa_public_key_t *this, chunk_t data); }; -private_rsa_public_key_t *rsa_public_key_create_empty(void); - /** * Implementation of private_rsa_public_key_t.rsaep and private_rsa_public_key_t.rsavp1 */ @@ -137,6 +138,55 @@ static chunk_t rsaep(const private_rsa_public_key_t *this, chunk_t data) } /** + * Implementation of rsa_public_key_t.eme_pkcs1_encrypt. + */ +static status_t pkcs1_encrypt(private_rsa_public_key_t *this, + chunk_t in, chunk_t *out) +{ + chunk_t em; + u_char *pos; + int padding = this->k - in.len - 3; + + if (padding < 8) + { + DBG1("rsa padding of %d bytes is too small", padding); + return FAILED; + } + em.len = this->k; + em.ptr = pos = malloc(em.len); + + /* add padding according to PKCS#1 7.2.1 1.+2. */ + *pos++ = 0x00; + *pos++ = 0x02; + + /* pad with pseudo random bytes unequal to zero */ + { + randomizer_t *randomizer = randomizer_create(); + + /* pad with pseudo random bytes unequal to zero */ + while (padding--) + { + randomizer->get_pseudo_random_bytes(randomizer, 1, pos); + while (!*pos) + { + randomizer->get_pseudo_random_bytes(randomizer, 1, pos); + } + pos++; + } + randomizer->destroy(randomizer); + } + + /* append the padding terminator */ + *pos++ = 0x00; + + /* now add the data */ + memcpy(pos, in.ptr, in.len); + *out = this->rsaep(this, em); + free(em.ptr); + return SUCCESS; +} + +/** * Implementation of rsa_public_key.verify_emsa_pkcs1_signature. */ static status_t verify_emsa_pkcs1_signature(const private_rsa_public_key_t *this, @@ -297,19 +347,30 @@ static size_t get_keysize(const private_rsa_public_key_t *this) */ chunk_t rsa_public_key_info_to_asn1(const mpz_t n, const mpz_t e) { - chunk_t rawKey = asn1_wrap(ASN1_SEQUENCE, "mm", + chunk_t publicKey = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_integer_from_mpz(n), asn1_integer_from_mpz(e)); - chunk_t publicKey; - u_char *pos = build_asn1_object(&publicKey, ASN1_BIT_STRING, 1 + rawKey.len); + return asn1_wrap(ASN1_SEQUENCE, "cm", + asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), + asn1_bitstring("m", publicKey)); +} - *pos++ = 0x00; - memcpy(pos, rawKey.ptr, rawKey.len); - free(rawKey.ptr); +/** + * Form the RSA keyid as a SHA-1 hash of a publicKeyInfo object + * Also used in rsa_private_key.c. + */ +chunk_t rsa_public_key_id_create(mpz_t n, mpz_t e) +{ + chunk_t keyid; + chunk_t publicKeyInfo = rsa_public_key_info_to_asn1(n, e); + hasher_t *hasher = hasher_create(HASH_SHA1); + + hasher->allocate_hash(hasher, publicKeyInfo, &keyid); + hasher->destroy(hasher); + free(publicKeyInfo.ptr); - return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_rsaEncryption_id, - publicKey); + return keyid; } /** @@ -328,6 +389,9 @@ static chunk_t get_keyid(const private_rsa_public_key_t *this) return this->keyid; } +/* forward declaration used by rsa_public_key_t.clone */ +private_rsa_public_key_t *rsa_public_key_create_empty(void); + /** * Implementation of rsa_public_key_t.clone. */ @@ -362,6 +426,7 @@ private_rsa_public_key_t *rsa_public_key_create_empty(void) private_rsa_public_key_t *this = malloc_thing(private_rsa_public_key_t); /* public functions */ + this->public.pkcs1_encrypt = (status_t (*) (rsa_public_key_t*,chunk_t,chunk_t*))pkcs1_encrypt; this->public.verify_emsa_pkcs1_signature = (status_t (*) (const rsa_public_key_t*,hash_algorithm_t,chunk_t,chunk_t))verify_emsa_pkcs1_signature; this->public.get_modulus = (mpz_t *(*) (const rsa_public_key_t*))get_modulus; this->public.get_keysize = (size_t (*) (const rsa_public_key_t*))get_keysize; @@ -380,6 +445,20 @@ private_rsa_public_key_t *rsa_public_key_create_empty(void) /* * See header */ +rsa_public_key_t *rsa_public_key_create(mpz_t n, mpz_t e) +{ + private_rsa_public_key_t *this = rsa_public_key_create_empty(); + + mpz_init_set(this->n, n); + mpz_init_set(this->e, e); + + this->k = (mpz_sizeinbase(n, 2) + 7) / BITS_PER_BYTE; + this->keyid = rsa_public_key_id_create(n, e); + return &this->public; +} +/* + * See header + */ rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t blob) { asn1_ctx_t ctx; @@ -412,19 +491,9 @@ rsa_public_key_t *rsa_public_key_create_from_chunk(chunk_t blob) } objectID++; } - - this->k = (mpz_sizeinbase(this->n, 2) + 7) / 8; - - /* form the keyid as a SHA-1 hash of a publicKeyInfo object */ - { - chunk_t publicKeyInfo = rsa_public_key_info_to_asn1(this->n, this->e); - hasher_t *hasher = hasher_create(HASH_SHA1); - - hasher->allocate_hash(hasher, publicKeyInfo, &this->keyid); - hasher->destroy(hasher); - free(publicKeyInfo.ptr); - } + this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE; + this->keyid = rsa_public_key_id_create(this->n, this->e); return &this->public; } diff --git a/src/libstrongswan/crypto/rsa/rsa_public_key.h b/src/libstrongswan/crypto/rsa/rsa_public_key.h index 0a40c2204..c0bd3e351 100644 --- a/src/libstrongswan/crypto/rsa/rsa_public_key.h +++ b/src/libstrongswan/crypto/rsa/rsa_public_key.h @@ -6,8 +6,10 @@ */ /* - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter + * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2007-2008 Andreas Steffen + * * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -20,7 +22,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: rsa_public_key.h 3303 2007-10-12 22:49:39Z andreas $ + * RCSID $Id: rsa_public_key.h 3423 2008-01-22 10:32:37Z andreas $ */ #ifndef RSA_PUBLIC_KEY_H_ @@ -40,20 +42,29 @@ typedef struct rsa_public_key_t rsa_public_key_t; * the EMSA encoding (see PKCS1) * * @b Constructors: + * - rsa_public_key_create() * - rsa_public_key_create_from_chunk() * - rsa_public_key_create_from_file() - * - rsa_private_key_t.get_public_key() - * - * @see rsa_private_key_t - * - * @todo Implement getkey() and savekey() - * + * * @ingroup rsa */ struct rsa_public_key_t { /** - * @brief Verify a EMSA-PKCS1 encodined signature. + * @brief Encrypt a data block using EME-PKCS1 encoding. + * + * + * @param this calling object + * @param data plaintext input data + * @param out encrypted output data + * @return + * - SUCCESS + * - FAILED if data block is too large + */ + status_t (*pkcs1_encrypt) (rsa_public_key_t *this, chunk_t in, chunk_t *out); + + /** + * @brief Verify an EMSA-PKCS1 encoded signature. * * Processes the supplied signature with the RSAVP1 function, * selects the hash algorithm form the resultign ASN1-OID and @@ -123,6 +134,17 @@ struct rsa_public_key_t { }; /** + * @brief Create a RSA public key from modulus and public exponent. + * + * @param n modulus + * @param e public exponent + * @return created rsa_public_key_t + * + * @ingroup rsa + */ +rsa_public_key_t *rsa_public_key_create(mpz_t n, mpz_t e); + +/** * @brief Load an RSA public key from a chunk. * * Load a key from a chunk, encoded in the more frequently diff --git a/src/libstrongswan/crypto/x509.c b/src/libstrongswan/crypto/x509.c index 6f154b36f..eadf11327 100755 --- a/src/libstrongswan/crypto/x509.c +++ b/src/libstrongswan/crypto/x509.c @@ -9,8 +9,8 @@ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss * Copyright (C) 2002 Mario Strasser - * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur - * Copyright (C) 2006 Martin Willi, Andreas Steffen + * Copyright (C) 2006 Martin Willi + * Copyright (C) 2000-2008 Andreas Steffen * * Hochschule fuer Technik Rapperswil * @@ -24,7 +24,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: x509.c 3355 2007-11-20 12:06:40Z martin $ + * RCSID $Id: x509.c 3423 2008-01-22 10:32:37Z andreas $ */ #include <gmp.h> @@ -514,7 +514,7 @@ static identification_t *parse_generalName(chunk_t blob, int level0) id_type = ID_DER_ASN1_DN; break; case GN_OBJ_IP_ADDRESS: - id_type = ID_IPV4_ADDR; + id_type = (object.len == 4)? ID_IPV4_ADDR : ID_IPV6_ADDR; break; case GN_OBJ_OTHER_NAME: if (!parse_otherName(object, level + 1)) @@ -1243,6 +1243,22 @@ static void list(private_x509_t *this, FILE *out, bool utc) } } +/** + * Implements x509_t.add_subjectAltNames. + */ +static void add_subjectAltNames(private_x509_t *this, linked_list_t *subjectAltNames) +{ + iterator_t *iterator = subjectAltNames->create_iterator(subjectAltNames, TRUE); + identification_t *name = NULL; + + while (iterator->iterate(iterator, (void**)&name)) + { + name = name->clone(name); + this->subjectAltNames->insert_last(this->subjectAltNames, (void*)name); + } + iterator->destroy(iterator); +} + /* * Defined in header. */ @@ -1251,12 +1267,13 @@ chunk_t x509_build_generalNames(linked_list_t *list) linked_list_t *generalNames = linked_list_create(); iterator_t *iterator = list->create_iterator(list, TRUE); identification_t *name; + chunk_t names = chunk_empty; size_t len = 0; while (iterator->iterate(iterator, (void**)&name)) { asn1_t asn1_type = ASN1_EOC; - chunk_t *generalName = malloc_thing(chunk_t); + chunk_t *generalName; switch (name->get_type(name)) { @@ -1273,22 +1290,24 @@ chunk_t x509_build_generalNames(linked_list_t *list) asn1_type = ASN1_CONTEXT_S_6; break; case ID_IPV4_ADDR: + case ID_IPV6_ADDR: asn1_type = ASN1_CONTEXT_S_7; break; default: continue; } + generalName = malloc_thing(chunk_t); *generalName = asn1_simple_object(asn1_type, name->get_encoding(name)); len += generalName->len; - generalNames->insert_last(generalNames, generalName); + generalNames->insert_last(generalNames, (void*)generalName); } iterator->destroy(iterator); if (len > 0) { iterator_t *iterator = generalNames->create_iterator(generalNames, TRUE); - chunk_t names, *generalName; + chunk_t *generalName; u_char *pos = build_asn1_object(&names, ASN1_SEQUENCE, len); while (iterator->iterate(iterator, (void**)&generalName)) @@ -1299,14 +1318,9 @@ chunk_t x509_build_generalNames(linked_list_t *list) free(generalName); } iterator->destroy(iterator); - generalNames->destroy(generalNames); - - return asn1_wrap(ASN1_OCTET_STRING, "m", names); - } - else - { - return chunk_empty; } + generalNames->destroy(generalNames); + return names; } /* @@ -1330,11 +1344,54 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) } /** + * Build a to-be-signed X.509 certificate body + */ +static chunk_t x509_build_tbs(private_x509_t *this) +{ + /* version is always X.509v3 */ + chunk_t version = asn1_simple_object(ASN1_CONTEXT_C_0, ASN1_INTEGER_2); + + chunk_t extensions = chunk_empty; + + if (this->subjectAltNames->get_count(this->subjectAltNames)) + { + extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m", + asn1_wrap(ASN1_SEQUENCE, "m", + x509_build_subjectAltNames(this->subjectAltNames))); + } + + return asn1_wrap(ASN1_SEQUENCE, "mmccmcmm", + version, + asn1_simple_object(ASN1_INTEGER, this->serialNumber), + asn1_algorithmIdentifier(this->signatureAlgorithm), + this->issuer->get_encoding(this->issuer), + asn1_wrap(ASN1_SEQUENCE, "mm", + timetoasn1(&this->notBefore, ASN1_UTCTIME), + timetoasn1(&this->notAfter, ASN1_UTCTIME) + ), + this->subject->get_encoding(this->subject), + this->public_key->get_publicKeyInfo(this->public_key), + extensions + ); +} + +/** * Implementation of x509_t.build_encoding. */ static void build_encoding(private_x509_t *this, hash_algorithm_t alg, rsa_private_key_t *private_key) { + chunk_t signature; + + this->signatureAlgorithm = hasher_signature_algorithm_to_oid(alg); + this->tbsCertificate = x509_build_tbs(this); + private_key->build_emsa_pkcs1_signature(private_key, alg, + this->tbsCertificate, &signature); + this->signature = asn1_bitstring("m", signature); + this->certificate = asn1_wrap(ASN1_SEQUENCE, "mcm", + this->tbsCertificate, + asn1_algorithmIdentifier(this->signatureAlgorithm), + this->signature); } @@ -1408,6 +1465,7 @@ static private_x509_t *x509_create_empty(void) this->public.create_ocspuri_iterator = (iterator_t* (*) (const x509_t*))create_ocspuri_iterator; this->public.verify = (bool (*) (const x509_t*,const rsa_public_key_t*))verify; this->public.list = (void (*) (x509_t*, FILE *out, bool utc))list; + this->public.add_subjectAltNames = (void (*) (x509_t*,linked_list_t*))add_subjectAltNames; this->public.build_encoding = (void (*) (x509_t*,hash_algorithm_t,rsa_private_key_t*))build_encoding; this->public.destroy = (void (*) (x509_t*))destroy; @@ -1417,13 +1475,19 @@ static private_x509_t *x509_create_empty(void) /* * Described in header. */ -x509_t *x509_create_(chunk_t serialNumber, identification_t *issuer, identification_t *subject) +x509_t *x509_create(chunk_t serialNumber, identification_t *issuer, + time_t notBefore, time_t notAfter, + identification_t *subject, + rsa_public_key_t *public_key) { private_x509_t *this = x509_create_empty(); this->serialNumber = serialNumber; this->issuer = issuer->clone(issuer); + this->notBefore = notBefore; + this->notAfter = notAfter; this->subject = subject->clone(subject); + this->public_key = public_key->clone(public_key); return &this->public; } diff --git a/src/libstrongswan/crypto/x509.h b/src/libstrongswan/crypto/x509.h index 1ab267dac..def45be6b 100755 --- a/src/libstrongswan/crypto/x509.h +++ b/src/libstrongswan/crypto/x509.h @@ -9,8 +9,8 @@ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss * Copyright (C) 2002 Mario Strasser - * Copyright (C) 2000-2004 Andreas Steffen, Zuercher Hochschule Winterthur - * Copyright (C) 2006 Martin Willi, Andreas Steffen + * Copyright (C) 2006 Martin Willi + * Copyright (C) 2000-2008 Andreas Steffen * * Hochschule fuer Technik Rapperswil * @@ -24,7 +24,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: x509.h 3301 2007-10-12 21:56:30Z andreas $ + * RCSID $Id: x509.h 3421 2008-01-22 01:09:19Z andreas $ */ #ifndef X509_H_ @@ -327,6 +327,7 @@ struct x509_t { * @param notBefore start date of validity * @param notAfter end date of validity * @param subject subject distinguished name + * @param public_key public key * * @return created x509_t certificate, or NULL if invalid. * @@ -334,7 +335,8 @@ struct x509_t { */ x509_t *x509_create(chunk_t serialNumber, identification_t *issuer, time_t notBefore, time_t notAfter, - identification_t *subject); + identification_t *subject, + rsa_public_key_t *public_key); /** * @brief Read a X.509 certificate from a DER encoded blob. diff --git a/src/libstrongswan/utils/linked_list.c b/src/libstrongswan/utils/linked_list.c index 5cd8ffd7a..63e1bcfbf 100644 --- a/src/libstrongswan/utils/linked_list.c +++ b/src/libstrongswan/utils/linked_list.c @@ -677,6 +677,52 @@ static status_t get_last(private_linked_list_t *this, void **item) } /** + * Implementation of linked_list_t.find_first. + */ +static status_t find_first(private_linked_list_t *this, linked_list_match_t match, + void **item, void *d1, void *d2, void *d3, void *d4, void *d5) +{ + element_t *current = this->first; + + while (current) + { + if (match(current->value, d1, d2, d3, d4, d5)) + { + if (item != NULL) + { + *item = current->value; + } + return SUCCESS; + } + current = current->next; + } + return NOT_FOUND; +} + +/** + * Implementation of linked_list_t.find_last. + */ +static status_t find_last(private_linked_list_t *this, linked_list_match_t match, + void **item, void *d1, void *d2, void *d3, void *d4, void *d5) +{ + element_t *current = this->last; + + while (current) + { + if (match(current->value, d1, d2, d3, d4, d5)) + { + if (item != NULL) + { + *item = current->value; + } + return SUCCESS; + } + current = current->previous; + } + return NOT_FOUND; +} + +/** * Implementation of linked_list_t.invoke_offset. */ static void invoke_offset(private_linked_list_t *this, size_t offset) @@ -843,6 +889,8 @@ linked_list_t *linked_list_create() this->public.create_enumerator = (enumerator_t*(*)(linked_list_t*))create_enumerator; this->public.get_first = (status_t (*) (linked_list_t *, void **item))get_first; this->public.get_last = (status_t (*) (linked_list_t *, void **item))get_last; + this->public.find_first = (status_t (*) (linked_list_t *, linked_list_match_t,void**,...))find_first; + this->public.find_last = (status_t (*) (linked_list_t *, linked_list_match_t,void**,...))find_last; this->public.insert_first = (void (*) (linked_list_t *, void *item))insert_first; this->public.insert_last = (void (*) (linked_list_t *, void *item))insert_last; this->public.remove_first = (status_t (*) (linked_list_t *, void **item))remove_first; diff --git a/src/libstrongswan/utils/linked_list.h b/src/libstrongswan/utils/linked_list.h index ebe5c187c..ac36ef46d 100644 --- a/src/libstrongswan/utils/linked_list.h +++ b/src/libstrongswan/utils/linked_list.h @@ -33,6 +33,19 @@ typedef struct linked_list_t linked_list_t; #include <utils/iterator.h> #include <utils/enumerator.h> + +/** + * Method to match elements in a linked list (used in find_* functions) + * + * @param item current list item + * @param ... user supplied data (only pointers, at most 5) + * @return + * - TRUE, if the item matched + * - FALSE, otherwise + * @ingroup utils + */ +typedef bool (*linked_list_match_t)(void *item, ...); + /** * @brief Class implementing a double linked list. * @@ -187,6 +200,50 @@ struct linked_list_t { */ status_t (*get_last) (linked_list_t *this, void **item); + /** @brief Find the first matching element in the list. + * + * The first object passed to the match function is the current list item, + * followed by the user supplied data. + * If the supplied function returns TRUE this function returns SUCCESS, and + * the current object is returned in the third parameter, otherwise, + * the next item is checked. + * + * @warning Only use pointers as user supplied data. + * + * @param this calling object + * @param match comparison function to call on each object + * @param[out] item + * - the list item, if found + * - NULL, otherwise + * @param ... user data to supply to match function (limited to 5 arguments) + * @return + * - SUCCESS, if found + * - NOT_FOUND, otherwise + */ + status_t (*find_first) (linked_list_t *this, linked_list_match_t match, void **item, ...); + + /** @brief Find the last matching element in the list. + * + * The first object passed to the match function is the current list item, + * followed by the user supplied data. + * If the supplied function returns TRUE this function returns SUCCESS, and + * the current object is returned in the third parameter, otherwise, + * the next item is checked. + * + * @warning Only use pointers as user supplied data. + * + * @param this calling object + * @param match comparison function to call on each object + * @param[out] item + * - the list item, if found + * - NULL, otherwise + * @param ... user data to supply to match function (limited to 5 arguments) + * @return + * - SUCCESS, if found + * - NOT_FOUND, otherwise + */ + status_t (*find_last) (linked_list_t *this, linked_list_match_t match, void **item, ...); + /** * @brief Invoke a method on all of the contained objects. * diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c index ffa571b05..39e38cc58 100644 --- a/src/libstrongswan/utils/optionsfrom.c +++ b/src/libstrongswan/utils/optionsfrom.c @@ -6,8 +6,10 @@ */ /* - * Copyright (C) 1998, 1999 Henry Spencer. - * + * Copyright (C) 2007-2008 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil + * * This library is free software; you can redistribute it and/or modify it * under the terms of the GNU Library General Public License as published by * the Free Software Foundation; either version 2 of the License, or (at your @@ -18,6 +20,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public * License for more details. * + * RCSID $Id$ */ #include <stdio.h> @@ -30,29 +33,64 @@ #include "optionsfrom.h" #define MAX_USES 20 /* loop-detection limit */ -#define SOME_ARGS 10 /* first guess at how many arguments we'll need */ +#define MORE_ARGS 10 /* first guess at how many arguments we'll need */ /* * Defined in header. */ -bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind) -{ - static int nuses = 0; + +typedef struct private_options_t private_options_t; + +/** + * Private data of a options_t object. + */ +struct private_options_t { + /** + * Public interface + */ + options_t public; + + /** + * reallocated argv array + */ char **newargv; + + /** + * number of free arguments in newargv + */ + int room; + + /** + * number of included option files + */ + int nuses; + + /** + * allocated space for option files + */ + char *buffers[MAX_USES]; +}; + +/** + * Defined in header + */ +bool from(private_options_t *this, char *filename, int *argcp, char **argvp[], + int optind) +{ int newargc; int next; /* place for next argument */ - int room; /* how many more new arguments we can hold */ + char **newargv; size_t bytes; - chunk_t chunk, src, line, token; + chunk_t src, line, token; bool good = TRUE; int linepos = 0; FILE *fd; /* avoid endless loops with recursive --optionsfrom arguments */ - nuses++; - if (nuses >= MAX_USES) + this->nuses++; + if (this->nuses >= MAX_USES) { - DBG1("optionsfrom called %d times - looping?", (*argvp)[0], nuses); + DBG1("optionsfrom called %d times by \"%s\" - looping?", this->nuses + 1, (*argvp)[0]); return FALSE; } @@ -66,26 +104,31 @@ bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind) /* determine the file size */ fseek(fd, 0, SEEK_END); - chunk.len = ftell(fd); + src.len = ftell(fd); rewind(fd); /* allocate one byte more just in case of a missing final newline */ - chunk.ptr = malloc(chunk.len + 1); + src.ptr = this->buffers[this->nuses] = malloc(src.len + 1); /* read the whole file into a chunk */ - bytes = fread(chunk.ptr, 1, chunk.len, fd); + bytes = fread(src.ptr, 1, src.len, fd); fclose(fd); - newargc = *argcp + SOME_ARGS; - newargv = malloc((newargc + 1) * sizeof(char *)); + if (this->room) + { + newargc = *argcp; + newargv = malloc((newargc + 1 + this->room) * sizeof(char *)); + } + else + { + newargc = *argcp + MORE_ARGS; + this->room = MORE_ARGS; + newargv = malloc((newargc + 1) * sizeof(char *)); + } memcpy(newargv, *argvp, optind * sizeof(char *)); - room = SOME_ARGS; next = optind; newargv[next] = NULL; - /* we keep the chunk pointer so that we can still free it */ - src = chunk; - while (fetchline(&src, &line) && good) { linepos++; @@ -116,11 +159,11 @@ bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind) } /* do we have to allocate more memory for additional arguments? */ - if (room == 0) + if (this->room == 0) { - newargc += SOME_ARGS; - newargv = realloc(newargv, (newargc+1) * sizeof(char *)); - room = SOME_ARGS; + newargc += MORE_ARGS; + newargv = realloc(newargv, (newargc + 1) * sizeof(char *)); + this->room = MORE_ARGS; } /* terminate the token by replacing the delimiter with a null character */ @@ -129,20 +172,54 @@ bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind) /* assign the token to the next argument */ newargv[next] = token.ptr; next++; - room--; + this->room--; } } - if (!good) /* error of some kind */ + /* assign newargv to argv */ + if (good) { - free(chunk.ptr); - free(newargv); - return FALSE; + memcpy(newargv + next, *argvp + optind, (*argcp + 1 - optind) * sizeof(char *)); + *argcp += next - optind; + *argvp = newargv; } - memcpy(newargv + next, *argvp + optind, (*argcp + 1 - optind) * sizeof(char *)); - *argcp += next - optind; - *argvp = newargv; - return TRUE; + /* keep a pointer to the latest newargv and free any earlier version */ + free(this->newargv); + this->newargv = newargv; + + return good; +} + +/** + * Defined in header + */ +void destroy(private_options_t *this) +{ + while (this->nuses >= 0) + { + free(this->buffers[this->nuses--]); + } + free(this->newargv); + free(this); } +/* + * Defined in header + */ +options_t *options_create(void) +{ + private_options_t *this = malloc_thing(private_options_t); + + /* initialize */ + this->newargv = NULL; + this->room = 0; + this->nuses = -1; + memset(this->buffers, '\0', MAX_USES); + + /* public functions */ + this->public.from = (bool (*) (options_t*,char*,int*,char***,int))from; + this->public.destroy = (void (*) (options_t*))destroy; + + return &this->public; +} diff --git a/src/libstrongswan/utils/optionsfrom.h b/src/libstrongswan/utils/optionsfrom.h index d6b9efde5..0014cec36 100644 --- a/src/libstrongswan/utils/optionsfrom.h +++ b/src/libstrongswan/utils/optionsfrom.h @@ -6,8 +6,9 @@ */ /* - * Copyright (C) 1998, 1999 Henry Spencer. - * Copyright (C) 2007 Andreas Steffen, Hochschule fuer Technik Rapperswil + * Copyright (C) 2007-2008 Andreas Steffen + * + * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -18,20 +19,51 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * RCSID $Id$ */ #ifndef OPTIONSFROM_H_ #define OPTIONSFROM_H_ +typedef struct options_t options_t; + /** - * @brief Pick up more options from a file, in the middle of an option scan + * @brief options object. * - * @param filename file containing the options - * @param argcp pointer to argc - * @param argvp pointer to argv[] - * @param optind current optind, number of next argument - * @return TRUE if optionsfrom parsing successful + * @b Constructors: + * - options_create() + * + * @ingroup utils + */ +struct options_t { + /** + * @brief Check if the PKCS#7 contentType is data + * + * @param this calling object + * @param filename file containing the options + * @param argcp pointer to argc + * @param argvp pointer to argv[] + * @param optind current optind, number of next argument + * @return TRUE if optionsfrom parsing successful + */ + bool (*from) (options_t * this, char *filename, int *argcp, char **argvp[], int optind); + + /** + * @brief Destroys the options_t object. + * + * @param this options_t object to destroy + */ + void (*destroy) (options_t *this); +}; + +/** + * @brief Create an options object. + * + * @return created options_t object + * + * @ingroup utils */ -bool optionsfrom(const char *filename, int *argcp, char **argvp[], int optind); +options_t *options_create(void); #endif /*OPTIONSFROM_H_*/ diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 3830d37fc..d8cb38881 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -221,11 +221,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/manager/lib/request.c b/src/manager/lib/request.c index 2e18bded5..bbaec10cc 100644 --- a/src/manager/lib/request.c +++ b/src/manager/lib/request.c @@ -27,6 +27,7 @@ #include <library.h> #include <stdlib.h> #include <string.h> +#include <pthread.h> #include <ClearSilver/ClearSilver.h> typedef struct private_request_t private_request_t; @@ -58,22 +59,28 @@ struct private_request_t { }; /** - * thread specific FCGX_Request, used for ClearSilver cgiwrap callbacks. - * ClearSilver cgiwrap is not threadsave, so we use a private + * key to a thread specific FCGX_Request, used for ClearSilver cgiwrap callbacks. + * ClearSilver cgiwrap is not threadsave, so we use a private * context for each thread. */ -static __thread FCGX_Request *req; +static pthread_key_t req_key; /** * length of param list in req->envp */ -static __thread int req_env_len; +static pthread_key_t req_env_len_key; + +/** + * control variable for pthread_once + */ +pthread_once_t once = PTHREAD_ONCE_INIT; /** * fcgiwrap read callback */ static int read_cb(void *null, char *buf, int size) { + FCGX_Request *req = (FCGX_Request*)pthread_getspecific(req_key); return FCGX_GetStr(buf, size, req->in); } @@ -82,6 +89,7 @@ static int read_cb(void *null, char *buf, int size) */ static int writef_cb(void *null, const char *format, va_list args) { + FCGX_Request *req = (FCGX_Request*)pthread_getspecific(req_key); FCGX_VFPrintF(req->out, format, args); return 0; } @@ -90,6 +98,7 @@ static int writef_cb(void *null, const char *format, va_list args) */ static int write_cb(void *null, const char *buf, int size) { + FCGX_Request *req = (FCGX_Request*)pthread_getspecific(req_key); return FCGX_PutStr(buf, size, req->out); } @@ -99,7 +108,7 @@ static int write_cb(void *null, const char *buf, int size) static char *getenv_cb(void *null, const char *key) { char *value; - + FCGX_Request *req = (FCGX_Request*)pthread_getspecific(req_key); value = FCGX_GetParam(key, req->envp); return value ? strdup(value) : NULL; } @@ -120,7 +129,8 @@ static int iterenv_cb(void *null, int num, char **key, char **value) { *key = NULL; *value = NULL; - + FCGX_Request *req = (FCGX_Request*)pthread_getspecific(req_key); + int req_env_len = (int)pthread_getspecific(req_env_len_key); if (num < req_env_len) { char *eq; @@ -256,13 +266,24 @@ static void destroy(private_request_t *this) free(this); } +/** + * This initialization method is guaranteed to run only once + * for all threads. + */ +static void init(void) +{ + cgiwrap_init_emu(NULL, read_cb, writef_cb, write_cb, + getenv_cb, putenv_cb, iterenv_cb); + pthread_key_create(&req_key, NULL); + pthread_key_create(&req_env_len_key, NULL); +} + /* * see header file */ request_t *request_create(FCGX_Request *request, bool debug) { NEOERR* err; - static bool initialized = FALSE; private_request_t *this = malloc_thing(private_request_t); this->public.get_path = (char*(*)(request_t*))get_path; @@ -277,21 +298,19 @@ request_t *request_create(FCGX_Request *request, bool debug) this->public.setf = (void(*)(request_t*, char *format, ...))setf; this->public.destroy = (void(*)(request_t*))destroy; - if (!initialized) - { - cgiwrap_init_emu(NULL, read_cb, writef_cb, write_cb, - getenv_cb, putenv_cb, iterenv_cb); - initialized = TRUE; - } + pthread_once(&once, init); this->req = request; - req = request; - req_env_len = 0; - while (req->envp[req_env_len] != NULL) + pthread_setspecific(req_key, (void*)request); + + int req_env_len = 0; + while (request->envp[req_env_len] != NULL) { req_env_len++; } + pthread_setspecific(req_env_len_key, (void*)req_env_len); + err = hdf_init(&this->hdf); if (!err) { diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index d0f7817dc..3cca270a7 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -187,11 +187,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/openac/build.c b/src/openac/build.c index d03e73048..40c8b7964 100644 --- a/src/openac/build.c +++ b/src/openac/build.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: build.c 3270 2007-10-08 20:09:57Z andreas $ + * RCSID $Id: build.c 3424 2008-01-22 10:34:44Z andreas $ */ #include <stdlib.h> @@ -167,7 +167,7 @@ static chunk_t build_attr_cert_info(void) ASN1_INTEGER_1, build_holder(), build_v2_form(), - ASN1_sha1WithRSA_id, + asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), asn1_simple_object(ASN1_INTEGER, serial), build_attr_cert_validity(), build_attributes(), @@ -180,21 +180,14 @@ static chunk_t build_attr_cert_info(void) */ chunk_t build_attr_cert(void) { - u_char *pos; - chunk_t rawSignature, signatureValue; + chunk_t signatureValue; chunk_t attributeCertificateInfo = build_attr_cert_info(); - /* build the signature */ signerkey->build_emsa_pkcs1_signature(signerkey, HASH_SHA1, - attributeCertificateInfo, &rawSignature); - pos = build_asn1_object(&signatureValue, ASN1_BIT_STRING, - 1 + rawSignature.len); - *pos++ = 0x00; - memcpy(pos, rawSignature.ptr, rawSignature.len); - free(rawSignature.ptr); + attributeCertificateInfo, &signatureValue); return asn1_wrap(ASN1_SEQUENCE, "mcm", attributeCertificateInfo, - ASN1_sha1WithRSA_id, - signatureValue); + asn1_algorithmIdentifier(OID_SHA1_WITH_RSA), + asn1_bitstring("m", signatureValue)); } diff --git a/src/openac/openac.c b/src/openac/openac.c index 075f0039a..3d82940c2 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -20,7 +20,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: openac.c 3305 2007-10-17 02:55:17Z andreas $ + * RCSID $Id: openac.c 3442 2008-02-04 14:46:43Z andreas $ */ #include <stdio.h> @@ -234,6 +234,8 @@ int main(int argc, char **argv) time_t validity = 0; int status = 1; + options_t *options = options_create(); + /* enable openac debugging hook */ dbg = openac_dbg; @@ -300,7 +302,7 @@ int main(int argc, char **argv) { snprintf(path, BUF_LEN, "%s/%s", OPENAC_PATH, optarg); } - if (!optionsfrom(path, &argc, &argv, optind)) + if (!options->from(options, path, &argc, &argv, optind)) { status = 1; goto end; @@ -509,5 +511,6 @@ end: free(serial.ptr); closelog(); dbg = dbg_default; + options->destroy(options); exit(status); } diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 77a0a7548..a9ae01d65 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -237,11 +237,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/pluto/asn1.c b/src/pluto/asn1.c index 0e50b8211..7436d4d1a 100644 --- a/src/pluto/asn1.c +++ b/src/pluto/asn1.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: asn1.c 3252 2007-10-06 21:24:50Z andreas $ + * RCSID $Id: asn1.c 3451 2008-02-05 19:27:05Z andreas $ */ #include <stdlib.h> @@ -758,13 +758,23 @@ is_asn1(chunk_t blob) ) return FALSE; } + len = asn1_length(&blob); - if (len != blob.len) + + /* exact match */ + if (len == blob.len) { - DBG(DBG_PARSING, - DBG_log(" file size does not match ASN.1 coded length"); - ) - return FALSE; + return TRUE; } - return TRUE; + + /* some websites append a surplus newline character to the blob */ + if (len + 1 == blob.len && *(blob.ptr + len) == '\n') + { + return TRUE; + } + + DBG(DBG_PARSING, + DBG_log(" file size does not match ASN.1 coded length"); + ) + return FALSE; } diff --git a/src/pluto/pkcs1.c b/src/pluto/pkcs1.c index bb8afde0a..49a06a8bc 100644 --- a/src/pluto/pkcs1.c +++ b/src/pluto/pkcs1.c @@ -13,7 +13,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: pkcs1.c 3252 2007-10-06 21:24:50Z andreas $ + * RCSID $Id: pkcs1.c 3427 2008-01-27 20:17:15Z andreas $ */ #include <stddef.h> @@ -442,11 +442,13 @@ RSA_encrypt(const RSA_public_key_t *key, chunk_t in) *pos++ = 0x02; /* pad with pseudo random bytes unequal to zero */ - get_rnd_bytes(pos, padding); for (i = 0; i < padding; i++) { + get_rnd_bytes(pos, padding); while (!*pos) - get_rnd_bytes(pos, 1); + { + get_rnd_bytes(pos, 1); + } pos++; } diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c index 0e6e3d9b7..c31a4195b 100644 --- a/src/pluto/vendor.c +++ b/src/pluto/vendor.c @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: vendor.c 3380 2007-12-04 23:54:32Z andreas $ + * RCSID $Id: vendor.c 3472 2008-02-14 21:26:21Z andreas $ */ #include <stdlib.h> @@ -206,7 +206,8 @@ static struct vid_struct _vid_tab[] = { /* * strongSwan */ - DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.10") + DEC_MD5_VID(STRONGSWAN, "strongSwan 4.1.11") + DEC_MD5_VID(STRONGSWAN_4_1_10,"strongSwan 4.1.10") DEC_MD5_VID(STRONGSWAN_4_1_9, "strongSwan 4.1.9") DEC_MD5_VID(STRONGSWAN_4_1_8, "strongSwan 4.1.8") DEC_MD5_VID(STRONGSWAN_4_1_7, "strongSwan 4.1.7") diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h index d0853b08c..03d2fde77 100644 --- a/src/pluto/vendor.h +++ b/src/pluto/vendor.h @@ -11,7 +11,7 @@ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * - * RCSID $Id: vendor.h 3380 2007-12-04 23:54:32Z andreas $ + * RCSID $Id: vendor.h 3413 2007-12-24 18:07:55Z andreas $ */ #ifndef _VENDOR_H_ @@ -113,6 +113,7 @@ enum known_vendorid { VID_STRONGSWAN_4_1_7 = 95, VID_STRONGSWAN_4_1_8 = 96, VID_STRONGSWAN_4_1_9 = 97, + VID_STRONGSWAN_4_1_10 = 98, /* 101 - 200 : NAT-Traversal */ VID_NATT_STENBERG_01 =101, diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index 52304d44a..1f0cbf48f 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -198,11 +198,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 509ec6668..a9e86fab0 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -194,11 +194,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index dbb15c0e0..ad3df98d5 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -182,11 +182,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index 44ac0c8da..258102021 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -182,11 +182,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/testing/INSTALL b/testing/INSTALL index 079bf7f41..39338b6bd 100644 --- a/testing/INSTALL +++ b/testing/INSTALL @@ -53,7 +53,7 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.23.11.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.24.2.tar.bz2 * Starting with Linux kernel 2.6.9 no patch must be applied any more in order to make the vanilla kernel UML-capable. For older kernels you'll find @@ -63,7 +63,7 @@ are required for the strongSwan testing environment: * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.23 + http://download.strongswan.org/uml/.config-2.6.24 * A gentoo-based UML file system (compressed size 130 MBytes) found at @@ -71,7 +71,7 @@ are required for the strongSwan testing environment: * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.1.10.tar.gz + http://download.strongswan.org/strongswan-4.1.11.tar.gz 3. Creating the environment @@ -146,5 +146,5 @@ README document. ----------------------------------------------------------------------------- -This file is RCSID $Id: INSTALL 3410 2007-12-19 21:01:19Z andreas $ +This file is RCSID $Id: INSTALL 3472 2008-02-14 21:26:21Z andreas $ diff --git a/testing/Makefile.in b/testing/Makefile.in index 234607599..d132220fb 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -163,11 +163,13 @@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ piddir = @piddir@ +plugindir = @plugindir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ +simreader = @simreader@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index b205f62a6..48d74950f 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -14,7 +14,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: build-umlrootfs 3404 2007-12-19 00:47:56Z andreas $ +# RCSID $Id: build-umlrootfs 3471 2008-02-14 21:25:38Z andreas $ DIR=`dirname $0` @@ -146,6 +146,11 @@ then echo -n " --enable-eap-aka" >> $INSTALLSHELL fi +if [ "$USE_EAP_SIM" = "yes" ] +then + echo -n " --enable-eap-sim" >> $INSTALLSHELL + fi + if [ "$USE_P2P" = "yes" ] then echo -n " --enable-p2p" >> $INSTALLSHELL diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls index 91ec00b60..b953ddeac 100755 --- a/testing/scripts/kstart-umls +++ b/testing/scripts/kstart-umls @@ -14,7 +14,7 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. # -# RCSID $Id: kstart-umls 3273 2007-10-08 20:18:34Z andreas $ +# RCSID $Id: kstart-umls 3470 2008-02-14 21:24:54Z andreas $ DIR=`dirname $0` @@ -116,6 +116,12 @@ do else cgecho "up" fi + + if [ "$host" = "alice" ] + then + eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`" + ssh $ipv4_alice /etc/init.d/net.eth1 stop + fi done cecho " * All uml instances are up now" diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat index f5aa989fe..89e487ad3 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat @@ -2,3 +2,4 @@ carol::ipsec start moon::ipsec start carol::sleep 2 carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/description.txt b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt new file mode 100644 index 000000000..5fc75e1b1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/description.txt @@ -0,0 +1,7 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +<b>carol</b> uses the <i>Extensible Authentication Protocol</i> +in association with a GSM <i>Subscriber Identity Module</i> (<b>EAP-SIM</b>) +to authenticate against the gateway. In this scenario triplets from the file +<b>/etc/ipsec.d/triplets.dat</b> are used instead of a physical SIM card. +Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate +itself against <b>carol</b>. diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat new file mode 100644 index 000000000..194434a1e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-eapsim.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + + diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c2fe02639 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=eap + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..759585439 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +moon.strongswan.org,100,210,310 +moon.strongswan.org,200,220,320 +moon.strongswan.org,300,230,330 diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3f88b2ade --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eapsim + authby=rsasig + eap=sim + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftfirewall=yes + rightid=*@strongswan.org + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..b15a1dd72 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +carol@strongswan.org,100,210,310 +carol@strongswan.org,200,220,320 +carol@strongswan.org,300,230,330 diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat new file mode 100644 index 000000000..23c7a62b2 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::cat /etc/ipsec.d/triplets.dat +carol::cat /etc/ipsec.d/triplets.dat +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf new file mode 100644 index 000000000..2bd21499b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" |