summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2015-04-11 22:03:59 +0200
committerYves-Alexis Perez <corsac@debian.org>2015-04-11 22:03:59 +0200
commit83b8aebb19fe6e49e13a05d4e8f5ab9a06177642 (patch)
tree51255545ba43b84aa5d673bd0eb557cbd0155c9e
parent2b8de74ff4c334c25e89988c4a401b24b5bcf03d (diff)
downloadvyos-strongswan-83b8aebb19fe6e49e13a05d4e8f5ab9a06177642.tar.gz
vyos-strongswan-83b8aebb19fe6e49e13a05d4e8f5ab9a06177642.zip
Imported Upstream version 5.3.0
-rw-r--r--Android.common.mk2
-rw-r--r--Doxyfile.in2
-rw-r--r--Makefile.am2
-rw-r--r--Makefile.in7
-rw-r--r--NEWS83
-rw-r--r--conf/Makefile.am3
-rw-r--r--conf/Makefile.in8
-rw-r--r--conf/options/charon.conf13
-rw-r--r--conf/options/charon.opt32
-rw-r--r--conf/plugins/bliss.conf11
-rw-r--r--conf/plugins/bliss.opt2
-rw-r--r--conf/plugins/forecast.conf17
-rw-r--r--conf/plugins/forecast.opt29
-rw-r--r--conf/plugins/imc-attestation.opt18
-rw-r--r--conf/plugins/imv-attestation.opt18
-rw-r--r--conf/plugins/kernel-netlink.conf21
-rw-r--r--conf/plugins/kernel-netlink.opt32
-rw-r--r--conf/plugins/kernel-pfkey.conf11
-rw-r--r--conf/plugins/kernel-pfkey.opt7
-rw-r--r--conf/plugins/tnccs-20.conf13
-rw-r--r--conf/plugins/tnccs-20.opt9
-rw-r--r--conf/strongswan.conf.5.main125
-rwxr-xr-xconfigure584
-rw-r--r--configure.ac77
-rw-r--r--init/Makefile.in5
-rw-r--r--init/systemd-swanctl/Makefile.in5
-rw-r--r--init/systemd/Makefile.in5
-rw-r--r--man/Makefile.in5
-rw-r--r--man/ipsec.conf.5.in145
-rw-r--r--scripts/Makefile.in5
-rw-r--r--scripts/dh_speed.c10
-rw-r--r--src/Makefile.am2
-rw-r--r--src/Makefile.in13
-rw-r--r--src/_copyright/Makefile.in5
-rw-r--r--src/_updown/Makefile.am1
-rw-r--r--src/_updown/Makefile.in76
-rw-r--r--src/_updown/_updown.816
-rw-r--r--src/_updown/_updown.in201
-rw-r--r--src/_updown_espmark/Makefile.am2
-rw-r--r--src/_updown_espmark/_updown_espmark438
-rw-r--r--src/_updown_espmark/_updown_espmark.815
-rw-r--r--src/aikgen/Makefile.in5
-rw-r--r--src/charon-cmd/Makefile.in5
-rw-r--r--src/charon-nm/Makefile.in5
-rw-r--r--src/charon-nm/nm/nm_backend.c6
-rw-r--r--src/charon-nm/nm/nm_handler.c5
-rw-r--r--src/charon-svc/Makefile.in5
-rw-r--r--src/charon-systemd/Makefile.in5
-rw-r--r--src/charon-systemd/charon-systemd.c28
-rw-r--r--src/charon-tkm/Makefile.in5
-rw-r--r--src/charon-tkm/src/charon-tkm.c4
-rw-r--r--src/charon-tkm/src/ees/ees_callbacks.c22
-rw-r--r--src/charon-tkm/src/tkm/tkm.c4
-rw-r--r--src/charon-tkm/src/tkm/tkm.h8
-rw-r--r--src/charon-tkm/src/tkm/tkm_diffie_hellman.c15
-rw-r--r--src/charon-tkm/src/tkm/tkm_encoder.c~106
-rw-r--r--src/charon-tkm/src/tkm/tkm_id_manager.c2
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_ipsec.c39
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_sad.c66
-rw-r--r--src/charon-tkm/src/tkm/tkm_kernel_sad.h19
-rw-r--r--src/charon-tkm/src/tkm/tkm_keymat.c29
-rw-r--r--src/charon-tkm/src/tkm/tkm_listener.c20
-rw-r--r--src/charon-tkm/tests/diffie_hellman_tests.c2
-rw-r--r--src/charon-tkm/tests/kernel_sad_tests.c40
-rw-r--r--src/charon-tkm/tests/keymat_tests.c4
-rw-r--r--src/charon-tkm/tests/tests.c4
-rw-r--r--src/charon/Makefile.in5
-rw-r--r--src/checksum/Makefile.in5
-rw-r--r--src/conftest/Makefile.in5
-rw-r--r--src/conftest/actions.c16
-rw-r--r--src/dumm/Makefile.in5
-rw-r--r--src/dumm/ext/dumm.c4
-rw-r--r--src/include/Makefile.in5
-rw-r--r--src/ipsec/Makefile.in5
-rw-r--r--src/ipsec/_ipsec.817
-rw-r--r--src/ipsec/_ipsec.8.in15
-rw-r--r--src/libcharon/Android.mk8
-rw-r--r--src/libcharon/Makefile.am54
-rw-r--r--src/libcharon/Makefile.in406
-rw-r--r--src/libcharon/attributes/attribute_handler.h (renamed from src/libhydra/attributes/attribute_handler.h)20
-rw-r--r--src/libcharon/attributes/attribute_manager.c (renamed from src/libhydra/attributes/attribute_manager.c)39
-rw-r--r--src/libcharon/attributes/attribute_manager.h (renamed from src/libhydra/attributes/attribute_manager.h)27
-rw-r--r--src/libcharon/attributes/attribute_provider.h (renamed from src/libhydra/attributes/attribute_provider.h)14
-rw-r--r--src/libcharon/attributes/attributes.c (renamed from src/libhydra/attributes/attributes.c)0
-rw-r--r--src/libcharon/attributes/attributes.h (renamed from src/libhydra/attributes/attributes.h)0
-rw-r--r--src/libcharon/attributes/mem_pool.c (renamed from src/libhydra/attributes/mem_pool.c)186
-rw-r--r--src/libcharon/attributes/mem_pool.h (renamed from src/libhydra/attributes/mem_pool.h)10
-rw-r--r--src/libcharon/bus/bus.c28
-rw-r--r--src/libcharon/bus/bus.h9
-rw-r--r--src/libcharon/bus/listeners/listener.h11
-rw-r--r--src/libcharon/config/ike_cfg.c17
-rw-r--r--src/libcharon/config/proposal.c2
-rw-r--r--src/libcharon/control/controller.c44
-rw-r--r--src/libcharon/control/controller.h4
-rw-r--r--src/libcharon/daemon.c7
-rw-r--r--src/libcharon/daemon.h15
-rw-r--r--src/libcharon/encoding/message.c16
-rw-r--r--src/libcharon/encoding/parser.c21
-rw-r--r--src/libcharon/encoding/parser.h12
-rw-r--r--src/libcharon/encoding/payloads/delete_payload.c15
-rw-r--r--src/libcharon/encoding/payloads/delete_payload.h10
-rw-r--r--src/libcharon/encoding/payloads/encrypted_payload.c1
-rw-r--r--src/libcharon/encoding/payloads/id_payload.c7
-rw-r--r--src/libcharon/encoding/payloads/ke_payload.c10
-rw-r--r--src/libcharon/encoding/payloads/ke_payload.h2
-rw-r--r--src/libcharon/encoding/payloads/notify_payload.c22
-rw-r--r--src/libcharon/encoding/payloads/notify_payload.h2
-rw-r--r--src/libcharon/encoding/payloads/payload.c62
-rw-r--r--src/libcharon/encoding/payloads/payload.h3
-rw-r--r--src/libcharon/encoding/payloads/proposal_substructure.c276
-rw-r--r--src/libcharon/kernel/kernel_handler.c25
-rw-r--r--src/libcharon/plugins/addrblock/Makefile.in5
-rw-r--r--src/libcharon/plugins/android_dns/Makefile.in5
-rw-r--r--src/libcharon/plugins/android_dns/android_dns_handler.c7
-rw-r--r--src/libcharon/plugins/android_dns/android_dns_plugin.c9
-rw-r--r--src/libcharon/plugins/android_log/Makefile.in5
-rw-r--r--src/libcharon/plugins/attr/Makefile.am (renamed from src/libhydra/plugins/attr/Makefile.am)3
-rw-r--r--src/libcharon/plugins/attr/Makefile.in (renamed from src/libhydra/plugins/attr/Makefile.in)14
-rw-r--r--src/libcharon/plugins/attr/attr_plugin.c (renamed from src/libhydra/plugins/attr/attr_plugin.c)10
-rw-r--r--src/libcharon/plugins/attr/attr_plugin.h (renamed from src/libhydra/plugins/attr/attr_plugin.h)2
-rw-r--r--src/libcharon/plugins/attr/attr_provider.c (renamed from src/libhydra/plugins/attr/attr_provider.c)4
-rw-r--r--src/libcharon/plugins/attr/attr_provider.h (renamed from src/libhydra/plugins/attr/attr_provider.h)0
-rw-r--r--src/libcharon/plugins/attr_sql/Makefile.am (renamed from src/libhydra/plugins/attr_sql/Makefile.am)5
-rw-r--r--src/libcharon/plugins/attr_sql/Makefile.in (renamed from src/libhydra/plugins/attr_sql/Makefile.in)20
-rw-r--r--src/libcharon/plugins/attr_sql/attr_sql_plugin.c (renamed from src/libhydra/plugins/attr_sql/attr_sql_plugin.c)16
-rw-r--r--src/libcharon/plugins/attr_sql/attr_sql_plugin.h (renamed from src/libhydra/plugins/attr_sql/attr_sql_plugin.h)4
-rw-r--r--src/libcharon/plugins/attr_sql/attr_sql_provider.c (renamed from src/libhydra/plugins/attr_sql/sql_attribute.c)45
-rw-r--r--src/libcharon/plugins/attr_sql/attr_sql_provider.h (renamed from src/libhydra/plugins/attr_sql/sql_attribute.h)20
-rw-r--r--src/libcharon/plugins/certexpire/Makefile.in5
-rw-r--r--src/libcharon/plugins/connmark/Makefile.am20
-rw-r--r--src/libcharon/plugins/connmark/Makefile.in (renamed from src/libcharon/plugins/unit_tester/Makefile.in)111
-rw-r--r--src/libcharon/plugins/connmark/connmark_listener.c538
-rw-r--r--src/libcharon/plugins/connmark/connmark_listener.h49
-rw-r--r--src/libcharon/plugins/connmark/connmark_plugin.c105
-rw-r--r--src/libcharon/plugins/connmark/connmark_plugin.h42
-rw-r--r--src/libcharon/plugins/coupling/Makefile.in5
-rw-r--r--src/libcharon/plugins/dhcp/Makefile.in5
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_plugin.c9
-rw-r--r--src/libcharon/plugins/dhcp/dhcp_provider.c12
-rw-r--r--src/libcharon/plugins/dnscert/Makefile.in5
-rw-r--r--src/libcharon/plugins/duplicheck/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_aka/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_aka_3gpp2/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_dynamic/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_gtc/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_identity/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_md5/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_mschapv2/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_peap/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_radius/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_accounting.c2
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_plugin.c23
-rw-r--r--src/libcharon/plugins/eap_radius/eap_radius_provider.c24
-rw-r--r--src/libcharon/plugins/eap_sim/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_sim_file/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_sim_pcsc/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_simaka_reauth/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_simaka_sql/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_tls/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_tls/eap_tls.c7
-rw-r--r--src/libcharon/plugins/eap_tnc/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_tnc/eap_tnc.c27
-rw-r--r--src/libcharon/plugins/eap_ttls/Makefile.in5
-rw-r--r--src/libcharon/plugins/eap_ttls/eap_ttls.c7
-rw-r--r--src/libcharon/plugins/error_notify/Makefile.in5
-rw-r--r--src/libcharon/plugins/ext_auth/Makefile.in5
-rw-r--r--src/libcharon/plugins/farp/Makefile.in5
-rw-r--r--src/libcharon/plugins/forecast/Makefile.am21
-rw-r--r--src/libcharon/plugins/forecast/Makefile.in784
-rw-r--r--src/libcharon/plugins/forecast/forecast_forwarder.c496
-rw-r--r--src/libcharon/plugins/forecast/forecast_forwarder.h47
-rw-r--r--src/libcharon/plugins/forecast/forecast_listener.c680
-rw-r--r--src/libcharon/plugins/forecast/forecast_listener.h68
-rw-r--r--src/libcharon/plugins/forecast/forecast_plugin.c118
-rw-r--r--src/libcharon/plugins/forecast/forecast_plugin.h42
-rw-r--r--src/libcharon/plugins/ha/Makefile.in5
-rw-r--r--src/libcharon/plugins/ha/ha_attribute.c4
-rw-r--r--src/libcharon/plugins/ha/ha_cache.c29
-rw-r--r--src/libcharon/plugins/ha/ha_child.c4
-rw-r--r--src/libcharon/plugins/ha/ha_dispatcher.c15
-rw-r--r--src/libcharon/plugins/ha/ha_ike.c10
-rw-r--r--src/libcharon/plugins/ha/ha_plugin.c10
-rw-r--r--src/libcharon/plugins/ipseckey/Makefile.in5
-rw-r--r--src/libcharon/plugins/kernel_iph/Makefile.in5
-rw-r--r--src/libcharon/plugins/kernel_libipsec/Makefile.in5
-rw-r--r--src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c20
-rw-r--r--src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c110
-rw-r--r--src/libcharon/plugins/kernel_wfp/Makefile.in5
-rw-r--r--src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c36
-rw-r--r--src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h10
-rw-r--r--src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c258
-rw-r--r--src/libcharon/plugins/led/Makefile.in5
-rw-r--r--src/libcharon/plugins/load_tester/Makefile.in5
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_config.c24
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c51
-rw-r--r--src/libcharon/plugins/load_tester/load_tester_ipsec.c8
-rw-r--r--src/libcharon/plugins/lookip/Makefile.in5
-rw-r--r--src/libcharon/plugins/maemo/Makefile.in5
-rw-r--r--src/libcharon/plugins/medcli/Makefile.in5
-rw-r--r--src/libcharon/plugins/medsrv/Makefile.in5
-rw-r--r--src/libcharon/plugins/osx_attr/Makefile.in5
-rw-r--r--src/libcharon/plugins/osx_attr/osx_attr_handler.c6
-rw-r--r--src/libcharon/plugins/osx_attr/osx_attr_plugin.c9
-rw-r--r--src/libcharon/plugins/radattr/Makefile.in5
-rw-r--r--src/libcharon/plugins/resolve/Makefile.am (renamed from src/libhydra/plugins/resolve/Makefile.am)1
-rw-r--r--src/libcharon/plugins/resolve/Makefile.in (renamed from src/libhydra/plugins/resolve/Makefile.in)12
-rw-r--r--src/libcharon/plugins/resolve/resolve_handler.c (renamed from src/libhydra/plugins/resolve/resolve_handler.c)11
-rw-r--r--src/libcharon/plugins/resolve/resolve_handler.h (renamed from src/libhydra/plugins/resolve/resolve_handler.h)0
-rw-r--r--src/libcharon/plugins/resolve/resolve_plugin.c (renamed from src/libhydra/plugins/resolve/resolve_plugin.c)11
-rw-r--r--src/libcharon/plugins/resolve/resolve_plugin.h (renamed from src/libhydra/plugins/resolve/resolve_plugin.h)0
-rw-r--r--src/libcharon/plugins/smp/Makefile.in5
-rw-r--r--src/libcharon/plugins/socket_default/Makefile.in5
-rw-r--r--src/libcharon/plugins/socket_default/socket_default_socket.c76
-rw-r--r--src/libcharon/plugins/socket_dynamic/Makefile.in5
-rw-r--r--src/libcharon/plugins/socket_win/Makefile.in5
-rw-r--r--src/libcharon/plugins/sql/Makefile.in5
-rw-r--r--src/libcharon/plugins/stroke/Makefile.in5
-rw-r--r--src/libcharon/plugins/stroke/stroke_attribute.c27
-rw-r--r--src/libcharon/plugins/stroke/stroke_ca.c81
-rw-r--r--src/libcharon/plugins/stroke/stroke_config.c74
-rw-r--r--src/libcharon/plugins/stroke/stroke_control.c8
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.c315
-rw-r--r--src/libcharon/plugins/stroke/stroke_cred.h7
-rw-r--r--src/libcharon/plugins/stroke/stroke_handler.c3
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c16
-rw-r--r--src/libcharon/plugins/stroke/stroke_plugin.c1
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c13
-rw-r--r--src/libcharon/plugins/systime_fix/Makefile.in5
-rw-r--r--src/libcharon/plugins/tnc_ifmap/Makefile.in5
-rw-r--r--src/libcharon/plugins/tnc_pdp/Makefile.in5
-rw-r--r--src/libcharon/plugins/tnc_pdp/tnc_pdp.c25
-rw-r--r--src/libcharon/plugins/uci/Makefile.in5
-rw-r--r--src/libcharon/plugins/unit_tester/Makefile.am26
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_agent.c67
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_auth_info.c140
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_cert.c108
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_curl.c44
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_med_db.c54
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_mysql.c89
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_pool.c100
-rw-r--r--src/libcharon/plugins/unit_tester/tests/test_sqlite.c93
-rw-r--r--src/libcharon/plugins/unit_tester/unit_tester.c152
-rw-r--r--src/libcharon/plugins/unity/Makefile.in5
-rw-r--r--src/libcharon/plugins/unity/unity_handler.c29
-rw-r--r--src/libcharon/plugins/unity/unity_handler.h5
-rw-r--r--src/libcharon/plugins/unity/unity_narrow.c90
-rw-r--r--src/libcharon/plugins/unity/unity_plugin.c17
-rw-r--r--src/libcharon/plugins/unity/unity_provider.c6
-rw-r--r--src/libcharon/plugins/updown/Makefile.in5
-rw-r--r--src/libcharon/plugins/updown/updown_handler.c57
-rw-r--r--src/libcharon/plugins/updown/updown_listener.c1
-rw-r--r--src/libcharon/plugins/updown/updown_plugin.c9
-rw-r--r--src/libcharon/plugins/vici/Makefile.am4
-rw-r--r--src/libcharon/plugins/vici/Makefile.in10
-rw-r--r--src/libcharon/plugins/vici/README.md97
-rw-r--r--src/libcharon/plugins/vici/libvici.c8
-rw-r--r--src/libcharon/plugins/vici/python/LICENSE19
-rw-r--r--src/libcharon/plugins/vici/python/MANIFEST.in1
-rw-r--r--src/libcharon/plugins/vici/python/Makefile.am33
-rw-r--r--src/libcharon/plugins/vici/python/Makefile.in (renamed from src/_updown_espmark/Makefile.in)308
-rw-r--r--src/libcharon/plugins/vici/python/setup.py.in34
-rw-r--r--src/libcharon/plugins/vici/python/vici/__init__.py1
-rw-r--r--src/libcharon/plugins/vici/python/vici/compat.py14
-rw-r--r--src/libcharon/plugins/vici/python/vici/exception.py10
-rw-r--r--src/libcharon/plugins/vici/python/vici/protocol.py196
-rw-r--r--src/libcharon/plugins/vici/python/vici/session.py327
-rw-r--r--src/libcharon/plugins/vici/python/vici/test/__init__.py0
-rw-r--r--src/libcharon/plugins/vici/python/vici/test/test_protocol.py144
-rw-r--r--src/libcharon/plugins/vici/ruby/Makefile.am6
-rw-r--r--src/libcharon/plugins/vici/ruby/Makefile.in11
-rw-r--r--src/libcharon/plugins/vici/ruby/lib/vici.rb30
-rw-r--r--src/libcharon/plugins/vici/ruby/vici.gemspec.in2
-rw-r--r--src/libcharon/plugins/vici/vici_attribute.c67
-rw-r--r--src/libcharon/plugins/vici/vici_builder.c79
-rw-r--r--src/libcharon/plugins/vici/vici_builder.h8
-rw-r--r--src/libcharon/plugins/vici/vici_config.c51
-rw-r--r--src/libcharon/plugins/vici/vici_control.c4
-rw-r--r--src/libcharon/plugins/vici/vici_plugin.c9
-rw-r--r--src/libcharon/plugins/vici/vici_query.c17
-rw-r--r--src/libcharon/plugins/whitelist/Makefile.in5
-rw-r--r--src/libcharon/plugins/xauth_eap/Makefile.in5
-rw-r--r--src/libcharon/plugins/xauth_generic/Makefile.in5
-rw-r--r--src/libcharon/plugins/xauth_noauth/Makefile.in5
-rw-r--r--src/libcharon/plugins/xauth_pam/Makefile.in5
-rw-r--r--src/libcharon/processing/jobs/adopt_children_job.c58
-rw-r--r--src/libcharon/processing/jobs/delete_child_sa_job.c26
-rw-r--r--src/libcharon/processing/jobs/delete_child_sa_job.h9
-rw-r--r--src/libcharon/processing/jobs/dpd_timeout_job.c6
-rw-r--r--src/libcharon/processing/jobs/inactivity_job.c16
-rw-r--r--src/libcharon/processing/jobs/inactivity_job.h4
-rw-r--r--src/libcharon/processing/jobs/initiate_tasks_job.c96
-rw-r--r--src/libcharon/processing/jobs/initiate_tasks_job.h49
-rw-r--r--src/libcharon/processing/jobs/migrate_job.c62
-rw-r--r--src/libcharon/processing/jobs/migrate_job.h2
-rw-r--r--src/libcharon/processing/jobs/rekey_child_sa_job.c27
-rw-r--r--src/libcharon/processing/jobs/rekey_child_sa_job.h10
-rw-r--r--src/libcharon/processing/jobs/rekey_ike_sa_job.c3
-rw-r--r--src/libcharon/processing/jobs/update_sa_job.c33
-rw-r--r--src/libcharon/processing/jobs/update_sa_job.h8
-rw-r--r--src/libcharon/sa/authenticator.c9
-rw-r--r--src/libcharon/sa/authenticator.h10
-rw-r--r--src/libcharon/sa/child_sa.c147
-rw-r--r--src/libcharon/sa/child_sa.h25
-rw-r--r--src/libcharon/sa/child_sa_manager.c333
-rw-r--r--src/libcharon/sa/child_sa_manager.h89
-rw-r--r--src/libcharon/sa/eap/eap_method.h12
-rw-r--r--src/libcharon/sa/ike_sa.c82
-rw-r--r--src/libcharon/sa/ike_sa.h10
-rw-r--r--src/libcharon/sa/ike_sa_manager.c95
-rw-r--r--src/libcharon/sa/ike_sa_manager.h10
-rw-r--r--src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c10
-rw-r--r--src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c11
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c9
-rw-r--r--src/libcharon/sa/ikev1/phase1.c14
-rw-r--r--src/libcharon/sa/ikev1/task_manager_v1.c5
-rw-r--r--src/libcharon/sa/ikev1/tasks/isakmp_delete.c39
-rw-r--r--src/libcharon/sa/ikev1/tasks/main_mode.c39
-rw-r--r--src/libcharon/sa/ikev1/tasks/mode_config.c137
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_delete.c6
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.c76
-rw-r--r--src/libcharon/sa/ikev1/tasks/quick_mode.h8
-rw-r--r--src/libcharon/sa/ikev2/authenticators/eap_authenticator.c7
-rw-r--r--src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c314
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.c35
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.h18
-rw-r--r--src/libcharon/sa/ikev2/task_manager_v2.c113
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c84
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.h8
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.c4
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_rekey.c10
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.c4
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_config.c19
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.c206
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mobike.c27
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_reauth.h2
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c102
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h56
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_rekey.c36
-rw-r--r--src/libcharon/sa/task.c1
-rw-r--r--src/libcharon/sa/task.h6
-rw-r--r--src/libcharon/sa/trap_manager.c11
-rw-r--r--src/libcharon/tests/Makefile.am21
-rw-r--r--src/libcharon/tests/Makefile.in874
-rw-r--r--src/libcharon/tests/libcharon_tests.c56
-rw-r--r--src/libcharon/tests/libcharon_tests.h16
-rw-r--r--src/libcharon/tests/suites/test_mem_pool.c230
-rw-r--r--src/libfast/Makefile.in5
-rw-r--r--src/libhydra/Android.mk7
-rw-r--r--src/libhydra/Makefile.am24
-rw-r--r--src/libhydra/Makefile.in73
-rw-r--r--src/libhydra/hydra.c4
-rw-r--r--src/libhydra/hydra.h9
-rw-r--r--src/libhydra/kernel/kernel_interface.c276
-rw-r--r--src/libhydra/kernel/kernel_interface.h76
-rw-r--r--src/libhydra/kernel/kernel_ipsec.h28
-rw-r--r--src/libhydra/kernel/kernel_listener.h13
-rw-r--r--src/libhydra/plugins/kernel_netlink/Makefile.am21
-rw-r--r--src/libhydra/plugins/kernel_netlink/Makefile.in267
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c299
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c46
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c477
-rw-r--r--src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h4
-rw-r--r--src/libhydra/plugins/kernel_netlink/suites/test_socket.c302
-rw-r--r--src/libhydra/plugins/kernel_netlink/tests.c51
-rw-r--r--src/libhydra/plugins/kernel_netlink/tests.h16
-rw-r--r--src/libhydra/plugins/kernel_pfkey/Makefile.in5
-rw-r--r--src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c112
-rw-r--r--src/libhydra/plugins/kernel_pfroute/Makefile.in5
-rw-r--r--src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c9
-rw-r--r--src/libhydra/tests/Makefile.am18
-rw-r--r--src/libhydra/tests/Makefile.in839
-rw-r--r--src/libhydra/tests/hydra_tests.c53
-rw-r--r--src/libhydra/tests/hydra_tests.h14
-rw-r--r--src/libimcv/Makefile.am3
-rw-r--r--src/libimcv/Makefile.in11
-rw-r--r--src/libimcv/imv/data.sql155
-rw-r--r--src/libimcv/imv/imv_agent.c76
-rw-r--r--src/libimcv/imv/imv_database.c111
-rw-r--r--src/libimcv/imv/imv_policy_manager.c76
-rw-r--r--src/libimcv/imv/imv_session.c33
-rw-r--r--src/libimcv/imv/imv_session.h14
-rw-r--r--src/libimcv/imv/imv_session_manager.c40
-rw-r--r--src/libimcv/imv/imv_session_manager.h7
-rw-r--r--src/libimcv/imv/tables-mysql.sql8
-rw-r--r--src/libimcv/imv/tables.sql8
-rw-r--r--src/libimcv/plugins/imc_attestation/Makefile.in5
-rw-r--r--src/libimcv/plugins/imc_attestation/imc_attestation_process.c12
-rw-r--r--src/libimcv/plugins/imc_os/Makefile.in5
-rw-r--r--src/libimcv/plugins/imc_scanner/Makefile.in5
-rw-r--r--src/libimcv/plugins/imc_swid/Makefile.in5
-rw-r--r--src/libimcv/plugins/imc_test/Makefile.in5
-rw-r--r--src/libimcv/plugins/imv_attestation/Makefile.in5
-rw-r--r--src/libimcv/plugins/imv_attestation/attest_db.c18
-rwxr-xr-xsrc/libimcv/plugins/imv_attestation/build-database.sh2
-rw-r--r--src/libimcv/plugins/imv_attestation/imv_attestation_build.c6
-rw-r--r--src/libimcv/plugins/imv_attestation/imv_attestation_process.c8
-rw-r--r--src/libimcv/plugins/imv_os/Makefile.in5
-rw-r--r--src/libimcv/plugins/imv_scanner/Makefile.in5
-rw-r--r--src/libimcv/plugins/imv_swid/Makefile.in5
-rw-r--r--src/libimcv/plugins/imv_test/Makefile.in5
-rw-r--r--src/libimcv/pts/components/ita/ita_comp_tboot.c9
-rw-r--r--src/libimcv/pts/pts.c18
-rw-r--r--src/libimcv/pts/pts.h6
-rw-r--r--src/libimcv/seg/seg_env.c3
-rw-r--r--src/libimcv/seg/seg_env.h2
-rw-r--r--src/libimcv/suites/test_imcv_seg.c12
-rw-r--r--src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c3
-rw-r--r--src/libipsec/Makefile.in5
-rw-r--r--src/libipsec/ip_packet.c2
-rw-r--r--src/libipsec/ipsec_event_listener.h6
-rw-r--r--src/libipsec/ipsec_event_relay.c34
-rw-r--r--src/libipsec/ipsec_event_relay.h6
-rw-r--r--src/libipsec/ipsec_sa.c11
-rw-r--r--src/libipsec/ipsec_sa.h6
-rw-r--r--src/libipsec/ipsec_sa_mgr.c14
-rw-r--r--src/libipsec/ipsec_sa_mgr.h9
-rw-r--r--src/libpttls/Makefile.in5
-rw-r--r--src/libradius/Makefile.in5
-rw-r--r--src/libradius/radius_socket.c87
-rw-r--r--src/libsimaka/Makefile.in5
-rw-r--r--src/libstrongswan/Android.mk2
-rw-r--r--src/libstrongswan/Makefile.am29
-rw-r--r--src/libstrongswan/Makefile.in190
-rw-r--r--src/libstrongswan/asn1/oid.c518
-rw-r--r--src/libstrongswan/asn1/oid.h199
-rw-r--r--src/libstrongswan/asn1/oid.txt22
-rw-r--r--src/libstrongswan/credentials/auth_cfg.c60
-rw-r--r--src/libstrongswan/credentials/auth_cfg.h4
-rw-r--r--src/libstrongswan/credentials/cred_encoding.h4
-rw-r--r--src/libstrongswan/credentials/credential_manager.c3
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c168
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h41
-rw-r--r--src/libstrongswan/credentials/sets/cert_cache.c17
-rw-r--r--src/libstrongswan/credentials/sets/mem_cred.c19
-rw-r--r--src/libstrongswan/credentials/sets/mem_cred.h12
-rw-r--r--src/libstrongswan/crypto/crypters/crypter.c7
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c27
-rw-r--r--src/libstrongswan/crypto/diffie_hellman.c87
-rw-r--r--src/libstrongswan/crypto/diffie_hellman.h30
-rw-r--r--src/libstrongswan/crypto/hashers/hash_algorithm_set.c113
-rw-r--r--src/libstrongswan/crypto/hashers/hash_algorithm_set.h76
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.c102
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.h40
-rw-r--r--src/libstrongswan/crypto/mgf1/mgf1.c (renamed from src/libstrongswan/plugins/ntru/ntru_mgf1.c)42
-rw-r--r--src/libstrongswan/crypto/mgf1/mgf1.h (renamed from src/libstrongswan/plugins/ntru/ntru_mgf1.h)30
-rw-r--r--src/libstrongswan/crypto/mgf1/mgf1_bitspender.c208
-rw-r--r--src/libstrongswan/crypto/mgf1/mgf1_bitspender.h67
-rw-r--r--src/libstrongswan/crypto/pkcs5.c32
-rw-r--r--src/libstrongswan/ipsec/ipsec_types.c10
-rw-r--r--src/libstrongswan/ipsec/ipsec_types.h4
-rw-r--r--src/libstrongswan/library.h3
-rw-r--r--src/libstrongswan/networking/host.c38
-rw-r--r--src/libstrongswan/networking/host.h21
-rw-r--r--src/libstrongswan/networking/host_resolver.c17
-rw-r--r--src/libstrongswan/networking/tun_device.c25
-rw-r--r--src/libstrongswan/networking/tun_device.h4
-rw-r--r--src/libstrongswan/plugins/acert/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/af_alg/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_prf.c1
-rw-r--r--src/libstrongswan/plugins/af_alg/af_alg_signer.c1
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/bliss/Makefile.am54
-rw-r--r--src/libstrongswan/plugins/bliss/Makefile.in862
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_bitpacker.c207
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_bitpacker.h85
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_fft.c199
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_fft.h71
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_fft_params.c215
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_fft_params.h75
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman.c433
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman_code.c42
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman_code.h80
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c160
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c261
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c435
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman_coder.c138
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_huffman_coder.h77
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_param_set.c339
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_param_set.h201
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_plugin.c101
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_plugin.h42
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_private_key.c1316
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_private_key.h62
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_public_key.c515
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_public_key.h101
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_sampler.c250
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_sampler.h94
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_signature.c233
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_signature.h75
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_utils.c167
-rw-r--r--src/libstrongswan/plugins/bliss/bliss_utils.h70
-rw-r--r--src/libstrongswan/plugins/bliss/tests/Makefile.am27
-rw-r--r--src/libstrongswan/plugins/bliss/tests/Makefile.in985
-rw-r--r--src/libstrongswan/plugins/bliss/tests/bliss_tests.c60
-rw-r--r--src/libstrongswan/plugins/bliss/tests/bliss_tests.h23
-rw-r--r--src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c112
-rw-r--r--src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c110
-rw-r--r--src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c122
-rw-r--r--src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c249
-rw-r--r--src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c97
-rw-r--r--src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c211
-rw-r--r--src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c141
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/ccm/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/cmac/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/cmac/cmac.c3
-rw-r--r--src/libstrongswan/plugins/constraints/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c217
-rw-r--r--src/libstrongswan/plugins/ctr/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/des/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/dnskey/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/files/Makefile.am16
-rw-r--r--src/libstrongswan/plugins/files/Makefile.in775
-rw-r--r--src/libstrongswan/plugins/files/files_fetcher.c117
-rw-r--r--src/libstrongswan/plugins/files/files_fetcher.h (renamed from src/libcharon/plugins/unit_tester/tests.h)36
-rw-r--r--src/libstrongswan/plugins/files/files_plugin.c76
-rw-r--r--src/libstrongswan/plugins/files/files_plugin.h (renamed from src/libcharon/plugins/unit_tester/unit_tester.h)28
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/fips_prf/fips_prf.c7
-rw-r--r--src/libstrongswan/plugins/gcm/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_dh.c21
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c23
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/hmac/hmac.c3
-rw-r--r--src/libstrongswan/plugins/keychain/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/nonce/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/ntru/Makefile.am1
-rw-r--r--src/libstrongswan/plugins/ntru/Makefile.in12
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_ke.c38
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_poly.c62
-rw-r--r--src/libstrongswan/plugins/ntru/ntru_trits.c39
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crypter.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c21
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c23
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/pem/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/pem/pem_builder.c25
-rw-r--r--src/libstrongswan/plugins/pem/pem_encoder.c11
-rw-r--r--src/libstrongswan/plugins/pem/pem_plugin.c5
-rw-r--r--src/libstrongswan/plugins/pgp/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/pkcs1/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_builder.c9
-rw-r--r--src/libstrongswan/plugins/pkcs11/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_dh.c30
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_library.c44
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c21
-rw-r--r--src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c50
-rw-r--r--src/libstrongswan/plugins/pkcs12/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/pkcs7/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/pkcs8/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c16
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/random/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/rc2/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/rdrand/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/soup/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/sshkey/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/unbound/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/winhttp/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/x509/x509_ac.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c2
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c25
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_request.c6
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_response.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_pkcs10.c2
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/xcbc/xcbc.c4
-rw-r--r--src/libstrongswan/processing/processor.h2
-rw-r--r--src/libstrongswan/processing/scheduler.c19
-rw-r--r--src/libstrongswan/processing/scheduler.h7
-rw-r--r--src/libstrongswan/processing/watcher.c113
-rw-r--r--src/libstrongswan/selectors/traffic_selector.c121
-rw-r--r--src/libstrongswan/selectors/traffic_selector.h19
-rw-r--r--src/libstrongswan/settings/settings_lexer.c190
-rw-r--r--src/libstrongswan/settings/settings_lexer.l5
-rw-r--r--src/libstrongswan/tests/Makefile.am4
-rw-r--r--src/libstrongswan/tests/Makefile.in81
-rw-r--r--src/libstrongswan/tests/suites/test_certnames.c398
-rw-r--r--src/libstrongswan/tests/suites/test_certpolicy.c637
-rw-r--r--src/libstrongswan/tests/suites/test_chunk.c13
-rw-r--r--src/libstrongswan/tests/suites/test_enum.c166
-rw-r--r--src/libstrongswan/tests/suites/test_hasher.c3
-rw-r--r--src/libstrongswan/tests/suites/test_host.c137
-rw-r--r--src/libstrongswan/tests/suites/test_identification.c114
-rw-r--r--src/libstrongswan/tests/suites/test_mgf1.c268
-rw-r--r--src/libstrongswan/tests/suites/test_ntru.c222
-rw-r--r--src/libstrongswan/tests/suites/test_settings.c4
-rw-r--r--src/libstrongswan/tests/suites/test_threading.c236
-rw-r--r--src/libstrongswan/tests/suites/test_traffic_selector.c284
-rw-r--r--src/libstrongswan/tests/suites/test_utils.c45
-rw-r--r--src/libstrongswan/tests/tests.h5
-rw-r--r--src/libstrongswan/threading/semaphore.h6
-rw-r--r--src/libstrongswan/threading/thread.h63
-rw-r--r--src/libstrongswan/threading/windows/rwlock.c2
-rw-r--r--src/libstrongswan/utils/chunk.c2
-rw-r--r--src/libstrongswan/utils/compat/apple.h119
-rw-r--r--src/libstrongswan/utils/compat/windows.c (renamed from src/libstrongswan/utils/windows.c)45
-rw-r--r--src/libstrongswan/utils/compat/windows.h (renamed from src/libstrongswan/utils/windows.h)45
-rw-r--r--src/libstrongswan/utils/enum.c93
-rw-r--r--src/libstrongswan/utils/enum.h35
-rw-r--r--src/libstrongswan/utils/identification.c87
-rw-r--r--src/libstrongswan/utils/identification.h9
-rw-r--r--src/libstrongswan/utils/utils.h6
-rw-r--r--src/libtls/Makefile.in5
-rw-r--r--src/libtls/tests/Makefile.in5
-rw-r--r--src/libtls/tls.c9
-rw-r--r--src/libtls/tls.h7
-rw-r--r--src/libtls/tls_eap.c7
-rw-r--r--src/libtls/tls_eap.h7
-rw-r--r--src/libtls/tls_fragmentation.c35
-rw-r--r--src/libtls/tls_fragmentation.h4
-rw-r--r--src/libtls/tls_handshake.h7
-rw-r--r--src/libtls/tls_peer.c40
-rw-r--r--src/libtls/tls_protection.c11
-rw-r--r--src/libtls/tls_server.c23
-rw-r--r--src/libtls/tls_socket.c15
-rw-r--r--src/libtnccs/Android.mk2
-rw-r--r--src/libtnccs/Makefile.in5
-rw-r--r--src/libtnccs/plugins/tnc_imc/Makefile.in5
-rw-r--r--src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c1
-rw-r--r--src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h2
-rw-r--r--src/libtnccs/plugins/tnc_imv/Makefile.in5
-rw-r--r--src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h2
-rw-r--r--src/libtnccs/plugins/tnc_tnccs/Makefile.in5
-rw-r--r--src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c48
-rw-r--r--src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h2
-rw-r--r--src/libtnccs/plugins/tnccs_11/Makefile.in5
-rw-r--r--src/libtnccs/plugins/tnccs_11/tnccs_11.c57
-rw-r--r--src/libtnccs/plugins/tnccs_11/tnccs_11.h15
-rw-r--r--src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h2
-rw-r--r--src/libtnccs/plugins/tnccs_20/Makefile.am4
-rw-r--r--src/libtnccs/plugins/tnccs_20/Makefile.in39
-rw-r--r--src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c85
-rw-r--r--src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h30
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c174
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h75
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c92
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h44
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c22
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h20
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20.c945
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20.h15
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_client.c820
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_client.h65
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h105
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h2
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_server.c693
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_server.h71
-rw-r--r--src/libtnccs/plugins/tnccs_dynamic/Makefile.in5
-rw-r--r--src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c61
-rw-r--r--src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h15
-rw-r--r--src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h2
-rw-r--r--src/libtnccs/tnc/imc/imc.h2
-rw-r--r--src/libtnccs/tnc/imv/imv.h2
-rw-r--r--src/libtnccs/tnc/tnc.h7
-rw-r--r--src/libtnccs/tnc/tnccs/tnccs.h30
-rw-r--r--src/libtnccs/tnc/tnccs/tnccs_manager.h15
-rw-r--r--src/libtncif/Makefile.in5
-rw-r--r--src/libtncif/tncif_names.c14
-rw-r--r--src/libtncif/tncif_names.h4
-rw-r--r--src/manager/Makefile.in5
-rw-r--r--src/medsrv/Makefile.in5
-rw-r--r--src/pki/Makefile.am1
-rw-r--r--src/pki/Makefile.in11
-rw-r--r--src/pki/command.h2
-rw-r--r--src/pki/commands/acert.c11
-rw-r--r--src/pki/commands/gen.c14
-rw-r--r--src/pki/commands/issue.c12
-rw-r--r--src/pki/commands/keyid.c7
-rw-r--r--src/pki/commands/pkcs12.c247
-rw-r--r--src/pki/commands/print.c34
-rw-r--r--src/pki/commands/pub.c10
-rw-r--r--src/pki/commands/req.c17
-rw-r--r--src/pki/commands/self.c20
-rw-r--r--src/pki/commands/signcrl.c8
-rw-r--r--src/pki/man/Makefile.in21
-rw-r--r--src/pki/man/pki---acert.1.in4
-rw-r--r--src/pki/man/pki---issue.1.in20
-rw-r--r--src/pki/man/pki---pkcs12.1.in62
-rw-r--r--src/pki/man/pki---req.1.in4
-rw-r--r--src/pki/man/pki---self.1.in20
-rw-r--r--src/pki/man/pki---signcrl.1.in4
-rw-r--r--src/pki/pki.c46
-rw-r--r--src/pki/pki.h8
-rw-r--r--src/pool/Makefile.am4
-rw-r--r--src/pool/Makefile.in12
-rw-r--r--src/pt-tls-client/Makefile.in5
-rw-r--r--src/pt-tls-client/pt-tls-client.c43
-rw-r--r--src/scepclient/Makefile.in5
-rw-r--r--src/starter/Makefile.in5
-rw-r--r--src/starter/cmp.c2
-rw-r--r--src/starter/parser/lexer.c230
-rw-r--r--src/starter/parser/lexer.l5
-rw-r--r--src/starter/starterstroke.c14
-rw-r--r--src/starter/tests/Makefile.in5
-rw-r--r--src/stroke/Makefile.in5
-rw-r--r--src/stroke/stroke_msg.h2
-rw-r--r--src/swanctl/Makefile.am1
-rw-r--r--src/swanctl/Makefile.in6
-rw-r--r--src/swanctl/commands/list_conns.c5
-rw-r--r--src/swanctl/commands/list_sas.c6
-rw-r--r--src/swanctl/commands/load_conns.c47
-rw-r--r--src/swanctl/commands/load_creds.c290
-rw-r--r--src/swanctl/swanctl.conf14
-rw-r--r--src/swanctl/swanctl.conf.5.main80
-rw-r--r--src/swanctl/swanctl.h5
-rw-r--r--src/swanctl/swanctl.opt52
-rw-r--r--testing/Makefile.in5
-rw-r--r--testing/config/kernel/config-3.182165
-rw-r--r--testing/config/kernel/config-3.192181
-rw-r--r--testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.derbin0 -> 1310 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261bin1190 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192ebbin0 -> 1212 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1bin1212 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491abin0 -> 1188 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2dabin1188 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488bin1210 -> 0 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329fbin0 -> 1210 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3dbin0 -> 1190 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/duckCert.pem36
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/duckKey.pem50
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/index.txt2
-rw-r--r--testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem36
-rwxr-xr-xtesting/hosts/winnetou/etc/openssl/generate-crl4
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt3
-rw-r--r--testing/hosts/winnetou/etc/openssl/index.txt.old3
-rw-r--r--testing/hosts/winnetou/etc/openssl/newcerts/32.pem25
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspCert.pem30
-rw-r--r--testing/hosts/winnetou/etc/openssl/ocspKey.pem50
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt3
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/index.txt.old3
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem23
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/research/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/.randbin1024 -> 1024 bytes
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/index.txt12
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old10
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem28
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem28
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem27
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf15
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/rfc3779/serial.old2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial2
-rw-r--r--testing/hosts/winnetou/etc/openssl/serial.old2
-rwxr-xr-xtesting/scripts/build-baseimage2
-rw-r--r--testing/scripts/recipes/013_strongswan.mk5
-rw-r--r--testing/tests/ha/both-active/description.txt4
-rw-r--r--testing/tests/ikev1/double-nat-net/evaltest.dat4
-rw-r--r--testing/tests/ikev1/double-nat/evaltest.dat4
-rw-r--r--testing/tests/ikev1/nat-rw/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown93
-rw-r--r--testing/tests/ikev1/net2net-fragmentation/evaltest.dat4
-rw-r--r--testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem27
-rw-r--r--testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem27
-rw-r--r--testing/tests/ikev2/double-nat-net/evaltest.dat4
-rw-r--r--testing/tests/ikev2/double-nat/evaltest.dat4
-rw-r--r--testing/tests/ikev2/forecast/description.txt8
-rw-r--r--testing/tests/ikev2/forecast/evaltest.dat20
-rw-r--r--testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf16
-rw-r--r--testing/tests/ikev2/forecast/posttest.dat6
-rw-r--r--testing/tests/ikev2/forecast/pretest.dat7
-rw-r--r--testing/tests/ikev2/forecast/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/description.txt8
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/evaltest.dat7
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf18
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf17
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/posttest.dat5
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/pretest.dat11
-rw-r--r--testing/tests/ikev2/host2host-transport-connmark/test.conf21
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/description.txt3
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/evaltest.dat13
-rw-r--r--testing/tests/ikev2/host2host-transport-nat/pretest.dat1
-rw-r--r--testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat8
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem36
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem50
-rw-r--r--testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem36
-rw-r--r--testing/tests/ikev2/nat-rw-mark/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown300
-rw-r--r--testing/tests/ikev2/nat-rw-psk/evaltest.dat6
-rw-r--r--testing/tests/ikev2/nat-rw/evaltest.dat8
-rwxr-xr-xtesting/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown94
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/description.txt7
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/evaltest.dat9
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/posttest.dat5
-rw-r--r--testing/tests/ikev2/net2net-cert-sha2/pretest.dat6
-rw-r--r--[-rwxr-xr-x]testing/tests/ikev2/net2net-cert-sha2/test.conf (renamed from testing/tests/swanctl/net2net-cert-ipv6/test.conf)2
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf1
-rw-r--r--testing/tests/ikev2/net2net-fragmentation/evaltest.dat4
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem36
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem50
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem36
-rw-r--r--testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem50
-rwxr-xr-xtesting/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown48
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt8
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat7
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf22
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf20
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat6
-rw-r--r--testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf21
-rw-r--r--testing/tests/ikev2/reauth-mbb/description.txt7
-rw-r--r--testing/tests/ikev2/reauth-mbb/evaltest.dat7
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf21
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf19
-rw-r--r--testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/reauth-mbb/posttest.dat4
-rw-r--r--testing/tests/ikev2/reauth-mbb/pretest.dat6
-rw-r--r--testing/tests/ikev2/reauth-mbb/test.conf21
-rw-r--r--testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-dynamic/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat4
-rwxr-xr-xtesting/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown296
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/description.txt15
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/evaltest.dat26
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.derbin0 -> 2172 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.derbin0 -> 1182 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.derbin0 -> 2173 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.derbin0 -> 1310 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf25
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.derbin0 -> 2094 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.derbin0 -> 2190 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.derbin0 -> 1310 bytes
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/posttest.dat9
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/pretest.dat13
-rw-r--r--testing/tests/ikev2/rw-ntru-bliss/test.conf21
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat4
-rw-r--r--testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/evaltest.dat2
-rw-r--r--testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf1
-rw-r--r--testing/tests/ikev2/rw-sig-auth/description.txt10
-rw-r--r--testing/tests/ikev2/rw-sig-auth/evaltest.dat20
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf29
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf30
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf5
-rw-r--r--testing/tests/ikev2/rw-sig-auth/posttest.dat6
-rw-r--r--testing/tests/ikev2/rw-sig-auth/pretest.dat12
-rw-r--r--testing/tests/ikev2/rw-sig-auth/test.conf26
-rw-r--r--testing/tests/ikev2/rw-whitelist/evaltest.dat4
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem36
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem50
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem36
-rw-r--r--testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem50
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem34
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem50
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem34
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem50
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem36
-rw-r--r--testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem50
-rwxr-xr-xtesting/tests/libipsec/host2host-cert/hosts/moon/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/host2host-cert/hosts/sun/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-3des/hosts/moon/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-3des/hosts/sun/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-cert/hosts/moon/etc/updown303
-rwxr-xr-xtesting/tests/libipsec/net2net-cert/hosts/sun/etc/updown303
-rw-r--r--testing/tests/libipsec/rw-suite-b/evaltest.dat6
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/carol/etc/updown311
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/dave/etc/updown311
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/moon/etc/updown311
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem27
-rw-r--r--testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem27
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat4
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf1
-rw-r--r--testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat8
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat2
-rw-r--r--testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat2
-rw-r--r--testing/tests/sql/rw-eap-aka-rsa/evaltest.dat2
-rw-r--r--testing/tests/sql/rw-psk-rsa-split/evaltest.dat2
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/description.txt6
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/evaltest.dat5
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf35
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf35
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/posttest.dat11
-rwxr-xr-xtesting/tests/swanctl/net2net-cert-ipv6/pretest.dat16
-rw-r--r--testing/tests/tkm/host2host-initiator/evaltest.dat4
-rw-r--r--testing/tests/tkm/host2host-xfrmproxy/evaltest.dat1
-rw-r--r--testing/tests/tkm/multiple-clients/evaltest.dat3
-rw-r--r--testing/tests/tkm/net2net-xfrmproxy/evaltest.dat1
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/description.txt6
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/evaltest.dat22
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf8
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.derbin0 -> 1191 bytes
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.derbin0 -> 956 bytes
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf21
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf21
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf5
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/posttest.dat5
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/pretest.dat12
-rw-r--r--testing/tests/tkm/xfrmproxy-expire/test.conf21
-rw-r--r--testing/tests/tnc/tnccs-11-radius-block/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-11-radius/evaltest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/description.txt10
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/evaltest.dat10
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/pretest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/description.txt9
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat5
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/posttest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/pretest.dat8
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/description.txt3
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat11
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-eap/test.conf21
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt3
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf3
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options8
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf16
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf9
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat1
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf21
-rw-r--r--testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat4
1013 files changed, 42598 insertions, 10170 deletions
diff --git a/Android.common.mk b/Android.common.mk
index c650cb8d3..d33062aa7 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
)
# strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.2.1"
+strongswan_VERSION := "5.3.0"
diff --git a/Doxyfile.in b/Doxyfile.in
index 8adf83c7f..eaf02d7de 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -743,7 +743,7 @@ WARN_LOGFILE =
# spaces.
# Note: If this tag is empty the current directory is searched.
-INPUT = @SRC_DIR@/
+INPUT = @SRC_DIR@/src @SRC_DIR@/README.md
# This tag can be used to specify the character encoding of the source files
# that doxygen parses. Internally doxygen uses the UTF-8 encoding. Doxygen uses
diff --git a/Makefile.am b/Makefile.am
index 0703abc10..bea4ba7c0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -34,7 +34,7 @@ Doxyfile : Doxyfile.in
sed \
-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
- -e "s:\@SRC_DIR\@:$(srcdir):" \
+ -e "s:\@SRC_DIR\@:$(srcdir):g" \
$(srcdir)/$@.in > $@
apidoc : Doxyfile
diff --git a/Makefile.in b/Makefile.in
index 8effaa3bc..e10818f54 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -257,6 +257,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -317,10 +318,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -394,6 +397,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -991,7 +996,7 @@ Doxyfile : Doxyfile.in
sed \
-e "s:\@PACKAGE_VERSION\@:$(PACKAGE_VERSION):" \
-e "s:\@PACKAGE_NAME\@:$(PACKAGE_NAME):" \
- -e "s:\@SRC_DIR\@:$(srcdir):" \
+ -e "s:\@SRC_DIR\@:$(srcdir):g" \
$(srcdir)/$@.in > $@
apidoc : Doxyfile
diff --git a/NEWS b/NEWS
index f1a4b2146..81a7fc5fc 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,86 @@
+strongswan-5.3.0
+----------------
+
+- Added support for IKEv2 make-before-break reauthentication. By using a global
+ CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
+ This allows the use of make-before-break instead of the previously supported
+ break-before-make reauthentication, avoiding connectivity gaps during that
+ procedure. As the new mechanism may fail with peers not supporting it (such
+ as any previous strongSwan release) it must be explicitly enabled using
+ the charon.make_before_break strongswan.conf option.
+
+- Support for "Signature Authentication in IKEv2" (RFC 7427) has been added.
+ This allows the use of stronger hash algorithms for public key authentication.
+ By default, signature schemes are chosen based on the strength of the
+ signature key, but specific hash algorithms may be configured in leftauth.
+
+- Key types and hash algorithms specified in rightauth are now also checked
+ against IKEv2 signature schemes. If such constraints are used for certificate
+ chain validation in existing configurations, in particular with peers that
+ don't support RFC 7427, it may be necessary to disable this feature with the
+ charon.signature_authentication_constraints setting, because the signature
+ scheme used in classic IKEv2 public key authentication may not be strong
+ enough.
+
+- The new connmark plugin allows a host to bind conntrack flows to a specific
+ CHILD_SA by applying and restoring the SA mark to conntrack entries. This
+ allows a peer to handle multiple transport mode connections coming over the
+ same NAT device for client-initiated flows. A common use case is to protect
+ L2TP/IPsec, as supported by some systems.
+
+- The forecast plugin can forward broadcast and multicast messages between
+ connected clients and a LAN. For CHILD_SA using unique marks, it sets up
+ the required Netfilter rules and uses a multicast/broadcast listener that
+ forwards such messages to all connected clients. This plugin is designed for
+ Windows 7 IKEv2 clients, which announces its services over the tunnel if the
+ negotiated IPsec policy allows it.
+
+- For the vici plugin a Python Egg has been added to allow Python applications
+ to control or monitor the IKE daemon using the VICI interface, similar to the
+ existing ruby gem. The Python library has been contributed by Björn Schuberg.
+
+- EAP server methods now can fulfill public key constraints, such as rightcert
+ or rightca. Additionally, public key and signature constraints can be
+ specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
+ EAP-TTLS methods provide verification details to constraints checking.
+
+- Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
+ variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
+ algorithms with SHA512 being the default.
+
+- The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
+ as seen by the TNC server available to all IMVs. This information can be
+ forwarded to policy enforcement points (e.g. firewalls or routers).
+
+- The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
+ in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
+ PT-TLS transport medium.
+
+
+strongswan-5.2.2
+----------------
+
+- Fixed a denial-of-service vulnerability triggered by an IKEv2 Key Exchange
+ payload that contains the Diffie-Hellman group 1025. This identifier was
+ used internally for DH groups with custom generator and prime. Because
+ these arguments are missing when creating DH objects based on the KE payload
+ an invalid pointer dereference occurred. This allowed an attacker to crash
+ the IKE daemon with a single IKE_SA_INIT message containing such a KE
+ payload. The vulnerability has been registered as CVE-2014-9221.
+
+- The left/rightid options in ipsec.conf, or any other identity in strongSwan,
+ now accept prefixes to enforce an explicit type, such as email: or fqdn:.
+ Note that no conversion is done for the remaining string, refer to
+ ipsec.conf(5) for details.
+
+- The post-quantum Bimodal Lattice Signature Scheme (BLISS) can be used as
+ an IKEv2 public key authentication method. The pki tool offers full support
+ for the generation of BLISS key pairs and certificates.
+
+- Fixed mapping of integrity algorithms negotiated for AH via IKEv1. This could
+ cause interoperability issues when connecting to older versions of charon.
+
+
strongswan-5.2.1
----------------
diff --git a/conf/Makefile.am b/conf/Makefile.am
index e5077391a..f10af25a2 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -28,6 +28,7 @@ plugins = \
plugins/android_log.opt \
plugins/attr.opt \
plugins/attr-sql.opt \
+ plugins/bliss.opt \
plugins/certexpire.opt \
plugins/coupling.opt \
plugins/dhcp.opt \
@@ -46,6 +47,7 @@ plugins = \
plugins/eap-ttls.opt \
plugins/error-notify.opt \
plugins/ext-auth.opt \
+ plugins/forecast.opt \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
@@ -62,6 +64,7 @@ plugins = \
plugins/led.opt \
plugins/kernel-libipsec.opt \
plugins/kernel-netlink.opt \
+ plugins/kernel-pfkey.opt \
plugins/kernel-pfroute.opt \
plugins/load-tester.opt \
plugins/lookip.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index d5bb3ffa7..4b391402a 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -180,6 +180,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -240,10 +241,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -317,6 +320,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -405,6 +410,7 @@ plugins = \
plugins/android_log.opt \
plugins/attr.opt \
plugins/attr-sql.opt \
+ plugins/bliss.opt \
plugins/certexpire.opt \
plugins/coupling.opt \
plugins/dhcp.opt \
@@ -423,6 +429,7 @@ plugins = \
plugins/eap-ttls.opt \
plugins/error-notify.opt \
plugins/ext-auth.opt \
+ plugins/forecast.opt \
plugins/gcrypt.opt \
plugins/ha.opt \
plugins/imc-attestation.opt \
@@ -439,6 +446,7 @@ plugins = \
plugins/led.opt \
plugins/kernel-libipsec.opt \
plugins/kernel-netlink.opt \
+ plugins/kernel-pfkey.opt \
plugins/kernel-pfroute.opt \
plugins/load-tester.opt \
plugins/lookip.opt \
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index 0bec9bb0a..bd8e29940 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -58,6 +58,10 @@ charon {
# Allow IKEv1 Aggressive Mode with pre-shared keys as responder.
# i_dont_care_about_security_and_use_aggressive_mode_psk = no
+ # Whether to ignore the traffic selectors from the kernel's acquire events
+ # for IKEv2 connections (they are not used for IKEv1).
+ # ignore_acquire_ts = no
+
# A space-separated list of routing tables to be excluded from route
# lookups.
# ignore_routing_tables =
@@ -116,6 +120,9 @@ charon {
# Determine plugins to load via each plugin's load option.
# load_modular = no
+ # Initiate IKEv2 reauthentication with a make-before-break scheme.
+ # make_before_break = no
+
# Maximum packet size accepted by charon.
# max_packet = 10000
@@ -197,6 +204,12 @@ charon {
# Send strongSwan vendor ID payload
# send_vendor_id = no
+ # Whether to enable Signature Authentication as per RFC 7427.
+ # signature_authentication = yes
+
+ # Whether to enable constraints against IKEv2 signature schemes.
+ # signature_authentication_constraints = yes
+
# Number of worker threads in charon.
# threads = 16
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 678aa37bc..bbc50ba37 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -117,6 +117,17 @@ charon.i_dont_care_about_security_and_use_aggressive_mode_psk = no
charon.ignore_routing_tables
A space-separated list of routing tables to be excluded from route lookups.
+charon.ignore_acquire_ts = no
+ Whether to ignore the traffic selectors from the kernel's acquire events for
+ IKEv2 connections (they are not used for IKEv1).
+
+ If this is disabled the traffic selectors from the kernel's acquire events,
+ which are derived from the triggering packet, are prepended to the traffic
+ selectors from the configuration for IKEv2 connection. By enabling this,
+ such specific traffic selectors will be ignored and only the ones in the
+ config will be sent. This always happens for IKEv1 connections as the
+ protocol only supports one set of traffic selectors per CHILD_SA.
+
charon.ikesa_limit = 0
Maximum number of IKE_SAs that can be established at the same time before
new connection attempts are blocked.
@@ -196,6 +207,16 @@ charon.load_modular = no
charon.max_packet = 10000
Maximum packet size accepted by charon.
+charon.make_before_break = no
+ Initiate IKEv2 reauthentication with a make-before-break scheme.
+
+ Initiate IKEv2 reauthentication with a make-before-break instead of a
+ break-before-make scheme. Make-before-break uses overlapping IKE and
+ CHILD_SA during reauthentication by first recreating all new SAs before
+ deleting the old ones. This behavior can be beneficial to avoid connectivity
+ gaps during reauthentication, but requires support for overlapping SAs by
+ the peer. strongSwan can handle such overlapping SAs since version 5.3.0.
+
charon.multiple_authentication = yes
Enable multiple authentication exchanges (RFC 4739).
@@ -277,6 +298,17 @@ charon.send_delay_type = 0
charon.send_vendor_id = no
Send strongSwan vendor ID payload
+charon.signature_authentication = yes
+ Whether to enable Signature Authentication as per RFC 7427.
+
+charon.signature_authentication_constraints = yes
+ Whether to enable constraints against IKEv2 signature schemes.
+
+ If enabled, signature schemes configured in _rightauth_, in addition to
+ getting used as constraints against signature schemes employed in the
+ certificate chain, are also used as constraints against the signature scheme
+ used by peers during IKEv2.
+
charon.start-scripts {}
Section containing a list of scripts (name = path) that are executed when
the daemon is started.
diff --git a/conf/plugins/bliss.conf b/conf/plugins/bliss.conf
new file mode 100644
index 000000000..e35c27dc4
--- /dev/null
+++ b/conf/plugins/bliss.conf
@@ -0,0 +1,11 @@
+bliss {
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # Use the enhanced BLISS-B key generation and signature algorithm.
+ # use_bliss_b = yes
+
+}
+
diff --git a/conf/plugins/bliss.opt b/conf/plugins/bliss.opt
new file mode 100644
index 000000000..0983da026
--- /dev/null
+++ b/conf/plugins/bliss.opt
@@ -0,0 +1,2 @@
+charon.plugins.bliss.use_bliss_b = yes
+ Use the enhanced BLISS-B key generation and signature algorithm.
diff --git a/conf/plugins/forecast.conf b/conf/plugins/forecast.conf
new file mode 100644
index 000000000..79edb4bc8
--- /dev/null
+++ b/conf/plugins/forecast.conf
@@ -0,0 +1,17 @@
+forecast {
+
+ # Multicast groups to join locally, allowing forwarding of them.
+ # groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+
+ # Local interface to listen for broadcasts to forward.
+ # interface =
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+ # CHILD_SA configurations names to perform multi/broadcast reinjection.
+ # reinject =
+
+}
+
diff --git a/conf/plugins/forecast.opt b/conf/plugins/forecast.opt
new file mode 100644
index 000000000..444cced63
--- /dev/null
+++ b/conf/plugins/forecast.opt
@@ -0,0 +1,29 @@
+charon.plugins.forecast.interface =
+ Local interface to listen for broadcasts to forward.
+
+ Name of the local interface to listen for broadcasts messages to forward.
+ If no interface is configured, the first usable interface is used, which
+ is usually just fine for single-homed hosts. If your host has multiple
+ interfaces, set this option to the local LAN interface you want to forward
+ broadcasts from/to.
+
+charon.plugins.forecast.reinject =
+ CHILD_SA configurations names to perform multi/broadcast reinjection.
+
+ Comma separated list of CHILD_SA configuration names for which to perform
+ multi/broadcast reinjection. For clients connecting over such a
+ configuration, any multi/broadcast received over the tunnel gets reinjected
+ to all active tunnels. This makes the broadcasts visible to other peers,
+ and for examples allows clients to see others shares. If disabled,
+ multi/broadcast messages received over a tunnel are injected to the local
+ network only, but not to other IPsec clients.
+
+charon.plugins.forecast.groups = 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
+ Multicast groups to join locally, allowing forwarding of them.
+
+ Comma separated list of multicast groups to join locally. The local host
+ receives and forwards packets in the local LAN for joined multicast groups
+ only. Packets matching the list of multicast groups get forwarded to
+ connected clients. The default group includes host multicasts, IGMP, mDNS,
+ LLMNR and SSDP/WS-Discovery, and is usually a good choice for Windows
+ clients.
diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt
index 9b60b9ede..7a40bc962 100644
--- a/conf/plugins/imc-attestation.opt
+++ b/conf/plugins/imc-attestation.opt
@@ -18,3 +18,21 @@ libimcv.plugins.imc-attestation.use_quote2 = yes
libimcv.plugins.imc-attestation.pcr_info = no
Whether to send pcr_before and pcr_after info.
+
+libimcv.plugins.imc-attestation.pcr17_before =
+ PCR17 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr17_meas =
+ Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+
+libimcv.plugins.imc-attestation.pcr17_after =
+ PCR17 value after measurement.
+
+libimcv.plugins.imc-attestation.pcr18_before =
+ PCR18 value before measurement.
+
+libimcv.plugins.imc-attestation.pcr18_meas =
+ Dummy measurement value extended into PCR17 if the TBOOT log is not available.
+
+libimcv.plugins.imc-attestation.pcr18_after =
+ PCR18 value after measurement.
diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt
index 3ad51625d..f55225023 100644
--- a/conf/plugins/imv-attestation.opt
+++ b/conf/plugins/imv-attestation.opt
@@ -12,21 +12,3 @@ libimcv.plugins.imv-attestation.hash_algorithm = sha256
libimcv.plugins.imv-attestation.min_nonce_len = 0
DH minimum nonce length.
-
-libimcv.plugins.imc-attestation.pcr17_after
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_before
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr17_meas
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_after
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_before
- Dummy data if the TBOOT log is not retrieved.
-
-libimcv.plugins.imc-attestation.pcr18_meas
- Dummy data if the TBOOT log is not retrieved.
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index f05f486b1..723bf0a49 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -4,6 +4,9 @@ kernel-netlink {
# routing table.
# fwmark =
+ # Whether to ignore errors potentially resulting from a retransmission.
+ # ignore_retransmit_errors = no
+
# Whether to load the plugin. Can also be an integer to increase the
# priority of this plugin.
load = yes
@@ -14,6 +17,21 @@ kernel-netlink {
# MTU to set on installed routes, 0 to disable.
# mtu = 0
+ # Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ # parallel_route = no
+
+ # Whether to perform concurrent Netlink XFRM queries on a single socket.
+ # parallel_xfrm = no
+
+ # Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+ # policy_update = no
+
+ # Whether to use port or socket based IKE XFRM bypass policies.
+ # port_bypass = no
+
+ # Number of Netlink message retransmissions to send on timeout.
+ # retries = 0
+
# Whether to trigger roam events when interfaces, addresses or routes
# change.
# roam_events = yes
@@ -22,6 +40,9 @@ kernel-netlink {
# mode IPsec SAs in the kernel.
# set_proto_port_transport_sa = no
+ # Netlink message retransmission timeout, 0 to disable retransmissions.
+ # timeout = 0
+
# Lifetime of XFRM acquire state in kernel.
# xfrm_acq_expires = 165
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 7d44581a5..800ba20c0 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -13,6 +13,29 @@ charon.plugins.kernel-netlink.mss = 0
charon.plugins.kernel-netlink.mtu = 0
MTU to set on installed routes, 0 to disable.
+charon.plugins.kernel-netlink.parallel_route = no
+ Whether to perform concurrent Netlink ROUTE queries on a single socket.
+
+ Whether to perform concurrent Netlink ROUTE queries on a single socket.
+ While parallel queries can improve throughput, it has more overhead. On
+ vanilla Linux, DUMP queries fail with EBUSY and must be retried, further
+ decreasing performance.
+
+charon.plugins.kernel-netlink.parallel_xfrm = no
+ Whether to perform concurrent Netlink XFRM queries on a single socket.
+
+charon.plugins.kernel-netlink.policy_update = no
+ Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+
+charon.plugins.kernel-netlink.port_bypass = no
+ Whether to use port or socket based IKE XFRM bypass policies.
+
+ Whether to use port or socket based IKE XFRM bypass policies.
+ IKE bypass policies are used to exempt IKE traffic from XFRM processing.
+ The default socket based policies are directly tied to the IKE UDP sockets,
+ port based policies use global XFRM bypass policies for the used IKE UDP
+ ports.
+
charon.plugins.kernel-netlink.roam_events = yes
Whether to trigger roam events when interfaces, addresses or routes change.
@@ -25,6 +48,15 @@ charon.plugins.kernel-netlink.set_proto_port_transport_sa = no
traffic, it also prevents the use of a single IPsec SA by more than one
traffic selector.
+charon.plugins.kernel-netlink.retries = 0
+ Number of Netlink message retransmissions to send on timeout.
+
+charon.plugins.kernel-netlink.timeout = 0
+ Netlink message retransmission timeout, 0 to disable retransmissions.
+
+charon.plugins.kernel-netlink.ignore_retransmit_errors = no
+ Whether to ignore errors potentially resulting from a retransmission.
+
charon.plugins.kernel-netlink.xfrm_acq_expires = 165
Lifetime of XFRM acquire state in kernel.
diff --git a/conf/plugins/kernel-pfkey.conf b/conf/plugins/kernel-pfkey.conf
new file mode 100644
index 000000000..2d4733e74
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.conf
@@ -0,0 +1,11 @@
+kernel-pfkey {
+
+ # Size of the receive buffer for the event socket (0 for default size).
+ # events_buffer_size = 0
+
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+ load = yes
+
+}
+
diff --git a/conf/plugins/kernel-pfkey.opt b/conf/plugins/kernel-pfkey.opt
new file mode 100644
index 000000000..ec05215d3
--- /dev/null
+++ b/conf/plugins/kernel-pfkey.opt
@@ -0,0 +1,7 @@
+charon.plugins.kernel-pfkey.events_buffer_size = 0
+ Size of the receive buffer for the event socket (0 for default size).
+
+ Size of the receive buffer for the event socket (0 for default size).
+ Because events are received asynchronously installing e.g. lots of policies
+ may require a larger buffer than the default on certain platforms in order
+ to receive all messages.
diff --git a/conf/plugins/tnccs-20.conf b/conf/plugins/tnccs-20.conf
index 9a57ee14d..e8c45ae5c 100644
--- a/conf/plugins/tnccs-20.conf
+++ b/conf/plugins/tnccs-20.conf
@@ -10,5 +10,18 @@ tnccs-20 {
# Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
# max_message_size = 65490
+ # Enable PB-TNC mutual protocol.
+ # mutual = no
+
+ tests {
+
+ # Send an unsupported PB-TNC message type with the NOSKIP flag set.
+ # pb_tnc_noskip = no
+
+ # Send a PB-TNC batch with a modified PB-TNC version.
+ # pb_tnc_version = 2
+
+ }
+
}
diff --git a/conf/plugins/tnccs-20.opt b/conf/plugins/tnccs-20.opt
index b15bc3fa1..8d16d1cb2 100644
--- a/conf/plugins/tnccs-20.opt
+++ b/conf/plugins/tnccs-20.opt
@@ -3,3 +3,12 @@ charon.plugins.tnccs-20.max_batch_size = 65522
charon.plugins.tnccs-20.max_message_size = 65490
Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497).
+
+charon.plugins.tnccs-20.mutual = no
+ Enable PB-TNC mutual protocol.
+
+charon.plugins.tnccs-20.tests.pb_tnc_noskip = no
+ Send an unsupported PB-TNC message type with the NOSKIP flag set.
+
+charon.plugins.tnccs-20.tests.pb_tnc_version = 2
+ Send a PB-TNC batch with a modified PB-TNC version.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index 28f6b12ec..b6db9c914 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -198,6 +198,15 @@ keys, which is discouraged due to security concerns (offline attacks on the
openly transmitted hash of the PSK).
.TP
+.BR charon.ignore_acquire_ts " [no]"
+If this is disabled the traffic selectors from the kernel's acquire events,
+which are derived from the triggering packet, are prepended to the traffic
+selectors from the configuration for IKEv2 connection. By enabling this, such
+specific traffic selectors will be ignored and only the ones in the config will
+be sent. This always happens for IKEv1 connections as the protocol only supports
+one set of traffic selectors per CHILD_SA.
+
+.TP
.BR charon.ignore_routing_tables " []"
A space\-separated list of routing tables to be excluded from route lookups.
@@ -322,6 +331,15 @@ preserved. Enabled plugins not found in that list are ordered alphabetically
before other plugins with the same priority.
.TP
+.BR charon.make_before_break " [no]"
+Initiate IKEv2 reauthentication with a make\-before\-break instead of a
+break\-before\-make scheme. Make\-before\-break uses overlapping IKE and CHILD_SA
+during reauthentication by first recreating all new SAs before deleting the old
+ones. This behavior can be beneficial to avoid connectivity gaps during
+reauthentication, but requires support for overlapping SAs by the peer.
+strongSwan can handle such overlapping SAs since version 5.3.0.
+
+.TP
.BR charon.max_packet " [10000]"
Maximum packet size accepted by charon.
@@ -374,6 +392,10 @@ sure to adjust the permissions of the config file accordingly.
Enable logging of SQL IP pool leases.
.TP
+.BR charon.plugins.bliss.use_bliss_b " [yes]"
+Use the enhanced BLISS\-B key generation and signature algorithm.
+
+.TP
.BR charon.plugins.certexpire.csv.cron " []"
Cron style string specifying CSV export times.
@@ -762,6 +784,31 @@ Remote IKE identity.
Remote EAP or XAuth identity, if used.
.TP
+.BR charon.plugins.forecast.groups " [224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250]"
+Comma separated list of multicast groups to join locally. The local host
+receives and forwards packets in the local LAN for joined multicast groups only.
+Packets matching the list of multicast groups get forwarded to connected
+clients. The default group includes host multicasts, IGMP, mDNS, LLMNR and
+SSDP/WS\-Discovery, and is usually a good choice for Windows clients.
+
+.TP
+.BR charon.plugins.forecast.interface " []"
+Name of the local interface to listen for broadcasts messages to forward. If no
+interface is configured, the first usable interface is used, which is usually
+just fine for single\-homed hosts. If your host has multiple interfaces, set this
+option to the local LAN interface you want to forward broadcasts from/to.
+
+.TP
+.BR charon.plugins.forecast.reinject " []"
+Comma separated list of CHILD_SA configuration names for which to perform
+multi/broadcast reinjection. For clients connecting over such a configuration,
+any multi/broadcast received over the tunnel gets reinjected to all active
+tunnels. This makes the broadcasts visible to other peers, and for examples
+allows clients to see others shares. If disabled, multi/broadcast messages
+received over a tunnel are injected to the local network only, but not to other
+IPsec clients.
+
+.TP
.BR charon.plugins.gcrypt.quick_random " [no]"
Use faster random numbers in gcrypt; for testing only, produces weak keys!
@@ -812,6 +859,10 @@ table. The format is [!]mark[/mask], where the optional exclamation mark inverts
the meaning (i.e. the rule only applies to packets that don't match the mark).
.TP
+.BR charon.plugins.kernel-netlink.ignore_retransmit_errors " [no]"
+Whether to ignore errors potentially resulting from a retransmission.
+
+.TP
.BR charon.plugins.kernel-netlink.mss " [0]"
MSS to set on installed routes, 0 to disable.
@@ -820,6 +871,32 @@ MSS to set on installed routes, 0 to disable.
MTU to set on installed routes, 0 to disable.
.TP
+.BR charon.plugins.kernel-netlink.parallel_route " [no]"
+Whether to perform concurrent Netlink ROUTE queries on a single socket. While
+parallel queries can improve throughput, it has more overhead. On vanilla Linux,
+DUMP queries fail with EBUSY and must be retried, further decreasing
+performance.
+
+.TP
+.BR charon.plugins.kernel-netlink.parallel_xfrm " [no]"
+Whether to perform concurrent Netlink XFRM queries on a single socket.
+
+.TP
+.BR charon.plugins.kernel-netlink.policy_update " [no]"
+Whether to always use XFRM_MSG_UPDPOLICY to install policies.
+
+.TP
+.BR charon.plugins.kernel-netlink.port_bypass " [no]"
+Whether to use port or socket based IKE XFRM bypass policies. IKE bypass
+policies are used to exempt IKE traffic from XFRM processing. The default socket
+based policies are directly tied to the IKE UDP sockets, port based policies use
+global XFRM bypass policies for the used IKE UDP ports.
+
+.TP
+.BR charon.plugins.kernel-netlink.retries " [0]"
+Number of Netlink message retransmissions to send on timeout.
+
+.TP
.BR charon.plugins.kernel-netlink.roam_events " [yes]"
Whether to trigger roam events when interfaces, addresses or routes change.
@@ -830,12 +907,23 @@ IPsec SAs in the kernel. While doing so enforces policies for inbound traffic,
it also prevents the use of a single IPsec SA by more than one traffic selector.
.TP
+.BR charon.plugins.kernel-netlink.timeout " [0]"
+Netlink message retransmission timeout, 0 to disable retransmissions.
+
+.TP
.BR charon.plugins.kernel-netlink.xfrm_acq_expires " [165]"
Lifetime of XFRM acquire state in kernel. The value gets written to
/proc/sys/net/core/xfrm_acq_expires. Indirectly controls the delay of XFRM
acquire messages sent.
.TP
+.BR charon.plugins.kernel-pfkey.events_buffer_size " [0]"
+Size of the receive buffer for the event socket (0 for default size). Because
+events are received asynchronously installing e.g. lots of policies may require
+a larger buffer than the default on certain platforms in order to receive all
+messages.
+
+.TP
.BR charon.plugins.kernel-pfroute.vip_wait " [1000]"
Time in ms to wait until virtual IP addresses appear/disappear before failing.
@@ -1291,6 +1379,18 @@ Maximum size of a PB\-TNC batch (upper limit via PT\-EAP = 65529).
Maximum size of a PA\-TNC message (upper limit via PT\-EAP = 65497).
.TP
+.BR charon.plugins.tnccs-20.mutual " [no]"
+Enable PB\-TNC mutual protocol.
+
+.TP
+.BR charon.plugins.tnccs-20.tests.pb_tnc_noskip " [no]"
+Send an unsupported PB\-TNC message type with the NOSKIP flag set.
+
+.TP
+.BR charon.plugins.tnccs-20.tests.pb_tnc_version " [2]"
+Send a PB\-TNC batch with a modified PB\-TNC version.
+
+.TP
.BR charon.plugins.unbound.dlv_anchors " []"
File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
the same format as
@@ -1444,6 +1544,19 @@ Specific IKEv2 message type to delay, 0 for any.
Send strongSwan vendor ID payload
.TP
+.BR charon.signature_authentication " [yes]"
+Whether to enable Signature Authentication as per RFC 7427.
+
+.TP
+.BR charon.signature_authentication_constraints " [yes]"
+If enabled, signature schemes configured in
+.RI "" "rightauth" ","
+in addition to getting
+used as constraints against signature schemes employed in the certificate chain,
+are also used as constraints against the signature scheme used by peers during
+IKEv2.
+
+.TP
.B charon.start-scripts
.br
Section containing a list of scripts (name = path) that are executed when the
@@ -1581,27 +1694,27 @@ DH nonce length.
.TP
.BR libimcv.plugins.imc-attestation.pcr17_after " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR17 value after measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr17_before " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR17 value before measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr17_meas " []"
-Dummy data if the TBOOT log is not retrieved.
+Dummy measurement value extended into PCR17 if the TBOOT log is not available.
.TP
.BR libimcv.plugins.imc-attestation.pcr18_after " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR18 value after measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr18_before " []"
-Dummy data if the TBOOT log is not retrieved.
+PCR18 value before measurement.
.TP
.BR libimcv.plugins.imc-attestation.pcr18_meas " []"
-Dummy data if the TBOOT log is not retrieved.
+Dummy measurement value extended into PCR17 if the TBOOT log is not available.
.TP
.BR libimcv.plugins.imc-attestation.pcr_info " [no]"
diff --git a/configure b/configure
index ee7d4cb05..811e45288 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.2.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.3.0.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='strongSwan'
PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.2.1'
-PACKAGE_STRING='strongSwan 5.2.1'
+PACKAGE_VERSION='5.3.0'
+PACKAGE_STRING='strongSwan 5.3.0'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -633,6 +633,10 @@ am__EXEEXT_TRUE
LTLIBOBJS
LIBOBJS
strongswan_options
+USE_PY_TEST_FALSE
+USE_PY_TEST_TRUE
+USE_PYTHON_EGGS_FALSE
+USE_PYTHON_EGGS_TRUE
USE_RUBY_GEMS_FALSE
USE_RUBY_GEMS_TRUE
USE_LEGACY_SYSTEMD_FALSE
@@ -727,8 +731,6 @@ USE_LOCK_PROFILER_FALSE
USE_LOCK_PROFILER_TRUE
USE_LEAK_DETECTIVE_FALSE
USE_LEAK_DETECTIVE_TRUE
-USE_RESOLVE_FALSE
-USE_RESOLVE_TRUE
USE_KERNEL_PFROUTE_FALSE
USE_KERNEL_PFROUTE_TRUE
USE_KERNEL_PFKEY_FALSE
@@ -739,12 +741,18 @@ USE_ATTR_SQL_FALSE
USE_ATTR_SQL_TRUE
USE_ATTR_FALSE
USE_ATTR_TRUE
+USE_RESOLVE_FALSE
+USE_RESOLVE_TRUE
USE_UNITY_FALSE
USE_UNITY_TRUE
USE_ADDRBLOCK_FALSE
USE_ADDRBLOCK_TRUE
USE_FARP_FALSE
USE_FARP_TRUE
+USE_FORECAST_FALSE
+USE_FORECAST_TRUE
+USE_CONNMARK_FALSE
+USE_CONNMARK_TRUE
USE_SOCKET_WIN_FALSE
USE_SOCKET_WIN_TRUE
USE_SOCKET_DYNAMIC_FALSE
@@ -861,8 +869,6 @@ USE_HA_FALSE
USE_HA_TRUE
USE_LOAD_TESTER_FALSE
USE_LOAD_TESTER_TRUE
-USE_UNIT_TESTS_FALSE
-USE_UNIT_TESTS_TRUE
USE_DHCP_FALSE
USE_DHCP_TRUE
USE_UPDOWN_FALSE
@@ -893,6 +899,8 @@ USE_VICI_FALSE
USE_VICI_TRUE
USE_STROKE_FALSE
USE_STROKE_TRUE
+USE_BLISS_FALSE
+USE_BLISS_TRUE
USE_NTRU_FALSE
USE_NTRU_TRUE
USE_AF_ALG_FALSE
@@ -985,6 +993,8 @@ USE_UNBOUND_FALSE
USE_UNBOUND_TRUE
USE_WINHTTP_FALSE
USE_WINHTTP_TRUE
+USE_FILES_FALSE
+USE_FILES_TRUE
USE_CURL_FALSE
USE_CURL_TRUE
USE_TEST_VECTORS_FALSE
@@ -1005,6 +1015,9 @@ attest_plugins
pool_plugins
starter_plugins
charon_plugins
+PY_TEST
+PYTHONEGGINSTALLDIR
+EASY_INSTALL
RUBYGEMDIR
GEM
COVERAGE_LDFLAGS
@@ -1017,6 +1030,8 @@ USE_DEV_HEADERS_FALSE
USE_DEV_HEADERS_TRUE
UNWINDLIB
BFDLIB
+libiptc_LIBS
+libiptc_CFLAGS
nm_LIBS
nm_CFLAGS
pcsclite_LIBS
@@ -1238,6 +1253,7 @@ with_mpz_powm_sec
with_dev_headers
with_printf_hooks
with_rubygemdir
+with_pythoneggdir
with_systemdsystemunitdir
with_user
with_group
@@ -1245,6 +1261,7 @@ with_charon_udp_port
with_charon_natt_port
enable_aes
enable_af_alg
+enable_bliss
enable_blowfish
enable_ccm
enable_cmac
@@ -1278,6 +1295,7 @@ enable_pubkey
enable_sshkey
enable_x509
enable_curl
+enable_files
enable_ldap
enable_soup
enable_unbound
@@ -1358,6 +1376,8 @@ enable_tnccs_20
enable_tnccs_dynamic
enable_android_log
enable_certexpire
+enable_connmark
+enable_forecast
enable_duplicheck
enable_error_notify
enable_farp
@@ -1369,7 +1389,6 @@ enable_maemo
enable_radattr
enable_systime_fix
enable_test_vectors
-enable_unit_tester
enable_updown
enable_aikgen
enable_charon
@@ -1398,6 +1417,7 @@ enable_load_warning
enable_mediation
enable_unwind_backtraces
enable_ruby_gems
+enable_python_eggs
enable_coverage
enable_leak_detective
enable_lock_profiler
@@ -1446,7 +1466,9 @@ maemo_LIBS
pcsclite_CFLAGS
pcsclite_LIBS
nm_CFLAGS
-nm_LIBS'
+nm_LIBS
+libiptc_CFLAGS
+libiptc_LIBS'
# Initialize some variables set by options.
@@ -1987,7 +2009,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures strongSwan 5.2.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.3.0 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -2057,7 +2079,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of strongSwan 5.2.1:";;
+ short | recursive ) echo "Configuration of strongSwan 5.3.0:";;
esac
cat <<\_ACEOF
@@ -2069,6 +2091,7 @@ Optional Features:
--disable-silent-rules verbose build output (undo: "make V=0")
--disable-aes disable AES software implementation plugin.
--enable-af-alg enable AF_ALG crypto interface to Linux Crypto API.
+ --enable-bliss enable BLISS software implementation plugin.
--enable-blowfish enable Blowfish software implementation plugin.
--enable-ccm enables the CCM AEAD wrapper crypto plugin.
--disable-cmac disable CMAC crypto implementation plugin.
@@ -2105,6 +2128,7 @@ Optional Features:
--disable-x509 disable X509 certificate implementation plugin.
--enable-curl enable CURL fetcher plugin to fetch files via
libcurl. Requires libcurl.
+ --enable-files enable simple file:// URI fetcher.
--enable-ldap enable LDAP fetching plugin to fetch files via
libldap. Requires openLDAP.
--enable-soup enable soup fetcher plugin to fetch from HTTP via
@@ -2210,6 +2234,10 @@ Optional Features:
--enable-android-log enable Android specific logger plugin.
--enable-certexpire enable CSV export of expiration dates of used
certificates.
+ --enable-connmark enable connmark plugin using conntrack based marks
+ to select return path SA.
+ --enable-forecast enable forecast plugin forwarding
+ broadcast/multicast messages.
--enable-duplicheck advanced duplicate checking plugin using liveness
checks.
--enable-error-notify enable error notification plugin.
@@ -2227,7 +2255,6 @@ Optional Features:
--enable-systime-fix enable plugin to handle cert lifetimes with invalid
system time gracefully.
--enable-test-vectors enable plugin providing crypto test vectors.
- --enable-unit-tester enable unit tests on IKEv2 daemon startup.
--disable-updown disable updown firewall script plugin.
--enable-aikgen enable AIK generator.
--disable-charon disable the IKEv1/IKEv2 keying daemon charon.
@@ -2267,6 +2294,7 @@ Optional Features:
use libunwind to create backtraces for memory leaks
and segfaults.
--enable-ruby-gems enable installation of provided ruby gems.
+ --enable-python-eggs enable installation of provided python eggs.
--enable-coverage enable lcov coverage report generation.
--enable-leak-detective enable malloc hooks to find memory leaks.
--enable-lock-profiler enable lock/mutex profiling code.
@@ -2343,6 +2371,8 @@ Optional Packages:
(default: auto).
--with-rubygemdir=arg path to install ruby gems to (default: "gem
environment gemdir").
+ --with-pythoneggdir=arg path to install python eggs to to (default: "main
+ site-packages directory").
--with-systemdsystemunitdir=arg
directory for systemd service files (default:
$systemdsystemunitdir_default).
@@ -2411,6 +2441,10 @@ Some influential environment variables:
linker flags for pcsclite, overriding pkg-config
nm_CFLAGS C compiler flags for nm, overriding pkg-config
nm_LIBS linker flags for nm, overriding pkg-config
+ libiptc_CFLAGS
+ C compiler flags for libiptc, overriding pkg-config
+ libiptc_LIBS
+ linker flags for libiptc, overriding pkg-config
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
@@ -2478,7 +2512,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-strongSwan configure 5.2.1
+strongSwan configure 5.3.0
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3000,7 +3034,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by strongSwan $as_me 5.2.1, which was
+It was created by strongSwan $as_me 5.3.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3863,7 +3897,7 @@ fi
# Define the identity of the package.
PACKAGE='strongswan'
- VERSION='5.2.1'
+ VERSION='5.3.0'
cat >>confdefs.h <<_ACEOF
@@ -4595,6 +4629,16 @@ fi
+# Check whether --with-pythoneggdir was given.
+if test "${with_pythoneggdir+set}" = set; then :
+ withval=$with_pythoneggdir; pythoneggdir="$withval"
+else
+ pythoneggdir="main site-packages directory"
+
+fi
+
+
+
if test -n "$PKG_CONFIG"; then
systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
fi
@@ -4738,6 +4782,22 @@ fi
disabled_by_default=${disabled_by_default}" af_alg"
+# Check whether --enable-bliss was given.
+if test "${enable_bliss+set}" = set; then :
+ enableval=$enable_bliss; bliss_given=true
+ if test x$enableval = xyes; then
+ bliss=true
+ else
+ bliss=false
+ fi
+else
+ bliss=false
+ bliss_given=false
+
+fi
+
+ disabled_by_default=${disabled_by_default}" bliss"
+
# Check whether --enable-blowfish was given.
if test "${enable_blowfish+set}" = set; then :
enableval=$enable_blowfish; blowfish_given=true
@@ -5268,6 +5328,22 @@ fi
disabled_by_default=${disabled_by_default}" curl"
+# Check whether --enable-files was given.
+if test "${enable_files+set}" = set; then :
+ enableval=$enable_files; files_given=true
+ if test x$enableval = xyes; then
+ files=true
+ else
+ files=false
+ fi
+else
+ files=false
+ files_given=false
+
+fi
+
+ disabled_by_default=${disabled_by_default}" files"
+
# Check whether --enable-ldap was given.
if test "${enable_ldap+set}" = set; then :
enableval=$enable_ldap; ldap_given=true
@@ -6555,6 +6631,38 @@ fi
disabled_by_default=${disabled_by_default}" certexpire"
+# Check whether --enable-connmark was given.
+if test "${enable_connmark+set}" = set; then :
+ enableval=$enable_connmark; connmark_given=true
+ if test x$enableval = xyes; then
+ connmark=true
+ else
+ connmark=false
+ fi
+else
+ connmark=false
+ connmark_given=false
+
+fi
+
+ disabled_by_default=${disabled_by_default}" connmark"
+
+# Check whether --enable-forecast was given.
+if test "${enable_forecast+set}" = set; then :
+ enableval=$enable_forecast; forecast_given=true
+ if test x$enableval = xyes; then
+ forecast=true
+ else
+ forecast=false
+ fi
+else
+ forecast=false
+ forecast_given=false
+
+fi
+
+ disabled_by_default=${disabled_by_default}" forecast"
+
# Check whether --enable-duplicheck was given.
if test "${enable_duplicheck+set}" = set; then :
enableval=$enable_duplicheck; duplicheck_given=true
@@ -6731,22 +6839,6 @@ fi
disabled_by_default=${disabled_by_default}" test_vectors"
-# Check whether --enable-unit-tester was given.
-if test "${enable_unit_tester+set}" = set; then :
- enableval=$enable_unit_tester; unit_tester_given=true
- if test x$enableval = xyes; then
- unit_tester=true
- else
- unit_tester=false
- fi
-else
- unit_tester=false
- unit_tester_given=false
-
-fi
-
- disabled_by_default=${disabled_by_default}" unit_tester"
-
# Check whether --enable-updown was given.
if test "${enable_updown+set}" = set; then :
enableval=$enable_updown; updown_given=true
@@ -7197,6 +7289,22 @@ fi
disabled_by_default=${disabled_by_default}" ruby_gems"
+# Check whether --enable-python-eggs was given.
+if test "${enable_python_eggs+set}" = set; then :
+ enableval=$enable_python_eggs; python_eggs_given=true
+ if test x$enableval = xyes; then
+ python_eggs=true
+ else
+ python_eggs=false
+ fi
+else
+ python_eggs=false
+ python_eggs_given=false
+
+fi
+
+ disabled_by_default=${disabled_by_default}" python_eggs"
+
# compile options
# Check whether --enable-coverage was given.
if test "${enable_coverage+set}" = set; then :
@@ -20878,6 +20986,102 @@ fi
fi
+if test x$connmark = xtrue -o x$forecast = xtrue; then
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libiptc" >&5
+$as_echo_n "checking for libiptc... " >&6; }
+
+if test -n "$libiptc_CFLAGS"; then
+ pkg_cv_libiptc_CFLAGS="$libiptc_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libiptc\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libiptc") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_libiptc_CFLAGS=`$PKG_CONFIG --cflags "libiptc" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+if test -n "$libiptc_LIBS"; then
+ pkg_cv_libiptc_LIBS="$libiptc_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libiptc\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libiptc") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_libiptc_LIBS=`$PKG_CONFIG --libs "libiptc" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ libiptc_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libiptc" 2>&1`
+ else
+ libiptc_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libiptc" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$libiptc_PKG_ERRORS" >&5
+
+ as_fn_error $? "Package requirements (libiptc) were not met:
+
+$libiptc_PKG_ERRORS
+
+Consider adjusting the PKG_CONFIG_PATH environment variable if you
+installed software in a non-standard prefix.
+
+Alternatively, you may set the environment variables libiptc_CFLAGS
+and libiptc_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details." "$LINENO" 5
+elif test $pkg_failed = untried; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it
+is in your PATH or set the PKG_CONFIG environment variable to the full
+path to pkg-config.
+
+Alternatively, you may set the environment variables libiptc_CFLAGS
+and libiptc_LIBS to avoid the need to call pkg-config.
+See the pkg-config man page for more details.
+
+To get pkg-config, see <http://pkg-config.freedesktop.org/>.
+See \`config.log' for more details" "$LINENO" 5; }
+else
+ libiptc_CFLAGS=$pkg_cv_libiptc_CFLAGS
+ libiptc_LIBS=$pkg_cv_libiptc_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+fi
+
+
+fi
+
if test x$capabilities = xnative; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&5
$as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&6;}
@@ -21326,6 +21530,101 @@ fi
fi
+if test x$python_eggs = xtrue; then
+ # Extract the first word of "easy_install", so it can be a program name with args.
+set dummy easy_install; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_EASY_INSTALL+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $EASY_INSTALL in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_EASY_INSTALL="$EASY_INSTALL" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_EASY_INSTALL="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+EASY_INSTALL=$ac_cv_path_EASY_INSTALL
+if test -n "$EASY_INSTALL"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $EASY_INSTALL" >&5
+$as_echo "$EASY_INSTALL" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ if test x$EASY_INSTALL = x; then
+ as_fn_error $? "Python easy_install not found" "$LINENO" 5
+ fi
+ if test "x$pythoneggdir" = "xmain site-packages directory"; then
+ PYTHONEGGINSTALLDIR=""
+
+ else
+ PYTHONEGGINSTALLDIR="--install-dir $pythoneggdir"
+
+ fi
+ # Extract the first word of "py.test", so it can be a program name with args.
+set dummy py.test; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PY_TEST+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $PY_TEST in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PY_TEST="$PY_TEST" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_dummy="$PATH:/bin:/usr/bin:/usr/local/bin"
+for as_dir in $as_dummy
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_PY_TEST="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+fi
+PY_TEST=$ac_cv_path_PY_TEST
+if test -n "$PY_TEST"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PY_TEST" >&5
+$as_echo "$PY_TEST" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+
# ===============================================
# collect plugin list for strongSwan components
# ===============================================
@@ -21382,26 +21681,6 @@ if test x$ldap = xtrue; then
fi
-if test x$mysql = xtrue; then
- s_plugins=${s_plugins}" mysql"
- charon_plugins=${charon_plugins}" mysql"
- pool_plugins=${pool_plugins}" mysql"
- manager_plugins=${manager_plugins}" mysql"
- medsrv_plugins=${medsrv_plugins}" mysql"
- attest_plugins=${attest_plugins}" mysql"
-
- fi
-
-if test x$sqlite = xtrue; then
- s_plugins=${s_plugins}" sqlite"
- charon_plugins=${charon_plugins}" sqlite"
- pool_plugins=${pool_plugins}" sqlite"
- manager_plugins=${manager_plugins}" sqlite"
- medsrv_plugins=${medsrv_plugins}" sqlite"
- attest_plugins=${attest_plugins}" sqlite"
-
- fi
-
if test x$pkcs11 = xtrue; then
s_plugins=${s_plugins}" pkcs11"
charon_plugins=${charon_plugins}" pkcs11"
@@ -21794,6 +22073,7 @@ if test x$cmac = xtrue; then
if test x$hmac = xtrue; then
s_plugins=${s_plugins}" hmac"
charon_plugins=${charon_plugins}" hmac"
+ pki_plugins=${pki_plugins}" hmac"
scripts_plugins=${scripts_plugins}" hmac"
nm_plugins=${nm_plugins}" hmac"
cmd_plugins=${cmd_plugins}" hmac"
@@ -21836,6 +22116,16 @@ if test x$ntru = xtrue; then
fi
+if test x$bliss = xtrue; then
+ s_plugins=${s_plugins}" bliss"
+ charon_plugins=${charon_plugins}" bliss"
+ pki_plugins=${pki_plugins}" bliss"
+ scripts_plugins=${scripts_plugins}" bliss"
+ nm_plugins=${nm_plugins}" bliss"
+ cmd_plugins=${cmd_plugins}" bliss"
+
+ fi
+
if test x$curl = xtrue; then
s_plugins=${s_plugins}" curl"
charon_plugins=${charon_plugins}" curl"
@@ -21847,6 +22137,17 @@ if test x$curl = xtrue; then
fi
+if test x$files = xtrue; then
+ s_plugins=${s_plugins}" files"
+ charon_plugins=${charon_plugins}" files"
+ scepclient_plugins=${scepclient_plugins}" files"
+ pki_plugins=${pki_plugins}" files"
+ scripts_plugins=${scripts_plugins}" files"
+ nm_plugins=${nm_plugins}" files"
+ cmd_plugins=${cmd_plugins}" files"
+
+ fi
+
if test x$winhttp = xtrue; then
s_plugins=${s_plugins}" winhttp"
charon_plugins=${charon_plugins}" winhttp"
@@ -21865,14 +22166,34 @@ if test x$soup = xtrue; then
fi
+if test x$mysql = xtrue; then
+ s_plugins=${s_plugins}" mysql"
+ charon_plugins=${charon_plugins}" mysql"
+ pool_plugins=${pool_plugins}" mysql"
+ manager_plugins=${manager_plugins}" mysql"
+ medsrv_plugins=${medsrv_plugins}" mysql"
+ attest_plugins=${attest_plugins}" mysql"
+
+ fi
+
+if test x$sqlite = xtrue; then
+ s_plugins=${s_plugins}" sqlite"
+ charon_plugins=${charon_plugins}" sqlite"
+ pool_plugins=${pool_plugins}" sqlite"
+ manager_plugins=${manager_plugins}" sqlite"
+ medsrv_plugins=${medsrv_plugins}" sqlite"
+ attest_plugins=${attest_plugins}" sqlite"
+
+ fi
+
if test x$attr = xtrue; then
- h_plugins=${h_plugins}" attr"
+ c_plugins=${c_plugins}" attr"
charon_plugins=${charon_plugins}" attr"
fi
if test x$attr_sql = xtrue; then
- h_plugins=${h_plugins}" attr-sql"
+ c_plugins=${c_plugins}" attr-sql"
charon_plugins=${charon_plugins}" attr-sql"
fi
@@ -21930,7 +22251,7 @@ if test x$kernel_netlink = xtrue; then
fi
if test x$resolve = xtrue; then
- h_plugins=${h_plugins}" resolve"
+ c_plugins=${c_plugins}" resolve"
charon_plugins=${charon_plugins}" resolve"
cmd_plugins=${cmd_plugins}" resolve"
@@ -21957,6 +22278,18 @@ if test x$socket_win = xtrue; then
fi
+if test x$connmark = xtrue; then
+ c_plugins=${c_plugins}" connmark"
+ charon_plugins=${charon_plugins}" connmark"
+
+ fi
+
+if test x$forecast = xtrue; then
+ c_plugins=${c_plugins}" forecast"
+ charon_plugins=${charon_plugins}" forecast"
+
+ fi
+
if test x$farp = xtrue; then
c_plugins=${c_plugins}" farp"
charon_plugins=${charon_plugins}" farp"
@@ -22315,12 +22648,6 @@ if test x$unity = xtrue; then
fi
-if test x$unit_tester = xtrue; then
- c_plugins=${c_plugins}" unit-tester"
- charon_plugins=${charon_plugins}" unit-tester"
-
- fi
-
@@ -22362,6 +22689,14 @@ else
USE_CURL_FALSE=
fi
+ if test x$files = xtrue; then
+ USE_FILES_TRUE=
+ USE_FILES_FALSE='#'
+else
+ USE_FILES_TRUE='#'
+ USE_FILES_FALSE=
+fi
+
if test x$winhttp = xtrue; then
USE_WINHTTP_TRUE=
USE_WINHTTP_FALSE='#'
@@ -22730,6 +23065,14 @@ else
USE_NTRU_FALSE=
fi
+ if test x$bliss = xtrue; then
+ USE_BLISS_TRUE=
+ USE_BLISS_FALSE='#'
+else
+ USE_BLISS_TRUE='#'
+ USE_BLISS_FALSE=
+fi
+
# charon plugins
# ----------------
@@ -22853,14 +23196,6 @@ else
USE_DHCP_FALSE=
fi
- if test x$unit_tester = xtrue; then
- USE_UNIT_TESTS_TRUE=
- USE_UNIT_TESTS_FALSE='#'
-else
- USE_UNIT_TESTS_TRUE='#'
- USE_UNIT_TESTS_FALSE=
-fi
-
if test x$load_tester = xtrue; then
USE_LOAD_TESTER_TRUE=
USE_LOAD_TESTER_FALSE='#'
@@ -23325,6 +23660,22 @@ else
USE_SOCKET_WIN_FALSE=
fi
+ if test x$connmark = xtrue; then
+ USE_CONNMARK_TRUE=
+ USE_CONNMARK_FALSE='#'
+else
+ USE_CONNMARK_TRUE='#'
+ USE_CONNMARK_FALSE=
+fi
+
+ if test x$forecast = xtrue; then
+ USE_FORECAST_TRUE=
+ USE_FORECAST_FALSE='#'
+else
+ USE_FORECAST_TRUE='#'
+ USE_FORECAST_FALSE=
+fi
+
if test x$farp = xtrue; then
USE_FARP_TRUE=
USE_FARP_FALSE='#'
@@ -23349,9 +23700,14 @@ else
USE_UNITY_FALSE=
fi
+ if test x$resolve = xtrue; then
+ USE_RESOLVE_TRUE=
+ USE_RESOLVE_FALSE='#'
+else
+ USE_RESOLVE_TRUE='#'
+ USE_RESOLVE_FALSE=
+fi
-# hydra plugins
-# ---------------
if test x$attr = xtrue; then
USE_ATTR_TRUE=
USE_ATTR_FALSE='#'
@@ -23368,6 +23724,9 @@ else
USE_ATTR_SQL_FALSE=
fi
+
+# hydra plugins
+# ---------------
if test x$kernel_netlink = xtrue; then
USE_KERNEL_NETLINK_TRUE=
USE_KERNEL_NETLINK_FALSE='#'
@@ -23392,14 +23751,6 @@ else
USE_KERNEL_PFROUTE_FALSE=
fi
- if test x$resolve = xtrue; then
- USE_RESOLVE_TRUE=
- USE_RESOLVE_FALSE='#'
-else
- USE_RESOLVE_TRUE='#'
- USE_RESOLVE_FALSE=
-fi
-
# other options
# ---------------
@@ -23779,6 +24130,22 @@ else
USE_RUBY_GEMS_FALSE=
fi
+ if test x$python_eggs = xtrue; then
+ USE_PYTHON_EGGS_TRUE=
+ USE_PYTHON_EGGS_FALSE='#'
+else
+ USE_PYTHON_EGGS_TRUE='#'
+ USE_PYTHON_EGGS_FALSE=
+fi
+
+ if test "x$PY_TEST" != x; then
+ USE_PY_TEST_TRUE=
+ USE_PY_TEST_FALSE='#'
+else
+ USE_PY_TEST_TRUE='#'
+ USE_PY_TEST_FALSE=
+fi
+
# ========================
# set global definitions
@@ -23862,14 +24229,14 @@ fi
# build Makefiles
# =================
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile"
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/rdrand/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/nonce/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/acert/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pkcs7/Makefile src/libstrongswan/plugins/pkcs8/Makefile src/libstrongswan/plugins/pkcs12/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/sshkey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/files/Makefile src/libstrongswan/plugins/winhttp/Makefile src/libstrongswan/plugins/unbound/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/keychain/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/ntru/Makefile src/libstrongswan/plugins/bliss/Makefile src/libstrongswan/plugins/bliss/tests/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libstrongswan/tests/Makefile src/libhydra/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/tests/Makefile src/libipsec/Makefile src/libsimaka/Makefile src/libtls/Makefile src/libtls/tests/Makefile src/libradius/Makefile src/libtncif/Makefile src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile src/libpttls/Makefile src/libimcv/Makefile src/libimcv/plugins/imc_test/Makefile src/libimcv/plugins/imv_test/Makefile src/libimcv/plugins/imc_scanner/Makefile src/libimcv/plugins/imv_scanner/Makefile src/libimcv/plugins/imc_os/Makefile src/libimcv/plugins/imv_os/Makefile src/libimcv/plugins/imc_attestation/Makefile src/libimcv/plugins/imv_attestation/Makefile src/libimcv/plugins/imc_swid/Makefile src/libimcv/plugins/imv_swid/Makefile src/charon/Makefile src/charon-nm/Makefile src/charon-tkm/Makefile src/charon-cmd/Makefile src/charon-svc/Makefile src/charon-systemd/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_dynamic/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_sim_pcsc/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_peap/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/xauth_generic/Makefile src/libcharon/plugins/xauth_eap/Makefile src/libcharon/plugins/xauth_pam/Makefile src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/socket_win/Makefile src/libcharon/plugins/connmark/Makefile src/libcharon/plugins/forecast/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/dnscert/Makefile src/libcharon/plugins/ipseckey/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/unity/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/kernel_libipsec/Makefile src/libcharon/plugins/kernel_wfp/Makefile src/libcharon/plugins/kernel_iph/Makefile src/libcharon/plugins/whitelist/Makefile src/libcharon/plugins/ext_auth/Makefile src/libcharon/plugins/lookip/Makefile src/libcharon/plugins/error_notify/Makefile src/libcharon/plugins/certexpire/Makefile src/libcharon/plugins/systime_fix/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/duplicheck/Makefile src/libcharon/plugins/coupling/Makefile src/libcharon/plugins/radattr/Makefile src/libcharon/plugins/osx_attr/Makefile src/libcharon/plugins/android_dns/Makefile src/libcharon/plugins/android_log/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/vici/Makefile src/libcharon/plugins/vici/ruby/Makefile src/libcharon/plugins/vici/python/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/load_tester/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/attr/Makefile src/libcharon/plugins/attr_sql/Makefile src/libcharon/tests/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/starter/tests/Makefile src/_updown/Makefile src/_copyright/Makefile src/scepclient/Makefile src/aikgen/Makefile src/pki/Makefile src/pki/man/Makefile src/pool/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile src/pt-tls-client/Makefile src/swanctl/Makefile scripts/Makefile testing/Makefile"
# =================
# build man pages
# =================
-ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail"
+ac_config_files="$ac_config_files conf/strongswan.conf.5.head conf/strongswan.conf.5.tail man/ipsec.conf.5 man/ipsec.secrets.5 src/charon-cmd/charon-cmd.8 src/pki/man/pki.1 src/pki/man/pki---gen.1 src/pki/man/pki---issue.1 src/pki/man/pki---keyid.1 src/pki/man/pki---pkcs7.1 src/pki/man/pki---pkcs12.1 src/pki/man/pki---print.1 src/pki/man/pki---pub.1 src/pki/man/pki---req.1 src/pki/man/pki---self.1 src/pki/man/pki---signcrl.1 src/pki/man/pki---acert.1 src/pki/man/pki---verify.1 src/swanctl/swanctl.8 src/swanctl/swanctl.conf.5.head src/swanctl/swanctl.conf.5.tail"
cat >confcache <<\_ACEOF
@@ -24026,6 +24393,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then
as_fn_error $? "conditional \"USE_CURL\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_FILES_TRUE}" && test -z "${USE_FILES_FALSE}"; then
+ as_fn_error $? "conditional \"USE_FILES\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_WINHTTP_TRUE}" && test -z "${USE_WINHTTP_FALSE}"; then
as_fn_error $? "conditional \"USE_WINHTTP\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24210,6 +24581,10 @@ if test -z "${USE_NTRU_TRUE}" && test -z "${USE_NTRU_FALSE}"; then
as_fn_error $? "conditional \"USE_NTRU\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_BLISS_TRUE}" && test -z "${USE_BLISS_FALSE}"; then
+ as_fn_error $? "conditional \"USE_BLISS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then
as_fn_error $? "conditional \"USE_STROKE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24270,10 +24645,6 @@ if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then
as_fn_error $? "conditional \"USE_DHCP\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
-if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then
- as_fn_error $? "conditional \"USE_UNIT_TESTS\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
if test -z "${USE_LOAD_TESTER_TRUE}" && test -z "${USE_LOAD_TESTER_FALSE}"; then
as_fn_error $? "conditional \"USE_LOAD_TESTER\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24506,6 +24877,14 @@ if test -z "${USE_SOCKET_WIN_TRUE}" && test -z "${USE_SOCKET_WIN_FALSE}"; then
as_fn_error $? "conditional \"USE_SOCKET_WIN\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_CONNMARK_TRUE}" && test -z "${USE_CONNMARK_FALSE}"; then
+ as_fn_error $? "conditional \"USE_CONNMARK\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_FORECAST_TRUE}" && test -z "${USE_FORECAST_FALSE}"; then
+ as_fn_error $? "conditional \"USE_FORECAST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then
as_fn_error $? "conditional \"USE_FARP\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24518,6 +24897,10 @@ if test -z "${USE_UNITY_TRUE}" && test -z "${USE_UNITY_FALSE}"; then
as_fn_error $? "conditional \"USE_UNITY\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
+ as_fn_error $? "conditional \"USE_RESOLVE\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then
as_fn_error $? "conditional \"USE_ATTR\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24538,10 +24921,6 @@ if test -z "${USE_KERNEL_PFROUTE_TRUE}" && test -z "${USE_KERNEL_PFROUTE_FALSE}"
as_fn_error $? "conditional \"USE_KERNEL_PFROUTE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
-if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then
- as_fn_error $? "conditional \"USE_RESOLVE\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
if test -z "${USE_LEAK_DETECTIVE_TRUE}" && test -z "${USE_LEAK_DETECTIVE_FALSE}"; then
as_fn_error $? "conditional \"USE_LEAK_DETECTIVE\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -24730,6 +25109,14 @@ if test -z "${USE_RUBY_GEMS_TRUE}" && test -z "${USE_RUBY_GEMS_FALSE}"; then
as_fn_error $? "conditional \"USE_RUBY_GEMS\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${USE_PYTHON_EGGS_TRUE}" && test -z "${USE_PYTHON_EGGS_FALSE}"; then
+ as_fn_error $? "conditional \"USE_PYTHON_EGGS\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${USE_PY_TEST_TRUE}" && test -z "${USE_PY_TEST_FALSE}"; then
+ as_fn_error $? "conditional \"USE_PY_TEST\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
: "${CONFIG_STATUS=./config.status}"
ac_write_fail=0
@@ -25127,7 +25514,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by strongSwan $as_me 5.2.1, which was
+This file was extended by strongSwan $as_me 5.3.0, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -25193,7 +25580,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-strongSwan config.status 5.2.1
+strongSwan config.status 5.3.0
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
@@ -25641,6 +26028,7 @@ do
"src/libstrongswan/plugins/sshkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sshkey/Makefile" ;;
"src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;;
"src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;;
+ "src/libstrongswan/plugins/files/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/files/Makefile" ;;
"src/libstrongswan/plugins/winhttp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/winhttp/Makefile" ;;
"src/libstrongswan/plugins/unbound/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/unbound/Makefile" ;;
"src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;;
@@ -25658,15 +26046,15 @@ do
"src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;;
"src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;;
"src/libstrongswan/plugins/ntru/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ntru/Makefile" ;;
+ "src/libstrongswan/plugins/bliss/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/Makefile" ;;
+ "src/libstrongswan/plugins/bliss/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/bliss/tests/Makefile" ;;
"src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;;
"src/libstrongswan/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/tests/Makefile" ;;
"src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;;
- "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;;
- "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;;
"src/libhydra/plugins/kernel_netlink/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_netlink/Makefile" ;;
"src/libhydra/plugins/kernel_pfkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfkey/Makefile" ;;
"src/libhydra/plugins/kernel_pfroute/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/kernel_pfroute/Makefile" ;;
- "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;;
+ "src/libhydra/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/tests/Makefile" ;;
"src/libipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/libipsec/Makefile" ;;
"src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;;
"src/libtls/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtls/Makefile" ;;
@@ -25726,6 +26114,8 @@ do
"src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
"src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
"src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;;
+ "src/libcharon/plugins/connmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/connmark/Makefile" ;;
+ "src/libcharon/plugins/forecast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/forecast/Makefile" ;;
"src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
"src/libcharon/plugins/smp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/smp/Makefile" ;;
"src/libcharon/plugins/sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/sql/Makefile" ;;
@@ -25757,16 +26147,19 @@ do
"src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;;
"src/libcharon/plugins/vici/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/Makefile" ;;
"src/libcharon/plugins/vici/ruby/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/ruby/Makefile" ;;
+ "src/libcharon/plugins/vici/python/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/vici/python/Makefile" ;;
"src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;;
"src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;;
- "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;;
"src/libcharon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/load_tester/Makefile" ;;
+ "src/libcharon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/resolve/Makefile" ;;
+ "src/libcharon/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr/Makefile" ;;
+ "src/libcharon/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr_sql/Makefile" ;;
+ "src/libcharon/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/tests/Makefile" ;;
"src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
"src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
"src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
"src/starter/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/tests/Makefile" ;;
"src/_updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown/Makefile" ;;
- "src/_updown_espmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/_updown_espmark/Makefile" ;;
"src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
"src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
"src/aikgen/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikgen/Makefile" ;;
@@ -25794,6 +26187,7 @@ do
"src/pki/man/pki---issue.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---issue.1" ;;
"src/pki/man/pki---keyid.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---keyid.1" ;;
"src/pki/man/pki---pkcs7.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pkcs7.1" ;;
+ "src/pki/man/pki---pkcs12.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pkcs12.1" ;;
"src/pki/man/pki---print.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---print.1" ;;
"src/pki/man/pki---pub.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---pub.1" ;;
"src/pki/man/pki---req.1") CONFIG_FILES="$CONFIG_FILES src/pki/man/pki---req.1" ;;
diff --git a/configure.ac b/configure.ac
index 7a3c3281b..73c288495 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
#
-# Copyright (C) 2007-2014 Tobias Brunner
+# Copyright (C) 2007-2015 Tobias Brunner
# Copyright (C) 2006-2014 Andreas Steffen
# Copyright (C) 2006-2014 Martin Willi
# Hochschule fuer Technik Rapperswil
@@ -19,7 +19,7 @@
# initialize & set some vars
# ============================
-AC_INIT([strongSwan],[5.2.1])
+AC_INIT([strongSwan],[5.3.0])
AM_INIT_AUTOMAKE(m4_esyscmd([
echo tar-ustar
echo subdir-objects
@@ -69,6 +69,7 @@ ARG_WITH_SET([mpz_powm_sec], [yes], [use the more side-channel resistant
ARG_WITH_SET([dev-headers], [no], [install strongSwan development headers to directory.])
ARG_WITH_SET([printf-hooks], [auto], [force the use of a specific printf hook implementation (auto, builtin, glibc, vstr).])
ARG_WITH_SET([rubygemdir], ["gem environment gemdir"], [path to install ruby gems to])
+ARG_WITH_SET([pythoneggdir], ["main site-packages directory"], [path to install python eggs to to])
if test -n "$PKG_CONFIG"; then
systemdsystemunitdir_default=$($PKG_CONFIG --variable=systemdsystemunitdir systemd)
@@ -123,6 +124,7 @@ m4_include(m4/macros/enable-disable.m4)
# crypto plugins
ARG_DISBL_SET([aes], [disable AES software implementation plugin.])
ARG_ENABL_SET([af-alg], [enable AF_ALG crypto interface to Linux Crypto API.])
+ARG_ENABL_SET([bliss], [enable BLISS software implementation plugin.])
ARG_ENABL_SET([blowfish], [enable Blowfish software implementation plugin.])
ARG_ENABL_SET([ccm], [enables the CCM AEAD wrapper crypto plugin.])
ARG_DISBL_SET([cmac], [disable CMAC crypto implementation plugin.])
@@ -158,6 +160,7 @@ ARG_DISBL_SET([sshkey], [disable SSH key decoding plugin.])
ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.])
# fetcher/resolver plugins
ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.])
+ARG_ENABL_SET([files], [enable simple file:// URI fetcher.])
ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.])
ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.])
ARG_ENABL_SET([unbound], [enable UNBOUND resolver plugin to perform DNS queries via libunbound. Requires libldns and libunbound.])
@@ -245,6 +248,8 @@ ARG_ENABL_SET([tnccs-dynamic], [enable dynamic TNCCS protocol discovery module.
# misc plugins
ARG_ENABL_SET([android-log], [enable Android specific logger plugin.])
ARG_ENABL_SET([certexpire], [enable CSV export of expiration dates of used certificates.])
+ARG_ENABL_SET([connmark], [enable connmark plugin using conntrack based marks to select return path SA.])
+ARG_ENABL_SET([forecast], [enable forecast plugin forwarding broadcast/multicast messages.])
ARG_ENABL_SET([duplicheck], [advanced duplicate checking plugin using liveness checks.])
ARG_ENABL_SET([error-notify], [enable error notification plugin.])
ARG_ENABL_SET([farp], [enable ARP faking plugin that responds to ARP requests to peers virtual IP])
@@ -256,7 +261,6 @@ ARG_ENABL_SET([maemo], [enable Maemo specific plugin.])
ARG_ENABL_SET([radattr], [enable plugin to inject and process custom RADIUS attributes as IKEv2 client.])
ARG_ENABL_SET([systime-fix], [enable plugin to handle cert lifetimes with invalid system time gracefully.])
ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.])
-ARG_ENABL_SET([unit-tester], [enable unit tests on IKEv2 daemon startup.])
ARG_DISBL_SET([updown], [disable updown firewall script plugin.])
# programs/components
ARG_ENABL_SET([aikgen], [enable AIK generator.])
@@ -287,6 +291,7 @@ ARG_DISBL_SET([load-warning], [disable the charon plugin load option warning i
ARG_ENABL_SET([mediation], [enable IKEv2 Mediation Extension.])
ARG_ENABL_SET([unwind-backtraces],[use libunwind to create backtraces for memory leaks and segfaults.])
ARG_ENABL_SET([ruby-gems], [enable installation of provided ruby gems.])
+ARG_ENABL_SET([python-eggs], [enable installation of provided python eggs.])
# compile options
ARG_ENABL_SET([coverage], [enable lcov coverage report generation.])
ARG_ENABL_SET([leak-detective], [enable malloc hooks to find memory leaks.])
@@ -1076,6 +1081,12 @@ if test x$xauth_pam = xtrue; then
AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
fi
+if test x$connmark = xtrue -o x$forecast = xtrue; then
+ PKG_CHECK_MODULES(libiptc, [libiptc])
+ AC_SUBST(libiptc_CFLAGS)
+ AC_SUBST(libiptc_LIBS)
+fi
+
if test x$capabilities = xnative; then
AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead])
# Linux requires the following for capset(), Android does not have it,
@@ -1177,6 +1188,19 @@ if test x$ruby_gems = xtrue; then
AC_SUBST(RUBYGEMDIR, "$rubygemdir")
fi
+if test x$python_eggs = xtrue; then
+ AC_PATH_PROG([EASY_INSTALL], [easy_install], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+ if test x$EASY_INSTALL = x; then
+ AC_MSG_ERROR(Python easy_install not found)
+ fi
+ if test "x$pythoneggdir" = "xmain site-packages directory"; then
+ AC_SUBST(PYTHONEGGINSTALLDIR, "")
+ else
+ AC_SUBST(PYTHONEGGINSTALLDIR, "--install-dir $pythoneggdir")
+ fi
+ AC_PATH_PROG([PY_TEST], [py.test], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
+fi
+
# ===============================================
# collect plugin list for strongSwan components
# ===============================================
@@ -1207,8 +1231,6 @@ t_plugins=
ADD_PLUGIN([test-vectors], [s charon scepclient pki])
ADD_PLUGIN([unbound], [s charon scripts])
ADD_PLUGIN([ldap], [s charon scepclient scripts nm cmd])
-ADD_PLUGIN([mysql], [s charon pool manager medsrv attest])
-ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest])
ADD_PLUGIN([pkcs11], [s charon pki nm cmd])
ADD_PLUGIN([aes], [s charon scepclient pki scripts nm cmd])
ADD_PLUGIN([des], [s charon scepclient pki scripts nm cmd])
@@ -1246,16 +1268,20 @@ ADD_PLUGIN([agent], [s charon nm cmd])
ADD_PLUGIN([keychain], [s charon cmd])
ADD_PLUGIN([xcbc], [s charon nm cmd])
ADD_PLUGIN([cmac], [s charon nm cmd])
-ADD_PLUGIN([hmac], [s charon scripts nm cmd])
+ADD_PLUGIN([hmac], [s charon pki scripts nm cmd])
ADD_PLUGIN([ctr], [s charon scripts nm cmd])
ADD_PLUGIN([ccm], [s charon scripts nm cmd])
ADD_PLUGIN([gcm], [s charon scripts nm cmd])
ADD_PLUGIN([ntru], [s charon scripts nm cmd])
+ADD_PLUGIN([bliss], [s charon pki scripts nm cmd])
ADD_PLUGIN([curl], [s charon scepclient pki scripts nm cmd])
+ADD_PLUGIN([files], [s charon scepclient pki scripts nm cmd])
ADD_PLUGIN([winhttp], [s charon pki scripts])
ADD_PLUGIN([soup], [s charon pki scripts nm cmd])
-ADD_PLUGIN([attr], [h charon])
-ADD_PLUGIN([attr-sql], [h charon])
+ADD_PLUGIN([mysql], [s charon pool manager medsrv attest])
+ADD_PLUGIN([sqlite], [s charon pool manager medsrv attest])
+ADD_PLUGIN([attr], [c charon])
+ADD_PLUGIN([attr-sql], [c charon])
ADD_PLUGIN([load-tester], [c charon])
ADD_PLUGIN([kernel-libipsec], [c charon cmd])
ADD_PLUGIN([kernel-wfp], [c charon])
@@ -1263,10 +1289,12 @@ ADD_PLUGIN([kernel-iph], [c charon])
ADD_PLUGIN([kernel-pfkey], [h charon starter nm cmd])
ADD_PLUGIN([kernel-pfroute], [h charon starter nm cmd])
ADD_PLUGIN([kernel-netlink], [h charon starter nm cmd])
-ADD_PLUGIN([resolve], [h charon cmd])
+ADD_PLUGIN([resolve], [c charon cmd])
ADD_PLUGIN([socket-default], [c charon nm cmd])
ADD_PLUGIN([socket-dynamic], [c charon cmd])
ADD_PLUGIN([socket-win], [c charon])
+ADD_PLUGIN([connmark], [c charon])
+ADD_PLUGIN([forecast], [c charon])
ADD_PLUGIN([farp], [c charon])
ADD_PLUGIN([stroke], [c charon])
ADD_PLUGIN([vici], [c charon])
@@ -1324,7 +1352,6 @@ ADD_PLUGIN([maemo], [c charon])
ADD_PLUGIN([uci], [c charon])
ADD_PLUGIN([addrblock], [c charon])
ADD_PLUGIN([unity], [c charon])
-ADD_PLUGIN([unit-tester], [c charon])
AC_SUBST(charon_plugins)
AC_SUBST(starter_plugins)
@@ -1352,6 +1379,7 @@ AC_SUBST(t_plugins)
# -----------------------
AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue)
AM_CONDITIONAL(USE_CURL, test x$curl = xtrue)
+AM_CONDITIONAL(USE_FILES, test x$files = xtrue)
AM_CONDITIONAL(USE_WINHTTP, test x$winhttp = xtrue)
AM_CONDITIONAL(USE_UNBOUND, test x$unbound = xtrue)
AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue)
@@ -1398,6 +1426,7 @@ AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue)
AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue)
AM_CONDITIONAL(USE_NTRU, test x$ntru = xtrue)
+AM_CONDITIONAL(USE_BLISS, test x$bliss = xtrue)
# charon plugins
# ----------------
@@ -1416,7 +1445,6 @@ AM_CONDITIONAL(USE_DNSCERT, test x$dnscert = xtrue)
AM_CONDITIONAL(USE_IPSECKEY, test x$ipseckey = xtrue)
AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue)
AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue)
-AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tester = xtrue)
AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue)
AM_CONDITIONAL(USE_HA, test x$ha = xtrue)
AM_CONDITIONAL(USE_KERNEL_LIBIPSEC, test x$kernel_libipsec = xtrue)
@@ -1475,18 +1503,20 @@ AM_CONDITIONAL(USE_IMV_SWID, test x$imv_swid = xtrue)
AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue)
+AM_CONDITIONAL(USE_CONNMARK, test x$connmark = xtrue)
+AM_CONDITIONAL(USE_FORECAST, test x$forecast = xtrue)
AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue)
AM_CONDITIONAL(USE_UNITY, test x$unity = xtrue)
+AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
+AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
+AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
# hydra plugins
# ---------------
-AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
-AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
AM_CONDITIONAL(USE_KERNEL_NETLINK, test x$kernel_netlink = xtrue)
AM_CONDITIONAL(USE_KERNEL_PFKEY, test x$kernel_pfkey = xtrue)
AM_CONDITIONAL(USE_KERNEL_PFROUTE, test x$kernel_pfroute = xtrue)
-AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue)
# other options
# ---------------
@@ -1537,6 +1567,8 @@ AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
AM_CONDITIONAL(USE_LEGACY_SYSTEMD, test -n "$systemdsystemunitdir" -a "x$systemdsystemunitdir" != xno)
AM_CONDITIONAL(USE_RUBY_GEMS, test x$ruby_gems = xtrue)
+AM_CONDITIONAL(USE_PYTHON_EGGS, test x$python_eggs = xtrue)
+AM_CONDITIONAL(USE_PY_TEST, test "x$PY_TEST" != x)
# ========================
# set global definitions
@@ -1624,6 +1656,7 @@ AC_CONFIG_FILES([
src/libstrongswan/plugins/sshkey/Makefile
src/libstrongswan/plugins/pem/Makefile
src/libstrongswan/plugins/curl/Makefile
+ src/libstrongswan/plugins/files/Makefile
src/libstrongswan/plugins/winhttp/Makefile
src/libstrongswan/plugins/unbound/Makefile
src/libstrongswan/plugins/soup/Makefile
@@ -1641,15 +1674,15 @@ AC_CONFIG_FILES([
src/libstrongswan/plugins/gcm/Makefile
src/libstrongswan/plugins/af_alg/Makefile
src/libstrongswan/plugins/ntru/Makefile
+ src/libstrongswan/plugins/bliss/Makefile
+ src/libstrongswan/plugins/bliss/tests/Makefile
src/libstrongswan/plugins/test_vectors/Makefile
src/libstrongswan/tests/Makefile
src/libhydra/Makefile
- src/libhydra/plugins/attr/Makefile
- src/libhydra/plugins/attr_sql/Makefile
src/libhydra/plugins/kernel_netlink/Makefile
src/libhydra/plugins/kernel_pfkey/Makefile
src/libhydra/plugins/kernel_pfroute/Makefile
- src/libhydra/plugins/resolve/Makefile
+ src/libhydra/tests/Makefile
src/libipsec/Makefile
src/libsimaka/Makefile
src/libtls/Makefile
@@ -1709,6 +1742,8 @@ AC_CONFIG_FILES([
src/libcharon/plugins/socket_default/Makefile
src/libcharon/plugins/socket_dynamic/Makefile
src/libcharon/plugins/socket_win/Makefile
+ src/libcharon/plugins/connmark/Makefile
+ src/libcharon/plugins/forecast/Makefile
src/libcharon/plugins/farp/Makefile
src/libcharon/plugins/smp/Makefile
src/libcharon/plugins/sql/Makefile
@@ -1740,16 +1775,19 @@ AC_CONFIG_FILES([
src/libcharon/plugins/stroke/Makefile
src/libcharon/plugins/vici/Makefile
src/libcharon/plugins/vici/ruby/Makefile
+ src/libcharon/plugins/vici/python/Makefile
src/libcharon/plugins/updown/Makefile
src/libcharon/plugins/dhcp/Makefile
- src/libcharon/plugins/unit_tester/Makefile
src/libcharon/plugins/load_tester/Makefile
+ src/libcharon/plugins/resolve/Makefile
+ src/libcharon/plugins/attr/Makefile
+ src/libcharon/plugins/attr_sql/Makefile
+ src/libcharon/tests/Makefile
src/stroke/Makefile
src/ipsec/Makefile
src/starter/Makefile
src/starter/tests/Makefile
src/_updown/Makefile
- src/_updown_espmark/Makefile
src/_copyright/Makefile
src/scepclient/Makefile
src/aikgen/Makefile
@@ -1784,6 +1822,7 @@ AC_CONFIG_FILES([
src/pki/man/pki---issue.1
src/pki/man/pki---keyid.1
src/pki/man/pki---pkcs7.1
+ src/pki/man/pki---pkcs12.1
src/pki/man/pki---print.1
src/pki/man/pki---pub.1
src/pki/man/pki---req.1
diff --git a/init/Makefile.in b/init/Makefile.in
index 3da1e6514..18c69f1b0 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -204,6 +204,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -264,10 +265,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -341,6 +344,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in
index 14089c479..28cedbda8 100644
--- a/init/systemd-swanctl/Makefile.in
+++ b/init/systemd-swanctl/Makefile.in
@@ -172,6 +172,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -232,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -309,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index a8c7af61c..808023eb2 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -172,6 +172,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -232,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -309,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/man/Makefile.in b/man/Makefile.in
index 08aee19c0..501361003 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -178,6 +178,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -238,10 +239,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -315,6 +318,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index fe37dff83..39c3b2b79 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -23,8 +23,7 @@ as are empty lines which are not within a section.
A line which contains
.B include
and a file name, separated by white space,
-is replaced by the contents of that file,
-preceded and followed by empty lines.
+is replaced by the contents of that file.
If the file name is not a full pathname,
it is considered to be relative to the directory containing the
including file.
@@ -61,12 +60,9 @@ indicates what type of section follows, and
.I name
is an arbitrary name which distinguishes the section from others
of the same type.
-Names must start with a letter and may contain only
-letters, digits, periods, underscores, and hyphens.
All subsequent non-empty lines
-which begin with white space are part of the section;
-comments within a section must begin with white space too.
-There may be only one section of a given type with a given name.
+which begin with white space are part of the section.
+Sections of the same type that share the same name are merged.
.PP
Lines within the section are generally of the form
.PP
@@ -75,24 +71,30 @@ Lines within the section are generally of the form
(note the mandatory preceding white space).
There can be white space on either side of the
.BR = .
-Parameter names follow the same syntax as section names,
-and are specific to a section type.
-Unless otherwise explicitly specified,
-no parameter name may appear more than once in a section.
+Parameter names are specific to a section type.
.PP
An empty
.I value
stands for the system default value (if any) of the parameter,
-i.e. it is roughly equivalent to omitting the parameter line entirely.
+i.e. it is roughly equivalent to omitting the parameter line entirely. This may
+be useful to clear a setting inherited from a
+.B %default
+section or via
+.B also
+parameter (see below).
A
.I value
-may contain white space only if the entire
-.I value
-is enclosed in double quotes (\fB"\fR);
-a
+may contain single spaces (additional white space is reduced to one space).
+To preserve white space as written enclose the entire
.I value
-cannot itself contain a double quote,
-nor may it be continued across more than one line.
+in double quotes (\fB"\fR); in such values double quotes themselves may be
+escaped by prefixing them with
+.B \\\\
+characters. A double-quoted string may span multiple lines by ending them with
+.B \\\\
+characters (following lines don't have to begin with white space, as that will
+be preserved). Additionally, the following control characters may be encoded in
+double-quoted strings: \\n, \\r, \\t, \\b, \\f.
.PP
Numeric values are specified to be either an ``integer''
(a sequence of digits) or a ``decimal number''
@@ -102,38 +104,24 @@ There is currently one parameter which is available in any type of
section:
.TP
.B also
-the value is a section name;
-the parameters of that section are appended to this section,
-as if they had been written as part of it.
-The specified section must exist, must follow the current one,
-and must have the same section type.
-(Nesting is permitted,
-and there may be more than one
+the value is a section name; the parameters of that section are inherited by
+the current section. Parameters in the current section always override inherited
+parameters, even if an
+.B also
+follows after them.
+The specified section must exist and must have the same section type; it doesn't
+if it is defined before or after the current section.
+Nesting is permitted, and there may be more than one
+.B also
+in a single section (parameters from referenced sections are inherited and
+overridden in the order of these
.B also
-in a single section,
-although it is forbidden to append the same section more than once.)
+parameters).
.PP
A section with name
.B %default
-specifies defaults for sections of the same type.
-For each parameter in it,
-any section of that type which does not have a parameter of the same name
-gets a copy of the one from the
-.B %default
-section.
-There may be multiple
-.B %default
-sections of a given type,
-but only one default may be supplied for any specific parameter name,
-and all
-.B %default
-sections of a given type must precede all non-\c
-.B %default
-sections of that type.
-.B %default
-sections may not contain the
-.B also
-parameter.
+specifies defaults for sections of the same type. All parameters in it, are
+inherited by all other sections of that type.
.PP
Currently there are three types of sections:
a
@@ -446,19 +434,20 @@ This may help to surmount restrictive firewalls. In order to force the peer to
encapsulate packets, NAT detection payloads are faked.
.TP
.BR fragmentation " = yes | force | " no
-whether to use IKE fragmentation (proprietary IKEv1 extension). Acceptable
-values are
+whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2
+fragmentation as per RFC 7383). Acceptable values are
.BR yes ,
.B force
and
.B no
-(the default). Fragmented messages sent by a peer are always accepted
+(the default). Fragmented IKE messages sent by a peer are always accepted
irrespective of the value of this option. If set to
.BR yes ,
and the peer supports it, larger IKE messages will be sent in fragments.
If set to
.B force
-the initial IKE message will already be fragmented if required.
+(only supported for IKEv1) the initial IKE message will already be fragmented
+if required.
.TP
.BR ike " = <cipher suites>"
comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
@@ -583,6 +572,7 @@ for pre-shared key authentication,
to (require the) use of the Extensible Authentication Protocol in IKEv2, and
.B xauth
for IKEv1 eXtended Authentication.
+
To require a trustchain public key strength for the remote side, specify the
key type followed by the minimum strength in bits (for example
.BR ecdsa-384
@@ -595,6 +585,20 @@ or a key strength definition (for example
.BR pubkey-sha1-sha256
or
.BR rsa-2048-ecdsa-256-sha256-sha384-sha512 ).
+Unless disabled in
+.BR strongswan.conf (5)
+such key types and hash algorithms are also applied as constraints against IKEv2
+signature authentication schemes used by the remote side.
+
+If both peers support RFC 7427 ("Signature Authentication in IKEv2") specific
+hash algorithms to be used during IKEv2 authentication may be configured.
+The syntax is the same as above. For example, with
+.B pubkey-sha384-sha256
+a public key signature scheme with either SHA-384 or SHA-256 would get used for
+authentication, in that order and depending on the hash algorithms supported by
+the peer. If no specific hash algorithms are configured, the default is to
+prefer an algorithm that matches or exceeds the strength of the signature key.
+
For
.BR eap ,
an optional EAP method can be appended. Currently defined methods are
@@ -613,7 +617,9 @@ Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
EAP methods are defined in the form
.B eap-type-vendor
.RB "(e.g. " eap-7-12345 ).
-For
+To specify signature and trust chain constraints for EAP-(T)TLS, append a colon
+to the EAP method, followed by the key type/size and hash algorithm as discussed
+above. For
.B xauth,
an XAuth authentication backend can be specified, such as
.B xauth-generic
@@ -750,11 +756,36 @@ defaults to
.B left
or the subject of the certificate configured with
.BR leftcert .
-Can be an IP address, a fully-qualified domain name, an email address, or
-a keyid. If
+If
.B leftcert
is configured the identity has to be confirmed by the certificate.
+Can be an IP address, a fully-qualified domain name, an email address or a
+Distinguished Name for which the ID type is determined automatically and the
+string is converted to the appropriate encoding. To enforce a specific identity
+type, a prefix may be used, followed by a colon (:). If the number sign (#)
+follows the colon, the remaining data is interpreted as hex encoding, otherwise
+the string is used as-is as the identification data. Note that this implies
+that no conversion is performed for non-string identities. For example,
+\fIipv4:10.0.0.1\fP does not create a valid ID_IPV4_ADDR IKE identity, as it
+does not get converted to binary 0x0a000001. Instead, one could use
+\fIipv4:#0a000001\fP to get a valid identity, but just using the implicit type
+with automatic conversion is usually simpler. The same applies to the ASN1
+encoded types. The following prefixes are known:
+.BR ipv4 ,
+.BR ipv6 ,
+.BR rfc822 ,
+.BR email ,
+.BR userfqdn ,
+.BR fqdn ,
+.BR dns ,
+.BR asn1dn ,
+.B asn1gn
+and
+.BR keyid .
+Custom type prefixes may be specified by surrounding the numerical type value by
+curly brackets.
+
For IKEv2 and
.B rightid
the prefix
@@ -828,13 +859,15 @@ an address of the given address family will be requested explicitly.
If an IP address is configured, it will be requested from the responder,
which is free to respond with a different address.
.TP
-.BR rightsourceip " = %config | <network>/<netmask> | %poolname"
+.BR rightsourceip " = %config | <network>/<netmask> | <from>-<to> | %poolname"
Comma separated list of internal source IPs to use in a tunnel for the remote
peer. If the value is
.B %config
on the responder side, the initiator must propose an address which is then
echoed back. Also supported are address pools expressed as
\fInetwork\fB/\fInetmask\fR
+and
+\fIfrom\fB-\fIto\fR
or the use of an external IP address pool using %\fIpoolname\fR,
where \fIpoolname\fR is the name of the IP address pool used for the lookup.
.TP
@@ -959,7 +992,9 @@ sets an XFRM mark in the inbound and outbound
IPsec SAs and policies. If the mask is missing then a default
mask of
.B 0xffffffff
-is assumed.
+is assumed. The special value
+.B %unique
+assigns a unique value to each newly created IPsec SA.
.TP
.BR mark_in " = <value>[/<mask>]"
sets an XFRM mark in the inbound IPsec SA and
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 811dc2919..d28783b4c 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -279,6 +279,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -339,10 +340,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -416,6 +419,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 8a782d80b..0643ea92a 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -15,6 +15,7 @@
#include <stdio.h>
#include <time.h>
+#include <assert.h>
#include <library.h>
#include <utils/debug.h>
#include <crypto/diffie_hellman.h>
@@ -88,16 +89,16 @@ static void run_test(diffie_hellman_group_t group, int rounds)
for (round = 0; round < rounds; round++)
{
- l[round]->get_my_public_value(l[round], &chunk);
- r->set_other_public_value(r, chunk);
+ assert(l[round]->get_my_public_value(l[round], &chunk));
+ assert(r->set_other_public_value(r, chunk));
chunk_free(&chunk);
}
- r->get_my_public_value(r, &chunk);
+ assert(r->get_my_public_value(r, &chunk));
start_timing(&timing);
for (round = 0; round < rounds; round++)
{
- l[round]->set_other_public_value(l[round], chunk);
+ assert(l[round]->set_other_public_value(l[round], chunk));
}
printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
chunk_free(&chunk);
@@ -143,4 +144,3 @@ int main(int argc, char *argv[])
}
return 0;
}
-
diff --git a/src/Makefile.am b/src/Makefile.am
index 38363d4f7..9608a3a13 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -69,7 +69,7 @@ if USE_STROKE
endif
if USE_UPDOWN
- SUBDIRS += _updown _updown_espmark
+ SUBDIRS += _updown
endif
if USE_SCEPCLIENT
diff --git a/src/Makefile.in b/src/Makefile.in
index 2dd046042..7596e7e55 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -94,7 +94,7 @@ host_triplet = @host@
@USE_SYSTEMD_TRUE@am__append_15 = charon-systemd
@USE_NM_TRUE@am__append_16 = charon-nm
@USE_STROKE_TRUE@am__append_17 = stroke
-@USE_UPDOWN_TRUE@am__append_18 = _updown _updown_espmark
+@USE_UPDOWN_TRUE@am__append_18 = _updown
@USE_SCEPCLIENT_TRUE@am__append_19 = scepclient
@USE_PKI_TRUE@am__append_20 = pki
@USE_SWANCTL_TRUE@am__append_21 = swanctl
@@ -187,9 +187,9 @@ CTAGS = ctags
DIST_SUBDIRS = . include libstrongswan libhydra libipsec libsimaka \
libtls libradius libtncif libtnccs libpttls libimcv libcharon \
starter ipsec _copyright charon charon-systemd charon-nm \
- stroke _updown _updown_espmark scepclient pki swanctl conftest \
- dumm libfast manager medsrv pool charon-tkm charon-cmd \
- charon-svc pt-tls-client checksum aikgen
+ stroke _updown scepclient pki swanctl conftest dumm libfast \
+ manager medsrv pool charon-tkm charon-cmd charon-svc \
+ pt-tls-client checksum aikgen
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -241,6 +241,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -301,10 +302,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,6 +381,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index a17bbcc1a..2a4838c9a 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -195,6 +195,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -255,10 +256,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -332,6 +335,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/_updown/Makefile.am b/src/_updown/Makefile.am
index b6a81f547..32fa0423a 100644
--- a/src/_updown/Makefile.am
+++ b/src/_updown/Makefile.am
@@ -1,6 +1,5 @@
ipsec_SCRIPTS = _updown
CLEANFILES = _updown
-dist_man8_MANS = _updown.8
EXTRA_DIST = _updown.in
_updown : _updown.in
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index a215a2548..fe31dff64 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -79,8 +79,7 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = src/_updown
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(dist_man8_MANS)
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -125,7 +124,7 @@ am__uninstall_files_from_dir = { \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
SCRIPTS = $(ipsec_SCRIPTS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -146,9 +145,6 @@ am__can_run_installinfo = \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man8_MANS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
@@ -176,6 +172,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -236,10 +233,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -313,6 +312,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -373,7 +374,6 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
ipsec_SCRIPTS = _updown
CLEANFILES = _updown
-dist_man8_MANS = _updown.8
EXTRA_DIST = _updown.in
all: all-am
@@ -449,47 +449,6 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-install-man8: $(dist_man8_MANS)
- @$(NORMAL_INSTALL)
- @list1='$(dist_man8_MANS)'; \
- list2=''; \
- test -n "$(man8dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.8[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
- done; }
-
-uninstall-man8:
- @$(NORMAL_UNINSTALL)
- @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
@@ -529,9 +488,9 @@ distdir: $(DISTFILES)
done
check-am: all-am
check: check-am
-all-am: Makefile $(SCRIPTS) $(MANS)
+all-am: Makefile $(SCRIPTS)
installdirs:
- for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
+ for dir in "$(DESTDIR)$(ipsecdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
@@ -585,7 +544,7 @@ info: info-am
info-am:
-install-data-am: install-ipsecSCRIPTS install-man
+install-data-am: install-ipsecSCRIPTS
install-dvi: install-dvi-am
@@ -601,7 +560,7 @@ install-info: install-info-am
install-info-am:
-install-man: install-man8
+install-man:
install-pdf: install-pdf-am
@@ -629,9 +588,7 @@ ps: ps-am
ps-am:
-uninstall-am: uninstall-ipsecSCRIPTS uninstall-man
-
-uninstall-man: uninstall-man8
+uninstall-am: uninstall-ipsecSCRIPTS
.MAKE: install-am install-strip
@@ -641,13 +598,12 @@ uninstall-man: uninstall-man8
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am \
- install-ipsecSCRIPTS install-man install-man8 install-pdf \
- install-pdf-am install-ps install-ps-am install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
+ install-ipsecSCRIPTS install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
- uninstall-am uninstall-ipsecSCRIPTS uninstall-man \
- uninstall-man8
+ uninstall-am uninstall-ipsecSCRIPTS
_updown : _updown.in
diff --git a/src/_updown/_updown.8 b/src/_updown/_updown.8
deleted file mode 100644
index 8c88e5fb8..000000000
--- a/src/_updown/_updown.8
+++ /dev/null
@@ -1,16 +0,0 @@
-.TH _UPDOWN 8 "27 Apr 2006"
-.SH NAME
-ipsec _updown \- route and firewall manipulation script
-.SH SYNOPSIS
-.I _updown
-is invoked by pluto when it has brought up a new connection. This script
-is used to insert the appropriate routing entries for IPsec operation.
-It can also be used to insert and delete dynamic iptables firewall rules.
-The interface to the script is documented in the pluto man page.
-.SH "SEE ALSO"
-ipsec(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux FreeS/WAN project <http://www.freeswan.org/>
-by Michael Richardson. Original program written by Henry Spencer. Extended
-for the Linux strongSwan project <http://www.strongswan.org/> by Andreas
-Steffen.
diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in
index 532bd2437..4090fe074 100644
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -128,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -142,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=@routing_table@
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=@routing_table_prio@
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -178,120 +166,9 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
# use protocol specific options to set ports
case "$PLUTO_MY_PROTOCOL" in
@@ -334,59 +211,7 @@ fi
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -567,16 +392,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/src/_updown_espmark/Makefile.am b/src/_updown_espmark/Makefile.am
deleted file mode 100644
index 456702690..000000000
--- a/src/_updown_espmark/Makefile.am
+++ /dev/null
@@ -1,2 +0,0 @@
-dist_ipsec_SCRIPTS = _updown_espmark
-dist_man8_MANS = _updown_espmark.8
diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark
deleted file mode 100644
index 864a91708..000000000
--- a/src/_updown_espmark/_updown_espmark
+++ /dev/null
@@ -1,438 +0,0 @@
-#! /bin/sh
-# iproute2 version, default updown script
-#
-# Copyright (C) 2003-2004 Nigel Meteringham
-# Copyright (C) 2003-2004 Tuomo Soini
-# Copyright (C) 2002-2004 Michael Richardson
-# Copyright (C) 2005 Andreas Steffen <andreas.steffen@strongsec.com>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-
-
-# CAUTION: Installing a new version of strongSwan will install a new
-# copy of this script, wiping out any custom changes you make. If
-# you need changes, make a copy of this under another name, and customize
-# that, and use the (left/right)updown parameters in ipsec.conf to make
-# FreeS/WAN use yours instead of this default one.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
-#
-# PLUTO_XAUTH_ID
-# is an optional user ID employed by the XAUTH protocol
-#
-# PLUTO_MARK_IN
-# is an optional XFRM mark set on the inbound IPsec SA
-#
-# PLUTO_MARK_OUT
-# is an optional XFRM mark set on the outbound IPsec SA
-#
-# PLUTO_UDP_ENC
-# contains the remote UDP port in the case of ESP_IN_UDP
-# encapsulation
-#
-
-# logging of VPN connections
-#
-# tag put in front of each log entry:
-TAG=vpn
-#
-# syslog facility and priority used:
-FAC_PRIO=local0.notice
-#
-# to create a special vpn logging file, put the following line into
-# the syslog configuration file /etc/syslog.conf:
-#
-# local0.notice -/var/log/vpn
-#
-
-# check interface version
-case "$PLUTO_VERSION" in
-1.[0]) # Older Pluto?!? Play it safe, script may be using new features.
- echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
- exit 2
- ;;
-1.*) ;;
-*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
- exit 2
- ;;
-esac
-
-# check parameter(s)
-case "$1:$*" in
-':') # no parameters
- ;;
-ipfwadm:ipfwadm) # due to (left/right)firewall; for default script only
- ;;
-custom:*) # custom parameters (see above CAUTION comment)
- ;;
-*) echo "$0: unknown parameters \`$*'" >&2
- exit 2
- ;;
-esac
-
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
- parms="$PLUTO_PEER_CLIENT"
-
- parms2=
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- parms3=
- if test "$1" = "add" -a -n "$PLUTO_MY_SOURCEIP"
- then
- addsource
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# define ESP mark
-ESP_MARK=50
-
-# add the following static rule to the INPUT chain in the mangle table
-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
-
-# NAT traversal via UDP encapsulation is supported with the rule
-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
-
-# in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- CHECK_MARK=""
-else
- CHECK_MARK="-m mark --mark $ESP_MARK"
-fi
-
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-# the big choice
-case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
-up-host:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- ;;
-down-host:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_ME $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
- fi
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $CHECK_MARK -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO \
- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
- -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
- -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
- -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
- $CHECK_MARK -j ACCEPT
- #
- if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
- then
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- else
- logger -t $TAG -p $FAC_PRIO -- \
- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
- fi
- ;;
-up-client:ipfwadm)
- # connection to client subnet, with (left/right)firewall=yes, coming up
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- ipfwadm -F -i accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
- -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
- ;;
-down-client:ipfwadm)
- # connection to client subnet, with (left/right)firewall=yes, going down
- # This is used only by the default updown script, not by your custom
- # ones, so do not mess with it; see CAUTION comment up at top.
- ipfwadm -F -d accept -b -S $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
- -D $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK
- ;;
-#
-# IPv6
-#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
-up-host-v6:*)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-host-v6:*)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client-v6:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-client-v6:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
diff --git a/src/_updown_espmark/_updown_espmark.8 b/src/_updown_espmark/_updown_espmark.8
deleted file mode 100644
index 34383cb8e..000000000
--- a/src/_updown_espmark/_updown_espmark.8
+++ /dev/null
@@ -1,15 +0,0 @@
-.TH _UPDOWN_ESPMARK 8 "7 Apr 2005"
-.SH NAME
-ipsec _updown_espmark \- manages routes and firewall rules
-.SH SYNOPSIS
-.I _updown_espmark
-is invoked by pluto when it has brought up a new connection. This script
-is used to insert the appropriate routing and iptables firewall entries for
-IPsec operation. The incoming ESP traffic must be marked by a static rule
-in the mangle table. The default value for the mark is 50.
-The interface to the script is documented in the pluto man page.
-.SH "SEE ALSO"
-ipsec(8), ipsec_pluto(8).
-.SH HISTORY
-Man page written for the Linux strongSwan project <http://www.strongswan.org/>
-by Andreas Steffen. Original program written by Henry Spencer.
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 2bd5be64b..33ed13397 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -198,6 +198,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -258,10 +259,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -335,6 +338,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index 9f67eec1f..64dea34c7 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 69cbfe07e..82f6fbcb2 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -203,6 +203,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -263,10 +264,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -340,6 +343,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/charon-nm/nm/nm_backend.c b/src/charon-nm/nm/nm_backend.c
index 613c2f6b5..601daca0a 100644
--- a/src/charon-nm/nm/nm_backend.c
+++ b/src/charon-nm/nm/nm_backend.c
@@ -18,7 +18,6 @@
#include "nm_creds.h"
#include "nm_handler.h"
-#include <hydra.h>
#include <daemon.h>
#include <processing/jobs/callback_job.h>
@@ -97,7 +96,8 @@ static void nm_backend_deinit()
g_object_unref(this->plugin);
}
lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
- hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
this->creds->destroy(this->creds);
this->handler->destroy(this->handler);
free(this);
@@ -130,7 +130,7 @@ static bool nm_backend_init()
this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
nm_backend = this;
- hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+ charon->attributes->add_handler(charon->attributes, &this->handler->handler);
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
if (!this->plugin)
{
diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
index 28aa04b31..bdc0667cf 100644
--- a/src/charon-nm/nm/nm_handler.c
+++ b/src/charon-nm/nm/nm_handler.c
@@ -41,7 +41,7 @@ struct private_nm_handler_t {
};
METHOD(attribute_handler_t, handle, bool,
- private_nm_handler_t *this, identification_t *server,
+ private_nm_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
linked_list_t *list;
@@ -92,7 +92,7 @@ static bool enumerate_dns(enumerator_t *this,
}
METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
- private_nm_handler_t *this, identification_t *server, linked_list_t *vips)
+ private_nm_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips)
{
if (vips->get_count(vips))
{
@@ -185,4 +185,3 @@ nm_handler_t *nm_handler_create()
return &this->public;
}
-
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index 3783ac9f0..1c0a4058d 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -197,6 +197,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -257,10 +258,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -334,6 +337,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
index 790c8ef8f..d6e1c471c 100644
--- a/src/charon-systemd/Makefile.in
+++ b/src/charon-systemd/Makefile.in
@@ -200,6 +200,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -260,10 +261,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -337,6 +340,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index 4a2136fc9..e391a5397 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -40,6 +40,17 @@
#include <threading/rwlock.h>
/**
+ * Default user and group
+ */
+#ifndef IPSEC_USER
+#define IPSEC_USER NULL
+#endif
+
+#ifndef IPSEC_GROUP
+#define IPSEC_GROUP NULL
+#endif
+
+/**
* hook in library for debugging messages
*/
extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
@@ -268,18 +279,20 @@ static int run()
*/
static bool lookup_uid_gid()
{
-#ifdef IPSEC_USER
- if (!lib->caps->resolve_uid(lib->caps, IPSEC_USER))
+ char *name;
+
+ name = lib->settings->get_str(lib->settings, "%s.user", IPSEC_USER,
+ lib->ns);
+ if (name && !lib->caps->resolve_uid(lib->caps, name))
{
return FALSE;
}
-#endif /* IPSEC_USER */
-#ifdef IPSEC_GROUP
- if (!lib->caps->resolve_gid(lib->caps, IPSEC_GROUP))
+ name = lib->settings->get_str(lib->settings, "%s.group", IPSEC_GROUP,
+ lib->ns);
+ if (name && !lib->caps->resolve_gid(lib->caps, name))
{
return FALSE;
}
-#endif /* IPSEC_GROUP */
return TRUE;
}
@@ -365,7 +378,8 @@ int main(int argc, char *argv[])
lib->plugins->add_static_features(lib->plugins, lib->ns, features,
countof(features), TRUE, journal_reload, &journal);
- if (!charon->initialize(charon, PLUGINS))
+ if (!charon->initialize(charon,
+ lib->settings->get_str(lib->settings, "%s.load", PLUGINS, lib->ns)))
{
sd_notifyf(0, "STATUS=charon initialization failed");
return SS_RC_INITIALIZATION_FAILED;
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index fe6606bc5..bff198ab8 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index a6770fc50..7c60f0ca8 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -276,6 +276,10 @@ int main(int argc, char *argv[])
goto deinit;
}
+ /* the authorize hook currently does not support RFC 7427 signature auth */
+ lib->settings->set_bool(lib->settings, "%s.signature_authentication", FALSE,
+ dmn_name);
+
/* make sure we log to the DAEMON facility by default */
lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
diff --git a/src/charon-tkm/src/ees/ees_callbacks.c b/src/charon-tkm/src/ees/ees_callbacks.c
index 2d9653837..74c0d3618 100644
--- a/src/charon-tkm/src/ees/ees_callbacks.c
+++ b/src/charon-tkm/src/ees/ees_callbacks.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -19,11 +19,12 @@
#include <tkm/constants.h>
#include <tkm/types.h>
+#include "tkm.h"
#include "ees_callbacks.h"
void charon_esa_acquire(result_type *res, const sp_id_type sp_id)
{
- DBG1(DBG_KNL, "ees: acquire received for reqid {%d}", sp_id);
+ DBG1(DBG_KNL, "ees: acquire received for reqid %u", sp_id);
hydra->kernel_interface->acquire(hydra->kernel_interface, sp_id, NULL,
NULL);
*res = TKM_OK;
@@ -33,8 +34,19 @@ void charon_esa_expire(result_type *res, const sp_id_type sp_id,
const esp_spi_type spi_rem, const protocol_type protocol,
const expiry_flag_type hard)
{
- DBG1(DBG_KNL, "ees: expire received for reqid {%d}", sp_id);
- hydra->kernel_interface->expire(hydra->kernel_interface, sp_id, protocol,
- spi_rem, hard != 0);
+ host_t *dst;
+
+ dst = tkm->sad->get_dst_host(tkm->sad, sp_id, spi_rem, protocol);
*res = TKM_OK;
+ if (dst == NULL)
+ {
+ DBG3(DBG_KNL, "ees: destination host not found for reqid %u, spi %x, "
+ "proto %u", sp_id, ntohl(spi_rem), protocol);
+ return;
+ }
+
+ DBG1(DBG_KNL, "ees: expire received for reqid %u, spi %x, dst %H", sp_id,
+ ntohl(spi_rem), dst);
+ hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+ spi_rem, dst, hard != 0);
}
diff --git a/src/charon-tkm/src/tkm/tkm.c b/src/charon-tkm/src/tkm/tkm.c
index 61eb6056c..333b699a0 100644
--- a/src/charon-tkm/src/tkm/tkm.c
+++ b/src/charon-tkm/src/tkm/tkm.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -95,6 +95,7 @@ bool tkm_init()
.public = {
.idmgr = tkm_id_manager_create(limits),
.chunk_map = tkm_chunk_map_create(),
+ .sad = tkm_kernel_sad_create(),
},
);
tkm = &this->public;
@@ -114,6 +115,7 @@ void tkm_deinit()
private_tkm_t *this = (private_tkm_t*)tkm;
this->public.idmgr->destroy(this->public.idmgr);
this->public.chunk_map->destroy(this->public.chunk_map);
+ this->public.sad->destroy(this->public.sad);
ees_server_finalize();
diff --git a/src/charon-tkm/src/tkm/tkm.h b/src/charon-tkm/src/tkm/tkm.h
index fb5acd117..4aed08602 100644
--- a/src/charon-tkm/src/tkm/tkm.h
+++ b/src/charon-tkm/src/tkm/tkm.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -72,6 +72,7 @@
#include "tkm_id_manager.h"
#include "tkm_chunk_map.h"
+#include "tkm_kernel_sad.h"
typedef struct tkm_t tkm_t;
@@ -90,6 +91,11 @@ struct tkm_t {
*/
tkm_chunk_map_t *chunk_map;
+ /**
+ * CHILD/ESP SA database.
+ */
+ tkm_kernel_sad_t *sad;
+
};
/**
diff --git a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
index 67db5e6d8..c4953b6aa 100644
--- a/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
+++ b/src/charon-tkm/src/tkm/tkm_diffie_hellman.c
@@ -41,7 +41,7 @@ struct private_tkm_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* Diffie Hellman public value.
@@ -55,30 +55,29 @@ struct private_tkm_diffie_hellman_t {
};
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
private_tkm_diffie_hellman_t *this, chunk_t *value)
{
sequence_to_chunk(this->pubvalue.data, this->pubvalue.size, value);
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_tkm_diffie_hellman_t *this, chunk_t *secret)
{
*secret = chunk_empty;
- return SUCCESS;
+ return TRUE;
}
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
private_tkm_diffie_hellman_t *this, chunk_t value)
{
- // TODO: unvoid this function
-
dh_pubvalue_type othervalue;
othervalue.size = value.len;
memcpy(&othervalue.data, value.ptr, value.len);
- ike_dh_generate_key(this->context_id, othervalue);
+ return ike_dh_generate_key(this->context_id, othervalue) == TKM_OK;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/charon-tkm/src/tkm/tkm_encoder.c~ b/src/charon-tkm/src/tkm/tkm_encoder.c~
new file mode 100644
index 000000000..145615f14
--- /dev/null
+++ b/src/charon-tkm/src/tkm/tkm_encoder.c~
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2013 Reto Buerki
+ * Copyright (C) 2013 Adrian-Ken Rueegsegger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <utils/debug.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#include "tkm_encoder.h"
+
+/**
+ * Build the SHA1 hash of pubkey(info) ASN.1 data.
+ */
+static bool hash_pubkey(chunk_t pubkey, chunk_t *hash)
+{
+ hasher_t *hasher;
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher || !hasher->allocate_hash(hasher, pubkey, hash))
+ {
+ DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+ "fingerprinting failed");
+ DESTROY_IF(hasher);
+ chunk_free(&pubkey);
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+ chunk_free(&pubkey);
+ return TRUE;
+}
+
+/**
+ * Encode the public key blob into subjectPublicKeyInfo.
+ */
+static bool build_pub_info(chunk_t *encoding, va_list args)
+{
+ chunk_t blob;
+
+ if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+ CRED_PART_END))
+ {
+ *encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("c", blob, 0));
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKeyInfo object.
+ */
+static bool build_info_sha1(chunk_t *encoding, va_list args)
+{
+ chunk_t pubkey;
+
+ if (build_pub_info(&pubkey, args))
+ {
+ return hash_pubkey(pubkey, encoding);
+ }
+ return FALSE;
+}
+
+/**
+ * Build the fingerprint of the subjectPublicKey object.
+ */
+static bool build_sha1(chunk_t *encoding, va_list args)
+{
+ chunk_t blob;
+
+ if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, &blob,
+ CRED_PART_END))
+ {
+ return hash_pubkey(chunk_clone(blob), encoding);
+ }
+ return FALSE;
+}
+
+/**
+ * See header.
+ */
+bool tkm_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
+ va_list args)
+{
+ switch (type)
+ {
+ case KEYID_PUBKEY_INFO_SHA1:
+ return build_info_sha1(encoding, args);
+ case KEYID_PUBKEY_SHA1:
+ return build_sha1(encoding, args);
+ default:
+ return FALSE;
+ }
+}
diff --git a/src/charon-tkm/src/tkm/tkm_id_manager.c b/src/charon-tkm/src/tkm/tkm_id_manager.c
index 0fadf1acf..e6d571b83 100644
--- a/src/charon-tkm/src/tkm/tkm_id_manager.c
+++ b/src/charon-tkm/src/tkm/tkm_id_manager.c
@@ -24,7 +24,7 @@
ENUM_BEGIN(tkm_context_kind_names, TKM_CTX_NONCE, TKM_CTX_ESA,
"NONCE_CONTEXT",
"DH_CONTEXT",
- "CC_CONTEXT"
+ "CC_CONTEXT",
"ISA_CONTEXT",
"AE_CONTEXT",
"ESA_CONTEXT");
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
index dbeea93f2..734b1ec55 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_ipsec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -26,7 +26,6 @@
#include "tkm_utils.h"
#include "tkm_types.h"
#include "tkm_keymat.h"
-#include "tkm_kernel_sad.h"
#include "tkm_kernel_ipsec.h"
/** From linux/in.h */
@@ -51,16 +50,11 @@ struct private_tkm_kernel_ipsec_t {
*/
rng_t *rng;
- /**
- * CHILD/ESP SA database.
- */
- tkm_kernel_sad_t *sad;
-
};
METHOD(kernel_ipsec_t, get_spi, status_t,
private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t *spi)
{
bool result;
@@ -74,7 +68,6 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
}
}
- DBG1(DBG_KNL, "getting SPI for reqid {%u}", reqid);
result = this->rng->get_bytes(this->rng, sizeof(u_int32_t),
(u_int8_t *)spi);
return result ? SUCCESS : FAILED;
@@ -82,7 +75,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_tkm_kernel_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+ u_int16_t *cpi)
{
return NOT_SUPPORTED;
}
@@ -93,11 +86,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool _initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t* src_ts, linked_list_t* dst_ts)
{
esa_info_t esa;
- bool initiator;
esp_spi_type spi_loc, spi_rem;
host_t *local, *peer;
chunk_t *nonce_loc, *nonce_rem;
@@ -120,9 +112,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
return SUCCESS;
}
- /* Initiator if encr_r is passed as enc_key to the inbound add_sa call */
- /* TODO: does the new _initiator parameter have the same meaning? */
- initiator = esa.is_encr_r && inbound;
if (initiator)
{
spi_loc = spi;
@@ -143,7 +132,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
}
esa_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ESA);
- if (!this->sad->insert(this->sad, esa_id, peer, local, spi_loc, protocol))
+ if (!tkm->sad->insert(tkm->sad, reqid, esa_id, local, peer, spi_rem,
+ protocol))
{
DBG1(DBG_KNL, "unable to add entry (%llu) to SAD", esa_id);
goto sad_failure;
@@ -207,7 +197,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
return SUCCESS;
failure:
- this->sad->remove(this->sad, esa_id);
+ tkm->sad->remove(tkm->sad, esa_id);
sad_failure:
tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
chunk_free(&esa.nonce_i);
@@ -229,7 +219,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
{
esa_id_type esa_id;
- esa_id = this->sad->get_esa_id(this->sad, src, dst, spi, protocol);
+ esa_id = tkm->sad->get_esa_id(tkm->sad, src, dst, spi, protocol);
if (esa_id)
{
DBG1(DBG_KNL, "deleting child SA (esa: %llu, spi: %x)", esa_id,
@@ -239,7 +229,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t,
DBG1(DBG_KNL, "child SA (%llu) deletion failed", esa_id);
return FAILED;
}
- this->sad->remove(this->sad, esa_id);
+ tkm->sad->remove(tkm->sad, esa_id);
tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ESA, esa_id);
}
return SUCCESS;
@@ -350,7 +340,6 @@ METHOD(kernel_ipsec_t, destroy, void,
private_tkm_kernel_ipsec_t *this)
{
DESTROY_IF(this->rng);
- DESTROY_IF(this->sad);
free(this);
}
@@ -380,15 +369,7 @@ tkm_kernel_ipsec_t *tkm_kernel_ipsec_create()
.destroy = _destroy,
},
},
- .sad = tkm_kernel_sad_create(),
);
- if (!this->sad)
- {
- DBG1(DBG_KNL, "unable to create SAD");
- destroy(this);
- return NULL;
- }
-
return &this->public;
}
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.c b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
index 360a47bdc..3394b58af 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.c
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -57,6 +57,11 @@ struct sad_entry_t {
esa_id_type esa_id;
/**
+ * Reqid.
+ */
+ u_int32_t reqid;
+
+ /**
* Source address of CHILD SA.
*/
host_t *src;
@@ -109,6 +114,19 @@ static bool sad_entry_match(sad_entry_t * const entry, const host_t * const src,
}
/**
+ * Find a list entry with given reqid, spi and proto values.
+ */
+static bool sad_entry_match_dst(sad_entry_t * const entry,
+ const u_int32_t * const reqid,
+ const u_int32_t * const spi,
+ const u_int8_t * const proto)
+{
+ return entry->reqid == *reqid &&
+ entry->spi == *spi &&
+ entry->proto == *proto;
+}
+
+/**
* Compare two SAD entries for equality.
*/
static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
@@ -119,6 +137,7 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
return FALSE;
}
return left->esa_id == right->esa_id &&
+ left->reqid == right->reqid &&
left->src->ip_equals(left->src, right->src) &&
left->dst->ip_equals(left->dst, right->dst) &&
left->spi == right->spi && left->proto == right->proto;
@@ -126,14 +145,15 @@ static bool sad_entry_equal(sad_entry_t * const left, sad_entry_t * const right)
METHOD(tkm_kernel_sad_t, insert, bool,
private_tkm_kernel_sad_t * const this, const esa_id_type esa_id,
- const host_t * const src, const host_t * const dst, const u_int32_t spi,
- const u_int8_t proto)
+ const u_int32_t reqid, const host_t * const src, const host_t * const dst,
+ const u_int32_t spi, const u_int8_t proto)
{
status_t result;
sad_entry_t *new_entry;
INIT(new_entry,
.esa_id = esa_id,
+ .reqid = reqid,
.src = (host_t *)src,
.dst = (host_t *)dst,
.spi = spi,
@@ -146,8 +166,9 @@ METHOD(tkm_kernel_sad_t, insert, bool,
new_entry);
if (result == NOT_FOUND)
{
- DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, src: %H, dst: %H, "
- "spi: %x, proto: %u)", esa_id, src, dst, ntohl(spi), proto);
+ DBG3(DBG_KNL, "inserting SAD entry (esa: %llu, reqid: %u, src: %H, "
+ "dst: %H, spi: %x, proto: %u)", esa_id, reqid, src, dst,
+ ntohl(spi), proto);
new_entry->src = src->clone((host_t *)src);
new_entry->dst = dst->clone((host_t *)dst);
this->data->insert_last(this->data, new_entry);
@@ -176,18 +197,44 @@ METHOD(tkm_kernel_sad_t, get_esa_id, esa_id_type,
if (res == SUCCESS && entry)
{
id = entry->esa_id;
- DBG3(DBG_KNL, "getting ESA id of SAD entry (esa: %llu, src: %H, "
- "dst: %H, spi: %x, proto: %u)", id, src, dst, ntohl(spi),
- proto);
+ DBG3(DBG_KNL, "returning ESA id %llu of SAD entry (src: %H, dst: %H, "
+ "spi: %x, proto: %u)", id, src, dst, ntohl(spi), proto);
}
else
{
- DBG3(DBG_KNL, "no SAD entry found");
+ DBG3(DBG_KNL, "no SAD entry found for src %H, dst %H, spi %x, proto %u",
+ src, dst, ntohl(spi), proto);
}
this->mutex->unlock(this->mutex);
return id;
}
+METHOD(tkm_kernel_sad_t, get_dst_host, host_t *,
+ private_tkm_kernel_sad_t * const this, const u_int32_t reqid,
+ const u_int32_t spi, const u_int8_t proto)
+{
+ host_t *dst = NULL;
+ sad_entry_t *entry = NULL;
+
+ this->mutex->lock(this->mutex);
+ const status_t res = this->data->find_first(this->data,
+ (linked_list_match_t)sad_entry_match_dst,
+ (void**)&entry, &reqid, &spi, &proto);
+ if (res == SUCCESS && entry)
+ {
+ dst = entry->dst;
+ DBG3(DBG_KNL, "returning destination host %H of SAD entry (reqid: %u,"
+ " spi: %x, proto: %u)", dst, reqid, ntohl(spi), proto);
+ }
+ else
+ {
+ DBG3(DBG_KNL, "no SAD entry found for reqid %u, spi %x, proto: %u",
+ reqid, ntohl(spi), proto);
+ }
+ this->mutex->unlock(this->mutex);
+ return dst;
+}
+
METHOD(tkm_kernel_sad_t, _remove, bool,
private_tkm_kernel_sad_t * const this, const esa_id_type esa_id)
{
@@ -242,6 +289,7 @@ tkm_kernel_sad_t *tkm_kernel_sad_create()
.public = {
.insert = _insert,
.get_esa_id = _get_esa_id,
+ .get_dst_host = _get_dst_host,
.remove = __remove,
.destroy = _destroy,
},
diff --git a/src/charon-tkm/src/tkm/tkm_kernel_sad.h b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
index 0194cd3bc..38b19dd01 100644
--- a/src/charon-tkm/src/tkm/tkm_kernel_sad.h
+++ b/src/charon-tkm/src/tkm/tkm_kernel_sad.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -37,6 +37,7 @@ struct tkm_kernel_sad_t {
* Insert new SAD entry with specified parameters.
*
* @param esa_id ESP SA context identifier
+ * @param reqid reqid of the SA
* @param src source address of CHILD SA
* @param dst destination address of CHILD SA
* @param spi SPI of CHILD SA
@@ -44,8 +45,9 @@ struct tkm_kernel_sad_t {
* @return TRUE if entry was inserted, FALSE otherwise
*/
bool (*insert)(tkm_kernel_sad_t * const this, const esa_id_type esa_id,
- const host_t * const src, const host_t * const dst,
- const u_int32_t spi, const u_int8_t proto);
+ const u_int32_t reqid, const host_t * const src,
+ const host_t * const dst, const u_int32_t spi,
+ const u_int8_t proto);
/**
* Get ESA id for entry with given parameters.
@@ -61,6 +63,17 @@ struct tkm_kernel_sad_t {
const u_int32_t spi, const u_int8_t proto);
/**
+ * Get destination host for entry with given parameters.
+ *
+ * @param reqid reqid of CHILD SA
+ * @param spi SPI of CHILD SA
+ * @param proto protocol of CHILD SA (ESP/AH)
+ * @return destination host of entry if found, NULL otherwise
+ */
+ host_t * (*get_dst_host)(tkm_kernel_sad_t * const this,
+ const u_int32_t reqid, const u_int32_t spi, const u_int8_t proto);
+
+ /**
* Remove entry with given ESA id from SAD.
*
* @param esa_id ESA identifier of entry to remove
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 772fac8b0..80721fafe 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyrigth (C) 2012 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
@@ -17,6 +18,7 @@
#include <daemon.h>
#include <tkm/constants.h>
#include <tkm/client.h>
+#include <crypto/hashers/hash_algorithm_set.h>
#include "tkm.h"
#include "tkm_types.h"
@@ -71,6 +73,10 @@ struct private_tkm_keymat_t {
*/
chunk_t other_init_msg;
+ /**
+ * Set of hash algorithms supported by peer for signature authentication
+ */
+ hash_algorithm_set_t *hash_algorithms;
};
/**
@@ -417,6 +423,26 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
return FALSE;
}
+METHOD(keymat_v2_t, hash_algorithm_supported, bool,
+ private_tkm_keymat_t *this, hash_algorithm_t hash)
+{
+ if (!this->hash_algorithms)
+ {
+ return FALSE;
+ }
+ return this->hash_algorithms->contains(this->hash_algorithms, hash);
+}
+
+METHOD(keymat_v2_t, add_hash_algorithm, void,
+ private_tkm_keymat_t *this, hash_algorithm_t hash)
+{
+ if (!this->hash_algorithms)
+ {
+ this->hash_algorithms = hash_algorithm_set_create();
+ }
+ this->hash_algorithms->add(this->hash_algorithms, hash);
+}
+
METHOD(keymat_t, destroy, void,
private_tkm_keymat_t *this)
{
@@ -435,6 +461,7 @@ METHOD(keymat_t, destroy, void,
tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id);
}
+ DESTROY_IF(this->hash_algorithms);
DESTROY_IF(this->aead_in);
DESTROY_IF(this->aead_out);
chunk_free(&this->auth_payload);
@@ -488,6 +515,8 @@ tkm_keymat_t *tkm_keymat_create(bool initiator)
.get_skd = _get_skd,
.get_auth_octets = _get_auth_octets,
.get_psk_sig = _get_psk_sig,
+ .add_hash_algorithm = _add_hash_algorithm,
+ .hash_algorithm_supported = _hash_algorithm_supported,
},
.get_isa_id = _get_isa_id,
.set_auth_payload = _set_auth_payload,
diff --git a/src/charon-tkm/src/tkm/tkm_listener.c b/src/charon-tkm/src/tkm/tkm_listener.c
index b2692a586..bb1218266 100644
--- a/src/charon-tkm/src/tkm/tkm_listener.c
+++ b/src/charon-tkm/src/tkm/tkm_listener.c
@@ -240,6 +240,8 @@ METHOD(listener_t, authorize, bool,
return TRUE;
}
+ *success = FALSE;
+
keymat = (tkm_keymat_t*)ike_sa->get_keymat(ike_sa);
isa_id = keymat->get_isa_id(keymat);
DBG1(DBG_IKE, "TKM authorize listener called for ISA context %llu", isa_id);
@@ -248,28 +250,26 @@ METHOD(listener_t, authorize, bool,
if (!cc_id)
{
DBG1(DBG_IKE, "unable to acquire CC context id");
- *success = FALSE;
return TRUE;
}
if (!build_cert_chain(ike_sa, cc_id))
{
DBG1(DBG_IKE, "unable to build certificate chain");
- *success = FALSE;
- return TRUE;
+ goto cc_reset;
}
auth = keymat->get_auth_payload(keymat);
if (!auth->ptr)
{
DBG1(DBG_IKE, "no AUTHENTICATION data available");
- *success = FALSE;
+ goto cc_reset;
}
other_init_msg = keymat->get_peer_init_msg(keymat);
if (!other_init_msg->ptr)
{
DBG1(DBG_IKE, "no peer init message available");
- *success = FALSE;
+ goto cc_reset;
}
chunk_to_sequence(auth, &signature, sizeof(signature_type));
@@ -279,7 +279,7 @@ METHOD(listener_t, authorize, bool,
{
DBG1(DBG_IKE, "TKM based authentication failed"
" for ISA context %llu", isa_id);
- *success = FALSE;
+ goto cc_reset;
}
else
{
@@ -288,7 +288,13 @@ METHOD(listener_t, authorize, bool,
*success = TRUE;
}
- return TRUE;
+cc_reset:
+ if (ike_cc_reset(cc_id) != TKM_OK)
+ {
+ DBG1(DBG_IKE, "unable to reset CC context %llu", cc_id);
+ }
+ tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_CC, cc_id);
+ return TRUE; /* stay registered */
}
METHOD(listener_t, message, bool,
diff --git a/src/charon-tkm/tests/diffie_hellman_tests.c b/src/charon-tkm/tests/diffie_hellman_tests.c
index 89658a770..5ef6f41ab 100644
--- a/src/charon-tkm/tests/diffie_hellman_tests.c
+++ b/src/charon-tkm/tests/diffie_hellman_tests.c
@@ -40,7 +40,7 @@ START_TEST(test_dh_get_my_pubvalue)
fail_if(!dh, "Unable to create DH");
chunk_t value;
- dh->dh.get_my_public_value(&dh->dh, &value);
+ ck_assert(dh->dh.get_my_public_value(&dh->dh, &value));
dh->dh.destroy(&dh->dh);
fail_if(value.ptr == NULL, "Pubvalue is NULL");
diff --git a/src/charon-tkm/tests/kernel_sad_tests.c b/src/charon-tkm/tests/kernel_sad_tests.c
index 6f0b396d3..b9ab3cb5e 100644
--- a/src/charon-tkm/tests/kernel_sad_tests.c
+++ b/src/charon-tkm/tests/kernel_sad_tests.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -34,7 +34,7 @@ START_TEST(test_insert)
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
"Error inserting SAD entry");
sad->destroy(sad);
@@ -47,9 +47,9 @@ START_TEST(test_insert_duplicate)
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 1, 2, addr, addr, 42, 50),
"Error inserting SAD entry");
- fail_if(sad->insert(sad, 1, addr, addr, 42, 50),
+ fail_if(sad->insert(sad, 1, 2, addr, addr, 42, 50),
"Expected error inserting duplicate entry");
sad->destroy(sad);
@@ -61,7 +61,7 @@ START_TEST(test_get_esa_id)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
"Error inserting SAD entry");
fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
"Error getting esa id");
@@ -81,11 +81,34 @@ START_TEST(test_get_esa_id_nonexistent)
}
END_TEST
+START_TEST(test_get_dst_host)
+{
+ host_t *addr = host_create_from_string("127.0.0.1", 1024);
+ tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
+ "Error inserting SAD entry");
+
+ host_t *dst = sad->get_dst_host(sad, 54, 42, 50);
+ fail_unless(addr->equals(addr, dst), "Error getting dst host");
+ sad->destroy(sad);
+ addr->destroy(addr);
+}
+END_TEST
+
+START_TEST(test_get_dst_host_nonexistent)
+{
+ tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
+ fail_unless(sad->get_dst_host(sad, 1, 12, 50) == NULL,
+ "Got dst for nonexistent SAD entry");
+ sad->destroy(sad);
+}
+END_TEST
+
START_TEST(test_remove)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
- fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
+ fail_unless(sad->insert(sad, 23, 54, addr, addr, 42, 50),
"Error inserting SAD entry");
fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
"Error getting esa id");
@@ -128,6 +151,11 @@ Suite *make_kernel_sad_tests()
tcase_add_test(tc, test_get_esa_id_nonexistent);
suite_add_tcase(s, tc);
+ tc = tcase_create("get_dst_host");
+ tcase_add_test(tc, test_get_dst_host);
+ tcase_add_test(tc, test_get_dst_host_nonexistent);
+ suite_add_tcase(s, tc);
+
tc = tcase_create("remove");
tcase_add_test(tc, test_remove);
tcase_add_test(tc, test_remove_nonexistent);
diff --git a/src/charon-tkm/tests/keymat_tests.c b/src/charon-tkm/tests/keymat_tests.c
index 1982671d3..889965a78 100644
--- a/src/charon-tkm/tests/keymat_tests.c
+++ b/src/charon-tkm/tests/keymat_tests.c
@@ -53,8 +53,8 @@ START_TEST(test_derive_ike_keys)
/* Use the same pubvalue for both sides */
chunk_t pubvalue;
- dh->dh.get_my_public_value(&dh->dh, &pubvalue);
- dh->dh.set_other_public_value(&dh->dh, pubvalue);
+ ck_assert(dh->dh.get_my_public_value(&dh->dh, &pubvalue));
+ ck_assert(dh->dh.set_other_public_value(&dh->dh, pubvalue));
fail_unless(keymat->keymat_v2.derive_ike_keys(&keymat->keymat_v2, proposal,
&dh->dh, nonce, nonce, ike_sa_id, PRF_UNDEFINED, chunk_empty),
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index 80894a133..669f4d500 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2013 Tobias Brunner
- * Copyright (C) 2012 Reto Buerki
+ * Copyright (C) 2012-2014 Reto Buerki
* Copyright (C) 2012 Adrian-Ken Rueegsegger
* Hochschule fuer Technik Rapperswil
*
@@ -53,7 +53,7 @@ static bool test_runner_init(bool init)
libhydra_init();
libcharon_init();
lib->settings->set_int(lib->settings,
- "test_runner.filelog.stdout.default", 0);
+ "test-runner.filelog.stdout.default", 0);
charon->load_loggers(charon, NULL, FALSE);
/* Register TKM specific plugins */
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f4dcf4fb0..e1cc5c202 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -199,6 +199,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -259,10 +260,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -336,6 +339,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 86e7ca6dd..4e4134625 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -266,6 +266,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -326,10 +327,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -403,6 +406,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index e3c2e4335..78438d8f5 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -213,6 +213,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -273,10 +274,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -350,6 +353,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/conftest/actions.c b/src/conftest/actions.c
index 7532e95cf..474672ca1 100644
--- a/src/conftest/actions.c
+++ b/src/conftest/actions.c
@@ -117,19 +117,20 @@ static job_requeue_t rekey_child(char *config)
enumerator_t *enumerator, *children;
ike_sa_t *ike_sa;
child_sa_t *child_sa;
- u_int32_t reqid = 0, spi = 0;
- protocol_id_t proto = PROTO_ESP;
+ u_int32_t spi, proto;
+ host_t *dst = NULL;
enumerator = charon->controller->create_ike_sa_enumerator(
charon->controller, TRUE);
while (enumerator->enumerate(enumerator, &ike_sa))
{
children = ike_sa->create_child_sa_enumerator(ike_sa);
- while (children->enumerate(children, (void**)&child_sa))
+ while (children->enumerate(children, &child_sa))
{
if (streq(config, child_sa->get_name(child_sa)))
{
- reqid = child_sa->get_reqid(child_sa);
+ dst = ike_sa->get_my_host(ike_sa);
+ dst = dst->clone(dst);
proto = child_sa->get_protocol(child_sa);
spi = child_sa->get_spi(child_sa, TRUE);
break;
@@ -138,11 +139,12 @@ static job_requeue_t rekey_child(char *config)
children->destroy(children);
}
enumerator->destroy(enumerator);
- if (reqid)
+ if (dst)
{
DBG1(DBG_CFG, "starting rekey of CHILD_SA '%s'", config);
lib->processor->queue_job(lib->processor,
- (job_t*)rekey_child_sa_job_create(reqid, proto, spi));
+ (job_t*)rekey_child_sa_job_create(proto, spi, dst));
+ dst->destroy(dst);
}
else
{
@@ -236,7 +238,7 @@ static job_requeue_t close_child(char *config)
{
if (streq(config, child_sa->get_name(child_sa)))
{
- id = child_sa->get_reqid(child_sa);
+ id = child_sa->get_unique_id(child_sa);
break;
}
}
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 56ac3447f..2ecf61194 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -234,6 +234,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -294,10 +295,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -371,6 +374,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/dumm/ext/dumm.c b/src/dumm/ext/dumm.c
index d791c089d..df7ec4703 100644
--- a/src/dumm/ext/dumm.c
+++ b/src/dumm/ext/dumm.c
@@ -629,7 +629,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
linked_list_t *list;
iface_t *iface;
host_t *addr;
- char buf[64];
+ char buf[64], *fmt = "%H";
if (!rb_block_given_p())
{
@@ -645,7 +645,7 @@ static VALUE iface_each_addr(int argc, VALUE *argv, VALUE self)
enumerator->destroy(enumerator);
while (list->remove_first(list, (void**)&addr) == SUCCESS)
{
- snprintf(buf, sizeof(buf), "%H", addr);
+ snprintf(buf, sizeof(buf), fmt, addr);
addr->destroy(addr);
rb_yield(rb_str_new2(buf));
}
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 042c46cab..64be6ac4f 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 526c7c46e..d4dafcb0c 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -176,6 +176,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -236,10 +237,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -313,6 +316,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 9ba9bd842..d2d0c2edd 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.2.1" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.3.0" "strongSwan"
.
.SH NAME
.
@@ -210,15 +210,18 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
.
.TP
.B "rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
+removes previously loaded CA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
+of Certification Authority (CA) certificates. This does not affect certificates
+explicitly defined in a
+.BR ipsec.conf (5)
+ca section, which may be separately updated using the \fBupdate\fP command.
.
.TP
.B "rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
+removes previously loaded AA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
+of Authorization Authority (AA) certificates.
.
.TP
.B "rereadocspcerts"
diff --git a/src/ipsec/_ipsec.8.in b/src/ipsec/_ipsec.8.in
index 210d74ef8..0aef8c031 100644
--- a/src/ipsec/_ipsec.8.in
+++ b/src/ipsec/_ipsec.8.in
@@ -210,15 +210,18 @@ flushes and rereads all secrets defined in \fIipsec.secrets\fP.
.
.TP
.B "rereadcacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
-directory and adds them to the list of Certification Authority (CA)
-certificates.
+removes previously loaded CA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/cacerts\fP directory and adds them to the list
+of Certification Authority (CA) certificates. This does not affect certificates
+explicitly defined in a
+.BR ipsec.conf (5)
+ca section, which may be separately updated using the \fBupdate\fP command.
.
.TP
.B "rereadaacerts"
-reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
-directory and adds them to the list of Authorization Authority (AA)
-certificates.
+removes previously loaded AA certificates, reads all certificate files
+contained in the \fI/etc/ipsec.d/aacerts\fP directory and adds them to the list
+of Authorization Authority (AA) certificates.
.
.TP
.B "rereadocspcerts"
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 4212ee87a..5eef6fdc6 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -3,6 +3,10 @@ include $(CLEAR_VARS)
# copy-n-paste from Makefile.am
libcharon_la_SOURCES := \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
+attributes/mem_pool.c attributes/mem_pool.h \
bus/bus.c bus/bus.h \
bus/listeners/listener.h \
bus/listeners/logger.h \
@@ -62,6 +66,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
processing/jobs/roam_job.c processing/jobs/roam_job.h \
processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
+processing/jobs/initiate_tasks_job.c processing/jobs/initiate_tasks_job.h \
sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
sa/eap/eap_manager.c sa/eap/eap_manager.h \
sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -72,6 +77,7 @@ sa/ike_sa.c sa/ike_sa.h \
sa/ike_sa_id.c sa/ike_sa_id.h \
sa/keymat.h sa/keymat.c \
sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/child_sa_manager.c sa/child_sa_manager.h \
sa/task_manager.h sa/task_manager.c \
sa/shunt_manager.c sa/shunt_manager.h \
sa/trap_manager.c sa/trap_manager.h \
@@ -97,6 +103,7 @@ sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
@@ -238,4 +245,3 @@ LOCAL_PRELINK_MODULE := false
LOCAL_SHARED_LIBRARIES += libstrongswan libhydra
include $(BUILD_SHARED_LIBRARY)
-
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index e98f5e137..cd81a5eee 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -1,6 +1,10 @@
ipseclib_LTLIBRARIES = libcharon.la
libcharon_la_SOURCES = \
+attributes/attributes.c attributes/attributes.h \
+attributes/attribute_provider.h attributes/attribute_handler.h \
+attributes/attribute_manager.c attributes/attribute_manager.h \
+attributes/mem_pool.c attributes/mem_pool.h \
bus/bus.c bus/bus.h \
bus/listeners/listener.h \
bus/listeners/logger.h \
@@ -60,6 +64,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
processing/jobs/roam_job.c processing/jobs/roam_job.h \
processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
+processing/jobs/initiate_tasks_job.c processing/jobs/initiate_tasks_job.h \
sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
sa/eap/eap_manager.c sa/eap/eap_manager.h \
sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -70,6 +75,7 @@ sa/ike_sa.c sa/ike_sa.h \
sa/ike_sa_id.c sa/ike_sa_id.h \
sa/keymat.h sa/keymat.c \
sa/ike_sa_manager.c sa/ike_sa_manager.h \
+sa/child_sa_manager.c sa/child_sa_manager.h \
sa/task_manager.h sa/task_manager.c \
sa/shunt_manager.c sa/shunt_manager.h \
sa/trap_manager.c sa/trap_manager.h \
@@ -96,6 +102,7 @@ sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
endif
@@ -203,6 +210,20 @@ if MONOLITHIC
endif
endif
+if USE_CONNMARK
+ SUBDIRS += plugins/connmark
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/connmark/libstrongswan-connmark.la
+endif
+endif
+
+if USE_FORECAST
+ SUBDIRS += plugins/forecast
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/forecast/libstrongswan-forecast.la
+endif
+endif
+
if USE_FARP
SUBDIRS += plugins/farp
if MONOLITHIC
@@ -595,13 +616,6 @@ if MONOLITHIC
endif
endif
-if USE_UNIT_TESTS
- SUBDIRS += plugins/unit_tester
-if MONOLITHIC
- libcharon_la_LIBADD += plugins/unit_tester/libstrongswan-unit-tester.la
-endif
-endif
-
if USE_XAUTH_GENERIC
SUBDIRS += plugins/xauth_generic
if MONOLITHIC
@@ -629,3 +643,29 @@ if MONOLITHIC
libcharon_la_LIBADD += plugins/xauth_noauth/libstrongswan-xauth-noauth.la
endif
endif
+
+if USE_RESOLVE
+ SUBDIRS += plugins/resolve
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
+endif
+endif
+
+if USE_ATTR
+ SUBDIRS += plugins/attr
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/attr/libstrongswan-attr.la
+endif
+endif
+
+if USE_ATTR_SQL
+ SUBDIRS += plugins/attr_sql
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la
+endif
+endif
+
+if MONOLITHIC
+ SUBDIRS += .
+endif
+SUBDIRS += tests
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index 4d89794b5..3d425e0b4 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -98,6 +98,7 @@ host_triplet = @host@
@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_reauth_complete.c sa/ikev2/tasks/ike_reauth_complete.h \
@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_auth_lifetime.c sa/ikev2/tasks/ike_auth_lifetime.h \
@USE_IKEV2_TRUE@sa/ikev2/tasks/ike_vendor.c sa/ikev2/tasks/ike_vendor.h
@@ -146,124 +147,132 @@ host_triplet = @host@
@MONOLITHIC_TRUE@@USE_SOCKET_DYNAMIC_TRUE@am__append_11 = plugins/socket_dynamic/libstrongswan-socket-dynamic.la
@USE_SOCKET_WIN_TRUE@am__append_12 = plugins/socket_win
@MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE@am__append_13 = plugins/socket_win/libstrongswan-socket-win.la
-@USE_FARP_TRUE@am__append_14 = plugins/farp
-@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_15 = plugins/farp/libstrongswan-farp.la
-@USE_STROKE_TRUE@am__append_16 = plugins/stroke
-@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_17 = plugins/stroke/libstrongswan-stroke.la
-@USE_VICI_TRUE@am__append_18 = plugins/vici
-@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_19 = plugins/vici/libstrongswan-vici.la
-@USE_SMP_TRUE@am__append_20 = plugins/smp
-@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_21 = plugins/smp/libstrongswan-smp.la
-@USE_SQL_TRUE@am__append_22 = plugins/sql
-@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_23 = plugins/sql/libstrongswan-sql.la
-@USE_DNSCERT_TRUE@am__append_24 = plugins/dnscert
-@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_25 = plugins/dnscert/libstrongswan-dnscert.la
-@USE_IPSECKEY_TRUE@am__append_26 = plugins/ipseckey
-@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_27 = plugins/ipseckey/libstrongswan-ipseckey.la
-@USE_UPDOWN_TRUE@am__append_28 = plugins/updown
-@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_29 = plugins/updown/libstrongswan-updown.la
-@USE_EXT_AUTH_TRUE@am__append_30 = plugins/ext_auth
-@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_31 = plugins/ext_auth/libstrongswan-ext-auth.la
-@USE_EAP_IDENTITY_TRUE@am__append_32 = plugins/eap_identity
-@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_33 = plugins/eap_identity/libstrongswan-eap-identity.la
-@USE_EAP_SIM_TRUE@am__append_34 = plugins/eap_sim
-@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_35 = plugins/eap_sim/libstrongswan-eap-sim.la
-@USE_EAP_SIM_FILE_TRUE@am__append_36 = plugins/eap_sim_file
-@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_37 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
-@USE_EAP_SIM_PCSC_TRUE@am__append_38 = plugins/eap_sim_pcsc
-@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_39 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
-@USE_EAP_SIMAKA_SQL_TRUE@am__append_40 = plugins/eap_simaka_sql
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_41 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
-@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_42 = plugins/eap_simaka_pseudonym
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_43 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
-@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_44 = plugins/eap_simaka_reauth
-@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_45 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
-@USE_EAP_AKA_TRUE@am__append_46 = plugins/eap_aka
-@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_47 = plugins/eap_aka/libstrongswan-eap-aka.la
-@USE_EAP_AKA_3GPP2_TRUE@am__append_48 = plugins/eap_aka_3gpp2
-@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_49 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
-@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_50 = $(top_builddir)/src/libsimaka/libsimaka.la
-@USE_EAP_MD5_TRUE@am__append_51 = plugins/eap_md5
-@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_52 = plugins/eap_md5/libstrongswan-eap-md5.la
-@USE_EAP_GTC_TRUE@am__append_53 = plugins/eap_gtc
-@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_54 = plugins/eap_gtc/libstrongswan-eap-gtc.la
-@USE_EAP_MSCHAPV2_TRUE@am__append_55 = plugins/eap_mschapv2
-@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_56 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
-@USE_EAP_DYNAMIC_TRUE@am__append_57 = plugins/eap_dynamic
-@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_58 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
-@USE_EAP_RADIUS_TRUE@am__append_59 = plugins/eap_radius
-@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_60 = plugins/eap_radius/libstrongswan-eap-radius.la
-@USE_EAP_TLS_TRUE@am__append_61 = plugins/eap_tls
-@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_62 = plugins/eap_tls/libstrongswan-eap-tls.la
-@USE_EAP_TTLS_TRUE@am__append_63 = plugins/eap_ttls
-@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_64 = plugins/eap_ttls/libstrongswan-eap-ttls.la
-@USE_EAP_PEAP_TRUE@am__append_65 = plugins/eap_peap
-@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_66 = plugins/eap_peap/libstrongswan-eap-peap.la
-@USE_EAP_TNC_TRUE@am__append_67 = plugins/eap_tnc
-@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_68 = plugins/eap_tnc/libstrongswan-eap-tnc.la
-@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_69 = $(top_builddir)/src/libtls/libtls.la
-@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_70 = $(top_builddir)/src/libradius/libradius.la
-@USE_TNC_IFMAP_TRUE@am__append_71 = plugins/tnc_ifmap
-@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_72 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
-@USE_TNC_PDP_TRUE@am__append_73 = plugins/tnc_pdp
-@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_74 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
-@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_75 = $(top_builddir)/src/libtnccs/libtnccs.la
-@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv
-@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_77 = plugins/medsrv/libstrongswan-medsrv.la
-@USE_MEDCLI_TRUE@am__append_78 = plugins/medcli
-@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli/libstrongswan-medcli.la
-@USE_DHCP_TRUE@am__append_80 = plugins/dhcp
-@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_81 = plugins/dhcp/libstrongswan-dhcp.la
-@USE_OSX_ATTR_TRUE@am__append_82 = plugins/osx_attr
-@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_83 = plugins/osx_attr/libstrongswan-osx-attr.la
-@USE_ANDROID_DNS_TRUE@am__append_84 = plugins/android_dns
-@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_85 = plugins/android_dns/libstrongswan-android-dns.la
-@USE_ANDROID_LOG_TRUE@am__append_86 = plugins/android_log
-@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_87 = plugins/android_log/libstrongswan-android-log.la
-@USE_MAEMO_TRUE@am__append_88 = plugins/maemo
-@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_89 = plugins/maemo/libstrongswan-maemo.la
-@USE_HA_TRUE@am__append_90 = plugins/ha
-@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_91 = plugins/ha/libstrongswan-ha.la
-@USE_KERNEL_LIBIPSEC_TRUE@am__append_92 = plugins/kernel_libipsec
-@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_93 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
-@USE_KERNEL_WFP_TRUE@am__append_94 = plugins/kernel_wfp
-@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_95 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
-@USE_KERNEL_IPH_TRUE@am__append_96 = plugins/kernel_iph
-@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_97 = plugins/kernel_iph/libstrongswan-kernel-iph.la
-@USE_WHITELIST_TRUE@am__append_98 = plugins/whitelist
-@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_99 = plugins/whitelist/libstrongswan-whitelist.la
-@USE_LOOKIP_TRUE@am__append_100 = plugins/lookip
-@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_101 = plugins/lookip/libstrongswan-lookip.la
-@USE_ERROR_NOTIFY_TRUE@am__append_102 = plugins/error_notify
-@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_103 = plugins/error_notify/libstrongswan-error-notify.la
-@USE_CERTEXPIRE_TRUE@am__append_104 = plugins/certexpire
-@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_105 = plugins/certexpire/libstrongswan-certexpire.la
-@USE_SYSTIME_FIX_TRUE@am__append_106 = plugins/systime_fix
-@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_107 = plugins/systime_fix/libstrongswan-systime-fix.la
-@USE_LED_TRUE@am__append_108 = plugins/led
-@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_109 = plugins/led/libstrongswan-led.la
-@USE_DUPLICHECK_TRUE@am__append_110 = plugins/duplicheck
-@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_111 = plugins/duplicheck/libstrongswan-duplicheck.la
-@USE_COUPLING_TRUE@am__append_112 = plugins/coupling
-@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_113 = plugins/coupling/libstrongswan-coupling.la
-@USE_RADATTR_TRUE@am__append_114 = plugins/radattr
-@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_115 = plugins/radattr/libstrongswan-radattr.la
-@USE_UCI_TRUE@am__append_116 = plugins/uci
-@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_117 = plugins/uci/libstrongswan-uci.la
-@USE_ADDRBLOCK_TRUE@am__append_118 = plugins/addrblock
-@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_119 = plugins/addrblock/libstrongswan-addrblock.la
-@USE_UNITY_TRUE@am__append_120 = plugins/unity
-@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_121 = plugins/unity/libstrongswan-unity.la
-@USE_UNIT_TESTS_TRUE@am__append_122 = plugins/unit_tester
-@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_123 = plugins/unit_tester/libstrongswan-unit-tester.la
-@USE_XAUTH_GENERIC_TRUE@am__append_124 = plugins/xauth_generic
-@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_125 = plugins/xauth_generic/libstrongswan-xauth-generic.la
-@USE_XAUTH_EAP_TRUE@am__append_126 = plugins/xauth_eap
-@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_127 = plugins/xauth_eap/libstrongswan-xauth-eap.la
-@USE_XAUTH_PAM_TRUE@am__append_128 = plugins/xauth_pam
-@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_129 = plugins/xauth_pam/libstrongswan-xauth-pam.la
-@USE_XAUTH_NOAUTH_TRUE@am__append_130 = plugins/xauth_noauth
-@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_131 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_CONNMARK_TRUE@am__append_14 = plugins/connmark
+@MONOLITHIC_TRUE@@USE_CONNMARK_TRUE@am__append_15 = plugins/connmark/libstrongswan-connmark.la
+@USE_FORECAST_TRUE@am__append_16 = plugins/forecast
+@MONOLITHIC_TRUE@@USE_FORECAST_TRUE@am__append_17 = plugins/forecast/libstrongswan-forecast.la
+@USE_FARP_TRUE@am__append_18 = plugins/farp
+@MONOLITHIC_TRUE@@USE_FARP_TRUE@am__append_19 = plugins/farp/libstrongswan-farp.la
+@USE_STROKE_TRUE@am__append_20 = plugins/stroke
+@MONOLITHIC_TRUE@@USE_STROKE_TRUE@am__append_21 = plugins/stroke/libstrongswan-stroke.la
+@USE_VICI_TRUE@am__append_22 = plugins/vici
+@MONOLITHIC_TRUE@@USE_VICI_TRUE@am__append_23 = plugins/vici/libstrongswan-vici.la
+@USE_SMP_TRUE@am__append_24 = plugins/smp
+@MONOLITHIC_TRUE@@USE_SMP_TRUE@am__append_25 = plugins/smp/libstrongswan-smp.la
+@USE_SQL_TRUE@am__append_26 = plugins/sql
+@MONOLITHIC_TRUE@@USE_SQL_TRUE@am__append_27 = plugins/sql/libstrongswan-sql.la
+@USE_DNSCERT_TRUE@am__append_28 = plugins/dnscert
+@MONOLITHIC_TRUE@@USE_DNSCERT_TRUE@am__append_29 = plugins/dnscert/libstrongswan-dnscert.la
+@USE_IPSECKEY_TRUE@am__append_30 = plugins/ipseckey
+@MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE@am__append_31 = plugins/ipseckey/libstrongswan-ipseckey.la
+@USE_UPDOWN_TRUE@am__append_32 = plugins/updown
+@MONOLITHIC_TRUE@@USE_UPDOWN_TRUE@am__append_33 = plugins/updown/libstrongswan-updown.la
+@USE_EXT_AUTH_TRUE@am__append_34 = plugins/ext_auth
+@MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE@am__append_35 = plugins/ext_auth/libstrongswan-ext-auth.la
+@USE_EAP_IDENTITY_TRUE@am__append_36 = plugins/eap_identity
+@MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE@am__append_37 = plugins/eap_identity/libstrongswan-eap-identity.la
+@USE_EAP_SIM_TRUE@am__append_38 = plugins/eap_sim
+@MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE@am__append_39 = plugins/eap_sim/libstrongswan-eap-sim.la
+@USE_EAP_SIM_FILE_TRUE@am__append_40 = plugins/eap_sim_file
+@MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_41 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+@USE_EAP_SIM_PCSC_TRUE@am__append_42 = plugins/eap_sim_pcsc
+@MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE@am__append_43 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+@USE_EAP_SIMAKA_SQL_TRUE@am__append_44 = plugins/eap_simaka_sql
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_45 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_46 = plugins/eap_simaka_pseudonym
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_47 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_48 = plugins/eap_simaka_reauth
+@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_49 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+@USE_EAP_AKA_TRUE@am__append_50 = plugins/eap_aka
+@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_51 = plugins/eap_aka/libstrongswan-eap-aka.la
+@USE_EAP_AKA_3GPP2_TRUE@am__append_52 = plugins/eap_aka_3gpp2
+@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_53 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_54 = $(top_builddir)/src/libsimaka/libsimaka.la
+@USE_EAP_MD5_TRUE@am__append_55 = plugins/eap_md5
+@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_56 = plugins/eap_md5/libstrongswan-eap-md5.la
+@USE_EAP_GTC_TRUE@am__append_57 = plugins/eap_gtc
+@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_58 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+@USE_EAP_MSCHAPV2_TRUE@am__append_59 = plugins/eap_mschapv2
+@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_60 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+@USE_EAP_DYNAMIC_TRUE@am__append_61 = plugins/eap_dynamic
+@MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE@am__append_62 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+@USE_EAP_RADIUS_TRUE@am__append_63 = plugins/eap_radius
+@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_64 = plugins/eap_radius/libstrongswan-eap-radius.la
+@USE_EAP_TLS_TRUE@am__append_65 = plugins/eap_tls
+@MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE@am__append_66 = plugins/eap_tls/libstrongswan-eap-tls.la
+@USE_EAP_TTLS_TRUE@am__append_67 = plugins/eap_ttls
+@MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE@am__append_68 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+@USE_EAP_PEAP_TRUE@am__append_69 = plugins/eap_peap
+@MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE@am__append_70 = plugins/eap_peap/libstrongswan-eap-peap.la
+@USE_EAP_TNC_TRUE@am__append_71 = plugins/eap_tnc
+@MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_72 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+@MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_73 = $(top_builddir)/src/libtls/libtls.la
+@MONOLITHIC_TRUE@@USE_RADIUS_TRUE@am__append_74 = $(top_builddir)/src/libradius/libradius.la
+@USE_TNC_IFMAP_TRUE@am__append_75 = plugins/tnc_ifmap
+@MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE@am__append_76 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+@USE_TNC_PDP_TRUE@am__append_77 = plugins/tnc_pdp
+@MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE@am__append_78 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+@MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE@am__append_79 = $(top_builddir)/src/libtnccs/libtnccs.la
+@USE_MEDSRV_TRUE@am__append_80 = plugins/medsrv
+@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la
+@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli
+@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_83 = plugins/medcli/libstrongswan-medcli.la
+@USE_DHCP_TRUE@am__append_84 = plugins/dhcp
+@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_85 = plugins/dhcp/libstrongswan-dhcp.la
+@USE_OSX_ATTR_TRUE@am__append_86 = plugins/osx_attr
+@MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE@am__append_87 = plugins/osx_attr/libstrongswan-osx-attr.la
+@USE_ANDROID_DNS_TRUE@am__append_88 = plugins/android_dns
+@MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE@am__append_89 = plugins/android_dns/libstrongswan-android-dns.la
+@USE_ANDROID_LOG_TRUE@am__append_90 = plugins/android_log
+@MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE@am__append_91 = plugins/android_log/libstrongswan-android-log.la
+@USE_MAEMO_TRUE@am__append_92 = plugins/maemo
+@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_93 = plugins/maemo/libstrongswan-maemo.la
+@USE_HA_TRUE@am__append_94 = plugins/ha
+@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_95 = plugins/ha/libstrongswan-ha.la
+@USE_KERNEL_LIBIPSEC_TRUE@am__append_96 = plugins/kernel_libipsec
+@MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE@am__append_97 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+@USE_KERNEL_WFP_TRUE@am__append_98 = plugins/kernel_wfp
+@MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE@am__append_99 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+@USE_KERNEL_IPH_TRUE@am__append_100 = plugins/kernel_iph
+@MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE@am__append_101 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+@USE_WHITELIST_TRUE@am__append_102 = plugins/whitelist
+@MONOLITHIC_TRUE@@USE_WHITELIST_TRUE@am__append_103 = plugins/whitelist/libstrongswan-whitelist.la
+@USE_LOOKIP_TRUE@am__append_104 = plugins/lookip
+@MONOLITHIC_TRUE@@USE_LOOKIP_TRUE@am__append_105 = plugins/lookip/libstrongswan-lookip.la
+@USE_ERROR_NOTIFY_TRUE@am__append_106 = plugins/error_notify
+@MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE@am__append_107 = plugins/error_notify/libstrongswan-error-notify.la
+@USE_CERTEXPIRE_TRUE@am__append_108 = plugins/certexpire
+@MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE@am__append_109 = plugins/certexpire/libstrongswan-certexpire.la
+@USE_SYSTIME_FIX_TRUE@am__append_110 = plugins/systime_fix
+@MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE@am__append_111 = plugins/systime_fix/libstrongswan-systime-fix.la
+@USE_LED_TRUE@am__append_112 = plugins/led
+@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_113 = plugins/led/libstrongswan-led.la
+@USE_DUPLICHECK_TRUE@am__append_114 = plugins/duplicheck
+@MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE@am__append_115 = plugins/duplicheck/libstrongswan-duplicheck.la
+@USE_COUPLING_TRUE@am__append_116 = plugins/coupling
+@MONOLITHIC_TRUE@@USE_COUPLING_TRUE@am__append_117 = plugins/coupling/libstrongswan-coupling.la
+@USE_RADATTR_TRUE@am__append_118 = plugins/radattr
+@MONOLITHIC_TRUE@@USE_RADATTR_TRUE@am__append_119 = plugins/radattr/libstrongswan-radattr.la
+@USE_UCI_TRUE@am__append_120 = plugins/uci
+@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_121 = plugins/uci/libstrongswan-uci.la
+@USE_ADDRBLOCK_TRUE@am__append_122 = plugins/addrblock
+@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_123 = plugins/addrblock/libstrongswan-addrblock.la
+@USE_UNITY_TRUE@am__append_124 = plugins/unity
+@MONOLITHIC_TRUE@@USE_UNITY_TRUE@am__append_125 = plugins/unity/libstrongswan-unity.la
+@USE_XAUTH_GENERIC_TRUE@am__append_126 = plugins/xauth_generic
+@MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE@am__append_127 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+@USE_XAUTH_EAP_TRUE@am__append_128 = plugins/xauth_eap
+@MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE@am__append_129 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+@USE_XAUTH_PAM_TRUE@am__append_130 = plugins/xauth_pam
+@MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE@am__append_131 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+@USE_XAUTH_NOAUTH_TRUE@am__append_132 = plugins/xauth_noauth
+@MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE@am__append_133 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+@USE_RESOLVE_TRUE@am__append_134 = plugins/resolve
+@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_135 = plugins/resolve/libstrongswan-resolve.la
+@USE_ATTR_TRUE@am__append_136 = plugins/attr
+@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_137 = plugins/attr/libstrongswan-attr.la
+@USE_ATTR_SQL_TRUE@am__append_138 = plugins/attr_sql
+@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_139 = plugins/attr_sql/libstrongswan-attr-sql.la
subdir = src/libcharon
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
@@ -325,12 +334,12 @@ libcharon_la_DEPENDENCIES = \
$(am__append_29) $(am__append_31) $(am__append_33) \
$(am__append_35) $(am__append_37) $(am__append_39) \
$(am__append_41) $(am__append_43) $(am__append_45) \
- $(am__append_47) $(am__append_49) $(am__append_50) \
- $(am__append_52) $(am__append_54) $(am__append_56) \
+ $(am__append_47) $(am__append_49) $(am__append_51) \
+ $(am__append_53) $(am__append_54) $(am__append_56) \
$(am__append_58) $(am__append_60) $(am__append_62) \
$(am__append_64) $(am__append_66) $(am__append_68) \
- $(am__append_69) $(am__append_70) $(am__append_72) \
- $(am__append_74) $(am__append_75) $(am__append_77) \
+ $(am__append_70) $(am__append_72) $(am__append_73) \
+ $(am__append_74) $(am__append_76) $(am__append_78) \
$(am__append_79) $(am__append_81) $(am__append_83) \
$(am__append_85) $(am__append_87) $(am__append_89) \
$(am__append_91) $(am__append_93) $(am__append_95) \
@@ -339,8 +348,14 @@ libcharon_la_DEPENDENCIES = \
$(am__append_109) $(am__append_111) $(am__append_113) \
$(am__append_115) $(am__append_117) $(am__append_119) \
$(am__append_121) $(am__append_123) $(am__append_125) \
- $(am__append_127) $(am__append_129) $(am__append_131)
-am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
+ $(am__append_127) $(am__append_129) $(am__append_131) \
+ $(am__append_133) $(am__append_135) $(am__append_137) \
+ $(am__append_139)
+am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
+ attributes/attributes.h attributes/attribute_provider.h \
+ attributes/attribute_handler.h attributes/attribute_manager.c \
+ attributes/attribute_manager.h attributes/mem_pool.c \
+ attributes/mem_pool.h bus/bus.c bus/bus.h \
bus/listeners/listener.h bus/listeners/logger.h \
bus/listeners/file_logger.c bus/listeners/file_logger.h \
config/backend_manager.c config/backend_manager.h \
@@ -421,7 +436,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
processing/jobs/update_sa_job.h \
processing/jobs/inactivity_job.c \
- processing/jobs/inactivity_job.h sa/eap/eap_method.c \
+ processing/jobs/inactivity_job.h \
+ processing/jobs/initiate_tasks_job.c \
+ processing/jobs/initiate_tasks_job.h sa/eap/eap_method.c \
sa/eap/eap_method.h sa/eap/eap_inner_method.h \
sa/eap/eap_manager.c sa/eap/eap_manager.h \
sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -429,7 +446,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
sa/authenticator.c sa/authenticator.h sa/child_sa.c \
sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \
- sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \
+ sa/ike_sa_manager.h sa/child_sa_manager.c \
+ sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
sa/trap_manager.h sa/task.c sa/task.h sa/ikev2/keymat_v2.c \
sa/ikev2/keymat_v2.h sa/ikev2/task_manager_v2.c \
@@ -454,6 +472,8 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \
sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
+ sa/ikev2/tasks/ike_reauth_complete.c \
+ sa/ikev2/tasks/ike_reauth_complete.h \
sa/ikev2/tasks/ike_auth_lifetime.c \
sa/ikev2/tasks/ike_auth_lifetime.h sa/ikev2/tasks/ike_vendor.c \
sa/ikev2/tasks/ike_vendor.h sa/ikev1/keymat_v1.c \
@@ -514,6 +534,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
@USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_mobike.lo \
@USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_rekey.lo \
@USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_reauth.lo \
+@USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_reauth_complete.lo \
@USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_auth_lifetime.lo \
@USE_IKEV2_TRUE@ sa/ikev2/tasks/ike_vendor.lo
@USE_IKEV1_TRUE@am__objects_2 = sa/ikev1/keymat_v1.lo \
@@ -543,7 +564,9 @@ am__dirstamp = $(am__leading_dot)dirstamp
@USE_ME_TRUE@ sa/ikev2/connect_manager.lo \
@USE_ME_TRUE@ sa/ikev2/mediation_manager.lo \
@USE_ME_TRUE@ sa/ikev2/tasks/ike_me.lo
-am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \
+am_libcharon_la_OBJECTS = attributes/attributes.lo \
+ attributes/attribute_manager.lo attributes/mem_pool.lo \
+ bus/bus.lo bus/listeners/file_logger.lo \
config/backend_manager.lo config/child_cfg.lo \
config/ike_cfg.lo config/peer_cfg.lo config/proposal.lo \
control/controller.lo daemon.lo encoding/generator.lo \
@@ -587,13 +610,14 @@ am_libcharon_la_OBJECTS = bus/bus.lo bus/listeners/file_logger.lo \
processing/jobs/send_keepalive_job.lo \
processing/jobs/start_action_job.lo \
processing/jobs/roam_job.lo processing/jobs/update_sa_job.lo \
- processing/jobs/inactivity_job.lo sa/eap/eap_method.lo \
+ processing/jobs/inactivity_job.lo \
+ processing/jobs/initiate_tasks_job.lo sa/eap/eap_method.lo \
sa/eap/eap_manager.lo sa/xauth/xauth_method.lo \
sa/xauth/xauth_manager.lo sa/authenticator.lo sa/child_sa.lo \
sa/ike_sa.lo sa/ike_sa_id.lo sa/keymat.lo sa/ike_sa_manager.lo \
- sa/task_manager.lo sa/shunt_manager.lo sa/trap_manager.lo \
- sa/task.lo $(am__objects_1) $(am__objects_2) $(am__objects_3) \
- $(am__objects_4)
+ sa/child_sa_manager.lo sa/task_manager.lo sa/shunt_manager.lo \
+ sa/trap_manager.lo sa/task.lo $(am__objects_1) \
+ $(am__objects_2) $(am__objects_3) $(am__objects_4)
libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -676,11 +700,11 @@ am__define_uniq_tagged_files = \
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
- plugins/socket_dynamic plugins/socket_win plugins/farp \
- plugins/stroke plugins/vici plugins/smp plugins/sql \
- plugins/dnscert plugins/ipseckey plugins/updown \
- plugins/ext_auth plugins/eap_identity plugins/eap_sim \
- plugins/eap_sim_file plugins/eap_sim_pcsc \
+ plugins/socket_dynamic plugins/socket_win plugins/connmark \
+ plugins/forecast plugins/farp plugins/stroke plugins/vici \
+ plugins/smp plugins/sql plugins/dnscert plugins/ipseckey \
+ plugins/updown plugins/ext_auth plugins/eap_identity \
+ plugins/eap_sim plugins/eap_sim_file plugins/eap_sim_pcsc \
plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
plugins/eap_simaka_reauth plugins/eap_aka \
plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
@@ -694,8 +718,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
plugins/error_notify plugins/certexpire plugins/systime_fix \
plugins/led plugins/duplicheck plugins/coupling \
plugins/radattr plugins/uci plugins/addrblock plugins/unity \
- plugins/unit_tester plugins/xauth_generic plugins/xauth_eap \
- plugins/xauth_pam plugins/xauth_noauth
+ plugins/xauth_generic plugins/xauth_eap plugins/xauth_pam \
+ plugins/xauth_noauth plugins/resolve plugins/attr \
+ plugins/attr_sql tests
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -747,6 +772,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -807,10 +833,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -884,6 +912,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -943,16 +973,20 @@ urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
ipseclib_LTLIBRARIES = libcharon.la
-libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
- bus/listeners/logger.h bus/listeners/file_logger.c \
- bus/listeners/file_logger.h config/backend_manager.c \
- config/backend_manager.h config/backend.h config/child_cfg.c \
- config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
- config/peer_cfg.c config/peer_cfg.h config/proposal.c \
- config/proposal.h control/controller.c control/controller.h \
- daemon.c daemon.h encoding/generator.c encoding/generator.h \
- encoding/message.c encoding/message.h encoding/parser.c \
- encoding/parser.h encoding/payloads/auth_payload.c \
+libcharon_la_SOURCES = attributes/attributes.c attributes/attributes.h \
+ attributes/attribute_provider.h attributes/attribute_handler.h \
+ attributes/attribute_manager.c attributes/attribute_manager.h \
+ attributes/mem_pool.c attributes/mem_pool.h bus/bus.c \
+ bus/bus.h bus/listeners/listener.h bus/listeners/logger.h \
+ bus/listeners/file_logger.c bus/listeners/file_logger.h \
+ config/backend_manager.c config/backend_manager.h \
+ config/backend.h config/child_cfg.c config/child_cfg.h \
+ config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
+ config/peer_cfg.h config/proposal.c config/proposal.h \
+ control/controller.c control/controller.h daemon.c daemon.h \
+ encoding/generator.c encoding/generator.h encoding/message.c \
+ encoding/message.h encoding/parser.c encoding/parser.h \
+ encoding/payloads/auth_payload.c \
encoding/payloads/auth_payload.h \
encoding/payloads/cert_payload.c \
encoding/payloads/cert_payload.h \
@@ -1023,7 +1057,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
processing/jobs/roam_job.h processing/jobs/update_sa_job.c \
processing/jobs/update_sa_job.h \
processing/jobs/inactivity_job.c \
- processing/jobs/inactivity_job.h sa/eap/eap_method.c \
+ processing/jobs/inactivity_job.h \
+ processing/jobs/initiate_tasks_job.c \
+ processing/jobs/initiate_tasks_job.h sa/eap/eap_method.c \
sa/eap/eap_method.h sa/eap/eap_inner_method.h \
sa/eap/eap_manager.c sa/eap/eap_manager.h \
sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
@@ -1031,7 +1067,8 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
sa/authenticator.c sa/authenticator.h sa/child_sa.c \
sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
sa/ike_sa_id.h sa/keymat.h sa/keymat.c sa/ike_sa_manager.c \
- sa/ike_sa_manager.h sa/task_manager.h sa/task_manager.c \
+ sa/ike_sa_manager.h sa/child_sa_manager.c \
+ sa/child_sa_manager.h sa/task_manager.h sa/task_manager.c \
sa/shunt_manager.c sa/shunt_manager.h sa/trap_manager.c \
sa/trap_manager.h sa/task.c sa/task.h $(am__append_1) \
$(am__append_2) $(am__append_3) $(am__append_5)
@@ -1057,12 +1094,12 @@ libcharon_la_LIBADD = \
$(am__append_33) $(am__append_35) $(am__append_37) \
$(am__append_39) $(am__append_41) $(am__append_43) \
$(am__append_45) $(am__append_47) $(am__append_49) \
- $(am__append_50) $(am__append_52) $(am__append_54) \
+ $(am__append_51) $(am__append_53) $(am__append_54) \
$(am__append_56) $(am__append_58) $(am__append_60) \
$(am__append_62) $(am__append_64) $(am__append_66) \
- $(am__append_68) $(am__append_69) $(am__append_70) \
- $(am__append_72) $(am__append_74) $(am__append_75) \
- $(am__append_77) $(am__append_79) $(am__append_81) \
+ $(am__append_68) $(am__append_70) $(am__append_72) \
+ $(am__append_73) $(am__append_74) $(am__append_76) \
+ $(am__append_78) $(am__append_79) $(am__append_81) \
$(am__append_83) $(am__append_85) $(am__append_87) \
$(am__append_89) $(am__append_91) $(am__append_93) \
$(am__append_95) $(am__append_97) $(am__append_99) \
@@ -1071,7 +1108,8 @@ libcharon_la_LIBADD = \
$(am__append_113) $(am__append_115) $(am__append_117) \
$(am__append_119) $(am__append_121) $(am__append_123) \
$(am__append_125) $(am__append_127) $(am__append_129) \
- $(am__append_131)
+ $(am__append_131) $(am__append_133) $(am__append_135) \
+ $(am__append_137) $(am__append_139)
EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_6) $(am__append_8) \
@MONOLITHIC_FALSE@ $(am__append_10) $(am__append_12) \
@@ -1084,13 +1122,13 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@ $(am__append_38) $(am__append_40) \
@MONOLITHIC_FALSE@ $(am__append_42) $(am__append_44) \
@MONOLITHIC_FALSE@ $(am__append_46) $(am__append_48) \
-@MONOLITHIC_FALSE@ $(am__append_51) $(am__append_53) \
+@MONOLITHIC_FALSE@ $(am__append_50) $(am__append_52) \
@MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \
@MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \
@MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \
-@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_71) \
-@MONOLITHIC_FALSE@ $(am__append_73) $(am__append_76) \
-@MONOLITHIC_FALSE@ $(am__append_78) $(am__append_80) \
+@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \
+@MONOLITHIC_FALSE@ $(am__append_71) $(am__append_75) \
+@MONOLITHIC_FALSE@ $(am__append_77) $(am__append_80) \
@MONOLITHIC_FALSE@ $(am__append_82) $(am__append_84) \
@MONOLITHIC_FALSE@ $(am__append_86) $(am__append_88) \
@MONOLITHIC_FALSE@ $(am__append_90) $(am__append_92) \
@@ -1103,7 +1141,9 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@ $(am__append_118) $(am__append_120) \
@MONOLITHIC_FALSE@ $(am__append_122) $(am__append_124) \
@MONOLITHIC_FALSE@ $(am__append_126) $(am__append_128) \
-@MONOLITHIC_FALSE@ $(am__append_130)
+@MONOLITHIC_FALSE@ $(am__append_130) $(am__append_132) \
+@MONOLITHIC_FALSE@ $(am__append_134) $(am__append_136) \
+@MONOLITHIC_FALSE@ $(am__append_138) tests
# build optional plugins
########################
@@ -1118,13 +1158,13 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_TRUE@ $(am__append_38) $(am__append_40) \
@MONOLITHIC_TRUE@ $(am__append_42) $(am__append_44) \
@MONOLITHIC_TRUE@ $(am__append_46) $(am__append_48) \
-@MONOLITHIC_TRUE@ $(am__append_51) $(am__append_53) \
+@MONOLITHIC_TRUE@ $(am__append_50) $(am__append_52) \
@MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \
@MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \
@MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \
-@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_71) \
-@MONOLITHIC_TRUE@ $(am__append_73) $(am__append_76) \
-@MONOLITHIC_TRUE@ $(am__append_78) $(am__append_80) \
+@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \
+@MONOLITHIC_TRUE@ $(am__append_71) $(am__append_75) \
+@MONOLITHIC_TRUE@ $(am__append_77) $(am__append_80) \
@MONOLITHIC_TRUE@ $(am__append_82) $(am__append_84) \
@MONOLITHIC_TRUE@ $(am__append_86) $(am__append_88) \
@MONOLITHIC_TRUE@ $(am__append_90) $(am__append_92) \
@@ -1137,7 +1177,9 @@ EXTRA_DIST = Android.mk
@MONOLITHIC_TRUE@ $(am__append_118) $(am__append_120) \
@MONOLITHIC_TRUE@ $(am__append_122) $(am__append_124) \
@MONOLITHIC_TRUE@ $(am__append_126) $(am__append_128) \
-@MONOLITHIC_TRUE@ $(am__append_130)
+@MONOLITHIC_TRUE@ $(am__append_130) $(am__append_132) \
+@MONOLITHIC_TRUE@ $(am__append_134) $(am__append_136) \
+@MONOLITHIC_TRUE@ $(am__append_138) . tests
all: all-recursive
.SUFFIXES:
@@ -1207,6 +1249,18 @@ clean-ipseclibLTLIBRARIES:
echo rm -f $${locs}; \
rm -f $${locs}; \
}
+attributes/$(am__dirstamp):
+ @$(MKDIR_P) attributes
+ @: > attributes/$(am__dirstamp)
+attributes/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) attributes/$(DEPDIR)
+ @: > attributes/$(DEPDIR)/$(am__dirstamp)
+attributes/attributes.lo: attributes/$(am__dirstamp) \
+ attributes/$(DEPDIR)/$(am__dirstamp)
+attributes/attribute_manager.lo: attributes/$(am__dirstamp) \
+ attributes/$(DEPDIR)/$(am__dirstamp)
+attributes/mem_pool.lo: attributes/$(am__dirstamp) \
+ attributes/$(DEPDIR)/$(am__dirstamp)
bus/$(am__dirstamp):
@$(MKDIR_P) bus
@: > bus/$(am__dirstamp)
@@ -1389,6 +1443,9 @@ processing/jobs/update_sa_job.lo: processing/jobs/$(am__dirstamp) \
processing/jobs/$(DEPDIR)/$(am__dirstamp)
processing/jobs/inactivity_job.lo: processing/jobs/$(am__dirstamp) \
processing/jobs/$(DEPDIR)/$(am__dirstamp)
+processing/jobs/initiate_tasks_job.lo: \
+ processing/jobs/$(am__dirstamp) \
+ processing/jobs/$(DEPDIR)/$(am__dirstamp)
sa/eap/$(am__dirstamp):
@$(MKDIR_P) sa/eap
@: > sa/eap/$(am__dirstamp)
@@ -1421,6 +1478,8 @@ sa/ike_sa.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
sa/ike_sa_id.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
sa/keymat.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
sa/ike_sa_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
+sa/child_sa_manager.lo: sa/$(am__dirstamp) \
+ sa/$(DEPDIR)/$(am__dirstamp)
sa/task_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
sa/shunt_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
sa/trap_manager.lo: sa/$(am__dirstamp) sa/$(DEPDIR)/$(am__dirstamp)
@@ -1484,6 +1543,8 @@ sa/ikev2/tasks/ike_rekey.lo: sa/ikev2/tasks/$(am__dirstamp) \
sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
sa/ikev2/tasks/ike_reauth.lo: sa/ikev2/tasks/$(am__dirstamp) \
sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_reauth_complete.lo: sa/ikev2/tasks/$(am__dirstamp) \
+ sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
sa/ikev2/tasks/ike_auth_lifetime.lo: sa/ikev2/tasks/$(am__dirstamp) \
sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
sa/ikev2/tasks/ike_vendor.lo: sa/ikev2/tasks/$(am__dirstamp) \
@@ -1574,6 +1635,8 @@ libcharon.la: $(libcharon_la_OBJECTS) $(libcharon_la_DEPENDENCIES) $(EXTRA_libch
mostlyclean-compile:
-rm -f *.$(OBJEXT)
+ -rm -f attributes/*.$(OBJEXT)
+ -rm -f attributes/*.lo
-rm -f bus/*.$(OBJEXT)
-rm -f bus/*.lo
-rm -f bus/listeners/*.$(OBJEXT)
@@ -1615,6 +1678,9 @@ distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attribute_manager.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attributes.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/mem_pool.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@bus/$(DEPDIR)/bus.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@bus/listeners/$(DEPDIR)/file_logger.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@bus/listeners/$(DEPDIR)/sys_logger.Plo@am__quote@
@@ -1665,6 +1731,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/dpd_timeout_job.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/inactivity_job.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/initiate_mediation_job.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/initiate_tasks_job.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/mediation_job.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/migrate_job.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/process_message_job.Plo@am__quote@
@@ -1679,6 +1746,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@processing/jobs/$(DEPDIR)/update_sa_job.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/authenticator.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/child_sa.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/child_sa_manager.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_id.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/$(DEPDIR)/ike_sa_manager.Plo@am__quote@
@@ -1730,6 +1798,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_mobike.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_natd.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_reauth_complete.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_rekey.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/ikev2/tasks/$(DEPDIR)/ike_vendor.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@sa/xauth/$(DEPDIR)/xauth_manager.Plo@am__quote@
@@ -1764,6 +1833,7 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
+ -rm -rf attributes/.libs attributes/_libs
-rm -rf bus/.libs bus/_libs
-rm -rf bus/listeners/.libs bus/listeners/_libs
-rm -rf config/.libs config/_libs
@@ -1971,6 +2041,8 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+ -rm -f attributes/$(DEPDIR)/$(am__dirstamp)
+ -rm -f attributes/$(am__dirstamp)
-rm -f bus/$(DEPDIR)/$(am__dirstamp)
-rm -f bus/$(am__dirstamp)
-rm -f bus/listeners/$(DEPDIR)/$(am__dirstamp)
@@ -2017,7 +2089,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
mostlyclean-am
distclean: distclean-recursive
- -rm -rf ./$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -2063,7 +2135,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
- -rm -rf ./$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) bus/$(DEPDIR) bus/listeners/$(DEPDIR) config/$(DEPDIR) control/$(DEPDIR) encoding/$(DEPDIR) encoding/payloads/$(DEPDIR) kernel/$(DEPDIR) network/$(DEPDIR) processing/jobs/$(DEPDIR) sa/$(DEPDIR) sa/eap/$(DEPDIR) sa/ikev1/$(DEPDIR) sa/ikev1/authenticators/$(DEPDIR) sa/ikev1/tasks/$(DEPDIR) sa/ikev2/$(DEPDIR) sa/ikev2/authenticators/$(DEPDIR) sa/ikev2/tasks/$(DEPDIR) sa/xauth/$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
diff --git a/src/libhydra/attributes/attribute_handler.h b/src/libcharon/attributes/attribute_handler.h
index bc488f6cb..3c14323a3 100644
--- a/src/libhydra/attributes/attribute_handler.h
+++ b/src/libcharon/attributes/attribute_handler.h
@@ -21,14 +21,14 @@
#ifndef ATTRIBUTE_HANDLER_H_
#define ATTRIBUTE_HANDLER_H_
+typedef struct attribute_handler_t attribute_handler_t;
+
+#include <sa/ike_sa.h>
#include <utils/chunk.h>
-#include <utils/identification.h>
#include <collections/linked_list.h>
#include "attributes.h"
-typedef struct attribute_handler_t attribute_handler_t;
-
/**
* Interface to handle configuration payload attributes.
*/
@@ -40,12 +40,12 @@ struct attribute_handler_t {
* After receiving a configuration attriubte, it is passed to each
* attribute handler until it is handled.
*
- * @param server server from which the attribute was received
+ * @param ike_sa IKE_SA under which attribute is received
* @param type type of configuration attribute to handle
* @param data associated attribute data
* @return TRUE if attribute handled
*/
- bool (*handle)(attribute_handler_t *this, identification_t *server,
+ bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data);
/**
@@ -54,19 +54,23 @@ struct attribute_handler_t {
* A handler that handle()d an attribute gets a call to release() when the
* connection gets closed. Depending on the implementation, this is required
* to remove the attribute.
+ *
+ * @param ike_sa IKE_SA which releases attribute
+ * @param type type of configuration attribute to release
+ * @param data associated attribute data
*/
- void (*release)(attribute_handler_t *this, identification_t *server,
+ void (*release)(attribute_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data);
/**
* Enumerate attributes to request from a server.
*
- * @param server server identity to request attributes from
+ * @param ike_sa IKE_SA to request attributes for
* @param vips list of virtual IPs (host_t*) we are requesting
* @return enumerator (configuration_attribute_type_t, chunk_t)
*/
enumerator_t* (*create_attribute_enumerator)(attribute_handler_t *this,
- identification_t *server, linked_list_t *vips);
+ ike_sa_t *ike_sa, linked_list_t *vips);
};
#endif /** ATTRIBUTE_HANDLER_H_ @}*/
diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libcharon/attributes/attribute_manager.c
index 5fda8b426..2ab7ed118 100644
--- a/src/libhydra/attributes/attribute_manager.c
+++ b/src/libcharon/attributes/attribute_manager.c
@@ -53,15 +53,15 @@ struct private_attribute_manager_t {
typedef struct {
/** attribute group pools */
linked_list_t *pools;
- /** server/peer identity */
- identification_t *id;
+ /** associated IKE_SA */
+ ike_sa_t *ike_sa;
/** requesting/assigned virtual IPs */
linked_list_t *vips;
} enum_data_t;
METHOD(attribute_manager_t, acquire_address, host_t*,
private_attribute_manager_t *this, linked_list_t *pools,
- identification_t *id, host_t *requested)
+ ike_sa_t *ike_sa, host_t *requested)
{
enumerator_t *enumerator;
attribute_provider_t *current;
@@ -71,7 +71,7 @@ METHOD(attribute_manager_t, acquire_address, host_t*,
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &current))
{
- host = current->acquire_address(current, pools, id, requested);
+ host = current->acquire_address(current, pools, ike_sa, requested);
if (host)
{
break;
@@ -85,7 +85,7 @@ METHOD(attribute_manager_t, acquire_address, host_t*,
METHOD(attribute_manager_t, release_address, bool,
private_attribute_manager_t *this, linked_list_t *pools, host_t *address,
- identification_t *id)
+ ike_sa_t *ike_sa)
{
enumerator_t *enumerator;
attribute_provider_t *current;
@@ -95,7 +95,7 @@ METHOD(attribute_manager_t, release_address, bool,
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &current))
{
- if (current->release_address(current, pools, address, id))
+ if (current->release_address(current, pools, address, ike_sa))
{
found = TRUE;
break;
@@ -114,18 +114,18 @@ static enumerator_t *responder_enum_create(attribute_provider_t *provider,
enum_data_t *data)
{
return provider->create_attribute_enumerator(provider, data->pools,
- data->id, data->vips);
+ data->ike_sa, data->vips);
}
METHOD(attribute_manager_t, create_responder_enumerator, enumerator_t*,
private_attribute_manager_t *this, linked_list_t *pools,
- identification_t *id, linked_list_t *vips)
+ ike_sa_t *ike_sa, linked_list_t *vips)
{
enum_data_t *data;
INIT(data,
.pools = pools,
- .id = id,
+ .ike_sa = ike_sa,
.vips = vips,
);
this->lock->read_lock(this->lock);
@@ -153,7 +153,7 @@ METHOD(attribute_manager_t, remove_provider, void,
}
METHOD(attribute_manager_t, handle, attribute_handler_t*,
- private_attribute_manager_t *this, identification_t *server,
+ private_attribute_manager_t *this, ike_sa_t *ike_sa,
attribute_handler_t *handler, configuration_attribute_type_t type,
chunk_t data)
{
@@ -166,7 +166,7 @@ METHOD(attribute_manager_t, handle, attribute_handler_t*,
enumerator = this->handlers->create_enumerator(this->handlers);
while (enumerator->enumerate(enumerator, &current))
{
- if (current == handler && current->handle(current, server, type, data))
+ if (current == handler && current->handle(current, ike_sa, type, data))
{
handled = current;
break;
@@ -178,7 +178,7 @@ METHOD(attribute_manager_t, handle, attribute_handler_t*,
enumerator = this->handlers->create_enumerator(this->handlers);
while (enumerator->enumerate(enumerator, &current))
{
- if (current->handle(current, server, type, data))
+ if (current->handle(current, ike_sa, type, data))
{
handled = current;
break;
@@ -198,7 +198,7 @@ METHOD(attribute_manager_t, handle, attribute_handler_t*,
METHOD(attribute_manager_t, release, void,
private_attribute_manager_t *this, attribute_handler_t *handler,
- identification_t *server, configuration_attribute_type_t type, chunk_t data)
+ ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data)
{
enumerator_t *enumerator;
attribute_handler_t *current;
@@ -209,7 +209,7 @@ METHOD(attribute_manager_t, release, void,
{
if (current == handler)
{
- current->release(current, server, type, data);
+ current->release(current, ike_sa, type, data);
break;
}
}
@@ -231,8 +231,8 @@ typedef struct {
enumerator_t *outer;
/** inner enumerator over current handlers attributes */
enumerator_t *inner;
- /** server ID we want attributes for */
- identification_t *id;
+ /** IKE_SA to request attributes for */
+ ike_sa_t *ike_sa;
/** virtual IPs we are requesting along with attriubutes */
linked_list_t *vips;
} initiator_enumerator_t;
@@ -254,7 +254,7 @@ static bool initiator_enumerate(initiator_enumerator_t *this,
}
DESTROY_IF(this->inner);
this->inner = this->handler->create_attribute_enumerator(this->handler,
- this->id, this->vips);
+ this->ike_sa, this->vips);
}
/* inject the handler as additional attribute */
*handler = this->handler;
@@ -273,7 +273,7 @@ static void initiator_destroy(initiator_enumerator_t *this)
}
METHOD(attribute_manager_t, create_initiator_enumerator, enumerator_t*,
- private_attribute_manager_t *this, identification_t *id, linked_list_t *vips)
+ private_attribute_manager_t *this, ike_sa_t *ike_sa, linked_list_t *vips)
{
initiator_enumerator_t *enumerator;
@@ -285,7 +285,7 @@ METHOD(attribute_manager_t, create_initiator_enumerator, enumerator_t*,
.destroy = (void*)initiator_destroy,
},
.this = this,
- .id = id,
+ .ike_sa = ike_sa,
.vips = vips,
.outer = this->handlers->create_enumerator(this->handlers),
);
@@ -345,4 +345,3 @@ attribute_manager_t *attribute_manager_create()
return &this->public;
}
-
diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libcharon/attributes/attribute_manager.h
index 99f41772c..6db664968 100644
--- a/src/libhydra/attributes/attribute_manager.h
+++ b/src/libcharon/attributes/attribute_manager.h
@@ -24,6 +24,8 @@
#include "attribute_provider.h"
#include "attribute_handler.h"
+#include <sa/ike_sa.h>
+
typedef struct attribute_manager_t attribute_manager_t;
/**
@@ -40,12 +42,12 @@ struct attribute_manager_t {
* Acquire a virtual IP address to assign to a peer.
*
* @param pools list of pool names (char*) to acquire from
- * @param id peer identity to get address forua
+ * @param ike_sa associated IKE_SA for which an address is requested
* @param requested IP in configuration request
* @return allocated address, NULL to serve none
*/
host_t* (*acquire_address)(attribute_manager_t *this,
- linked_list_t *pool, identification_t *id,
+ linked_list_t *pool, ike_sa_t *ike_sa,
host_t *requested);
/**
@@ -53,23 +55,23 @@ struct attribute_manager_t {
*
* @param pools list of pool names (char*) to release to
* @param address address to release
- * @param id peer identity to get address for
+ * @param ike_sa associated IKE_SA for which an address is released
* @return TRUE if address released to pool
*/
bool (*release_address)(attribute_manager_t *this,
linked_list_t *pools, host_t *address,
- identification_t *id);
+ ike_sa_t *ike_sa);
/**
* Create an enumerator over attributes to hand out to a peer.
*
* @param pool list of pools names (char*) to query attributes from
- * @param id peer identity to hand out attributes to
+ * @param ike_sa associated IKE_SA for which attributes are requested
* @param vip list of virtual IPs (host_t*) to assign to peer
* @return enumerator (configuration_attribute_type_t, chunk_t)
*/
enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this,
- linked_list_t *pool, identification_t *id,
+ linked_list_t *pool, ike_sa_t *ike_sa,
linked_list_t *vips);
/**
@@ -90,38 +92,37 @@ struct attribute_manager_t {
/**
* Handle a configuration attribute by passing them to the handlers.
*
- * @param server server from which the attribute was received
+ * @param ike_sa associated IKE_SA to handle an attribute for
* @param handler handler we requested the attribute for, if any
* @param type type of configuration attribute
* @param data associated attribute data
* @return handler which handled this attribute, NULL if none
*/
attribute_handler_t* (*handle)(attribute_manager_t *this,
- identification_t *server, attribute_handler_t *handler,
+ ike_sa_t *ike_sa, attribute_handler_t *handler,
configuration_attribute_type_t type, chunk_t data);
/**
* Release an attribute previously handle()d by a handler.
*
- * @param handler handler returned by handle() for this attribute
+ * @param ike_sa associated IKE_SA to release an attribute for
* @param server server from which the attribute was received
* @param type type of attribute to release
* @param data associated attribute data
*/
void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
- identification_t *server,
- configuration_attribute_type_t type,
+ ike_sa_t *ike_sa, configuration_attribute_type_t type,
chunk_t data);
/**
* Create an enumerator over attributes to request from server.
*
- * @param id server identity to hand out attributes to
+ * @param ike_sa associated IKE_SA to request attributes for
* @param vip list of virtual IPs (host_t*) going to request
* @return enumerator (attribute_handler_t, ca_type_t, chunk_t)
*/
enumerator_t* (*create_initiator_enumerator)(attribute_manager_t *this,
- identification_t *id, linked_list_t *vips);
+ ike_sa_t *ike_sa, linked_list_t *vips);
/**
* Register an attribute handler to the manager.
diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libcharon/attributes/attribute_provider.h
index adfd4a516..57453c2a0 100644
--- a/src/libhydra/attributes/attribute_provider.h
+++ b/src/libcharon/attributes/attribute_provider.h
@@ -21,8 +21,8 @@
#ifndef ATTRIBUTE_PROVIDER_H_
#define ATTRIBUTE_PROVIDER_H_
+#include <sa/ike_sa.h>
#include <networking/host.h>
-#include <utils/identification.h>
#include <collections/linked_list.h>
typedef struct attribute_provider_t attribute_provider_t;
@@ -36,35 +36,35 @@ struct attribute_provider_t {
* Acquire a virtual IP address to assign to a peer.
*
* @param pools list of pool names (char*) to acquire from
- * @param id peer ID
+ * @param ike_sa associated IKE_SA to assign address over
* @param requested IP in configuration request
* @return allocated address, NULL to serve none
*/
host_t* (*acquire_address)(attribute_provider_t *this,
- linked_list_t *pools, identification_t *id,
+ linked_list_t *pools, ike_sa_t *ike_sa,
host_t *requested);
/**
* Release a previously acquired address.
*
* @param pools list of pool names (char*) to release to
* @param address address to release
- * @param id peer ID
+ * @param ike_sa IKE_SA to release address for
* @return TRUE if the address has been released by the provider
*/
bool (*release_address)(attribute_provider_t *this,
linked_list_t *pools, host_t *address,
- identification_t *id);
+ ike_sa_t *ike_sa);
/**
* Create an enumerator over attributes to hand out to a peer.
*
* @param pool list of pools names (char*) to query attributes from
- * @param id peer ID
+ * @param ike_sa IKE_SA to request attributes for
* @param vip list of virtual IPs (host_t*) to assign to peer
* @return enumerator (configuration_attribute_type_t, chunk_t)
*/
enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
- linked_list_t *pools, identification_t *id,
+ linked_list_t *pools, ike_sa_t *ike_sa,
linked_list_t *vips);
};
diff --git a/src/libhydra/attributes/attributes.c b/src/libcharon/attributes/attributes.c
index 9fabcf4e4..9fabcf4e4 100644
--- a/src/libhydra/attributes/attributes.c
+++ b/src/libcharon/attributes/attributes.c
diff --git a/src/libhydra/attributes/attributes.h b/src/libcharon/attributes/attributes.h
index 5d1e9f9ba..5d1e9f9ba 100644
--- a/src/libhydra/attributes/attributes.h
+++ b/src/libcharon/attributes/attributes.h
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libcharon/attributes/mem_pool.c
index cc45e5629..279668249 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libcharon/attributes/mem_pool.c
@@ -47,6 +47,11 @@ struct private_mem_pool_t {
host_t *base;
/**
+ * whether base is the network id of the subnet on which the pool is based
+ */
+ bool base_is_network_id;
+
+ /**
* size of the pool
*/
u_int size;
@@ -65,20 +70,25 @@ struct private_mem_pool_t {
* lock to safely access the pool
*/
mutex_t *mutex;
-
- /**
- * Do we reassign online leases to the same identity, if requested?
- */
- bool reassign_online;
};
/**
+ * A unique lease address offset, with a hash of the peer host address
+ */
+typedef struct {
+ /** lease, as offset */
+ u_int offset;
+ /** hash of remote address, to allow duplicates */
+ u_int hash;
+} unique_lease_t;
+
+/**
* Lease entry.
*/
typedef struct {
/* identitiy reference */
identification_t *id;
- /* array of online leases, as u_int offset */
+ /* array of online leases, as unique_lease_t */
array_t *online;
/* array of offline leases, as u_int offset */
array_t *offline;
@@ -93,13 +103,24 @@ static entry_t* entry_create(identification_t *id)
INIT(entry,
.id = id->clone(id),
- .online = array_create(sizeof(u_int), 0),
+ .online = array_create(sizeof(unique_lease_t), 0),
.offline = array_create(sizeof(u_int), 0),
);
return entry;
}
/**
+ * Destroy an entry
+ */
+static void entry_destroy(entry_t *this)
+{
+ this->id->destroy(this->id);
+ array_destroy(this->online);
+ array_destroy(this->offline);
+ free(this);
+}
+
+/**
* hashtable hash function for identities
*/
static u_int id_hash(identification_t *id)
@@ -235,12 +256,25 @@ METHOD(mem_pool_t, get_offline, u_int,
}
/**
+ * Create a unique hash for a remote address
+ */
+static u_int hash_addr(host_t *addr)
+{
+ if (addr)
+ {
+ return chunk_hash_inc(addr->get_address(addr), addr->get_port(addr));
+ }
+ return 0;
+}
+
+/**
* Get an existing lease for id
*/
static int get_existing(private_mem_pool_t *this, identification_t *id,
- host_t *requested)
+ host_t *requested, host_t *peer)
{
enumerator_t *enumerator;
+ unique_lease_t *lease, reassign;
u_int *current;
entry_t *entry;
int offset = 0;
@@ -255,8 +289,9 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
enumerator = array_create_enumerator(entry->offline);
if (enumerator->enumerate(enumerator, &current))
{
- offset = *current;
- array_insert(entry->online, ARRAY_TAIL, current);
+ reassign.offset = offset = *current;
+ reassign.hash = hash_addr(peer);
+ array_insert(entry->online, ARRAY_TAIL, &reassign);
array_remove_at(entry->offline, enumerator);
}
enumerator->destroy(enumerator);
@@ -265,19 +300,20 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
return offset;
}
- if (!this->reassign_online)
+ if (!peer)
{
return 0;
}
/* check for a valid online lease to reassign */
enumerator = array_create_enumerator(entry->online);
- while (enumerator->enumerate(enumerator, &current))
+ while (enumerator->enumerate(enumerator, &lease))
{
- if (*current == host2offset(this, requested))
+ if (lease->offset == host2offset(this, requested) &&
+ lease->hash == hash_addr(peer))
{
- offset = *current;
+ offset = lease->offset;
/* add an additional "online" entry */
- array_insert(entry->online, ARRAY_TAIL, current);
+ array_insert(entry->online, ARRAY_TAIL, lease);
break;
}
}
@@ -292,10 +328,10 @@ static int get_existing(private_mem_pool_t *this, identification_t *id,
/**
* Get a new lease for id
*/
-static int get_new(private_mem_pool_t *this, identification_t *id)
+static int get_new(private_mem_pool_t *this, identification_t *id, host_t *peer)
{
entry_t *entry;
- u_int offset = 0;
+ unique_lease_t lease = {};
if (this->unused < this->size)
{
@@ -306,47 +342,63 @@ static int get_new(private_mem_pool_t *this, identification_t *id)
this->leases->put(this->leases, entry->id, entry);
}
/* assigning offset, starting by 1 */
- offset = ++this->unused;
- array_insert(entry->online, ARRAY_TAIL, &offset);
+ lease.offset = ++this->unused + (this->base_is_network_id ? 1 : 0);
+ lease.hash = hash_addr(peer);
+ array_insert(entry->online, ARRAY_TAIL, &lease);
DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
}
- return offset;
+ return lease.offset;
}
/**
* Get a reassigned lease for id in case the pool is full
*/
-static int get_reassigned(private_mem_pool_t *this, identification_t *id)
+static int get_reassigned(private_mem_pool_t *this, identification_t *id,
+ host_t *peer)
{
enumerator_t *enumerator;
entry_t *entry;
- u_int current, offset = 0;
+ u_int current;
+ unique_lease_t lease = {};
enumerator = this->leases->create_enumerator(this->leases);
while (enumerator->enumerate(enumerator, NULL, &entry))
{
if (array_remove(entry->offline, ARRAY_HEAD, &current))
{
- offset = current;
- DBG1(DBG_CFG, "reassigning existing offline lease by '%Y'"
- " to '%Y'", entry->id, id);
+ lease.offset = current;
+ DBG1(DBG_CFG, "reassigning existing offline lease by '%Y' "
+ "to '%Y'", entry->id, id);
+ }
+ if (!array_count(entry->online) && !array_count(entry->offline))
+ {
+ this->leases->remove_at(this->leases, enumerator);
+ entry_destroy(entry);
+ }
+ if (lease.offset)
+ {
break;
}
}
enumerator->destroy(enumerator);
- if (offset)
+ if (lease.offset)
{
- entry = entry_create(id);
- array_insert(entry->online, ARRAY_TAIL, &offset);
- this->leases->put(this->leases, entry->id, entry);
+ entry = this->leases->get(this->leases, id);
+ if (!entry)
+ {
+ entry = entry_create(id);
+ this->leases->put(this->leases, entry->id, entry);
+ }
+ lease.hash = hash_addr(peer);
+ array_insert(entry->online, ARRAY_TAIL, &lease);
}
- return offset;
+ return lease.offset;
}
METHOD(mem_pool_t, acquire_address, host_t*,
private_mem_pool_t *this, identification_t *id, host_t *requested,
- mem_pool_op_t operation)
+ mem_pool_op_t operation, host_t *peer)
{
int offset = 0;
@@ -367,13 +419,13 @@ METHOD(mem_pool_t, acquire_address, host_t*,
switch (operation)
{
case MEM_POOL_EXISTING:
- offset = get_existing(this, id, requested);
+ offset = get_existing(this, id, requested, peer);
break;
case MEM_POOL_NEW:
- offset = get_new(this, id);
+ offset = get_new(this, id, peer);
break;
case MEM_POOL_REASSIGN:
- offset = get_reassigned(this, id);
+ offset = get_reassigned(this, id, peer);
if (!offset)
{
DBG1(DBG_CFG, "pool '%s' is full, unable to assign address",
@@ -398,7 +450,8 @@ METHOD(mem_pool_t, release_address, bool,
enumerator_t *enumerator;
bool found = FALSE, more = FALSE;
entry_t *entry;
- u_int offset, *current;
+ u_int offset;
+ unique_lease_t *current;
if (this->size != 0)
{
@@ -411,7 +464,7 @@ METHOD(mem_pool_t, release_address, bool,
enumerator = array_create_enumerator(entry->online);
while (enumerator->enumerate(enumerator, &current))
{
- if (*current == offset)
+ if (current->offset == offset)
{
if (!found)
{ /* remove the first entry only */
@@ -463,6 +516,7 @@ METHOD(enumerator_t, lease_enumerate, bool,
lease_enumerator_t *this, identification_t **id, host_t **addr, bool *online)
{
u_int *offset;
+ unique_lease_t *lease;
DESTROY_IF(this->addr);
this->addr = NULL;
@@ -471,10 +525,10 @@ METHOD(enumerator_t, lease_enumerate, bool,
{
if (this->entry)
{
- if (this->online->enumerate(this->online, &offset))
+ if (this->online->enumerate(this->online, &lease))
{
*id = this->entry->id;
- *addr = this->addr = offset2host(this->pool, *offset);
+ *addr = this->addr = offset2host(this->pool, lease->offset);
*online = TRUE;
return TRUE;
}
@@ -535,10 +589,7 @@ METHOD(mem_pool_t, destroy, void,
enumerator = this->leases->create_enumerator(this->leases);
while (enumerator->enumerate(enumerator, NULL, &entry))
{
- entry->id->destroy(entry->id);
- array_destroy(entry->online);
- array_destroy(entry->offline);
- free(entry);
+ entry_destroy(entry);
}
enumerator->destroy(enumerator);
@@ -572,26 +623,45 @@ static private_mem_pool_t *create_generic(char *name)
.leases = hashtable_create((hashtable_hash_t)id_hash,
(hashtable_equals_t)id_equals, 16),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .reassign_online = lib->settings->get_bool(lib->settings,
- "%s.mem-pool.reassign_online", FALSE, lib->ns),
);
return this;
}
/**
+ * Check if the given host is the network ID of a subnet, that is, if hostbits
+ * are zero. Since we limit pools to 2^31 addresses we only have to check the
+ * last 4 bytes.
+ */
+static u_int network_id_diff(host_t *host, int hostbits)
+{
+ u_int32_t last;
+ chunk_t addr;
+
+ if (!hostbits)
+ {
+ return 0;
+ }
+ addr = host->get_address(host);
+ last = untoh32(addr.ptr + addr.len - sizeof(last));
+ hostbits = sizeof(last) * 8 - hostbits;
+ return (last << hostbits) >> hostbits;
+}
+
+/**
* Described in header
*/
mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
{
private_mem_pool_t *this;
+ u_int diff;
int addr_bits;
this = create_generic(name);
if (base)
{
addr_bits = base->get_family(base) == AF_INET ? 32 : 128;
- bits = max(0, min(bits, base->get_family(base) == AF_INET ? 32 : 128));
+ bits = max(0, min(bits, addr_bits));
/* net bits -> host bits */
bits = addr_bits - bits;
if (bits > POOL_LIMIT)
@@ -601,15 +671,31 @@ mem_pool_t *mem_pool_create(char *name, host_t *base, int bits)
base, addr_bits - bits);
}
this->size = 1 << bits;
+ this->base = base->clone(base);
if (this->size > 2)
- { /* do not use first and last addresses of a block */
- this->unused++;
- this->size -= 2;
+ {
+ /* if base is the network id we later skip the first address,
+ * otherwise adjust the size to represent the actual number
+ * of assignable addresses */
+ diff = network_id_diff(base, bits);
+ if (!diff)
+ {
+ this->base_is_network_id = TRUE;
+ this->size--;
+ }
+ else
+ {
+ this->size -= diff;
+ }
+ /* skip the last address (broadcast) of the subnet */
+ this->size--;
+ }
+ else if (network_id_diff(base, bits))
+ { /* only serve the second address of the subnet */
+ this->size--;
}
- this->base = base->clone(base);
}
-
return &this->public;
}
diff --git a/src/libhydra/attributes/mem_pool.h b/src/libcharon/attributes/mem_pool.h
index 7347bb547..3ee1dd37d 100644
--- a/src/libhydra/attributes/mem_pool.h
+++ b/src/libcharon/attributes/mem_pool.h
@@ -87,13 +87,21 @@ struct mem_pool_t {
* acquire a new lease (MEM_POOL_NEW), and if the pool is full once again
* to assign an existing offline lease (MEM_POOL_REASSIGN).
*
+ * If the same identity requests a virtual IP that is already assigned to
+ * it, the peer address and port is used to check if it is the same client
+ * instance that is connecting. If this is true, the request is considered
+ * a request for a reauthentication attempt, and the same virtual IP gets
+ * assigned to the peer.
+ *
* @param id the id to acquire an address for
* @param requested acquire this address, if possible
* @param operation acquire operation to perform, see above
+ * @param peer optional remote IKE address and port
* @return the acquired address
*/
host_t* (*acquire_address)(mem_pool_t *this, identification_t *id,
- host_t *requested, mem_pool_op_t operation);
+ host_t *requested, mem_pool_op_t operation,
+ host_t *peer);
/**
* Release a previously acquired address.
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index cb59f976b..7938f46cc 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -755,6 +755,33 @@ METHOD(bus_t, ike_rekey, void,
this->mutex->unlock(this->mutex);
}
+METHOD(bus_t, ike_update, void,
+ private_bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ bool keep;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->ike_update)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->ike_update(entry->listener, ike_sa, local, new);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
METHOD(bus_t, ike_reestablish_pre, void,
private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
{
@@ -1006,6 +1033,7 @@ bus_t *bus_create()
.child_keys = _child_keys,
.ike_updown = _ike_updown,
.ike_rekey = _ike_rekey,
+ .ike_update = _ike_update,
.ike_reestablish_pre = _ike_reestablish_pre,
.ike_reestablish_post = _ike_reestablish_post,
.child_updown = _child_updown,
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index e1d221ca5..051c429f9 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -382,6 +382,15 @@ struct bus_t {
void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
/**
+ * IKE_SA peer endpoint update hook.
+ *
+ * @param ike_sa updated IKE_SA, having old endpoints set
+ * @param local TRUE if local endpoint gets updated, FALSE for remote
+ * @param new new endpoint address and port
+ */
+ void (*ike_update)(bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new);
+
+ /**
* IKE_SA reestablishing hook (before resolving hosts).
*
* @param old reestablished and obsolete IKE_SA
diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h
index 0910cb361..3447d8f99 100644
--- a/src/libcharon/bus/listeners/listener.h
+++ b/src/libcharon/bus/listeners/listener.h
@@ -128,6 +128,17 @@ struct listener_t {
bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
/**
+ * Hook called for IKE_SA peer endpoint updates.
+ *
+ * @param ike_sa updated IKE_SA, having old endpoints set
+ * @param local TRUE if local endpoint gets updated, FALSE for remote
+ * @param new new endpoint address and port
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*ike_update)(listener_t *this, ike_sa_t *ike_sa,
+ bool local, host_t *new);
+
+ /**
* Hook called when an initiator reestablishes an IKE_SA.
*
* This is invoked right after creating the new IKE_SA and setting the
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 42a3e9057..9464ceb5d 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -459,25 +459,10 @@ static traffic_selector_t* make_range(char *str)
{
traffic_selector_t *ts;
ts_type_t type;
- char *pos;
host_t *from, *to;
- pos = strchr(str, '-');
- if (!pos)
- {
- return NULL;
- }
- to = host_create_from_string(pos + 1, 0);
- if (!to)
- {
- return NULL;
- }
- str = strndup(str, pos - str);
- from = host_create_from_string_and_family(str, to->get_family(to), 0);
- free(str);
- if (!from)
+ if (!host_create_from_range(str, &from, &to))
{
- to->destroy(to);
return NULL;
}
if (to->get_family(to) == AF_INET)
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 50d3c6f66..e59dcd9ec 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -399,10 +399,12 @@ static const struct {
pseudo_random_function_t prf;
} integ_prf_map[] = {
{AUTH_HMAC_SHA1_96, PRF_HMAC_SHA1 },
+ {AUTH_HMAC_SHA1_160, PRF_HMAC_SHA1 },
{AUTH_HMAC_SHA2_256_128, PRF_HMAC_SHA2_256 },
{AUTH_HMAC_SHA2_384_192, PRF_HMAC_SHA2_384 },
{AUTH_HMAC_SHA2_512_256, PRF_HMAC_SHA2_512 },
{AUTH_HMAC_MD5_96, PRF_HMAC_MD5 },
+ {AUTH_HMAC_MD5_128, PRF_HMAC_MD5 },
{AUTH_AES_XCBC_96, PRF_AES128_XCBC },
{AUTH_CAMELLIA_XCBC_96, PRF_CAMELLIA128_XCBC },
{AUTH_AES_CMAC_96, PRF_AES128_CMAC },
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 25667e532..fd8349e2f 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -303,6 +303,18 @@ METHOD(listener_t, child_state_change, bool,
/* proper delete */
this->status = SUCCESS;
break;
+ case CHILD_RETRYING:
+ /* retrying with a different DH group; survive another
+ * initiation round */
+ this->status = NEED_MORE;
+ return TRUE;
+ case CHILD_CREATED:
+ if (this->status == NEED_MORE)
+ {
+ this->status = FAILED;
+ return TRUE;
+ }
+ break;
default:
break;
}
@@ -437,7 +449,7 @@ METHOD(job_t, terminate_ike_execute, job_requeue_t,
ike_sa_t *ike_sa;
ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- unique_id, FALSE);
+ unique_id);
if (!ike_sa)
{
DBG1(DBG_IKE, "unable to terminate IKE_SA: ID %d not found", unique_id);
@@ -522,17 +534,15 @@ METHOD(job_t, terminate_child_execute, job_requeue_t,
interface_job_t *job)
{
interface_listener_t *listener = &job->listener;
- u_int32_t reqid = listener->id;
- enumerator_t *enumerator;
+ u_int32_t id = listener->id;
child_sa_t *child_sa;
ike_sa_t *ike_sa;
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- reqid, TRUE);
+ ike_sa = charon->child_sa_manager->checkout_by_id(charon->child_sa_manager,
+ id, &child_sa);
if (!ike_sa)
{
- DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found",
- reqid);
+ DBG1(DBG_IKE, "unable to terminate, CHILD_SA with ID %d not found", id);
listener->status = NOT_FOUND;
/* release listener */
listener_done(listener);
@@ -542,22 +552,10 @@ METHOD(job_t, terminate_child_execute, job_requeue_t,
listener->ike_sa = ike_sa;
listener->lock->unlock(listener->lock);
- enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
- while (enumerator->enumerate(enumerator, (void**)&child_sa))
- {
- if (child_sa->get_state(child_sa) != CHILD_ROUTED &&
- child_sa->get_reqid(child_sa) == reqid)
- {
- break;
- }
- child_sa = NULL;
- }
- enumerator->destroy(enumerator);
-
- if (!child_sa)
+ if (child_sa->get_state(child_sa) == CHILD_ROUTED)
{
DBG1(DBG_IKE, "unable to terminate, established "
- "CHILD_SA with ID %d not found", reqid);
+ "CHILD_SA with ID %d not found", id);
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
listener->status = NOT_FOUND;
/* release listener */
@@ -584,7 +582,7 @@ METHOD(job_t, terminate_child_execute, job_requeue_t,
}
METHOD(controller_t, terminate_child, status_t,
- controller_t *this, u_int32_t reqid,
+ controller_t *this, u_int32_t unique_id,
controller_cb_t callback, void *param, u_int timeout)
{
interface_job_t *job;
@@ -605,7 +603,7 @@ METHOD(controller_t, terminate_child, status_t,
.param = param,
},
.status = FAILED,
- .id = reqid,
+ .id = unique_id,
.lock = spinlock_create(),
},
.public = {
diff --git a/src/libcharon/control/controller.h b/src/libcharon/control/controller.h
index 222285cde..02f4ebb2b 100644
--- a/src/libcharon/control/controller.h
+++ b/src/libcharon/control/controller.h
@@ -118,7 +118,7 @@ struct controller_t {
* If a callback is provided the function is synchronous and thus blocks
* until the CHILD_SA is properly deleted, or the call timed out.
*
- * @param reqid reqid of the CHILD_SA to terminate
+ * @param unique_id CHILD_SA unique ID to terminate
* @param cb logging callback
* @param param parameter to include in each call of cb
* @param timeout timeout in ms to wait for callbacks, 0 to disable
@@ -128,7 +128,7 @@ struct controller_t {
* - NEED_MORE, if callback returned FALSE
* - OUT_OF_RES if timed out
*/
- status_t (*terminate_child)(controller_t *this, u_int32_t reqid,
+ status_t (*terminate_child)(controller_t *this, u_int32_t unique_id,
controller_cb_t callback, void *param,
u_int timeout);
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 3ae7c4e6f..b1b8f57f0 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -474,12 +474,15 @@ static void destroy(private_daemon_t *this)
DESTROY_IF(this->public.connect_manager);
DESTROY_IF(this->public.mediation_manager);
#endif /* ME */
- /* make sure the cache is clear before unloading plugins */
+ /* make sure the cache and scheduler are clear before unloading plugins */
lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+ lib->scheduler->flush(lib->scheduler);
lib->plugins->unload(lib->plugins);
+ DESTROY_IF(this->public.attributes);
DESTROY_IF(this->kernel_handler);
DESTROY_IF(this->public.traps);
DESTROY_IF(this->public.shunts);
+ DESTROY_IF(this->public.child_sa_manager);
DESTROY_IF(this->public.ike_sa_manager);
DESTROY_IF(this->public.controller);
DESTROY_IF(this->public.eap);
@@ -606,6 +609,7 @@ METHOD(daemon_t, initialize, bool,
{
return FALSE;
}
+ this->public.child_sa_manager = child_sa_manager_create();
/* Queue start_action job */
lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create());
@@ -642,6 +646,7 @@ private_daemon_t *daemon_create()
.ref = 1,
);
charon = &this->public;
+ this->public.attributes = attribute_manager_create();
this->public.controller = controller_create();
this->public.eap = eap_manager_create();
this->public.xauth = xauth_manager_create();
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 36242bb04..d16bf1ddb 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -19,6 +19,9 @@
/**
* @defgroup libcharon libcharon
*
+ * @defgroup attributes attributes
+ * @ingroup libcharon
+ *
* @defgroup bus bus
* @ingroup libcharon
*
@@ -152,12 +155,14 @@
typedef struct daemon_t daemon_t;
+#include <attributes/attribute_manager.h>
#include <network/sender.h>
#include <network/receiver.h>
#include <network/socket_manager.h>
#include <control/controller.h>
#include <bus/bus.h>
#include <sa/ike_sa_manager.h>
+#include <sa/child_sa_manager.h>
#include <sa/trap_manager.h>
#include <sa/shunt_manager.h>
#include <config/backend_manager.h>
@@ -215,6 +220,11 @@ struct daemon_t {
ike_sa_manager_t *ike_sa_manager;
/**
+ * A child_sa_manager_t instance.
+ */
+ child_sa_manager_t *child_sa_manager;
+
+ /**
* Manager for triggering policies, called traps
*/
trap_manager_t *traps;
@@ -240,6 +250,11 @@ struct daemon_t {
receiver_t *receiver;
/**
+ * Manager for IKE configuration attributes
+ */
+ attribute_manager_t *attributes;
+
+ /**
* The signaling bus.
*/
bus_t *bus;
diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index cb6c97f25..0a596ffb0 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -180,6 +180,7 @@ static payload_order_t ike_sa_init_r_order[] = {
*/
static payload_rule_t ike_auth_i_rules[] = {
/* payload type min max encr suff */
+ {PLV2_FRAGMENT, 0, 1, TRUE, TRUE},
{PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
{PLV2_EAP, 0, 1, TRUE, TRUE},
{PLV2_AUTH, 0, 1, TRUE, TRUE},
@@ -227,6 +228,7 @@ static payload_order_t ike_auth_i_order[] = {
{PLV2_NOTIFY, NO_ADDITIONAL_ADDRESSES},
{PLV2_NOTIFY, 0},
{PLV2_VENDOR_ID, 0},
+ {PLV2_FRAGMENT, 0},
};
/**
@@ -234,6 +236,7 @@ static payload_order_t ike_auth_i_order[] = {
*/
static payload_rule_t ike_auth_r_rules[] = {
/* payload type min max encr suff */
+ {PLV2_FRAGMENT, 0, 1, TRUE, TRUE},
{PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
{PLV2_EAP, 0, 1, TRUE, TRUE},
{PLV2_AUTH, 0, 1, TRUE, TRUE},
@@ -270,6 +273,7 @@ static payload_order_t ike_auth_r_order[] = {
{PLV2_NOTIFY, NO_ADDITIONAL_ADDRESSES},
{PLV2_NOTIFY, 0},
{PLV2_VENDOR_ID, 0},
+ {PLV2_FRAGMENT, 0},
};
/**
@@ -277,6 +281,7 @@ static payload_order_t ike_auth_r_order[] = {
*/
static payload_rule_t informational_i_rules[] = {
/* payload type min max encr suff */
+ {PLV2_FRAGMENT, 0, 1, TRUE, TRUE},
{PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
{PLV2_CONFIGURATION, 0, 1, TRUE, FALSE},
{PLV2_DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
@@ -295,6 +300,7 @@ static payload_order_t informational_i_order[] = {
{PLV2_NOTIFY, 0},
{PLV2_DELETE, 0},
{PLV2_CONFIGURATION, 0},
+ {PLV2_FRAGMENT, 0},
};
/**
@@ -302,6 +308,7 @@ static payload_order_t informational_i_order[] = {
*/
static payload_rule_t informational_r_rules[] = {
/* payload type min max encr suff */
+ {PLV2_FRAGMENT, 0, 1, TRUE, TRUE},
{PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
{PLV2_CONFIGURATION, 0, 1, TRUE, FALSE},
{PLV2_DELETE, 0, MAX_DELETE_PAYLOADS, TRUE, FALSE},
@@ -320,6 +327,7 @@ static payload_order_t informational_r_order[] = {
{PLV2_NOTIFY, 0},
{PLV2_DELETE, 0},
{PLV2_CONFIGURATION, 0},
+ {PLV2_FRAGMENT, 0},
};
/**
@@ -327,6 +335,7 @@ static payload_order_t informational_r_order[] = {
*/
static payload_rule_t create_child_sa_i_rules[] = {
/* payload type min max encr suff */
+ {PLV2_FRAGMENT, 0, 1, TRUE, TRUE},
{PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
{PLV2_SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
{PLV2_NONCE, 1, 1, TRUE, FALSE},
@@ -353,6 +362,7 @@ static payload_order_t create_child_sa_i_order[] = {
{PLV2_TS_INITIATOR, 0},
{PLV2_TS_RESPONDER, 0},
{PLV2_NOTIFY, 0},
+ {PLV2_FRAGMENT, 0},
};
/**
@@ -360,6 +370,7 @@ static payload_order_t create_child_sa_i_order[] = {
*/
static payload_rule_t create_child_sa_r_rules[] = {
/* payload type min max encr suff */
+ {PLV2_FRAGMENT, 0, 1, TRUE, TRUE},
{PLV2_NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
{PLV2_SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
{PLV2_NONCE, 1, 1, TRUE, FALSE},
@@ -386,6 +397,7 @@ static payload_order_t create_child_sa_r_order[] = {
{PLV2_TS_RESPONDER, 0},
{PLV2_NOTIFY, ADDITIONAL_TS_POSSIBLE},
{PLV2_NOTIFY, 0},
+ {PLV2_FRAGMENT, 0},
};
#ifdef ME
@@ -2143,6 +2155,8 @@ METHOD(message_t, parse_header, status_t,
}
ike_header->destroy(ike_header);
+ this->parser->set_major_version(this->parser, this->major_version);
+
DBG2(DBG_ENC, "parsed a %N %s header", exchange_type_names,
this->exchange_type, this->major_version == IKEV1_MAJOR_VERSION ?
"message" : (this->is_request ? "request" : "response"));
@@ -2463,7 +2477,7 @@ static status_t decrypt_payloads(private_message_t *this, keymat_t *keymat)
was_encrypted = "encrypted fragment payload";
}
- if (payload_is_known(type) && !was_encrypted &&
+ if (payload_is_known(type, this->major_version) && !was_encrypted &&
!is_connectivity_check(this, payload) &&
this->exchange_type != AGGRESSIVE)
{
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c
index d6240fde2..f8340367e 100644
--- a/src/libcharon/encoding/parser.c
+++ b/src/libcharon/encoding/parser.c
@@ -59,6 +59,11 @@ struct private_parser_t {
parser_t public;
/**
+ * major IKE version
+ */
+ u_int8_t major_version;
+
+ /**
* Current bit for reading in input data.
*/
u_int8_t bit_pos;
@@ -369,7 +374,14 @@ METHOD(parser_t, parse_payload, status_t,
encoding_rule_t *rule;
/* create instance of the payload to parse */
- pld = payload_create(payload_type);
+ if (payload_is_known(payload_type, this->major_version))
+ {
+ pld = payload_create(payload_type);
+ }
+ else
+ {
+ pld = (payload_t*)unknown_payload_create(payload_type);
+ }
DBG2(DBG_ENC, "parsing %N payload, %d bytes left",
payload_type_names, payload_type, this->input_roof - this->byte_pos);
@@ -629,6 +641,12 @@ METHOD(parser_t, reset_context, void,
this->bit_pos = 0;
}
+METHOD(parser_t, set_major_version, void,
+ private_parser_t *this, u_int8_t major_version)
+{
+ this->major_version = major_version;
+}
+
METHOD(parser_t, destroy, void,
private_parser_t *this)
{
@@ -646,6 +664,7 @@ parser_t *parser_create(chunk_t data)
.public = {
.parse_payload = _parse_payload,
.reset_context = _reset_context,
+ .set_major_version = _set_major_version,
.get_remaining_byte_count = _get_remaining_byte_count,
.destroy = _destroy,
},
diff --git a/src/libcharon/encoding/parser.h b/src/libcharon/encoding/parser.h
index 27c5f03fe..5fd3e86ee 100644
--- a/src/libcharon/encoding/parser.h
+++ b/src/libcharon/encoding/parser.h
@@ -29,7 +29,7 @@ typedef struct parser_t parser_t;
#include <encoding/payloads/payload.h>
/**
- * A parser_t class to parse IKEv2 payloads.
+ * A parser_t class to parse IKE payloads.
*
* A parser is used for parsing one chunk of data. Multiple
* payloads can be parsed out of the chunk using parse_payload.
@@ -50,7 +50,8 @@ struct parser_t {
* - SUCCESSFUL if succeeded,
* - PARSE_ERROR if corrupted/invalid data found
*/
- status_t (*parse_payload) (parser_t *this, payload_type_t payload_type, payload_t **payload);
+ status_t (*parse_payload) (parser_t *this, payload_type_t payload_type,
+ payload_t **payload);
/**
* Gets the remaining byte count which is not currently parsed.
@@ -63,6 +64,13 @@ struct parser_t {
void (*reset_context) (parser_t *this);
/**
+ * Set the major IKE version.
+ *
+ * @param major_version the major IKE version
+ */
+ void (*set_major_version) (parser_t *this, u_int8_t major_version);
+
+ /**
* Destroys a parser_t object.
*/
void (*destroy) (parser_t *this);
diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c
index c2ab3b951..f11ea485c 100644
--- a/src/libcharon/encoding/payloads/delete_payload.c
+++ b/src/libcharon/encoding/payloads/delete_payload.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2005-2010 Martin Willi
* Copyright (C) 2010 revosec AG
* Copyright (C) 2005 Jan Hutter
@@ -281,6 +282,19 @@ METHOD(delete_payload_t, set_ike_spi, void,
this->payload_length = get_header_length(this) + this->spi_size;
}
+METHOD(delete_payload_t, get_ike_spi, bool,
+ private_delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r)
+{
+ if (this->protocol_id != PROTO_IKE ||
+ this->spis.len < 2 * sizeof(u_int64_t))
+ {
+ return FALSE;
+ }
+ memcpy(spi_i, this->spis.ptr, sizeof(u_int64_t));
+ memcpy(spi_r, this->spis.ptr + sizeof(u_int64_t), sizeof(u_int64_t));
+ return TRUE;
+}
+
/**
* SPI enumerator implementation
*/
@@ -352,6 +366,7 @@ delete_payload_t *delete_payload_create(payload_type_t type,
.get_protocol_id = _get_protocol_id,
.add_spi = _add_spi,
.set_ike_spi = _set_ike_spi,
+ .get_ike_spi = _get_ike_spi,
.create_spi_enumerator = _create_spi_enumerator,
.destroy = _destroy,
},
diff --git a/src/libcharon/encoding/payloads/delete_payload.h b/src/libcharon/encoding/payloads/delete_payload.h
index 46a89eab6..6728718cd 100644
--- a/src/libcharon/encoding/payloads/delete_payload.h
+++ b/src/libcharon/encoding/payloads/delete_payload.h
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -61,6 +62,15 @@ struct delete_payload_t {
void (*set_ike_spi)(delete_payload_t *this, u_int64_t spi_i, u_int64_t spi_r);
/**
+ * Get the IKE SPIs from an IKEv1 delete.
+ *
+ * @param spi_i initiator SPI
+ * @param spi_r responder SPI
+ * @return TRUE if SPIs extracted successfully
+ */
+ bool (*get_ike_spi)(delete_payload_t *this, u_int64_t *spi_i, u_int64_t *spi_r);
+
+ /**
* Get an enumerator over the SPIs in network order.
*
* @return enumerator over SPIs, u_int32_t
diff --git a/src/libcharon/encoding/payloads/encrypted_payload.c b/src/libcharon/encoding/payloads/encrypted_payload.c
index 5c574c34d..04372fdf0 100644
--- a/src/libcharon/encoding/payloads/encrypted_payload.c
+++ b/src/libcharon/encoding/payloads/encrypted_payload.c
@@ -561,6 +561,7 @@ static status_t parse(private_encrypted_payload_t *this, chunk_t plain)
payload_type_t type;
parser = parser_create(plain);
+ parser->set_major_version(parser, this->type == PLV1_ENCRYPTED ? 1 : 2);
type = this->next_payload;
while (type != PL_NONE)
{
diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c
index a002a8f21..bb8aab748 100644
--- a/src/libcharon/encoding/payloads/id_payload.c
+++ b/src/libcharon/encoding/payloads/id_payload.c
@@ -258,17 +258,20 @@ static traffic_selector_t *get_ts_from_range(private_id_payload_t *this,
static traffic_selector_t *get_ts_from_subnet(private_id_payload_t *this,
ts_type_t type)
{
+ traffic_selector_t *ts;
chunk_t net, netmask;
int i;
net = chunk_create(this->id_data.ptr, this->id_data.len / 2);
- netmask = chunk_skip(this->id_data, this->id_data.len / 2);
+ netmask = chunk_clone(chunk_skip(this->id_data, this->id_data.len / 2));
for (i = 0; i < net.len; i++)
{
netmask.ptr[i] = (netmask.ptr[i] ^ 0xFF) | net.ptr[i];
}
- return traffic_selector_create_from_bytes(this->protocol_id, type,
+ ts = traffic_selector_create_from_bytes(this->protocol_id, type,
net, this->port, netmask, this->port ?: 65535);
+ chunk_free(&netmask);
+ return ts;
}
/**
diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c
index 4f552d6ac..50fd73f90 100644
--- a/src/libcharon/encoding/payloads/ke_payload.c
+++ b/src/libcharon/encoding/payloads/ke_payload.c
@@ -247,9 +247,15 @@ ke_payload_t *ke_payload_create(payload_type_t type)
ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type,
diffie_hellman_t *dh)
{
- private_ke_payload_t *this = (private_ke_payload_t*)ke_payload_create(type);
+ private_ke_payload_t *this;
+ chunk_t value;
- dh->get_my_public_value(dh, &this->key_exchange_data);
+ if (!dh->get_my_public_value(dh, &value))
+ {
+ return NULL;
+ }
+ this = (private_ke_payload_t*)ke_payload_create(type);
+ this->key_exchange_data = value;
this->dh_group_number = dh->get_dh_group(dh);
this->payload_length += this->key_exchange_data.len;
diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h
index dfc6308b4..96c5096a5 100644
--- a/src/libcharon/encoding/payloads/ke_payload.h
+++ b/src/libcharon/encoding/payloads/ke_payload.h
@@ -73,7 +73,7 @@ ke_payload_t *ke_payload_create(payload_type_t type);
*
* @param type PLV2_KEY_EXCHANGE or PLV1_KEY_EXCHANGE
* @param dh diffie hellman object containing group and key
- * @return ke_payload_t object
+ * @return ke_payload_t object, NULL on error
*/
ke_payload_t *ke_payload_create_from_diffie_hellman(payload_type_t type,
diffie_hellman_t *dh);
diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c
index 94723ddd7..f32a1273f 100644
--- a/src/libcharon/encoding/payloads/notify_payload.c
+++ b/src/libcharon/encoding/payloads/notify_payload.c
@@ -65,7 +65,7 @@ ENUM_NEXT(notify_type_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_SA_NOT_
"ME_CONNECT_FAILED");
ENUM_NEXT(notify_type_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
"MS_NOTIFY_STATUS");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, MS_NOTIFY_STATUS,
"INITIAL_CONTACT",
"SET_WINDOW_SIZE",
"ADDITIONAL_TS_POSSIBLE",
@@ -112,8 +112,9 @@ ENUM_NEXT(notify_type_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY
"ERX_SUPPORTED",
"IFOM_CAPABILITY",
"SENDER_REQUEST_ID",
- "FRAGMENTATION_SUPPORTED");
-ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED,
+ "FRAGMENTATION_SUPPORTED",
+ "SIGNATURE_HASH_ALGORITHMS");
+ENUM_NEXT(notify_type_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS,
"INITIAL_CONTACT");
ENUM_NEXT(notify_type_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
"DPD_R_U_THERE",
@@ -174,7 +175,7 @@ ENUM_NEXT(notify_type_short_names, ME_CONNECT_FAILED, ME_CONNECT_FAILED, CHILD_S
"ME_CONN_FAIL");
ENUM_NEXT(notify_type_short_names, MS_NOTIFY_STATUS, MS_NOTIFY_STATUS, ME_CONNECT_FAILED,
"MS_STATUS");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_NOTIFY_STATUS,
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, SIGNATURE_HASH_ALGORITHMS, MS_NOTIFY_STATUS,
"INIT_CONTACT",
"SET_WINSIZE",
"ADD_TS_POSS",
@@ -221,8 +222,9 @@ ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT, FRAGMENTATION_SUPPORTED, MS_
"ERX_SUP",
"IFOM_CAP",
"SENDER_REQ_ID",
- "FRAG_SUP");
-ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, FRAGMENTATION_SUPPORTED,
+ "FRAG_SUP",
+ "HASH_ALG");
+ENUM_NEXT(notify_type_short_names, INITIAL_CONTACT_IKEV1, INITIAL_CONTACT_IKEV1, SIGNATURE_HASH_ALGORITHMS,
"INITIAL_CONTACT");
ENUM_NEXT(notify_type_short_names, DPD_R_U_THERE, DPD_R_U_THERE_ACK, INITIAL_CONTACT_IKEV1,
"DPD",
@@ -473,6 +475,14 @@ METHOD(payload_t, verify, status_t,
}
break;
}
+ case SIGNATURE_HASH_ALGORITHMS:
+ {
+ if (this->notify_data.len % 2)
+ {
+ bad_length = TRUE;
+ }
+ break;
+ }
case AUTH_LIFETIME:
{
if (this->notify_data.len != 4)
diff --git a/src/libcharon/encoding/payloads/notify_payload.h b/src/libcharon/encoding/payloads/notify_payload.h
index 25521c2bb..690757383 100644
--- a/src/libcharon/encoding/payloads/notify_payload.h
+++ b/src/libcharon/encoding/payloads/notify_payload.h
@@ -151,6 +151,8 @@ enum notify_type_t {
SENDER_REQUEST_ID = 16429,
/* IKEv2 fragmentation supported, RFC 7383 */
FRAGMENTATION_SUPPORTED = 16430,
+ /* Signature Hash Algorithms, RFC 7427 */
+ SIGNATURE_HASH_ALGORITHMS = 16431,
/* IKEv1 initial contact */
INITIAL_CONTACT_IKEV1 = 24578,
/* IKEv1 DPD */
diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c
index 600b6dd68..a1cd2f945 100644
--- a/src/libcharon/encoding/payloads/payload.c
+++ b/src/libcharon/encoding/payloads/payload.c
@@ -266,37 +266,51 @@ payload_t *payload_create(payload_type_t type)
/**
* See header.
*/
-bool payload_is_known(payload_type_t type)
+bool payload_is_known(payload_type_t type, u_int8_t maj_ver)
{
- if (type == PL_HEADER)
+ if (type >= PL_HEADER)
{
return TRUE;
}
- if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION)
+ switch (maj_ver)
{
- return TRUE;
- }
- if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA)
- {
- return TRUE;
- }
- if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP)
- {
- return TRUE;
- }
- if (type == PLV2_FRAGMENT)
- {
- return TRUE;
- }
+ case 0:
+ case IKEV1_MAJOR_VERSION:
+ if (type >= PLV1_SECURITY_ASSOCIATION && type <= PLV1_CONFIGURATION)
+ {
+ return TRUE;
+ }
+ if (type >= PLV1_NAT_D && type <= PLV1_NAT_OA)
+ {
+ return TRUE;
+ }
+ if (type >= PLV1_NAT_D_DRAFT_00_03 && type <= PLV1_FRAGMENT)
+ {
+ return TRUE;
+ }
+ if (maj_ver)
+ {
+ break;
+ }
+ /* fall-through */
+ case IKEV2_MAJOR_VERSION:
+ if (type >= PLV2_SECURITY_ASSOCIATION && type <= PLV2_EAP)
+ {
+ return TRUE;
+ }
+ if (type == PLV2_FRAGMENT)
+ {
+ return TRUE;
+ }
#ifdef ME
- if (type == PLV2_ID_PEER)
- {
- return TRUE;
- }
+ if (type == PLV2_ID_PEER)
+ {
+ return TRUE;
+ }
#endif
- if (type >= PLV1_NAT_D_DRAFT_00_03 && type <= PLV1_FRAGMENT)
- {
- return TRUE;
+ break;
+ default:
+ break;
}
return FALSE;
}
diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h
index 036cd422d..920779bd1 100644
--- a/src/libcharon/encoding/payloads/payload.h
+++ b/src/libcharon/encoding/payloads/payload.h
@@ -405,9 +405,10 @@ payload_t *payload_create(payload_type_t type);
* Check if a specific payload is implemented, or handled as unknown payload.
*
* @param type type of the payload to check
+ * @param maj_ver major IKE version (use 0 to skip version check)
* @return FALSE if payload type handled as unknown payload
*/
-bool payload_is_known(payload_type_t type);
+bool payload_is_known(payload_type_t type, u_int8_t maj_ver);
/**
* Get the value field in a payload using encoding rules.
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 53e8cf3ad..48dcfeb24 100644
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
* Copyright (C) 2005-2010 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -224,26 +224,7 @@ typedef enum {
/* FreeS/WAN proprietary */
IKEV1_ESP_ENCR_SERPENT = 252,
IKEV1_ESP_ENCR_TWOFISH = 253,
-} ikev1_esp_encr_transid_t;
-
-/**
- * IKEv1 Transform ID ESP authentication algorithm.
- */
-typedef enum {
- IKEV1_ESP_AUTH_HMAC_MD5 = 1,
- IKEV1_ESP_AUTH_HMAC_SHA = 2,
- IKEV1_ESP_AUTH_DES_MAC = 3,
- IKEV1_ESP_AUTH_KPDK = 4,
- IKEV1_ESP_AUTH_HMAC_SHA2_256 = 5,
- IKEV1_ESP_AUTH_HMAC_SHA2_384 = 6,
- IKEV1_ESP_AUTH_HMAC_SHA2_512 = 7,
- IKEV1_ESP_AUTH_HMAC_RIPEMD = 8,
- IKEV1_ESP_AUTH_AES_XCBC_MAC = 9,
- IKEV1_ESP_AUTH_SIG_RSA = 10,
- IKEV1_ESP_AUTH_AES_128_GMAC = 11,
- IKEV1_ESP_AUTH_AES_192_GMAC = 12,
- IKEV1_ESP_AUTH_AES_256_GMAC = 13,
-} ikev1_esp_auth_transid_it;
+} ikev1_esp_transid_t;
/**
* IKEv1 Transform ID AH authentication algorithm.
@@ -264,6 +245,25 @@ typedef enum {
} ikev1_ah_transid_t;
/**
+ * IKEv1 authentication algorithm.
+ */
+typedef enum {
+ IKEV1_AUTH_HMAC_MD5 = 1,
+ IKEV1_AUTH_HMAC_SHA = 2,
+ IKEV1_AUTH_DES_MAC = 3,
+ IKEV1_AUTH_KPDK = 4,
+ IKEV1_AUTH_HMAC_SHA2_256 = 5,
+ IKEV1_AUTH_HMAC_SHA2_384 = 6,
+ IKEV1_AUTH_HMAC_SHA2_512 = 7,
+ IKEV1_AUTH_HMAC_RIPEMD = 8,
+ IKEV1_AUTH_AES_XCBC_MAC = 9,
+ IKEV1_AUTH_SIG_RSA = 10,
+ IKEV1_AUTH_AES_128_GMAC = 11,
+ IKEV1_AUTH_AES_192_GMAC = 12,
+ IKEV1_AUTH_AES_256_GMAC = 13,
+} ikev1_auth_algo_t;
+
+/**
* IKEv1 ESP Encapsulation mode.
*/
typedef enum {
@@ -345,7 +345,7 @@ METHOD(payload_t, verify, status_t,
switch (this->protocol_id)
{
case PROTO_IPCOMP:
- if (this->spi.len != 2)
+ if (this->spi.len != 2 && this->spi.len != 4)
{
DBG1(DBG_ENC, "invalid CPI length in IPCOMP proposal");
return FAILED;
@@ -536,7 +536,7 @@ METHOD(proposal_substructure_t, get_cpi, bool,
{
if (cpi)
{
- *cpi = *((u_int16_t*)this->spi.ptr);
+ *cpi = htons(untoh16(this->spi.ptr + this->spi.len - 2));
}
enumerator->destroy(enumerator);
return TRUE;
@@ -620,7 +620,7 @@ static algo_map_t map_prf[] = {
/**
* ESP encryption algorithm mapping
*/
-static algo_map_t map_esp_encr[] = {
+static algo_map_t map_esp[] = {
{ IKEV1_ESP_ENCR_DES_IV64, ENCR_DES_IV64 },
{ IKEV1_ESP_ENCR_DES, ENCR_DES },
{ IKEV1_ESP_ENCR_3DES, ENCR_3DES },
@@ -646,23 +646,6 @@ static algo_map_t map_esp_encr[] = {
};
/**
- * ESP authentication algorithm mapping
- */
-static algo_map_t map_esp_auth[] = {
- { IKEV1_ESP_AUTH_HMAC_MD5, AUTH_HMAC_MD5_96 },
- { IKEV1_ESP_AUTH_HMAC_SHA, AUTH_HMAC_SHA1_96 },
- { IKEV1_ESP_AUTH_DES_MAC, AUTH_DES_MAC },
- { IKEV1_ESP_AUTH_KPDK, AUTH_KPDK_MD5 },
- { IKEV1_ESP_AUTH_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 },
- { IKEV1_ESP_AUTH_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_192 },
- { IKEV1_ESP_AUTH_HMAC_SHA2_512, AUTH_HMAC_SHA2_512_256 },
- { IKEV1_ESP_AUTH_AES_XCBC_MAC, AUTH_AES_XCBC_96 },
- { IKEV1_ESP_AUTH_AES_128_GMAC, AUTH_AES_128_GMAC },
- { IKEV1_ESP_AUTH_AES_192_GMAC, AUTH_AES_192_GMAC },
- { IKEV1_ESP_AUTH_AES_256_GMAC, AUTH_AES_256_GMAC },
-};
-
-/**
* AH authentication algorithm mapping
*/
static algo_map_t map_ah[] = {
@@ -679,34 +662,30 @@ static algo_map_t map_ah[] = {
};
/**
- * Get IKEv2 algorithm from IKEv1 identifier
+ * ESP/AH authentication algorithm mapping
*/
-static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
+static algo_map_t map_auth[] = {
+ { IKEV1_AUTH_HMAC_MD5, AUTH_HMAC_MD5_96 },
+ { IKEV1_AUTH_HMAC_SHA, AUTH_HMAC_SHA1_96 },
+ { IKEV1_AUTH_DES_MAC, AUTH_DES_MAC },
+ { IKEV1_AUTH_KPDK, AUTH_KPDK_MD5 },
+ { IKEV1_AUTH_HMAC_SHA2_256, AUTH_HMAC_SHA2_256_128 },
+ { IKEV1_AUTH_HMAC_SHA2_384, AUTH_HMAC_SHA2_384_192 },
+ { IKEV1_AUTH_HMAC_SHA2_512, AUTH_HMAC_SHA2_512_256 },
+ { IKEV1_AUTH_AES_XCBC_MAC, AUTH_AES_XCBC_96 },
+ { IKEV1_AUTH_AES_128_GMAC, AUTH_AES_128_GMAC },
+ { IKEV1_AUTH_AES_192_GMAC, AUTH_AES_192_GMAC },
+ { IKEV1_AUTH_AES_256_GMAC, AUTH_AES_256_GMAC },
+};
+
+/**
+ * Map an IKEv1 to an IKEv2 identifier
+ */
+static u_int16_t ikev2_from_ikev1(algo_map_t *map, int count, u_int16_t def,
+ u_int16_t value)
{
- algo_map_t *map;
- u_int16_t def;
- int i, count;
+ int i;
- switch (type)
- {
- case ENCRYPTION_ALGORITHM:
- map = map_encr;
- count = countof(map_encr);
- def = ENCR_UNDEFINED;
- break;
- case INTEGRITY_ALGORITHM:
- map = map_integ;
- count = countof(map_integ);
- def = AUTH_UNDEFINED;
- break;
- case PSEUDO_RANDOM_FUNCTION:
- map = map_prf;
- count = countof(map_prf);
- def = PRF_UNDEFINED;
- break;
- default:
- return 0;
- }
for (i = 0; i < count; i++)
{
if (map[i].ikev1 == value)
@@ -718,30 +697,12 @@ static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
}
/**
- * Get IKEv1 algorithm from IKEv2 identifier
+ * Map an IKEv2 to an IKEv1 identifier
*/
-static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
+static u_int16_t ikev1_from_ikev2(algo_map_t *map, int count, u_int16_t value)
{
- algo_map_t *map;
- int i, count;
+ int i;
- switch (type)
- {
- case ENCRYPTION_ALGORITHM:
- map = map_encr;
- count = countof(map_encr);
- break;
- case INTEGRITY_ALGORITHM:
- map = map_integ;
- count = countof(map_integ);
- break;
- case PSEUDO_RANDOM_FUNCTION:
- map = map_prf;
- count = countof(map_prf);
- break;
- default:
- return 0;
- }
for (i = 0; i < count; i++)
{
if (map[i].ikev2 == value)
@@ -753,87 +714,96 @@ static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
}
/**
- * Get IKEv2 algorithm from IKEv1 ESP transaction ID
+ * Get IKEv2 algorithm from IKEv1 identifier
*/
-static u_int16_t get_alg_from_ikev1_transid(protocol_id_t proto,
- transform_type_t type, u_int16_t value)
+static u_int16_t get_alg_from_ikev1(transform_type_t type, u_int16_t value)
{
- algo_map_t *map;
- u_int16_t def;
- int i, count;
-
switch (type)
{
case ENCRYPTION_ALGORITHM:
- map = map_esp_encr;
- count = countof(map_esp_encr);
- def = ENCR_UNDEFINED;
- break;
+ return ikev2_from_ikev1(map_encr, countof(map_encr),
+ ENCR_UNDEFINED, value);
case INTEGRITY_ALGORITHM:
- if (proto == PROTO_ESP)
- {
- map = map_esp_auth;
- count = countof(map_esp_auth);
- }
- else
- {
- map = map_ah;
- count = countof(map_ah);
- }
- def = AUTH_UNDEFINED;
- break;
+ return ikev2_from_ikev1(map_integ, countof(map_integ),
+ AUTH_UNDEFINED, value);
+ case PSEUDO_RANDOM_FUNCTION:
+ return ikev2_from_ikev1(map_prf, countof(map_prf),
+ PRF_UNDEFINED, value);
default:
return 0;
}
- for (i = 0; i < count; i++)
+}
+
+/**
+ * Get IKEv1 algorithm from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_from_alg(transform_type_t type, u_int16_t value)
+{
+ switch (type)
{
- if (map[i].ikev1 == value)
- {
- return map[i].ikev2;
- }
+ case ENCRYPTION_ALGORITHM:
+ return ikev1_from_ikev2(map_encr, countof(map_encr), value);
+ case INTEGRITY_ALGORITHM:
+ return ikev1_from_ikev2(map_integ, countof(map_integ), value);
+ case PSEUDO_RANDOM_FUNCTION:
+ return ikev1_from_ikev2(map_prf, countof(map_prf), value);
+ default:
+ return 0;
}
- return def;
}
/**
- * Get IKEv1 ESP/AH transaction ID from IKEv2 identifier
+ * Get IKEv2 algorithm from IKEv1 ESP/AH transform ID
*/
-static u_int16_t get_ikev1_transid_from_alg(protocol_id_t proto,
- transform_type_t type, u_int16_t value)
+static u_int16_t get_alg_from_ikev1_transid(transform_type_t type,
+ u_int16_t value)
{
- algo_map_t *map;
- int i, count;
-
switch (type)
{
case ENCRYPTION_ALGORITHM:
- map = map_esp_encr;
- count = countof(map_esp_encr);
- break;
+ return ikev2_from_ikev1(map_esp, countof(map_esp),
+ ENCR_UNDEFINED, value);
case INTEGRITY_ALGORITHM:
- if (proto == PROTO_ESP)
- {
- map = map_esp_auth;
- count = countof(map_esp_auth);
- }
- else
- {
- map = map_ah;
- count = countof(map_ah);
- }
- break;
+ return ikev2_from_ikev1(map_ah, countof(map_ah),
+ AUTH_UNDEFINED, value);
default:
return 0;
}
- for (i = 0; i < count; i++)
+}
+
+/**
+ * Get IKEv1 ESP/AH transform ID from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_transid_from_alg(transform_type_t type,
+ u_int16_t value)
+{
+ switch (type)
{
- if (map[i].ikev2 == value)
- {
- return map[i].ikev1;
- }
+ case ENCRYPTION_ALGORITHM:
+ return ikev1_from_ikev2(map_esp, countof(map_esp), value);
+ case INTEGRITY_ALGORITHM:
+ return ikev1_from_ikev2(map_ah, countof(map_ah), value);
+ default:
+ return 0;
}
- return 0;
}
+
+/**
+ * Get IKEv1 authentication algorithm from IKEv2 identifier
+ */
+static u_int16_t get_alg_from_ikev1_auth(u_int16_t value)
+{
+ return ikev2_from_ikev1(map_auth, countof(map_auth), AUTH_UNDEFINED, value);
+}
+
+/**
+ * Get IKEv1 authentication algorithm from IKEv2 identifier
+ */
+static u_int16_t get_ikev1_auth_from_alg(u_int16_t value)
+{
+ return ikev1_from_ikev2(map_auth, countof(map_auth), value);
+}
+
/**
* Get IKEv1 authentication attribute from auth_method_t
*/
@@ -971,8 +941,7 @@ static void add_to_proposal_v1(proposal_t *proposal,
break;
case TATTR_PH2_AUTH_ALGORITHM:
proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM,
- get_alg_from_ikev1_transid(proto, INTEGRITY_ALGORITHM,
- value), 0);
+ get_alg_from_ikev1_auth(value), 0);
break;
case TATTR_PH2_GROUP:
proposal->add_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
@@ -989,7 +958,7 @@ static void add_to_proposal_v1(proposal_t *proposal,
NO_EXT_SEQ_NUMBERS, 0);
if (proto == PROTO_ESP)
{
- encr = get_alg_from_ikev1_transid(proto, ENCRYPTION_ALGORITHM,
+ encr = get_alg_from_ikev1_transid(ENCRYPTION_ALGORITHM,
transform->get_transform_id(transform));
if (encr)
{
@@ -1354,19 +1323,17 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
ipsec_mode_t mode, encap_t udp, int number)
{
transform_substructure_t *transform = NULL;
- u_int16_t alg, key_size;
+ u_int16_t alg, transid, key_size;
enumerator_t *enumerator;
- protocol_id_t proto;
- proto = proposal->get_protocol(proposal);
enumerator = proposal->create_enumerator(proposal, ENCRYPTION_ALGORITHM);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
- alg = get_ikev1_transid_from_alg(proto, ENCRYPTION_ALGORITHM, alg);
- if (alg)
+ transid = get_ikev1_transid_from_alg(ENCRYPTION_ALGORITHM, alg);
+ if (transid)
{
transform = transform_substructure_create_type(
- PLV1_TRANSFORM_SUBSTRUCTURE, number, alg);
+ PLV1_TRANSFORM_SUBSTRUCTURE, number, transid);
if (key_size)
{
transform->add_transform_attribute(transform,
@@ -1380,13 +1347,14 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
if (enumerator->enumerate(enumerator, &alg, &key_size))
{
- alg = get_ikev1_transid_from_alg(proto, INTEGRITY_ALGORITHM, alg);
- if (alg)
+ transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
+ alg = get_ikev1_auth_from_alg(alg);
+ if (transid && alg)
{
if (!transform)
{
transform = transform_substructure_create_type(
- PLV1_TRANSFORM_SUBSTRUCTURE, number, alg);
+ PLV1_TRANSFORM_SUBSTRUCTURE, number, transid);
}
transform->add_transform_attribute(transform,
transform_attribute_create_value(PLV1_TRANSFORM_ATTRIBUTE,
diff --git a/src/libcharon/kernel/kernel_handler.c b/src/libcharon/kernel/kernel_handler.c
index 059124e35..9c0e2602b 100644
--- a/src/libcharon/kernel/kernel_handler.c
+++ b/src/libcharon/kernel/kernel_handler.c
@@ -72,36 +72,39 @@ METHOD(kernel_listener_t, acquire, bool,
}
METHOD(kernel_listener_t, expire, bool,
- private_kernel_handler_t *this, u_int32_t reqid, u_int8_t protocol,
- u_int32_t spi, bool hard)
+ private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard)
{
protocol_id_t proto = proto_ip2ike(protocol);
- DBG1(DBG_KNL, "creating %s job for %N CHILD_SA with SPI %.8x and reqid {%u}",
- hard ? "delete" : "rekey", protocol_id_names, proto, ntohl(spi), reqid);
+ DBG1(DBG_KNL, "creating %s job for CHILD_SA %N/0x%08x/%H",
+ hard ? "delete" : "rekey", protocol_id_names, proto, ntohl(spi), dst);
if (hard)
{
lib->processor->queue_job(lib->processor,
- (job_t*)delete_child_sa_job_create(reqid, proto, spi, hard));
+ (job_t*)delete_child_sa_job_create(proto, spi, dst, hard));
}
else
{
lib->processor->queue_job(lib->processor,
- (job_t*)rekey_child_sa_job_create(reqid, proto, spi));
+ (job_t*)rekey_child_sa_job_create(proto, spi, dst));
}
return TRUE;
}
METHOD(kernel_listener_t, mapping, bool,
- private_kernel_handler_t *this, u_int32_t reqid, u_int32_t spi,
- host_t *remote)
+ private_kernel_handler_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, host_t *remote)
{
- DBG1(DBG_KNL, "NAT mappings of ESP CHILD_SA with SPI %.8x and reqid {%u} "
- "changed, queuing update job", ntohl(spi), reqid);
+ protocol_id_t proto = proto_ip2ike(protocol);
+
+ DBG1(DBG_KNL, "NAT mappings of CHILD_SA %N/0x%08x/%H changed to %#H, "
+ "queuing update job", protocol_id_names, proto, ntohl(spi), dst,
+ remote);
lib->processor->queue_job(lib->processor,
- (job_t*)update_sa_job_create(reqid, remote));
+ (job_t*)update_sa_job_create(proto, spi, dst, remote));
return TRUE;
}
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index c3b014c3c..0554465b9 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 50594a452..58cf97b6e 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/android_dns/android_dns_handler.c b/src/libcharon/plugins/android_dns/android_dns_handler.c
index 526810355..160a145d3 100644
--- a/src/libcharon/plugins/android_dns/android_dns_handler.c
+++ b/src/libcharon/plugins/android_dns/android_dns_handler.c
@@ -128,7 +128,7 @@ static bool set_dns_server(private_android_dns_handler_t *this, int index,
}
METHOD(attribute_handler_t, handle, bool,
- private_android_dns_handler_t *this, identification_t *id,
+ private_android_dns_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
switch (type)
@@ -158,7 +158,7 @@ METHOD(attribute_handler_t, handle, bool,
}
METHOD(attribute_handler_t, release, void,
- private_android_dns_handler_t *this, identification_t *server,
+ private_android_dns_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
if (type == INTERNAL_IP4_DNS)
@@ -192,7 +192,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
}
METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
- private_android_dns_handler_t *this, identification_t *id,
+ private_android_dns_handler_t *this, ike_sa_t *ike_sa,
linked_list_t *vips)
{
enumerator_t *enumerator;
@@ -232,4 +232,3 @@ android_dns_handler_t *android_dns_handler_create()
return &this->public;
}
-
diff --git a/src/libcharon/plugins/android_dns/android_dns_plugin.c b/src/libcharon/plugins/android_dns/android_dns_plugin.c
index b8eb11b57..9b6ec0dba 100644
--- a/src/libcharon/plugins/android_dns/android_dns_plugin.c
+++ b/src/libcharon/plugins/android_dns/android_dns_plugin.c
@@ -16,7 +16,6 @@
#include "android_dns_plugin.h"
#include "android_dns_handler.h"
-#include <hydra.h>
#include <daemon.h>
typedef struct private_android_dns_plugin_t private_android_dns_plugin_t;
@@ -51,13 +50,13 @@ static bool plugin_cb(private_android_dns_plugin_t *this,
{
if (reg)
{
- hydra->attributes->add_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->add_handler(charon->attributes,
+ &this->handler->handler);
}
else
{
- hydra->attributes->remove_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
}
return TRUE;
}
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 700a4219c..8ce92e577 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/attr/Makefile.am b/src/libcharon/plugins/attr/Makefile.am
index 5b899b80c..6bc7e77d8 100644
--- a/src/libhydra/plugins/attr/Makefile.am
+++ b/src/libcharon/plugins/attr/Makefile.am
@@ -1,6 +1,7 @@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
AM_CFLAGS = \
$(PLUGIN_CFLAGS)
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in
index 50ea066c5..486b3c0b0 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libcharon/plugins/attr/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-subdir = src/libhydra/plugins/attr
+subdir = src/libcharon/plugins/attr
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -423,7 +428,8 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
AM_CFLAGS = \
$(PLUGIN_CFLAGS)
@@ -448,9 +454,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile'; \
$(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/libhydra/plugins/attr/Makefile
+ $(AUTOMAKE) --gnu src/libcharon/plugins/attr/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libcharon/plugins/attr/attr_plugin.c
index 72fcd6dff..9b15c3cc9 100644
--- a/src/libhydra/plugins/attr/attr_plugin.c
+++ b/src/libcharon/plugins/attr/attr_plugin.c
@@ -16,7 +16,7 @@
#include "attr_plugin.h"
#include "attr_provider.h"
-#include <hydra.h>
+#include <daemon.h>
typedef struct private_attr_plugin_t private_attr_plugin_t;
@@ -50,13 +50,13 @@ static bool plugin_cb(private_attr_plugin_t *this,
{
if (reg)
{
- hydra->attributes->add_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->add_provider(charon->attributes,
+ &this->provider->provider);
}
else
{
- hydra->attributes->remove_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->provider->provider);
}
return TRUE;
}
diff --git a/src/libhydra/plugins/attr/attr_plugin.h b/src/libcharon/plugins/attr/attr_plugin.h
index 29fb33839..0c6eebfa7 100644
--- a/src/libhydra/plugins/attr/attr_plugin.h
+++ b/src/libcharon/plugins/attr/attr_plugin.h
@@ -15,7 +15,7 @@
/**
* @defgroup attr attr
- * @ingroup hplugins
+ * @ingroup cplugins
*
* @defgroup attr_plugin attr_plugin
* @{ @ingroup attr
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libcharon/plugins/attr/attr_provider.c
index c1788df94..cac0ae4bf 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libcharon/plugins/attr/attr_provider.c
@@ -18,7 +18,7 @@
#include <time.h>
-#include <hydra.h>
+#include <daemon.h>
#include <utils/debug.h>
#include <collections/linked_list.h>
#include <threading/rwlock.h>
@@ -78,7 +78,7 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in,
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
private_attr_provider_t *this, linked_list_t *pools,
- identification_t *id, linked_list_t *vips)
+ ike_sa_t *ike_sa, linked_list_t *vips)
{
if (vips->get_count(vips))
{
diff --git a/src/libhydra/plugins/attr/attr_provider.h b/src/libcharon/plugins/attr/attr_provider.h
index 17db30408..17db30408 100644
--- a/src/libhydra/plugins/attr/attr_provider.h
+++ b/src/libcharon/plugins/attr/attr_provider.h
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libcharon/plugins/attr_sql/Makefile.am
index 6e7eae5eb..366c902f7 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libcharon/plugins/attr_sql/Makefile.am
@@ -1,6 +1,7 @@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
AM_CFLAGS = \
$(PLUGIN_CFLAGS)
@@ -13,6 +14,6 @@ endif
libstrongswan_attr_sql_la_SOURCES = \
attr_sql_plugin.h attr_sql_plugin.c \
- sql_attribute.h sql_attribute.c
+ attr_sql_provider.h attr_sql_provider.c
libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in
index 076e1f8f2..8f1b3c0ff 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libcharon/plugins/attr_sql/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-subdir = src/libhydra/plugins/attr_sql
+subdir = src/libcharon/plugins/attr_sql
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -129,7 +129,7 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_attr_sql_la_LIBADD =
am_libstrongswan_attr_sql_la_OBJECTS = attr_sql_plugin.lo \
- sql_attribute.lo
+ attr_sql_provider.lo
libstrongswan_attr_sql_la_OBJECTS = \
$(am_libstrongswan_attr_sql_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -426,7 +431,8 @@ xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
AM_CFLAGS = \
$(PLUGIN_CFLAGS)
@@ -435,7 +441,7 @@ AM_CFLAGS = \
@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-attr-sql.la
libstrongswan_attr_sql_la_SOURCES = \
attr_sql_plugin.h attr_sql_plugin.c \
- sql_attribute.h sql_attribute.c
+ attr_sql_provider.h attr_sql_provider.c
libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
all: all-am
@@ -451,9 +457,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile'; \
$(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/libhydra/plugins/attr_sql/Makefile
+ $(AUTOMAKE) --gnu src/libcharon/plugins/attr_sql/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -529,7 +535,7 @@ distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_provider.Plo@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c
index dde90051a..908877514 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c
+++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.c
@@ -14,12 +14,12 @@
* for more details.
*/
-#include <hydra.h>
+#include <daemon.h>
#include <utils/debug.h>
#include <plugins/plugin_feature.h>
#include "attr_sql_plugin.h"
-#include "sql_attribute.h"
+#include "attr_sql_provider.h"
typedef struct private_attr_sql_plugin_t private_attr_sql_plugin_t;
@@ -41,7 +41,7 @@ struct private_attr_sql_plugin_t {
/**
* configuration attributes
*/
- sql_attribute_t *attribute;
+ attr_sql_provider_t *attribute;
};
METHOD(plugin_t, get_name, char*,
@@ -74,14 +74,14 @@ static bool open_database(private_attr_sql_plugin_t *this,
DBG1(DBG_CFG, "attr-sql plugin failed to connect to database");
return FALSE;
}
- this->attribute = sql_attribute_create(this->db);
- hydra->attributes->add_provider(hydra->attributes,
- &this->attribute->provider);
+ this->attribute = attr_sql_provider_create(this->db);
+ charon->attributes->add_provider(charon->attributes,
+ &this->attribute->provider);
}
else
{
- hydra->attributes->remove_provider(hydra->attributes,
- &this->attribute->provider);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->attribute->provider);
this->attribute->destroy(this->attribute);
this->db->destroy(this->db);
}
diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.h b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h
index ba85a6b28..b6b04ccc0 100644
--- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.h
+++ b/src/libcharon/plugins/attr_sql/attr_sql_plugin.h
@@ -15,9 +15,9 @@
/**
* @defgroup attr_sql attr_sql
- * @ingroup hplugins
+ * @ingroup cplugins
*
- * @defgroup sql_plugin sql_plugin
+ * @defgroup attr_sql_plugin attr_sql_plugin
* @{ @ingroup attr_sql
*/
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libcharon/plugins/attr_sql/attr_sql_provider.c
index d527c3fba..c2410705d 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libcharon/plugins/attr_sql/attr_sql_provider.c
@@ -18,19 +18,19 @@
#include <utils/debug.h>
#include <library.h>
-#include "sql_attribute.h"
+#include "attr_sql_provider.h"
-typedef struct private_sql_attribute_t private_sql_attribute_t;
+typedef struct private_attr_sql_provider_t private_attr_sql_provider_t;
/**
- * private data of sql_attribute
+ * private data of attr_sql_provider
*/
-struct private_sql_attribute_t {
+struct private_attr_sql_provider_t {
/**
* public functions
*/
- sql_attribute_t public;
+ attr_sql_provider_t public;
/**
* database connection
@@ -46,11 +46,14 @@ struct private_sql_attribute_t {
/**
* lookup/insert an identity
*/
-static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
+static u_int get_identity(private_attr_sql_provider_t *this, ike_sa_t *ike_sa)
{
+ identification_t *id;
enumerator_t *e;
u_int row;
+ id = ike_sa->get_other_eap_id(ike_sa);
+
this->db->transaction(this->db, TRUE);
/* look for peer identity in the identities table */
e = this->db->query(this->db,
@@ -79,7 +82,7 @@ static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
/**
* Lookup an attribute pool by name
*/
-static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
+static u_int get_attr_pool(private_attr_sql_provider_t *this, char *name)
{
enumerator_t *e;
u_int row = 0;
@@ -99,7 +102,7 @@ static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
/**
* Lookup pool by name and address family
*/
-static u_int get_pool(private_sql_attribute_t *this, char *name, int family,
+static u_int get_pool(private_attr_sql_provider_t *this, char *name, int family,
u_int *timeout)
{
enumerator_t *e;
@@ -125,7 +128,7 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, int family,
/**
* Look up an existing lease
*/
-static host_t* check_lease(private_sql_attribute_t *this, char *name,
+static host_t* check_lease(private_attr_sql_provider_t *this, char *name,
u_int pool, u_int identity)
{
while (TRUE)
@@ -171,7 +174,7 @@ static host_t* check_lease(private_sql_attribute_t *this, char *name,
* address as a candidate, but double check later on if it is still available
* during the update operation. This allows us to work without locking.
*/
-static host_t* get_lease(private_sql_attribute_t *this, char *name,
+static host_t* get_lease(private_attr_sql_provider_t *this, char *name,
u_int pool, u_int timeout, u_int identity)
{
while (TRUE)
@@ -243,7 +246,7 @@ static host_t* get_lease(private_sql_attribute_t *this, char *name,
}
METHOD(attribute_provider_t, acquire_address, host_t*,
- private_sql_attribute_t *this, linked_list_t *pools, identification_t *id,
+ private_attr_sql_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
host_t *requested)
{
enumerator_t *enumerator;
@@ -252,7 +255,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
char *name;
int family;
- identity = get_identity(this, id);
+ identity = get_identity(this, ike_sa);
if (identity)
{
family = requested->get_family(requested);
@@ -295,8 +298,8 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
}
METHOD(attribute_provider_t, release_address, bool,
- private_sql_attribute_t *this, linked_list_t *pools, host_t *address,
- identification_t *id)
+ private_attr_sql_provider_t *this, linked_list_t *pools, host_t *address,
+ ike_sa_t *ike_sa)
{
enumerator_t *enumerator;
u_int pool, timeout;
@@ -338,7 +341,7 @@ METHOD(attribute_provider_t, release_address, bool,
}
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
- private_sql_attribute_t *this, linked_list_t *pools, identification_t *id,
+ private_attr_sql_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
linked_list_t *vips)
{
enumerator_t *attr_enumerator = NULL;
@@ -350,9 +353,9 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
char *name;
/* in a first step check for attributes that match name and id */
- if (id)
+ if (ike_sa)
{
- u_int identity = get_identity(this, id);
+ u_int identity = get_identity(this, ike_sa);
pool_enumerator = pools->create_enumerator(pools);
while (pool_enumerator->enumerate(pool_enumerator, &name))
@@ -432,8 +435,8 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
return (attr_enumerator ? attr_enumerator : enumerator_create_empty());
}
-METHOD(sql_attribute_t, destroy, void,
- private_sql_attribute_t *this)
+METHOD(attr_sql_provider_t, destroy, void,
+ private_attr_sql_provider_t *this)
{
free(this);
}
@@ -441,9 +444,9 @@ METHOD(sql_attribute_t, destroy, void,
/*
* see header file
*/
-sql_attribute_t *sql_attribute_create(database_t *db)
+attr_sql_provider_t *attr_sql_provider_create(database_t *db)
{
- private_sql_attribute_t *this;
+ private_attr_sql_provider_t *this;
time_t now = time(NULL);
INIT(this,
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.h b/src/libcharon/plugins/attr_sql/attr_sql_provider.h
index ca87eb27e..a9b037bf5 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.h
+++ b/src/libcharon/plugins/attr_sql/attr_sql_provider.h
@@ -14,22 +14,22 @@
*/
/**
- * @defgroup sql_attribute sql_attribute
+ * @defgroup attr_sql_provider attr_sql_provider
* @{ @ingroup attr_sql
*/
-#ifndef SQL_ATTRIBUTE_H_
-#define SQL_ATTRIBUTE_H_
+#ifndef ATTR_SQL_PROVIDER_H_
+#define ATTR_SQL_PROVIDER_H_
#include <attributes/attribute_provider.h>
#include <database/database.h>
-typedef struct sql_attribute_t sql_attribute_t;
+typedef struct attr_sql_provider_t attr_sql_provider_t;
/**
* SQL database based IKEv2 cfg attribute provider.
*/
-struct sql_attribute_t {
+struct attr_sql_provider_t {
/**
* Implements attribute provider interface
@@ -37,14 +37,14 @@ struct sql_attribute_t {
attribute_provider_t provider;
/**
- * Destroy a sql_attribute instance.
+ * Destroy a attr_sql_provider instance.
*/
- void (*destroy)(sql_attribute_t *this);
+ void (*destroy)(attr_sql_provider_t *this);
};
/**
- * Create a sql_attribute instance.
+ * Create a attr_sql_provider instance.
*/
-sql_attribute_t *sql_attribute_create(database_t *db);
+attr_sql_provider_t *attr_sql_provider_create(database_t *db);
-#endif /** SQL_ATTRIBUTE_H_ @}*/
+#endif /** ATTR_SQL_PROVIDER_H_ @}*/
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 08101d51d..f946d73c1 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/connmark/Makefile.am b/src/libcharon/plugins/connmark/Makefile.am
new file mode 100644
index 000000000..cc4d0ec8d
--- /dev/null
+++ b/src/libcharon/plugins/connmark/Makefile.am
@@ -0,0 +1,20 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-connmark.la
+else
+plugin_LTLIBRARIES = libstrongswan-connmark.la
+endif
+
+libstrongswan_connmark_la_SOURCES = \
+ connmark_listener.h connmark_listener.c \
+ connmark_plugin.h connmark_plugin.c
+
+libstrongswan_connmark_la_LDFLAGS = -module -avoid-version
+libstrongswan_connmark_la_LIBADD = $(libiptc_LIBS)
diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in
index 1aca319c7..65f53fde9 100644
--- a/src/libcharon/plugins/unit_tester/Makefile.in
+++ b/src/libcharon/plugins/connmark/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-subdir = src/libcharon/plugins/unit_tester
+subdir = src/libcharon/plugins/connmark
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -127,25 +127,23 @@ am__uninstall_files_from_dir = { \
}
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-libstrongswan_unit_tester_la_LIBADD =
-am__dirstamp = $(am__leading_dot)dirstamp
-am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
- tests/test_auth_info.lo tests/test_curl.lo tests/test_mysql.lo \
- tests/test_sqlite.lo tests/test_cert.lo tests/test_med_db.lo \
- tests/test_pool.lo tests/test_agent.lo
-libstrongswan_unit_tester_la_OBJECTS = \
- $(am_libstrongswan_unit_tester_la_OBJECTS)
+am__DEPENDENCIES_1 =
+libstrongswan_connmark_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_connmark_la_OBJECTS = connmark_listener.lo \
+ connmark_plugin.lo
+libstrongswan_connmark_la_OBJECTS = \
+ $(am_libstrongswan_connmark_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
am__v_lt_1 =
-libstrongswan_unit_tester_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+libstrongswan_connmark_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
- $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_unit_tester_la_LDFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_connmark_la_LDFLAGS) \
$(LDFLAGS) -o $@
-@MONOLITHIC_FALSE@am_libstrongswan_unit_tester_la_rpath = -rpath \
+@MONOLITHIC_FALSE@am_libstrongswan_connmark_la_rpath = -rpath \
@MONOLITHIC_FALSE@ $(plugindir)
-@MONOLITHIC_TRUE@am_libstrongswan_unit_tester_la_rpath =
+@MONOLITHIC_TRUE@am_libstrongswan_connmark_la_rpath =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -180,8 +178,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
-SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_unit_tester_la_SOURCES)
+SOURCES = $(libstrongswan_connmark_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_connmark_la_SOURCES)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -232,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -292,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -369,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -433,22 +436,16 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/libcharon
AM_CFLAGS = \
- $(PLUGIN_CFLAGS)
-
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-unit-tester.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-unit-tester.la
-libstrongswan_unit_tester_la_SOURCES = \
- unit_tester.c unit_tester.h tests.h \
- tests/test_auth_info.c \
- tests/test_curl.c \
- tests/test_mysql.c \
- tests/test_sqlite.c \
- tests/test_cert.c \
- tests/test_med_db.c \
- tests/test_pool.c \
- tests/test_agent.c
-
-libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
+ $(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-connmark.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-connmark.la
+libstrongswan_connmark_la_SOURCES = \
+ connmark_listener.h connmark_listener.c \
+ connmark_plugin.h connmark_plugin.c
+
+libstrongswan_connmark_la_LDFLAGS = -module -avoid-version
+libstrongswan_connmark_la_LIBADD = $(libiptc_LIBS)
all: all-am
.SUFFIXES:
@@ -462,9 +459,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile'; \
$(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/libcharon/plugins/unit_tester/Makefile
+ $(AUTOMAKE) --gnu src/libcharon/plugins/connmark/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -529,49 +526,18 @@ clean-pluginLTLIBRARIES:
echo rm -f $${locs}; \
rm -f $${locs}; \
}
-tests/$(am__dirstamp):
- @$(MKDIR_P) tests
- @: > tests/$(am__dirstamp)
-tests/$(DEPDIR)/$(am__dirstamp):
- @$(MKDIR_P) tests/$(DEPDIR)
- @: > tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_auth_info.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_curl.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_mysql.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_sqlite.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_cert.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_med_db.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_pool.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-tests/test_agent.lo: tests/$(am__dirstamp) \
- tests/$(DEPDIR)/$(am__dirstamp)
-
-libstrongswan-unit-tester.la: $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_DEPENDENCIES) $(EXTRA_libstrongswan_unit_tester_la_DEPENDENCIES)
- $(AM_V_CCLD)$(libstrongswan_unit_tester_la_LINK) $(am_libstrongswan_unit_tester_la_rpath) $(libstrongswan_unit_tester_la_OBJECTS) $(libstrongswan_unit_tester_la_LIBADD) $(LIBS)
+
+libstrongswan-connmark.la: $(libstrongswan_connmark_la_OBJECTS) $(libstrongswan_connmark_la_DEPENDENCIES) $(EXTRA_libstrongswan_connmark_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libstrongswan_connmark_la_LINK) $(am_libstrongswan_connmark_la_rpath) $(libstrongswan_connmark_la_OBJECTS) $(libstrongswan_connmark_la_LIBADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
- -rm -f tests/*.$(OBJEXT)
- -rm -f tests/*.lo
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_agent.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_auth_info.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_cert.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_curl.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_med_db.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_mysql.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_pool.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@tests/$(DEPDIR)/test_sqlite.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connmark_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connmark_plugin.Plo@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -602,7 +568,6 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
- -rm -rf tests/.libs tests/_libs
ID: $(am__tagged_files)
$(am__define_uniq_tagged_files); mkid -fID $$unique
@@ -719,8 +684,6 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
- -rm -f tests/$(DEPDIR)/$(am__dirstamp)
- -rm -f tests/$(am__dirstamp)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -731,7 +694,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
- -rm -rf ./$(DEPDIR) tests/$(DEPDIR)
+ -rm -rf ./$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -777,7 +740,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR) tests/$(DEPDIR)
+ -rm -rf ./$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
new file mode 100644
index 000000000..23df690e8
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -0,0 +1,538 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "connmark_listener.h"
+
+#include <daemon.h>
+
+#include <errno.h>
+#include <libiptc/libiptc.h>
+#include <linux/netfilter/xt_esp.h>
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter/xt_MARK.h>
+#include <linux/netfilter/xt_policy.h>
+#include <linux/netfilter/xt_CONNMARK.h>
+
+
+typedef struct private_connmark_listener_t private_connmark_listener_t;
+
+/**
+ * Private data of an connmark_listener_t object.
+ */
+struct private_connmark_listener_t {
+
+ /**
+ * Public connmark_listener_t interface.
+ */
+ connmark_listener_t public;
+};
+
+/**
+ * Convert an (IPv4) traffic selector to an address and mask
+ */
+static bool ts2in(traffic_selector_t *ts,
+ struct in_addr *addr, struct in_addr *mask)
+{
+ u_int8_t bits;
+ host_t *net;
+
+ if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE &&
+ ts->to_subnet(ts, &net, &bits))
+ {
+ memcpy(&addr->s_addr, net->get_address(net).ptr, 4);
+ net->destroy(net);
+ mask->s_addr = htonl(0xffffffffU << (32 - bits));
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Convert an (IPv4) host to an address with mask
+ */
+static bool host2in(host_t *host, struct in_addr *addr, struct in_addr *mask)
+{
+ if (host->get_family(host) == AF_INET)
+ {
+ memcpy(&addr->s_addr, host->get_address(host).ptr, 4);
+ mask->s_addr = ~0;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Add or remove a rule to/from the specified chain
+ */
+static bool manage_rule(struct iptc_handle *ipth, const char *chain,
+ bool add, struct ipt_entry *e)
+{
+ if (add)
+ {
+ if (!iptc_insert_entry(chain, e, 0, ipth))
+ {
+ DBG1(DBG_CFG, "appending %s rule failed: %s",
+ chain, iptc_strerror(errno));
+ return FALSE;
+ }
+ }
+ else
+ {
+ if (!iptc_delete_entry(chain, e, "", ipth))
+ {
+ DBG1(DBG_CFG, "deleting %s rule failed: %s",
+ chain, iptc_strerror(errno));
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Add rule marking UDP-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
+ struct iptc_handle *ipth, bool add,
+ u_int mark, u_int32_t spi,
+ host_t *dst, host_t *src)
+{
+ struct {
+ struct ipt_entry e;
+ struct ipt_entry_match m;
+ struct xt_udp udp;
+ struct ipt_entry_target t;
+ struct xt_mark_tginfo2 tm;
+ } ipt = {
+ .e = {
+ .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+ sizeof(ipt.udp)),
+ .next_offset = sizeof(ipt),
+ .ip = {
+ .proto = IPPROTO_UDP,
+ },
+ },
+ .m = {
+ .u = {
+ .user = {
+ .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
+ .name = "udp",
+ },
+ },
+ },
+ .udp = {
+ .spts = { src->get_port(src), src->get_port(src) },
+ .dpts = { dst->get_port(dst), dst->get_port(dst) },
+ },
+ .t = {
+ .u = {
+ .user = {
+ .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+ .name = "MARK",
+ .revision = 2,
+ },
+ },
+ },
+ .tm = {
+ .mark = mark,
+ .mask = ~0,
+ },
+ };
+
+ if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+ !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+ {
+ return FALSE;
+ }
+ return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking non-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp(private_connmark_listener_t *this,
+ struct iptc_handle *ipth, bool add,
+ u_int mark, u_int32_t spi,
+ host_t *dst, host_t *src)
+{
+ struct {
+ struct ipt_entry e;
+ struct ipt_entry_match m;
+ struct xt_esp esp;
+ struct ipt_entry_target t;
+ struct xt_mark_tginfo2 tm;
+ } ipt = {
+ .e = {
+ .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+ sizeof(ipt.esp)),
+ .next_offset = sizeof(ipt),
+ .ip = {
+ .proto = IPPROTO_ESP,
+ },
+ },
+ .m = {
+ .u = {
+ .user = {
+ .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
+ .name = "esp",
+ },
+ },
+ },
+ .esp = {
+ .spis = { htonl(spi), htonl(spi) },
+ },
+ .t = {
+ .u = {
+ .user = {
+ .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+ .name = "MARK",
+ .revision = 2,
+ },
+ },
+ },
+ .tm = {
+ .mark = mark,
+ .mask = ~0,
+ },
+ };
+
+ if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+ !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+ {
+ return FALSE;
+ }
+ return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking ESP packets to match the correct policy
+ */
+static bool manage_pre(private_connmark_listener_t *this,
+ struct iptc_handle *ipth, bool add,
+ u_int mark, u_int32_t spi, bool encap,
+ host_t *dst, host_t *src)
+{
+ if (encap)
+ {
+ return manage_pre_esp_in_udp(this, ipth, add, mark, spi, dst, src);
+ }
+ return manage_pre_esp(this, ipth, add, mark, spi, dst, src);
+}
+
+/**
+ * Add inbound rule applying CONNMARK to matching traffic
+ */
+static bool manage_in(private_connmark_listener_t *this,
+ struct iptc_handle *ipth, bool add,
+ u_int mark, u_int32_t spi,
+ traffic_selector_t *dst, traffic_selector_t *src)
+{
+ struct {
+ struct ipt_entry e;
+ struct ipt_entry_match m;
+ struct xt_policy_info p;
+ struct ipt_entry_target t;
+ struct xt_connmark_tginfo1 cm;
+ } ipt = {
+ .e = {
+ .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+ sizeof(ipt.p)),
+ .next_offset = sizeof(ipt),
+ },
+ .m = {
+ .u = {
+ .user = {
+ .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)),
+ .name = "policy",
+ },
+ },
+ },
+ .p = {
+ .pol = {
+ {
+ .spi = spi,
+ .match.spi = 1,
+ },
+ },
+ .len = 1,
+ .flags = XT_POLICY_MATCH_IN,
+ },
+ .t = {
+ .u = {
+ .user = {
+ .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
+ .name = "CONNMARK",
+ .revision = 1,
+ },
+ },
+ },
+ .cm = {
+ .ctmark = mark,
+ .ctmask = ~0,
+ .nfmask = ~0,
+ .mode = XT_CONNMARK_SET,
+ },
+ };
+
+ if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+ !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+ {
+ return FALSE;
+ }
+ return manage_rule(ipth, "INPUT", add, &ipt.e);
+}
+
+/**
+ * Add outbund rule restoring CONNMARK on matching traffic
+ */
+static bool manage_out(private_connmark_listener_t *this,
+ struct iptc_handle *ipth, bool add,
+ traffic_selector_t *dst, traffic_selector_t *src)
+{
+ struct {
+ struct ipt_entry e;
+ struct ipt_entry_target t;
+ struct xt_connmark_tginfo1 cm;
+ } ipt = {
+ .e = {
+ .target_offset = XT_ALIGN(sizeof(ipt.e)),
+ .next_offset = sizeof(ipt),
+ },
+ .t = {
+ .u = {
+ .user = {
+ .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
+ .name = "CONNMARK",
+ .revision = 1,
+ },
+ },
+ },
+ .cm = {
+ .ctmask = ~0,
+ .nfmask = ~0,
+ .mode = XT_CONNMARK_RESTORE,
+ },
+ };
+
+ if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+ !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
+ {
+ return FALSE;
+ }
+ return manage_rule(ipth, "OUTPUT", add, &ipt.e);
+}
+
+/**
+ * Initialize iptables handle, log error
+ */
+static struct iptc_handle* init_handle()
+{
+ struct iptc_handle *ipth;
+
+ ipth = iptc_init("mangle");
+ if (ipth)
+ {
+ return ipth;
+ }
+ DBG1(DBG_CFG, "initializing iptables failed: %s", iptc_strerror(errno));
+ return NULL;
+}
+
+/**
+ * Commit iptables rules, log error
+ */
+static bool commit_handle(struct iptc_handle *ipth)
+{
+ if (iptc_commit(ipth))
+ {
+ return TRUE;
+ }
+ DBG1(DBG_CFG, "forecast iptables commit failed: %s", iptc_strerror(errno));
+ return FALSE;
+}
+
+/**
+ * Add/Remove policies for a CHILD_SA using a iptables handle
+ */
+static bool manage_policies(private_connmark_listener_t *this,
+ struct iptc_handle *ipth, host_t *dst, host_t *src,
+ bool encap, child_sa_t *child_sa, bool add)
+{
+ traffic_selector_t *local, *remote;
+ enumerator_t *enumerator;
+ u_int32_t spi;
+ u_int mark;
+ bool done = TRUE;
+
+ spi = child_sa->get_spi(child_sa, TRUE);
+ mark = child_sa->get_mark(child_sa, TRUE).value;
+
+ enumerator = child_sa->create_policy_enumerator(child_sa);
+ while (enumerator->enumerate(enumerator, &local, &remote))
+ {
+ if (!manage_pre(this, ipth, add, mark, spi, encap, dst, src) ||
+ !manage_in(this, ipth, add, mark, spi, local, remote) ||
+ !manage_out(this, ipth, add, remote, local))
+ {
+ done = FALSE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return done;
+}
+
+/**
+ * Check if rules should be installed for given CHILD_SA
+ */
+static bool handle_sa(child_sa_t *child_sa)
+{
+ return child_sa->get_mark(child_sa, TRUE).value &&
+ child_sa->get_mark(child_sa, FALSE).value &&
+ child_sa->get_mode(child_sa) == MODE_TRANSPORT &&
+ child_sa->get_protocol(child_sa) == PROTO_ESP;
+}
+
+METHOD(listener_t, child_updown, bool,
+ private_connmark_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ bool up)
+{
+ struct iptc_handle *ipth;
+ host_t *dst, *src;
+ bool encap;
+
+ dst = ike_sa->get_my_host(ike_sa);
+ src = ike_sa->get_other_host(ike_sa);
+ encap = child_sa->has_encap(child_sa);
+
+ if (handle_sa(child_sa))
+ {
+ ipth = init_handle();
+ if (ipth)
+ {
+ if (manage_policies(this, ipth, dst, src, encap, child_sa, up))
+ {
+ commit_handle(ipth);
+ }
+ iptc_free(ipth);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, child_rekey, bool,
+ private_connmark_listener_t *this, ike_sa_t *ike_sa,
+ child_sa_t *old, child_sa_t *new)
+{
+ struct iptc_handle *ipth;
+ host_t *dst, *src;
+ bool oldencap, newencap;
+
+ dst = ike_sa->get_my_host(ike_sa);
+ src = ike_sa->get_other_host(ike_sa);
+ oldencap = old->has_encap(old);
+ newencap = new->has_encap(new);
+
+ if (handle_sa(old))
+ {
+ ipth = init_handle();
+ if (ipth)
+ {
+ if (manage_policies(this, ipth, dst, src, oldencap, old, FALSE) &&
+ manage_policies(this, ipth, dst, src, newencap, new, TRUE))
+ {
+ commit_handle(ipth);
+ }
+ iptc_free(ipth);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_update, bool,
+ private_connmark_listener_t *this, ike_sa_t *ike_sa,
+ bool local, host_t *new)
+{
+ struct iptc_handle *ipth;
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+ host_t *dst, *src;
+ bool oldencap, newencap;
+
+ if (local)
+ {
+ dst = new;
+ src = ike_sa->get_other_host(ike_sa);
+ }
+ else
+ {
+ dst = ike_sa->get_my_host(ike_sa);
+ src = new;
+ }
+ /* during ike_update(), has_encap() on the CHILD_SA has not yet been
+ * updated, but shows the old state. */
+ newencap = ike_sa->has_condition(ike_sa, COND_NAT_ANY);
+
+ enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+ while (enumerator->enumerate(enumerator, &child_sa))
+ {
+ if (handle_sa(child_sa))
+ {
+ oldencap = child_sa->has_encap(child_sa);
+ ipth = init_handle();
+ if (ipth)
+ {
+ if (manage_policies(this, ipth, dst, src, oldencap,
+ child_sa, FALSE) &&
+ manage_policies(this, ipth, dst, src, newencap,
+ child_sa, TRUE))
+ {
+ commit_handle(ipth);
+ }
+ iptc_free(ipth);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return TRUE;
+}
+
+METHOD(connmark_listener_t, destroy, void,
+ private_connmark_listener_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+connmark_listener_t *connmark_listener_create()
+{
+ private_connmark_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .ike_update = _ike_update,
+ .child_updown = _child_updown,
+ .child_rekey = _child_rekey,
+ },
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/connmark/connmark_listener.h b/src/libcharon/plugins/connmark/connmark_listener.h
new file mode 100644
index 000000000..2d4098fb6
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_listener.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup connmark_listener connmark_listener
+ * @{ @ingroup connmark
+ */
+
+#ifndef CONNMARK_LISTENER_H_
+#define CONNMARK_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct connmark_listener_t connmark_listener_t;
+
+/**
+ * Listener to install Netfilter rules
+ */
+struct connmark_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a connmark_listener_t.
+ */
+ void (*destroy)(connmark_listener_t *this);
+};
+
+/**
+ * Create a connmark_listener instance.
+ */
+connmark_listener_t *connmark_listener_create();
+
+#endif /** CONNMARK_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/connmark/connmark_plugin.c b/src/libcharon/plugins/connmark/connmark_plugin.c
new file mode 100644
index 000000000..3f276f93e
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_plugin.c
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "connmark_plugin.h"
+#include "connmark_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_connmark_plugin_t private_connmark_plugin_t;
+
+/**
+ * private data of connmark plugin
+ */
+struct private_connmark_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ connmark_plugin_t public;
+
+ /**
+ * Listener installing netfilter rules
+ */
+ connmark_listener_t *listener;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_connmark_plugin_t *this)
+{
+ return "connmark";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_connmark_plugin_t *this,
+ plugin_feature_t *feature, bool reg, void *cb_data)
+{
+ if (reg)
+ {
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+ }
+ else
+ {
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ }
+ return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+ private_connmark_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+ PLUGIN_PROVIDE(CUSTOM, "connmark"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_connmark_plugin_t *this)
+{
+ this->listener->destroy(this->listener);
+ free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *connmark_plugin_create()
+{
+ private_connmark_plugin_t *this;
+
+ if (!lib->caps->keep(lib->caps, CAP_NET_ADMIN))
+ {
+ DBG1(DBG_NET, "connmark plugin requires CAP_NET_ADMIN capability");
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ .listener = connmark_listener_create(),
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/connmark/connmark_plugin.h b/src/libcharon/plugins/connmark/connmark_plugin.h
new file mode 100644
index 000000000..5b4ccebbe
--- /dev/null
+++ b/src/libcharon/plugins/connmark/connmark_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup connmark connmark
+ * @ingroup cplugins
+ *
+ * @defgroup connmark_plugin connmark_plugin
+ * @{ @ingroup connmark
+ */
+
+#ifndef CONNMARK_PLUGIN_H_
+#define CONNMARK_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct connmark_plugin_t connmark_plugin_t;
+
+/**
+ * Plugin using marks to select return path SA based on conntrack.
+ */
+struct connmark_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** CONNMARK_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 679d2dae6..dff80c37f 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 768c2b32b..1e84f04e2 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/dhcp/dhcp_plugin.c b/src/libcharon/plugins/dhcp/dhcp_plugin.c
index c36c60d28..642e28afc 100644
--- a/src/libcharon/plugins/dhcp/dhcp_plugin.c
+++ b/src/libcharon/plugins/dhcp/dhcp_plugin.c
@@ -18,7 +18,6 @@
#include "dhcp_plugin.h"
-#include <hydra.h>
#include <daemon.h>
#include <plugins/plugin_feature.h>
@@ -69,13 +68,13 @@ static bool plugin_cb(private_dhcp_plugin_t *this,
return FALSE;
}
this->provider = dhcp_provider_create(this->socket);
- hydra->attributes->add_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->add_provider(charon->attributes,
+ &this->provider->provider);
}
else
{
- hydra->attributes->remove_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->provider->provider);
this->provider->destroy(this->provider);
this->socket->destroy(this->socket);
}
diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c
index f5325b566..f0681b1da 100644
--- a/src/libcharon/plugins/dhcp/dhcp_provider.c
+++ b/src/libcharon/plugins/dhcp/dhcp_provider.c
@@ -66,10 +66,11 @@ static uintptr_t hash_transaction(dhcp_transaction_t *transaction)
METHOD(attribute_provider_t, acquire_address, host_t*,
private_dhcp_provider_t *this, linked_list_t *pools,
- identification_t *id, host_t *requested)
+ ike_sa_t *ike_sa, host_t *requested)
{
dhcp_transaction_t *transaction, *old;
enumerator_t *enumerator;
+ identification_t *id;
char *pool;
host_t *vip = NULL;
@@ -77,6 +78,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
{
return NULL;
}
+ id = ike_sa->get_other_eap_id(ike_sa);
enumerator = pools->create_enumerator(pools);
while (enumerator->enumerate(enumerator, &pool))
{
@@ -104,10 +106,11 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
METHOD(attribute_provider_t, release_address, bool,
private_dhcp_provider_t *this, linked_list_t *pools,
- host_t *address, identification_t *id)
+ host_t *address, ike_sa_t *ike_sa)
{
dhcp_transaction_t *transaction;
enumerator_t *enumerator;
+ identification_t *id;
bool found = FALSE;
char *pool;
@@ -115,6 +118,7 @@ METHOD(attribute_provider_t, release_address, bool,
{
return FALSE;
}
+ id = ike_sa->get_other_eap_id(ike_sa);
enumerator = pools->create_enumerator(pools);
while (enumerator->enumerate(enumerator, &pool))
{
@@ -139,11 +143,12 @@ METHOD(attribute_provider_t, release_address, bool,
}
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
- private_dhcp_provider_t *this, linked_list_t *pools, identification_t *id,
+ private_dhcp_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
linked_list_t *vips)
{
dhcp_transaction_t *transaction = NULL;
enumerator_t *enumerator;
+ identification_t *id;
host_t *vip;
if (pools->find_first(pools, (linked_list_match_t)streq,
@@ -152,6 +157,7 @@ METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
return NULL;
}
+ id = ike_sa->get_other_eap_id(ike_sa);
this->mutex->lock(this->mutex);
enumerator = vips->create_enumerator(vips);
while (enumerator->enumerate(enumerator, &vip))
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index 3484e08a3..ed873b316 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 381d7a119..41862cb2a 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 3b0f8763c..dacddfb87 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index 839a379ea..3c26b8511 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index fdbad6234..402c7cadc 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index 9675104da..2279b2514 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index 0610b5859..30d2c88d1 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 38c9d0b7c..14616c214 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index f5dfd6814..78dfd29e3 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 5ccd58158..2f0d65d6d 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 04cc422f5..47534372b 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
index 31c96d229..ac4ecfc86 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_accounting.c
@@ -99,7 +99,7 @@ typedef struct {
/** IKE_SA identifier this entry is stored under */
ike_sa_id_t *id;
/** RADIUS accounting session ID */
- char sid[16];
+ char sid[24];
/** number of sent/received octets/packets */
struct {
u_int64_t sent;
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
index 1a48c07e5..6a4a0384e 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c
@@ -26,7 +26,7 @@
#include <radius_client.h>
#include <radius_config.h>
-#include <hydra.h>
+#include <daemon.h>
#include <threading/rwlock.h>
#include <processing/jobs/callback_job.h>
#include <processing/jobs/delete_ike_sa_job.h>
@@ -149,19 +149,26 @@ static void load_configs(private_eap_radius_plugin_t *this)
continue;
}
nas_identifier = lib->settings->get_str(lib->settings,
- "%s.plugins.eap-radius.servers.%s.nas_identifier", "strongSwan",
+ "%s.plugins.eap-radius.servers.%s.nas_identifier",
+ lib->settings->get_str(lib->settings,
+ "%s.plugins.eap-radius.nas_identifier", "strongSwan",
+ lib->ns),
lib->ns, section);
auth_port = lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.auth_port",
lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.port",
- AUTH_PORT, lib->ns, section),
+ lib->settings->get_int(lib->settings,
+ "%s.plugins.eap-radius.port", AUTH_PORT, lib->ns),
+ lib->ns, section),
lib->ns, section);
acct_port = lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.acct_port", ACCT_PORT,
lib->ns, section);
sockets = lib->settings->get_int(lib->settings,
- "%s.plugins.eap-radius.servers.%s.sockets", 1,
+ "%s.plugins.eap-radius.servers.%s.sockets",
+ lib->settings->get_int(lib->settings,
+ "%s.plugins.eap-radius.sockets", 1, lib->ns),
lib->ns, section);
preference = lib->settings->get_int(lib->settings,
"%s.plugins.eap-radius.servers.%s.preference", 0,
@@ -211,13 +218,13 @@ static bool plugin_cb(private_eap_radius_plugin_t *this,
{
charon->bus->add_listener(charon->bus, &this->forward->listener);
}
- hydra->attributes->add_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->add_provider(charon->attributes,
+ &this->provider->provider);
}
else
{
- hydra->attributes->remove_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->provider->provider);
if (this->forward)
{
charon->bus->remove_listener(charon->bus, &this->forward->listener);
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_provider.c b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
index 7c794616b..0cf723711 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_provider.c
+++ b/src/libcharon/plugins/eap_radius/eap_radius_provider.c
@@ -311,19 +311,13 @@ METHOD(listener_t, ike_rekey, bool,
METHOD(attribute_provider_t, acquire_address, host_t*,
private_eap_radius_provider_t *this, linked_list_t *pools,
- identification_t *id, host_t *requested)
+ ike_sa_t *ike_sa, host_t *requested)
{
enumerator_t *enumerator;
host_t *addr = NULL;
- ike_sa_t *ike_sa;
uintptr_t sa;
char *name;
- ike_sa = charon->bus->get_sa(charon->bus);
- if (!ike_sa)
- {
- return NULL;
- }
sa = ike_sa->get_unique_id(ike_sa);
enumerator = pools->create_enumerator(pools);
@@ -348,19 +342,13 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
METHOD(attribute_provider_t, release_address, bool,
private_eap_radius_provider_t *this, linked_list_t *pools, host_t *address,
- identification_t *id)
+ ike_sa_t *ike_sa)
{
enumerator_t *enumerator;
host_t *found = NULL;
- ike_sa_t *ike_sa;
uintptr_t sa;
char *name;
- ike_sa = charon->bus->get_sa(charon->bus);
- if (!ike_sa)
- {
- return FALSE;
- }
sa = ike_sa->get_unique_id(ike_sa);
enumerator = pools->create_enumerator(pools);
@@ -428,18 +416,12 @@ METHOD(enumerator_t, attribute_destroy, void,
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
private_eap_radius_provider_t *this, linked_list_t *pools,
- identification_t *id, linked_list_t *vips)
+ ike_sa_t *ike_sa, linked_list_t *vips)
{
attribute_enumerator_t *enumerator;
attr_t *attr;
- ike_sa_t *ike_sa;
uintptr_t sa;
- ike_sa = charon->bus->get_sa(charon->bus);
- if (!ike_sa)
- {
- return NULL;
- }
sa = ike_sa->get_unique_id(ike_sa);
INIT(enumerator,
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index 6a00ea74d..251eeeeba 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 7a08f4e0e..bffcbc0df 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index a1ec7adc1..78682ce37 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index bf99ab095..2a6be5fd9 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index ce4602365..de504d4cd 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 0c0b7fd52..de3508a07 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index 25696f524..d4219b876 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_tls/eap_tls.c b/src/libcharon/plugins/eap_tls/eap_tls.c
index dffbaf266..bc01ba5df 100644
--- a/src/libcharon/plugins/eap_tls/eap_tls.c
+++ b/src/libcharon/plugins/eap_tls/eap_tls.c
@@ -109,6 +109,12 @@ METHOD(eap_method_t, is_mutual, bool,
return TRUE;
}
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+ private_eap_tls_t *this)
+{
+ return this->tls_eap->get_auth(this->tls_eap);
+}
+
METHOD(eap_method_t, destroy, void,
private_eap_tls_t *this)
{
@@ -138,6 +144,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
.get_msk = _get_msk,
.get_identifier = _get_identifier,
.set_identifier = _set_identifier,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index 2d5d65875..6c34ed098 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 62d23d064..f70f47ef6 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -256,6 +256,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
private_eap_tnc_t *this;
int max_msg_count;
char* protocol;
+ ike_sa_t *ike_sa;
+ host_t *server_ip, *peer_ip;
tnccs_t *tnccs;
tnccs_type_t tnccs_type;
@@ -302,8 +304,29 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
free(this);
return NULL;
}
+
+ /* Determine IP addresses of server and peer */
+ ike_sa = charon->bus->get_sa(charon->bus);
+ if (!ike_sa)
+ {
+ DBG1(DBG_TNC, "%N constructor did not find IKE_SA",
+ eap_type_names, type);
+ free(this);
+ return NULL;
+ }
+ if (is_server)
+ {
+ server_ip = ike_sa->get_my_host(ike_sa);
+ peer_ip = ike_sa->get_other_host(ike_sa);
+ }
+ else
+ {
+ peer_ip = ike_sa->get_my_host(ike_sa);
+ server_ip = ike_sa->get_other_host(ike_sa);
+ }
+
tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
- is_server, server, peer,
+ is_server, server, peer, server_ip, peer_ip,
(type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
is_server ? enforce_recommendation : NULL);
if (!tnccs)
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 38c7632ac..0babf1766 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index 703cd3f29..c99d47f8d 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -111,6 +111,12 @@ METHOD(eap_method_t, is_mutual, bool,
return TRUE;
}
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+ private_eap_ttls_t *this)
+{
+ return this->tls_eap->get_auth(this->tls_eap);
+}
+
METHOD(eap_method_t, destroy, void,
private_eap_ttls_t *this)
{
@@ -141,6 +147,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
.get_identifier = _get_identifier,
.set_identifier = _set_identifier,
.get_msk = _get_msk,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
},
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index d9fa454ca..0a07aa7a3 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -237,6 +237,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -297,10 +298,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,6 +377,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
index a1b47dd33..d23e680aa 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.in
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index 2bfd38ba1..318400fc9 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/forecast/Makefile.am b/src/libcharon/plugins/forecast/Makefile.am
new file mode 100644
index 000000000..ce573135d
--- /dev/null
+++ b/src/libcharon/plugins/forecast/Makefile.am
@@ -0,0 +1,21 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-forecast.la
+else
+plugin_LTLIBRARIES = libstrongswan-forecast.la
+endif
+
+libstrongswan_forecast_la_SOURCES = \
+ forecast_listener.h forecast_listener.c \
+ forecast_forwarder.h forecast_forwarder.c \
+ forecast_plugin.h forecast_plugin.c
+
+libstrongswan_forecast_la_LDFLAGS = -module -avoid-version
+libstrongswan_forecast_la_LIBADD = $(libiptc_LIBS)
diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in
new file mode 100644
index 000000000..7b190ca25
--- /dev/null
+++ b/src/libcharon/plugins/forecast/Makefile.in
@@ -0,0 +1,784 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/forecast
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+am__DEPENDENCIES_1 =
+libstrongswan_forecast_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
+am_libstrongswan_forecast_la_OBJECTS = forecast_listener.lo \
+ forecast_forwarder.lo forecast_plugin.lo
+libstrongswan_forecast_la_OBJECTS = \
+ $(am_libstrongswan_forecast_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libstrongswan_forecast_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_forecast_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_forecast_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_forecast_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libstrongswan_forecast_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_forecast_la_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS) $(libiptc_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-forecast.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-forecast.la
+libstrongswan_forecast_la_SOURCES = \
+ forecast_listener.h forecast_listener.c \
+ forecast_forwarder.h forecast_forwarder.c \
+ forecast_plugin.h forecast_plugin.c
+
+libstrongswan_forecast_la_LDFLAGS = -module -avoid-version
+libstrongswan_forecast_la_LIBADD = $(libiptc_LIBS)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/plugins/forecast/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+libstrongswan-forecast.la: $(libstrongswan_forecast_la_OBJECTS) $(libstrongswan_forecast_la_DEPENDENCIES) $(EXTRA_libstrongswan_forecast_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libstrongswan_forecast_la_LINK) $(am_libstrongswan_forecast_la_rpath) $(libstrongswan_forecast_la_OBJECTS) $(libstrongswan_forecast_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_forwarder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_listener.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/forecast_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ cscopelist-am ctags ctags-am distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-pluginLTLIBRARIES install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+ uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.c b/src/libcharon/plugins/forecast/forecast_forwarder.c
new file mode 100644
index 000000000..07a3d4953
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_forwarder.c
@@ -0,0 +1,496 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "forecast_forwarder.h"
+
+#include <errno.h>
+#include <unistd.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <linux/socket.h>
+#include <netinet/if_ether.h>
+#include <linux/if_packet.h>
+#include <linux/filter.h>
+#include <sys/ioctl.h>
+#include <ifaddrs.h>
+#include <net/if.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <threading/thread.h>
+#include <processing/jobs/callback_job.h>
+
+#define BOOTP_SERVER_PORT 67
+#define BOOTP_CLIENT_PORT 68
+
+typedef struct private_forecast_forwarder_t private_forecast_forwarder_t;
+typedef struct private_kernel_listener_t private_kernel_listener_t;
+
+/**
+ * Private data of registered kernel listener
+ */
+struct private_kernel_listener_t {
+
+ /**
+ * Implements kernel_listener_t
+ */
+ kernel_listener_t listener;
+
+ /**
+ * Listener that knows active addresses
+ */
+ forecast_listener_t *fc;
+
+ /**
+ * current broadcast address of internal network
+ */
+ u_int32_t broadcast;
+
+ /**
+ * LAN interface index
+ */
+ int ifindex;
+
+ /**
+ * Packet socket
+ */
+ int pkt;
+
+ /**
+ * RAW socket
+ */
+ int raw;
+};
+
+/**
+ * Private data of an forecast_forwarder_t object.
+ */
+struct private_forecast_forwarder_t {
+
+ /**
+ * Public forecast_forwarder_t interface.
+ */
+ forecast_forwarder_t public;
+
+ /**
+ * Public kernel_listener_t interface.
+ */
+ private_kernel_listener_t kernel;
+};
+
+/**
+ * Send a broadcast/multicast packet to a network
+ */
+static void send_net(private_forecast_forwarder_t *this,
+ struct sockaddr_ll *addr, void *buf, size_t len)
+{
+ if (sendto(this->kernel.pkt, buf, len, 0,
+ (struct sockaddr*)addr, sizeof(*addr)) != len)
+ {
+ DBG1(DBG_NET, "forecast send_net() failed: %s", strerror(errno));
+ }
+}
+
+/**
+ * Send a broadcast/multicast packet to a peer
+ */
+static void send_peer(private_forecast_forwarder_t *this, u_int32_t dst,
+ void *buf, size_t len, int mark)
+{
+ struct sockaddr_in addr = {
+ .sin_family = AF_INET,
+ .sin_addr.s_addr = dst,
+ };
+
+ if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_MARK,
+ &mark, sizeof(mark)) != 0)
+ {
+ DBG1(DBG_NET, "forecast setting SO_MARK failed: %s", strerror(errno));
+ }
+ if (sendto(this->kernel.raw, buf, len, 0,
+ (struct sockaddr*)&addr, sizeof(addr)) != len)
+ {
+ DBG1(DBG_NET, "forecast send_peer() failed: %s", strerror(errno));
+ }
+}
+
+/**
+ * Check if an IP packet is BOOTP/DHCP
+ */
+static bool is_bootp(void *buf, size_t len)
+{
+ struct __attribute__((__packed__)) {
+ struct iphdr ip;
+ struct udphdr udp;
+ } *pkt = buf;
+
+ if (len > sizeof(*pkt))
+ {
+ if (ntohs(pkt->udp.source) == BOOTP_CLIENT_PORT &&
+ ntohs(pkt->udp.dest) == BOOTP_SERVER_PORT)
+ {
+ return TRUE;
+ }
+ if (ntohs(pkt->udp.source) == BOOTP_SERVER_PORT &&
+ ntohs(pkt->udp.dest) == BOOTP_CLIENT_PORT)
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/**
+ * Broadcast/Multicast receiver
+ */
+static bool receive_casts(private_forecast_forwarder_t *this)
+{
+ struct __attribute__((packed)) {
+ struct iphdr hdr;
+ char data[2048];
+ } buf;
+ char *type;
+ ssize_t len;
+ u_int mark, origin = 0;
+ host_t *src, *dst;
+ traffic_selector_t *ts;
+ enumerator_t *enumerator;
+ struct sockaddr_ll addr;
+ socklen_t alen = sizeof(addr);
+ bool reinject;
+
+ len = recvfrom(this->kernel.pkt, &buf, sizeof(buf), MSG_DONTWAIT,
+ (struct sockaddr*)&addr, &alen);
+ if (len < 0)
+ {
+ if (errno != EAGAIN && errno != EWOULDBLOCK)
+ {
+ DBG1(DBG_NET, "receiving from forecast socket failed: %s",
+ strerror(errno));
+ }
+ return TRUE;
+ }
+ else if (len < sizeof(struct iphdr))
+ {
+ DBG1(DBG_NET, "received short forecast packet: %zd bytes", len);
+ return TRUE;
+ }
+ if (is_bootp(&buf, len))
+ { /* don't forward DHCP broadcasts */
+ return TRUE;
+ }
+
+ src = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.saddr), 0);
+ dst = host_create_from_chunk(AF_INET, chunk_from_thing(buf.hdr.daddr), 0);
+
+ /* create valid broadcast/multicast MAC to send out */
+ if (IN_MULTICAST(ntohl(buf.hdr.daddr)))
+ {
+ type = "multi";
+ ETHER_MAP_IP_MULTICAST(&buf.hdr.daddr, addr.sll_addr);
+ }
+ else
+ {
+ type = "broad";
+ memset(&addr.sll_addr, 0xFF, sizeof(addr.sll_addr));
+ }
+ DBG2(DBG_NET, "forecast intercepted packet: %H to %H", src, dst);
+
+ /* find mark of originating tunnel */
+ enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE);
+ while (enumerator->enumerate(enumerator, &ts, &mark, &reinject))
+ {
+ if (ts->includes(ts, src))
+ {
+ origin = mark;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* send packet over all tunnels, but not the packets origin */
+ enumerator = this->kernel.fc->create_enumerator(this->kernel.fc, FALSE);
+ while (enumerator->enumerate(enumerator, &ts, &mark, &reinject))
+ {
+ if (ts->includes(ts, dst))
+ {
+ if ((reinject && origin != mark) || origin == 0)
+ {
+ DBG2(DBG_NET, "forwarding a %H %scast from %H to peer %R (%u)",
+ dst, type, src, ts, mark);
+ send_peer(this, buf.hdr.daddr, &buf, len, mark);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (origin)
+ {
+ /* forward broadcast/multicast from client to network */
+ DBG2(DBG_NET, "forwarding a %H %scast from peer %H to internal network",
+ dst, type, src);
+ addr.sll_ifindex = this->kernel.ifindex;
+ send_net(this, &addr, &buf, len);
+ }
+
+ dst->destroy(dst);
+ src->destroy(src);
+
+ return TRUE;
+}
+
+/**
+ * Join a multicast group
+ */
+static void join_group(private_kernel_listener_t *this, char *group,
+ struct sockaddr *addr)
+{
+ struct sockaddr_in *in;
+ struct ip_mreqn mreq;
+ host_t *host;
+
+ host = host_create_from_string(group, 0);
+ if (host)
+ {
+ memset(&mreq, 0, sizeof(mreq));
+ memcpy(&mreq.imr_multiaddr.s_addr, host->get_address(host).ptr, 4);
+ if (addr->sa_family == AF_INET)
+ {
+ in = (struct sockaddr_in*)addr;
+ memcpy(&mreq.imr_address, &in->sin_addr.s_addr,
+ sizeof(in->sin_addr.s_addr));
+ }
+ mreq.imr_ifindex = this->ifindex;
+ if (setsockopt(this->raw, IPPROTO_IP, IP_ADD_MEMBERSHIP,
+ &mreq, sizeof(mreq)) == -1)
+ {
+ if (errno != EADDRINUSE)
+ {
+ DBG1(DBG_NET, "forecast multicast join to %s failed: %s",
+ group, strerror(errno));
+ }
+ }
+ else
+ {
+ DBG2(DBG_NET, "forwarding multicast group %s", group);
+ }
+ host->destroy(host);
+ }
+}
+
+/**
+ * (Re-)Join all multicast groups we want to forward
+ */
+static void join_groups(private_kernel_listener_t *this, struct sockaddr *addr)
+{
+ enumerator_t *enumerator;
+ char *groups, *group;
+ static char *def =
+ "224.0.0.1," /* host multicast */
+ "224.0.0.22," /* IGMP */
+ "224.0.0.251," /* mDNS */
+ "224.0.0.252," /* LLMNR */
+ "239.255.255.250"; /* SSDP/WS-discovery */
+
+ groups = lib->settings->get_str(lib->settings,
+ "%s.plugins.forecast.groups", def, lib->ns);
+ DBG1(DBG_CFG, "joining forecast multicast groups: %s", groups);
+ enumerator = enumerator_create_token(groups, ",", " ");
+ while (enumerator->enumerate(enumerator, &group))
+ {
+ join_group(this, group, addr);
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Attach the socket filter to the socket
+ */
+static bool attach_filter(int fd, u_int32_t broadcast)
+{
+ struct sock_filter filter_code[] = {
+ /* destination address: is ... */
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct iphdr, daddr)),
+ /* broadcast, as received from the local network */
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ntohl(broadcast), 4, 0),
+ /* broadcast, as Win7 sends them */
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xFFFFFFFF, 3, 0),
+ /* any multicast, 224.0.0.0/4 */
+ BPF_STMT(BPF_ALU+BPF_AND+BPF_K, 0xF0000000),
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0xE0000000, 1, 0),
+ BPF_STMT(BPF_RET+BPF_K, 0),
+ BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
+ BPF_STMT(BPF_RET+BPF_A, 0),
+ };
+ struct sock_fprog filter = {
+ sizeof(filter_code) / sizeof(struct sock_filter),
+ filter_code,
+ };
+
+ if (setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER,
+ &filter, sizeof(filter)) < 0)
+ {
+ DBG1(DBG_NET, "installing forecast PACKET socket filter failed: %s",
+ strerror(errno));
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Get the interface index of an interface name
+ */
+static int get_ifindex(private_kernel_listener_t *this, char *ifname)
+{
+ struct ifreq ifr = {};
+
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ if (ioctl(this->raw, SIOCGIFINDEX, &ifr) == 0)
+ {
+ return ifr.ifr_ifindex;
+ }
+ return 0;
+}
+
+/**
+ * Set up the interface for broad/multicast forwarding
+ */
+static void setup_interface(private_kernel_listener_t *this)
+{
+ struct ifaddrs *addrs, *current;
+ struct sockaddr_in *in;
+ host_t *host;
+ char *name;
+
+ name = lib->settings->get_str(lib->settings,
+ "%s.plugins.forecast.interface", NULL, lib->ns);
+ if (getifaddrs(&addrs) == 0)
+ {
+ for (current = addrs; current; current = current->ifa_next)
+ {
+ if (name && !streq(name, current->ifa_name))
+ {
+ continue;
+ }
+ if (current->ifa_flags & IFF_BROADCAST &&
+ current->ifa_broadaddr &&
+ current->ifa_broadaddr->sa_family == AF_INET)
+ {
+ DBG1(DBG_NET, "using forecast interface %s", current->ifa_name);
+ this->ifindex = get_ifindex(this, current->ifa_name);
+ in = (struct sockaddr_in*)current->ifa_broadaddr;
+ attach_filter(this->pkt, in->sin_addr.s_addr);
+ join_groups(this, current->ifa_addr);
+ host = host_create_from_sockaddr(current->ifa_broadaddr);
+ if (host)
+ {
+ this->fc->set_broadcast(this->fc, host);
+ host->destroy(host);
+ }
+ break;
+ }
+ }
+ }
+ freeifaddrs(addrs);
+}
+
+METHOD(kernel_listener_t, roam, bool,
+ private_kernel_listener_t *this, bool address)
+{
+ if (address)
+ {
+ setup_interface(this);
+ }
+ return TRUE;
+}
+
+METHOD(forecast_forwarder_t, destroy, void,
+ private_forecast_forwarder_t *this)
+{
+ if (this->kernel.raw != -1)
+ {
+ close(this->kernel.raw);
+ }
+ if (this->kernel.pkt != -1)
+ {
+ lib->watcher->remove(lib->watcher, this->kernel.pkt);
+ close(this->kernel.pkt);
+ }
+ hydra->kernel_interface->remove_listener(hydra->kernel_interface,
+ &this->kernel.listener);
+ free(this);
+}
+
+/**
+ * See header
+ */
+forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener)
+{
+ private_forecast_forwarder_t *this;
+ int on = 1;
+
+ INIT(this,
+ .public = {
+ .destroy = _destroy,
+ },
+ .kernel = {
+ .listener = {
+ .roam = _roam,
+ },
+ .raw = -1,
+ .pkt = -1,
+ .fc = listener,
+ },
+ );
+
+ this->kernel.pkt = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_IP));
+ if (this->kernel.pkt == -1)
+ {
+ DBG1(DBG_NET, "opening PACKET socket failed: %s", strerror(errno));
+ destroy(this);
+ return NULL;
+ }
+ this->kernel.raw = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+ if (this->kernel.raw == -1)
+ {
+ DBG1(DBG_NET, "opening RAW socket failed: %s", strerror(errno));
+ destroy(this);
+ return NULL;
+ }
+ if (setsockopt(this->kernel.raw, IPPROTO_IP, IP_HDRINCL,
+ &on, sizeof(on)) == -1)
+ {
+ DBG1(DBG_NET, "forecast socket HDRINCL failed: %s", strerror(errno));
+ destroy(this);
+ return NULL;
+ }
+ if (setsockopt(this->kernel.raw, SOL_SOCKET, SO_BROADCAST,
+ &on, sizeof(on)) == -1)
+ {
+ DBG1(DBG_NET, "forecast socket BROADCAST failed: %s", strerror(errno));
+ destroy(this);
+ return NULL;
+ }
+
+ setup_interface(&this->kernel);
+
+ hydra->kernel_interface->add_listener(hydra->kernel_interface,
+ &this->kernel.listener);
+
+ lib->watcher->add(lib->watcher, this->kernel.pkt, WATCHER_READ,
+ (watcher_cb_t)receive_casts, this);
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/forecast/forecast_forwarder.h b/src/libcharon/plugins/forecast/forecast_forwarder.h
new file mode 100644
index 000000000..14d107361
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_forwarder.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup forecast_forwarder forecast_forwarder
+ * @{ @ingroup forecast
+ */
+
+#ifndef FORECAST_FORWARDER_H_
+#define FORECAST_FORWARDER_H_
+
+#include "forecast_listener.h"
+
+typedef struct forecast_forwarder_t forecast_forwarder_t;
+
+/**
+ * Broadcast/Multicast sniffer and forwarder.
+ */
+struct forecast_forwarder_t {
+
+ /**
+ * Destroy a forecast_forwarder_t.
+ */
+ void (*destroy)(forecast_forwarder_t *this);
+};
+
+/**
+ * Create a forecast_forwarder instance.
+ *
+ * @param listener listener to check for addresses to forward to
+ * @return forwarder instance
+ */
+forecast_forwarder_t *forecast_forwarder_create(forecast_listener_t *listener);
+
+#endif /** FORECAST_FORWARDER_H_ @}*/
diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
new file mode 100644
index 000000000..63a8cb15b
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -0,0 +1,680 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "forecast_listener.h"
+
+#include <errno.h>
+#include <libiptc/libiptc.h>
+#include <linux/netfilter/xt_MARK.h>
+#include <linux/netfilter/xt_esp.h>
+
+#include <daemon.h>
+#include <collections/array.h>
+#include <collections/hashtable.h>
+#include <threading/rwlock.h>
+
+typedef struct private_forecast_listener_t private_forecast_listener_t;
+
+/**
+ * Private data of an forecast_listener_t object.
+ */
+struct private_forecast_listener_t {
+
+ /**
+ * Public forecast_listener_t interface.
+ */
+ forecast_listener_t public;
+
+ /**
+ * List of entries
+ */
+ linked_list_t *entries;
+
+ /**
+ * RWlock for IP list
+ */
+ rwlock_t *lock;
+
+ /**
+ * Configs we do reinjection
+ */
+ char *reinject_configs;
+
+ /**
+ * Broadcast address on LAN interface, network order
+ */
+ u_int32_t broadcast;
+};
+
+/**
+ * Hashtable entry
+ */
+typedef struct {
+ /** local traffic selectors */
+ array_t *lts;
+ /** remote traffic selectors */
+ array_t *rts;
+ /** firewall mark used by CHILD_SA */
+ u_int mark;
+ /** local IKE_SA endpoint */
+ host_t *lhost;
+ /** remote IKE_SA endpoint */
+ host_t *rhost;
+ /** inbound SPI */
+ u_int32_t spi;
+ /** use UDP encapsulation */
+ bool encap;
+ /** whether we should allow reencapsulation of IPsec received forecasts */
+ bool reinject;
+ /** broadcast address used for that entry */
+ u_int32_t broadcast;
+} entry_t;
+
+/**
+ * Destroy an entry
+ */
+static void entry_destroy(entry_t *entry)
+{
+ if (entry)
+ {
+ entry->lhost->destroy(entry->lhost);
+ entry->rhost->destroy(entry->rhost);
+ array_destroy_offset(entry->lts, offsetof(traffic_selector_t, destroy));
+ array_destroy_offset(entry->rts, offsetof(traffic_selector_t, destroy));
+ free(entry);
+ }
+}
+
+/**
+ * Convert an (IPv4) traffic selector to an address and mask
+ */
+static bool ts2in(traffic_selector_t *ts,
+ struct in_addr *addr, struct in_addr *mask)
+{
+ u_int8_t bits;
+ host_t *net;
+
+ if (ts->get_type(ts) == TS_IPV4_ADDR_RANGE &&
+ ts->to_subnet(ts, &net, &bits))
+ {
+ memcpy(&addr->s_addr, net->get_address(net).ptr, 4);
+ net->destroy(net);
+ mask->s_addr = htonl(0xffffffffU << (32 - bits));
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Convert an (IPv4) host to an address with mask
+ */
+static bool host2in(host_t *host, struct in_addr *addr, struct in_addr *mask)
+{
+ if (host->get_family(host) == AF_INET)
+ {
+ memcpy(&addr->s_addr, host->get_address(host).ptr, 4);
+ mask->s_addr = ~0;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Add or remove a rule to/from the specified chain
+ */
+static bool manage_rule(struct iptc_handle *ipth, const char *chain,
+ bool add, struct ipt_entry *e)
+{
+ if (add)
+ {
+ if (!iptc_insert_entry(chain, e, 0, ipth))
+ {
+ DBG1(DBG_CFG, "appending %s rule failed: %s",
+ chain, iptc_strerror(errno));
+ return FALSE;
+ }
+ }
+ else
+ {
+ if (!iptc_delete_entry(chain, e, "", ipth))
+ {
+ DBG1(DBG_CFG, "deleting %s rule failed: %s",
+ chain, iptc_strerror(errno));
+ return FALSE;
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Add rule marking UDP-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
+ entry_t *entry, bool add)
+{
+ struct {
+ struct ipt_entry e;
+ struct ipt_entry_match m;
+ struct xt_udp udp;
+ struct ipt_entry_target t;
+ struct xt_mark_tginfo2 tm;
+ } ipt = {
+ .e = {
+ .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+ sizeof(ipt.udp)),
+ .next_offset = sizeof(ipt),
+ .ip = {
+ .proto = IPPROTO_UDP,
+ },
+ },
+ .m = {
+ .u = {
+ .user = {
+ .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
+ .name = "udp",
+ },
+ },
+ },
+ .udp = {
+ .spts = {
+ entry->rhost->get_port(entry->rhost),
+ entry->rhost->get_port(entry->lhost)
+ },
+ .dpts = {
+ entry->lhost->get_port(entry->lhost),
+ entry->lhost->get_port(entry->lhost)
+ },
+ },
+ .t = {
+ .u = {
+ .user = {
+ .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+ .name = "MARK",
+ .revision = 2,
+ },
+ },
+ },
+ .tm = {
+ .mark = entry->mark,
+ .mask = ~0,
+ },
+ };
+
+ if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+ !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
+ {
+ return FALSE;
+ }
+ return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking non-encapsulated ESP packets to match the correct policy
+ */
+static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add)
+{
+ struct {
+ struct ipt_entry e;
+ struct ipt_entry_match m;
+ struct xt_esp esp;
+ struct ipt_entry_target t;
+ struct xt_mark_tginfo2 tm;
+ } ipt = {
+ .e = {
+ .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
+ sizeof(ipt.esp)),
+ .next_offset = sizeof(ipt),
+ .ip = {
+ .proto = IPPROTO_ESP,
+ },
+ },
+ .m = {
+ .u = {
+ .user = {
+ .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
+ .name = "esp",
+ },
+ },
+ },
+ .esp = {
+ .spis = { htonl(entry->spi), htonl(entry->spi) },
+ },
+ .t = {
+ .u = {
+ .user = {
+ .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
+ .name = "MARK",
+ .revision = 2,
+ },
+ },
+ },
+ .tm = {
+ .mark = entry->mark,
+ .mask = ~0,
+ },
+ };
+
+ if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
+ !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
+ {
+ return FALSE;
+ }
+ return manage_rule(ipth, "PREROUTING", add, &ipt.e);
+}
+
+/**
+ * Add rule marking ESP packets to match the correct policy
+ */
+static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add)
+{
+ if (entry->encap)
+ {
+ return manage_pre_esp_in_udp(ipth, entry, add);
+ }
+ return manage_pre_esp(ipth, entry, add);
+}
+
+/**
+ * Add rule handling outbound traffic to use correct mark
+ */
+static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add)
+{
+ struct {
+ struct ipt_entry e;
+ struct ipt_entry_target t;
+ struct xt_mark_tginfo2 m;
+ } ipt = {
+ .e = {
+ .target_offset = XT_ALIGN(sizeof(ipt.e)),
+ .next_offset = sizeof(ipt),
+ },
+ .t = {
+ .u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)),
+ .u.user.name = "MARK",
+ .u.user.revision = 2,
+ },
+ .m = {
+ .mark = entry->mark,
+ .mask = ~0,
+ },
+ };
+ enumerator_t *enumerator;
+ traffic_selector_t *ts;
+
+ enumerator = array_create_enumerator(entry->rts);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk))
+ {
+ continue;
+ }
+ if (ipt.e.ip.dst.s_addr == 0xffffffff ||
+ ipt.e.ip.dst.s_addr == entry->broadcast ||
+ memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1))
+ {
+ /* skip broadcast/multicast selectors, they are shared and the mark
+ * is set by the socket we use for reinjection */
+ continue;
+ }
+ if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) ||
+ !manage_rule(ipth, "OUTPUT", add, &ipt.e))
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return TRUE;
+}
+
+/**
+ * Check if config is whitelisted to reinject traffic
+ */
+static bool is_reinject_config(private_forecast_listener_t *this, char *name)
+{
+ enumerator_t *enumerator;
+ bool reinject = FALSE;
+ char *token;
+
+ enumerator = enumerator_create_token(this->reinject_configs, ",", " ");
+ while (enumerator->enumerate(enumerator, &token))
+ {
+ if (streq(token, name))
+ {
+ reinject = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return reinject;
+}
+
+/**
+ * Add rules and entry for given CHILD_SA
+ */
+static bool add_entry(private_forecast_listener_t *this,
+ struct iptc_handle *ipth, host_t *lhost, host_t *rhost,
+ child_sa_t *child_sa, bool encap)
+{
+ enumerator_t *enumerator;
+ traffic_selector_t *ts;
+ entry_t *entry;
+
+ INIT(entry,
+ .lts = array_create(0, 0),
+ .rts = array_create(0, 0),
+ .lhost = lhost->clone(lhost),
+ .rhost = rhost->clone(rhost),
+ .spi = child_sa->get_spi(child_sa, TRUE),
+ .encap = encap,
+ .mark = child_sa->get_mark(child_sa, TRUE).value,
+ .reinject = is_reinject_config(this, child_sa->get_name(child_sa)),
+ .broadcast = this->broadcast,
+ );
+
+ enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ array_insert(entry->lts, ARRAY_TAIL, ts->clone(ts));
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ array_insert(entry->rts, ARRAY_TAIL, ts->clone(ts));
+ }
+ enumerator->destroy(enumerator);
+
+ if (manage_pre(ipth, entry, TRUE) &&
+ manage_out(ipth, entry, TRUE))
+ {
+ this->lock->write_lock(this->lock);
+ this->entries->insert_last(this->entries, entry);
+ this->lock->unlock(this->lock);
+ return TRUE;
+ }
+ entry_destroy(entry);
+ return FALSE;
+}
+
+/**
+ * Remove an entry and rules for a given mark
+ */
+static bool remove_entry(private_forecast_listener_t *this,
+ struct iptc_handle *ipth, child_sa_t *child_sa)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ bool done = FALSE;
+
+ this->lock->write_lock(this->lock);
+ enumerator = this->entries->create_enumerator(this->entries);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->mark == child_sa->get_mark(child_sa, TRUE).value)
+ {
+ this->entries->remove_at(this->entries, enumerator);
+ if (manage_pre(ipth, entry, FALSE) &&
+ manage_out(ipth, entry, FALSE))
+ {
+ done = TRUE;
+ }
+ entry_destroy(entry);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ return done;
+}
+
+/**
+ * Initialize iptables handle, log error
+ */
+static struct iptc_handle* init_handle()
+{
+ struct iptc_handle *ipth;
+
+ ipth = iptc_init("mangle");
+ if (ipth)
+ {
+ return ipth;
+ }
+ DBG1(DBG_CFG, "initializing iptables failed: %s", iptc_strerror(errno));
+ return NULL;
+}
+
+/**
+ * Commit iptables rules, log error
+ */
+static bool commit_handle(struct iptc_handle *ipth)
+{
+ if (iptc_commit(ipth))
+ {
+ return TRUE;
+ }
+ DBG1(DBG_CFG, "forecast iptables commit failed: %s", iptc_strerror(errno));
+ return FALSE;
+}
+
+/**
+ * Check if we should handle the given CHILD_SA
+ */
+static bool handle_sa(child_sa_t *child_sa)
+{
+ return child_sa->get_mark(child_sa, TRUE).value &&
+ child_sa->get_mark(child_sa, FALSE).value;
+}
+
+METHOD(listener_t, child_updown, bool,
+ private_forecast_listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ bool up)
+{
+ struct iptc_handle *ipth;
+ host_t *lhost, *rhost;
+ bool encap;
+
+ lhost = ike_sa->get_my_host(ike_sa);
+ rhost = ike_sa->get_other_host(ike_sa);
+ encap = child_sa->has_encap(child_sa);
+
+ if (handle_sa(child_sa))
+ {
+ ipth = init_handle();
+ if (ipth)
+ {
+ if (up)
+ {
+ if (add_entry(this, ipth, lhost, rhost, child_sa, encap))
+ {
+ commit_handle(ipth);
+ }
+ }
+ else
+ {
+ if (remove_entry(this, ipth, child_sa))
+ {
+ commit_handle(ipth);
+ }
+ }
+ iptc_free(ipth);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, child_rekey, bool,
+ private_forecast_listener_t *this, ike_sa_t *ike_sa,
+ child_sa_t *old, child_sa_t *new)
+{
+ struct iptc_handle *ipth;;
+ host_t *lhost, *rhost;
+
+ lhost = ike_sa->get_my_host(ike_sa);
+ rhost = ike_sa->get_other_host(ike_sa);
+
+ if (handle_sa(old))
+ {
+ ipth = init_handle();
+ if (ipth)
+ {
+ if (remove_entry(this, ipth, old) &&
+ add_entry(this, ipth, lhost, rhost, new, new->has_encap(new)))
+ {
+ commit_handle(ipth);
+ }
+ iptc_free(ipth);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_update, bool,
+ private_forecast_listener_t *this, ike_sa_t *ike_sa,
+ bool local, host_t *new)
+{
+ struct iptc_handle *ipth;
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+ host_t *lhost, *rhost;
+ bool encap;
+
+ if (local)
+ {
+ lhost = new;
+ rhost = ike_sa->get_other_host(ike_sa);
+ }
+ else
+ {
+ lhost = ike_sa->get_my_host(ike_sa);
+ rhost = new;
+ }
+ /* during ike_update(), has_encap() on the CHILD_SA has not yet been
+ * updated, but shows the old state. */
+ encap = ike_sa->has_condition(ike_sa, COND_NAT_ANY);
+
+ enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+ while (enumerator->enumerate(enumerator, &child_sa))
+ {
+ if (handle_sa(child_sa))
+ {
+ ipth = init_handle();
+ if (ipth)
+ {
+ if (remove_entry(this, ipth, child_sa) &&
+ add_entry(this, ipth, lhost, rhost, child_sa, encap))
+ {
+ commit_handle(ipth);
+ }
+ iptc_free(ipth);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return TRUE;
+}
+
+/**
+ * Filter to map entries to ts/mark
+ */
+static bool ts_filter(entry_t *entry, traffic_selector_t **ts,
+ traffic_selector_t **out, void *dummy, u_int32_t *mark,
+ void *dummy2, bool *reinject)
+{
+ *out = *ts;
+ *mark = entry->mark;
+ *reinject = entry->reinject;
+ return TRUE;
+}
+
+/**
+ * Create inner enumerator over local traffic selectors
+ */
+static enumerator_t* create_inner_local(entry_t *entry, rwlock_t *lock)
+{
+ return enumerator_create_filter(array_create_enumerator(entry->lts),
+ (void*)ts_filter, entry, NULL);
+}
+
+/**
+ * Create inner enumerator over remote traffic selectors
+ */
+static enumerator_t* create_inner_remote(entry_t *entry, rwlock_t *lock)
+{
+ return enumerator_create_filter(array_create_enumerator(entry->rts),
+ (void*)ts_filter, entry, NULL);
+}
+
+METHOD(forecast_listener_t, create_enumerator, enumerator_t*,
+ private_forecast_listener_t *this, bool local)
+{
+ this->lock->read_lock(this->lock);
+ return enumerator_create_nested(
+ this->entries->create_enumerator(this->entries),
+ (void*)(local ? create_inner_local : create_inner_remote),
+ this->lock, (void*)this->lock->unlock);
+}
+
+METHOD(forecast_listener_t, set_broadcast, void,
+ private_forecast_listener_t *this, host_t *bcast)
+{
+ if (bcast->get_family(bcast) == AF_INET)
+ {
+ struct sockaddr_in *in;
+
+ in = (struct sockaddr_in*)bcast->get_sockaddr(bcast);
+ this->broadcast = in->sin_addr.s_addr;
+ }
+}
+
+METHOD(forecast_listener_t, destroy, void,
+ private_forecast_listener_t *this)
+{
+ this->entries->destroy(this->entries);
+ this->lock->destroy(this->lock);
+ free(this);
+}
+
+/**
+ * See header
+ */
+forecast_listener_t *forecast_listener_create()
+{
+ private_forecast_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .ike_update = _ike_update,
+ .child_updown = _child_updown,
+ .child_rekey = _child_rekey,
+ },
+ .create_enumerator = _create_enumerator,
+ .set_broadcast = _set_broadcast,
+ .destroy = _destroy,
+ },
+ .entries = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .reinject_configs = lib->settings->get_str(lib->settings,
+ "%s.plugins.forecast.reinject", "", lib->ns),
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/forecast/forecast_listener.h b/src/libcharon/plugins/forecast/forecast_listener.h
new file mode 100644
index 000000000..49827ecb1
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_listener.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup forecast_listener forecast_listener
+ * @{ @ingroup forecast
+ */
+
+#ifndef FORECAST_LISTENER_H_
+#define FORECAST_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct forecast_listener_t forecast_listener_t;
+
+/**
+ * Listener to register the set of IPs we forward received multi/broadcasts to.
+ */
+struct forecast_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Create an enumerator over active tunnels.
+ *
+ * The enumerator enumerates over local or remote traffic selectors,
+ * associated firewall marks and if decasulated packets should get
+ * reinjected into other tunnels.
+ *
+ * @param local TRUE to enumerate local, FALSE to enumerate remote TS
+ * @return enumerator over (traffic_selector_t*, u_int, bool)
+ */
+ enumerator_t* (*create_enumerator)(forecast_listener_t *this, bool local);
+
+ /**
+ * Set the broadcast address of the LAN interface.
+ *
+ * @param bcast broadcast address
+ */
+ void (*set_broadcast)(forecast_listener_t *this, host_t *bcast);
+
+ /**
+ * Destroy a forecast_listener_t.
+ */
+ void (*destroy)(forecast_listener_t *this);
+};
+
+/**
+ * Create a forecast_listener instance.
+ */
+forecast_listener_t *forecast_listener_create();
+
+#endif /** FORECAST_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/forecast/forecast_plugin.c b/src/libcharon/plugins/forecast/forecast_plugin.c
new file mode 100644
index 000000000..a129b76b2
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_plugin.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "forecast_plugin.h"
+#include "forecast_listener.h"
+#include "forecast_forwarder.h"
+
+#include <daemon.h>
+
+typedef struct private_forecast_plugin_t private_forecast_plugin_t;
+
+/**
+ * Private data of forecast plugin
+ */
+struct private_forecast_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ forecast_plugin_t public;
+
+ /**
+ * Listener registering active tunnels
+ */
+ forecast_listener_t *listener;
+
+ /**
+ * Broadcast/Multicast sniffer and forwarder
+ */
+ forecast_forwarder_t *forwarder;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_forecast_plugin_t *this)
+{
+ return "forecast";
+}
+
+/**
+ * Register plugin features
+ */
+static bool register_forecast(private_forecast_plugin_t *this,
+ plugin_feature_t *feature, bool reg, void *data)
+{
+ if (reg)
+ {
+ this->forwarder = forecast_forwarder_create(this->listener);
+ if (!this->forwarder)
+ {
+ return FALSE;
+ }
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+ }
+ else
+ {
+ charon->bus->remove_listener(charon->bus, &this->listener->listener);
+ this->forwarder->destroy(this->forwarder);
+ }
+ return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+ private_forecast_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK((plugin_feature_callback_t)register_forecast, NULL),
+ PLUGIN_PROVIDE(CUSTOM, "forecast"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_forecast_plugin_t *this)
+{
+ this->listener->destroy(this->listener);
+ free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *forecast_plugin_create()
+{
+ private_forecast_plugin_t *this;
+
+ if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+ {
+ DBG1(DBG_NET, "forecast plugin requires CAP_NET_RAW capability");
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .reload = (void*)return_false,
+ .destroy = _destroy,
+ },
+ },
+ .listener = forecast_listener_create(),
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/forecast/forecast_plugin.h b/src/libcharon/plugins/forecast/forecast_plugin.h
new file mode 100644
index 000000000..739ca4d79
--- /dev/null
+++ b/src/libcharon/plugins/forecast/forecast_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010-2014 Martin Willi
+ * Copyright (C) 2010-2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup forecast forecast
+ * @ingroup cplugins
+ *
+ * @defgroup forecast_plugin forecast_plugin
+ * @{ @ingroup forecast
+ */
+
+#ifndef FORECAST_PLUGIN_H_
+#define FORECAST_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct forecast_plugin_t forecast_plugin_t;
+
+/**
+ * Broadcast/Multicast forwarding plugin.
+ */
+struct forecast_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** FORECAST_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index aa5bdb747..de74f88cc 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index dd55fae8b..2b271a8e7 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -170,7 +170,7 @@ static bool responsible_for(private_ha_attribute_t *this, int bit)
}
METHOD(attribute_provider_t, acquire_address, host_t*,
- private_ha_attribute_t *this, linked_list_t *pools, identification_t *id,
+ private_ha_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
host_t *requested)
{
enumerator_t *enumerator;
@@ -233,7 +233,7 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
METHOD(attribute_provider_t, release_address, bool,
private_ha_attribute_t *this, linked_list_t *pools, host_t *address,
- identification_t *id)
+ ike_sa_t *ike_sa)
{
enumerator_t *enumerator;
pool_t *pool;
diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c
index 60e75fc7e..6c1b3471d 100644
--- a/src/libcharon/plugins/ha/ha_cache.c
+++ b/src/libcharon/plugins/ha/ha_cache.c
@@ -196,9 +196,26 @@ static status_t rekey_children(ike_sa_t *ike_sa)
enumerator_t *enumerator;
child_sa_t *child_sa;
status_t status = SUCCESS;
+ linked_list_t *children;
+ struct {
+ protocol_id_t protocol;
+ u_int32_t spi;
+ } *info;
+ children = linked_list_create();
enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
- while (enumerator->enumerate(enumerator, (void**)&child_sa))
+ while (enumerator->enumerate(enumerator, &child_sa))
+ {
+ INIT(info,
+ .protocol = child_sa->get_protocol(child_sa),
+ .spi = child_sa->get_spi(child_sa, TRUE),
+ );
+ children->insert_last(children, info);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = children->create_enumerator(children);
+ while (enumerator->enumerate(enumerator, &info))
{
if (ike_sa->supports_extension(ike_sa, EXT_MS_WINDOWS) &&
ike_sa->has_condition(ike_sa, COND_NAT_THERE))
@@ -207,17 +224,13 @@ static status_t rekey_children(ike_sa_t *ike_sa)
* with an "invalid situation" error. We just close the CHILD_SA,
* Windows will reestablish it immediately if required. */
DBG1(DBG_CFG, "resyncing CHILD_SA using a delete");
- status = ike_sa->delete_child_sa(ike_sa,
- child_sa->get_protocol(child_sa),
- child_sa->get_spi(child_sa, TRUE),
+ status = ike_sa->delete_child_sa(ike_sa, info->protocol, info->spi,
FALSE);
}
else
{
DBG1(DBG_CFG, "resyncing CHILD_SA using a rekey");
- status = ike_sa->rekey_child_sa(ike_sa,
- child_sa->get_protocol(child_sa),
- child_sa->get_spi(child_sa, TRUE));
+ status = ike_sa->rekey_child_sa(ike_sa, info->protocol, info->spi);
}
if (status == DESTROY_ME)
{
@@ -225,6 +238,8 @@ static status_t rekey_children(ike_sa_t *ike_sa)
}
}
enumerator->destroy(enumerator);
+ children->destroy_function(children, free);
+
return status;
}
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c
index c166d72ac..17f2d50d1 100644
--- a/src/libcharon/plugins/ha/ha_child.c
+++ b/src/libcharon/plugins/ha/ha_child.c
@@ -97,7 +97,7 @@ METHOD(listener_t, child_keys, bool,
}
m->add_attribute(m, HA_NONCE_I, nonce_i);
m->add_attribute(m, HA_NONCE_R, nonce_r);
- if (dh && dh->get_shared_secret(dh, &secret) == SUCCESS)
+ if (dh && dh->get_shared_secret(dh, &secret))
{
m->add_attribute(m, HA_SECRET, secret);
chunk_clear(&secret);
@@ -128,7 +128,7 @@ METHOD(listener_t, child_keys, bool,
ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE));
DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R "
"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
- child_sa->get_reqid(child_sa), local_ts, remote_ts,
+ child_sa->get_unique_id(child_sa), local_ts, remote_ts,
seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c
index e20e872c1..31eeb934e 100644
--- a/src/libcharon/plugins/ha/ha_dispatcher.c
+++ b/src/libcharon/plugins/ha/ha_dispatcher.c
@@ -81,17 +81,18 @@ struct ha_diffie_hellman_t {
chunk_t pub;
};
-METHOD(diffie_hellman_t, dh_get_shared_secret, status_t,
+METHOD(diffie_hellman_t, dh_get_shared_secret, bool,
ha_diffie_hellman_t *this, chunk_t *secret)
{
*secret = chunk_clone(this->secret);
- return SUCCESS;
+ return TRUE;
}
-METHOD(diffie_hellman_t, dh_get_my_public_value, void,
+METHOD(diffie_hellman_t, dh_get_my_public_value, bool,
ha_diffie_hellman_t *this, chunk_t *value)
{
*value = chunk_clone(this->pub);
+ return TRUE;
}
METHOD(diffie_hellman_t, dh_destroy, void,
@@ -373,6 +374,9 @@ static void process_ike_update(private_ha_dispatcher_t *this,
else
{
DBG1(DBG_IKE, "HA is missing nodes peer configuration");
+ charon->ike_sa_manager->checkin_and_destroy(
+ charon->ike_sa_manager, ike_sa);
+ ike_sa = NULL;
}
break;
case HA_EXTENSIONS:
@@ -718,7 +722,8 @@ static void process_child_add(private_ha_dispatcher_t *this,
child_sa = child_sa_create(ike_sa->get_my_host(ike_sa),
ike_sa->get_other_host(ike_sa), config, 0,
- ike_sa->has_condition(ike_sa, COND_NAT_ANY));
+ ike_sa->has_condition(ike_sa, COND_NAT_ANY),
+ 0, 0);
child_sa->set_mode(child_sa, mode);
child_sa->set_protocol(child_sa, PROTO_ESP);
child_sa->set_ipcomp(child_sa, ipcomp);
@@ -835,7 +840,7 @@ static void process_child_add(private_ha_dispatcher_t *this,
DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R "
"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
- child_sa->get_reqid(child_sa), local_ts, remote_ts,
+ child_sa->get_unique_id(child_sa), local_ts, remote_ts,
seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");
child_sa->add_policies(child_sa, local_ts, remote_ts);
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 442a3a23d..6b4b53c9c 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -84,7 +84,7 @@ METHOD(listener_t, ike_keys, bool,
{ /* do not sync SA between nodes */
return TRUE;
}
- if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+ if (!dh->get_shared_secret(dh, &secret))
{
return TRUE;
}
@@ -127,9 +127,11 @@ METHOD(listener_t, ike_keys, bool,
chunk_clear(&secret);
if (ike_sa->get_version(ike_sa) == IKEV1)
{
- dh->get_my_public_value(dh, &secret);
- m->add_attribute(m, HA_LOCAL_DH, secret);
- chunk_free(&secret);
+ if (dh->get_my_public_value(dh, &secret))
+ {
+ m->add_attribute(m, HA_LOCAL_DH, secret);
+ chunk_free(&secret);
+ }
m->add_attribute(m, HA_REMOTE_DH, dh_other);
if (shared)
{
diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c
index 493cad5ec..a58377bab 100644
--- a/src/libcharon/plugins/ha/ha_plugin.c
+++ b/src/libcharon/plugins/ha/ha_plugin.c
@@ -25,7 +25,6 @@
#include "ha_attribute.h"
#include <daemon.h>
-#include <hydra.h>
#include <config/child_cfg.h>
typedef struct private_ha_plugin_t private_ha_plugin_t;
@@ -108,13 +107,13 @@ static bool plugin_cb(private_ha_plugin_t *this,
charon->bus->add_listener(charon->bus, &this->segments->listener);
charon->bus->add_listener(charon->bus, &this->ike->listener);
charon->bus->add_listener(charon->bus, &this->child->listener);
- hydra->attributes->add_provider(hydra->attributes,
- &this->attr->provider);
+ charon->attributes->add_provider(charon->attributes,
+ &this->attr->provider);
}
else
{
- hydra->attributes->remove_provider(hydra->attributes,
- &this->attr->provider);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->attr->provider);
charon->bus->remove_listener(charon->bus, &this->segments->listener);
charon->bus->remove_listener(charon->bus, &this->ike->listener);
charon->bus->remove_listener(charon->bus, &this->child->listener);
@@ -224,4 +223,3 @@ plugin_t *ha_plugin_create()
return &this->public.plugin;
}
-
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index bd3fd63aa..f98e78ffc 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index 7e1f79bd8..7a2583d06 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index c961c0bd8..6b6c95688 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
index bd07a67a2..6246dc505 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -222,10 +222,10 @@ static inline bool policy_entry_equals(policy_entry_t *a,
/**
* Expiration callback
*/
-static void expire(u_int32_t reqid, u_int8_t protocol, u_int32_t spi, bool hard)
+static void expire(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard)
{
- hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
- spi, hard);
+ hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+ spi, dst, hard);
}
METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
@@ -236,14 +236,14 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t *spi)
{
- return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, reqid, spi);
+ return ipsec->sas->get_spi(ipsec->sas, src, dst, protocol, spi);
}
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_kernel_libipsec_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+ u_int16_t *cpi)
{
return NOT_SUPPORTED;
}
@@ -254,13 +254,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts)
{
return ipsec->sas->add_sa(ipsec->sas, src, dst, spi, protocol, reqid, mark,
tfc, lifetime, enc_alg, enc_key, int_alg, int_key,
- mode, ipcomp, cpi, initiator, encap, esn, inbound,
- src_ts, dst_ts);
+ mode, ipcomp, cpi, initiator, encap, esn,
+ inbound, update);
}
METHOD(kernel_ipsec_t, update_sa, status_t,
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
index 6ce1d4eb0..830954e11 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_router.c
@@ -131,35 +131,6 @@ static void deliver_plain(private_kernel_libipsec_router_t *this,
}
/**
- * Create an FD set covering all TUN devices and the read end of the notify pipe
- */
-static int collect_fds(private_kernel_libipsec_router_t *this, fd_set *fds)
-{
- enumerator_t *enumerator;
- tun_entry_t *entry;
- int maxfd;
-
- FD_ZERO(fds);
- FD_SET(this->notify[0], fds);
- maxfd = this->notify[0];
-
- FD_SET(this->tun.fd, fds);
- maxfd = max(maxfd, this->tun.fd);
-
- this->lock->read_lock(this->lock);
- enumerator = this->tuns->create_enumerator(this->tuns);
- while (enumerator->enumerate(enumerator, NULL, &entry))
- {
- FD_SET(entry->fd, fds);
- maxfd = max(maxfd, entry->fd);
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-
- return maxfd + 1;
-}
-
-/**
* Read and process outbound plaintext packet for the given TUN device
*/
static void process_plain(tun_device_t *tun)
@@ -183,29 +154,20 @@ static void process_plain(tun_device_t *tun)
}
/**
- * Handle waiting data for any TUN device
+ * Find flagged revents in a pollfd set by fd
*/
-static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds)
+static int find_revents(struct pollfd *pfd, int count, int fd)
{
- enumerator_t *enumerator;
- tun_entry_t *entry;
+ int i;
- if (FD_ISSET(this->tun.fd, fds))
+ for (i = 0; i < count; i++)
{
- process_plain(this->tun.tun);
- }
-
- this->lock->read_lock(this->lock);
- enumerator = this->tuns->create_enumerator(this->tuns);
- while (enumerator->enumerate(enumerator, NULL, &entry))
- {
- if (FD_ISSET(entry->fd, fds))
+ if (pfd[i].fd == fd)
{
- process_plain(entry->tun);
+ return pfd[i].revents;
}
}
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
+ return 0;
}
/**
@@ -213,28 +175,68 @@ static void handle_tuns(private_kernel_libipsec_router_t *this, fd_set *fds)
*/
static job_requeue_t handle_plain(private_kernel_libipsec_router_t *this)
{
+ enumerator_t *enumerator;
+ tun_entry_t *entry;
bool oldstate;
- fd_set fds;
- int maxfd;
+ int count = 0;
+ char buf[1];
+ struct pollfd *pfd;
+
+ this->lock->read_lock(this->lock);
- maxfd = collect_fds(this, &fds);
+ pfd = alloca(sizeof(*pfd) * (this->tuns->get_count(this->tuns) + 2));
+ pfd[count].fd = this->notify[0];
+ pfd[count].events = POLLIN;
+ count++;
+ pfd[count].fd = this->tun.fd;
+ pfd[count].events = POLLIN;
+ count++;
+
+ enumerator = this->tuns->create_enumerator(this->tuns);
+ while (enumerator->enumerate(enumerator, NULL, &entry))
+ {
+ pfd[count].fd = entry->fd;
+ pfd[count].events = POLLIN;
+ count++;
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
oldstate = thread_cancelability(TRUE);
- if (select(maxfd, &fds, NULL, NULL, NULL) <= 0)
+ if (poll(pfd, count, -1) <= 0)
{
thread_cancelability(oldstate);
return JOB_REQUEUE_FAIR;
}
thread_cancelability(oldstate);
- if (FD_ISSET(this->notify[0], &fds))
- { /* list of TUN devices changed, read notification data, rebuild FDs */
- char buf[1];
- while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf));
+ if (pfd[0].revents & POLLIN)
+ {
+ /* list of TUN devices changed, read notification data, rebuild FDs */
+ while (read(this->notify[0], &buf, sizeof(buf)) == sizeof(buf))
+ {
+ /* nop */
+ }
return JOB_REQUEUE_DIRECT;
}
- handle_tuns(this, &fds);
+ if (pfd[1].revents & POLLIN)
+ {
+ process_plain(this->tun.tun);
+ }
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->tuns->create_enumerator(this->tuns);
+ while (enumerator->enumerate(enumerator, NULL, &entry))
+ {
+ if (find_revents(pfd, count, entry->fd) & POLLIN)
+ {
+ process_plain(entry->tun);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
return JOB_REQUEUE_DIRECT;
}
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index 1c92e30fc..efb214b88 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -237,6 +237,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -297,10 +298,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -374,6 +377,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
index 41f85ba5c..2e31aa151 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.c
@@ -54,6 +54,24 @@ const GUID FWPM_LAYER_IPFORWARD_V4 = {
const GUID FWPM_LAYER_IPFORWARD_V6 = {
0x7b964818, 0x19c7, 0x493a, { 0xb7,0x1f,0x83,0x2c,0x36,0x84,0xd2,0x8c }
};
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V4 = {
+ 0xc38d57d1, 0x05a7, 0x4c33, { 0x90,0x4f,0x7f,0xbc,0xee,0xe6,0x0e,0x82 }
+};
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V6 = {
+ 0x4a72393b, 0x319f, 0x44bc, { 0x84,0xc3,0xba,0x54,0xdc,0xb3,0xb6,0xb4 }
+};
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4 = {
+ 0xe1cd9fe7, 0xf4b5, 0x4273, { 0x96,0xc0,0x59,0x2e,0x48,0x7b,0x86,0x50 }
+};
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6 = {
+ 0xa3b42c97, 0x9f04, 0x4672, { 0xb8,0x7e,0xce,0xe9,0xc4,0x83,0x25,0x7f }
+};
+const GUID FWPM_SUBLAYER_IPSEC_TUNNEL = {
+ 0x83f299ed, 0x9ff4, 0x4967, { 0xaf,0xf4,0xc3,0x09,0xf4,0xda,0xb8,0x27 }
+};
+const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL = {
+ 0xa5082e73, 0x8f71, 0x4559, { 0x8a,0x9a,0x10,0x1c,0xea,0x04,0xef,0x87 }
+};
const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 = {
0x5132900d, 0x5e84, 0x4b5f, { 0x80,0xe4,0x01,0x74,0x1e,0x81,0xff,0x10 }
};
@@ -90,6 +108,24 @@ const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 = {
const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 = {
0xdae640cc, 0xe021, 0x4bee, { 0x9e,0xb6,0xa4,0x8b,0x27,0x5c,0x8c,0x1d }
};
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4 = {
+ 0x6ac141fc, 0xf75d, 0x4203, { 0xb9,0xc8,0x48,0xe6,0x14,0x9c,0x27,0x12 }
+};
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6 = {
+ 0x4c0dda05, 0xe31f, 0x4666, { 0x90,0xb0,0xb3,0xdf,0xad,0x34,0x12,0x9a }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4 = {
+ 0x3df6e7de, 0xfd20, 0x48f2, { 0x9f,0x26,0xf8,0x54,0x44,0x4c,0xba,0x79 }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6 = {
+ 0xa1e392d3, 0x72ac, 0x47bb, { 0x87,0xa7,0x01,0x22,0xc6,0x94,0x34,0xab }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V4 = {
+ 0x7dff309b, 0xba7d, 0x4aba, { 0x91,0xaa,0xae,0x5c,0x66,0x40,0xc9,0x44 }
+};
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V6 = {
+ 0xa9a0d6d9, 0xc58c, 0x474e, { 0x8a,0xeb,0x3c,0xfe,0x99,0xd6,0xd5,0x3d }
+};
/**
* Load a function symbol from a loaded dll
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
index 50a89a007..a553a0986 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_compat.h
@@ -127,6 +127,10 @@ const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V4;
const GUID FWPM_LAYER_OUTBOUND_TRANSPORT_V6;
const GUID FWPM_LAYER_IPFORWARD_V4;
const GUID FWPM_LAYER_IPFORWARD_V6;
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V4;
+const GUID FWPM_LAYER_ALE_AUTH_CONNECT_V6;
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4;
+const GUID FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6;
const GUID FWPM_SUBLAYER_IPSEC_TUNNEL;
const GUID FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL;
const GUID FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4;
@@ -141,6 +145,12 @@ const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4;
const GUID FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6;
const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4;
const GUID FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6;
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4;
+const GUID FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V4;
+const GUID FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V6;
/* integrity config, missing in some MinGW versions */
#ifndef IPSEC_AUTH_CONFIG_HMAC_MD5_96
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index c788bfb10..b38ded846 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -26,6 +26,8 @@
#include <collections/hashtable.h>
#include <processing/jobs/callback_job.h>
+#define IPPROTO_IPIP 4
+#define IPPROTO_IPV6 41
typedef struct private_kernel_wfp_ipsec_t private_kernel_wfp_ipsec_t;
@@ -188,6 +190,14 @@ typedef struct {
u_int64_t provider;
/** WFP allocated LUID for SA context */
u_int64_t sa_id;
+ /** WFP allocated LUID for tunnel mode IP-IPv4 inbound filter */
+ u_int64_t ip_ipv4_in;
+ /** WFP allocated LUID for tunnel mode IP-IPv4 outbound filter */
+ u_int64_t ip_ipv4_out;
+ /** WFP allocated LUID for tunnel mode IP-IPv6 inbound filter */
+ u_int64_t ip_ipv6_in;
+ /** WFP allocated LUID for tunnel mode IP-IPv6 outbound filter */
+ u_int64_t ip_ipv6_out;
} entry_t;
/**
@@ -285,6 +295,22 @@ static void cleanup_policies(private_kernel_wfp_ipsec_t *this, entry_t *entry)
*/
static void entry_destroy(private_kernel_wfp_ipsec_t *this, entry_t *entry)
{
+ if (entry->ip_ipv4_in)
+ {
+ FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_in);
+ }
+ if (entry->ip_ipv4_out)
+ {
+ FwpmFilterDeleteById0(this->handle, entry->ip_ipv4_out);
+ }
+ if (entry->ip_ipv6_in)
+ {
+ FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_in);
+ }
+ if (entry->ip_ipv6_out)
+ {
+ FwpmFilterDeleteById0(this->handle, entry->ip_ipv6_out);
+ }
if (entry->sa_id)
{
IPsecSaContextDeleteById0(this->handle, entry->sa_id);
@@ -553,49 +579,58 @@ static void free_conditions(FWPM_FILTER_CONDITION0 *conds, int count)
* Find the callout GUID for given parameters
*/
static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
- GUID *layer, GUID *sublayer, GUID *callout)
+ bool ale, GUID *layer, GUID *sublayer, GUID *callout)
{
struct {
bool tunnel;
bool v6;
bool inbound;
bool forward;
+ bool ale;
const GUID *layer;
const GUID *sublayer;
const GUID *callout;
} map[] = {
- { 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL,
- &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 },
- { 0, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL,
- &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 },
- { 0, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL,
- &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 },
- { 0, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL,
- &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 },
- { 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
- &FWPM_SUBLAYER_IPSEC_TUNNEL,
- &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 },
- { 1, 0, 0, 1, &FWPM_LAYER_IPFORWARD_V4,
- &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
- &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 },
- { 1, 0, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4,
- &FWPM_SUBLAYER_IPSEC_TUNNEL,
- &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 },
- { 1, 0, 1, 1, &FWPM_LAYER_IPFORWARD_V4,
- &FWPM_SUBLAYER_IPSEC_TUNNEL,
- &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 },
- { 1, 1, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
- &FWPM_SUBLAYER_IPSEC_TUNNEL,
- &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 },
- { 1, 1, 0, 1, &FWPM_LAYER_IPFORWARD_V6,
- &FWPM_SUBLAYER_IPSEC_TUNNEL,
- &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 },
- { 1, 1, 1, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6,
- &FWPM_SUBLAYER_IPSEC_TUNNEL,
- &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 },
- { 1, 1, 1, 1, &FWPM_LAYER_IPFORWARD_V6,
- &FWPM_SUBLAYER_IPSEC_TUNNEL,
- &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 },
+ { 0, 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4, NULL,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V4 },
+ { 0, 0, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4, NULL,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V4 },
+ { 0, 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6, NULL,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V6 },
+ { 0, 1, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6, NULL,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V6 },
+ { 1, 0, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V4,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V4 },
+ { 1, 0, 0, 1, 0, &FWPM_LAYER_IPFORWARD_V4,
+ &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V4 },
+ { 1, 0, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V4,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V4 },
+ { 1, 0, 1, 1, 0, &FWPM_LAYER_IPFORWARD_V4,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V4 },
+ { 1, 0, 0, 0, 1, &FWPM_LAYER_ALE_AUTH_CONNECT_V4, NULL,
+ &FWPM_CALLOUT_IPSEC_ALE_CONNECT_V4 },
+ { 1, 0, 1, 0, 1, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4, NULL,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V4},
+ { 1, 1, 0, 0, 0, &FWPM_LAYER_OUTBOUND_TRANSPORT_V6,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_OUTBOUND_TUNNEL_V6 },
+ { 1, 1, 0, 1, 0, &FWPM_LAYER_IPFORWARD_V6,
+ &FWPM_SUBLAYER_IPSEC_FORWARD_OUTBOUND_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_FORWARD_OUTBOUND_TUNNEL_V6 },
+ { 1, 1, 1, 0, 0, &FWPM_LAYER_INBOUND_TRANSPORT_V6,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_V6 },
+ { 1, 1, 1, 1, 0, &FWPM_LAYER_IPFORWARD_V6,
+ &FWPM_SUBLAYER_IPSEC_TUNNEL,
+ &FWPM_CALLOUT_IPSEC_FORWARD_INBOUND_TUNNEL_V6 },
+ { 1, 1, 0, 0, 1, &FWPM_LAYER_ALE_AUTH_CONNECT_V6, NULL,
+ &FWPM_CALLOUT_IPSEC_ALE_CONNECT_V6 },
+ { 1, 1, 1, 0, 1, &FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V6, NULL,
+ &FWPM_CALLOUT_IPSEC_INBOUND_TUNNEL_ALE_ACCEPT_V6},
};
int i;
@@ -604,7 +639,8 @@ static bool find_callout(bool tunnel, bool v6, bool inbound, bool forward,
if (tunnel == map[i].tunnel &&
v6 == map[i].v6 &&
inbound == map[i].inbound &&
- forward == map[i].forward)
+ forward == map[i].forward &&
+ ale == map[i].ale)
{
*callout = *map[i].callout;
*layer = *map[i].layer;
@@ -647,7 +683,7 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp,
}
v6 = sp->src->get_type(sp->src) == TS_IPV6_ADDR_RANGE;
- if (!find_callout(context != NULL, v6, inbound, fwd,
+ if (!find_callout(context != NULL, v6, inbound, fwd, FALSE,
&filter.layerKey, &filter.subLayerKey,
&filter.action.calloutKey))
{
@@ -688,8 +724,73 @@ static bool install_sp(private_kernel_wfp_ipsec_t *this, sp_entry_t *sp,
free_conditions(conds, count);
if (res != ERROR_SUCCESS)
{
- DBG1(DBG_KNL, "installing %s%sbound WFP filter failed: 0x%08x",
- fwd ? "forward " : "", inbound ? "in" : "out", res);
+ DBG1(DBG_KNL, "installing IPv%d %s%sbound %s WFP filter failed: 0x%08x",
+ v6 ? 6 : 4, fwd ? "forward " : "", inbound ? "in" : "out",
+ context ? "tunnel" : "transport", res);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Install an IP-IP allow filter for SA specific hosts
+ */
+static bool install_ipip_ale(private_kernel_wfp_ipsec_t *this,
+ host_t *local, host_t *remote, GUID *context,
+ bool inbound, int proto, u_int64_t *filter_id)
+{
+ traffic_selector_t *lts, *rts;
+ FWPM_FILTER_CONDITION0 *conds = NULL;
+ int count = 0;
+ bool v6;
+ DWORD res;
+ FWPM_FILTER0 filter = {
+ .displayData = {
+ .name = L"charon IPsec IP-in-IP ALE policy",
+ },
+ .action = {
+ .type = FWP_ACTION_CALLOUT_TERMINATING,
+ },
+ };
+
+ if (context)
+ {
+ filter.flags |= FWPM_FILTER_FLAG_HAS_PROVIDER_CONTEXT;
+ filter.providerKey = (GUID*)&this->provider.providerKey;
+ filter.providerContextKey = *context;
+ }
+
+ v6 = local->get_family(local) == AF_INET6;
+ if (!find_callout(TRUE, v6, inbound, FALSE, TRUE, &filter.layerKey,
+ &filter.subLayerKey, &filter.action.calloutKey))
+ {
+ return FALSE;
+ }
+
+ lts = traffic_selector_create_from_subnet(local->clone(local),
+ v6 ? 128 : 32 , proto, 0, 65535);
+ rts = traffic_selector_create_from_subnet(remote->clone(remote),
+ v6 ? 128 : 32 , proto, 0, 65535);
+ if (!ts2condition(lts, &FWPM_CONDITION_IP_LOCAL_ADDRESS, &conds, &count) ||
+ !ts2condition(rts, &FWPM_CONDITION_IP_REMOTE_ADDRESS, &conds, &count))
+ {
+ free_conditions(conds, count);
+ lts->destroy(lts);
+ rts->destroy(rts);
+ return FALSE;
+ }
+ lts->destroy(lts);
+ rts->destroy(rts);
+
+ filter.numFilterConditions = count;
+ filter.filterCondition = conds;
+
+ res = FwpmFilterAdd0(this->handle, &filter, NULL, filter_id);
+ free_conditions(conds, count);
+ if (res != ERROR_SUCCESS)
+ {
+ DBG1(DBG_KNL, "installing IP-IPv%d %s ALE WFP filter failed: 0x%08x",
+ v6 ? 6 : 4, inbound ? "inbound" : "outbound", res);
return FALSE;
}
return TRUE;
@@ -703,10 +804,21 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this,
{
enumerator_t *enumerator;
sp_entry_t *sp;
+ bool has_v4 = FALSE, has_v6 = FALSE;
enumerator = array_create_enumerator(entry->sps);
while (enumerator->enumerate(enumerator, &sp))
{
+ switch (sp->src->get_type(sp->src))
+ {
+ case TS_IPV4_ADDR_RANGE:
+ has_v4 = TRUE;
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ has_v6 = TRUE;
+ break;
+ }
+
/* inbound policy */
if (!install_sp(this, sp, context, TRUE, FALSE, &sp->policy_in))
{
@@ -719,21 +831,22 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this,
enumerator->destroy(enumerator);
return FALSE;
}
+
if (context)
{
if (!sp->src->is_host(sp->src, entry->local) ||
!sp->dst->is_host(sp->dst, entry->remote))
{
/* inbound forward policy, from decapsulation */
- if (!install_sp(this, sp, context,
- TRUE, TRUE, &sp->policy_fwd_in))
+ if (!install_sp(this, sp, context, TRUE, TRUE,
+ &sp->policy_fwd_in))
{
enumerator->destroy(enumerator);
return FALSE;
}
/* outbound forward policy, to encapsulate */
- if (!install_sp(this, sp, context,
- FALSE, TRUE, &sp->policy_fwd_out))
+ if (!install_sp(this, sp, context, FALSE, TRUE,
+ &sp->policy_fwd_out))
{
enumerator->destroy(enumerator);
return FALSE;
@@ -743,6 +856,38 @@ static bool install_sps(private_kernel_wfp_ipsec_t *this,
}
enumerator->destroy(enumerator);
+ if (context)
+ {
+ /* In tunnel mode, Windows does firewall filtering on decrypted but
+ * non-unwrapped packets: It sees them as IP-in-IP packets. When using
+ * a default-drop policy, we need to allow such packets explicitly. */
+ if (has_v4)
+ {
+ if (!install_ipip_ale(this, entry->local, entry->remote, context,
+ TRUE, IPPROTO_IPIP, &entry->ip_ipv4_in))
+ {
+ return FALSE;
+ }
+ if (!install_ipip_ale(this, entry->local, entry->remote, NULL,
+ FALSE, IPPROTO_IPIP, &entry->ip_ipv4_out))
+ {
+ return FALSE;
+ }
+ }
+ if (has_v6)
+ {
+ if (!install_ipip_ale(this, entry->local, entry->remote, context,
+ TRUE, IPPROTO_IPV6, &entry->ip_ipv6_in))
+ {
+ return FALSE;
+ }
+ if (!install_ipip_ale(this, entry->local, entry->remote, NULL,
+ FALSE, IPPROTO_IPV6, &entry->ip_ipv6_out))
+ {
+ return FALSE;
+ }
+ }
+ }
return TRUE;
}
@@ -1583,8 +1728,20 @@ static void WINAPI event_callback(void *user, const FWPM_NET_EVENT1 *event)
acquire(this, event->classifyDrop->filterId, local, remote);
break;
case FWPM_NET_EVENT_TYPE_IKEEXT_MM_FAILURE:
+ DBG1(DBG_KNL, "WFP MM failure: %R === %R, 0x%08x, filterId %llu",
+ local, remote, event->ikeMmFailure->failureErrorCode,
+ event->ikeMmFailure->mmFilterId);
+ break;
case FWPM_NET_EVENT_TYPE_IKEEXT_QM_FAILURE:
+ DBG1(DBG_KNL, "WFP QM failure: %R === %R, 0x%08x, filterId %llu",
+ local, remote, event->ikeQmFailure->failureErrorCode,
+ event->ikeQmFailure->qmFilterId);
+ break;
case FWPM_NET_EVENT_TYPE_IKEEXT_EM_FAILURE:
+ DBG1(DBG_KNL, "WFP EM failure: %R === %R, 0x%08x, filterId %llu",
+ local, remote, event->ikeEmFailure->failureErrorCode,
+ event->ikeEmFailure->qmFilterId);
+ break;
case FWPM_NET_EVENT_TYPE_IPSEC_KERNEL_DROP:
DBG1(DBG_KNL, "IPsec kernel drop: %R === %R, error 0x%08x, "
"SPI 0x%08x, %s filterId %llu", local, remote,
@@ -1824,7 +1981,7 @@ static u_int permute(u_int x, u_int p)
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t *spi)
{
/* To avoid sequencial SPIs, we use a one-to-one permuation function on
* an incrementing counter, that is a full period PRNG for the range we
@@ -1841,7 +1998,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_kernel_wfp_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+ u_int16_t *cpi)
{
return NOT_SUPPORTED;
}
@@ -1875,9 +2032,8 @@ static void expire_data_destroy(expire_data_t *data)
static job_requeue_t expire_job(expire_data_t *data)
{
private_kernel_wfp_ipsec_t *this = data->this;
- u_int32_t reqid = 0;
u_int8_t protocol;
- entry_t *entry;
+ entry_t *entry = NULL;
sa_entry_t key = {
.spi = data->spi,
.dst = data->dst,
@@ -1891,7 +2047,6 @@ static job_requeue_t expire_job(expire_data_t *data)
if (entry)
{
protocol = entry->isa.protocol;
- reqid = entry->reqid;
if (entry->osa.dst)
{
key.dst = entry->osa.dst;
@@ -1908,15 +2063,14 @@ static job_requeue_t expire_job(expire_data_t *data)
if (entry)
{
protocol = entry->isa.protocol;
- reqid = entry->reqid;
}
this->mutex->unlock(this->mutex);
}
- if (reqid)
+ if (entry)
{
- hydra->kernel_interface->expire(hydra->kernel_interface,
- reqid, protocol, data->spi, data->hard);
+ hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+ data->spi, data->dst, data->hard);
}
return JOB_REQUEUE_NONE;
@@ -1949,8 +2103,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts)
{
host_t *local, *remote;
entry_t *entry;
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index db4552dde..7942868f6 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 418dccba5..52dbec53f 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -239,6 +239,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -299,10 +300,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -376,6 +379,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index bc7c0ffbc..8a500635c 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -394,6 +394,28 @@ static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
}
}
}
+ else if (strpfx(str, "xauth"))
+ { /* XAuth, use a username */
+ class = AUTH_CLASS_XAUTH;
+ if (*(str + strlen("xauth")) == '-')
+ {
+ auth->add(auth, AUTH_RULE_XAUTH_BACKEND, str + strlen("xauth-"));
+ }
+ if (!id)
+ {
+ if (local && num)
+ {
+ snprintf(buf, sizeof(buf), "cli-%.6d-%.2d", num, rnd);
+ id = identification_create_from_string(buf);
+ }
+ else
+ {
+ id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ }
+ }
+ /* additionally set the ID as XAuth identity */
+ auth->add(auth, AUTH_RULE_XAUTH_IDENTITY, id->clone(id));
+ }
else
{
if (!streq(str, "pubkey"))
@@ -618,7 +640,7 @@ static host_t *allocate_addr(private_load_tester_config_t *this, uint num)
enumerator = this->pools->create_enumerator(this->pools);
while (enumerator->enumerate(enumerator, &pool))
{
- found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW);
+ found = pool->acquire_address(pool, id, requested, MEM_POOL_NEW, NULL);
if (found)
{
iface = (char*)pool->get_name(pool);
diff --git a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
index d5ec3599b..e1c7c0e0b 100644
--- a/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
+++ b/src/libcharon/plugins/load_tester/load_tester_diffie_hellman.c
@@ -15,33 +15,38 @@
#include "load_tester_diffie_hellman.h"
-/**
- * Implementation of gmp_diffie_hellman_t.get_my_public_value.
- */
-static void get_my_public_value(load_tester_diffie_hellman_t *this,
- chunk_t *value)
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+ load_tester_diffie_hellman_t *this, chunk_t *value)
{
*value = chunk_empty;
+ return TRUE;
}
-/**
- * Implementation of gmp_diffie_hellman_t.get_shared_secret.
- */
-static status_t get_shared_secret(load_tester_diffie_hellman_t *this,
- chunk_t *secret)
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+ load_tester_diffie_hellman_t *this, chunk_t value)
+{
+ return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+ load_tester_diffie_hellman_t *this, chunk_t *secret)
{
*secret = chunk_empty;
- return SUCCESS;
+ return TRUE;
}
-/**
- * Implementation of gmp_diffie_hellman_t.get_dh_group.
- */
-static diffie_hellman_group_t get_dh_group(load_tester_diffie_hellman_t *this)
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+ load_tester_diffie_hellman_t *this)
{
return MODP_NULL;
}
+METHOD(diffie_hellman_t, destroy, void,
+ load_tester_diffie_hellman_t *this)
+{
+ free(this);
+}
+
/**
* See header
*/
@@ -55,13 +60,15 @@ load_tester_diffie_hellman_t *load_tester_diffie_hellman_create(
return NULL;
}
- this = malloc_thing(load_tester_diffie_hellman_t);
-
- this->dh.get_shared_secret = (status_t (*)(diffie_hellman_t *, chunk_t *))get_shared_secret;
- this->dh.set_other_public_value = (void (*)(diffie_hellman_t *, chunk_t ))nop;
- this->dh.get_my_public_value = (void (*)(diffie_hellman_t *, chunk_t *))get_my_public_value;
- this->dh.get_dh_group = (diffie_hellman_group_t (*)(diffie_hellman_t *))get_dh_group;
- this->dh.destroy = (void (*)(diffie_hellman_t *))free;
+ INIT(this,
+ .dh = {
+ .get_shared_secret = _get_shared_secret,
+ .set_other_public_value = _set_other_public_value,
+ .get_my_public_value = _get_my_public_value,
+ .get_dh_group = _get_dh_group,
+ .destroy = _destroy,
+ }
+ );
return this;
}
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 3f256ddd0..62d43e302 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
@@ -36,7 +36,7 @@ struct private_load_tester_ipsec_t {
METHOD(kernel_ipsec_t, get_spi, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t *spi)
{
*spi = (uint32_t)ref_get(&this->spi);
return SUCCESS;
@@ -44,7 +44,7 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+ u_int16_t *cpi)
{
return FAILED;
}
@@ -55,8 +55,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts)
{
return SUCCESS;
}
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index f0f2c75f4..264c58ff5 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -235,6 +235,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -295,10 +296,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -372,6 +375,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in
index 3a866e968..76c9012b2 100644
--- a/src/libcharon/plugins/maemo/Makefile.in
+++ b/src/libcharon/plugins/maemo/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index e0f70ce44..35740c369 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index adb61e817..8fe160ef3 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index a0c21c442..9a5e438e1 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_handler.c b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
index 9a3b2701d..d974b57ce 100644
--- a/src/libcharon/plugins/osx_attr/osx_attr_handler.c
+++ b/src/libcharon/plugins/osx_attr/osx_attr_handler.c
@@ -169,7 +169,7 @@ static bool manage_dns(int family, chunk_t data, bool add)
}
METHOD(attribute_handler_t, handle, bool,
- private_osx_attr_handler_t *this, identification_t *id,
+ private_osx_attr_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
switch (type)
@@ -182,7 +182,7 @@ METHOD(attribute_handler_t, handle, bool,
}
METHOD(attribute_handler_t, release, void,
- private_osx_attr_handler_t *this, identification_t *server,
+ private_osx_attr_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
switch (type)
@@ -206,7 +206,7 @@ METHOD(enumerator_t, enumerate_dns, bool,
}
METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
- private_osx_attr_handler_t *this, identification_t *id,
+ private_osx_attr_handler_t *this, ike_sa_t *ike_sa,
linked_list_t *vips)
{
enumerator_t *enumerator;
diff --git a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
index 380483c23..4be9eda5e 100644
--- a/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
+++ b/src/libcharon/plugins/osx_attr/osx_attr_plugin.c
@@ -16,7 +16,6 @@
#include "osx_attr_plugin.h"
#include "osx_attr_handler.h"
-#include <hydra.h>
#include <daemon.h>
typedef struct private_osx_attr_plugin_t private_osx_attr_plugin_t;
@@ -51,13 +50,13 @@ static bool plugin_cb(private_osx_attr_plugin_t *this,
{
if (reg)
{
- hydra->attributes->add_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->add_handler(charon->attributes,
+ &this->handler->handler);
}
else
{
- hydra->attributes->remove_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
}
return TRUE;
}
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 14abba99a..baff3fc76 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am
index 33c3e70fc..9cfc370c0 100644
--- a/src/libhydra/plugins/resolve/Makefile.am
+++ b/src/libcharon/plugins/resolve/Makefile.am
@@ -1,6 +1,7 @@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon \
-DRESOLV_CONF=\"${resolv_conf}\"
AM_CFLAGS = \
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
index 5b4c7bc6a..91479bf52 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -78,7 +78,7 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-subdir = src/libhydra/plugins/resolve
+subdir = src/libcharon/plugins/resolve
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -427,6 +432,7 @@ xml_LIBS = @xml_LIBS@
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon \
-DRESOLV_CONF=\"${resolv_conf}\"
AM_CFLAGS = \
@@ -452,9 +458,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \
$(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile
+ $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c
index 069466ab5..74c3960ff 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libcharon/plugins/resolve/resolve_handler.c
@@ -185,9 +185,10 @@ static bool invoke_resolvconf(private_resolve_handler_t *this,
}
METHOD(attribute_handler_t, handle, bool,
- private_resolve_handler_t *this, identification_t *server,
+ private_resolve_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
+ identification_t *server;
host_t *addr;
bool handled;
@@ -208,6 +209,7 @@ METHOD(attribute_handler_t, handle, bool,
DESTROY_IF(addr);
return FALSE;
}
+ server = ike_sa->get_other_id(ike_sa);
this->mutex->lock(this->mutex);
if (this->use_resolvconf)
@@ -229,9 +231,10 @@ METHOD(attribute_handler_t, handle, bool,
}
METHOD(attribute_handler_t, release, void,
- private_resolve_handler_t *this, identification_t *server,
+ private_resolve_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
+ identification_t *server;
host_t *addr;
int family;
@@ -247,6 +250,7 @@ METHOD(attribute_handler_t, release, void,
return;
}
addr = host_create_from_chunk(family, data, 0);
+ server = ike_sa->get_other_id(ike_sa);
this->mutex->lock(this->mutex);
if (this->use_resolvconf)
@@ -319,7 +323,7 @@ static bool has_host_family(linked_list_t *list, int family)
}
METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
- private_resolve_handler_t *this, identification_t *server,
+ private_resolve_handler_t *this, ike_sa_t *ike_sa,
linked_list_t *vips)
{
attribute_enumerator_t *enumerator;
@@ -374,4 +378,3 @@ resolve_handler_t *resolve_handler_create()
return &this->public;
}
-
diff --git a/src/libhydra/plugins/resolve/resolve_handler.h b/src/libcharon/plugins/resolve/resolve_handler.h
index 77bf9781c..77bf9781c 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.h
+++ b/src/libcharon/plugins/resolve/resolve_handler.h
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libcharon/plugins/resolve/resolve_plugin.c
index 2fef09a49..193c5b602 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.c
+++ b/src/libcharon/plugins/resolve/resolve_plugin.c
@@ -16,7 +16,7 @@
#include "resolve_plugin.h"
#include "resolve_handler.h"
-#include <hydra.h>
+#include <daemon.h>
typedef struct private_resolve_plugin_t private_resolve_plugin_t;
@@ -50,13 +50,13 @@ static bool plugin_cb(private_resolve_plugin_t *this,
{
if (reg)
{
- hydra->attributes->add_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->add_handler(charon->attributes,
+ &this->handler->handler);
}
else
{
- hydra->attributes->remove_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
}
return TRUE;
}
@@ -99,4 +99,3 @@ plugin_t *resolve_plugin_create()
return &this->public.plugin;
}
-
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.h b/src/libcharon/plugins/resolve/resolve_plugin.h
index 0148b10d7..0148b10d7 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.h
+++ b/src/libcharon/plugins/resolve/resolve_plugin.h
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index 7c5b030f4..572e7fc2f 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index 548524a38..25b40995b 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/socket_default/socket_default_socket.c b/src/libcharon/plugins/socket_default/socket_default_socket.c
index 9cc39955b..dbfddbb81 100644
--- a/src/libcharon/plugins/socket_default/socket_default_socket.c
+++ b/src/libcharon/plugins/socket_default/socket_default_socket.c
@@ -141,6 +141,11 @@ struct private_socket_default_socket_t {
* TRUE if the source address should be set on outbound packets
*/
bool set_source;
+
+ /**
+ * A counter to implement round-robin selection of read sockets
+ */
+ u_int rr_counter;
};
METHOD(socket_t, receiver, status_t,
@@ -150,66 +155,43 @@ METHOD(socket_t, receiver, status_t,
chunk_t data;
packet_t *pkt;
host_t *source = NULL, *dest = NULL;
- int bytes_read = 0;
+ int i, rr, index, bytes_read = 0, selected = -1;
bool oldstate;
-
- fd_set rfds;
- int max_fd = 0, selected = 0;
u_int16_t port = 0;
-
- FD_ZERO(&rfds);
-
- if (this->ipv4 != -1)
- {
- FD_SET(this->ipv4, &rfds);
- max_fd = max(max_fd, this->ipv4);
- }
- if (this->ipv4_natt != -1)
- {
- FD_SET(this->ipv4_natt, &rfds);
- max_fd = max(max_fd, this->ipv4_natt);
- }
- if (this->ipv6 != -1)
- {
- FD_SET(this->ipv6, &rfds);
- max_fd = max(max_fd, this->ipv6);
- }
- if (this->ipv6_natt != -1)
- {
- FD_SET(this->ipv6_natt, &rfds);
- max_fd = max(max_fd, this->ipv6_natt);
- }
+ struct pollfd pfd[] = {
+ { .fd = this->ipv4, .events = POLLIN },
+ { .fd = this->ipv4_natt, .events = POLLIN },
+ { .fd = this->ipv6, .events = POLLIN },
+ { .fd = this->ipv6_natt, .events = POLLIN },
+ };
+ int ports[] = {
+ /* port numbers associated to pollfds */
+ this->port, this->natt, this->port, this->natt,
+ };
DBG2(DBG_NET, "waiting for data on sockets");
oldstate = thread_cancelability(TRUE);
- if (select(max_fd + 1, &rfds, NULL, NULL, NULL) <= 0)
+ if (poll(pfd, countof(pfd), -1) <= 0)
{
thread_cancelability(oldstate);
return FAILED;
}
thread_cancelability(oldstate);
- if (this->ipv4 != -1 && FD_ISSET(this->ipv4, &rfds))
+ rr = this->rr_counter++;
+ for (i = 0; i < countof(pfd); i++)
{
- port = this->port;
- selected = this->ipv4;
- }
- if (this->ipv4_natt != -1 && FD_ISSET(this->ipv4_natt, &rfds))
- {
- port = this->natt;
- selected = this->ipv4_natt;
- }
- if (this->ipv6 != -1 && FD_ISSET(this->ipv6, &rfds))
- {
- port = this->port;
- selected = this->ipv6;
- }
- if (this->ipv6_natt != -1 && FD_ISSET(this->ipv6_natt, &rfds))
- {
- port = this->natt;
- selected = this->ipv6_natt;
+ /* To serve all ports with equal priority, we use a round-robin
+ * scheme to choose the one to process in this invocation */
+ index = (rr + i) % countof(pfd);
+ if (pfd[index].revents & POLLIN)
+ {
+ selected = pfd[index].fd;
+ port = ports[index];
+ break;
+ }
}
- if (selected)
+ if (selected != -1)
{
struct msghdr msg;
struct cmsghdr *cmsgptr;
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index 892549c6c..5c010a59a 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index 88b2ac3f0..0c3bf31b9 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 3c132457b..f74257af2 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index d4680186a..a316f5c25 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/stroke/stroke_attribute.c b/src/libcharon/plugins/stroke/stroke_attribute.c
index 0f3c38986..cd1b4d093 100644
--- a/src/libcharon/plugins/stroke/stroke_attribute.c
+++ b/src/libcharon/plugins/stroke/stroke_attribute.c
@@ -94,7 +94,7 @@ static mem_pool_t *find_pool(private_stroke_attribute_t *this, char *name)
*/
static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools,
identification_t *id, host_t *requested,
- mem_pool_op_t operation)
+ mem_pool_op_t operation, host_t *peer)
{
host_t *addr = NULL;
enumerator_t *enumerator;
@@ -107,7 +107,7 @@ static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools,
pool = find_pool(this, name);
if (pool)
{
- addr = pool->acquire_address(pool, id, requested, operation);
+ addr = pool->acquire_address(pool, id, requested, operation, peer);
if (addr)
{
break;
@@ -120,20 +120,24 @@ static host_t *find_addr(private_stroke_attribute_t *this, linked_list_t *pools,
}
METHOD(attribute_provider_t, acquire_address, host_t*,
- private_stroke_attribute_t *this, linked_list_t *pools, identification_t *id,
+ private_stroke_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
host_t *requested)
{
- host_t *addr;
+ identification_t *id;
+ host_t *addr, *peer;
+
+ id = ike_sa->get_other_eap_id(ike_sa);
+ peer = ike_sa->get_other_host(ike_sa);
this->lock->read_lock(this->lock);
- addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING);
+ addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING, peer);
if (!addr)
{
- addr = find_addr(this, pools, id, requested, MEM_POOL_NEW);
+ addr = find_addr(this, pools, id, requested, MEM_POOL_NEW, peer);
if (!addr)
{
- addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN);
+ addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN, peer);
}
}
@@ -144,13 +148,16 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
METHOD(attribute_provider_t, release_address, bool,
private_stroke_attribute_t *this, linked_list_t *pools, host_t *address,
- identification_t *id)
+ ike_sa_t *ike_sa)
{
enumerator_t *enumerator;
+ identification_t *id;
mem_pool_t *pool;
bool found = FALSE;
char *name;
+ id = ike_sa->get_other_eap_id(ike_sa);
+
enumerator = pools->create_enumerator(pools);
this->lock->read_lock(this->lock);
while (enumerator->enumerate(enumerator, &name))
@@ -197,9 +204,8 @@ static bool attr_filter(void *lock, host_t **in,
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
private_stroke_attribute_t *this, linked_list_t *pools,
- identification_t *id, linked_list_t *vips)
+ ike_sa_t *ike_sa, linked_list_t *vips)
{
- ike_sa_t *ike_sa;
peer_cfg_t *peer_cfg;
enumerator_t *enumerator;
attributes_t *attr;
@@ -413,4 +419,3 @@ stroke_attribute_t *stroke_attribute_create()
return &this->public;
}
-
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index f8026875f..b470b81c6 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -120,6 +120,84 @@ static void ca_section_destroy(ca_section_t *this)
}
/**
+ * Data for the certificate enumerator
+ */
+typedef struct {
+ private_stroke_ca_t *this;
+ certificate_type_t cert;
+ key_type_t key;
+ identification_t *id;
+} cert_data_t;
+
+/**
+ * destroy cert_data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+ data->this->lock->unlock(data->this->lock);
+ free(data);
+}
+
+/**
+ * filter function for certs enumerator
+ */
+static bool certs_filter(cert_data_t *data, ca_section_t **in,
+ certificate_t **out)
+{
+ public_key_t *public;
+ certificate_t *cert = (*in)->cert;
+
+ if (data->cert == CERT_ANY || data->cert == cert->get_type(cert))
+ {
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ if (data->key == KEY_ANY || data->key == public->get_type(public))
+ {
+ if (data->id && public->has_fingerprint(public,
+ data->id->get_encoding(data->id)))
+ {
+ public->destroy(public);
+ *out = cert;
+ return TRUE;
+ }
+ }
+ public->destroy(public);
+ }
+ else if (data->key != KEY_ANY)
+ {
+ return FALSE;
+ }
+ if (data->id == NULL || cert->has_subject(cert, data->id))
+ {
+ *out = cert;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
+ private_stroke_ca_t *this, certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ enumerator_t *enumerator;
+ cert_data_t *data;
+
+ INIT(data,
+ .this = this,
+ .cert = cert,
+ .key = key,
+ .id = id,
+ );
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->sections->create_enumerator(this->sections);
+ return enumerator_create_filter(enumerator, (void*)certs_filter, data,
+ (void*)cert_data_destroy);
+}
+
+/**
* data to pass to create_inner_cdp
*/
typedef struct {
@@ -438,7 +516,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
.public = {
.set = {
.create_private_enumerator = (void*)return_null,
- .create_cert_enumerator = (void*)return_null,
+ .create_cert_enumerator = _create_cert_enumerator,
.create_shared_enumerator = (void*)return_null,
.create_cdp_enumerator = _create_cdp_enumerator,
.cache_cert = (void*)nop,
@@ -456,4 +534,3 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
return &this->public;
}
-
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 62967b006..55ec7cdc9 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2014 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -301,7 +301,8 @@ static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
{
enumerator_t *enumerator;
- bool rsa = FALSE, ecdsa = FALSE, rsa_len = FALSE, ecdsa_len = FALSE;
+ bool rsa = FALSE, ecdsa = FALSE, bliss = FALSE,
+ rsa_len = FALSE, ecdsa_len = FALSE, bliss_strength = FALSE;
int strength;
char *token;
@@ -328,9 +329,12 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
{ "sha256", SIGN_ECDSA_256, KEY_ECDSA, },
{ "sha384", SIGN_ECDSA_384, KEY_ECDSA, },
{ "sha512", SIGN_ECDSA_521, KEY_ECDSA, },
+ { "sha256", SIGN_BLISS_WITH_SHA256, KEY_BLISS, },
+ { "sha384", SIGN_BLISS_WITH_SHA384, KEY_BLISS, },
+ { "sha512", SIGN_BLISS_WITH_SHA512, KEY_BLISS, },
};
- if (rsa_len || ecdsa_len)
+ if (rsa_len || ecdsa_len || bliss_strength)
{ /* expecting a key strength token */
strength = atoi(token);
if (strength)
@@ -343,8 +347,12 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
{
cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength);
}
+ else if (bliss_strength)
+ {
+ cfg->add(cfg, AUTH_RULE_BLISS_STRENGTH, (uintptr_t)strength);
+ }
}
- rsa_len = ecdsa_len = FALSE;
+ rsa_len = ecdsa_len = bliss_strength = FALSE;
if (strength)
{
continue;
@@ -360,6 +368,11 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
ecdsa = ecdsa_len = TRUE;
continue;
}
+ if (streq(token, "bliss"))
+ {
+ bliss = bliss_strength = TRUE;
+ continue;
+ }
if (streq(token, "pubkey"))
{
continue;
@@ -376,7 +389,8 @@ static void parse_pubkey_constraints(char *auth, auth_cfg_t *cfg)
*/
if ((rsa && schemes[i].key == KEY_RSA) ||
(ecdsa && schemes[i].key == KEY_ECDSA) ||
- (!rsa && !ecdsa))
+ (bliss && schemes[i].key == KEY_BLISS) ||
+ (!rsa && !ecdsa && !bliss))
{
cfg->add(cfg, AUTH_RULE_SIGNATURE_SCHEME,
(uintptr_t)schemes[i].scheme);
@@ -590,7 +604,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
/* authentication metod (class, actually) */
if (strpfx(auth, "pubkey") ||
strpfx(auth, "rsa") ||
- strpfx(auth, "ecdsa"))
+ strpfx(auth, "ecdsa") ||
+ strpfx(auth, "bliss"))
{
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
build_crl_policy(cfg, local, msg->add_conn.crl_policy);
@@ -620,9 +635,16 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
else if (strpfx(auth, "eap"))
{
eap_vendor_type_t *type;
+ char *pos;
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-
+ /* check for public key constraints for EAP-TLS etc. */
+ pos = strchr(auth, ':');
+ if (pos)
+ {
+ *pos = 0;
+ parse_pubkey_constraints(pos + 1, cfg);
+ }
type = eap_vendor_type_from_string(auth);
if (type)
{
@@ -667,6 +689,24 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
/**
+ * build a mem_pool_t from an address range
+ */
+static mem_pool_t *create_pool_range(char *str)
+{
+ mem_pool_t *pool;
+ host_t *from, *to;
+
+ if (!host_create_from_range(str, &from, &to))
+ {
+ return NULL;
+ }
+ pool = mem_pool_create_range(str, from, to);
+ from->destroy(from);
+ to->destroy(to);
+ return pool;
+}
+
+/**
* build a peer_cfg from a stroke msg
*/
static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
@@ -789,17 +829,25 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
}
else
{
- /* in-memory pool, named using CIDR notation */
+ /* in-memory pool, using range or CIDR notation */
+ mem_pool_t *pool;
host_t *base;
int bits;
- base = host_create_from_subnet(token, &bits);
- if (base)
+ pool = create_pool_range(token);
+ if (!pool)
+ {
+ base = host_create_from_subnet(token, &bits);
+ if (base)
+ {
+ pool = mem_pool_create(token, base, bits);
+ base->destroy(base);
+ }
+ }
+ if (pool)
{
- this->attributes->add_pool(this->attributes,
- mem_pool_create(token, base, bits));
+ this->attributes->add_pool(this->attributes, pool);
peer_cfg->add_pool(peer_cfg, token);
- base->destroy(base);
}
else
{
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index f770d7c9e..0084fbf93 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -352,7 +352,7 @@ METHOD(stroke_control_t, terminate, void,
if (streq(name, child_sa->get_name(child_sa)))
{
child_list->insert_last(child_list,
- (void*)(uintptr_t)child_sa->get_reqid(child_sa));
+ (void*)(uintptr_t)child_sa->get_unique_id(child_sa));
if (!all)
{
break;
@@ -432,13 +432,13 @@ METHOD(stroke_control_t, rekey, void,
while (children->enumerate(children, (void**)&child_sa))
{
if ((name && streq(name, child_sa->get_name(child_sa))) ||
- (id && id == child_sa->get_reqid(child_sa)))
+ (id && id == child_sa->get_unique_id(child_sa)))
{
lib->processor->queue_job(lib->processor,
(job_t*)rekey_child_sa_job_create(
- child_sa->get_reqid(child_sa),
child_sa->get_protocol(child_sa),
- child_sa->get_spi(child_sa, TRUE)));
+ child_sa->get_spi(child_sa, TRUE),
+ ike_sa->get_my_host(ike_sa)));
if (!all)
{
finished = TRUE;
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 83431d17c..5e423f1de 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -70,11 +70,21 @@ struct private_stroke_cred_t {
char *secrets_file;
/**
- * credentials
+ * credentials: end entity certs, attribute certs, CRLs, etc.
*/
mem_cred_t *creds;
/**
+ * CA certificates
+ */
+ mem_cred_t *cacerts;
+
+ /**
+ * Attribute Authority certificates
+ */
+ mem_cred_t *aacerts;
+
+ /**
* ignore missing CA basic constraint (i.e. treat all certificates in
* ipsec.conf ca sections and ipsec.d/cacerts as CA certificates)
*/
@@ -231,7 +241,7 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
}
DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'",
cert->get_subject(cert), filename);
- return this->creds->add_cert_ref(this->creds, TRUE, cert);
+ return this->creds->get_cert_ref(this->creds, cert);
}
return NULL;
}
@@ -374,133 +384,183 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
}
/**
- * load trusted certificates from a directory
+ * Load a CA certificate from disk
*/
-static void load_certdir(private_stroke_cred_t *this, char *path,
- certificate_type_t type, x509_flag_t flag)
+static void load_x509_ca(private_stroke_cred_t *this, char *file)
{
- struct stat st;
- char *file;
-
- enumerator_t *enumerator = enumerator_create_directory(path);
+ certificate_t *cert;
- if (!enumerator)
+ if (this->force_ca_cert)
+ { /* treat certificate as CA cert even it has no CA basic constraint */
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file,
+ BUILD_X509_FLAG, X509_CA, BUILD_END);
+ }
+ else
{
- DBG1(DBG_CFG, " reading directory failed");
- return;
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file, BUILD_END);
}
-
- while (enumerator->enumerate(enumerator, NULL, &file, &st))
+ if (cert)
{
- certificate_t *cert;
+ x509_t *x509 = (x509_t*)cert;
- if (!S_ISREG(st.st_mode))
+ if (!(x509->get_flags(x509) & X509_CA))
{
- /* skip special file */
- continue;
+ DBG1(DBG_CFG, " ca certificate \"%Y\" lacks ca basic constraint, "
+ "discarded", cert->get_subject(cert));
+ cert->destroy(cert);
}
- switch (type)
+ else
{
- case CERT_X509:
- if (flag & X509_CA)
- {
- if (this->force_ca_cert)
- { /* treat this certificate as CA cert even it has no
- * CA basic constraint */
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, file, BUILD_X509_FLAG,
- X509_CA, BUILD_END);
- }
- else
- {
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, file, BUILD_END);
- }
- if (cert)
- {
- x509_t *x509 = (x509_t*)cert;
-
- if (!(x509->get_flags(x509) & X509_CA))
- {
- DBG1(DBG_CFG, " ca certificate \"%Y\" lacks "
- "ca basic constraint, discarded",
- cert->get_subject(cert));
- cert->destroy(cert);
- cert = NULL;
- }
- else
- {
- DBG1(DBG_CFG, " loaded ca certificate \"%Y\" "
- "from '%s'", cert->get_subject(cert), file);
- }
- }
- else
+ DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), file);
+ this->cacerts->add_cert(this->cacerts, TRUE, cert);
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading ca certificate from '%s' failed", file);
+ }
+}
+
+/**
+ * Load AA certificate with flags from disk
+ */
+static void load_x509_aa(private_stroke_cred_t *this, char *file)
+{
+ certificate_t *cert;
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file,
+ BUILD_X509_FLAG, X509_AA, BUILD_END);
+ if (cert)
+ {
+ DBG1(DBG_CFG, " loaded AA certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), file);
+ this->aacerts->add_cert(this->aacerts, TRUE, cert);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading AA certificate from '%s' failed", file);
+ }
+}
+
+/**
+ * Load a certificate with flags from disk
+ */
+static void load_x509(private_stroke_cred_t *this, char *file, x509_flag_t flag)
+{
+ certificate_t *cert;
+
+ /* for all other flags, we add them to the certificate. */
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file,
+ BUILD_X509_FLAG, flag, BUILD_END);
+ if (cert)
+ {
+ DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), file);
+ this->creds->add_cert(this->creds, TRUE, cert);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading certificate from '%s' failed", file);
+ }
+}
+
+/**
+ * Load a CRL from a file
+ */
+static void load_x509_crl(private_stroke_cred_t *this, char *file)
+{
+ certificate_t *cert;
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+ BUILD_FROM_FILE, file, BUILD_END);
+ if (cert)
+ {
+ this->creds->add_crl(this->creds, (crl_t*)cert);
+ DBG1(DBG_CFG, " loaded crl from '%s'", file);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading crl from '%s' failed", file);
+ }
+}
+
+/**
+ * Load an attribute certificate from a file
+ */
+static void load_x509_ac(private_stroke_cred_t *this, char *file)
+{
+ certificate_t *cert;
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_AC,
+ BUILD_FROM_FILE, file, BUILD_END);
+ if (cert)
+ {
+ DBG1(DBG_CFG, " loaded attribute certificate from '%s'", file);
+ this->creds->add_cert(this->creds, FALSE, cert);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading attribute certificate from '%s' failed", file);
+ }
+}
+
+/**
+ * load trusted certificates from a directory
+ */
+static void load_certdir(private_stroke_cred_t *this, char *path,
+ certificate_type_t type, x509_flag_t flag)
+{
+ enumerator_t *enumerator;
+ struct stat st;
+ char *file;
+
+ enumerator = enumerator_create_directory(path);
+ if (enumerator)
+ {
+ while (enumerator->enumerate(enumerator, NULL, &file, &st))
+ {
+ if (!S_ISREG(st.st_mode))
+ {
+ /* skip special file */
+ continue;
+ }
+ switch (type)
+ {
+ case CERT_X509:
+ if (flag & X509_CA)
{
- DBG1(DBG_CFG, " loading ca certificate from '%s' "
- "failed", file);
+ load_x509_ca(this, file);
}
- }
- else
- { /* for all other flags, we add them to the certificate. */
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, file,
- BUILD_X509_FLAG, flag, BUILD_END);
- if (cert)
+ else if (flag & X509_AA)
{
- DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'",
- cert->get_subject(cert), file);
+ load_x509_aa(this, file);
}
else
{
- DBG1(DBG_CFG, " loading certificate from '%s' "
- "failed", file);
+ load_x509(this, file, flag);
}
- }
- if (cert)
- {
- this->creds->add_cert(this->creds, TRUE, cert);
- }
- break;
- case CERT_X509_CRL:
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509_CRL,
- BUILD_FROM_FILE, file,
- BUILD_END);
- if (cert)
- {
- this->creds->add_crl(this->creds, (crl_t*)cert);
- DBG1(DBG_CFG, " loaded crl from '%s'", file);
- }
- else
- {
- DBG1(DBG_CFG, " loading crl from '%s' failed", file);
- }
- break;
- case CERT_X509_AC:
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509_AC,
- BUILD_FROM_FILE, file,
- BUILD_END);
- if (cert)
- {
- this->creds->add_cert(this->creds, FALSE, cert);
- DBG1(DBG_CFG, " loaded attribute certificate from '%s'",
- file);
- }
- else
- {
- DBG1(DBG_CFG, " loading attribute certificate from '%s' "
- "failed", file);
- }
- break;
- default:
- break;
+ break;
+ case CERT_X509_CRL:
+ load_x509_crl(this, file);
+ break;
+ case CERT_X509_AC:
+ load_x509_ac(this, file);
+ break;
+ default:
+ break;
+ }
}
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " reading directory failed");
}
- enumerator->destroy(enumerator);
}
METHOD(stroke_cred_t, cache_cert, void,
@@ -1124,6 +1184,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
while (fetchline(src, &line))
{
chunk_t ids, token;
+ key_type_t key_type;
shared_key_type_t type;
line_nr++;
@@ -1222,10 +1283,22 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
DBG1(DBG_CFG, "line %d: missing token", line_nr);
break;
}
- if (match("RSA", &token) || match("ECDSA", &token))
+ if (match("RSA", &token) || match("ECDSA", &token) ||
+ match("BLISS", &token))
{
- if (!load_private(secrets, line, line_nr, prompt,
- match("RSA", &token) ? KEY_RSA : KEY_ECDSA))
+ if (match("RSA", &token))
+ {
+ key_type = KEY_RSA;
+ }
+ else if (match("ECDSA", &token))
+ {
+ key_type = KEY_ECDSA;
+ }
+ else
+ {
+ key_type = KEY_BLISS;
+ }
+ if (!load_private(secrets, line, line_nr, prompt, key_type))
{
break;
}
@@ -1256,8 +1329,8 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
}
else
{
- DBG1(DBG_CFG, "line %d: token must be either "
- "RSA, ECDSA, P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
+ DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, "
+ "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
break;
}
}
@@ -1308,6 +1381,8 @@ METHOD(stroke_cred_t, reread, void,
{
DBG1(DBG_CFG, "rereading ca certificates from '%s'",
CA_CERTIFICATE_DIR);
+ this->cacerts->clear(this->cacerts);
+ lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
load_certdir(this, CA_CERTIFICATE_DIR, CERT_X509, X509_CA);
}
if (msg->reread.flags & REREAD_OCSPCERTS)
@@ -1321,6 +1396,8 @@ METHOD(stroke_cred_t, reread, void,
{
DBG1(DBG_CFG, "rereading aa certificates from '%s'",
AA_CERTIFICATE_DIR);
+ this->aacerts->clear(this->aacerts);
+ lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
load_certdir(this, AA_CERTIFICATE_DIR, CERT_X509, X509_AA);
}
if (msg->reread.flags & REREAD_ACERTS)
@@ -1346,7 +1423,11 @@ METHOD(stroke_cred_t, add_shared, void,
METHOD(stroke_cred_t, destroy, void,
private_stroke_cred_t *this)
{
+ lib->credmgr->remove_set(lib->credmgr, &this->aacerts->set);
+ lib->credmgr->remove_set(lib->credmgr, &this->cacerts->set);
lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+ this->aacerts->destroy(this->aacerts);
+ this->cacerts->destroy(this->cacerts);
this->creds->destroy(this->creds);
free(this);
}
@@ -1379,9 +1460,13 @@ stroke_cred_t *stroke_cred_create()
"%s.plugins.stroke.secrets_file", SECRETS_FILE,
lib->ns),
.creds = mem_cred_create(),
+ .cacerts = mem_cred_create(),
+ .aacerts = mem_cred_create(),
);
lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+ lib->credmgr->add_set(lib->credmgr, &this->cacerts->set);
+ lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
this->force_ca_cert = lib->settings->get_bool(lib->settings,
"%s.plugins.stroke.ignore_missing_ca_basic_constraint",
diff --git a/src/libcharon/plugins/stroke/stroke_cred.h b/src/libcharon/plugins/stroke/stroke_cred.h
index f6fbb96d3..9434629ef 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.h
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@@ -50,10 +50,13 @@ struct stroke_cred_t {
void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
/**
- * Load a CA certificate, and serve it through the credential_set.
+ * Load a CA certificate.
+ *
+ * This method does not add the loaded CA certificate to the internal
+ * credentail set, but returns it only.
*
* @param filename file to load CA cert from
- * @return reference to loaded certificate, or NULL
+ * @return loaded certificate, or NULL
*/
certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
diff --git a/src/libcharon/plugins/stroke/stroke_handler.c b/src/libcharon/plugins/stroke/stroke_handler.c
index fef8cab67..d0cc9afab 100644
--- a/src/libcharon/plugins/stroke/stroke_handler.c
+++ b/src/libcharon/plugins/stroke/stroke_handler.c
@@ -94,10 +94,9 @@ static bool attr_filter(void *lock, host_t **in,
}
METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
- private_stroke_handler_t *this, identification_t *server,
+ private_stroke_handler_t *this, ike_sa_t *ike_sa,
linked_list_t *vips)
{
- ike_sa_t *ike_sa;
peer_cfg_t *peer_cfg;
enumerator_t *enumerator;
attributes_t *attr;
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 1aa49ce0d..68b8232bc 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -214,11 +214,12 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
config = child_sa->get_config(child_sa);
now = time_monotonic(NULL);
- fprintf(out, "%12s{%d}: %N, %N%s",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ fprintf(out, "%12s{%d}: %N, %N%s, reqid %u",
+ child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
child_sa_state_names, child_sa->get_state(child_sa),
ipsec_mode_names, child_sa->get_mode(child_sa),
- config->use_proxy_mode(config) ? "_PROXY" : "");
+ config->use_proxy_mode(config) ? "_PROXY" : "",
+ child_sa->get_reqid(child_sa));
if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
{
@@ -238,7 +239,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
if (all)
{
fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa),
- child_sa->get_reqid(child_sa));
+ child_sa->get_unique_id(child_sa));
proposal = child_sa->get_proposal(child_sa);
if (proposal)
@@ -322,7 +323,8 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
}
- else if (child_sa->get_state(child_sa) == CHILD_REKEYING)
+ else if (child_sa->get_state(child_sa) == CHILD_REKEYING ||
+ child_sa->get_state(child_sa) == CHILD_REKEYED)
{
rekey = child_sa->get_lifetime(child_sa, TRUE);
fprintf(out, ", expires in %V", &now, &rekey);
@@ -333,7 +335,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
other_ts = linked_list_create_from_enumerator(
child_sa->create_ts_enumerator(child_sa, FALSE));
fprintf(out, "\n%12s{%d}: %#R=== %#R\n",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
my_ts, other_ts);
my_ts->destroy(my_ts);
other_ts->destroy(other_ts);
@@ -496,7 +498,7 @@ METHOD(stroke_list_t, status, void,
{
struct mallinfo mi = mallinfo();
- fprintf(out, " malloc: sbrk %d, mmap %d, used %d, free %d\n",
+ fprintf(out, " malloc: sbrk %u, mmap %u, used %u, free %u\n",
mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks);
}
#endif /* HAVE_MALLINFO */
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index 31df1f99b..f64b99f08 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -69,6 +69,7 @@ METHOD(plugin_t, get_features, int,
PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
+ PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),
PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
index 54dd56e91..db7e66f14 100644
--- a/src/libcharon/plugins/stroke/stroke_socket.c
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -24,7 +24,6 @@
#include <unistd.h>
#include <errno.h>
-#include <hydra.h>
#include <daemon.h>
#include "stroke_config.h"
@@ -747,8 +746,10 @@ METHOD(stroke_socket_t, destroy, void,
lib->credmgr->remove_set(lib->credmgr, &this->ca->set);
lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
charon->backends->remove_backend(charon->backends, &this->config->backend);
- hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
- hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->attribute->provider);
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
charon->bus->remove_listener(charon->bus, &this->counter->listener);
this->cred->destroy(this->cred);
this->ca->destroy(this->ca);
@@ -790,8 +791,10 @@ stroke_socket_t *stroke_socket_create()
lib->credmgr->add_set(lib->credmgr, &this->ca->set);
lib->credmgr->add_set(lib->credmgr, &this->cred->set);
charon->backends->add_backend(charon->backends, &this->config->backend);
- hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
- hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+ charon->attributes->add_provider(charon->attributes,
+ &this->attribute->provider);
+ charon->attributes->add_handler(charon->attributes,
+ &this->handler->handler);
charon->bus->add_listener(charon->bus, &this->counter->listener);
max_concurrent = lib->settings->get_int(lib->settings,
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index 0e477f9f3..be148b6c3 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 3f2952c4b..17cc341c5 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 97c479632..ef05275b7 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -233,6 +233,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -293,10 +294,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -370,6 +373,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 109c216d5..91456f8da 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2013 Andreas Steffen
+ * Copyright (C) 2012-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -646,8 +646,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
int pt_tls_fd;
struct sockaddr_storage addr;
socklen_t addrlen = sizeof(addr);
- identification_t *peer;
- host_t *host;
+ identification_t *client_id;
+ host_t *server_ip, *client_ip;
pt_tls_server_t *pt_tls;
tnccs_t *tnccs;
pt_tls_auth_t auth = PT_TLS_AUTH_TLS_OR_SASL;
@@ -658,17 +658,22 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
DBG1(DBG_TNC, "accepting PT-TLS stream failed: %s", strerror(errno));
return FALSE;
}
- host = host_create_from_sockaddr((sockaddr_t*)&addr);
- DBG1(DBG_TNC, "accepting PT-TLS stream from %H", host);
- host->destroy(host);
+ client_ip = host_create_from_sockaddr((sockaddr_t*)&addr);
+ DBG1(DBG_TNC, "accepting PT-TLS stream from %H", client_ip);
+
+ /* Currently we do not determine the IP address of the server interface */
+ server_ip = host_create_any(client_ip->get_family(client_ip));
- /* At this moment the peer identity is not known yet */
- peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+ /* At this moment the client identity is not known yet */
+ client_id = identification_create_from_encoding(ID_ANY, chunk_empty),
tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE,
- this->server, peer, TNC_IFT_TLS_2_0,
+ this->server, client_id, server_ip,
+ client_ip, TNC_IFT_TLS_2_0,
(tnccs_cb_t)get_recommendation);
- peer->destroy(peer);
+ client_id->destroy(client_id);
+ server_ip->destroy(server_ip);
+ client_ip->destroy(client_ip);
if (!tnccs)
{
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 5e16c3c35..2c031383a 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am
deleted file mode 100644
index b7f8fc319..000000000
--- a/src/libcharon/plugins/unit_tester/Makefile.am
+++ /dev/null
@@ -1,26 +0,0 @@
-AM_CPPFLAGS = \
- -I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra \
- -I$(top_srcdir)/src/libcharon
-
-AM_CFLAGS = \
- $(PLUGIN_CFLAGS)
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-unit-tester.la
-else
-plugin_LTLIBRARIES = libstrongswan-unit-tester.la
-endif
-
-libstrongswan_unit_tester_la_SOURCES = \
- unit_tester.c unit_tester.h tests.h \
- tests/test_auth_info.c \
- tests/test_curl.c \
- tests/test_mysql.c \
- tests/test_sqlite.c \
- tests/test_cert.c \
- tests/test_med_db.c \
- tests/test_pool.c \
- tests/test_agent.c
-
-libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/unit_tester/tests/test_agent.c b/src/libcharon/plugins/unit_tester/tests/test_agent.c
deleted file mode 100644
index baab629be..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_agent.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * SSH agent signature creation and verification
- ******************************************************************************/
-bool test_agent()
-{
- char *path;
- chunk_t sig, data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
- private_key_t *private;
- public_key_t *public;
-
- path = getenv("SSH_AUTH_SOCK");
- if (!path)
- {
- DBG1(DBG_CFG, "ssh-agent not found.");
- return FALSE;
- }
-
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_AGENT_SOCKET, path, BUILD_END);
- if (!private)
- {
- return FALSE;
- }
- if (!private->sign(private, SIGN_RSA_EMSA_PKCS1_SHA1, data, &sig))
- {
- return FALSE;
- }
- public = private->get_public_key(private);
- if (!public)
- {
- return FALSE;;
- }
- if (!public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
- {
- return FALSE;
- }
- free(sig.ptr);
- data.ptr[1] = 0x01; /* fake it */
- if (public->verify(public, SIGN_RSA_EMSA_PKCS1_SHA1, data, sig))
- {
- return FALSE;
- }
-
- private->destroy(private);
- public->destroy(public);
-
- return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
deleted file mode 100644
index c250c356f..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <library.h>
-#include <credentials/auth_cfg.h>
-
-
-static chunk_t certchunk = chunk_from_chars(
- 0x30,0x82,0x02,0xfa,0x30,0x82,0x01,0xe2,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x5a,
- 0xf2,0x65,0xae,0x78,0xff,0x23,0xde,0xf7,0xa6,0xa3,0x94,0x8c,0x3f,0xa0,0xc1,0x30,
- 0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x39,
- 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,
- 0x17,0x06,0x03,0x55,0x04,0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,
- 0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,
- 0x03,0x13,0x06,0x6d,0x61,0x72,0x74,0x69,0x6e,0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,
- 0x34,0x32,0x37,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x17,0x0d,0x31,0x32,0x30,0x34,
- 0x32,0x35,0x30,0x37,0x31,0x34,0x32,0x36,0x5a,0x30,0x39,0x31,0x0b,0x30,0x09,0x06,
- 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x19,0x30,0x17,0x06,0x03,0x55,0x04,
- 0x0a,0x13,0x10,0x4c,0x69,0x6e,0x75,0x78,0x20,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,
- 0x77,0x61,0x6e,0x31,0x0f,0x30,0x0d,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x6d,0x61,
- 0x72,0x74,0x69,0x6e,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
- 0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,
- 0x02,0x82,0x01,0x01,0x00,0xd7,0xb9,0xba,0x4d,0xe2,0x3b,0x3d,0x35,0x7a,0x3f,0x88,
- 0x67,0x95,0xe7,0xfd,0x9f,0xe9,0x0a,0x0d,0x79,0x3a,0x9e,0x21,0x8f,0xcb,0xe4,0x67,
- 0x24,0xae,0x0c,0xda,0xb3,0xcc,0xec,0x36,0xb4,0xa8,0x4d,0xf1,0x3d,0xad,0xe4,0x8c,
- 0x63,0x92,0x54,0xb7,0xb2,0x02,0xa2,0x00,0x62,0x8b,0x04,0xac,0xa0,0x17,0xad,0x17,
- 0x9a,0x05,0x0d,0xd7,0xb3,0x08,0x02,0xc5,0x26,0xcf,0xdd,0x05,0x42,0xfc,0x13,0x6d,
- 0x9f,0xb1,0xf3,0x4f,0x82,0x1d,0xef,0x01,0xc9,0x91,0xea,0x37,0x1b,0x79,0x28,0xfa,
- 0xbf,0x9f,0xb3,0xeb,0x82,0x4f,0x10,0xc6,0x4b,0xa4,0x08,0xf7,0x8e,0xf2,0x00,0xea,
- 0x04,0x97,0x80,0x9f,0x65,0x86,0xde,0x6b,0xc7,0xda,0x83,0xfc,0xad,0x4a,0xaf,0x52,
- 0x8b,0x4d,0x33,0xee,0x49,0x87,0x2f,0x3b,0x60,0x45,0x66,0x8f,0xe6,0x89,0xcc,0xb1,
- 0x92,0x02,0x17,0x2b,0x7b,0x8e,0x90,0x47,0x84,0x84,0x59,0x95,0x81,0xd8,0xe0,0xf3,
- 0x87,0xe0,0x04,0x09,0xfd,0xcc,0x3a,0x21,0x34,0xfa,0xec,0xbe,0xf5,0x9c,0xcf,0x55,
- 0x80,0x7b,0xe3,0x75,0x9d,0x36,0x68,0xab,0x83,0xe3,0xad,0x01,0x53,0x0d,0x8a,0x9a,
- 0xa6,0xb0,0x15,0xc9,0xc5,0xf8,0x9b,0x51,0x32,0xcf,0x97,0x6c,0xfe,0x4a,0x56,0x3c,
- 0xc8,0x8f,0x4a,0x70,0x23,0x4f,0xf6,0xf7,0xe6,0x9f,0x09,0xcd,0x8f,0xea,0x20,0x7d,
- 0x34,0xc0,0xc5,0xc0,0x34,0x06,0x6f,0x8b,0xeb,0x04,0x54,0x3f,0x0e,0xcd,0xe2,0x85,
- 0xab,0x94,0x3e,0x91,0x6c,0x18,0x6f,0x96,0x5d,0xf2,0x8b,0x10,0xe9,0x90,0x43,0xb0,
- 0x61,0x52,0xac,0xcf,0x75,0x02,0x03,0x01,0x00,0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,
- 0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x09,0x63,
- 0x42,0xad,0xe5,0xa3,0xf6,0xc9,0x5d,0x08,0xf2,0x78,0x7b,0xeb,0x8a,0xef,0x50,0x00,
- 0xc8,0xeb,0xe9,0x26,0x94,0xcb,0x84,0x10,0x7e,0x42,0x6b,0x86,0x38,0x57,0xa6,0x02,
- 0x98,0x5a,0x2c,0x8f,0x44,0x32,0x1b,0x97,0x8c,0x7e,0x4b,0xd8,0xe8,0xe8,0x0f,0x4a,
- 0xb9,0x31,0x9f,0xf6,0x9f,0x0e,0x67,0x26,0x05,0x2a,0x99,0x14,0x35,0x41,0x47,0x9a,
- 0xfa,0x12,0x94,0x0b,0xe9,0x27,0x7c,0x71,0x20,0xd7,0x8d,0x3b,0x97,0x19,0x2d,0x15,
- 0xff,0xa4,0xf3,0x89,0x8d,0x29,0x5f,0xf6,0x3f,0x93,0xaf,0x78,0x61,0xe4,0xe1,0x2e,
- 0x75,0xc1,0x2c,0xc4,0x76,0x95,0x19,0xf8,0x37,0xdc,0xd8,0x00,0x7a,0x3c,0x0f,0x49,
- 0x2e,0x88,0x09,0x16,0xb3,0x92,0x33,0xdf,0x77,0x83,0x4f,0xb5,0x9e,0x30,0x8c,0x48,
- 0x1d,0xd8,0x84,0xfb,0xf1,0xb9,0xa0,0xbe,0x25,0xff,0x4c,0xeb,0xef,0x2b,0xcd,0xfa,
- 0x0b,0x94,0x66,0x3b,0x28,0x08,0x3f,0x3a,0xda,0x41,0xd0,0x6b,0xab,0x5e,0xbb,0x8a,
- 0x9f,0xdc,0x98,0x3e,0x59,0x37,0x48,0xbe,0x69,0xde,0x85,0x82,0xf2,0x53,0x8b,0xe4,
- 0x44,0xe4,0x71,0x91,0x14,0x85,0x0e,0x1e,0x79,0xdd,0x62,0xf5,0xdc,0x25,0x89,0xab,
- 0x50,0x5b,0xaa,0xae,0xe3,0x64,0x6a,0x23,0x34,0xd7,0x30,0xe2,0x2a,0xc8,0x81,0x0c,
- 0xec,0xd2,0x31,0xc6,0x1e,0xb6,0xc0,0x57,0xd9,0xe1,0x14,0x06,0x9b,0xf8,0x51,0x69,
- 0x47,0xf0,0x9c,0xcd,0x69,0xef,0x8e,0x5f,0x62,0xda,0x10,0xf7,0x3c,0x6d,0x0f,0x33,
- 0xec,0x6f,0xfd,0x94,0x07,0x16,0x41,0x32,0x06,0xa4,0xe1,0x08,0x31,0x87,
-);
-
-/*******************************************************************************
- * auth info test
- ******************************************************************************/
-bool test_auth_cfg()
-{
- auth_cfg_t *auth = auth_cfg_create(), *auth2;
- certificate_t *c1, *c2;
- enumerator_t *enumerator;
- int round = 0;
- void *value;
- auth_rule_t type;
-
- c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, certchunk,
- BUILD_END);
- if (!c1)
- {
- return FALSE;
- }
-
- auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
- c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
- if (!c2)
- {
- return FALSE;
- }
- if (!c1->equals(c1, c2))
- {
- return FALSE;
- }
-
- enumerator = auth->create_enumerator(auth);
- while (enumerator->enumerate(enumerator, &type, &value))
- {
- round++;
- if (round == 1 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
- {
- continue;
- }
- return FALSE;
- }
- enumerator->destroy(enumerator);
-
- auth2 = auth_cfg_create();
- auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
- auth2->merge(auth2, auth, FALSE);
-
- round = 0;
- enumerator = auth2->create_enumerator(auth2);
- while (enumerator->enumerate(enumerator, &type, &value))
- {
- round++;
- if (round == 1 && type == AUTH_RULE_CA_CERT && value == c1)
- {
- continue;
- }
- if (round == 2 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
- {
- continue;
- }
- return FALSE;
- }
- enumerator->destroy(enumerator);
- auth->destroy(auth);
- auth2->destroy(auth2);
- c1->destroy(c1);
- return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_cert.c b/src/libcharon/plugins/unit_tester/tests/test_cert.c
deleted file mode 100644
index f4410a688..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_cert.c
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <credentials/certificates/x509.h>
-
-/*******************************************************************************
- * X509 certificate generation and parsing
- ******************************************************************************/
-bool test_cert_x509()
-{
- private_key_t *ca_key, *peer_key;
- public_key_t *public;
- certificate_t *ca_cert, *peer_cert, *parsed;
- identification_t *issuer, *subject;
- u_int32_t serial = htonl(0);
- chunk_t encoding;
-
- issuer = identification_create_from_string("CN=CA, OU=Test, O=strongSwan");
- subject = identification_create_from_string("CN=Peer, OU=Test, O=strongSwan");
-
- ca_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_KEY_SIZE, 1024, BUILD_END);
- peer_key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
- BUILD_KEY_SIZE, 1024, BUILD_END);
- if (!ca_key)
- {
- return FALSE;
- }
- ca_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_SIGNING_KEY, ca_key,
- BUILD_SUBJECT, issuer,
- BUILD_SERIAL, chunk_from_thing(serial),
- BUILD_X509_FLAG, X509_CA,
- BUILD_END);
- if (!ca_cert)
- {
- return FALSE;
- }
-
- ca_cert->get_encoding(ca_cert, CERT_ASN1_DER, &encoding);
- parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, encoding,
- BUILD_END);
- chunk_free(&encoding);
- if (!parsed)
- {
- return FALSE;
- }
- if (!parsed->issued_by(parsed, ca_cert, NULL))
- {
- return FALSE;
- }
- parsed->destroy(parsed);
-
- serial = htonl(ntohl(serial) + 1);
- public = peer_key->get_public_key(peer_key);
- peer_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_SIGNING_KEY, ca_key,
- BUILD_SIGNING_CERT, ca_cert,
- BUILD_PUBLIC_KEY, public,
- BUILD_SUBJECT, subject,
- BUILD_SERIAL, chunk_from_thing(serial),
- BUILD_END);
- public->destroy(public);
- if (!peer_cert)
- {
- return FALSE;
- }
-
- peer_cert->get_encoding(peer_cert, CERT_ASN1_DER, &encoding);
- parsed = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, encoding,
- BUILD_END);
- chunk_free(&encoding);
- if (!parsed)
- {
- return FALSE;
- }
- if (!parsed->issued_by(parsed, ca_cert, NULL))
- {
- return FALSE;
- }
- parsed->destroy(parsed);
-
- ca_cert->destroy(ca_cert);
- ca_key->destroy(ca_key);
- peer_cert->destroy(peer_cert);
- peer_key->destroy(peer_key);
- issuer->destroy(issuer);
- subject->destroy(subject);
- return TRUE;
-}
-
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_curl.c b/src/libcharon/plugins/unit_tester/tests/test_curl.c
deleted file mode 100644
index 21656a94e..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_curl.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>
-
-/*******************************************************************************
- * curl get test
- ******************************************************************************/
-
-bool test_curl_get()
-{
- chunk_t chunk;
-
- if (lib->fetcher->fetch(lib->fetcher, "http://www.strongswan.org",
- &chunk, FETCH_END) != SUCCESS)
- {
- return FALSE;
- }
- free(chunk.ptr);
-
- if (lib->fetcher->fetch(lib->fetcher, "http://www.google.com",
- &chunk, FETCH_END) != SUCCESS)
- {
- return FALSE;
- }
- free(chunk.ptr);
- return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c
deleted file mode 100644
index 75244ab8f..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <collections/enumerator.h>
-
-#include <unistd.h>
-
-/*******************************************************************************
- * fetch public key from mediation database
- ******************************************************************************/
-
-bool test_med_db()
-{
- chunk_t found, keyid = chunk_from_chars(
- 0xed,0x90,0xe6,0x4f,0xec,0xa2,0x1f,0x4b,
- 0x68,0x97,0x99,0x24,0x22,0xe0,0xde,0x21,
- 0xb9,0xd6,0x26,0x29
- );
- identification_t *id;
- enumerator_t *enumerator;
- public_key_t *public;
- auth_cfg_t *auth;
- bool good = FALSE;
-
- id = identification_create_from_encoding(ID_KEY_ID, keyid);
- enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
- KEY_ANY, id, NULL);
- while (enumerator->enumerate(enumerator, &public, &auth))
- {
- good = public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &found);
- if (good)
- {
- good = chunk_equals(id->get_encoding(id), found);
- }
- }
- enumerator->destroy(enumerator);
- id->destroy(id);
- return good;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_mysql.c b/src/libcharon/plugins/unit_tester/tests/test_mysql.c
deleted file mode 100644
index eda238623..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_mysql.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <collections/enumerator.h>
-
-/*******************************************************************************
- * mysql simple test
- ******************************************************************************/
-bool test_mysql()
-{
- database_t *db;
- char *txt = "I'm a superduper test";
- chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
- int row;
- chunk_t qdata;
- char *qtxt;
- bool good = FALSE;
- enumerator_t *enumerator;
-
- db = lib->db->create(lib->db, "mysql://testuser:testpass@localhost/test");
- if (!db)
- {
- return FALSE;
- }
- if (db->execute(db, NULL, "CREATE TABLE test ("
- "id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, "
- "txt TEXT, data BLOB)") < 0)
- {
- return FALSE;
- }
- if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
- DB_TEXT, txt, DB_BLOB, data) < 0)
- {
- return FALSE;
- }
- if (row != 1)
- {
- return FALSE;
- }
- enumerator = db->query(db, "SELECT txt, data FROM test WHERE id = ?",
- DB_INT, row,
- DB_TEXT, DB_BLOB);
- if (!enumerator)
- {
- return FALSE;
- }
- while (enumerator->enumerate(enumerator, &qtxt, &qdata))
- {
- if (good)
- { /* only one row */
- good = FALSE;
- break;
- }
- if (streq(qtxt, txt) && chunk_equals(data, qdata))
- {
- good = TRUE;
- }
- }
- enumerator->destroy(enumerator);
- if (!good)
- {
- return FALSE;
- }
- if (db->execute(db, NULL, "DELETE FROM test WHERE id = ?", DB_INT, row) != 1)
- {
- return FALSE;
- }
- if (db->execute(db, NULL, "DROP TABLE test") < 0)
- {
- return FALSE;
- }
- db->destroy(db);
- return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_pool.c b/src/libcharon/plugins/unit_tester/tests/test_pool.c
deleted file mode 100644
index f36953f3a..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_pool.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <time.h>
-
-#include <library.h>
-#include <threading/thread.h>
-#include <hydra.h>
-
-#define ALLOCS 1000
-#define THREADS 20
-
-static void* testing(void *thread)
-{
- int i;
- host_t *addr[ALLOCS];
- identification_t *id[ALLOCS];
- linked_list_t *pools;
-
- /* prepare identities */
- for (i = 0; i < ALLOCS; i++)
- {
- char buf[256];
-
- snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
- id[i] = identification_create_from_string(buf);
- }
-
- pools = linked_list_create();
- pools->insert_last(pools, "test");
-
- /* allocate addresses */
- for (i = 0; i < ALLOCS; i++)
- {
- addr[i] = hydra->attributes->acquire_address(hydra->attributes,
- pools, id[i], NULL);
- if (!addr[i])
- {
- pools->destroy(pools);
- return (void*)FALSE;
- }
- }
-
- /* release addresses */
- for (i = 0; i < ALLOCS; i++)
- {
- hydra->attributes->release_address(hydra->attributes,
- pools, addr[i], id[i]);
- }
-
- pools->destroy(pools);
-
- /* cleanup */
- for (i = 0; i < ALLOCS; i++)
- {
- addr[i]->destroy(addr[i]);
- id[i]->destroy(id[i]);
- }
- return (void*)TRUE;
-}
-
-
-/*******************************************************************************
- * SQL pool performance test
- ******************************************************************************/
-bool test_pool()
-{
- thread_t *threads[THREADS];
- uintptr_t i;
-
- for (i = 0; i < THREADS; i++)
- {
- if (!(threads[i] = thread_create((thread_main_t)testing, (void*)i)))
- {
- return FALSE;
- }
- }
- for (i = 0; i < THREADS; i++)
- {
- bool *res = threads[i]->join(threads[i]);
- if (!res)
- {
- return FALSE;
- }
- }
- return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c b/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
deleted file mode 100644
index 99490b566..000000000
--- a/src/libcharon/plugins/unit_tester/tests/test_sqlite.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <library.h>
-#include <daemon.h>
-#include <collections/enumerator.h>
-
-#include <unistd.h>
-
-
-#define DBFILE "/tmp/strongswan-test.db"
-
-/*******************************************************************************
- * sqlite simple test
- ******************************************************************************/
-bool test_sqlite()
-{
- database_t *db;
- char *txt = "I'm a superduper test";
- chunk_t data = chunk_from_chars(0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08);
- int row;
- chunk_t qdata;
- char *qtxt;
- bool good = FALSE;
- enumerator_t *enumerator;
-
- db = lib->db->create(lib->db, "sqlite://" DBFILE);
- if (!db)
- {
- return FALSE;
- }
- if (db->execute(db, NULL, "CREATE TABLE test (txt TEXT, data BLOB)") < 0)
- {
- return FALSE;
- }
- if (db->execute(db, &row, "INSERT INTO test (txt, data) VALUES (?,?)",
- DB_TEXT, txt, DB_BLOB, data) < 0)
- {
- return FALSE;
- }
- if (row != 1)
- {
- return FALSE;
- }
- enumerator = db->query(db, "SELECT txt, data FROM test WHERE oid = ?",
- DB_INT, row,
- DB_TEXT, DB_BLOB);
- if (!enumerator)
- {
- return FALSE;
- }
- while (enumerator->enumerate(enumerator, &qtxt, &qdata))
- {
- if (good)
- { /* only one row */
- good = FALSE;
- break;
- }
- if (streq(qtxt, txt) && chunk_equals(data, qdata))
- {
- good = TRUE;
- }
- }
- enumerator->destroy(enumerator);
- if (!good)
- {
- return FALSE;
- }
- if (db->execute(db, NULL, "DELETE FROM test WHERE oid = ?", DB_INT, row) != 1)
- {
- return FALSE;
- }
- if (db->execute(db, NULL, "DROP TABLE test") < 0)
- {
- return FALSE;
- }
- db->destroy(db);
- unlink(DBFILE);
- return TRUE;
-}
-
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.c b/src/libcharon/plugins/unit_tester/unit_tester.c
deleted file mode 100644
index ea7ffca04..000000000
--- a/src/libcharon/plugins/unit_tester/unit_tester.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright (C) 2013 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "unit_tester.h"
-
-#include <daemon.h>
-
-typedef struct private_unit_tester_t private_unit_tester_t;
-typedef struct unit_test_t unit_test_t;
-typedef enum test_status_t test_status_t;
-
-/**
- * private data of unit_tester
- */
-struct private_unit_tester_t {
-
- /**
- * public functions
- */
- unit_tester_t public;
-};
-
-struct unit_test_t {
-
- /**
- * name of the test
- */
- char *name;
-
- /**
- * test function
- */
- bool (*test)(void);
-
- /**
- * run the test?
- */
- bool enabled;
-};
-
-#undef DEFINE_TEST
-#define DEFINE_TEST(name, function, enabled) bool function();
-#include <plugins/unit_tester/tests.h>
-#undef DEFINE_TEST
-#define DEFINE_TEST(name, function, enabled) {name, function, enabled},
-static unit_test_t tests[] = {
-#include <plugins/unit_tester/tests.h>
-};
-
-static void run_tests(private_unit_tester_t *this)
-{
- int i, run = 0, failed = 0, success = 0, skipped = 0;
-
- DBG1(DBG_CFG, "running unit tests, %d tests registered",
- sizeof(tests)/sizeof(unit_test_t));
-
- for (i = 0; i < sizeof(tests)/sizeof(unit_test_t); i++)
- {
- if (tests[i].enabled)
- {
- run++;
- if (tests[i].test())
- {
- DBG1(DBG_CFG, "test '%s' successful", tests[i].name);
- success++;
- }
- else
- {
- DBG1(DBG_CFG, "test '%s' failed", tests[i].name);
- failed++;
- }
- }
- else
- {
- DBG1(DBG_CFG, "test '%s' disabled", tests[i].name);
- skipped++;
- }
- }
- DBG1(DBG_CFG, "%d/%d tests successful (%d failed, %d disabled)",
- success, run, failed, skipped);
-}
-
-METHOD(plugin_t, get_name, char*,
- private_unit_tester_t *this)
-{
- return "unit-tester";
-}
-
-/**
- * We currently don't depend explicitly on any plugin features. But in case
- * activated tests depend on such features we at least try to run them in plugin
- * order.
- */
-static bool plugin_cb(private_unit_tester_t *this,
- plugin_feature_t *feature, bool reg, void *cb_data)
-{
- if (reg)
- {
- run_tests(this);
- }
- return TRUE;
-}
-
-METHOD(plugin_t, get_features, int,
- private_unit_tester_t *this, plugin_feature_t *features[])
-{
- static plugin_feature_t f[] = {
- PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
- PLUGIN_PROVIDE(CUSTOM, "unit-tester"),
- };
- *features = f;
- return countof(f);
-}
-
-METHOD(plugin_t, destroy, void,
- private_unit_tester_t *this)
-{
- free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *unit_tester_plugin_create()
-{
- private_unit_tester_t *this;
-
- INIT(this,
- .public = {
- .plugin = {
- .get_name = _get_name,
- .get_features = _get_features,
- .destroy = _destroy,
- },
- },
- );
-
- return &this->public.plugin;
-}
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index 1e04ebced..4f0a7e736 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index bcef0dc25..9fc9be61a 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -50,8 +50,8 @@ struct private_unity_handler_t {
* Traffic selector entry for networks to include under a given IKE_SA
*/
typedef struct {
- /** associated IKE_SA, unique ID */
- u_int32_t sa;
+ /** associated IKE_SA COOKIEs */
+ ike_sa_id_t *id;
/** traffic selector to include/exclude */
traffic_selector_t *ts;
} entry_t;
@@ -61,6 +61,7 @@ typedef struct {
*/
static void entry_destroy(entry_t *this)
{
+ this->id->destroy(this->id);
this->ts->destroy(this->ts);
free(this);
}
@@ -131,9 +132,10 @@ static bool add_include(private_unity_handler_t *this, chunk_t data)
while (list->remove_first(list, (void**)&ts) == SUCCESS)
{
INIT(entry,
- .sa = ike_sa->get_unique_id(ike_sa),
+ .id = ike_sa->get_id(ike_sa),
.ts = ts,
);
+ entry->id = entry->id->clone(entry->id);
this->mutex->lock(this->mutex);
this->include->insert_last(this->include, entry);
@@ -171,7 +173,7 @@ static bool remove_include(private_unity_handler_t *this, chunk_t data)
enumerator = this->include->create_enumerator(this->include);
while (enumerator->enumerate(enumerator, &entry))
{
- if (entry->sa == ike_sa->get_unique_id(ike_sa) &&
+ if (entry->id->equals(entry->id, ike_sa->get_id(ike_sa)) &&
ts->equals(ts, entry->ts))
{
this->include->remove_at(this->include, enumerator);
@@ -209,8 +211,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
char name[128];
host_t *host;
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- entry->sa, FALSE);
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, entry->id);
if (ike_sa)
{
create_shunt_name(ike_sa, entry->ts, name, sizeof(name));
@@ -267,9 +268,10 @@ static bool add_exclude(private_unity_handler_t *this, chunk_t data)
while (list->remove_first(list, (void**)&ts) == SUCCESS)
{
INIT(entry,
- .sa = ike_sa->get_unique_id(ike_sa),
+ .id = ike_sa->get_id(ike_sa),
.ts = ts,
);
+ entry->id = entry->id->clone(entry->id);
/* we can't install the shunt policy yet, as we don't know the virtual IP.
* Defer installation using an async callback. */
@@ -315,7 +317,7 @@ static bool remove_exclude(private_unity_handler_t *this, chunk_t data)
}
METHOD(attribute_handler_t, handle, bool,
- private_unity_handler_t *this, identification_t *id,
+ private_unity_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
switch (type)
@@ -330,7 +332,7 @@ METHOD(attribute_handler_t, handle, bool,
}
METHOD(attribute_handler_t, release, void,
- private_unity_handler_t *this, identification_t *server,
+ private_unity_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
switch (type)
@@ -378,10 +380,9 @@ METHOD(enumerator_t, enumerate_attributes, bool,
}
METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t *,
- unity_handler_t *this, identification_t *id, linked_list_t *vips)
+ unity_handler_t *this, ike_sa_t *ike_sa, linked_list_t *vips)
{
attribute_enumerator_t *enumerator;
- ike_sa_t *ike_sa;
ike_sa = charon->bus->get_sa(charon->bus);
if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 ||
@@ -402,7 +403,7 @@ typedef struct {
/** mutex to unlock */
mutex_t *mutex;
/** IKE_SA ID to filter for */
- u_int32_t id;
+ ike_sa_id_t *id;
} include_filter_t;
/**
@@ -411,7 +412,7 @@ typedef struct {
static bool include_filter(include_filter_t *data,
entry_t **entry, traffic_selector_t **ts)
{
- if ((*entry)->sa == data->id)
+ if (data->id->equals(data->id, (*entry)->id))
{
*ts = (*entry)->ts;
return TRUE;
@@ -429,7 +430,7 @@ static void destroy_filter(include_filter_t *data)
}
METHOD(unity_handler_t, create_include_enumerator, enumerator_t*,
- private_unity_handler_t *this, u_int32_t id)
+ private_unity_handler_t *this, ike_sa_id_t *id)
{
include_filter_t *data;
diff --git a/src/libcharon/plugins/unity/unity_handler.h b/src/libcharon/plugins/unity/unity_handler.h
index 8656fd372..18efe293b 100644
--- a/src/libcharon/plugins/unity/unity_handler.h
+++ b/src/libcharon/plugins/unity/unity_handler.h
@@ -21,6 +21,7 @@
#ifndef UNITY_HANDLER_H_
#define UNITY_HANDLER_H_
+#include <sa/ike_sa_id.h>
#include <attributes/attribute_handler.h>
typedef struct unity_handler_t unity_handler_t;
@@ -38,11 +39,11 @@ struct unity_handler_t {
/**
* Create an enumerator over Split-Include attributes received for an IKE_SA.
*
- * @param id IKE_SA unique ID to get Split-Includes for
+ * @param id IKE_SA ID to get Split-Includes for
* @return enumerator over traffic_selector_t*
*/
enumerator_t* (*create_include_enumerator)(unity_handler_t *this,
- u_int32_t id);
+ ike_sa_id_t *id);
/**
* Destroy a unity_handler_t.
diff --git a/src/libcharon/plugins/unity/unity_narrow.c b/src/libcharon/plugins/unity/unity_narrow.c
index 52a2c7f24..227d24be8 100644
--- a/src/libcharon/plugins/unity/unity_narrow.c
+++ b/src/libcharon/plugins/unity/unity_narrow.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
*
@@ -16,6 +19,8 @@
#include "unity_narrow.h"
#include <daemon.h>
+#include <encoding/payloads/id_payload.h>
+#include <collections/hashtable.h>
typedef struct private_unity_narrow_t private_unity_narrow_t;
@@ -33,6 +38,11 @@ struct private_unity_narrow_t {
* Unity attribute handler
*/
unity_handler_t *handler;
+
+ /**
+ * IKE_SAs for which we received 0.0.0.0/0 as remote traffic selector
+ */
+ hashtable_t *wildcard_ts;
};
/**
@@ -65,7 +75,7 @@ static void narrow_initiator(private_unity_narrow_t *this, ike_sa_t *ike_sa,
enumerator_t *enumerator;
enumerator = this->handler->create_include_enumerator(this->handler,
- ike_sa->get_unique_id(ike_sa));
+ ike_sa->get_id(ike_sa));
while (enumerator->enumerate(enumerator, &current))
{
if (orig == NULL)
@@ -149,7 +159,7 @@ static bool has_split_includes(private_unity_narrow_t *this, ike_sa_t *ike_sa)
bool has;
enumerator = this->handler->create_include_enumerator(this->handler,
- ike_sa->get_unique_id(ike_sa));
+ ike_sa->get_id(ike_sa));
has = enumerator->enumerate(enumerator, &ts);
enumerator->destroy(enumerator);
@@ -191,11 +201,19 @@ METHOD(listener_t, narrow, bool,
{
case NARROW_INITIATOR_PRE_AUTH:
case NARROW_RESPONDER:
- narrow_pre(local, "us");
+ if (this->wildcard_ts->get(this->wildcard_ts, ike_sa))
+ {
+ narrow_pre(local, "us");
+
+ }
break;
case NARROW_INITIATOR_POST_AUTH:
case NARROW_RESPONDER_POST:
- narrow_responder_post(child_sa->get_config(child_sa), local);
+ if (this->wildcard_ts->get(this->wildcard_ts, ike_sa))
+ {
+ narrow_responder_post(child_sa->get_config(child_sa),
+ local);
+ }
break;
default:
break;
@@ -205,9 +223,69 @@ METHOD(listener_t, narrow, bool,
return TRUE;
}
+METHOD(listener_t, message, bool,
+ private_unity_narrow_t *this, ike_sa_t *ike_sa, message_t *message,
+ bool incoming, bool plain)
+{
+ traffic_selector_t *tsr = NULL, *wildcard;
+ enumerator_t *enumerator;
+ id_payload_t *id_payload;
+ payload_t *payload;
+ bool first = TRUE;
+
+ if (!incoming || !plain ||
+ message->get_exchange_type(message) != QUICK_MODE ||
+ !ike_sa || !ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY))
+ {
+ return TRUE;
+ }
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == PLV1_ID)
+ {
+ if (!first)
+ {
+ id_payload = (id_payload_t*)payload;
+ tsr = id_payload->get_ts(id_payload);
+ break;
+ }
+ first = FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (!tsr)
+ {
+ return TRUE;
+ }
+ wildcard = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
+ if (tsr->equals(tsr, wildcard))
+ {
+ this->wildcard_ts->put(this->wildcard_ts, ike_sa, ike_sa);
+ }
+ else
+ {
+ this->wildcard_ts->remove(this->wildcard_ts, ike_sa);
+ }
+ wildcard->destroy(wildcard);
+ tsr->destroy(tsr);
+ return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+ private_unity_narrow_t *this, ike_sa_t *ike_sa, bool up)
+{
+ if (!up)
+ {
+ this->wildcard_ts->remove(this->wildcard_ts, ike_sa);
+ }
+ return TRUE;
+}
+
METHOD(unity_narrow_t, destroy, void,
private_unity_narrow_t *this)
{
+ this->wildcard_ts->destroy(this->wildcard_ts);
free(this);
}
@@ -222,10 +300,14 @@ unity_narrow_t *unity_narrow_create(unity_handler_t *handler)
.public = {
.listener = {
.narrow = _narrow,
+ .message = _message,
+ .ike_updown = _ike_updown,
},
.destroy = _destroy,
},
.handler = handler,
+ .wildcard_ts = hashtable_create(hashtable_hash_ptr,
+ hashtable_equals_ptr, 4),
);
return &this->public;
diff --git a/src/libcharon/plugins/unity/unity_plugin.c b/src/libcharon/plugins/unity/unity_plugin.c
index 9e4571d34..b7a3fee2e 100644
--- a/src/libcharon/plugins/unity/unity_plugin.c
+++ b/src/libcharon/plugins/unity/unity_plugin.c
@@ -19,7 +19,6 @@
#include "unity_provider.h"
#include <daemon.h>
-#include <hydra.h>
typedef struct private_unity_plugin_t private_unity_plugin_t;
@@ -63,19 +62,19 @@ static bool plugin_cb(private_unity_plugin_t *this,
{
if (reg)
{
- hydra->attributes->add_handler(hydra->attributes,
- &this->handler->handler);
- hydra->attributes->add_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->add_handler(charon->attributes,
+ &this->handler->handler);
+ charon->attributes->add_provider(charon->attributes,
+ &this->provider->provider);
charon->bus->add_listener(charon->bus, &this->narrower->listener);
}
else
{
charon->bus->remove_listener(charon->bus, &this->narrower->listener);
- hydra->attributes->remove_handler(hydra->attributes,
- &this->handler->handler);
- hydra->attributes->remove_provider(hydra->attributes,
- &this->provider->provider);
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->provider->provider);
}
return TRUE;
diff --git a/src/libcharon/plugins/unity/unity_provider.c b/src/libcharon/plugins/unity/unity_provider.c
index 86f81fcfb..1e297a39e 100644
--- a/src/libcharon/plugins/unity/unity_provider.c
+++ b/src/libcharon/plugins/unity/unity_provider.c
@@ -135,19 +135,17 @@ static bool use_ts(traffic_selector_t *ts)
}
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
- private_unity_provider_t *this, linked_list_t *pools, identification_t *id,
+ private_unity_provider_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
linked_list_t *vips)
{
attribute_enumerator_t *attr_enum;
enumerator_t *enumerator;
linked_list_t *list, *current;
traffic_selector_t *ts;
- ike_sa_t *ike_sa;
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
- ike_sa = charon->bus->get_sa(charon->bus);
- if (!ike_sa || ike_sa->get_version(ike_sa) != IKEV1 ||
+ if (ike_sa->get_version(ike_sa) != IKEV1 ||
!ike_sa->supports_extension(ike_sa, EXT_CISCO_UNITY) ||
!vips->get_count(vips))
{
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index 834d373f3..619d17a0e 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/updown/updown_handler.c b/src/libcharon/plugins/updown/updown_handler.c
index 0894d2d07..72d7f7da3 100644
--- a/src/libcharon/plugins/updown/updown_handler.c
+++ b/src/libcharon/plugins/updown/updown_handler.c
@@ -62,19 +62,13 @@ static void attributes_destroy(attributes_t *this)
}
METHOD(attribute_handler_t, handle, bool,
- private_updown_handler_t *this, identification_t *server,
+ private_updown_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
attributes_t *current, *attr = NULL;
enumerator_t *enumerator;
- ike_sa_t *ike_sa;
host_t *host;
- ike_sa = charon->bus->get_sa(charon->bus);
- if (!ike_sa)
- {
- return FALSE;
- }
switch (type)
{
case INTERNAL_IP4_DNS:
@@ -117,12 +111,11 @@ METHOD(attribute_handler_t, handle, bool,
}
METHOD(attribute_handler_t, release, void,
- private_updown_handler_t *this, identification_t *server,
+ private_updown_handler_t *this, ike_sa_t *ike_sa,
configuration_attribute_type_t type, chunk_t data)
{
attributes_t *attr;
enumerator_t *enumerator, *servers;
- ike_sa_t *ike_sa;
host_t *host;
bool found = FALSE;
int family;
@@ -139,43 +132,39 @@ METHOD(attribute_handler_t, release, void,
return;
}
- ike_sa = charon->bus->get_sa(charon->bus);
- if (ike_sa)
+ this->lock->write_lock(this->lock);
+ enumerator = this->attrs->create_enumerator(this->attrs);
+ while (enumerator->enumerate(enumerator, &attr))
{
- this->lock->write_lock(this->lock);
- enumerator = this->attrs->create_enumerator(this->attrs);
- while (enumerator->enumerate(enumerator, &attr))
+ if (attr->id == ike_sa->get_unique_id(ike_sa))
{
- if (attr->id == ike_sa->get_unique_id(ike_sa))
+ servers = attr->dns->create_enumerator(attr->dns);
+ while (servers->enumerate(servers, &host))
{
- servers = attr->dns->create_enumerator(attr->dns);
- while (servers->enumerate(servers, &host))
+ if (host->get_family(host) == family &&
+ chunk_equals(data, host->get_address(host)))
{
- if (host->get_family(host) == family &&
- chunk_equals(data, host->get_address(host)))
- {
- attr->dns->remove_at(attr->dns, servers);
- host->destroy(host);
- found = TRUE;
- break;
- }
- }
- servers->destroy(servers);
- if (attr->dns->get_count(attr->dns) == 0)
- {
- this->attrs->remove_at(this->attrs, enumerator);
- attributes_destroy(attr);
+ attr->dns->remove_at(attr->dns, servers);
+ host->destroy(host);
+ found = TRUE;
break;
}
}
- if (found)
+ servers->destroy(servers);
+ if (attr->dns->get_count(attr->dns) == 0)
{
+ this->attrs->remove_at(this->attrs, enumerator);
+ attributes_destroy(attr);
break;
}
}
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
+ if (found)
+ {
+ break;
+ }
}
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
}
METHOD(updown_handler_t, create_dns_enumerator, enumerator_t*,
diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c
index 1d15cc55e..be65d599f 100644
--- a/src/libcharon/plugins/updown/updown_listener.c
+++ b/src/libcharon/plugins/updown/updown_listener.c
@@ -243,6 +243,7 @@ static void invoke_once(private_updown_listener_t *this, ike_sa_t *ike_sa,
me = ike_sa->get_my_host(ike_sa);
other = ike_sa->get_other_host(ike_sa);
+ push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
push_env(envp, countof(envp), "PLUTO_VERSION=1.1");
is_host = my_ts->is_host(my_ts, me);
if (is_host)
diff --git a/src/libcharon/plugins/updown/updown_plugin.c b/src/libcharon/plugins/updown/updown_plugin.c
index d30267dee..60ecfcce6 100644
--- a/src/libcharon/plugins/updown/updown_plugin.c
+++ b/src/libcharon/plugins/updown/updown_plugin.c
@@ -18,7 +18,6 @@
#include "updown_handler.h"
#include <daemon.h>
-#include <hydra.h>
typedef struct private_updown_plugin_t private_updown_plugin_t;
@@ -61,8 +60,8 @@ static bool plugin_cb(private_updown_plugin_t *this,
"%s.plugins.updown.dns_handler", FALSE, lib->ns))
{
this->handler = updown_handler_create();
- hydra->attributes->add_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->add_handler(charon->attributes,
+ &this->handler->handler);
}
this->listener = updown_listener_create(this->handler);
charon->bus->add_listener(charon->bus, &this->listener->listener);
@@ -74,8 +73,8 @@ static bool plugin_cb(private_updown_plugin_t *this,
if (this->handler)
{
this->handler->destroy(this->handler);
- hydra->attributes->remove_handler(hydra->attributes,
- &this->handler->handler);
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
}
}
return TRUE;
diff --git a/src/libcharon/plugins/vici/Makefile.am b/src/libcharon/plugins/vici/Makefile.am
index da71de394..b25396085 100644
--- a/src/libcharon/plugins/vici/Makefile.am
+++ b/src/libcharon/plugins/vici/Makefile.am
@@ -74,3 +74,7 @@ SUBDIRS =
if USE_RUBY_GEMS
SUBDIRS += ruby
endif
+
+if USE_PYTHON_EGGS
+SUBDIRS += python
+endif
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index 34546b905..b63226daa 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -81,6 +81,7 @@ host_triplet = @host@
TESTS = vici_tests$(EXEEXT)
check_PROGRAMS = $(am__EXEEXT_1)
@USE_RUBY_GEMS_TRUE@am__append_1 = ruby
+@USE_PYTHON_EGGS_TRUE@am__append_2 = python
subdir = src/libcharon/plugins/vici
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
@@ -269,7 +270,7 @@ am__tty_colors = { \
std=''; \
fi; \
}
-DIST_SUBDIRS = ruby
+DIST_SUBDIRS = ruby python
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -321,6 +322,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -381,10 +383,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -458,6 +462,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -571,7 +577,7 @@ vici_tests_LDADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
$(top_builddir)/src/libstrongswan/tests/libtest.la
-SUBDIRS = $(am__append_1)
+SUBDIRS = $(am__append_1) $(am__append_2)
all: all-recursive
.SUFFIXES:
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 272491052..0ce4271b0 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -145,25 +145,25 @@ the following C array:
char msg[] = {
/* key1 = value1 */
- 2, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1',
+ 3, 4,'k','e','y','1', 0,6,'v','a','l','u','e','1',
/* section1 */
- 0, 8,'s','e','c','t','i','o','n','1',
+ 1, 8,'s','e','c','t','i','o','n','1',
/* sub-section */
- 0, 11,'s','u','b','-','s','e','c','t','i','o','n',
+ 1, 11,'s','u','b','-','s','e','c','t','i','o','n',
/* key2 = value2 */
- 2, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2',
+ 3, 4,'k','e','y','2', 0,6,'v','a','l','u','e','2',
/* sub-section end */
- 1,
+ 2,
/* list1 */
- 3, 5, 'l','i','s','t','1',
+ 4, 5, 'l','i','s','t','1',
/* item1 */
- 4, 0,5,'i','t','e','m','1',
+ 5, 0,5,'i','t','e','m','1',
/* item2 */
- 4, 0,5,'i','t','e','m','2',
+ 5, 0,5,'i','t','e','m','2',
/* list1 end */
- 5,
+ 6,
/* section1 end */
- 1,
+ 2,
};
## Client-initiated commands ##
@@ -559,6 +559,7 @@ command.
]
child-sas = {
<child-sa-name>* = {
+ uniqueid = <unique CHILD_SA identifier>
reqid = <reqid of CHILD_SA>
state = <state string of CHILD_SA>
mode = <IPsec mode, tunnel|transport|beet>
@@ -820,9 +821,9 @@ during encoding.
## Connecting to the daemon ##
-To create a connection to the daemon, a socket must be passed to the
-_Connection_ constructor. There is no default, but on Unix systems usually
-a Unix socket over _/var/run/charon.vici_ is used:
+To create a connection to the daemon, a socket can be passed to the
+_Connection_ constructor. If none is passed, a default Unix socket at
+_/var/run/charon.vici_ is used:
require "vici"
require "socket"
@@ -854,3 +855,73 @@ _list-conns_ command and implicitly the _list-conn_ event:
For more details about the ruby gem refer to the comments in the gem source
code or the generated documentation.
+
+# vici Python egg #
+
+The _vici Python egg_ is a pure Python implementation of the VICI protocol to
+implement client applications. It is provided in the _python_ subdirectory, and
+gets built and installed if strongSwan has been _./configure_'d with
+_--enable-vici_ and _--enable-python-eggs_.
+
+The _vici_ module provides a _Session()_ constructor for a high level interface,
+the underlying classes are usually not required to build Python applications
+using VICI. The _Session_ class provides methods for the supported VICI
+commands.
+
+To represent the VICI message data tree, the library converts the binary
+encoding to Python data types. The _Session_ class takes and returns Python
+objects for the exchanged message data:
+ * Sections get encoded as OrderedDict, containing other sections, or
+ * Key/Values, where the values are strings as dictionary values
+ * Lists get encoded as Python Lists with string values
+Values that do not conform to Python dict or list get converted to strings using
+str().
+
+## Connecting to the daemon ##
+
+To create a connection to the daemon, a socket can be passed to the _Session_
+constructor. If none is passed, a default Unix socket at _/var/run/charon.vici_
+is used:
+
+ import vici
+ import socket
+
+ s = socket.socket(socket.AF_UNIX)
+ s.connect("/var/run/charon.vici")
+ v = vici.Session(s)
+
+## A simple client request ##
+
+An example to print the daemon version information is as simple as:
+
+ ver = v.version()
+
+ print "{daemon} {version} ({sysname}, {release}, {machine})".format(**ver)
+
+## A request with response iteration ##
+
+The _Session_ class returns an iterable Python generator for streamed events to
+continuously stream objects to the caller. The following example lists all
+loaded connections using the _list-conns_ command and implicitly the _list-conn_
+event:
+
+ for conn in v.list_conns():
+ for key in conn:
+ print key
+
+Please note that if the returned generator is not iterated completely, it must
+be closed using _close()_. This is implicitly done when breaking from a loop,
+but an explicit call may be required when directly iterating the generator with
+_next()_.
+
+## Sorting in dictionaries ##
+
+In VICI, in some message trees the order of objects in dictionary matters. In
+contrast to ruby Hashes, Python dictionaries do not preserve order of added
+objects. It is therefore recommended to use OrderedDicts instead of the default
+dictionaries. Objects returned by the library use OrderedDicts.
+
+## API documentation ##
+
+For more details about the Python egg refer to the comments in the Python source
+code.
diff --git a/src/libcharon/plugins/vici/libvici.c b/src/libcharon/plugins/vici/libvici.c
index c0205ccb6..7c98c8b69 100644
--- a/src/libcharon/plugins/vici/libvici.c
+++ b/src/libcharon/plugins/vici/libvici.c
@@ -427,14 +427,8 @@ vici_res_t* vici_submit(vici_req_t *req, vici_conn_t *conn)
void vici_free_req(vici_req_t *req)
{
- vici_message_t *message;
-
free(req->name);
- message = req->b->finalize(req->b);
- if (message)
- {
- message->destroy(message);
- }
+ req->b->destroy(req->b);
free(req);
}
diff --git a/src/libcharon/plugins/vici/python/LICENSE b/src/libcharon/plugins/vici/python/LICENSE
new file mode 100644
index 000000000..111523ca8
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/LICENSE
@@ -0,0 +1,19 @@
+Copyright (c) 2015 Björn Schuberg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/src/libcharon/plugins/vici/python/MANIFEST.in b/src/libcharon/plugins/vici/python/MANIFEST.in
new file mode 100644
index 000000000..1aba38f67
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/MANIFEST.in
@@ -0,0 +1 @@
+include LICENSE
diff --git a/src/libcharon/plugins/vici/python/Makefile.am b/src/libcharon/plugins/vici/python/Makefile.am
new file mode 100644
index 000000000..f51737870
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/Makefile.am
@@ -0,0 +1,33 @@
+EXTRA_DIST = LICENSE MANIFEST.in \
+ setup.py.in \
+ vici/test/__init__.py \
+ vici/test/test_protocol.py \
+ vici/__init__.py \
+ vici/compat.py \
+ vici/exception.py \
+ vici/protocol.py \
+ vici/session.py
+
+setup.py: $(srcdir)/setup.py.in
+ $(AM_V_GEN) sed \
+ -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \
+ $(srcdir)/setup.py.in > $@
+
+all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+
+dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py
+ (cd $(srcdir); $(PYTHON) setup.py bdist_egg \
+ -b $(shell readlink -f $(builddir))/build \
+ -d $(shell readlink -f $(builddir))/dist)
+
+clean-local: setup.py
+ $(PYTHON) setup.py clean -a
+ rm -rf vici.egg-info dist setup.py
+
+install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+ $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \
+ dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+
+if USE_PY_TEST
+ TESTS = $(PY_TEST)
+endif
diff --git a/src/_updown_espmark/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index 51a0d9a13..3a5e5ea72 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -13,7 +13,6 @@
# PARTICULAR PURPOSE.
@SET_MAKE@
-
VPATH = @srcdir@
am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
am__make_running_with_option = \
@@ -78,9 +77,8 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-subdir = src/_updown_espmark
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(dist_ipsec_SCRIPTS) $(dist_man8_MANS)
+subdir = src/libcharon/plugins/vici/python
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -98,35 +96,6 @@ mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
- srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
- for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
- for p in $$list; do echo "$$p $$p"; done | \
- sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
- $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
- if (++n[$$2] == $(am__install_max)) \
- { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
- END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
- sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
- sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
- test -z "$$files" \
- || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
- || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
- $(am__cd) "$$dir" && rm -f $$files; }; \
- }
-am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"
-SCRIPTS = $(dist_ipsec_SCRIPTS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -146,10 +115,29 @@ am__can_run_installinfo = \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(dist_man8_MANS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
@@ -176,6 +164,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -236,10 +225,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -313,6 +304,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -371,8 +364,17 @@ top_srcdir = @top_srcdir@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-dist_ipsec_SCRIPTS = _updown_espmark
-dist_man8_MANS = _updown_espmark.8
+EXTRA_DIST = LICENSE MANIFEST.in \
+ setup.py.in \
+ vici/test/__init__.py \
+ vici/test/test_protocol.py \
+ vici/__init__.py \
+ vici/compat.py \
+ vici/exception.py \
+ vici/protocol.py \
+ vici/session.py
+
+@USE_PY_TEST_TRUE@TESTS = $(PY_TEST)
all: all-am
.SUFFIXES:
@@ -385,9 +387,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/_updown_espmark/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile'; \
$(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/_updown_espmark/Makefile
+ $(AUTOMAKE) --gnu src/libcharon/plugins/vici/python/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -406,88 +408,12 @@ $(top_srcdir)/configure: $(am__configure_deps)
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
-install-dist_ipsecSCRIPTS: $(dist_ipsec_SCRIPTS)
- @$(NORMAL_INSTALL)
- @list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
- fi; \
- for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \
- done | \
- sed -e 'p;s,.*/,,;n' \
- -e 'h;s|.*|.|' \
- -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \
- $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \
- { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
- if ($$2 == $$4) { files[d] = files[d] " " $$1; \
- if (++n[d] == $(am__install_max)) { \
- print "f", d, files[d]; n[d] = 0; files[d] = "" } } \
- else { print "f", d "/" $$4, $$1 } } \
- END { for (d in files) print "f", d, files[d] }' | \
- while read type dir files; do \
- if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
- test -z "$$files" || { \
- echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
- $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
- } \
- ; done
-
-uninstall-dist_ipsecSCRIPTS:
- @$(NORMAL_UNINSTALL)
- @list='$(dist_ipsec_SCRIPTS)'; test -n "$(ipsecdir)" || exit 0; \
- files=`for p in $$list; do echo "$$p"; done | \
- sed -e 's,.*/,,;$(transform)'`; \
- dir='$(DESTDIR)$(ipsecdir)'; $(am__uninstall_files_from_dir)
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
-install-man8: $(dist_man8_MANS)
- @$(NORMAL_INSTALL)
- @list1='$(dist_man8_MANS)'; \
- list2=''; \
- test -n "$(man8dir)" \
- && test -n "`echo $$list1$$list2`" \
- || exit 0; \
- echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
- { for i in $$list1; do echo "$$i"; done; \
- if test -n "$$list2"; then \
- for i in $$list2; do echo "$$i"; done \
- | sed -n '/\.8[a-z]*$$/p'; \
- fi; \
- } | while read p; do \
- if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
- echo "$$d$$p"; echo "$$p"; \
- done | \
- sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
- sed 'N;N;s,\n, ,g' | { \
- list=; while read file base inst; do \
- if test "$$base" = "$$inst"; then list="$$list $$file"; else \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
- fi; \
- done; \
- for i in $$list; do echo "$$i"; done | $(am__base_list) | \
- while read files; do \
- test -z "$$files" || { \
- echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
- $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
- done; }
-
-uninstall-man8:
- @$(NORMAL_UNINSTALL)
- @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
- files=`{ for i in $$list; do echo "$$i"; done; \
- } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
- -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
- dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
@@ -495,6 +421,99 @@ ctags CTAGS:
cscope cscopelist:
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ $(am__tty_colors); \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=XPASS; \
+ ;; \
+ *) \
+ col=$$grn; res=PASS; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ col=$$lgn; res=XFAIL; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=FAIL; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ col=$$blu; res=SKIP; \
+ fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ if test "$$failed" -eq 0; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ fi; \
+ echo "$${col}$$dashes$${std}"; \
+ echo "$${col}$$banner$${std}"; \
+ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+ test -z "$$report" || echo "$${col}$$report$${std}"; \
+ echo "$${col}$$dashes$${std}"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -526,12 +545,10 @@ distdir: $(DISTFILES)
fi; \
done
check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
-all-am: Makefile $(SCRIPTS) $(MANS)
+all-am: Makefile all-local
installdirs:
- for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \
- test -z "$$dir" || $(MKDIR_P) "$$dir"; \
- done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
@@ -564,7 +581,7 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
-clean-am: clean-generic clean-libtool mostlyclean-am
+clean-am: clean-generic clean-libtool clean-local mostlyclean-am
distclean: distclean-am
-rm -f Makefile
@@ -582,13 +599,13 @@ info: info-am
info-am:
-install-data-am: install-dist_ipsecSCRIPTS install-man
+install-data-am:
install-dvi: install-dvi-am
install-dvi-am:
-install-exec-am:
+install-exec-am: install-exec-local
install-html: install-html-am
@@ -598,7 +615,7 @@ install-info: install-info-am
install-info-am:
-install-man: install-man8
+install-man:
install-pdf: install-pdf-am
@@ -626,26 +643,43 @@ ps: ps-am
ps-am:
-uninstall-am: uninstall-dist_ipsecSCRIPTS uninstall-man
+uninstall-am:
-uninstall-man: uninstall-man8
+.MAKE: check-am install-am install-strip
-.MAKE: install-am install-strip
-
-.PHONY: all all-am check check-am clean clean-generic clean-libtool \
- cscopelist-am ctags-am distclean distclean-generic \
- distclean-libtool distdir dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am \
- install-dist_ipsecSCRIPTS install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-info install-info-am install-man install-man8 \
+.PHONY: all all-am all-local check check-TESTS check-am clean \
+ clean-generic clean-libtool clean-local cscopelist-am ctags-am \
+ distclean distclean-generic distclean-libtool distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-exec-local install-html \
+ install-html-am install-info install-info-am install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags-am uninstall uninstall-am uninstall-dist_ipsecSCRIPTS \
- uninstall-man uninstall-man8
+ tags-am uninstall uninstall-am
+
+
+setup.py: $(srcdir)/setup.py.in
+ $(AM_V_GEN) sed \
+ -e "s:@EGG_VERSION@:$(PACKAGE_VERSION):" \
+ $(srcdir)/setup.py.in > $@
+
+all-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+
+dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg: $(EXTRA_DIST) setup.py
+ (cd $(srcdir); $(PYTHON) setup.py bdist_egg \
+ -b $(shell readlink -f $(builddir))/build \
+ -d $(shell readlink -f $(builddir))/dist)
+
+clean-local: setup.py
+ $(PYTHON) setup.py clean -a
+ rm -rf vici.egg-info dist setup.py
+install-exec-local: dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
+ $(EASY_INSTALL) $(PYTHONEGGINSTALLDIR) \
+ dist/vici-$(PACKAGE_VERSION)-py$(PYTHON_VERSION).egg
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/src/libcharon/plugins/vici/python/setup.py.in b/src/libcharon/plugins/vici/python/setup.py.in
new file mode 100644
index 000000000..0e4ad8236
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/setup.py.in
@@ -0,0 +1,34 @@
+from setuptools import setup
+
+
+long_description = (
+ "The strongSwan VICI protocol allows external application to monitor, "
+ "configure and control the IKE daemon charon. This python package provides "
+ "a native client side implementation of the VICI protocol, well suited to "
+ "script automated tasks in a reliable way."
+)
+
+setup(
+ name="vici",
+ version="@EGG_VERSION@",
+ description="Native python interface for strongSwan VICI",
+ author="Bjorn Schuberg",
+ url="https://wiki.strongswan.org/projects/strongswan/wiki/Vici",
+ license="MIT",
+ packages=["vici"],
+ long_description=long_description,
+ include_package_data=True,
+ classifiers=(
+ "Development Status :: 3 - Alpha",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: MIT License",
+ "Natural Language :: English",
+ "Programming Language :: Python :: 2.7",
+ "Programming Language :: Python :: 3.2",
+ "Programming Language :: Python :: 3.3",
+ "Programming Language :: Python :: 3.4",
+ "Topic :: Security",
+ "Topic :: Software Development :: Libraries",
+ )
+)
diff --git a/src/libcharon/plugins/vici/python/vici/__init__.py b/src/libcharon/plugins/vici/python/vici/__init__.py
new file mode 100644
index 000000000..d314325b6
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/__init__.py
@@ -0,0 +1 @@
+from .session import Session
diff --git a/src/libcharon/plugins/vici/python/vici/compat.py b/src/libcharon/plugins/vici/python/vici/compat.py
new file mode 100644
index 000000000..b5f46992e
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/compat.py
@@ -0,0 +1,14 @@
+# Help functions for compatibility between python version 2 and 3
+
+
+# From http://legacy.python.org/dev/peps/pep-0469
+try:
+ dict.iteritems
+except AttributeError:
+ # python 3
+ def iteritems(d):
+ return iter(d.items())
+else:
+ # python 2
+ def iteritems(d):
+ return d.iteritems()
diff --git a/src/libcharon/plugins/vici/python/vici/exception.py b/src/libcharon/plugins/vici/python/vici/exception.py
new file mode 100644
index 000000000..36384e556
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/exception.py
@@ -0,0 +1,10 @@
+"""Exception types that may be thrown by this library."""
+
+class DeserializationException(Exception):
+ """Encountered an unexpected byte sequence or missing element type."""
+
+class SessionException(Exception):
+ """Session request exception."""
+
+class CommandException(Exception):
+ """Command result exception."""
diff --git a/src/libcharon/plugins/vici/python/vici/protocol.py b/src/libcharon/plugins/vici/python/vici/protocol.py
new file mode 100644
index 000000000..855a7b2e2
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/protocol.py
@@ -0,0 +1,196 @@
+import io
+import socket
+import struct
+
+from collections import namedtuple
+from collections import OrderedDict
+
+from .compat import iteritems
+from .exception import DeserializationException
+
+
+class Transport(object):
+ HEADER_LENGTH = 4
+ MAX_SEGMENT = 512 * 1024
+
+ def __init__(self, sock):
+ self.socket = sock
+
+ def send(self, packet):
+ self.socket.sendall(struct.pack("!I", len(packet)) + packet)
+
+ def receive(self):
+ raw_length = self.socket.recv(self.HEADER_LENGTH)
+ length, = struct.unpack("!I", raw_length)
+ payload = self.socket.recv(length)
+ return payload
+
+ def close(self):
+ self.socket.shutdown(socket.SHUT_RDWR)
+ self.socket.close()
+
+
+class Packet(object):
+ CMD_REQUEST = 0 # Named request message
+ CMD_RESPONSE = 1 # Unnamed response message for a request
+ CMD_UNKNOWN = 2 # Unnamed response if requested command is unknown
+ EVENT_REGISTER = 3 # Named event registration request
+ EVENT_UNREGISTER = 4 # Named event de-registration request
+ EVENT_CONFIRM = 5 # Unnamed confirmation for event (de-)registration
+ EVENT_UNKNOWN = 6 # Unnamed response if event (de-)registration failed
+ EVENT = 7 # Named event message
+
+ ParsedPacket = namedtuple(
+ "ParsedPacket",
+ ["response_type", "payload"]
+ )
+
+ ParsedEventPacket = namedtuple(
+ "ParsedEventPacket",
+ ["response_type", "event_type", "payload"]
+ )
+
+ @classmethod
+ def _named_request(cls, request_type, request, message=None):
+ request = request.encode()
+ payload = struct.pack("!BB", request_type, len(request)) + request
+ if message is not None:
+ return payload + message
+ else:
+ return payload
+
+ @classmethod
+ def request(cls, command, message=None):
+ return cls._named_request(cls.CMD_REQUEST, command, message)
+
+ @classmethod
+ def register_event(cls, event_type):
+ return cls._named_request(cls.EVENT_REGISTER, event_type)
+
+ @classmethod
+ def unregister_event(cls, event_type):
+ return cls._named_request(cls.EVENT_UNREGISTER, event_type)
+
+ @classmethod
+ def parse(cls, packet):
+ stream = FiniteStream(packet)
+ response_type, = struct.unpack("!B", stream.read(1))
+
+ if response_type == cls.EVENT:
+ length, = struct.unpack("!B", stream.read(1))
+ event_type = stream.read(length)
+ return cls.ParsedEventPacket(response_type, event_type, stream)
+ else:
+ return cls.ParsedPacket(response_type, stream)
+
+
+class Message(object):
+ SECTION_START = 1 # Begin a new section having a name
+ SECTION_END = 2 # End a previously started section
+ KEY_VALUE = 3 # Define a value for a named key in the section
+ LIST_START = 4 # Begin a named list for list items
+ LIST_ITEM = 5 # Define an unnamed item value in the current list
+ LIST_END = 6 # End a previously started list
+
+ @classmethod
+ def serialize(cls, message):
+ def encode_named_type(marker, name):
+ name = name.encode()
+ return struct.pack("!BB", marker, len(name)) + name
+
+ def encode_blob(value):
+ if not isinstance(value, bytes):
+ value = str(value).encode()
+ return struct.pack("!H", len(value)) + value
+
+ def serialize_list(lst):
+ segment = bytes()
+ for item in lst:
+ segment += struct.pack("!B", cls.LIST_ITEM) + encode_blob(item)
+ return segment
+
+ def serialize_dict(d):
+ segment = bytes()
+ for key, value in iteritems(d):
+ if isinstance(value, dict):
+ segment += (
+ encode_named_type(cls.SECTION_START, key)
+ + serialize_dict(value)
+ + struct.pack("!B", cls.SECTION_END)
+ )
+ elif isinstance(value, list):
+ segment += (
+ encode_named_type(cls.LIST_START, key)
+ + serialize_list(value)
+ + struct.pack("!B", cls.LIST_END)
+ )
+ else:
+ segment += (
+ encode_named_type(cls.KEY_VALUE, key)
+ + encode_blob(value)
+ )
+ return segment
+
+ return serialize_dict(message)
+
+ @classmethod
+ def deserialize(cls, stream):
+ def decode_named_type(stream):
+ length, = struct.unpack("!B", stream.read(1))
+ return stream.read(length).decode()
+
+ def decode_blob(stream):
+ length, = struct.unpack("!H", stream.read(2))
+ return stream.read(length)
+
+ def decode_list_item(stream):
+ marker, = struct.unpack("!B", stream.read(1))
+ while marker == cls.LIST_ITEM:
+ yield decode_blob(stream)
+ marker, = struct.unpack("!B", stream.read(1))
+
+ if marker != cls.LIST_END:
+ raise DeserializationException(
+ "Expected end of list at {pos}".format(pos=stream.tell())
+ )
+
+ section = OrderedDict()
+ section_stack = []
+ while stream.has_more():
+ element_type, = struct.unpack("!B", stream.read(1))
+ if element_type == cls.SECTION_START:
+ section_name = decode_named_type(stream)
+ new_section = OrderedDict()
+ section[section_name] = new_section
+ section_stack.append(section)
+ section = new_section
+
+ elif element_type == cls.LIST_START:
+ list_name = decode_named_type(stream)
+ section[list_name] = [item for item in decode_list_item(stream)]
+
+ elif element_type == cls.KEY_VALUE:
+ key = decode_named_type(stream)
+ section[key] = decode_blob(stream)
+
+ elif element_type == cls.SECTION_END:
+ if len(section_stack):
+ section = section_stack.pop()
+ else:
+ raise DeserializationException(
+ "Unexpected end of section at {pos}".format(
+ pos=stream.tell()
+ )
+ )
+
+ if len(section_stack):
+ raise DeserializationException("Expected end of section")
+ return section
+
+
+class FiniteStream(io.BytesIO):
+ def __len__(self):
+ return len(self.getvalue())
+
+ def has_more(self):
+ return self.tell() < len(self)
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
new file mode 100644
index 000000000..dee58699d
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -0,0 +1,327 @@
+import collections
+import socket
+
+from .exception import SessionException, CommandException
+from .protocol import Transport, Packet, Message
+
+
+class Session(object):
+ def __init__(self, sock=None):
+ if sock is None:
+ sock = socket.socket(socket.AF_UNIX)
+ sock.connect("/var/run/charon.vici")
+ self.handler = SessionHandler(Transport(sock))
+
+ def version(self):
+ """Retrieve daemon and system specific version information.
+
+ :return: daemon and system specific version information
+ :rtype: dict
+ """
+ return self.handler.request("version")
+
+ def stats(self):
+ """Retrieve IKE daemon statistics and load information.
+
+ :return: IKE daemon statistics and load information
+ :rtype: dict
+ """
+ return self.handler.request("stats")
+
+ def reload_settings(self):
+ """Reload strongswan.conf settings and any plugins supporting reload.
+ """
+ self.handler.request("reload-settings")
+
+ def initiate(self, sa):
+ """Initiate an SA.
+
+ :param sa: the SA to initiate
+ :type sa: dict
+ :return: generator for logs emitted as dict
+ :rtype: generator
+ """
+ return self.handler.streamed_request("initiate", "control-log", sa)
+
+ def terminate(self, sa):
+ """Terminate an SA.
+
+ :param sa: the SA to terminate
+ :type sa: dict
+ :return: generator for logs emitted as dict
+ :rtype: generator
+ """
+ return self.handler.streamed_request("terminate", "control-log", sa)
+
+ def install(self, policy):
+ """Install a trap, drop or bypass policy defined by a CHILD_SA config.
+
+ :param policy: policy to install
+ :type policy: dict
+ """
+ self.handler.request("install", policy)
+
+ def uninstall(self, policy):
+ """Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
+
+ :param policy: policy to uninstall
+ :type policy: dict
+ """
+ self.handler.request("uninstall", policy)
+
+ def list_sas(self, filters=None):
+ """Retrieve active IKE_SAs and associated CHILD_SAs.
+
+ :param filters: retrieve only matching IKE_SAs (optional)
+ :type filters: dict
+ :return: generator for active IKE_SAs and associated CHILD_SAs as dict
+ :rtype: generator
+ """
+ return self.handler.streamed_request("list-sas", "list-sa", filters)
+
+ def list_policies(self, filters=None):
+ """Retrieve installed trap, drop and bypass policies.
+
+ :param filters: retrieve only matching policies (optional)
+ :type filters: dict
+ :return: generator for installed trap, drop and bypass policies as dict
+ :rtype: generator
+ """
+ return self.handler.streamed_request("list-policies", "list-policy",
+ filters)
+
+ def list_conns(self, filters=None):
+ """Retrieve loaded connections.
+
+ :param filters: retrieve only matching configuration names (optional)
+ :type filters: dict
+ :return: generator for loaded connections as dict
+ :rtype: generator
+ """
+ return self.handler.streamed_request("list-conns", "list-conn",
+ filters)
+
+ def get_conns(self):
+ """Retrieve connection names loaded exclusively over vici.
+
+ :return: connection names
+ :rtype: dict
+ """
+ return self.handler.request("get-conns")
+
+ def list_certs(self, filters=None):
+ """Retrieve loaded certificates.
+
+ :param filters: retrieve only matching certificates (optional)
+ :type filters: dict
+ :return: generator for loaded certificates as dict
+ :rtype: generator
+ """
+ return self.handler.streamed_request("list-certs", "list-cert", filters)
+
+ def load_conn(self, connection):
+ """Load a connection definition into the daemon.
+
+ :param connection: connection definition
+ :type connection: dict
+ """
+ self.handler.request("load-conn", connection)
+
+ def unload_conn(self, name):
+ """Unload a connection definition.
+
+ :param name: connection definition name
+ :type name: dict
+ """
+ self.handler.request("unload-conn", name)
+
+ def load_cert(self, certificate):
+ """Load a certificate into the daemon.
+
+ :param certificate: PEM or DER encoded certificate
+ :type certificate: dict
+ """
+ self.handler.request("load-cert", certificate)
+
+ def load_key(self, private_key):
+ """Load a private key into the daemon.
+
+ :param private_key: PEM or DER encoded key
+ """
+ self.handler.request("load-key", private_key)
+
+ def load_shared(self, secret):
+ """Load a shared IKE PSK, EAP or XAuth secret into the daemon.
+
+ :param secret: shared IKE PSK, EAP or XAuth secret
+ :type secret: dict
+ """
+ self.handler.request("load-shared", secret)
+
+ def clear_creds(self):
+ """Clear credentials loaded over vici.
+
+ Clear all loaded certificate, private key and shared key credentials.
+ This affects only credentials loaded over vici, but additionally
+ flushes the credential cache.
+ """
+ self.handler.request("clear-creds")
+
+ def load_pool(self, pool):
+ """Load a virtual IP pool.
+
+ Load an in-memory virtual IP and configuration attribute pool.
+ Existing pools with the same name get updated, if possible.
+
+ :param pool: virtual IP and configuration attribute pool
+ :type pool: dict
+ """
+ return self.handler.request("load-pool", pool)
+
+ def unload_pool(self, pool_name):
+ """Unload a virtual IP pool.
+
+ Unload a previously loaded virtual IP and configuration attribute pool.
+ Unloading fails for pools with leases currently online.
+
+ :param pool_name: pool by name
+ :type pool_name: dict
+ """
+ self.handler.request("unload-pool", pool_name)
+
+ def get_pools(self):
+ """Retrieve loaded pools.
+
+ :return: loaded pools
+ :rtype: dict
+ """
+ return self.handler.request("get-pools")
+
+
+class SessionHandler(object):
+ """Handles client command execution requests over vici."""
+
+ def __init__(self, transport):
+ self.transport = transport
+
+ def _communicate(self, packet):
+ """Send packet over transport and parse response.
+
+ :param packet: packet to send
+ :type packet: :py:class:`vici.protocol.Packet`
+ :return: parsed packet in a tuple with message type and payload
+ :rtype: :py:class:`collections.namedtuple`
+ """
+ self.transport.send(packet)
+ return Packet.parse(self.transport.receive())
+
+ def request(self, command, message=None):
+ """Send request with an optional message.
+
+ :param command: command to send
+ :type command: str
+ :param message: message (optional)
+ :type message: str
+ :return: command result
+ :rtype: dict
+ """
+ if message is not None:
+ message = Message.serialize(message)
+ packet = Packet.request(command, message)
+ response = self._communicate(packet)
+
+ if response.response_type != Packet.CMD_RESPONSE:
+ raise SessionException(
+ "Unexpected response type {type}, "
+ "expected '{response}' (CMD_RESPONSE)".format(
+ type=response.response_type,
+ response=Packet.CMD_RESPONSE
+ )
+ )
+
+ command_response = Message.deserialize(response.payload)
+ if "success" in command_response:
+ if command_response["success"] != b"yes":
+ raise CommandException(
+ "Command failed: {errmsg}".format(
+ errmsg=command_response["errmsg"]
+ )
+ )
+
+ return command_response
+
+ def streamed_request(self, command, event_stream_type, message=None):
+ """Send command request and collect and return all emitted events.
+
+ :param command: command to send
+ :type command: str
+ :param event_stream_type: event type emitted on command execution
+ :type event_stream_type: str
+ :param message: message (optional)
+ :type message: str
+ :return: generator for streamed event responses as dict
+ :rtype: generator
+ """
+ if message is not None:
+ message = Message.serialize(message)
+
+ # subscribe to event stream
+ packet = Packet.register_event(event_stream_type)
+ response = self._communicate(packet)
+
+ if response.response_type != Packet.EVENT_CONFIRM:
+ raise SessionException(
+ "Unexpected response type {type}, "
+ "expected '{confirm}' (EVENT_CONFIRM)".format(
+ type=response.response_type,
+ confirm=Packet.EVENT_CONFIRM,
+ )
+ )
+
+ # issue command, and read any event messages
+ packet = Packet.request(command, message)
+ self.transport.send(packet)
+ exited = False
+ while True:
+ response = Packet.parse(self.transport.receive())
+ if response.response_type == Packet.EVENT:
+ if not exited:
+ try:
+ yield Message.deserialize(response.payload)
+ except GeneratorExit:
+ exited = True
+ pass
+ else:
+ break
+
+ if response.response_type == Packet.CMD_RESPONSE:
+ command_response = Message.deserialize(response.payload)
+ else:
+ raise SessionException(
+ "Unexpected response type {type}, "
+ "expected '{response}' (CMD_RESPONSE)".format(
+ type=response.response_type,
+ response=Packet.CMD_RESPONSE
+ )
+ )
+
+ # unsubscribe from event stream
+ packet = Packet.unregister_event(event_stream_type)
+ response = self._communicate(packet)
+ if response.response_type != Packet.EVENT_CONFIRM:
+ raise SessionException(
+ "Unexpected response type {type}, "
+ "expected '{confirm}' (EVENT_CONFIRM)".format(
+ type=response.response_type,
+ confirm=Packet.EVENT_CONFIRM,
+ )
+ )
+
+ # evaluate command result, if any
+ if "success" in command_response:
+ if command_response["success"] != b"yes":
+ raise CommandException(
+ "Command failed: {errmsg}".format(
+ errmsg=command_response["errmsg"]
+ )
+ )
diff --git a/src/libcharon/plugins/vici/python/vici/test/__init__.py b/src/libcharon/plugins/vici/python/vici/test/__init__.py
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/test/__init__.py
diff --git a/src/libcharon/plugins/vici/python/vici/test/test_protocol.py b/src/libcharon/plugins/vici/python/vici/test/test_protocol.py
new file mode 100644
index 000000000..a1f202d79
--- /dev/null
+++ b/src/libcharon/plugins/vici/python/vici/test/test_protocol.py
@@ -0,0 +1,144 @@
+import pytest
+
+from ..protocol import Packet, Message, FiniteStream
+from ..exception import DeserializationException
+
+
+class TestPacket(object):
+ # test data definitions for outgoing packet types
+ cmd_request = b"\x00\x0c" b"command_type"
+ cmd_request_msg = b"\x00\x07" b"command" b"payload"
+ event_register = b"\x03\x0a" b"event_type"
+ event_unregister = b"\x04\x0a" b"event_type"
+
+ # test data definitions for incoming packet types
+ cmd_response = b"\x01" b"reply"
+ cmd_unknown = b"\x02"
+ event_confirm = b"\x05"
+ event_unknown = b"\x06"
+ event = b"\x07\x03" b"log" b"message"
+
+ def test_request(self):
+ assert Packet.request("command_type") == self.cmd_request
+ assert Packet.request("command", b"payload") == self.cmd_request_msg
+
+ def test_register_event(self):
+ assert Packet.register_event("event_type") == self.event_register
+
+ def test_unregister_event(self):
+ assert Packet.unregister_event("event_type") == self.event_unregister
+
+ def test_parse(self):
+ parsed_cmd_response = Packet.parse(self.cmd_response)
+ assert parsed_cmd_response.response_type == Packet.CMD_RESPONSE
+ assert parsed_cmd_response.payload.getvalue() == self.cmd_response
+
+ parsed_cmd_unknown = Packet.parse(self.cmd_unknown)
+ assert parsed_cmd_unknown.response_type == Packet.CMD_UNKNOWN
+ assert parsed_cmd_unknown.payload.getvalue() == self.cmd_unknown
+
+ parsed_event_confirm = Packet.parse(self.event_confirm)
+ assert parsed_event_confirm.response_type == Packet.EVENT_CONFIRM
+ assert parsed_event_confirm.payload.getvalue() == self.event_confirm
+
+ parsed_event_unknown = Packet.parse(self.event_unknown)
+ assert parsed_event_unknown.response_type == Packet.EVENT_UNKNOWN
+ assert parsed_event_unknown.payload.getvalue() == self.event_unknown
+
+ parsed_event = Packet.parse(self.event)
+ assert parsed_event.response_type == Packet.EVENT
+ assert parsed_event.payload.getvalue() == self.event
+
+
+class TestMessage(object):
+ """Message (de)serialization test."""
+
+ # data definitions for test of de(serialization)
+ # serialized messages holding a section
+ ser_sec_unclosed = b"\x01\x08unclosed"
+ ser_sec_single = b"\x01\x07section\x02"
+ ser_sec_nested = b"\x01\x05outer\x01\x0asubsection\x02\x02"
+
+ # serialized messages holding a list
+ ser_list_invalid = b"\x04\x07invalid\x05\x00\x02e1\x02\x03sec\x06"
+ ser_list_0_item = b"\x04\x05empty\x06"
+ ser_list_1_item = b"\x04\x01l\x05\x00\x02e1\x06"
+ ser_list_2_item = b"\x04\x01l\x05\x00\x02e1\x05\x00\x02e2\x06"
+
+ # serialized messages with key value pairs
+ ser_kv_pair = b"\x03\x03key\x00\x05value"
+ ser_kv_zero = b"\x03\x0azerolength\x00\x00"
+
+ # deserialized messages holding a section
+ des_sec_single = { "section": {} }
+ des_sec_nested = { "outer": { "subsection": {} } }
+
+ # deserialized messages holding a list
+ des_list_0_item = { "empty": [] }
+ des_list_1_item = { "l": [ b"e1" ] }
+ des_list_2_item = { "l": [ b"e1", b"e2" ] }
+
+ # deserialized messages with key value pairs
+ des_kv_pair = { "key": b"value" }
+ des_kv_zero = { "zerolength": b"" }
+
+ def test_section_serialization(self):
+ assert Message.serialize(self.des_sec_single) == self.ser_sec_single
+ assert Message.serialize(self.des_sec_nested) == self.ser_sec_nested
+
+ def test_list_serialization(self):
+ assert Message.serialize(self.des_list_0_item) == self.ser_list_0_item
+ assert Message.serialize(self.des_list_1_item) == self.ser_list_1_item
+ assert Message.serialize(self.des_list_2_item) == self.ser_list_2_item
+
+ def test_key_serialization(self):
+ assert Message.serialize(self.des_kv_pair) == self.ser_kv_pair
+ assert Message.serialize(self.des_kv_zero) == self.ser_kv_zero
+
+ def test_section_deserialization(self):
+ single = Message.deserialize(FiniteStream(self.ser_sec_single))
+ nested = Message.deserialize(FiniteStream(self.ser_sec_nested))
+
+ assert single == self.des_sec_single
+ assert nested == self.des_sec_nested
+
+ with pytest.raises(DeserializationException):
+ Message.deserialize(FiniteStream(self.ser_sec_unclosed))
+
+ def test_list_deserialization(self):
+ l0 = Message.deserialize(FiniteStream(self.ser_list_0_item))
+ l1 = Message.deserialize(FiniteStream(self.ser_list_1_item))
+ l2 = Message.deserialize(FiniteStream(self.ser_list_2_item))
+
+ assert l0 == self.des_list_0_item
+ assert l1 == self.des_list_1_item
+ assert l2 == self.des_list_2_item
+
+ with pytest.raises(DeserializationException):
+ Message.deserialize(FiniteStream(self.ser_list_invalid))
+
+ def test_key_deserialization(self):
+ pair = Message.deserialize(FiniteStream(self.ser_kv_pair))
+ zerolength = Message.deserialize(FiniteStream(self.ser_kv_zero))
+
+ assert pair == self.des_kv_pair
+ assert zerolength == self.des_kv_zero
+
+ def test_roundtrip(self):
+ message = {
+ "key1": "value1",
+ "section1": {
+ "sub-section": {
+ "key2": b"value2",
+ },
+ "list1": [ "item1", "item2" ],
+ },
+ }
+ serialized_message = FiniteStream(Message.serialize(message))
+ deserialized_message = Message.deserialize(serialized_message)
+
+ # ensure that list items and key values remain as undecoded bytes
+ deserialized_section = deserialized_message["section1"]
+ assert deserialized_message["key1"] == b"value1"
+ assert deserialized_section["sub-section"]["key2"] == b"value2"
+ assert deserialized_section["list1"] == [ b"item1", b"item2" ]
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.am b/src/libcharon/plugins/vici/ruby/Makefile.am
index ce38e1c3d..3e12f86cc 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.am
+++ b/src/libcharon/plugins/vici/ruby/Makefile.am
@@ -5,8 +5,10 @@ vici.gemspec: $(srcdir)/vici.gemspec.in
-e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \
$(srcdir)/vici.gemspec.in > $@
-vici-$(PACKAGE_VERSION).gem: vici.gemspec
- $(GEM) build vici.gemspec
+vici-$(PACKAGE_VERSION).gem: vici.gemspec $(EXTRA_DIST)
+ (cd $(srcdir); $(GEM) build $(abs_builddir)/vici.gemspec)
+ [ "$(srcdir)" = "$(builddir)" ] || \
+ mv $(srcdir)/vici-$(PACKAGE_VERSION).gem $(builddir)
all-local: vici-$(PACKAGE_VERSION).gem
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index c8a8c11fb..f37c09ea2 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -535,8 +540,10 @@ vici.gemspec: $(srcdir)/vici.gemspec.in
-e "s:@GEM_VERSION@:$(PACKAGE_VERSION):" \
$(srcdir)/vici.gemspec.in > $@
-vici-$(PACKAGE_VERSION).gem: vici.gemspec
- $(GEM) build vici.gemspec
+vici-$(PACKAGE_VERSION).gem: vici.gemspec $(EXTRA_DIST)
+ (cd $(srcdir); $(GEM) build $(abs_builddir)/vici.gemspec)
+ [ "$(srcdir)" = "$(builddir)" ] || \
+ mv $(srcdir)/vici-$(PACKAGE_VERSION).gem $(builddir)
all-local: vici-$(PACKAGE_VERSION).gem
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index e8a9ddca9..f87e46e69 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -243,6 +243,25 @@ module Vici
end
##
+ # Receive data from socket, until len bytes read
+ def recv_all(len)
+ encoding = ""
+ while encoding.length < len do
+ encoding << @socket.recv(len - encoding.length)
+ end
+ encoding
+ end
+
+ ##
+ # Send data to socket, until all bytes sent
+ def send_all(encoding)
+ len = 0
+ while len < encoding.length do
+ len += @socket.send(encoding[len..-1], 0)
+ end
+ end
+
+ ##
# Write a packet prefixed by its length over the transport socket. Type
# specifies the message, the optional label and message get appended.
def write(type, label, message)
@@ -253,15 +272,15 @@ module Vici
if message
encoding << message.encoding
end
- @socket.send([encoding.length + 1, type].pack("Nc") + encoding, 0)
+ send_all([encoding.length + 1, type].pack("Nc") + encoding)
end
##
# Read a packet from the transport socket. Returns the packet type, and
# if available in the packet a label and the contained message.
def read
- len = @socket.recv(4).unpack("N")[0]
- encoding = @socket.recv(len)
+ len = recv_all(4).unpack("N")[0]
+ encoding = recv_all(len)
type = encoding.unpack("c")[0]
len = 1
case type
@@ -371,7 +390,10 @@ module Vici
# during encoding.
class Connection
- def initialize(socket)
+ def initialize(socket = nil)
+ if socket == nil
+ socket = UNIXSocket.new("/var/run/charon.vici")
+ end
@transp = Transport.new(socket)
end
diff --git a/src/libcharon/plugins/vici/ruby/vici.gemspec.in b/src/libcharon/plugins/vici/ruby/vici.gemspec.in
index 5ad61c0a0..2bd2b3d88 100644
--- a/src/libcharon/plugins/vici/ruby/vici.gemspec.in
+++ b/src/libcharon/plugins/vici/ruby/vici.gemspec.in
@@ -2,7 +2,7 @@ Gem::Specification.new do |s|
s.name = "vici"
s.version = "@GEM_VERSION@"
s.authors = ["Martin Willi"]
- s.email = ["martin@strongswan.ch"]
+ s.email = ["martin@strongswan.org"]
s.description = %q{
The strongSwan VICI protocol allows external application to monitor,
configure and control the IKE daemon charon. This ruby gem provides a
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index 2178116c9..f04bae774 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
@@ -93,7 +96,8 @@ static void pool_destroy(pool_t *pool)
* Find an existing or not yet existing lease
*/
static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools,
- identification_t *id, host_t *requested, mem_pool_op_t op)
+ identification_t *id, host_t *requested,
+ mem_pool_op_t op, host_t *peer)
{
enumerator_t *enumerator;
host_t *addr = NULL;
@@ -106,7 +110,8 @@ static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools,
pool = this->pools->get(this->pools, name);
if (pool)
{
- addr = pool->vips->acquire_address(pool->vips, id, requested, op);
+ addr = pool->vips->acquire_address(pool->vips, id, requested,
+ op, peer);
if (addr)
{
break;
@@ -119,20 +124,24 @@ static host_t *find_addr(private_vici_attribute_t *this, linked_list_t *pools,
}
METHOD(attribute_provider_t, acquire_address, host_t*,
- private_vici_attribute_t *this, linked_list_t *pools, identification_t *id,
+ private_vici_attribute_t *this, linked_list_t *pools, ike_sa_t *ike_sa,
host_t *requested)
{
- host_t *addr;
+ identification_t *id;
+ host_t *addr, *peer;
+
+ id = ike_sa->get_other_eap_id(ike_sa);
+ peer = ike_sa->get_other_host(ike_sa);
this->lock->read_lock(this->lock);
- addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING);
+ addr = find_addr(this, pools, id, requested, MEM_POOL_EXISTING, peer);
if (!addr)
{
- addr = find_addr(this, pools, id, requested, MEM_POOL_NEW);
+ addr = find_addr(this, pools, id, requested, MEM_POOL_NEW, peer);
if (!addr)
{
- addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN);
+ addr = find_addr(this, pools, id, requested, MEM_POOL_REASSIGN, peer);
}
}
@@ -143,13 +152,16 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
METHOD(attribute_provider_t, release_address, bool,
private_vici_attribute_t *this, linked_list_t *pools, host_t *address,
- identification_t *id)
+ ike_sa_t *ike_sa)
{
enumerator_t *enumerator;
+ identification_t *id;
bool found = FALSE;
pool_t *pool;
char *name;
+ id = ike_sa->get_other_eap_id(ike_sa);
+
this->lock->read_lock(this->lock);
enumerator = pools->create_enumerator(pools);
@@ -256,7 +268,7 @@ static bool have_vips_from_pool(mem_pool_t *pool, linked_list_t *vips)
METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*,
private_vici_attribute_t *this, linked_list_t *pools,
- identification_t *id, linked_list_t *vips)
+ ike_sa_t *ike_sa, linked_list_t *vips)
{
enumerator_t *enumerator;
nested_data_t *data;
@@ -355,6 +367,24 @@ static vici_message_t* create_reply(char *fmt, ...)
}
/**
+ * Parse a range definition of an address pool
+ */
+static mem_pool_t *create_pool_range(char *name, char *buf)
+{
+ mem_pool_t *pool;
+ host_t *from, *to;
+
+ if (!host_create_from_range(buf, &from, &to))
+ {
+ return NULL;
+ }
+ pool = mem_pool_create_range(name, from, to);
+ from->destroy(from);
+ to->destroy(to);
+ return pool;
+}
+
+/**
* Parse callback data, passed to each callback
*/
typedef struct {
@@ -490,7 +520,8 @@ CALLBACK(pool_kv, bool,
if (streq(name, "addrs"))
{
char buf[128];
- host_t *base;
+ mem_pool_t *pool;
+ host_t *base = NULL;
int bits;
if (data->pool->vips)
@@ -503,14 +534,22 @@ CALLBACK(pool_kv, bool,
data->request->reply = create_reply("invalid addrs value");
return FALSE;
}
- base = host_create_from_subnet(buf, &bits);
- if (!base)
+ pool = create_pool_range(data->name, buf);
+ if (!pool)
+ {
+ base = host_create_from_subnet(buf, &bits);
+ if (base)
+ {
+ pool = mem_pool_create(data->name, base, bits);
+ base->destroy(base);
+ }
+ }
+ if (!pool)
{
data->request->reply = create_reply("invalid addrs value: %s", buf);
return FALSE;
}
- data->pool->vips = mem_pool_create(data->name, base, bits);
- base->destroy(base);
+ data->pool->vips = pool;
return TRUE;
}
data->request->reply = create_reply("invalid attribute: %s", name);
diff --git a/src/libcharon/plugins/vici/vici_builder.c b/src/libcharon/plugins/vici/vici_builder.c
index 561632049..82f12c9da 100644
--- a/src/libcharon/plugins/vici/vici_builder.c
+++ b/src/libcharon/plugins/vici/vici_builder.c
@@ -84,6 +84,8 @@ METHOD(vici_builder_t, add, void,
if (value.len > 0xffff)
{
+ DBG1(DBG_ENC, "vici value exceeds size limit (%zu > %u)",
+ value.len, 0xffff);
this->error++;
return;
}
@@ -125,24 +127,58 @@ METHOD(vici_builder_t, add, void,
}
}
-METHOD(vici_builder_t, vadd_kv, void,
- private_vici_builder_t *this, char *key, char *fmt, va_list args)
+/**
+ * Add a list item or a key/value, if key given
+ */
+static void vadd_kv_or_li(private_vici_builder_t *this, char *key,
+ char *fmt, va_list args)
{
- char buf[2048];
+ u_char buf[512];
+ chunk_t value;
ssize_t len;
+ va_list copy;
- len = vsnprintf(buf, sizeof(buf), fmt, args);
- if (len < 0 || len >= sizeof(buf))
+ va_copy(copy, args);
+ len = vsnprintf(buf, sizeof(buf), fmt, copy);
+ va_end(copy);
+ if (len >= sizeof(buf))
{
- DBG1(DBG_ENC, "vici builder format buffer exceeds limit");
+ value = chunk_alloc(len + 1);
+ len = vsnprintf(value.ptr, value.len, fmt, args);
+ }
+ else
+ {
+ value = chunk_create(buf, len);
+ }
+
+ if (len < 0)
+ {
+ DBG1(DBG_ENC, "vici builder format print failed");
this->error++;
}
else
{
- add(this, VICI_KEY_VALUE, key, chunk_create(buf, len));
+ if (key)
+ {
+ add(this, VICI_KEY_VALUE, key, value);
+ }
+ else
+ {
+ add(this, VICI_LIST_ITEM, value);
+ }
+ }
+ if (value.ptr != buf)
+ {
+ free(value.ptr);
}
}
+METHOD(vici_builder_t, vadd_kv, void,
+ private_vici_builder_t *this, char *key, char *fmt, va_list args)
+{
+ vadd_kv_or_li(this, key, fmt, args);
+}
+
METHOD(vici_builder_t, add_kv, void,
private_vici_builder_t *this, char *key, char *fmt, ...)
{
@@ -153,23 +189,10 @@ METHOD(vici_builder_t, add_kv, void,
va_end(args);
}
-
METHOD(vici_builder_t, vadd_li, void,
private_vici_builder_t *this, char *fmt, va_list args)
{
- char buf[2048];
- ssize_t len;
-
- len = vsnprintf(buf, sizeof(buf), fmt, args);
- if (len < 0 || len >= sizeof(buf))
- {
- DBG1(DBG_ENC, "vici builder format buffer exceeds limit");
- this->error++;
- }
- else
- {
- add(this, VICI_LIST_ITEM, chunk_create(buf, len));
- }
+ vadd_kv_or_li(this, NULL, fmt, args);
}
METHOD(vici_builder_t, add_li, void,
@@ -206,6 +229,13 @@ METHOD(vici_builder_t, end_list, void,
add(this, VICI_LIST_END);
}
+METHOD(vici_builder_t, destroy, void,
+ private_vici_builder_t *this)
+{
+ this->writer->destroy(this->writer);
+ free(this);
+}
+
METHOD(vici_builder_t, finalize, vici_message_t*,
private_vici_builder_t *this)
{
@@ -215,14 +245,12 @@ METHOD(vici_builder_t, finalize, vici_message_t*,
{
DBG1(DBG_ENC, "vici builder error: %u errors (section: %u, list %u)",
this->error, this->section, this->list);
- this->writer->destroy(this->writer);
- free(this);
+ destroy(this);
return NULL;
}
product = vici_message_create_from_data(
this->writer->extract_buf(this->writer), TRUE);
- this->writer->destroy(this->writer);
- free(this);
+ destroy(this);
return product;
}
@@ -245,6 +273,7 @@ vici_builder_t *vici_builder_create()
.begin_list = _begin_list,
.end_list = _end_list,
.finalize = _finalize,
+ .destroy = _destroy,
},
.writer = bio_writer_create(0),
);
diff --git a/src/libcharon/plugins/vici/vici_builder.h b/src/libcharon/plugins/vici/vici_builder.h
index 5a5cc8a03..f7d21eb8f 100644
--- a/src/libcharon/plugins/vici/vici_builder.h
+++ b/src/libcharon/plugins/vici/vici_builder.h
@@ -119,6 +119,14 @@ struct vici_builder_t {
* @return vici message, NULL on error
*/
vici_message_t* (*finalize)(vici_builder_t *this);
+
+ /**
+ * Destroy a vici builder without finalization.
+ *
+ * Note that finalize() already destroys the message, and calling destroy()
+ * is required only if the message does not get finalize()d.
+ */
+ void (*destroy)(vici_builder_t *this);
};
/**
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 113d48084..649161020 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1551,8 +1551,8 @@ static void clear_start_action(private_vici_config_t *this,
enumerator_t *enumerator, *children;
child_sa_t *child_sa;
ike_sa_t *ike_sa;
- u_int32_t reqid = 0, *del;
- array_t *reqids = NULL;
+ u_int32_t id = 0, *del;
+ array_t *ids = NULL;
char *name;
name = child_cfg->get_name(child_cfg);
@@ -1568,23 +1568,23 @@ static void clear_start_action(private_vici_config_t *this,
{
if (streq(name, child_sa->get_name(child_sa)))
{
- reqid = child_sa->get_reqid(child_sa);
- array_insert_create(&reqids, ARRAY_TAIL, &reqid);
+ id = child_sa->get_unique_id(child_sa);
+ array_insert_create(&ids, ARRAY_TAIL, &id);
}
}
children->destroy(children);
}
enumerator->destroy(enumerator);
- if (array_count(reqids))
+ if (array_count(ids))
{
- while (array_remove(reqids, ARRAY_HEAD, &del))
+ while (array_remove(ids, ARRAY_HEAD, &del))
{
DBG1(DBG_CFG, "closing '%s' #%u", name, *del);
charon->controller->terminate_child(charon->controller,
*del, NULL, NULL, 0);
}
- array_destroy(reqids);
+ array_destroy(ids);
}
break;
case ACTION_ROUTE:
@@ -1601,14 +1601,14 @@ static void clear_start_action(private_vici_config_t *this,
{
if (streq(name, child_sa->get_name(child_sa)))
{
- reqid = child_sa->get_reqid(child_sa);
+ id = child_sa->get_reqid(child_sa);
break;
}
}
enumerator->destroy(enumerator);
- if (reqid)
+ if (id)
{
- charon->traps->uninstall(charon->traps, reqid);
+ charon->traps->uninstall(charon->traps, id);
}
break;
}
@@ -1751,7 +1751,8 @@ CALLBACK(config_sn, bool,
.fragmentation = FRAGMENTATION_NO,
.unique = UNIQUE_NO,
.keyingtries = 1,
- .rekey_time = LFT_DEFAULT_IKE_REKEY,
+ .rekey_time = LFT_UNDEFINED,
+ .reauth_time = LFT_UNDEFINED,
.over_time = LFT_UNDEFINED,
.rand_time = LFT_UNDEFINED,
};
@@ -1809,6 +1810,20 @@ CALLBACK(config_sn, bool,
peer.local_port = charon->socket->get_port(charon->socket, FALSE);
}
+ if (peer.rekey_time == LFT_UNDEFINED && peer.reauth_time == LFT_UNDEFINED)
+ {
+ /* apply a default rekey time if no rekey/reauth time set */
+ peer.rekey_time = LFT_DEFAULT_IKE_REKEY;
+ peer.reauth_time = 0;
+ }
+ if (peer.rekey_time == LFT_UNDEFINED)
+ {
+ peer.rekey_time = 0;
+ }
+ if (peer.reauth_time == LFT_UNDEFINED)
+ {
+ peer.reauth_time = 0;
+ }
if (peer.over_time == LFT_UNDEFINED)
{
/* default over_time to 10% of rekey/reauth time if not given */
@@ -1816,9 +1831,17 @@ CALLBACK(config_sn, bool,
}
if (peer.rand_time == LFT_UNDEFINED)
{
- /* default rand_time to over_time if not given */
- peer.rand_time = min(peer.over_time,
- max(peer.rekey_time, peer.reauth_time) / 2);
+ /* default rand_time to over_time if not given, but don't make it
+ * longer than half of rekey/rauth time */
+ if (peer.rekey_time && peer.reauth_time)
+ {
+ peer.rand_time = min(peer.rekey_time, peer.reauth_time);
+ }
+ else
+ {
+ peer.rand_time = max(peer.rekey_time, peer.reauth_time);
+ }
+ peer.rand_time = min(peer.over_time, peer.rand_time / 2);
}
log_peer_data(&peer);
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 292a40032..01d503644 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -264,11 +264,11 @@ CALLBACK(terminate, vici_message_t*,
{
continue;
}
- if (child_id && child_sa->get_reqid(child_sa) != child_id)
+ if (child_id && child_sa->get_unique_id(child_sa) != child_id)
{
continue;
}
- current = child_sa->get_reqid(child_sa);
+ current = child_sa->get_unique_id(child_sa);
array_insert(ids, ARRAY_TAIL, &current);
}
csas->destroy(csas);
diff --git a/src/libcharon/plugins/vici/vici_plugin.c b/src/libcharon/plugins/vici/vici_plugin.c
index 8881feca9..af8bd283b 100644
--- a/src/libcharon/plugins/vici/vici_plugin.c
+++ b/src/libcharon/plugins/vici/vici_plugin.c
@@ -23,7 +23,6 @@
#include "vici_logger.h"
#include <library.h>
-#include <hydra.h>
#include <daemon.h>
typedef struct private_vici_plugin_t private_vici_plugin_t;
@@ -104,8 +103,8 @@ static bool register_vici(private_vici_plugin_t *this,
charon->backends->add_backend(charon->backends,
&this->config->backend);
- hydra->attributes->add_provider(hydra->attributes,
- &this->attrs->provider);
+ charon->attributes->add_provider(charon->attributes,
+ &this->attrs->provider);
charon->bus->add_logger(charon->bus, &this->logger->logger);
return TRUE;
}
@@ -114,8 +113,8 @@ static bool register_vici(private_vici_plugin_t *this,
else
{
charon->bus->remove_logger(charon->bus, &this->logger->logger);
- hydra->attributes->remove_provider(hydra->attributes,
- &this->attrs->provider);
+ charon->attributes->remove_provider(charon->attributes,
+ &this->attrs->provider);
charon->backends->remove_backend(charon->backends,
&this->config->backend);
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 54833abde..3e0d73cdf 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -63,11 +63,13 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
enumerator_t *enumerator;
traffic_selector_t *ts;
+ b->add_kv(b, "uniqueid", "%u", child->get_unique_id(child));
b->add_kv(b, "reqid", "%u", child->get_reqid(child));
b->add_kv(b, "state", "%N", child_sa_state_names, child->get_state(child));
b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
if (child->get_state(child) == CHILD_INSTALLED ||
- child->get_state(child) == CHILD_REKEYING)
+ child->get_state(child) == CHILD_REKEYING ||
+ child->get_state(child) == CHILD_REKEYED)
{
b->add_kv(b, "protocol", "%N", protocol_id_names,
child->get_protocol(child));
@@ -507,11 +509,14 @@ static void build_auth_cfgs(peer_cfg_t *peer_cfg, bool local, vici_builder_t *b)
certificate_t *cert;
char *str;
} v;
+ char buf[32];
+ int i = 0;
enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
while (enumerator->enumerate(enumerator, &auth))
{
- b->begin_section(b, local ? "local" : "remote");
+ snprintf(buf, sizeof(buf), "%s-%d", local ? "local" : "remote", ++i);
+ b->begin_section(b, buf);
rules = auth->create_enumerator(auth);
while (rules->enumerate(rules, &rule, &v))
@@ -976,10 +981,10 @@ CALLBACK(stats, vici_message_t*,
struct mallinfo mi = mallinfo();
b->begin_section(b, "mallinfo");
- b->add_kv(b, "sbrk", "%d", mi.arena);
- b->add_kv(b, "mmap", "%d", mi.hblkhd);
- b->add_kv(b, "used", "%d", mi.uordblks);
- b->add_kv(b, "free", "%d", mi.fordblks);
+ b->add_kv(b, "sbrk", "%u", mi.arena);
+ b->add_kv(b, "mmap", "%u", mi.hblkhd);
+ b->add_kv(b, "used", "%u", mi.uordblks);
+ b->add_kv(b, "free", "%u", mi.fordblks);
b->end_section(b);
}
#endif /* HAVE_MALLINFO */
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index b1cc1d118..e400d9f35 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index e393ee163..a9684455d 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index f0e772700..5170c924f 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index a4c1aaeb2..087f5b350 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 296ccaa1c..29441bcb5 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libcharon/processing/jobs/adopt_children_job.c b/src/libcharon/processing/jobs/adopt_children_job.c
index fb480eee2..c8a9c17de 100644
--- a/src/libcharon/processing/jobs/adopt_children_job.c
+++ b/src/libcharon/processing/jobs/adopt_children_job.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2012 Martin Willi
* Copyright (C) 2012 revosec AG
*
@@ -54,10 +57,10 @@ METHOD(job_t, execute, job_requeue_t,
private_adopt_children_job_t *this)
{
identification_t *my_id, *other_id, *xauth;
- host_t *me, *other;
+ host_t *me, *other, *vip;
peer_cfg_t *cfg;
- linked_list_t *children;
- enumerator_t *enumerator, *childenum;
+ linked_list_t *children, *vips;
+ enumerator_t *enumerator, *subenum;
ike_sa_id_t *id;
ike_sa_t *ike_sa;
child_sa_t *child_sa;
@@ -81,7 +84,8 @@ METHOD(job_t, execute, job_requeue_t,
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- /* find old SA to adopt children from */
+ /* find old SA to adopt children and virtual IPs from */
+ vips = linked_list_create();
children = linked_list_create();
enumerator = charon->ike_sa_manager->create_id_enumerator(
charon->ike_sa_manager, my_id, xauth,
@@ -102,18 +106,29 @@ METHOD(job_t, execute, job_requeue_t,
other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&
cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
{
- childenum = ike_sa->create_child_sa_enumerator(ike_sa);
- while (childenum->enumerate(childenum, &child_sa))
+ subenum = ike_sa->create_child_sa_enumerator(ike_sa);
+ while (subenum->enumerate(subenum, &child_sa))
{
- ike_sa->remove_child_sa(ike_sa, childenum);
+ ike_sa->remove_child_sa(ike_sa, subenum);
children->insert_last(children, child_sa);
}
- childenum->destroy(childenum);
- if (children->get_count(children))
+ subenum->destroy(subenum);
+
+ subenum = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+ while (subenum->enumerate(subenum, &vip))
+ {
+ vips->insert_last(vips, vip->clone(vip));
+ }
+ subenum->destroy(subenum);
+ /* this does not release the addresses, which is good, but
+ * it does trigger an assign_vips(FALSE) event, so we also
+ * trigger one below */
+ ike_sa->clear_virtual_ips(ike_sa, FALSE);
+ if (children->get_count(children) || vips->get_count(vips))
{
DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
- "adopting %d children",
- children->get_count(children));
+ "adopting %d children and %d virtual IPs",
+ children->get_count(children), vips->get_count(vips));
}
ike_sa->set_state(ike_sa, IKE_DELETING);
charon->bus->ike_updown(charon->bus, ike_sa, FALSE);
@@ -125,7 +140,7 @@ METHOD(job_t, execute, job_requeue_t,
charon->ike_sa_manager->checkin(
charon->ike_sa_manager, ike_sa);
}
- if (children->get_count(children))
+ if (children->get_count(children) || vips->get_count(vips))
{
break;
}
@@ -140,7 +155,7 @@ METHOD(job_t, execute, job_requeue_t,
xauth->destroy(xauth);
cfg->destroy(cfg);
- if (children->get_count(children))
+ if (children->get_count(children) || vips->get_count(vips))
{
/* adopt children by new SA */
ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
@@ -152,10 +167,27 @@ METHOD(job_t, execute, job_requeue_t,
{
ike_sa->add_child_sa(ike_sa, child_sa);
}
+ if (vips->get_count(vips))
+ {
+ while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
+ {
+ ike_sa->add_virtual_ip(ike_sa, FALSE, vip);
+ vip->destroy(vip);
+ }
+ charon->bus->assign_vips(charon->bus, ike_sa, TRUE);
+ }
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
}
}
children->destroy_offset(children, offsetof(child_sa_t, destroy));
+ /* FIXME: If we still have addresses here it means we weren't able to
+ * find the new SA anymore (while not very likely during a proper
+ * reauthentication, this theoretically could happen because the SA is
+ * not locked while we search for the old one). So the addresses here
+ * should be released properly to avoid leaking these leases. This is
+ * currently not possible, though, due to the changed interface of
+ * release_address(), which now takes a complete IKE_SA object. */
+ vips->destroy_offset(vips, offsetof(host_t, destroy));
if (array_count(this->tasks))
{
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c
index 9afbac02b..0d85883be 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.c
@@ -31,11 +31,6 @@ struct private_delete_child_sa_job_t {
delete_child_sa_job_t public;
/**
- * reqid of the CHILD_SA
- */
- u_int32_t reqid;
-
- /**
* protocol of the CHILD_SA (ESP/AH)
*/
protocol_id_t protocol;
@@ -46,6 +41,11 @@ struct private_delete_child_sa_job_t {
u_int32_t spi;
/**
+ * SA destination address
+ */
+ host_t *dst;
+
+ /**
* Delete for an expired CHILD_SA
*/
bool expired;
@@ -54,6 +54,7 @@ struct private_delete_child_sa_job_t {
METHOD(job_t, destroy, void,
private_delete_child_sa_job_t *this)
{
+ this->dst->destroy(this->dst);
free(this);
}
@@ -62,12 +63,12 @@ METHOD(job_t, execute, job_requeue_t,
{
ike_sa_t *ike_sa;
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- this->reqid, TRUE);
+ ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager,
+ this->protocol, this->spi, this->dst, NULL);
if (ike_sa == NULL)
{
- DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for delete",
- this->reqid);
+ DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for delete",
+ protocol_id_names, this->protocol, htonl(this->spi), this->dst);
}
else
{
@@ -87,8 +88,8 @@ METHOD(job_t, get_priority, job_priority_t,
/*
* Described in header
*/
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
- protocol_id_t protocol, u_int32_t spi, bool expired)
+delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol,
+ u_int32_t spi, host_t *dst, bool expired)
{
private_delete_child_sa_job_t *this;
@@ -100,12 +101,11 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
.destroy = _destroy,
},
},
- .reqid = reqid,
.protocol = protocol,
.spi = spi,
+ .dst = dst->clone(dst),
.expired = expired,
);
return &this->public;
}
-
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.h b/src/libcharon/processing/jobs/delete_child_sa_job.h
index be6d578bc..6fa53644c 100644
--- a/src/libcharon/processing/jobs/delete_child_sa_job.h
+++ b/src/libcharon/processing/jobs/delete_child_sa_job.h
@@ -44,16 +44,13 @@ struct delete_child_sa_job_t {
/**
* Creates a job of type DELETE_CHILD_SA.
*
- * The CHILD_SA is identified by its reqid, protocol (AH/ESP) and its
- * inbound SPI.
- *
- * @param reqid reqid of the CHILD_SA, as used in kernel
* @param protocol protocol of the CHILD_SA
* @param spi security parameter index of the CHILD_SA
+ * @param dst SA destination address
* @param expired TRUE if CHILD_SA already expired
* @return delete_child_sa_job_t object
*/
-delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid,
- protocol_id_t protocol, u_int32_t spi, bool expired);
+delete_child_sa_job_t *delete_child_sa_job_create(protocol_id_t protocol,
+ u_int32_t spi, host_t *dst, bool expired);
#endif /** DELETE_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/dpd_timeout_job.c b/src/libcharon/processing/jobs/dpd_timeout_job.c
index 9cdce5cab..4c88c13e2 100644
--- a/src/libcharon/processing/jobs/dpd_timeout_job.c
+++ b/src/libcharon/processing/jobs/dpd_timeout_job.c
@@ -63,6 +63,12 @@ METHOD(job_t, execute, job_requeue_t,
this->ike_sa_id);
if (ike_sa)
{
+ if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ return JOB_REQUEUE_NONE;
+ }
+
use_time = ike_sa->get_statistic(ike_sa, STAT_INBOUND);
enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
diff --git a/src/libcharon/processing/jobs/inactivity_job.c b/src/libcharon/processing/jobs/inactivity_job.c
index 197733979..f0f90eedf 100644
--- a/src/libcharon/processing/jobs/inactivity_job.c
+++ b/src/libcharon/processing/jobs/inactivity_job.c
@@ -30,9 +30,9 @@ struct private_inactivity_job_t {
inactivity_job_t public;
/**
- * Reqid of CHILD_SA to check
+ * Unique CHILD_SA identifier to check
*/
- u_int32_t reqid;
+ u_int32_t id;
/**
* Inactivity timeout
@@ -57,8 +57,8 @@ METHOD(job_t, execute, job_requeue_t,
ike_sa_t *ike_sa;
u_int32_t reschedule = 0;
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- this->reqid, TRUE);
+ ike_sa = charon->child_sa_manager->checkout_by_id(charon->child_sa_manager,
+ this->id, NULL);
if (ike_sa)
{
enumerator_t *enumerator;
@@ -69,9 +69,9 @@ METHOD(job_t, execute, job_requeue_t,
status_t status = SUCCESS;
enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
- while (enumerator->enumerate(enumerator, (void**)&child_sa))
+ while (enumerator->enumerate(enumerator, &child_sa))
{
- if (child_sa->get_reqid(child_sa) == this->reqid)
+ if (child_sa->get_unique_id(child_sa) == this->id)
{
time_t in, out, install, diff;
@@ -136,7 +136,7 @@ METHOD(job_t, get_priority, job_priority_t,
/**
* See header
*/
-inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout,
bool close_ike)
{
private_inactivity_job_t *this;
@@ -149,7 +149,7 @@ inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
.destroy = _destroy,
},
},
- .reqid = reqid,
+ .id = unique_id,
.timeout = timeout,
.close_ike = close_ike,
);
diff --git a/src/libcharon/processing/jobs/inactivity_job.h b/src/libcharon/processing/jobs/inactivity_job.h
index 890f7704b..ff19fe560 100644
--- a/src/libcharon/processing/jobs/inactivity_job.h
+++ b/src/libcharon/processing/jobs/inactivity_job.h
@@ -42,12 +42,12 @@ struct inactivity_job_t {
/**
* Create a inactivity_job instance.
*
- * @param reqid reqid of CHILD_SA to check for inactivity
+ * @param unique_id unique CHILD_SA identifier to check for inactivity
* @param timeout inactivity timeout in s
* @param close_ike close IKE_SA if the last remaining CHILD_SA is inactive?
* @return inactivity checking job
*/
-inactivity_job_t *inactivity_job_create(u_int32_t reqid, u_int32_t timeout,
+inactivity_job_t *inactivity_job_create(u_int32_t unique_id, u_int32_t timeout,
bool close_ike);
#endif /** INACTIVITY_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/initiate_tasks_job.c b/src/libcharon/processing/jobs/initiate_tasks_job.c
new file mode 100644
index 000000000..001e71fd1
--- /dev/null
+++ b/src/libcharon/processing/jobs/initiate_tasks_job.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+
+#include "initiate_tasks_job.h"
+
+#include <sa/ike_sa.h>
+#include <daemon.h>
+
+
+typedef struct private_initiate_tasks_job_t private_initiate_tasks_job_t;
+
+/**
+ * Private data of an initiate_tasks_job_t Object
+ */
+struct private_initiate_tasks_job_t {
+
+ /**
+ * Public initiate_tasks_job_t interface
+ */
+ initiate_tasks_job_t public;
+
+ /**
+ * ID of the IKE_SA to trigger task initiation
+ */
+ ike_sa_id_t *ike_sa_id;
+};
+
+METHOD(job_t, destroy, void,
+ private_initiate_tasks_job_t *this)
+{
+ this->ike_sa_id->destroy(this->ike_sa_id);
+ free(this);
+}
+
+METHOD(job_t, execute, job_requeue_t,
+ private_initiate_tasks_job_t *this)
+{
+ ike_sa_t *ike_sa;
+
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
+ this->ike_sa_id);
+ if (ike_sa)
+ {
+ if (ike_sa->initiate(ike_sa, NULL, 0, NULL, NULL) == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
+ ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ }
+ return JOB_REQUEUE_NONE;
+}
+
+METHOD(job_t, get_priority, job_priority_t,
+ private_initiate_tasks_job_t *this)
+{
+ return JOB_PRIO_MEDIUM;
+}
+
+/*
+ * Described in header
+ */
+initiate_tasks_job_t *initiate_tasks_job_create(ike_sa_id_t *ike_sa_id)
+{
+ private_initiate_tasks_job_t *this;
+
+ INIT(this,
+ .public = {
+ .job_interface = {
+ .execute = _execute,
+ .get_priority = _get_priority,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa_id = ike_sa_id->clone(ike_sa_id),
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/processing/jobs/initiate_tasks_job.h b/src/libcharon/processing/jobs/initiate_tasks_job.h
new file mode 100644
index 000000000..071497843
--- /dev/null
+++ b/src/libcharon/processing/jobs/initiate_tasks_job.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup initiate_tasks_job initiate_tasks_job
+ * @{ @ingroup cjobs
+ */
+
+#ifndef INITIATE_TASKS_JOB_H_
+#define INITIATE_TASKS_JOB_H_
+
+typedef struct initiate_tasks_job_t initiate_tasks_job_t;
+
+#include <library.h>
+#include <processing/jobs/job.h>
+#include <sa/ike_sa_id.h>
+
+/**
+ * Job triggering initiation of any queued IKE_SA tasks.
+ */
+struct initiate_tasks_job_t {
+
+ /**
+ * Implements job_t interface
+ */
+ job_t job_interface;
+};
+
+/**
+ * Creates a job to trigger IKE_SA task initiation.
+ *
+ * @param ike_sa_id ID of IKE_SA to trigger tasks for (gets cloned)
+ * @return job instance
+ */
+initiate_tasks_job_t *initiate_tasks_job_create(ike_sa_id_t *ike_sa_id);
+
+#endif /** INITIATE_TASKS_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c
index 2ebfc6714..097dbdffd 100644
--- a/src/libcharon/processing/jobs/migrate_job.c
+++ b/src/libcharon/processing/jobs/migrate_job.c
@@ -70,29 +70,34 @@ METHOD(job_t, destroy, void,
METHOD(job_t, execute, job_requeue_t,
private_migrate_job_t *this)
{
- ike_sa_t *ike_sa = NULL;
+ enumerator_t *ike_sas, *children;
+ ike_sa_t *ike_sa;
- if (this->reqid)
+ ike_sas = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager,
+ TRUE);
+ while (ike_sas->enumerate(ike_sas, &ike_sa))
{
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- this->reqid, TRUE);
- }
- if (ike_sa)
- {
- enumerator_t *children, *enumerator;
- child_sa_t *child_sa;
- host_t *host;
+ child_sa_t *current, *child_sa = NULL;
linked_list_t *vips;
+ status_t status;
+ host_t *host;
children = ike_sa->create_child_sa_enumerator(ike_sa);
- while (children->enumerate(children, (void**)&child_sa))
+ while (children->enumerate(children, &current))
{
- if (child_sa->get_reqid(child_sa) == this->reqid)
+ if (current->get_reqid(current) == this->reqid)
{
+ child_sa = current;
break;
}
}
children->destroy(children);
+
+ if (!child_sa)
+ {
+ continue;
+ }
+
DBG2(DBG_JOB, "found CHILD_SA with reqid {%d}", this->reqid);
ike_sa->set_kmaddress(ike_sa, this->local, this->remote);
@@ -105,27 +110,28 @@ METHOD(job_t, execute, job_requeue_t,
host->set_port(host, IKEV2_UDP_PORT);
ike_sa->set_other_host(ike_sa, host);
- vips = linked_list_create();
- enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
- while (enumerator->enumerate(enumerator, &host))
- {
- vips->insert_last(vips, host);
- }
- enumerator->destroy(enumerator);
+ vips = linked_list_create_from_enumerator(
+ ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE));
- if (child_sa->update(child_sa, this->local, this->remote, vips,
- ike_sa->has_condition(ike_sa, COND_NAT_ANY)) == NOT_SUPPORTED)
+ status = child_sa->update(child_sa, this->local, this->remote, vips,
+ ike_sa->has_condition(ike_sa, COND_NAT_ANY));
+ switch (status)
{
- ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
- child_sa->get_spi(child_sa, TRUE));
+ case NOT_SUPPORTED:
+ ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
+ child_sa->get_spi(child_sa, TRUE));
+ break;
+ case SUCCESS:
+ charon->child_sa_manager->remove(charon->child_sa_manager,
+ child_sa);
+ charon->child_sa_manager->add(charon->child_sa_manager,
+ child_sa, ike_sa);
+ default:
+ break;
}
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
vips->destroy(vips);
}
- else
- {
- DBG1(DBG_JOB, "no CHILD_SA found with reqid {%d}", this->reqid);
- }
+ ike_sas->destroy(ike_sas);
return JOB_REQUEUE_NONE;
}
diff --git a/src/libcharon/processing/jobs/migrate_job.h b/src/libcharon/processing/jobs/migrate_job.h
index 30c0ad0ac..0f2b9aaad 100644
--- a/src/libcharon/processing/jobs/migrate_job.h
+++ b/src/libcharon/processing/jobs/migrate_job.h
@@ -46,7 +46,7 @@ struct migrate_job_t {
*
* We use the reqid or the traffic selectors to find a matching CHILD_SA.
*
- * @param reqid reqid of the CHILD_SA to acquire
+ * @param reqid reqid of the CHILD_SA to migrate
* @param src_ts source traffic selector to be used in the policy
* @param dst_ts destination traffic selector to be used in the policy
* @param dir direction of the policy (in|out)
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c
index 1bf8dc0cb..8f17d39ab 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c
@@ -24,17 +24,13 @@ typedef struct private_rekey_child_sa_job_t private_rekey_child_sa_job_t;
* Private data of an rekey_child_sa_job_t object.
*/
struct private_rekey_child_sa_job_t {
+
/**
* Public rekey_child_sa_job_t interface.
*/
rekey_child_sa_job_t public;
/**
- * reqid of the child to rekey
- */
- u_int32_t reqid;
-
- /**
* protocol of the CHILD_SA (ESP/AH)
*/
protocol_id_t protocol;
@@ -43,11 +39,17 @@ struct private_rekey_child_sa_job_t {
* inbound SPI of the CHILD_SA
*/
u_int32_t spi;
+
+ /**
+ * SA destination address
+ */
+ host_t *dst;
};
METHOD(job_t, destroy, void,
private_rekey_child_sa_job_t *this)
{
+ this->dst->destroy(this->dst);
free(this);
}
@@ -56,12 +58,12 @@ METHOD(job_t, execute, job_requeue_t,
{
ike_sa_t *ike_sa;
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- this->reqid, TRUE);
+ ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager,
+ this->protocol, this->spi, this->dst, NULL);
if (ike_sa == NULL)
{
- DBG2(DBG_JOB, "CHILD_SA with reqid %d not found for rekeying",
- this->reqid);
+ DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for rekey",
+ protocol_id_names, this->protocol, htonl(this->spi), this->dst);
}
else
{
@@ -80,9 +82,8 @@ METHOD(job_t, get_priority, job_priority_t,
/*
* Described in header
*/
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
- protocol_id_t protocol,
- u_int32_t spi)
+rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol,
+ u_int32_t spi, host_t *dst)
{
private_rekey_child_sa_job_t *this;
@@ -94,9 +95,9 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
.destroy = _destroy,
},
},
- .reqid = reqid,
.protocol = protocol,
.spi = spi,
+ .dst = dst->clone(dst),
);
return &this->public;
diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.h b/src/libcharon/processing/jobs/rekey_child_sa_job.h
index fcbe65a06..364bb5ae7 100644
--- a/src/libcharon/processing/jobs/rekey_child_sa_job.h
+++ b/src/libcharon/processing/jobs/rekey_child_sa_job.h
@@ -43,15 +43,11 @@ struct rekey_child_sa_job_t {
/**
* Creates a job of type REKEY_CHILD_SA.
*
- * The CHILD_SA is identified by its protocol (AH/ESP) and its
- * inbound SPI.
- *
- * @param reqid reqid of the CHILD_SA to rekey
* @param protocol protocol of the CHILD_SA
* @param spi security parameter index of the CHILD_SA
+ * @param dst SA destination address
* @return rekey_child_sa_job_t object
*/
-rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid,
- protocol_id_t protocol,
- u_int32_t spi);
+rekey_child_sa_job_t *rekey_child_sa_job_create(protocol_id_t protocol,
+ u_int32_t spi, host_t *dst);
#endif /** REKEY_CHILD_SA_JOB_H_ @}*/
diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
index 516dc5dd5..403d826a3 100644
--- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c
@@ -67,7 +67,8 @@ static u_int32_t get_retry_delay(ike_sa_t *ike_sa)
enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
while (enumerator->enumerate(enumerator, &child_sa))
{
- if (child_sa->get_state(child_sa) != CHILD_INSTALLED)
+ if (child_sa->get_state(child_sa) != CHILD_INSTALLED &&
+ child_sa->get_state(child_sa) != CHILD_REKEYED)
{
retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
DBG1(DBG_IKE, "unable to reauthenticate in CHILD_SA %N state, "
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c
index e6d7da2c6..862506d90 100644
--- a/src/libcharon/processing/jobs/update_sa_job.c
+++ b/src/libcharon/processing/jobs/update_sa_job.c
@@ -27,15 +27,26 @@ typedef struct private_update_sa_job_t private_update_sa_job_t;
* Private data of an update_sa_job_t Object
*/
struct private_update_sa_job_t {
+
/**
* public update_sa_job_t interface
*/
update_sa_job_t public;
/**
- * reqid of the CHILD_SA
+ * protocol of the CHILD_SA (ESP/AH)
+ */
+ protocol_id_t protocol;
+
+ /**
+ * SPI of the CHILD_SA
*/
- u_int32_t reqid;
+ u_int32_t spi;
+
+ /**
+ * Old SA destination address
+ */
+ host_t *dst;
/**
* New SA address and port
@@ -46,6 +57,7 @@ struct private_update_sa_job_t {
METHOD(job_t, destroy, void,
private_update_sa_job_t *this)
{
+ this->dst->destroy(this->dst);
this->new->destroy(this->new);
free(this);
}
@@ -55,11 +67,12 @@ METHOD(job_t, execute, job_requeue_t,
{
ike_sa_t *ike_sa;
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- this->reqid, TRUE);
+ ike_sa = charon->child_sa_manager->checkout(charon->child_sa_manager,
+ this->protocol, this->spi, this->dst, NULL);
if (ike_sa == NULL)
{
- DBG1(DBG_JOB, "CHILD_SA with reqid %d not found for update", this->reqid);
+ DBG1(DBG_JOB, "CHILD_SA %N/0x%08x/%H not found for update",
+ protocol_id_names, this->protocol, htonl(this->spi), this->dst);
}
else
{
@@ -78,7 +91,8 @@ METHOD(job_t, get_priority, job_priority_t,
/*
* Described in header
*/
-update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
+update_sa_job_t *update_sa_job_create(protocol_id_t protocol,
+ u_int32_t spi, host_t *dst, host_t *new)
{
private_update_sa_job_t *this;
@@ -90,10 +104,11 @@ update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new)
.destroy = _destroy,
},
},
- .reqid = reqid,
- .new = new,
+ .protocol = protocol,
+ .spi = spi,
+ .dst = dst->clone(dst),
+ .new = new->clone(new),
);
return &this->public;
}
-
diff --git a/src/libcharon/processing/jobs/update_sa_job.h b/src/libcharon/processing/jobs/update_sa_job.h
index 55a3df83e..9c19f5b6e 100644
--- a/src/libcharon/processing/jobs/update_sa_job.h
+++ b/src/libcharon/processing/jobs/update_sa_job.h
@@ -26,6 +26,7 @@ typedef struct update_sa_job_t update_sa_job_t;
#include <library.h>
#include <networking/host.h>
#include <processing/jobs/job.h>
+#include <config/proposal.h>
/**
* Update the addresses of an IKE and its CHILD_SAs.
@@ -41,10 +42,13 @@ struct update_sa_job_t {
/**
* Creates a job to update IKE and CHILD_SA addresses.
*
- * @param reqid reqid of the CHILD_SA
+ * @param protocol IPsec protocol of SA to update
+ * @param spi SPI of SA to update
+ * @param dst old destination host of SA to update
* @param new new address and port
* @return update_sa_job_t object
*/
-update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new);
+update_sa_job_t *update_sa_job_create(protocol_id_t protocol,
+ u_int32_t spi, host_t *dst, host_t *new);
#endif /** UPDATE_SA_JOB_H_ @}*/
diff --git a/src/libcharon/sa/authenticator.c b/src/libcharon/sa/authenticator.c
index 8571274ac..6c3681a2d 100644
--- a/src/libcharon/sa/authenticator.c
+++ b/src/libcharon/sa/authenticator.c
@@ -31,12 +31,14 @@ ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
"RSA signature",
"pre-shared key",
"DSS signature");
-ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_GSPM, AUTH_DSS,
+ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_DS, AUTH_DSS,
"ECDSA-256 signature",
"ECDSA-384 signature",
"ECDSA-521 signature",
- "secure password method");
-ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_GSPM,
+ "secure password method",
+ "NULL authentication",
+ "digital signature");
+ENUM_NEXT(auth_method_names, AUTH_XAUTH_INIT_PSK, AUTH_HYBRID_RESP_RSA, AUTH_DS,
"XAuthInitPSK",
"XAuthRespPSK",
"XAuthInitRSA",
@@ -99,6 +101,7 @@ authenticator_t *authenticator_create_verifier(
case AUTH_ECDSA_256:
case AUTH_ECDSA_384:
case AUTH_ECDSA_521:
+ case AUTH_DS:
return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
sent_nonce, received_init, reserved);
case AUTH_PSK:
diff --git a/src/libcharon/sa/authenticator.h b/src/libcharon/sa/authenticator.h
index 914f42d9d..97c042e71 100644
--- a/src/libcharon/sa/authenticator.h
+++ b/src/libcharon/sa/authenticator.h
@@ -80,6 +80,16 @@ enum auth_method_t {
AUTH_GSPM = 12,
/**
+ * NULL Authentication Method as specified in draft-ietf-ipsecme-ikev2-null-auth
+ */
+ AUTH_NULL = 13,
+
+ /**
+ * Digital Signature as specified in RFC 7427
+ */
+ AUTH_DS = 14,
+
+ /**
* IKEv1 initiator XAUTH with PSK, outside of IANA range
*/
AUTH_XAUTH_INIT_PSK = 256,
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index a96ab4e90..e0db2e655 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -34,6 +34,8 @@ ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
"INSTALLED",
"UPDATING",
"REKEYING",
+ "REKEYED",
+ "RETRYING",
"DELETING",
"DESTROYING",
);
@@ -100,6 +102,16 @@ struct private_child_sa_t {
u_int32_t reqid;
/**
+ * Did we allocate/confirm and must release the reqid?
+ */
+ bool reqid_allocated;
+
+ /*
+ * Unique CHILD_SA identifier
+ */
+ u_int32_t unique_id;
+
+ /**
* inbound mark used for this child_sa
*/
mark_t mark_in;
@@ -228,6 +240,12 @@ METHOD(child_sa_t, get_reqid, u_int32_t,
return this->reqid;
}
+METHOD(child_sa_t, get_unique_id, u_int32_t,
+ private_child_sa_t *this)
+{
+ return this->unique_id;
+}
+
METHOD(child_sa_t, get_config, child_cfg_t*,
private_child_sa_t *this)
{
@@ -602,7 +620,7 @@ METHOD(child_sa_t, alloc_spi, u_int32_t,
{
if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
this->other_addr, this->my_addr,
- proto_ike2ip(protocol), this->reqid,
+ proto_ike2ip(protocol),
&this->my_spi) == SUCCESS)
{
/* if we allocate a SPI, but then are unable to establish the SA, we
@@ -618,7 +636,7 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t,
{
if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
this->other_addr, this->my_addr,
- this->reqid, &this->my_cpi) == SUCCESS)
+ &this->my_cpi) == SUCCESS)
{
return this->my_cpi;
}
@@ -632,7 +650,7 @@ METHOD(child_sa_t, install, status_t,
{
u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
u_int16_t esn = NO_EXT_SEQ_NUMBERS;
- traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
+ linked_list_t *src_ts = NULL, *dst_ts = NULL;
time_t now;
lifetime_cfg_t *lifetime;
u_int32_t tfc = 0;
@@ -680,6 +698,18 @@ METHOD(child_sa_t, install, status_t,
this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
&esn, NULL);
+ if (!this->reqid_allocated)
+ {
+ status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
+ my_ts, other_ts, this->mark_in, this->mark_out,
+ &this->reqid);
+ if (status != SUCCESS)
+ {
+ return status;
+ }
+ this->reqid_allocated = TRUE;
+ }
+
lifetime = this->config->get_lifetime(this->config);
now = time_monotonic(NULL);
@@ -704,18 +734,16 @@ METHOD(child_sa_t, install, status_t,
lifetime->time.rekey = 0;
}
- /* BEET requires the bound address from the traffic selectors.
- * TODO: We add just the first traffic selector for now, as the
- * kernel accepts a single TS per SA only */
+ /* BEET requires the bound address from the traffic selectors */
if (inbound)
{
- my_ts->get_first(my_ts, (void**)&dst_ts);
- other_ts->get_first(other_ts, (void**)&src_ts);
+ dst_ts = my_ts;
+ src_ts = other_ts;
}
else
{
- my_ts->get_first(my_ts, (void**)&src_ts);
- other_ts->get_first(other_ts, (void**)&dst_ts);
+ src_ts = my_ts;
+ dst_ts = other_ts;
}
status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
@@ -723,7 +751,7 @@ METHOD(child_sa_t, install, status_t,
inbound ? this->mark_in : this->mark_out, tfc,
lifetime, enc_alg, encr, int_alg, integ, this->mode,
this->ipcomp, cpi, this->config->get_replay_window(this->config),
- initiator, this->encap, esn, update, src_ts, dst_ts);
+ initiator, this->encap, esn, inbound, update, src_ts, dst_ts);
free(lifetime);
@@ -798,6 +826,19 @@ METHOD(child_sa_t, add_policies, status_t,
traffic_selector_t *my_ts, *other_ts;
status_t status = SUCCESS;
+ if (!this->reqid_allocated)
+ {
+ /* trap policy, get or confirm reqid */
+ status = hydra->kernel_interface->alloc_reqid(
+ hydra->kernel_interface, my_ts_list, other_ts_list,
+ this->mark_in, this->mark_out, &this->reqid);
+ if (status != SUCCESS)
+ {
+ return status;
+ }
+ this->reqid_allocated = TRUE;
+ }
+
/* apply traffic selectors */
enumerator = my_ts_list->create_enumerator(my_ts_list);
while (enumerator->enumerate(enumerator, &my_ts))
@@ -805,12 +846,15 @@ METHOD(child_sa_t, add_policies, status_t,
array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts));
}
enumerator->destroy(enumerator);
+ array_sort(this->my_ts, (void*)traffic_selector_cmp, NULL);
+
enumerator = other_ts_list->create_enumerator(other_ts_list);
while (enumerator->enumerate(enumerator, &other_ts))
{
array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts));
}
enumerator->destroy(enumerator);
+ array_sort(this->other_ts, (void*)traffic_selector_cmp, NULL);
if (this->config->install_policy(this->config))
{
@@ -1071,6 +1115,22 @@ METHOD(child_sa_t, destroy, void,
set_state(this, CHILD_DESTROYING);
+ if (this->config->install_policy(this->config))
+ {
+ /* delete all policies in the kernel */
+ enumerator = create_policy_enumerator(this);
+ while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+ {
+ del_policies_internal(this, my_ts, other_ts, priority);
+ if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
+ {
+ del_policies_internal(this, my_ts, other_ts,
+ POLICY_PRIORITY_FALLBACK);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+
/* delete SAs in the kernel, if they are set up */
if (this->my_spi)
{
@@ -1087,20 +1147,13 @@ METHOD(child_sa_t, destroy, void,
this->mark_out);
}
- if (this->config->install_policy(this->config))
+ if (this->reqid_allocated)
{
- /* delete all policies in the kernel */
- enumerator = create_policy_enumerator(this);
- while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
+ if (hydra->kernel_interface->release_reqid(hydra->kernel_interface,
+ this->reqid, this->mark_in, this->mark_out) != SUCCESS)
{
- del_policies_internal(this, my_ts, other_ts, priority);
- if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
- {
- del_policies_internal(this, my_ts, other_ts,
- POLICY_PRIORITY_FALLBACK);
- }
+ DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid);
}
- enumerator->destroy(enumerator);
}
array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
@@ -1151,15 +1204,17 @@ static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
* Described in header.
*/
child_sa_t * child_sa_create(host_t *me, host_t* other,
- child_cfg_t *config, u_int32_t rekey, bool encap)
+ child_cfg_t *config, u_int32_t rekey, bool encap,
+ u_int mark_in, u_int mark_out)
{
- static refcount_t reqid = 0;
private_child_sa_t *this;
+ static refcount_t unique_id = 0, unique_mark = 0, mark;
INIT(this,
.public = {
.get_name = _get_name,
.get_reqid = _get_reqid,
+ .get_unique_id = _get_unique_id,
.get_config = _get_config,
.get_state = _get_state,
.set_state = _set_state,
@@ -1201,6 +1256,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
.close_action = config->get_close_action(config),
.dpd_action = config->get_dpd_action(config),
.reqid = config->get_reqid(config),
+ .unique_id = ref_get(&unique_id),
.mark_in = config->get_mark(config, TRUE),
.mark_out = config->get_mark(config, FALSE),
.install_time = time_monotonic(NULL),
@@ -1209,9 +1265,37 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->config = config;
config->get_ref(config);
+ if (mark_in)
+ {
+ this->mark_in.value = mark_in;
+ }
+ if (mark_out)
+ {
+ this->mark_out.value = mark_out;
+ }
+ if (this->mark_in.value == MARK_UNIQUE ||
+ this->mark_out.value == MARK_UNIQUE)
+ {
+ mark = ref_get(&unique_mark);
+ if (this->mark_in.value == MARK_UNIQUE)
+ {
+ this->mark_in.value = mark;
+ }
+ if (this->mark_out.value == MARK_UNIQUE)
+ {
+ this->mark_out.value = mark;
+ }
+ }
+
if (!this->reqid)
{
- /* reuse old reqid if we are rekeying an existing CHILD_SA */
+ /* reuse old reqid if we are rekeying an existing CHILD_SA. While the
+ * reqid cache would find the same reqid for our selectors, this does
+ * not work in a special case: If an SA is triggered by a trap policy,
+ * but the negotiated SA gets narrowed, we still must reuse the same
+ * reqid to successfully "trigger" the SA on the kernel level. Rekeying
+ * such an SA requires an explicit reqid, as the cache currently knows
+ * the original selectors only for that reqid. */
if (rekey)
{
this->reqid = rekey;
@@ -1219,22 +1303,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
else
{
this->reqid = charon->traps->find_reqid(charon->traps, config);
- if (!this->reqid)
- {
- this->reqid = ref_get(&reqid);
- }
}
}
- if (this->mark_in.value == MARK_REQID)
- {
- this->mark_in.value = this->reqid;
- }
- if (this->mark_out.value == MARK_REQID)
- {
- this->mark_out.value = this->reqid;
- }
-
/* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
if (config->get_mode(config) == MODE_TRANSPORT &&
config->use_proxy_mode(config))
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index a0c6c357f..debe8eb2c 100644
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -68,6 +68,16 @@ enum child_sa_state_t {
CHILD_REKEYING,
/**
+ * CHILD_SA that was rekeyed, but stays installed
+ */
+ CHILD_REKEYED,
+
+ /**
+ * CHILD_SA negotiation failed, but gets retried
+ */
+ CHILD_RETRYING,
+
+ /**
* CHILD_SA in progress of delete
*/
CHILD_DELETING,
@@ -121,6 +131,16 @@ struct child_sa_t {
u_int32_t (*get_reqid)(child_sa_t *this);
/**
+ * Get the unique numerical identifier for this CHILD_SA.
+ *
+ * While the same reqid might be shared between multiple SAs, the unique_id
+ * is truly unique for all CHILD_SA instances.
+ *
+ * @return unique CHILD_SA identifier
+ */
+ u_int32_t (*get_unique_id)(child_sa_t *this);
+
+ /**
* Get the config used to set up this child sa.
*
* @return child_cfg
@@ -379,9 +399,12 @@ struct child_sa_t {
* @param config config to use for this CHILD_SA
* @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
* @param encap TRUE to enable UDP encapsulation (NAT traversal)
+ * @param mark_in explicit inbound mark value to use, 0 for config
+ * @param mark_out explicit outbound mark value to use, 0 for config
* @return child_sa_t object
*/
child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
- u_int32_t reqid, bool encap);
+ u_int32_t reqid, bool encap,
+ u_int mark_in, u_int mark_out);
#endif /** CHILD_SA_H_ @}*/
diff --git a/src/libcharon/sa/child_sa_manager.c b/src/libcharon/sa/child_sa_manager.c
new file mode 100644
index 000000000..071a119da
--- /dev/null
+++ b/src/libcharon/sa/child_sa_manager.c
@@ -0,0 +1,333 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_sa_manager.h"
+
+#include <daemon.h>
+#include <threading/mutex.h>
+#include <collections/hashtable.h>
+
+typedef struct private_child_sa_manager_t private_child_sa_manager_t;
+
+/**
+ * Private data of an child_sa_manager_t object.
+ */
+struct private_child_sa_manager_t {
+
+ /**
+ * Public child_sa_manager_t interface.
+ */
+ child_sa_manager_t public;
+
+ /**
+ * CHILD_SAs by inbound SPI/dst, child_entry_t => child_entry_t
+ */
+ hashtable_t *in;
+
+ /**
+ * CHILD_SAs by outbound SPI/dst, child_entry_t => child_entry_t
+ */
+ hashtable_t *out;
+
+ /**
+ * CHILD_SAs by unique ID, child_entry_t => child_entry_t
+ */
+ hashtable_t *ids;
+
+ /**
+ * Mutex to access any hashtable
+ */
+ mutex_t *mutex;
+};
+
+/**
+ * Hashtable entry for a known CHILD_SA
+ */
+typedef struct {
+ /** the associated IKE_SA */
+ ike_sa_id_t *ike_id;
+ /** unique CHILD_SA identifier */
+ u_int32_t unique_id;
+ /** inbound SPI */
+ u_int32_t spi_in;
+ /** outbound SPI */
+ u_int32_t spi_out;
+ /** inbound host address */
+ host_t *host_in;
+ /** outbound host address and port */
+ host_t *host_out;
+ /** IPsec protocol, AH|ESP */
+ protocol_id_t proto;
+} child_entry_t;
+
+/**
+ * Destroy a CHILD_SA entry
+ */
+static void child_entry_destroy(child_entry_t *entry)
+{
+ entry->ike_id->destroy(entry->ike_id);
+ entry->host_in->destroy(entry->host_in);
+ entry->host_out->destroy(entry->host_out);
+ free(entry);
+}
+
+/**
+ * Hashtable hash function for inbound SAs
+ */
+static u_int hash_in(child_entry_t *entry)
+{
+ return chunk_hash_inc(chunk_from_thing(entry->spi_in),
+ chunk_hash_inc(entry->host_in->get_address(entry->host_in),
+ chunk_hash(chunk_from_thing(entry->proto))));
+}
+
+/**
+ * Hashtable equals function for inbound SAs
+ */
+static bool equals_in(child_entry_t *a, child_entry_t *b)
+{
+ return a->spi_in == b->spi_in &&
+ a->proto == b->proto &&
+ a->host_in->ip_equals(a->host_in, b->host_in);
+}
+
+/**
+ * Hashtable hash function for outbound SAs
+ */
+static u_int hash_out(child_entry_t *entry)
+{
+ return chunk_hash_inc(chunk_from_thing(entry->spi_out),
+ chunk_hash_inc(entry->host_out->get_address(entry->host_out),
+ chunk_hash(chunk_from_thing(entry->proto))));
+}
+
+/**
+ * Hashtable equals function for outbound SAs
+ */
+static bool equals_out(child_entry_t *a, child_entry_t *b)
+{
+ return a->spi_out == b->spi_out &&
+ a->proto == b->proto &&
+ a->host_out->ip_equals(a->host_out, b->host_out);
+}
+
+/**
+ * Hashtable hash function for SAs by unique ID
+ */
+static u_int hash_id(child_entry_t *entry)
+{
+ return chunk_hash(chunk_from_thing(entry->unique_id));
+}
+
+/**
+ * Hashtable equals function for SAs by unique ID
+ */
+static bool equals_id(child_entry_t *a, child_entry_t *b)
+{
+ return a->unique_id == b->unique_id;
+}
+
+METHOD(child_sa_manager_t, add, void,
+ private_child_sa_manager_t *this, child_sa_t *child_sa, ike_sa_t *ike_sa)
+{
+ child_entry_t *entry;
+ host_t *in, *out;
+ ike_sa_id_t *id;
+
+ id = ike_sa->get_id(ike_sa);
+ in = ike_sa->get_my_host(ike_sa);
+ out = ike_sa->get_other_host(ike_sa);
+
+ INIT(entry,
+ .ike_id = id->clone(id),
+ .unique_id = child_sa->get_unique_id(child_sa),
+ .proto = child_sa->get_protocol(child_sa),
+ .spi_in = child_sa->get_spi(child_sa, TRUE),
+ .spi_out = child_sa->get_spi(child_sa, FALSE),
+ .host_in = in->clone(in),
+ .host_out = out->clone(out),
+ );
+
+ this->mutex->lock(this->mutex);
+ if (!this->in->get(this->in, entry) &&
+ !this->out->get(this->out, entry))
+ {
+ this->in->put(this->in, entry, entry);
+ this->out->put(this->out, entry, entry);
+ entry = this->ids->put(this->ids, entry, entry);
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (entry)
+ {
+ child_entry_destroy(entry);
+ }
+}
+
+METHOD(child_sa_manager_t, remove_, void,
+ private_child_sa_manager_t *this, child_sa_t *child_sa)
+{
+ child_entry_t *entry, key = {
+ .unique_id = child_sa->get_unique_id(child_sa),
+ };
+
+ this->mutex->lock(this->mutex);
+ entry = this->ids->remove(this->ids, &key);
+ if (entry)
+ {
+ this->in->remove(this->in, entry);
+ this->out->remove(this->out, entry);
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (entry)
+ {
+ child_entry_destroy(entry);
+ }
+}
+
+/**
+ * Check out an IKE_SA for a given CHILD_SA
+ */
+static ike_sa_t *checkout_ikesa(private_child_sa_manager_t *this,
+ ike_sa_id_t *id, u_int32_t unique_id, child_sa_t **child_sa)
+{
+ enumerator_t *enumerator;
+ child_sa_t *current;
+ ike_sa_t *ike_sa;
+ bool found = FALSE;
+
+ ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
+ id->destroy(id);
+ if (ike_sa)
+ {
+ enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
+ while (enumerator->enumerate(enumerator, &current))
+ {
+ found = current->get_unique_id(current) == unique_id;
+ if (found)
+ {
+ if (child_sa)
+ {
+ *child_sa = current;
+ }
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (found)
+ {
+ return ike_sa;
+ }
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ return NULL;
+}
+
+METHOD(child_sa_manager_t, checkout_by_id, ike_sa_t*,
+ private_child_sa_manager_t *this, u_int32_t unique_id,
+ child_sa_t **child_sa)
+{
+ ike_sa_id_t *id;
+ child_entry_t *entry, key = {
+ .unique_id = unique_id,
+ };
+
+ this->mutex->lock(this->mutex);
+ entry = this->ids->get(this->ids, &key);
+ if (entry)
+ {
+ id = entry->ike_id->clone(entry->ike_id);
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (entry)
+ {
+ return checkout_ikesa(this, id, unique_id, child_sa);
+ }
+ return NULL;
+}
+
+METHOD(child_sa_manager_t, checkout, ike_sa_t*,
+ private_child_sa_manager_t *this, protocol_id_t protocol, u_int32_t spi,
+ host_t *dst, child_sa_t **child_sa)
+{
+ ike_sa_id_t *id;
+ u_int32_t unique_id;
+ child_entry_t *entry, key = {
+ .spi_in = spi,
+ .spi_out = spi,
+ .host_in = dst,
+ .host_out = dst,
+ .proto = protocol,
+ };
+
+ this->mutex->lock(this->mutex);
+ entry = this->in->get(this->in, &key);
+ if (!entry)
+ {
+ entry = this->out->get(this->out, &key);
+ }
+ if (entry)
+ {
+ unique_id = entry->unique_id;
+ id = entry->ike_id->clone(entry->ike_id);
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (entry)
+ {
+ return checkout_ikesa(this, id, unique_id, child_sa);
+ }
+ return NULL;
+}
+
+METHOD(child_sa_manager_t, destroy, void,
+ private_child_sa_manager_t *this)
+{
+ this->in->destroy(this->in);
+ this->out->destroy(this->out);
+ this->ids->destroy(this->ids);
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/**
+ * See header
+ */
+child_sa_manager_t *child_sa_manager_create()
+{
+ private_child_sa_manager_t *this;
+
+ INIT(this,
+ .public = {
+ .add = _add,
+ .remove = _remove_,
+ .checkout = _checkout,
+ .checkout_by_id = _checkout_by_id,
+ .destroy = _destroy,
+ },
+ .in = hashtable_create((hashtable_hash_t)hash_in,
+ (hashtable_equals_t)equals_in, 8),
+ .out = hashtable_create((hashtable_hash_t)hash_out,
+ (hashtable_equals_t)equals_out, 8),
+ .ids = hashtable_create((hashtable_hash_t)hash_id,
+ (hashtable_equals_t)equals_id, 8),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/child_sa_manager.h b/src/libcharon/sa/child_sa_manager.h
new file mode 100644
index 000000000..4d57528e8
--- /dev/null
+++ b/src/libcharon/sa/child_sa_manager.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_sa_manager child_sa_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef CHILD_SA_MANAGER_H_
+#define CHILD_SA_MANAGER_H_
+
+#include <sa/ike_sa.h>
+#include <sa/child_sa.h>
+
+typedef struct child_sa_manager_t child_sa_manager_t;
+
+/**
+ * Handle CHILD_SA to IKE_SA relations
+ */
+struct child_sa_manager_t {
+
+ /**
+ * Register a CHILD_SA/IKE_SA relation.
+ *
+ * @param child_sa CHILD_SA to register
+ * @param ike_sa IKE_SA owning the CHILD_SA
+ */
+ void (*add)(child_sa_manager_t *this, child_sa_t *child_sa, ike_sa_t *ike_sa);
+
+ /**
+ * Unregister a CHILD_SA/IKE_SA relation.
+ *
+ * @param child_sa CHILD_SA to unregister
+ */
+ void (*remove)(child_sa_manager_t *this, child_sa_t *child_sa);
+
+ /**
+ * Find a CHILD_SA and check out the associated IKE_SA by SPI.
+ *
+ * On success, the returned IKE_SA must be checked in after use to
+ * the IKE_SA manager.
+ *
+ * @param protocol IPsec protocol, AH|ESP
+ * @param spi SPI of CHILD_SA to check out
+ * @param dst SA destination host related to SPI
+ * @param child_sa returns CHILD_SA managed by IKE_SA
+ * @return IKE_SA, NULL if not found
+ */
+ ike_sa_t *(*checkout)(child_sa_manager_t *this,
+ protocol_id_t protocol, u_int32_t spi, host_t *dst,
+ child_sa_t **child_sa);
+
+ /**
+ * Find a CHILD_SA and check out the associated IKE_SA by unique_id.
+ *
+ * On success, the returned IKE_SA must be checked in after use to
+ * the IKE_SA manager.
+ *
+ * @param unique_id unique ID of CHILD_SA to check out
+ * @param child_sa returns CHILD_SA managed by IKE_SA
+ * @return IKE_SA, NULL if not found
+ */
+ ike_sa_t *(*checkout_by_id)(child_sa_manager_t *this, u_int32_t unique_id,
+ child_sa_t **child_sa);
+
+ /**
+ * Destroy a child_sa_manager_t.
+ */
+ void (*destroy)(child_sa_manager_t *this);
+};
+
+/**
+ * Create a child_sa_manager instance.
+ */
+child_sa_manager_t *child_sa_manager_create();
+
+#endif /** CHILD_SA_MANAGER_H_ @}*/
diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h
index 6242a5a6e..689c0f990 100644
--- a/src/libcharon/sa/eap/eap_method.h
+++ b/src/libcharon/sa/eap/eap_method.h
@@ -137,6 +137,18 @@ struct eap_method_t {
void (*set_identifier) (eap_method_t *this, u_int8_t identifier);
/**
+ * Get authentication details performed by this EAP method.
+ *
+ * After EAP completion, the auth data contains additional information
+ * of the authentication process, used certificates etc.
+ * This method is optional to implement, but if it is, it must return
+ * a valid auth_cfg.
+ *
+ * @return auth method, internal data
+ */
+ auth_cfg_t* (*get_auth)(eap_method_t *this);
+
+ /**
* Destroys a eap_method_t object.
*/
void (*destroy) (eap_method_t *this);
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index d92b9df8e..3aafa4c13 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -932,6 +932,7 @@ METHOD(ike_sa_t, update_hosts, void,
/* update our address in any case */
if (force && !me->equals(me, this->my_host))
{
+ charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
set_my_host(this, me->clone(me));
update = TRUE;
}
@@ -945,6 +946,7 @@ METHOD(ike_sa_t, update_hosts, void,
(!has_condition(this, COND_NAT_HERE) ||
!has_condition(this, COND_ORIGINAL_INITIATOR)))
{
+ charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
set_other_host(this, other->clone(other));
update = TRUE;
}
@@ -964,6 +966,10 @@ METHOD(ike_sa_t, update_hosts, void,
enumerator = array_create_enumerator(this->child_sas);
while (enumerator->enumerate(enumerator, &child_sa))
{
+ charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
+ charon->child_sa_manager->add(charon->child_sa_manager,
+ child_sa, &this->public);
+
if (child_sa->update(child_sa, this->my_host, this->other_host,
vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
{
@@ -971,6 +977,7 @@ METHOD(ike_sa_t, update_hosts, void,
child_sa->get_protocol(child_sa),
child_sa->get_spi(child_sa, TRUE));
}
+
}
enumerator->destroy(enumerator);
@@ -1444,6 +1451,8 @@ METHOD(ike_sa_t, add_child_sa, void,
private_ike_sa_t *this, child_sa_t *child_sa)
{
array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
+ charon->child_sa_manager->add(charon->child_sa_manager,
+ child_sa, &this->public);
}
METHOD(ike_sa_t, get_child_sa, child_sa_t*,
@@ -1471,16 +1480,58 @@ METHOD(ike_sa_t, get_child_count, int,
return array_count(this->child_sas);
}
+/**
+ * Private data of a create_child_sa_enumerator()
+ */
+typedef struct {
+ /** implements enumerator */
+ enumerator_t public;
+ /** inner array enumerator */
+ enumerator_t *inner;
+ /** current item */
+ child_sa_t *current;
+} child_enumerator_t;
+
+METHOD(enumerator_t, child_enumerate, bool,
+ child_enumerator_t *this, child_sa_t **child_sa)
+{
+ if (this->inner->enumerate(this->inner, &this->current))
+ {
+ *child_sa = this->current;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+METHOD(enumerator_t, child_enumerator_destroy, void,
+ child_enumerator_t *this)
+{
+ this->inner->destroy(this->inner);
+ free(this);
+}
+
METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
private_ike_sa_t *this)
{
- return array_create_enumerator(this->child_sas);
+ child_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_child_enumerate,
+ .destroy = _child_enumerator_destroy,
+ },
+ .inner = array_create_enumerator(this->child_sas),
+ );
+ return &enumerator->public;
}
METHOD(ike_sa_t, remove_child_sa, void,
private_ike_sa_t *this, enumerator_t *enumerator)
{
- array_remove_at(this->child_sas, enumerator);
+ child_enumerator_t *ce = (child_enumerator_t*)enumerator;
+
+ charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
+ array_remove_at(this->child_sas, ce->inner);
}
METHOD(ike_sa_t, rekey_child_sa, status_t,
@@ -1513,13 +1564,13 @@ METHOD(ike_sa_t, destroy_child_sa, status_t,
child_sa_t *child_sa;
status_t status = NOT_FOUND;
- enumerator = array_create_enumerator(this->child_sas);
+ enumerator = create_child_sa_enumerator(this);
while (enumerator->enumerate(enumerator, (void**)&child_sa))
{
if (child_sa->get_protocol(child_sa) == protocol &&
child_sa->get_spi(child_sa, TRUE) == spi)
{
- array_remove_at(this->child_sas, enumerator);
+ remove_child_sa(this, enumerator);
child_sa->destroy(child_sa);
status = SUCCESS;
break;
@@ -1771,7 +1822,7 @@ METHOD(ike_sa_t, reestablish, status_t,
#endif /* ME */
{
/* handle existing CHILD_SAs */
- enumerator = array_create_enumerator(this->child_sas);
+ enumerator = create_child_sa_enumerator(this);
while (enumerator->enumerate(enumerator, (void**)&child_sa))
{
if (has_condition(this, COND_REAUTHENTICATING))
@@ -1780,7 +1831,7 @@ METHOD(ike_sa_t, reestablish, status_t,
{
case CHILD_ROUTED:
{ /* move routed child directly */
- array_remove_at(this->child_sas, enumerator);
+ remove_child_sa(this, enumerator);
new->add_child_sa(new, child_sa);
action = ACTION_NONE;
break;
@@ -2209,6 +2260,12 @@ METHOD(ike_sa_t, inherit_post, void,
array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
}
+ /* MOBIKE additional addresses */
+ while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
+ {
+ array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
+ }
+
/* authentication information */
enumerator = array_create_enumerator(other->my_auths);
while (enumerator->enumerate(enumerator, &cfg))
@@ -2251,7 +2308,8 @@ METHOD(ike_sa_t, inherit_post, void,
/* adopt all children */
while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
{
- array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
+ charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
+ add_child_sa(this, child_sa);
}
/* move pending tasks to the new IKE_SA */
@@ -2296,8 +2354,8 @@ METHOD(ike_sa_t, destroy, void,
{
if (entry.handler)
{
- hydra->attributes->release(hydra->attributes, entry.handler,
- this->other_id, entry.type, entry.data);
+ charon->attributes->release(charon->attributes, entry.handler,
+ &this->public, entry.type, entry.data);
}
free(entry.data.ptr);
}
@@ -2305,6 +2363,7 @@ METHOD(ike_sa_t, destroy, void,
* routes that the CHILD_SA tries to uninstall. */
while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
{
+ charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
child_sa->destroy(child_sa);
}
while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
@@ -2321,12 +2380,11 @@ METHOD(ike_sa_t, destroy, void,
if (this->peer_cfg)
{
linked_list_t *pools;
- identification_t *id;
- id = get_other_eap_id(this);
pools = linked_list_create_from_enumerator(
this->peer_cfg->create_pool_enumerator(this->peer_cfg));
- hydra->attributes->release_address(hydra->attributes, pools, vip, id);
+ charon->attributes->release_address(charon->attributes,
+ pools, vip, &this->public);
pools->destroy(pools);
}
vip->destroy(vip);
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index c72d87367..9dbc805c9 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -131,6 +131,11 @@ enum ike_extension_t {
* peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
*/
EXT_IKE_FRAGMENTATION = (1<<11),
+
+ /**
+ * Signature Authentication, RFC 7427
+ */
+ EXT_SIGNATURE_AUTH = (1<<12),
};
/**
@@ -936,8 +941,9 @@ struct ike_sa_t {
/**
* Reauthenticate the IKE_SA.
*
- * Create a completely new IKE_SA with authentication, recreates all children
- * within the IKE_SA, closes this IKE_SA.
+ * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
+ * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
+ * in the new IKE_SA.
*
* @return DESTROY_ME to destroy the IKE_SA
*/
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index bdabc59b5..13fc74ff7 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
DBG2(DBG_MGR, "checkout IKE_SA by message");
- if (id->get_responder_spi(id) == 0)
+ if (id->get_responder_spi(id) == 0 &&
+ message->get_message_id(message) == 0)
{
if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
{
@@ -1383,54 +1384,35 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
}
METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
- private_ike_sa_manager_t *this, u_int32_t id, bool child)
+ private_ike_sa_manager_t *this, u_int32_t id)
{
- enumerator_t *enumerator, *children;
+ enumerator_t *enumerator;
entry_t *entry;
ike_sa_t *ike_sa = NULL;
- child_sa_t *child_sa;
u_int segment;
- DBG2(DBG_MGR, "checkout IKE_SA by ID");
+ DBG2(DBG_MGR, "checkout IKE_SA by ID %u", id);
enumerator = create_table_enumerator(this);
while (enumerator->enumerate(enumerator, &entry, &segment))
{
if (wait_for_entry(this, entry, segment))
{
- /* look for a child with such a reqid ... */
- if (child)
- {
- children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa);
- while (children->enumerate(children, (void**)&child_sa))
- {
- if (child_sa->get_reqid(child_sa) == id)
- {
- ike_sa = entry->ike_sa;
- break;
- }
- }
- children->destroy(children);
- }
- else /* ... or for a IKE_SA with such a unique id */
- {
- if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
- {
- ike_sa = entry->ike_sa;
- }
- }
- /* got one, return */
- if (ike_sa)
+ if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
{
+ ike_sa = entry->ike_sa;
entry->checked_out = TRUE;
- DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
- ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
break;
}
}
}
enumerator->destroy(enumerator);
+ if (ike_sa)
+ {
+ DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
+ ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
+ }
charon->bus->set_sa(charon->bus, ike_sa);
return ike_sa;
}
@@ -1746,29 +1728,45 @@ METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
}
/**
- * Move all CHILD_SAs from old to new
+ * Move all CHILD_SAs and virtual IPs from old to new
*/
-static void adopt_children(ike_sa_t *old, ike_sa_t *new)
+static void adopt_children_and_vips(ike_sa_t *old, ike_sa_t *new)
{
enumerator_t *enumerator;
child_sa_t *child_sa;
+ host_t *vip;
+ int chcount = 0, vipcount = 0;
+
enumerator = old->create_child_sa_enumerator(old);
while (enumerator->enumerate(enumerator, &child_sa))
{
old->remove_child_sa(old, enumerator);
new->add_child_sa(new, child_sa);
+ chcount++;
}
enumerator->destroy(enumerator);
-}
-/**
- * Check if the replaced IKE_SA might get reauthenticated from host
- */
-static bool is_ikev1_reauth(ike_sa_t *duplicate, host_t *host)
-{
- return duplicate->get_version(duplicate) == IKEV1 &&
- host->equals(host, duplicate->get_other_host(duplicate));
+ enumerator = old->create_virtual_ip_enumerator(old, FALSE);
+ while (enumerator->enumerate(enumerator, &vip))
+ {
+ new->add_virtual_ip(new, FALSE, vip);
+ vipcount++;
+ }
+ enumerator->destroy(enumerator);
+ /* this does not release the addresses, which is good, but it does trigger
+ * an assign_vips(FALSE) event... */
+ old->clear_virtual_ips(old, FALSE);
+ /* ...trigger the analogous event on the new SA */
+ charon->bus->set_sa(charon->bus, new);
+ charon->bus->assign_vips(charon->bus, new, TRUE);
+ charon->bus->set_sa(charon->bus, old);
+
+ if (chcount || vipcount)
+ {
+ DBG1(DBG_IKE, "detected reauth of existing IKE_SA, adopting %d "
+ "children and %d virtual IPs", chcount, vipcount);
+ }
}
/**
@@ -1780,13 +1778,20 @@ static status_t enforce_replace(private_ike_sa_manager_t *this,
{
charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
- if (is_ikev1_reauth(duplicate, host))
+ if (host->equals(host, duplicate->get_other_host(duplicate)))
{
/* looks like a reauthentication attempt */
- adopt_children(duplicate, new);
+ if (!new->has_condition(new, COND_INIT_CONTACT_SEEN) &&
+ new->get_version(new) == IKEV1)
+ {
+ /* IKEv1 implicitly takes over children, IKEv2 recreates them
+ * explicitly. */
+ adopt_children_and_vips(duplicate, new);
+ }
/* For IKEv1 we have to delay the delete for the old IKE_SA. Some
* peers need to complete the new SA first, otherwise the quick modes
- * might get lost. */
+ * might get lost. For IKEv2 we do the same, as we want overlapping
+ * CHILD_SAs to keep connectivity up. */
lib->scheduler->schedule_job(lib->scheduler, (job_t*)
delete_ike_sa_job_create(duplicate->get_id(duplicate), TRUE), 10);
return SUCCESS;
@@ -1851,7 +1856,9 @@ METHOD(ike_sa_manager_t, check_uniqueness, bool,
other, other_host);
break;
case UNIQUE_KEEP:
- if (!is_ikev1_reauth(duplicate, other_host))
+ /* potential reauthentication? */
+ if (!other_host->equals(other_host,
+ duplicate->get_other_host(duplicate)))
{
cancel = TRUE;
/* we keep the first IKE_SA and delete all
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h
index a68ae7763..f259d8e56 100644
--- a/src/libcharon/sa/ike_sa_manager.h
+++ b/src/libcharon/sa/ike_sa_manager.h
@@ -129,19 +129,15 @@ struct ike_sa_manager_t {
/**
* Check out an IKE_SA a unique ID.
*
- * Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
- * These checkout function uses, depending
- * on the child parameter, the unique ID of the IKE_SA or the reqid
- * of one of a IKE_SAs CHILD_SA.
+ * Every IKE_SA is uniquely identified by a numerical ID. This checkout
+ * function uses the unique ID of the IKE_SA to check it out.
*
* @param id unique ID of the object
- * @param child TRUE to use CHILD, FALSE to use IKE_SA
* @return
* - checked out IKE_SA, if found
* - NULL, if not found
*/
- ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id,
- bool child);
+ ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, u_int32_t id);
/**
* Check out an IKE_SA by the policy/connection name.
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
index aa966cd5f..bb187f07c 100644
--- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
@@ -74,7 +74,10 @@ METHOD(authenticator_t, build, status_t,
keymat_v1_t *keymat;
chunk_t hash, dh;
- this->dh->get_my_public_value(this->dh, &dh);
+ if (!this->dh->get_my_public_value(this->dh, &dh))
+ {
+ return FAILED;
+ }
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
this->ike_sa->get_id(this->ike_sa), this->sa_payload,
@@ -108,7 +111,10 @@ METHOD(authenticator_t, process, status_t,
return FAILED;
}
- this->dh->get_my_public_value(this->dh, &dh);
+ if (!this->dh->get_my_public_value(this->dh, &dh))
+ {
+ return FAILED;
+ }
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
this->ike_sa->get_id(this->ike_sa), this->sa_payload,
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index bfe5ff449..52228ef2e 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -94,7 +94,11 @@ METHOD(authenticator_t, build, status_t,
return NOT_FOUND;
}
- this->dh->get_my_public_value(this->dh, &dh);
+ if (!this->dh->get_my_public_value(this->dh, &dh))
+ {
+ private->destroy(private);
+ return FAILED;
+ }
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
this->ike_sa->get_id(this->ike_sa), this->sa_payload,
@@ -152,7 +156,10 @@ METHOD(authenticator_t, process, status_t,
}
id = this->ike_sa->get_other_id(this->ike_sa);
- this->dh->get_my_public_value(this->dh, &dh);
+ if (!this->dh->get_my_public_value(this->dh, &dh))
+ {
+ return FAILED;
+ }
keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
this->ike_sa->get_id(this->ike_sa), this->sa_payload,
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 619d197bd..f5a91dbeb 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -425,7 +425,7 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
return FALSE;
}
- if (dh->get_shared_secret(dh, &g_xy) != SUCCESS)
+ if (!dh->get_shared_secret(dh, &g_xy))
{
return FALSE;
}
@@ -560,7 +560,10 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
return FALSE;
}
- dh->get_my_public_value(dh, &dh_me);
+ if (!dh->get_my_public_value(dh, &dh_me))
+ {
+ return FALSE;
+ }
g_xi = this->initiator ? dh_me : dh_other;
g_xr = this->initiator ? dh_other : dh_me;
@@ -661,7 +664,7 @@ METHOD(keymat_v1_t, derive_child_keys, bool,
protocol = proposal->get_protocol(proposal);
if (dh)
{
- if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+ if (!dh->get_shared_secret(dh, &secret))
{
return FALSE;
}
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index d01a831f8..c968b2a9c 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -694,7 +694,13 @@ METHOD(phase1_t, add_nonce_ke, bool,
nonce_gen_t *nonceg;
chunk_t nonce;
- ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh);
+ ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE,
+ this->dh);
+ if (!ke_payload)
+ {
+ DBG1(DBG_IKE, "creating KE payload failed");
+ return FALSE;
+ }
message->add_payload(message, &ke_payload->payload_interface);
nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
@@ -739,7 +745,11 @@ METHOD(phase1_t, get_nonce_ke, bool,
return FALSE;
}
this->dh_value = chunk_clone(ke_payload->get_key_exchange_data(ke_payload));
- this->dh->set_other_public_value(this->dh, this->dh_value);
+ if (!this->dh->set_other_public_value(this->dh, this->dh_value))
+ {
+ DBG1(DBG_IKE, "unable to apply received KE value");
+ return FALSE;
+ }
nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
if (!nonce_payload)
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 0f8e8bc6d..cb22bf606 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -1596,7 +1596,8 @@ static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
child_sa->get_lifetime(child_sa, FALSE))
{
DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
+ child_sa->get_name(child_sa),
+ child_sa->get_unique_id(child_sa));
redundant = TRUE;
break;
}
@@ -1647,6 +1648,8 @@ METHOD(task_manager_t, queue_child_rekey, void,
task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
task->use_reqid(task, child_sa->get_reqid(child_sa));
+ task->use_marks(task, child_sa->get_mark(child_sa, TRUE).value,
+ child_sa->get_mark(child_sa, FALSE).value);
task->rekey(task, child_sa->get_spi(child_sa, TRUE));
queue_task(this, &task->task);
diff --git a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
index bea0428c4..a56805afb 100644
--- a/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/isakmp_delete.c
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2011 Martin Willi
* Copyright (C) 2011 revosec AG
*
@@ -74,6 +77,42 @@ METHOD(task_t, process_i, status_t,
METHOD(task_t, process_r, status_t,
private_isakmp_delete_t *this, message_t *message)
{
+ enumerator_t *payloads;
+ payload_t *payload;
+ delete_payload_t *delete_payload;
+ ike_sa_id_t *id;
+ u_int64_t spi_i, spi_r;
+ bool found = FALSE;
+
+ /* some peers send DELETE payloads for other IKE_SAs, e.g. those for expired
+ * ones after a rekeyeing, make sure the SPIs match */
+ id = this->ike_sa->get_id(this->ike_sa);
+ payloads = message->create_payload_enumerator(message);
+ while (payloads->enumerate(payloads, &payload))
+ {
+ if (payload->get_type(payload) == PLV1_DELETE)
+ {
+ delete_payload = (delete_payload_t*)payload;
+ if (!delete_payload->get_ike_spi(delete_payload, &spi_i, &spi_r))
+ {
+ continue;
+ }
+ if (id->get_initiator_spi(id) == spi_i &&
+ id->get_responder_spi(id) == spi_r)
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ }
+ payloads->destroy(payloads);
+
+ if (!found)
+ {
+ DBG1(DBG_IKE, "received DELETE for different IKE_SA, ignored");
+ return SUCCESS;
+ }
+
DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa));
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 2fb4c6935..3ea4a2a85 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -205,6 +205,43 @@ static status_t send_delete(private_main_mode_t *this)
return ALREADY_DONE;
}
+/**
+ * Add an INITIAL_CONTACT notify if first contact with peer
+ */
+static void add_initial_contact(private_main_mode_t *this, message_t *message,
+ identification_t *idi)
+{
+ identification_t *idr;
+ host_t *host;
+ notify_payload_t *notify;
+ ike_sa_id_t *ike_sa_id;
+ u_int64_t spi_i, spi_r;
+ chunk_t spi;
+
+ idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
+ if (idr && !idr->contains_wildcards(idr))
+ {
+ if (this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+ this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
+ {
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
+ idi, idr, host->get_family(host)))
+ {
+ notify = notify_payload_create_from_protocol_and_type(
+ PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1);
+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+ spi = chunk_cata("cc", chunk_from_thing(spi_i),
+ chunk_from_thing(spi_r));
+ notify->set_spi_data(notify, spi);
+ message->add_payload(message, (payload_t*)notify);
+ }
+ }
+ }
+}
+
METHOD(task_t, build_i, status_t,
private_main_mode_t *this, message_t *message)
{
@@ -311,6 +348,8 @@ METHOD(task_t, build_i, status_t,
return send_notify(this, AUTHENTICATION_FAILED);
}
+ add_initial_contact(this, message, id);
+
this->state = MM_AUTH;
return NEED_MORE;
}
diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c
index 94026b9af..d0994a961 100644
--- a/src/libcharon/sa/ikev1/tasks/mode_config.c
+++ b/src/libcharon/sa/ikev1/tasks/mode_config.c
@@ -16,7 +16,6 @@
#include "mode_config.h"
#include <daemon.h>
-#include <hydra.h>
#include <encoding/payloads/cp_payload.h>
typedef struct private_mode_config_t private_mode_config_t;
@@ -136,9 +135,8 @@ static void handle_attribute(private_mode_config_t *this,
enumerator->destroy(enumerator);
/* and pass it to the handle function */
- handler = hydra->attributes->handle(hydra->attributes,
- this->ike_sa->get_other_id(this->ike_sa), handler,
- ca->get_type(ca), ca->get_chunk(ca));
+ handler = charon->attributes->handle(charon->attributes,
+ this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca));
this->ike_sa->add_configuration_attribute(this->ike_sa,
handler, ca->get_type(ca), ca->get_chunk(ca));
}
@@ -326,9 +324,8 @@ static status_t build_request(private_mode_config_t *this, message_t *message)
enumerator->destroy(enumerator);
}
- enumerator = hydra->attributes->create_initiator_enumerator(
- hydra->attributes,
- this->ike_sa->get_other_id(this->ike_sa), vips);
+ enumerator = charon->attributes->create_initiator_enumerator(
+ charon->attributes, this->ike_sa, vips);
while (enumerator->enumerate(enumerator, &handler, &type, &data))
{
add_attribute(this, cp, type, data, handler);
@@ -353,7 +350,7 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
cp_payload_t *cp;
peer_cfg_t *config;
identification_t *id;
- linked_list_t *pools;
+ linked_list_t *pools, *migrated, *vips;
host_t *any4, *any6, *found;
char *name;
@@ -361,45 +358,62 @@ static status_t build_set(private_mode_config_t *this, message_t *message)
id = this->ike_sa->get_other_eap_id(this->ike_sa);
config = this->ike_sa->get_peer_cfg(this->ike_sa);
- any4 = host_create_any(AF_INET);
- any6 = host_create_any(AF_INET6);
+ /* if we migrated virtual IPs during reauthentication, reassign them */
+ migrated = linked_list_create_from_enumerator(
+ this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
+ FALSE));
+ vips = migrated->clone_offset(migrated, offsetof(host_t, clone));
+ migrated->destroy(migrated);
this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
/* in push mode, we ask each configured pool for an address */
- enumerator = config->create_pool_enumerator(config);
- while (enumerator->enumerate(enumerator, &name))
+ if (!vips->get_count(vips))
{
- pools = linked_list_create_with_items(name, NULL);
- /* try IPv4, then IPv6 */
- found = hydra->attributes->acquire_address(hydra->attributes,
- pools, id, any4);
- if (!found)
- {
- found = hydra->attributes->acquire_address(hydra->attributes,
- pools, id, any6);
- }
- pools->destroy(pools);
- if (found)
+ any4 = host_create_any(AF_INET);
+ any6 = host_create_any(AF_INET6);
+ enumerator = config->create_pool_enumerator(config);
+ while (enumerator->enumerate(enumerator, &name))
{
- DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
- this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
- cp->add_attribute(cp, build_vip(found));
- this->vips->insert_last(this->vips, found);
+ pools = linked_list_create_with_items(name, NULL);
+ /* try IPv4, then IPv6 */
+ found = charon->attributes->acquire_address(charon->attributes,
+ pools, this->ike_sa, any4);
+ if (!found)
+ {
+ found = charon->attributes->acquire_address(charon->attributes,
+ pools, this->ike_sa, any6);
+ }
+ pools->destroy(pools);
+ if (found)
+ {
+ vips->insert_last(vips, found);
+ }
}
+ enumerator->destroy(enumerator);
+ any4->destroy(any4);
+ any6->destroy(any6);
}
- enumerator->destroy(enumerator);
- any4->destroy(any4);
- any6->destroy(any6);
+ enumerator = vips->create_enumerator(vips);
+ while (enumerator->enumerate(enumerator, &found))
+ {
+ DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
+ this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
+ cp->add_attribute(cp, build_vip(found));
+ this->vips->insert_last(this->vips, found);
+ vips->remove_at(vips, enumerator);
+ }
+ enumerator->destroy(enumerator);
+ vips->destroy(vips);
charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
/* query registered providers for additional attributes to include */
pools = linked_list_create_from_enumerator(
config->create_pool_enumerator(config));
- enumerator = hydra->attributes->create_responder_enumerator(
- hydra->attributes, pools, id, this->vips);
+ enumerator = charon->attributes->create_responder_enumerator(
+ charon->attributes, pools, this->ike_sa, this->vips);
while (enumerator->enumerate(enumerator, &type, &value))
{
add_attribute(this, cp, type, value, NULL);
@@ -458,6 +472,28 @@ METHOD(task_t, process_r, status_t,
}
/**
+ * Assign a migrated virtual IP
+ */
+static host_t *assign_migrated_vip(linked_list_t *migrated, host_t *requested)
+{
+ enumerator_t *enumerator;
+ host_t *found = NULL, *vip;
+
+ enumerator = migrated->create_enumerator(migrated);
+ while (enumerator->enumerate(enumerator, &vip))
+ {
+ if (vip->ip_equals(vip, requested))
+ {
+ migrated->remove_at(migrated, enumerator);
+ found = vip;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
+/**
* Build CFG_REPLY message after receiving CFG_REQUEST
*/
static status_t build_reply(private_mode_config_t *this, message_t *message)
@@ -468,29 +504,35 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
cp_payload_t *cp;
peer_cfg_t *config;
identification_t *id;
- linked_list_t *vips, *pools;
- host_t *requested;
+ linked_list_t *vips, *pools, *migrated;
+ host_t *requested, *found;
cp = cp_payload_create_type(PLV1_CONFIGURATION, CFG_REPLY);
id = this->ike_sa->get_other_eap_id(this->ike_sa);
config = this->ike_sa->get_peer_cfg(this->ike_sa);
- vips = linked_list_create();
pools = linked_list_create_from_enumerator(
config->create_pool_enumerator(config));
-
+ /* if we migrated virtual IPs during reauthentication, reassign them */
+ vips = linked_list_create_from_enumerator(
+ this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
+ FALSE));
+ migrated = vips->clone_offset(vips, offsetof(host_t, clone));
+ vips->destroy(vips);
this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
+ vips = linked_list_create();
enumerator = this->vips->create_enumerator(this->vips);
while (enumerator->enumerate(enumerator, &requested))
{
- host_t *found = NULL;
-
- /* query all pools until we get an address */
DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
- found = hydra->attributes->acquire_address(hydra->attributes,
- pools, id, requested);
+ found = assign_migrated_vip(migrated, requested);
+ if (!found)
+ {
+ found = charon->attributes->acquire_address(charon->attributes,
+ pools, this->ike_sa, requested);
+ }
if (found)
{
DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
@@ -509,8 +551,8 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE);
/* query registered providers for additional attributes to include */
- enumerator = hydra->attributes->create_responder_enumerator(
- hydra->attributes, pools, id, vips);
+ enumerator = charon->attributes->create_responder_enumerator(
+ charon->attributes, pools, this->ike_sa, vips);
while (enumerator->enumerate(enumerator, &type, &value))
{
cp->add_attribute(cp,
@@ -518,6 +560,15 @@ static status_t build_reply(private_mode_config_t *this, message_t *message)
type, value));
}
enumerator->destroy(enumerator);
+ /* if a client did not re-request all adresses, release them */
+ enumerator = migrated->create_enumerator(migrated);
+ while (enumerator->enumerate(enumerator, &found))
+ {
+ charon->attributes->release_address(charon->attributes,
+ pools, found, this->ike_sa);
+ }
+ enumerator->destroy(enumerator);
+ migrated->destroy_offset(migrated, offsetof(host_t, destroy));
vips->destroy_offset(vips, offsetof(host_t, destroy));
pools->destroy(pools);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_delete.c b/src/libcharon/sa/ikev1/tasks/quick_delete.c
index 499081caa..1b95a8b11 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_delete.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_delete.c
@@ -105,7 +105,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
this->spi = spi = child_sa->get_spi(child_sa, TRUE);
}
- rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYING;
+ rekeyed = child_sa->get_state(child_sa) == CHILD_REKEYED;
child_sa->set_state(child_sa, CHILD_DELETING);
my_ts = linked_list_create_from_enumerator(
@@ -116,7 +116,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
{
DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
ntohl(child_sa->get_spi(child_sa, TRUE)),
ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
}
@@ -127,7 +127,7 @@ static bool delete_child(private_quick_delete_t *this, protocol_id_t protocol,
DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs "
"%.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
my_ts, other_ts);
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 1133aab65..96edfd8d8 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -156,6 +156,16 @@ struct private_quick_mode_t {
u_int32_t reqid;
/**
+ * Explicit inbound mark value to use, if any
+ */
+ u_int mark_in;
+
+ /**
+ * Explicit inbound mark value to use, if any
+ */
+ u_int mark_out;
+
+ /**
* SPI of SA we rekey
*/
u_int32_t rekey;
@@ -196,8 +206,8 @@ static void schedule_inactivity_timeout(private_quick_mode_t *this)
close_ike = lib->settings->get_bool(lib->settings,
"%s.inactivity_close_ike", FALSE, lib->ns);
lib->scheduler->schedule_job(lib->scheduler, (job_t*)
- inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
- timeout, close_ike), timeout);
+ inactivity_job_create(this->child_sa->get_unique_id(this->child_sa),
+ timeout, close_ike), timeout);
}
}
@@ -375,7 +385,7 @@ static bool install(private_quick_mode_t *this)
DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
this->child_sa->get_name(this->child_sa),
- this->child_sa->get_reqid(this->child_sa),
+ this->child_sa->get_unique_id(this->child_sa),
ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
@@ -391,15 +401,14 @@ static bool install(private_quick_mode_t *this)
if (old)
{
charon->bus->child_rekey(charon->bus, old, this->child_sa);
+ /* rekeyed CHILD_SAs stay installed until they expire */
+ old->set_state(old, CHILD_REKEYED);
}
else
{
charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
}
- if (!this->rekey)
- {
- schedule_inactivity_timeout(this);
- }
+ schedule_inactivity_timeout(this);
this->child_sa = NULL;
return TRUE;
}
@@ -456,12 +465,19 @@ static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce,
/**
* Add KE payload to message
*/
-static void add_ke(private_quick_mode_t *this, message_t *message)
+static bool add_ke(private_quick_mode_t *this, message_t *message)
{
ke_payload_t *ke_payload;
- ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE, this->dh);
+ ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE,
+ this->dh);
+ if (!ke_payload)
+ {
+ DBG1(DBG_IKE, "creating KE payload failed");
+ return FALSE;
+ }
message->add_payload(message, &ke_payload->payload_interface);
+ return TRUE;
}
/**
@@ -477,8 +493,12 @@ static bool get_ke(private_quick_mode_t *this, message_t *message)
DBG1(DBG_IKE, "KE payload missing");
return FALSE;
}
- this->dh->set_other_public_value(this->dh,
- ke_payload->get_key_exchange_data(ke_payload));
+ if (!this->dh->set_other_public_value(this->dh,
+ ke_payload->get_key_exchange_data(ke_payload)))
+ {
+ DBG1(DBG_IKE, "unable to apply received KE value");
+ return FALSE;
+ }
return TRUE;
}
@@ -788,7 +808,8 @@ METHOD(task_t, build_i, status_t,
this->child_sa = child_sa_create(
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
- this->config, this->reqid, this->udp);
+ this->config, this->reqid, this->udp,
+ this->mark_in, this->mark_out);
if (this->udp && this->mode == MODE_TRANSPORT)
{
@@ -870,7 +891,10 @@ METHOD(task_t, build_i, status_t,
}
if (group != MODP_NONE)
{
- add_ke(this, message);
+ if (!add_ke(this, message))
+ {
+ return FAILED;
+ }
}
if (!this->tsi)
{
@@ -964,6 +988,7 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
{
case CHILD_INSTALLED:
case CHILD_REKEYING:
+ case CHILD_REKEYED:
policies = child_sa->create_policy_enumerator(child_sa);
if (policies->enumerate(policies, &local, &remote) &&
local->equals(local, this->tsr) &&
@@ -972,9 +997,14 @@ static void check_for_rekeyed_child(private_quick_mode_t *this)
{
this->reqid = child_sa->get_reqid(child_sa);
this->rekey = child_sa->get_spi(child_sa, TRUE);
+ this->mark_in = child_sa->get_mark(child_sa,
+ TRUE).value;
+ this->mark_out = child_sa->get_mark(child_sa,
+ FALSE).value;
child_sa->set_state(child_sa, CHILD_REKEYING);
DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
- child_sa->get_name(child_sa), this->reqid);
+ child_sa->get_name(child_sa),
+ child_sa->get_unique_id(child_sa));
}
policies->destroy(policies);
break;
@@ -1097,7 +1127,8 @@ METHOD(task_t, process_r, status_t,
this->child_sa = child_sa_create(
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
- this->config, this->reqid, this->udp);
+ this->config, this->reqid, this->udp,
+ this->mark_in, this->mark_out);
tsi = linked_list_create_with_items(this->tsi, NULL);
tsr = linked_list_create_with_items(this->tsr, NULL);
@@ -1202,7 +1233,10 @@ METHOD(task_t, build_r, status_t,
}
if (this->dh)
{
- add_ke(this, message);
+ if (!add_ke(this, message))
+ {
+ return FAILED;
+ }
}
add_ts(this, message);
@@ -1307,6 +1341,13 @@ METHOD(quick_mode_t, use_reqid, void,
this->reqid = reqid;
}
+METHOD(quick_mode_t, use_marks, void,
+ private_quick_mode_t *this, u_int in, u_int out)
+{
+ this->mark_in = in;
+ this->mark_out = out;
+}
+
METHOD(quick_mode_t, rekey, void,
private_quick_mode_t *this, u_int32_t spi)
{
@@ -1334,6 +1375,8 @@ METHOD(task_t, migrate, void,
this->dh = NULL;
this->spi_i = 0;
this->spi_r = 0;
+ this->mark_in = 0;
+ this->mark_out = 0;
if (!this->initiator)
{
@@ -1372,6 +1415,7 @@ quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
.destroy = _destroy,
},
.use_reqid = _use_reqid,
+ .use_marks = _use_marks,
.rekey = _rekey,
},
.ike_sa = ike_sa,
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.h b/src/libcharon/sa/ikev1/tasks/quick_mode.h
index 0b80cb836..ee9b64d13 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.h
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.h
@@ -45,6 +45,14 @@ struct quick_mode_t {
void (*use_reqid)(quick_mode_t *this, u_int32_t reqid);
/**
+ * Use specific mark values, overriding configuration.
+ *
+ * @param in inbound mark value
+ * @param out outbound mark value
+ */
+ void (*use_marks)(quick_mode_t *this, u_int in, u_int out);
+
+ /**
* Set the SPI of the old SA, if rekeying.
*
* @param spi spi of SA to rekey
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index eed6d1996..ebef31930 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -522,6 +522,13 @@ METHOD(authenticator_t, process_server, status_t,
{
return FAILED;
}
+ if (this->method->get_auth)
+ {
+ auth_cfg_t *auth;
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ auth->merge(auth, this->method->get_auth(this->method), FALSE);
+ }
return NEED_MORE;
}
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 6fb14bc06..151b49718 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -20,6 +20,9 @@
#include <daemon.h>
#include <encoding/payloads/auth_payload.h>
#include <sa/ikev2/keymat_v2.h>
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+#include <collections/array.h>
typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
@@ -52,83 +55,303 @@ struct private_pubkey_authenticator_t {
* Reserved bytes of ID payload
*/
char reserved[3];
+
+ /**
+ * Whether to store signature schemes on remote auth configs.
+ */
+ bool store_signature_scheme;
};
-METHOD(authenticator_t, build, status_t,
- private_pubkey_authenticator_t *this, message_t *message)
+/**
+ * Parse authentication data used for Signature Authentication as per RFC 7427
+ */
+static bool parse_signature_auth_data(chunk_t *auth_data, key_type_t *key_type,
+ signature_scheme_t *scheme)
{
- chunk_t octets = chunk_empty, auth_data;
- status_t status = FAILED;
- private_key_t *private;
- identification_t *id;
- auth_cfg_t *auth;
- auth_payload_t *auth_payload;
- auth_method_t auth_method;
+ u_int8_t len;
+ int oid;
+
+ if (!auth_data->len)
+ {
+ return FALSE;
+ }
+ len = auth_data->ptr[0];
+ *auth_data = chunk_skip(*auth_data, 1);
+ /* we currently don't support schemes that require parameters */
+ oid = asn1_parse_algorithmIdentifier(*auth_data, 1, NULL);
+ *scheme = signature_scheme_from_oid(oid);
+ if (*scheme == SIGN_UNKNOWN)
+ {
+ return FALSE;
+ }
+ *key_type = key_type_from_signature_scheme(*scheme);
+ *auth_data = chunk_skip(*auth_data, len);
+ return TRUE;
+}
+
+/**
+ * Build authentication data used for Signature Authentication as per RFC 7427
+ */
+static bool build_signature_auth_data(chunk_t *auth_data,
+ signature_scheme_t scheme)
+{
+ chunk_t data;
+ u_int8_t len;
+ int oid;
+
+ oid = signature_scheme_to_oid(scheme);
+ if (oid == OID_UNKNOWN)
+ {
+ return FALSE;
+ }
+ data = asn1_algorithmIdentifier(oid);
+ len = data.len;
+ *auth_data = chunk_cat("cmm", chunk_from_thing(len), data, *auth_data);
+ return TRUE;
+}
+
+/**
+ * Selects possible signature schemes based on our configuration, the other
+ * peer's capabilities and the private key
+ */
+static array_t *select_signature_schemes(keymat_v2_t *keymat,
+ auth_cfg_t *auth, private_key_t *private)
+{
+ enumerator_t *enumerator;
signature_scheme_t scheme;
+ uintptr_t config;
+ auth_rule_t rule;
+ key_type_t key_type;
+ bool have_config = FALSE;
+ array_t *selected;
+
+ selected = array_create(sizeof(signature_scheme_t), 0);
+ key_type = private->get_type(private);
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &config))
+ {
+ if (rule != AUTH_RULE_SIGNATURE_SCHEME)
+ {
+ continue;
+ }
+ have_config = TRUE;
+ if (key_type == key_type_from_signature_scheme(config) &&
+ keymat->hash_algorithm_supported(keymat,
+ hasher_from_signature_scheme(config)))
+ {
+ scheme = config;
+ array_insert(selected, ARRAY_TAIL, &scheme);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!have_config)
+ {
+ /* if no specific configuration, find schemes appropriate for the key
+ * and supported by the other peer */
+ enumerator = signature_schemes_for_key(key_type,
+ private->get_keysize(private));
+ while (enumerator->enumerate(enumerator, &scheme))
+ {
+ if (keymat->hash_algorithm_supported(keymat,
+ hasher_from_signature_scheme(scheme)))
+ {
+ array_insert(selected, ARRAY_TAIL, &scheme);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* for RSA we tried at least SHA-512, also try other schemes down to
+ * what we'd use with classic authentication */
+ if (key_type == KEY_RSA)
+ {
+ signature_scheme_t schemes[] = {
+ SIGN_RSA_EMSA_PKCS1_SHA384,
+ SIGN_RSA_EMSA_PKCS1_SHA256,
+ SIGN_RSA_EMSA_PKCS1_SHA1,
+ }, contained;
+ bool found;
+ int i, j;
+
+ for (i = 0; i < countof(schemes); i++)
+ {
+ scheme = schemes[i];
+ found = FALSE;
+ for (j = 0; j < array_count(selected); j++)
+ {
+ array_get(selected, j, &contained);
+ if (scheme == contained)
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ if (!found && keymat->hash_algorithm_supported(keymat,
+ hasher_from_signature_scheme(scheme)))
+ {
+ array_insert(selected, ARRAY_TAIL, &scheme);
+ }
+ }
+ }
+ }
+ return selected;
+}
+
+/**
+ * Create a signature using RFC 7427 signature authentication
+ */
+static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
+ auth_cfg_t *auth, private_key_t *private,
+ identification_t *id, chunk_t *auth_data)
+{
+ enumerator_t *enumerator;
keymat_v2_t *keymat;
+ signature_scheme_t scheme = SIGN_UNKNOWN, *schemep;
+ array_t *schemes;
+ chunk_t octets = chunk_empty;
+ status_t status = FAILED;
- id = this->ike_sa->get_my_id(this->ike_sa);
- auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
- private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
- if (private == NULL)
+ keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+ schemes = select_signature_schemes(keymat, auth, private);
+ if (!array_count(schemes))
{
- DBG1(DBG_IKE, "no private key found for '%Y'", id);
- return NOT_FOUND;
+ DBG1(DBG_IKE, "no common hash algorithm found to create signature "
+ "with %N key", key_type_names, private->get_type(private));
+ array_destroy(schemes);
+ return FAILED;
}
+ if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+ this->nonce, id, this->reserved, &octets))
+ {
+ enumerator = array_create_enumerator(schemes);
+ while (enumerator->enumerate(enumerator, &schemep))
+ {
+ scheme = *schemep;
+ if (private->sign(private, scheme, octets, auth_data) &&
+ build_signature_auth_data(auth_data, scheme))
+ {
+ status = SUCCESS;
+ break;
+ }
+ else
+ {
+ DBG2(DBG_IKE, "unable to create %N signature for %N key",
+ signature_scheme_names, scheme, key_type_names,
+ private->get_type(private));
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
+ signature_scheme_names, scheme,
+ status == SUCCESS ? "successful" : "failed");
+ array_destroy(schemes);
+ chunk_free(&octets);
+ return status;
+}
+
+/**
+ * Create a classic IKEv2 signature
+ */
+static status_t sign_classic(private_pubkey_authenticator_t *this,
+ auth_cfg_t *auth, private_key_t *private,
+ identification_t *id, auth_method_t *auth_method,
+ chunk_t *auth_data)
+{
+ signature_scheme_t scheme;
+ keymat_v2_t *keymat;
+ chunk_t octets = chunk_empty;
+ status_t status = FAILED;
+
switch (private->get_type(private))
{
case KEY_RSA:
- /* we currently use always SHA1 for signatures,
- * TODO: support other hashes depending on configuration/auth */
scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- auth_method = AUTH_RSA;
+ *auth_method = AUTH_RSA;
break;
case KEY_ECDSA:
- /* we try to deduct the signature scheme from the keysize */
+ /* deduct the signature scheme from the keysize */
switch (private->get_keysize(private))
{
case 256:
scheme = SIGN_ECDSA_256;
- auth_method = AUTH_ECDSA_256;
+ *auth_method = AUTH_ECDSA_256;
break;
case 384:
scheme = SIGN_ECDSA_384;
- auth_method = AUTH_ECDSA_384;
+ *auth_method = AUTH_ECDSA_384;
break;
case 521:
scheme = SIGN_ECDSA_521;
- auth_method = AUTH_ECDSA_521;
+ *auth_method = AUTH_ECDSA_521;
break;
default:
DBG1(DBG_IKE, "%d bit ECDSA private key size not supported",
- private->get_keysize(private));
- return status;
+ private->get_keysize(private));
+ return FAILED;
}
break;
default:
DBG1(DBG_IKE, "private key of type %N not supported",
- key_type_names, private->get_type(private));
- return status;
+ key_type_names, private->get_type(private));
+ return FAILED;
}
+
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
this->nonce, id, this->reserved, &octets) &&
- private->sign(private, scheme, octets, &auth_data))
+ private->sign(private, scheme, octets, auth_data))
{
- auth_payload = auth_payload_create();
- auth_payload->set_auth_method(auth_payload, auth_method);
- auth_payload->set_data(auth_payload, auth_data);
- chunk_free(&auth_data);
- message->add_payload(message, (payload_t*)auth_payload);
status = SUCCESS;
}
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
- auth_method_names, auth_method,
- (status == SUCCESS)? "successful":"failed");
+ auth_method_names, *auth_method,
+ status == SUCCESS ? "successful" : "failed");
chunk_free(&octets);
+ return status;
+}
+
+METHOD(authenticator_t, build, status_t,
+ private_pubkey_authenticator_t *this, message_t *message)
+{
+ private_key_t *private;
+ identification_t *id;
+ auth_cfg_t *auth;
+ chunk_t auth_data;
+ status_t status;
+ auth_payload_t *auth_payload;
+ auth_method_t auth_method;
+
+ id = this->ike_sa->get_my_id(this->ike_sa);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth);
+ if (!private)
+ {
+ DBG1(DBG_IKE, "no private key found for '%Y'", id);
+ return NOT_FOUND;
+ }
+
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_SIGNATURE_AUTH))
+ {
+ auth_method = AUTH_DS;
+ status = sign_signature_auth(this, auth, private, id, &auth_data);
+ }
+ else
+ {
+ status = sign_classic(this, auth, private, id, &auth_method,
+ &auth_data);
+ }
private->destroy(private);
+ if (status == SUCCESS)
+ {
+ auth_payload = auth_payload_create();
+ auth_payload->set_auth_method(auth_payload, auth_method);
+ auth_payload->set_data(auth_payload, auth_data);
+ chunk_free(&auth_data);
+ message->add_payload(message, (payload_t*)auth_payload);
+ }
return status;
}
@@ -153,11 +376,10 @@ METHOD(authenticator_t, process, status_t,
return FAILED;
}
auth_method = auth_payload->get_auth_method(auth_payload);
+ auth_data = auth_payload->get_data(auth_payload);
switch (auth_method)
{
case AUTH_RSA:
- /* We currently accept SHA1 signatures only
- * TODO: allow other hash algorithms and note it in "auth" */
key_type = KEY_RSA;
scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
break;
@@ -170,10 +392,15 @@ METHOD(authenticator_t, process, status_t,
case AUTH_ECDSA_521:
scheme = SIGN_ECDSA_521;
break;
+ case AUTH_DS:
+ if (parse_signature_auth_data(&auth_data, &key_type, &scheme))
+ {
+ break;
+ }
+ /* fall-through */
default:
return INVALID_ARG;
}
- auth_data = auth_payload->get_data(auth_payload);
id = this->ike_sa->get_other_id(this->ike_sa);
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
@@ -188,11 +415,16 @@ METHOD(authenticator_t, process, status_t,
{
if (public->verify(public, scheme, octets, auth_data))
{
- DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
- id, auth_method_names, auth_method);
+ DBG1(DBG_IKE, "authentication of '%Y' with %N successful", id,
+ auth_method == AUTH_DS ? signature_scheme_names : auth_method_names,
+ auth_method == AUTH_DS ? scheme : auth_method);
status = SUCCESS;
auth->merge(auth, current_auth, FALSE);
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ if (this->store_signature_scheme)
+ {
+ auth->add(auth, AUTH_RULE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+ }
break;
}
else
@@ -265,6 +497,8 @@ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
.ike_sa = ike_sa,
.ike_sa_init = received_init,
.nonce = sent_nonce,
+ .store_signature_scheme = lib->settings->get_bool(lib->settings,
+ "%s.signature_authentication_constraints", TRUE, lib->ns),
);
memcpy(this->reserved, reserved, sizeof(this->reserved));
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 88ad14faf..f70f5cfed 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -17,6 +18,7 @@
#include <daemon.h>
#include <crypto/prf_plus.h>
+#include <crypto/hashers/hash_algorithm_set.h>
typedef struct private_keymat_v2_t private_keymat_v2_t;
@@ -69,6 +71,11 @@ struct private_keymat_v2_t {
* Key to verify incoming authentication data (SKp)
*/
chunk_t skp_verify;
+
+ /**
+ * Set of hash algorithms supported by peer for signature authentication
+ */
+ hash_algorithm_set_t *hash_algorithms;
};
METHOD(keymat_t, get_version, ike_version_t,
@@ -293,7 +300,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
spi_i = chunk_alloca(sizeof(u_int64_t));
spi_r = chunk_alloca(sizeof(u_int64_t));
- if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+ if (!dh->get_shared_secret(dh, &secret))
{
return FALSE;
}
@@ -547,7 +554,7 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
if (dh)
{
- if (dh->get_shared_secret(dh, &secret) != SUCCESS)
+ if (!dh->get_shared_secret(dh, &secret))
{
return FALSE;
}
@@ -676,6 +683,26 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
return TRUE;
}
+METHOD(keymat_v2_t, hash_algorithm_supported, bool,
+ private_keymat_v2_t *this, hash_algorithm_t hash)
+{
+ if (!this->hash_algorithms)
+ {
+ return FALSE;
+ }
+ return this->hash_algorithms->contains(this->hash_algorithms, hash);
+}
+
+METHOD(keymat_v2_t, add_hash_algorithm, void,
+ private_keymat_v2_t *this, hash_algorithm_t hash)
+{
+ if (!this->hash_algorithms)
+ {
+ this->hash_algorithms = hash_algorithm_set_create();
+ }
+ this->hash_algorithms->add(this->hash_algorithms, hash);
+}
+
METHOD(keymat_t, destroy, void,
private_keymat_v2_t *this)
{
@@ -685,6 +712,7 @@ METHOD(keymat_t, destroy, void,
chunk_clear(&this->skd);
chunk_clear(&this->skp_verify);
chunk_clear(&this->skp_build);
+ DESTROY_IF(this->hash_algorithms);
free(this);
}
@@ -709,6 +737,9 @@ keymat_v2_t *keymat_v2_create(bool initiator)
.get_skd = _get_skd,
.get_auth_octets = _get_auth_octets,
.get_psk_sig = _get_psk_sig,
+ .add_hash_algorithm = _add_hash_algorithm,
+ .hash_algorithm_supported = _hash_algorithm_supported,
+
},
.initiator = initiator,
.prf_alg = PRF_UNDEFINED,
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
index 04432f05b..927b62b03 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.h
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -124,6 +124,22 @@ struct keymat_v2_t {
bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t secret,
identification_t *id, char reserved[3], chunk_t *sig);
+
+ /**
+ * Add a hash algorithm supported by the peer for signature authentication.
+ *
+ * @param hash hash algorithm
+ */
+ void (*add_hash_algorithm)(keymat_v2_t *this, hash_algorithm_t hash);
+
+ /**
+ * Check if a given hash algorithm is supported by the peer for signature
+ * authentication.
+ *
+ * @param hash hash algorithm
+ * @return TRUE if supported, FALSE otherwise
+ */
+ bool (*hash_algorithm_supported)(keymat_v2_t *this, hash_algorithm_t hash);
};
/**
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index eb7df3516..298167703 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -29,6 +29,7 @@
#include <sa/ikev2/tasks/ike_cert_post.h>
#include <sa/ikev2/tasks/ike_rekey.h>
#include <sa/ikev2/tasks/ike_reauth.h>
+#include <sa/ikev2/tasks/ike_reauth_complete.h>
#include <sa/ikev2/tasks/ike_delete.h>
#include <sa/ikev2/tasks/ike_config.h>
#include <sa/ikev2/tasks/ike_dpd.h>
@@ -171,6 +172,11 @@ struct private_task_manager_t {
* Base to calculate retransmission timeout
*/
double retransmit_base;
+
+ /**
+ * Use make-before-break instead of break-before-make reauth?
+ */
+ bool make_before_break;
};
/**
@@ -510,6 +516,11 @@ METHOD(task_manager_t, initiate, status_t,
break;
}
#endif /* ME */
+ if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
+ {
+ exchange = INFORMATIONAL;
+ break;
+ }
case IKE_REKEYING:
if (activate_task(this, TASK_IKE_DELETE))
{
@@ -604,6 +615,11 @@ METHOD(task_manager_t, initiate, status_t,
/* update exchange type if a task changed it */
this->initiating.type = message->get_exchange_type(message);
+ if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
+ {
+ message->destroy(message);
+ return SUCCESS;
+ }
if (!generate_message(this, message, &this->initiating.packets))
{
@@ -1170,7 +1186,7 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
{
unknown = (unknown_payload_t*)payload;
type = payload->get_type(payload);
- if (!payload_is_known(type) &&
+ if (!payload_is_known(type, msg->get_major_version(msg)) &&
unknown->is_critical(unknown))
{
DBG1(DBG_ENC, "payload type %N is not supported, "
@@ -1288,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
{
if (mid == this->responding.mid)
{
- /* reject initial messages once established */
- if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
- msg->get_exchange_type(msg) == IKE_AUTH)
+ /* reject initial messages if not received in specific states */
+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
+ (msg->get_exchange_type(msg) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
{
- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
- {
- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
- exchange_type_names, msg->get_exchange_type(msg));
- return FAILED;
- }
+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
+ exchange_type_names, msg->get_exchange_type(msg),
+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
+ return FAILED;
}
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
{ /* with MOBIKE, we do no implicit updates */
@@ -1339,10 +1354,6 @@ METHOD(task_manager_t, process_message, status_t,
{
DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
mid, this->responding.mid);
- if (msg->get_exchange_type(msg) == IKE_SA_INIT)
- { /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
- return DESTROY_ME;
- }
}
}
else
@@ -1505,9 +1516,79 @@ METHOD(task_manager_t, queue_ike_rekey, void,
queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
}
+/**
+ * Start reauthentication using make-before-break
+ */
+static void trigger_mbb_reauth(private_task_manager_t *this)
+{
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+ child_cfg_t *cfg;
+ ike_sa_t *new;
+ host_t *host;
+ task_t *task;
+
+ new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+ this->ike_sa->get_version(this->ike_sa), TRUE);
+ if (!new)
+ { /* shouldn't happen */
+ return;
+ }
+
+ new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ new->set_other_host(new, host->clone(host));
+ host = this->ike_sa->get_my_host(this->ike_sa);
+ new->set_my_host(new, host->clone(host));
+ enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ new->add_virtual_ip(new, TRUE, host);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+ while (enumerator->enumerate(enumerator, &child_sa))
+ {
+ cfg = child_sa->get_config(child_sa);
+ new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
+ FALSE, NULL, NULL)->task);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = array_create_enumerator(this->queued_tasks);
+ while (enumerator->enumerate(enumerator, &task))
+ {
+ if (task->get_type(task) == TASK_CHILD_CREATE)
+ {
+ task->migrate(task, new);
+ new->queue_task(new, task);
+ array_remove_at(this->queued_tasks, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
+ {
+ new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
+ this->ike_sa->get_id(this->ike_sa)));
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
+ DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
+ }
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+}
+
METHOD(task_manager_t, queue_ike_reauth, void,
private_task_manager_t *this)
{
+ if (this->make_before_break)
+ {
+ return trigger_mbb_reauth(this);
+ }
queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
}
@@ -1773,6 +1854,8 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
.retransmit_base = lib->settings->get_double(lib->settings,
"%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
+ .make_before_break = lib->settings->get_bool(lib->settings,
+ "%s.make_before_break", FALSE, lib->ns),
);
return &this->public;
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
index a1f01c276..6d9132a68 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.c
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -105,6 +105,11 @@ struct private_child_create_t {
diffie_hellman_t *dh;
/**
+ * Applying DH public value failed?
+ */
+ bool dh_failed;
+
+ /**
* group used for DH exchange
*/
diffie_hellman_group_t dh_group;
@@ -160,6 +165,16 @@ struct private_child_create_t {
u_int32_t reqid;
/**
+ * Explicit inbound mark value
+ */
+ u_int mark_in;
+
+ /**
+ * Explicit outbound mark value
+ */
+ u_int mark_out;
+
+ /**
* CHILD_SA which gets established
*/
child_sa_t *child_sa;
@@ -286,7 +301,7 @@ static bool allocate_spi(private_child_create_t *this)
*/
static void schedule_inactivity_timeout(private_child_create_t *this)
{
- u_int32_t timeout;
+ u_int32_t timeout, id;
bool close_ike;
timeout = this->config->get_inactivity(this->config);
@@ -294,9 +309,9 @@ static void schedule_inactivity_timeout(private_child_create_t *this)
{
close_ike = lib->settings->get_bool(lib->settings,
"%s.inactivity_close_ike", FALSE, lib->ns);
+ id = this->child_sa->get_unique_id(this->child_sa);
lib->scheduler->schedule_job(lib->scheduler, (job_t*)
- inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
- timeout, close_ike), timeout);
+ inactivity_job_create(id, timeout, close_ike), timeout);
}
}
@@ -683,10 +698,7 @@ static status_t select_and_install(private_child_create_t *this,
this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
this->established = TRUE;
- if (!this->rekey)
- { /* a rekeyed SA uses the same reqid, no need for a new job */
- schedule_inactivity_timeout(this);
- }
+ schedule_inactivity_timeout(this);
my_ts = linked_list_create_from_enumerator(
this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
@@ -696,7 +708,7 @@ static status_t select_and_install(private_child_create_t *this,
DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
this->child_sa->get_name(this->child_sa),
- this->child_sa->get_reqid(this->child_sa),
+ this->child_sa->get_unique_id(this->child_sa),
ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
@@ -709,7 +721,7 @@ static status_t select_and_install(private_child_create_t *this,
/**
* build the payloads for the message
*/
-static void build_payloads(private_child_create_t *this, message_t *message)
+static bool build_payloads(private_child_create_t *this, message_t *message)
{
sa_payload_t *sa_payload;
nonce_payload_t *nonce_payload;
@@ -741,6 +753,11 @@ static void build_payloads(private_child_create_t *this, message_t *message)
{
ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE,
this->dh);
+ if (!ke_payload)
+ {
+ DBG1(DBG_IKE, "creating KE payload failed");
+ return FALSE;
+ }
message->add_payload(message, (payload_t*)ke_payload);
}
@@ -769,6 +786,7 @@ static void build_payloads(private_child_create_t *this, message_t *message)
message->add_notify(message, FALSE, ESP_TFC_PADDING_NOT_SUPPORTED,
chunk_empty);
}
+ return TRUE;
}
/**
@@ -880,7 +898,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
}
if (this->dh)
{
- this->dh->set_other_public_value(this->dh,
+ this->dh_failed = !this->dh->set_other_public_value(this->dh,
ke_payload->get_key_exchange_data(ke_payload));
}
break;
@@ -996,7 +1014,8 @@ METHOD(task_t, build_i, status_t,
this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
- this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY),
+ this->mark_in, this->mark_out);
if (!allocate_spi(this))
{
@@ -1027,7 +1046,10 @@ METHOD(task_t, build_i, status_t,
NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
}
- build_payloads(this, message);
+ if (!build_payloads(this, message))
+ {
+ return FAILED;
+ }
this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
@@ -1168,12 +1190,19 @@ METHOD(task_t, build_r, status_t,
case IKE_SA_INIT:
return get_nonce(message, &this->my_nonce);
case CREATE_CHILD_SA:
- if (generate_nonce(this) != SUCCESS)
+ if (generate_nonce(this) != SUCCESS )
{
message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
chunk_empty);
return SUCCESS;
}
+ if (this->dh_failed)
+ {
+ DBG1(DBG_IKE, "applying DH public value failed");
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
+ chunk_empty);
+ return SUCCESS;
+ }
no_dh = FALSE;
break;
case IKE_AUTH:
@@ -1241,7 +1270,8 @@ METHOD(task_t, build_r, status_t,
this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
- this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY),
+ this->mark_in, this->mark_out);
if (this->ipcomp_received != IPCOMP_NONE)
{
@@ -1279,7 +1309,12 @@ METHOD(task_t, build_r, status_t,
return SUCCESS;
}
- build_payloads(this, message);
+ if (!build_payloads(this, message))
+ {
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
if (!this->rekey)
{ /* invoke the child_up() hook if we are not rekeying */
@@ -1408,6 +1443,7 @@ METHOD(task_t, process_i, status_t,
this->dh_group, diffie_hellman_group_names, group);
this->retry = TRUE;
this->dh_group = group;
+ this->child_sa->set_state(this->child_sa, CHILD_RETRYING);
this->public.task.migrate(&this->public.task, this->ike_sa);
enumerator->destroy(enumerator);
return NEED_MORE;
@@ -1456,6 +1492,13 @@ METHOD(task_t, process_i, status_t,
return delete_failed_sa(this);
}
+ if (this->dh_failed)
+ {
+ DBG1(DBG_IKE, "applying DH public value failed");
+ handle_child_sa_failure(this, message);
+ return delete_failed_sa(this);
+ }
+
if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
{
if (!this->rekey)
@@ -1477,6 +1520,13 @@ METHOD(child_create_t, use_reqid, void,
this->reqid = reqid;
}
+METHOD(child_create_t, use_marks, void,
+ private_child_create_t *this, u_int in, u_int out)
+{
+ this->mark_in = in;
+ this->mark_out = out;
+}
+
METHOD(child_create_t, get_child, child_sa_t*,
private_child_create_t *this)
{
@@ -1526,6 +1576,7 @@ METHOD(task_t, migrate, void,
DESTROY_IF(this->child_sa);
DESTROY_IF(this->proposal);
DESTROY_IF(this->dh);
+ this->dh_failed = FALSE;
if (this->proposals)
{
this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
@@ -1544,6 +1595,8 @@ METHOD(task_t, migrate, void,
this->ipcomp_received = IPCOMP_NONE;
this->other_cpi = 0;
this->reqid = 0;
+ this->mark_in = 0;
+ this->mark_out = 0;
this->established = FALSE;
}
@@ -1592,6 +1645,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa,
.set_config = _set_config,
.get_lower_nonce = _get_lower_nonce,
.use_reqid = _use_reqid,
+ .use_marks = _use_marks,
.task = {
.get_type = _get_type,
.migrate = _migrate,
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h
index d29ba3d98..46d9403ee 100644
--- a/src/libcharon/sa/ikev2/tasks/child_create.h
+++ b/src/libcharon/sa/ikev2/tasks/child_create.h
@@ -52,6 +52,14 @@ struct child_create_t {
void (*use_reqid) (child_create_t *this, u_int32_t reqid);
/**
+ * Use specific mark values to override configuration.
+ *
+ * @param in inbound mark value
+ * @param out outbound mark value
+ */
+ void (*use_marks)(child_create_t *this, u_int in, u_int out);
+
+ /**
* Get the lower of the two nonces, used for rekey collisions.
*
* @return lower nonce
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
index 2b1697423..f0b11e291 100644
--- a/src/libcharon/sa/ikev2/tasks/child_delete.c
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -267,7 +267,7 @@ static void log_children(private_child_delete_t *this)
{
DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
"with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
ntohl(child_sa->get_spi(child_sa, TRUE)),
ntohl(child_sa->get_spi(child_sa, FALSE)), my_ts, other_ts);
}
@@ -278,7 +278,7 @@ static void log_children(private_child_delete_t *this)
DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i "
"(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
- child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ child_sa->get_name(child_sa), child_sa->get_unique_id(child_sa),
ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
my_ts, other_ts);
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
index db872827d..c806e19ca 100644
--- a/src/libcharon/sa/ikev2/tasks/child_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -96,9 +96,9 @@ static void schedule_delayed_rekey(private_child_rekey_t *this)
retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
job = (job_t*)rekey_child_sa_job_create(
- this->child_sa->get_reqid(this->child_sa),
this->child_sa->get_protocol(this->child_sa),
- this->child_sa->get_spi(this->child_sa, TRUE));
+ this->child_sa->get_spi(this->child_sa, TRUE),
+ this->ike_sa->get_my_host(this->ike_sa));
DBG1(DBG_IKE, "CHILD_SA rekeying failed, trying again in %d seconds", retry);
this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
lib->scheduler->schedule_job(lib->scheduler, job, retry);
@@ -184,6 +184,9 @@ METHOD(task_t, build_i, status_t,
}
reqid = this->child_sa->get_reqid(this->child_sa);
this->child_create->use_reqid(this->child_create, reqid);
+ this->child_create->use_marks(this->child_create,
+ this->child_sa->get_mark(this->child_sa, TRUE).value,
+ this->child_sa->get_mark(this->child_sa, FALSE).value);
if (this->child_create->task.build(&this->child_create->task,
message) != NEED_MORE)
@@ -224,6 +227,9 @@ METHOD(task_t, build_r, status_t,
/* let the CHILD_CREATE task build the response */
reqid = this->child_sa->get_reqid(this->child_sa);
this->child_create->use_reqid(this->child_create, reqid);
+ this->child_create->use_marks(this->child_create,
+ this->child_sa->get_mark(this->child_sa, TRUE).value,
+ this->child_sa->get_mark(this->child_sa, FALSE).value);
config = this->child_sa->get_config(this->child_sa);
this->child_create->set_config(this->child_create, config->get_ref(config));
this->child_create->task.build(&this->child_create->task, message);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
index 0dac975e7..ca17494de 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -229,12 +229,12 @@ static void process_x509(cert_payload_t *payload, auth_cfg_t *auth,
return;
}
url = strdup(url);
- if (first)
+ if (*first)
{ /* first URL is for an end entity certificate */
DBG1(DBG_IKE, "received hash-and-url for end entity cert \"%s\"",
url);
auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
- first = FALSE;
+ *first = FALSE;
}
else
{
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
index da06e2a36..646f20c61 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_config.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -17,7 +17,6 @@
#include "ike_config.h"
#include <daemon.h>
-#include <hydra.h>
#include <encoding/payloads/cp_payload.h>
typedef struct private_ike_config_t private_ike_config_t;
@@ -127,9 +126,8 @@ static void handle_attribute(private_ike_config_t *this,
enumerator->destroy(enumerator);
/* and pass it to the handle function */
- handler = hydra->attributes->handle(hydra->attributes,
- this->ike_sa->get_other_id(this->ike_sa), handler,
- ca->get_type(ca), ca->get_chunk(ca));
+ handler = charon->attributes->handle(charon->attributes,
+ this->ike_sa, handler, ca->get_type(ca), ca->get_chunk(ca));
this->ike_sa->add_configuration_attribute(this->ike_sa,
handler, ca->get_type(ca), ca->get_chunk(ca));
}
@@ -274,9 +272,8 @@ METHOD(task_t, build_i, status_t,
enumerator->destroy(enumerator);
}
- enumerator = hydra->attributes->create_initiator_enumerator(
- hydra->attributes,
- this->ike_sa->get_other_id(this->ike_sa), vips);
+ enumerator = charon->attributes->create_initiator_enumerator(
+ charon->attributes, this->ike_sa, vips);
while (enumerator->enumerate(enumerator, &handler, &type, &data))
{
configuration_attribute_t *ca;
@@ -352,8 +349,8 @@ METHOD(task_t, build_r, status_t,
/* query all pools until we get an address */
DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
- found = hydra->attributes->acquire_address(hydra->attributes,
- pools, id, requested);
+ found = charon->attributes->acquire_address(charon->attributes,
+ pools, this->ike_sa, requested);
if (found)
{
DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
@@ -398,8 +395,8 @@ METHOD(task_t, build_r, status_t,
}
/* query registered providers for additional attributes to include */
- enumerator = hydra->attributes->create_responder_enumerator(
- hydra->attributes, pools, id, vips);
+ enumerator = charon->attributes->create_responder_enumerator(
+ charon->attributes, pools, this->ike_sa, vips);
while (enumerator->enumerate(enumerator, &type, &value))
{
if (!cp)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index 71c5f22fa..0d5700ef2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -20,8 +20,11 @@
#include <string.h>
#include <daemon.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
#include <sa/ikev2/keymat_v2.h>
#include <crypto/diffie_hellman.h>
+#include <crypto/hashers/hash_algorithm_set.h>
#include <encoding/payloads/sa_payload.h>
#include <encoding/payloads/ke_payload.h>
#include <encoding/payloads/nonce_payload.h>
@@ -67,6 +70,11 @@ struct private_ike_init_t {
diffie_hellman_t *dh;
/**
+ * Applying DH public value failed?
+ */
+ bool dh_failed;
+
+ /**
* Keymat derivation (from IKE_SA)
*/
keymat_v2_t *keymat;
@@ -100,12 +108,114 @@ struct private_ike_init_t {
* retries done so far after failure (cookie or bad dh group)
*/
u_int retry;
+
+ /**
+ * Whether to use Signature Authentication as per RFC 7427
+ */
+ bool signature_authentication;
};
/**
+ * Notify the peer about the hash algorithms we support or expect,
+ * as per RFC 7427
+ */
+static void send_supported_hash_algorithms(private_ike_init_t *this,
+ message_t *message)
+{
+ hash_algorithm_set_t *algos;
+ enumerator_t *enumerator, *rounds;
+ bio_writer_t *writer;
+ hash_algorithm_t hash;
+ peer_cfg_t *peer;
+ auth_cfg_t *auth;
+ auth_rule_t rule;
+ uintptr_t config;
+ char *plugin_name;
+
+ algos = hash_algorithm_set_create();
+ peer = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer)
+ {
+ rounds = peer->create_auth_cfg_enumerator(peer, FALSE);
+ while (rounds->enumerate(rounds, &auth))
+ {
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &config))
+ {
+ if (rule == AUTH_RULE_SIGNATURE_SCHEME)
+ {
+ hash = hasher_from_signature_scheme(config);
+ if (hasher_algorithm_for_ikev2(hash))
+ {
+ algos->add(algos, hash);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ rounds->destroy(rounds);
+ }
+
+ if (!algos->count(algos))
+ {
+ enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
+ while (enumerator->enumerate(enumerator, &hash, &plugin_name))
+ {
+ if (hasher_algorithm_for_ikev2(hash))
+ {
+ algos->add(algos, hash);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ if (algos->count(algos))
+ {
+ writer = bio_writer_create(0);
+ enumerator = algos->create_enumerator(algos);
+ while (enumerator->enumerate(enumerator, &hash))
+ {
+ writer->write_uint16(writer, hash);
+ }
+ enumerator->destroy(enumerator);
+ message->add_notify(message, FALSE, SIGNATURE_HASH_ALGORITHMS,
+ writer->get_buf(writer));
+ writer->destroy(writer);
+ }
+ algos->destroy(algos);
+}
+
+/**
+ * Store algorithms supported by other peer
+ */
+static void handle_supported_hash_algorithms(private_ike_init_t *this,
+ notify_payload_t *notify)
+{
+ bio_reader_t *reader;
+ u_int16_t algo;
+ bool added = FALSE;
+
+ reader = bio_reader_create(notify->get_notification_data(notify));
+ while (reader->remaining(reader) >= 2 && reader->read_uint16(reader, &algo))
+ {
+ if (hasher_algorithm_for_ikev2(algo))
+ {
+ this->keymat->add_hash_algorithm(this->keymat, algo);
+ added = TRUE;
+ }
+ }
+ reader->destroy(reader);
+
+ if (added)
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_SIGNATURE_AUTH);
+ }
+}
+
+/**
* build the payloads for the message
*/
-static void build_payloads(private_ike_init_t *this, message_t *message)
+static bool build_payloads(private_ike_init_t *this, message_t *message)
{
sa_payload_t *sa_payload;
ke_payload_t *ke_payload;
@@ -149,7 +259,13 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
nonce_payload = nonce_payload_create(PLV2_NONCE);
nonce_payload->set_nonce(nonce_payload, this->my_nonce);
- ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE, this->dh);
+ ke_payload = ke_payload_create_from_diffie_hellman(PLV2_KEY_EXCHANGE,
+ this->dh);
+ if (!ke_payload)
+ {
+ DBG1(DBG_IKE, "creating KE payload failed");
+ return FALSE;
+ }
if (this->old_sa)
{ /* payload order differs if we are rekeying */
@@ -174,6 +290,17 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
chunk_empty);
}
}
+ /* submit supported hash algorithms for signature authentication */
+ if (!this->old_sa && this->signature_authentication)
+ {
+ if (this->initiator ||
+ this->ike_sa->supports_extension(this->ike_sa,
+ EXT_SIGNATURE_AUTH))
+ {
+ send_supported_hash_algorithms(this, message);
+ }
+ }
+ return TRUE;
}
/**
@@ -183,6 +310,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
{
enumerator_t *enumerator;
payload_t *payload;
+ ke_payload_t *ke_payload = NULL;
enumerator = message->create_payload_enumerator(message);
while (enumerator->enumerate(enumerator, &payload))
@@ -211,19 +339,9 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
}
case PLV2_KEY_EXCHANGE:
{
- ke_payload_t *ke_payload = (ke_payload_t*)payload;
+ ke_payload = (ke_payload_t*)payload;
this->dh_group = ke_payload->get_dh_group_number(ke_payload);
- if (!this->initiator)
- {
- this->dh = this->keymat->keymat.create_dh(
- &this->keymat->keymat, this->dh_group);
- }
- if (this->dh)
- {
- this->dh->set_other_public_value(this->dh,
- ke_payload->get_key_exchange_data(ke_payload));
- }
break;
}
case PLV2_NONCE:
@@ -237,17 +355,44 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
{
notify_payload_t *notify = (notify_payload_t*)payload;
- if (notify->get_notify_type(notify) == FRAGMENTATION_SUPPORTED)
+ switch (notify->get_notify_type(notify))
{
- this->ike_sa->enable_extension(this->ike_sa,
- EXT_IKE_FRAGMENTATION);
+ case FRAGMENTATION_SUPPORTED:
+ this->ike_sa->enable_extension(this->ike_sa,
+ EXT_IKE_FRAGMENTATION);
+ break;
+ case SIGNATURE_HASH_ALGORITHMS:
+ if (this->signature_authentication)
+ {
+ handle_supported_hash_algorithms(this, notify);
+ }
+ break;
+ default:
+ /* other notifies are handled elsewhere */
+ break;
}
+
}
default:
break;
}
}
enumerator->destroy(enumerator);
+
+ if (ke_payload && this->proposal &&
+ this->proposal->has_dh_group(this->proposal, this->dh_group))
+ {
+ if (!this->initiator)
+ {
+ this->dh = this->keymat->keymat.create_dh(
+ &this->keymat->keymat, this->dh_group);
+ }
+ if (this->dh)
+ {
+ this->dh_failed = !this->dh->set_other_public_value(this->dh,
+ ke_payload->get_key_exchange_data(ke_payload));
+ }
+ }
}
METHOD(task_t, build_i, status_t,
@@ -305,7 +450,10 @@ METHOD(task_t, build_i, status_t,
message->add_notify(message, FALSE, COOKIE, this->cookie);
}
- build_payloads(this, message);
+ if (!build_payloads(this, message))
+ {
+ return FAILED;
+ }
#ifdef ME
{
@@ -433,13 +581,24 @@ METHOD(task_t, build_r, status_t,
return FAILED;
}
+ if (this->dh_failed)
+ {
+ DBG1(DBG_IKE, "applying DH public value failed");
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return FAILED;
+ }
+
if (!derive_keys(this, this->other_nonce, this->my_nonce))
{
DBG1(DBG_IKE, "key derivation failed");
message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
return FAILED;
}
- build_payloads(this, message);
+ if (!build_payloads(this, message))
+ {
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return FAILED;
+ }
return SUCCESS;
}
@@ -554,6 +713,12 @@ METHOD(task_t, process_i, status_t,
return FAILED;
}
+ if (this->dh_failed)
+ {
+ DBG1(DBG_IKE, "applying DH public value failed");
+ return FAILED;
+ }
+
if (!derive_keys(this, this->my_nonce, this->other_nonce))
{
DBG1(DBG_IKE, "key derivation failed");
@@ -577,6 +742,7 @@ METHOD(task_t, migrate, void,
this->ike_sa = ike_sa;
this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
this->proposal = NULL;
+ this->dh_failed = FALSE;
if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group)
{ /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */
this->dh->destroy(this->dh);
@@ -631,6 +797,8 @@ ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
.dh_group = MODP_NONE,
.keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
.old_sa = old_sa,
+ .signature_authentication = lib->settings->get_bool(lib->settings,
+ "%s.signature_authentication", TRUE, lib->ns),
);
if (initiator)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
index d91fa5862..6295d7960 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_mobike.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -256,6 +256,7 @@ static void update_children(private_ike_mobike_t *this)
enumerator_t *enumerator;
child_sa_t *child_sa;
linked_list_t *vips;
+ status_t status;
host_t *host;
vips = linked_list_create();
@@ -270,15 +271,25 @@ static void update_children(private_ike_mobike_t *this)
enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
while (enumerator->enumerate(enumerator, (void**)&child_sa))
{
- if (child_sa->update(child_sa,
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa), vips,
- this->ike_sa->has_condition(this->ike_sa,
- COND_NAT_ANY)) == NOT_SUPPORTED)
+ status = child_sa->update(child_sa,
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa), vips,
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+ switch (status)
{
- this->ike_sa->rekey_child_sa(this->ike_sa,
- child_sa->get_protocol(child_sa),
- child_sa->get_spi(child_sa, TRUE));
+ case NOT_SUPPORTED:
+ this->ike_sa->rekey_child_sa(this->ike_sa,
+ child_sa->get_protocol(child_sa),
+ child_sa->get_spi(child_sa, TRUE));
+ break;
+ case SUCCESS:
+ charon->child_sa_manager->remove(charon->child_sa_manager,
+ child_sa);
+ charon->child_sa_manager->add(charon->child_sa_manager,
+ child_sa, this->ike_sa);
+ break;
+ default:
+ break;
}
}
enumerator->destroy(enumerator);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.h b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
index 781b463a7..e2e48f0d4 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_reauth.h
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
@@ -29,6 +29,8 @@ typedef struct ike_reauth_t ike_reauth_t;
/**
* Task of type ike_reauth, reestablishes an IKE_SA.
+ *
+ * This task implements break-before-make reauthentication.
*/
struct ike_reauth_t {
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c
new file mode 100644
index 000000000..a01489c03
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_reauth_complete.h"
+
+#include <daemon.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+
+
+typedef struct private_ike_reauth_complete_t private_ike_reauth_complete_t;
+
+/**
+ * Private members of a ike_reauth_complete_t task.
+ */
+struct private_ike_reauth_complete_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_reauth_complete_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Reauthenticated IKE_SA identifier
+ */
+ ike_sa_id_t *id;
+};
+
+METHOD(task_t, build_i, status_t,
+ private_ike_reauth_complete_t *this, message_t *message)
+{
+ message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
+ lib->processor->queue_job(lib->processor,
+ (job_t*)delete_ike_sa_job_create(this->id, TRUE));
+ return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_reauth_complete_t *this, message_t *message)
+{
+ return DESTROY_ME;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_reauth_complete_t *this)
+{
+ return TASK_IKE_REAUTH_COMPLETE;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_reauth_complete_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_reauth_complete_t *this)
+{
+ this->id->destroy(this->id);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_reauth_complete_t *ike_reauth_complete_create(ike_sa_t *ike_sa,
+ ike_sa_id_t *id)
+{
+ private_ike_reauth_complete_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .build = _build_i,
+ .process = _process_i,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ .id = id->clone(id),
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h
new file mode 100644
index 000000000..cc3d3b713
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth_complete.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_reauth_complete ike_reauth_complete
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_REAUTH_COMPLETE_H_
+#define IKE_REAUTH_COMPLETE_H_
+
+typedef struct ike_reauth_complete_t ike_reauth_complete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type IKE_REAUTH_COMPLETE, removes reauthenticated SA after reauth.
+ *
+ * This task completes make-before-break reauthentication by deleting the
+ * old, reauthenticated IKE_SA after the new one established.
+ */
+struct ike_reauth_complete_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new ike_reauth_complete task.
+ *
+ * This task is initiator only.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param id old, reauthenticated IKE_SA
+ * @return ike_reauth_complete task to handle by the task_manager
+ */
+ike_reauth_complete_t *ike_reauth_complete_create(ike_sa_t *ike_sa,
+ ike_sa_id_t *id);
+
+#endif /** IKE_REAUTH_COMPLETE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
index 444ac6ade..1855517ce 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_rekey.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -22,6 +22,7 @@
#include <sa/ikev2/tasks/ike_delete.h>
#include <processing/jobs/delete_ike_sa_job.h>
#include <processing/jobs/rekey_ike_sa_job.h>
+#include <processing/jobs/initiate_tasks_job.h>
typedef struct private_ike_rekey_t private_ike_rekey_t;
@@ -68,12 +69,33 @@ struct private_ike_rekey_t {
};
/**
+ * Check if an IKE_SA has any queued tasks, return initiation job
+ */
+static job_t* check_queued_tasks(ike_sa_t *ike_sa)
+{
+ enumerator_t *enumerator;
+ task_t *task;
+ job_t *job = NULL;
+
+ enumerator = ike_sa->create_task_enumerator(ike_sa, TASK_QUEUE_QUEUED);
+ if (enumerator->enumerate(enumerator, &task))
+ {
+ job = (job_t*)initiate_tasks_job_create(ike_sa->get_id(ike_sa));
+ }
+ enumerator->destroy(enumerator);
+
+ return job;
+}
+
+/**
* Establish the new replacement IKE_SA
*/
static void establish_new(private_ike_rekey_t *this)
{
if (this->new_sa)
{
+ job_t *job;
+
this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
this->new_sa->get_name(this->new_sa),
@@ -85,7 +107,14 @@ static void establish_new(private_ike_rekey_t *this)
this->new_sa->inherit_post(this->new_sa, this->ike_sa);
charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
+ job = check_queued_tasks(this->new_sa);
+ /* don't queue job before checkin(), as the IKE_SA is not yet
+ * registered at the manager */
charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+ if (job)
+ {
+ lib->processor->queue_job(lib->processor, job);
+ }
this->new_sa = NULL;
/* set threads active IKE_SA after checkin */
charon->bus->set_sa(charon->bus, this->ike_sa);
@@ -163,6 +192,7 @@ METHOD(task_t, process_r, status_t,
{
case CHILD_CREATED:
case CHILD_REKEYING:
+ case CHILD_RETRYING:
case CHILD_DELETING:
/* we do not allow rekeying while we have children in-progress */
DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
@@ -209,6 +239,12 @@ METHOD(task_t, build_r, status_t,
this->public.task.build = _build_r_delete;
this->public.task.process = _process_r_delete;
+ /* the peer does have to delete the IKE_SA. If it does not, we get a
+ * unusable IKE_SA in REKEYING state without a replacement. We consider
+ * this a timeout condition by the peer, and trigger a delete actively. */
+ lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+ delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), 90);
+
return NEED_MORE;
}
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
index 4336b23ff..b35b58185 100644
--- a/src/libcharon/sa/task.c
+++ b/src/libcharon/sa/task.c
@@ -27,6 +27,7 @@ ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST,
"IKE_CONFIG",
"IKE_REKEY",
"IKE_REAUTH",
+ "IKE_REAUTH_COMPLETE",
"IKE_DELETE",
"IKE_DPD",
"IKE_VENDOR",
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index f2c4299cc..7bd3da1fe 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -22,6 +22,8 @@
#ifndef TASK_H_
#define TASK_H_
+#include <utils/utils.h>
+
typedef enum task_type_t task_type_t;
typedef struct task_t task_t;
@@ -51,8 +53,10 @@ enum task_type_t {
TASK_IKE_CONFIG,
/** rekey an IKE_SA */
TASK_IKE_REKEY,
- /** reestablish a complete IKE_SA */
+ /** reestablish a complete IKE_SA, break-before-make */
TASK_IKE_REAUTH,
+ /** completion task for make-before-break IKE_SA re-authentication */
+ TASK_IKE_REAUTH_COMPLETE,
/** delete an IKE_SA */
TASK_IKE_DELETE,
/** liveness check */
diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c
index 7e55d6b0f..d6ff3c8c5 100644
--- a/src/libcharon/sa/trap_manager.c
+++ b/src/libcharon/sa/trap_manager.c
@@ -65,6 +65,11 @@ struct private_trap_manager_t {
* listener to track acquiring IKE_SAs
*/
trap_listener_t listener;
+
+ /**
+ * Whether to ignore traffic selectors from acquires
+ */
+ bool ignore_acquire_ts;
};
/**
@@ -171,7 +176,7 @@ METHOD(trap_manager_t, install, u_int32_t,
this->lock->unlock(this->lock);
/* create and route CHILD_SA */
- child_sa = child_sa_create(me, other, child, reqid, FALSE);
+ child_sa = child_sa_create(me, other, child, reqid, FALSE, 0, 0);
list = linked_list_create_with_items(me, NULL);
my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
@@ -353,7 +358,7 @@ METHOD(trap_manager_t, acquire, void,
{
ike_sa->set_peer_cfg(ike_sa, peer);
}
- if (ike_sa->get_version(ike_sa) == IKEV1)
+ if (this->ignore_acquire_ts || ike_sa->get_version(ike_sa) == IKEV1)
{ /* in IKEv1, don't prepend the acquiring packet TS, as we only
* have a single TS that we can establish in a Quick Mode. */
src = dst = NULL;
@@ -484,6 +489,8 @@ trap_manager_t *trap_manager_create(void)
},
.traps = linked_list_create(),
.lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .ignore_acquire_ts = lib->settings->get_bool(lib->settings,
+ "%s.ignore_acquire_ts", FALSE, lib->ns),
);
charon->bus->add_listener(charon->bus, &this->listener.listener);
diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am
new file mode 100644
index 000000000..c8be28594
--- /dev/null
+++ b/src/libcharon/tests/Makefile.am
@@ -0,0 +1,21 @@
+TESTS = libcharon_tests
+
+check_PROGRAMS = $(TESTS)
+
+libcharon_tests_SOURCES = \
+ suites/test_mem_pool.c \
+ libcharon_tests.h libcharon_tests.c
+
+libcharon_tests_CFLAGS = \
+ -I$(top_srcdir)/src/libcharon \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ @COVERAGE_CFLAGS@
+
+libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+libcharon_tests_LDADD = \
+ $(top_builddir)/src/libcharon/libcharon.la \
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
new file mode 100644
index 000000000..7f4f4b24e
--- /dev/null
+++ b/src/libcharon/tests/Makefile.in
@@ -0,0 +1,874 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = libcharon_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libcharon/tests
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = libcharon_tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libcharon_tests_OBJECTS = \
+ suites/libcharon_tests-test_mem_pool.$(OBJEXT) \
+ libcharon_tests-libcharon_tests.$(OBJEXT)
+libcharon_tests_OBJECTS = $(am_libcharon_tests_OBJECTS)
+libcharon_tests_DEPENDENCIES = \
+ $(top_builddir)/src/libcharon/libcharon.la \
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libcharon_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(libcharon_tests_CFLAGS) $(CFLAGS) $(libcharon_tests_LDFLAGS) \
+ $(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libcharon_tests_SOURCES)
+DIST_SOURCES = $(libcharon_tests_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+libcharon_tests_SOURCES = \
+ suites/test_mem_pool.c \
+ libcharon_tests.h libcharon_tests.c
+
+libcharon_tests_CFLAGS = \
+ -I$(top_srcdir)/src/libcharon \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ @COVERAGE_CFLAGS@
+
+libcharon_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+libcharon_tests_LDADD = \
+ $(top_builddir)/src/libcharon/libcharon.la \
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/tests/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libcharon/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+suites/$(am__dirstamp):
+ @$(MKDIR_P) suites
+ @: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) suites/$(DEPDIR)
+ @: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/libcharon_tests-test_mem_pool.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+
+libcharon_tests$(EXEEXT): $(libcharon_tests_OBJECTS) $(libcharon_tests_DEPENDENCIES) $(EXTRA_libcharon_tests_DEPENDENCIES)
+ @rm -f libcharon_tests$(EXEEXT)
+ $(AM_V_CCLD)$(libcharon_tests_LINK) $(libcharon_tests_OBJECTS) $(libcharon_tests_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+ -rm -f suites/*.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcharon_tests-libcharon_tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+suites/libcharon_tests-test_mem_pool.o: suites/test_mem_pool.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.o -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mem_pool.c' object='suites/libcharon_tests-test_mem_pool.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_mem_pool.o `test -f 'suites/test_mem_pool.c' || echo '$(srcdir)/'`suites/test_mem_pool.c
+
+suites/libcharon_tests-test_mem_pool.obj: suites/test_mem_pool.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT suites/libcharon_tests-test_mem_pool.obj -MD -MP -MF suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo -c -o suites/libcharon_tests-test_mem_pool.obj `if test -f 'suites/test_mem_pool.c'; then $(CYGPATH_W) 'suites/test_mem_pool.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mem_pool.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Tpo suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mem_pool.c' object='suites/libcharon_tests-test_mem_pool.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o suites/libcharon_tests-test_mem_pool.obj `if test -f 'suites/test_mem_pool.c'; then $(CYGPATH_W) 'suites/test_mem_pool.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mem_pool.c'; fi`
+
+libcharon_tests-libcharon_tests.o: libcharon_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT libcharon_tests-libcharon_tests.o -MD -MP -MF $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo -c -o libcharon_tests-libcharon_tests.o `test -f 'libcharon_tests.c' || echo '$(srcdir)/'`libcharon_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo $(DEPDIR)/libcharon_tests-libcharon_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libcharon_tests.c' object='libcharon_tests-libcharon_tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o libcharon_tests-libcharon_tests.o `test -f 'libcharon_tests.c' || echo '$(srcdir)/'`libcharon_tests.c
+
+libcharon_tests-libcharon_tests.obj: libcharon_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -MT libcharon_tests-libcharon_tests.obj -MD -MP -MF $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo -c -o libcharon_tests-libcharon_tests.obj `if test -f 'libcharon_tests.c'; then $(CYGPATH_W) 'libcharon_tests.c'; else $(CYGPATH_W) '$(srcdir)/libcharon_tests.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libcharon_tests-libcharon_tests.Tpo $(DEPDIR)/libcharon_tests-libcharon_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libcharon_tests.c' object='libcharon_tests-libcharon_tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libcharon_tests_CFLAGS) $(CFLAGS) -c -o libcharon_tests-libcharon_tests.obj `if test -f 'libcharon_tests.c'; then $(CYGPATH_W) 'libcharon_tests.c'; else $(CYGPATH_W) '$(srcdir)/libcharon_tests.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ $(am__tty_colors); \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=XPASS; \
+ ;; \
+ *) \
+ col=$$grn; res=PASS; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ col=$$lgn; res=XFAIL; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=FAIL; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ col=$$blu; res=SKIP; \
+ fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ if test "$$failed" -eq 0; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ fi; \
+ echo "$${col}$$dashes$${std}"; \
+ echo "$${col}$$banner$${std}"; \
+ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+ test -z "$$report" || echo "$${col}$$report$${std}"; \
+ echo "$${col}$$dashes$${std}"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+ -rm -f suites/$(DEPDIR)/$(am__dirstamp)
+ -rm -f suites/$(am__dirstamp)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+ clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+ ctags ctags-am distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
new file mode 100644
index 000000000..1ed0f0c95
--- /dev/null
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+#include <hydra.h>
+#include <daemon.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "libcharon_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "libcharon_tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ libhydra_init();
+ libcharon_init();
+ }
+ else
+ {
+ lib->processor->set_threads(lib->processor, 0);
+ lib->processor->cancel(lib->processor);
+ libcharon_deinit();
+ libhydra_deinit();
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("libcharon", tests, test_runner_init);
+}
diff --git a/src/libcharon/tests/libcharon_tests.h b/src/libcharon/tests/libcharon_tests.h
new file mode 100644
index 000000000..dc9681aeb
--- /dev/null
+++ b/src/libcharon/tests/libcharon_tests.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(mem_pool_suite_create)
diff --git a/src/libcharon/tests/suites/test_mem_pool.c b/src/libcharon/tests/suites/test_mem_pool.c
new file mode 100644
index 000000000..4204d4bab
--- /dev/null
+++ b/src/libcharon/tests/suites/test_mem_pool.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <attributes/mem_pool.h>
+
+static void assert_host(char *expected, host_t *host)
+{
+ if (!expected)
+ {
+ ck_assert_msg(!host, "not epxecting IP != %+H", host);
+ }
+ else
+ {
+ host_t *verifier;
+ verifier = host_create_from_string(expected, 0);
+ ck_assert_msg(host, "expected IP %+H != NULL", verifier);
+ ck_assert_msg(verifier->ip_equals(verifier, host), "expected IP %+H != "
+ "%+H", verifier, host);;
+ verifier->destroy(verifier);
+ }
+}
+
+static void assert_acquire(mem_pool_t *pool, char *requested, char *expected,
+ mem_pool_op_t operation)
+{
+ identification_t *id;
+ host_t *req, *acquired;
+
+ id = identification_create_from_string("tester");
+ req = host_create_from_string(requested, 0);
+
+ acquired = pool->acquire_address(pool, id, req, operation, NULL);
+ assert_host(expected, acquired);
+ DESTROY_IF(acquired);
+
+ req->destroy(req);
+ id->destroy(id);
+}
+
+static void assert_acquires_new(mem_pool_t *pool, char *pattern, int first)
+{
+ char expected[16];
+ int i;
+
+ for (i = 0; i < pool->get_size(pool); i++)
+ {
+ snprintf(expected, sizeof(expected), pattern, first + i);
+ assert_acquire(pool, "0.0.0.0", expected, MEM_POOL_NEW);
+ ck_assert_int_eq(i + 1, pool->get_online(pool));
+ }
+ assert_acquire(pool, "0.0.0.0", NULL, MEM_POOL_NEW);
+}
+
+START_TEST(test_config)
+{
+ mem_pool_t *pool;
+
+ pool = mem_pool_create("test", NULL, 0);
+ ck_assert_int_eq(0, pool->get_size(pool));
+ assert_acquire(pool, "192.168.0.1", "192.168.0.1", MEM_POOL_NEW);
+ assert_acquire(pool, "10.0.1.1", "10.0.1.1", MEM_POOL_NEW);
+ assert_acquire(pool, "0.0.0.0", "0.0.0.0", MEM_POOL_NEW);
+ assert_acquire(pool, "255.255.255.255", "255.255.255.255", MEM_POOL_NEW);
+ ck_assert_int_eq(0, pool->get_online(pool));
+ pool->destroy(pool);
+}
+END_TEST
+
+START_TEST(test_cidr)
+{
+ mem_pool_t *pool;
+ host_t *base;
+
+ base = host_create_from_string("192.168.0.0", 0);
+
+ pool = mem_pool_create("test", base, 32);
+ ck_assert_int_eq(1, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 0);
+ pool->destroy(pool);
+
+ pool = mem_pool_create("test", base, 31);
+ ck_assert_int_eq(2, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 0);
+ pool->destroy(pool);
+
+ pool = mem_pool_create("test", base, 30);
+ ck_assert_int_eq(2, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 1);
+ pool->destroy(pool);
+
+ pool = mem_pool_create("test", base, 29);
+ ck_assert_int_eq(6, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 1);
+ pool->destroy(pool);
+
+ pool = mem_pool_create("test", base, 24);
+ ck_assert_int_eq(254, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 1);
+ pool->destroy(pool);
+
+ base->destroy(base);
+}
+END_TEST
+
+START_TEST(test_cidr_offset)
+{
+ mem_pool_t *pool;
+ host_t *base;
+
+ base = host_create_from_string("192.168.0.1", 0);
+ pool = mem_pool_create("test", base, 31);
+ ck_assert_int_eq(1, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 1);
+ pool->destroy(pool);
+
+ pool = mem_pool_create("test", base, 30);
+ ck_assert_int_eq(2, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 1);
+ pool->destroy(pool);
+ base->destroy(base);
+
+ base = host_create_from_string("192.168.0.2", 0);
+ pool = mem_pool_create("test", base, 30);
+ ck_assert_int_eq(1, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 2);
+ pool->destroy(pool);
+
+ pool = mem_pool_create("test", base, 24);
+ ck_assert_int_eq(253, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 2);
+ pool->destroy(pool);
+ base->destroy(base);
+
+ base = host_create_from_string("192.168.0.254", 0);
+ pool = mem_pool_create("test", base, 24);
+ ck_assert_int_eq(1, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 254);
+ pool->destroy(pool);
+ base->destroy(base);
+
+ /* due to size == 0 we get the requested IP back */
+ base = host_create_from_string("192.168.0.255", 0);
+ pool = mem_pool_create("test", base, 24);
+ ck_assert_int_eq(0, pool->get_size(pool));
+ assert_acquire(pool, "192.168.0.1", "192.168.0.1", MEM_POOL_NEW);
+ pool->destroy(pool);
+
+ base->destroy(base);
+}
+END_TEST
+
+START_TEST(test_range)
+{
+ mem_pool_t *pool;
+ host_t *from, *to;
+
+ from = host_create_from_string("192.168.0.0", 0);
+ to = host_create_from_string("192.168.0.0", 0);
+ pool = mem_pool_create_range("test", from, to);
+ ck_assert_int_eq(1, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 0);
+ pool->destroy(pool);
+
+ to->destroy(to);
+ to = host_create_from_string("192.168.0.1", 0);
+ pool = mem_pool_create_range("test", from, to);
+ ck_assert_int_eq(2, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 0);
+ pool->destroy(pool);
+
+ from->destroy(from);
+ from = host_create_from_string("192.168.0.10", 0);
+ pool = mem_pool_create_range("test", from, to);
+ ck_assert(!pool);
+
+ to->destroy(to);
+ to = host_create_from_string("192.168.0.20", 0);
+ pool = mem_pool_create_range("test", from, to);
+ ck_assert_int_eq(11, pool->get_size(pool));
+ assert_acquires_new(pool, "192.168.0.%d", 10);
+ pool->destroy(pool);
+
+ from->destroy(from);
+ from = host_create_from_string("fec::1", 0);
+ to->destroy(to);
+ to = host_create_from_string("fed::1", 0);
+ pool = mem_pool_create_range("test", from, to);
+ ck_assert(!pool);
+
+ from->destroy(from);
+ to->destroy(to);
+}
+END_TEST
+
+Suite *mem_pool_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("mem_pool");
+
+ tc = tcase_create("%config-like pool");
+ tcase_add_test(tc, test_config);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("cidr constructor");
+ tcase_add_test(tc, test_cidr);
+ tcase_add_test(tc, test_cidr_offset);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("range constructor");
+ tcase_add_test(tc, test_range);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index f0e9cbe35..6a3a4ebd5 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libhydra/Android.mk b/src/libhydra/Android.mk
index ff134da7b..af39f04ec 100644
--- a/src/libhydra/Android.mk
+++ b/src/libhydra/Android.mk
@@ -4,10 +4,6 @@ include $(CLEAR_VARS)
# copy-n-paste from Makefile.am
libhydra_la_SOURCES := \
hydra.c hydra.h \
-attributes/attributes.c attributes/attributes.h \
-attributes/attribute_provider.h attributes/attribute_handler.h \
-attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h \
kernel/kernel_interface.c kernel/kernel_interface.h \
kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
kernel/kernel_net.c kernel/kernel_net.h \
@@ -17,8 +13,6 @@ LOCAL_SRC_FILES := $(filter %.c,$(libhydra_la_SOURCES))
# adding the plugin source files
-LOCAL_SRC_FILES += $(call add_plugin, attr)
-
LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey)
LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink)
@@ -42,4 +36,3 @@ LOCAL_PRELINK_MODULE := false
LOCAL_SHARED_LIBRARIES += libstrongswan
include $(BUILD_SHARED_LIBRARY)
-
diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am
index 510f2a124..9cdbc0147 100644
--- a/src/libhydra/Makefile.am
+++ b/src/libhydra/Makefile.am
@@ -2,10 +2,6 @@ ipseclib_LTLIBRARIES = libhydra.la
libhydra_la_SOURCES = \
hydra.c hydra.h \
-attributes/attributes.c attributes/attributes.h \
-attributes/attribute_provider.h attributes/attribute_handler.h \
-attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h \
kernel/kernel_interface.c kernel/kernel_interface.h \
kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
kernel/kernel_net.c kernel/kernel_net.h \
@@ -37,20 +33,6 @@ else
SUBDIRS = .
endif
-if USE_ATTR
- SUBDIRS += plugins/attr
-if MONOLITHIC
- libhydra_la_LIBADD += plugins/attr/libstrongswan-attr.la
-endif
-endif
-
-if USE_ATTR_SQL
- SUBDIRS += plugins/attr_sql
-if MONOLITHIC
- libhydra_la_LIBADD += plugins/attr_sql/libstrongswan-attr-sql.la
-endif
-endif
-
if USE_KERNEL_PFKEY
SUBDIRS += plugins/kernel_pfkey
if MONOLITHIC
@@ -72,9 +54,7 @@ if MONOLITHIC
endif
endif
-if USE_RESOLVE
- SUBDIRS += plugins/resolve
if MONOLITHIC
- libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la
-endif
+ SUBDIRS += .
endif
+SUBDIRS += tests
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index e3ff1981c..9bb2e839a 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -79,18 +79,12 @@ POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
@USE_WINDOWS_TRUE@am__append_1 = -lws2_32
-@USE_ATTR_TRUE@am__append_2 = plugins/attr
-@MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_3 = plugins/attr/libstrongswan-attr.la
-@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql
-@MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_5 = plugins/attr_sql/libstrongswan-attr-sql.la
-@USE_KERNEL_PFKEY_TRUE@am__append_6 = plugins/kernel_pfkey
-@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
-@USE_KERNEL_PFROUTE_TRUE@am__append_8 = plugins/kernel_pfroute
-@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
-@USE_KERNEL_NETLINK_TRUE@am__append_10 = plugins/kernel_netlink
-@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_11 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
-@USE_RESOLVE_TRUE@am__append_12 = plugins/resolve
-@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_13 = plugins/resolve/libstrongswan-resolve.la
+@USE_KERNEL_PFKEY_TRUE@am__append_2 = plugins/kernel_pfkey
+@MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE@am__append_3 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+@USE_KERNEL_PFROUTE_TRUE@am__append_4 = plugins/kernel_pfroute
+@MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE@am__append_5 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+@USE_KERNEL_NETLINK_TRUE@am__append_6 = plugins/kernel_netlink
+@MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE@am__append_7 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
subdir = src/libhydra
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
@@ -144,13 +138,10 @@ am__DEPENDENCIES_1 =
libhydra_la_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
$(am__DEPENDENCIES_1) $(am__append_3) $(am__append_5) \
- $(am__append_7) $(am__append_9) $(am__append_11) \
- $(am__append_13)
+ $(am__append_7)
am__dirstamp = $(am__leading_dot)dirstamp
-am_libhydra_la_OBJECTS = hydra.lo attributes/attributes.lo \
- attributes/attribute_manager.lo attributes/mem_pool.lo \
- kernel/kernel_interface.lo kernel/kernel_ipsec.lo \
- kernel/kernel_net.lo
+am_libhydra_la_OBJECTS = hydra.lo kernel/kernel_interface.lo \
+ kernel/kernel_ipsec.lo kernel/kernel_net.lo
libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -232,8 +223,8 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
-DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/kernel_pfkey \
- plugins/kernel_pfroute plugins/kernel_netlink plugins/resolve
+DIST_SUBDIRS = . plugins/kernel_pfkey plugins/kernel_pfroute \
+ plugins/kernel_netlink tests
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -285,6 +276,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -345,10 +337,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -422,6 +416,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -483,10 +479,6 @@ xml_LIBS = @xml_LIBS@
ipseclib_LTLIBRARIES = libhydra.la
libhydra_la_SOURCES = \
hydra.c hydra.h \
-attributes/attributes.c attributes/attributes.h \
-attributes/attribute_provider.h attributes/attribute_handler.h \
-attributes/attribute_manager.c attributes/attribute_manager.h \
-attributes/mem_pool.c attributes/mem_pool.h \
kernel/kernel_interface.c kernel/kernel_interface.h \
kernel/kernel_ipsec.c kernel/kernel_ipsec.h \
kernel/kernel_net.c kernel/kernel_net.h \
@@ -495,8 +487,7 @@ kernel/kernel_listener.h
libhydra_la_LIBADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
$(am__append_1) $(am__append_3) $(am__append_5) \
- $(am__append_7) $(am__append_9) $(am__append_11) \
- $(am__append_13)
+ $(am__append_7)
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
-DIPSEC_DIR=\"${ipsecdir}\" \
@@ -507,14 +498,12 @@ AM_LDFLAGS = \
EXTRA_DIST = Android.mk
@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_2) $(am__append_4) \
-@MONOLITHIC_FALSE@ $(am__append_6) $(am__append_8) \
-@MONOLITHIC_FALSE@ $(am__append_10) $(am__append_12)
+@MONOLITHIC_FALSE@ $(am__append_6) tests
# build optional plugins
########################
@MONOLITHIC_TRUE@SUBDIRS = $(am__append_2) $(am__append_4) \
-@MONOLITHIC_TRUE@ $(am__append_6) $(am__append_8) \
-@MONOLITHIC_TRUE@ $(am__append_10) $(am__append_12)
+@MONOLITHIC_TRUE@ $(am__append_6) . tests
all: all-recursive
.SUFFIXES:
@@ -584,18 +573,6 @@ clean-ipseclibLTLIBRARIES:
echo rm -f $${locs}; \
rm -f $${locs}; \
}
-attributes/$(am__dirstamp):
- @$(MKDIR_P) attributes
- @: > attributes/$(am__dirstamp)
-attributes/$(DEPDIR)/$(am__dirstamp):
- @$(MKDIR_P) attributes/$(DEPDIR)
- @: > attributes/$(DEPDIR)/$(am__dirstamp)
-attributes/attributes.lo: attributes/$(am__dirstamp) \
- attributes/$(DEPDIR)/$(am__dirstamp)
-attributes/attribute_manager.lo: attributes/$(am__dirstamp) \
- attributes/$(DEPDIR)/$(am__dirstamp)
-attributes/mem_pool.lo: attributes/$(am__dirstamp) \
- attributes/$(DEPDIR)/$(am__dirstamp)
kernel/$(am__dirstamp):
@$(MKDIR_P) kernel
@: > kernel/$(am__dirstamp)
@@ -614,8 +591,6 @@ libhydra.la: $(libhydra_la_OBJECTS) $(libhydra_la_DEPENDENCIES) $(EXTRA_libhydra
mostlyclean-compile:
-rm -f *.$(OBJEXT)
- -rm -f attributes/*.$(OBJEXT)
- -rm -f attributes/*.lo
-rm -f kernel/*.$(OBJEXT)
-rm -f kernel/*.lo
@@ -623,9 +598,6 @@ distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attribute_manager.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/attributes.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@attributes/$(DEPDIR)/mem_pool.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_interface.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_ipsec.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@kernel/$(DEPDIR)/kernel_net.Plo@am__quote@
@@ -659,7 +631,6 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
- -rm -rf attributes/.libs attributes/_libs
-rm -rf kernel/.libs kernel/_libs
# This directory's subdirectories are mostly independent; you can cd
@@ -850,8 +821,6 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
- -rm -f attributes/$(DEPDIR)/$(am__dirstamp)
- -rm -f attributes/$(am__dirstamp)
-rm -f kernel/$(DEPDIR)/$(am__dirstamp)
-rm -f kernel/$(am__dirstamp)
@@ -864,7 +833,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
mostlyclean-am
distclean: distclean-recursive
- -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) kernel/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -910,7 +879,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
- -rm -rf ./$(DEPDIR) attributes/$(DEPDIR) kernel/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) kernel/$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
diff --git a/src/libhydra/hydra.c b/src/libhydra/hydra.c
index 1b5065081..47ffb59c6 100644
--- a/src/libhydra/hydra.c
+++ b/src/libhydra/hydra.c
@@ -57,7 +57,6 @@ void libhydra_deinit()
return;
}
- this->public.attributes->destroy(this->public.attributes);
this->public.kernel_interface->destroy(this->public.kernel_interface);
free(this);
hydra = NULL;
@@ -78,9 +77,6 @@ bool libhydra_init()
}
INIT(this,
- .public = {
- .attributes = attribute_manager_create(),
- },
.ref = 1,
);
hydra = &this->public;
diff --git a/src/libhydra/hydra.h b/src/libhydra/hydra.h
index 94209ff59..b23a30584 100644
--- a/src/libhydra/hydra.h
+++ b/src/libhydra/hydra.h
@@ -16,9 +16,6 @@
/**
* @defgroup libhydra libhydra
*
- * @defgroup attributes attributes
- * @ingroup libhydra
- *
* @defgroup hkernel kernel
* @ingroup libhydra
*
@@ -34,7 +31,6 @@
typedef struct hydra_t hydra_t;
-#include <attributes/attribute_manager.h>
#include <kernel/kernel_interface.h>
#include <library.h>
@@ -45,11 +41,6 @@ typedef struct hydra_t hydra_t;
struct hydra_t {
/**
- * manager for payload attributes
- */
- attribute_manager_t *attributes;
-
- /**
* kernel interface to communicate with kernel
*/
kernel_interface_t *kernel_interface;
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 3fa28e054..ce31bd410 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -43,6 +43,8 @@
#include <utils/debug.h>
#include <threading/mutex.h>
#include <collections/linked_list.h>
+#include <collections/hashtable.h>
+#include <collections/array.h>
typedef struct private_kernel_interface_t private_kernel_interface_t;
@@ -115,6 +117,16 @@ struct private_kernel_interface_t {
linked_list_t *listeners;
/**
+ * Reqid entries indexed by reqids
+ */
+ hashtable_t *reqids;
+
+ /**
+ * Reqid entries indexed by traffic selectors
+ */
+ hashtable_t *reqids_by_ts;
+
+ /**
* mutex for algorithm mappings
*/
mutex_t *mutex_algs;
@@ -155,24 +167,252 @@ METHOD(kernel_interface_t, get_features, kernel_feature_t,
METHOD(kernel_interface_t, get_spi, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t *spi)
{
if (!this->ipsec)
{
return NOT_SUPPORTED;
}
- return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
+ return this->ipsec->get_spi(this->ipsec, src, dst, protocol, spi);
}
METHOD(kernel_interface_t, get_cpi, status_t,
private_kernel_interface_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+ u_int16_t *cpi)
{
if (!this->ipsec)
{
return NOT_SUPPORTED;
}
- return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
+ return this->ipsec->get_cpi(this->ipsec, src, dst, cpi);
+}
+
+/**
+ * Reqid mapping entry
+ */
+typedef struct {
+ /** allocated reqid */
+ u_int32_t reqid;
+ /** references to this entry */
+ u_int refs;
+ /** inbound mark used for SA */
+ mark_t mark_in;
+ /** outbound mark used for SA */
+ mark_t mark_out;
+ /** local traffic selectors */
+ array_t *local;
+ /** remote traffic selectors */
+ array_t *remote;
+} reqid_entry_t;
+
+/**
+ * Destroy a reqid mapping entry
+ */
+static void reqid_entry_destroy(reqid_entry_t *entry)
+{
+ array_destroy_offset(entry->local, offsetof(traffic_selector_t, destroy));
+ array_destroy_offset(entry->remote, offsetof(traffic_selector_t, destroy));
+ free(entry);
+}
+
+/**
+ * Hashtable hash function for reqid entries using reqid as key
+ */
+static u_int hash_reqid(reqid_entry_t *entry)
+{
+ return chunk_hash_inc(chunk_from_thing(entry->reqid),
+ chunk_hash_inc(chunk_from_thing(entry->mark_in),
+ chunk_hash(chunk_from_thing(entry->mark_out))));
+}
+
+/**
+ * Hashtable equals function for reqid entries using reqid as key
+ */
+static bool equals_reqid(reqid_entry_t *a, reqid_entry_t *b)
+{
+ return a->reqid == b->reqid &&
+ a->mark_in.value == b->mark_in.value &&
+ a->mark_in.mask == b->mark_in.mask &&
+ a->mark_out.value == b->mark_out.value &&
+ a->mark_out.mask == b->mark_out.mask;
+}
+
+/**
+ * Hash an array of traffic selectors
+ */
+static u_int hash_ts_array(array_t *array, u_int hash)
+{
+ enumerator_t *enumerator;
+ traffic_selector_t *ts;
+
+ enumerator = array_create_enumerator(array);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ hash = ts->hash(ts, hash);
+ }
+ enumerator->destroy(enumerator);
+
+ return hash;
+}
+
+/**
+ * Hashtable hash function for reqid entries using traffic selectors as key
+ */
+static u_int hash_reqid_by_ts(reqid_entry_t *entry)
+{
+ return hash_ts_array(entry->local, hash_ts_array(entry->remote,
+ chunk_hash_inc(chunk_from_thing(entry->mark_in),
+ chunk_hash(chunk_from_thing(entry->mark_out)))));
+}
+
+/**
+ * Compare two array with traffic selectors for equality
+ */
+static bool ts_array_equals(array_t *a, array_t *b)
+{
+ traffic_selector_t *tsa, *tsb;
+ enumerator_t *ae, *be;
+ bool equal = TRUE;
+
+ if (array_count(a) != array_count(b))
+ {
+ return FALSE;
+ }
+
+ ae = array_create_enumerator(a);
+ be = array_create_enumerator(b);
+ while (equal && ae->enumerate(ae, &tsa) && be->enumerate(be, &tsb))
+ {
+ equal = tsa->equals(tsa, tsb);
+ }
+ ae->destroy(ae);
+ be->destroy(be);
+
+ return equal;
+}
+
+/**
+ * Hashtable equals function for reqid entries using traffic selectors as key
+ */
+static bool equals_reqid_by_ts(reqid_entry_t *a, reqid_entry_t *b)
+{
+ return ts_array_equals(a->local, b->local) &&
+ ts_array_equals(a->remote, b->remote) &&
+ a->mark_in.value == b->mark_in.value &&
+ a->mark_in.mask == b->mark_in.mask &&
+ a->mark_out.value == b->mark_out.value &&
+ a->mark_out.mask == b->mark_out.mask;
+}
+
+/**
+ * Create an array from copied traffic selector list items
+ */
+static array_t *array_from_ts_list(linked_list_t *list)
+{
+ enumerator_t *enumerator;
+ traffic_selector_t *ts;
+ array_t *array;
+
+ array = array_create(0, 0);
+
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ array_insert(array, ARRAY_TAIL, ts->clone(ts));
+ }
+ enumerator->destroy(enumerator);
+
+ return array;
+}
+
+METHOD(kernel_interface_t, alloc_reqid, status_t,
+ private_kernel_interface_t *this,
+ linked_list_t *local_ts, linked_list_t *remote_ts,
+ mark_t mark_in, mark_t mark_out, u_int32_t *reqid)
+{
+ static u_int32_t counter = 0;
+ reqid_entry_t *entry = NULL, *tmpl;
+ status_t status = SUCCESS;
+
+ INIT(tmpl,
+ .local = array_from_ts_list(local_ts),
+ .remote = array_from_ts_list(remote_ts),
+ .mark_in = mark_in,
+ .mark_out = mark_out,
+ .reqid = *reqid,
+ );
+
+ this->mutex->lock(this->mutex);
+ if (tmpl->reqid)
+ {
+ /* search by reqid if given */
+ entry = this->reqids->get(this->reqids, tmpl);
+ }
+ if (entry)
+ {
+ /* we don't require a traffic selector match for explicit reqids,
+ * as we wan't to reuse a reqid for trap-triggered policies that
+ * got narrowed during negotiation. */
+ reqid_entry_destroy(tmpl);
+ }
+ else
+ {
+ /* search by traffic selectors */
+ entry = this->reqids_by_ts->get(this->reqids_by_ts, tmpl);
+ if (entry)
+ {
+ reqid_entry_destroy(tmpl);
+ }
+ else
+ {
+ /* none found, create a new entry, allocating a reqid */
+ entry = tmpl;
+ entry->reqid = ++counter;
+ this->reqids_by_ts->put(this->reqids_by_ts, entry, entry);
+ this->reqids->put(this->reqids, entry, entry);
+ }
+ *reqid = entry->reqid;
+ }
+ entry->refs++;
+ this->mutex->unlock(this->mutex);
+
+ return status;
+}
+
+METHOD(kernel_interface_t, release_reqid, status_t,
+ private_kernel_interface_t *this, u_int32_t reqid,
+ mark_t mark_in, mark_t mark_out)
+{
+ reqid_entry_t *entry, tmpl = {
+ .reqid = reqid,
+ .mark_in = mark_in,
+ .mark_out = mark_out,
+ };
+
+ this->mutex->lock(this->mutex);
+ entry = this->reqids->remove(this->reqids, &tmpl);
+ if (entry)
+ {
+ if (--entry->refs == 0)
+ {
+ entry = this->reqids_by_ts->remove(this->reqids_by_ts, entry);
+ if (entry)
+ {
+ reqid_entry_destroy(entry);
+ }
+ }
+ else
+ {
+ this->reqids->put(this->reqids, entry, entry);
+ }
+ }
+ this->mutex->unlock(this->mutex);
+
+ if (entry)
+ {
+ return SUCCESS;
+ }
+ return NOT_FOUND;
}
METHOD(kernel_interface_t, add_sa, status_t,
@@ -181,8 +421,8 @@ METHOD(kernel_interface_t, add_sa, status_t,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts)
{
if (!this->ipsec)
{
@@ -191,7 +431,7 @@ METHOD(kernel_interface_t, add_sa, status_t,
return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
ipcomp, cpi, replay_window, initiator, encap, esn, inbound,
- src_ts, dst_ts);
+ update, src_ts, dst_ts);
}
METHOD(kernel_interface_t, update_sa, status_t,
@@ -575,17 +815,18 @@ METHOD(kernel_interface_t, acquire, void,
}
METHOD(kernel_interface_t, expire, void,
- private_kernel_interface_t *this, u_int32_t reqid, u_int8_t protocol,
- u_int32_t spi, bool hard)
+ private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard)
{
kernel_listener_t *listener;
enumerator_t *enumerator;
+
this->mutex->lock(this->mutex);
enumerator = this->listeners->create_enumerator(this->listeners);
while (enumerator->enumerate(enumerator, &listener))
{
if (listener->expire &&
- !listener->expire(listener, reqid, protocol, spi, hard))
+ !listener->expire(listener, protocol, spi, dst, hard))
{
this->listeners->remove_at(this->listeners, enumerator);
}
@@ -595,17 +836,18 @@ METHOD(kernel_interface_t, expire, void,
}
METHOD(kernel_interface_t, mapping, void,
- private_kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
- host_t *remote)
+ private_kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, host_t *remote)
{
kernel_listener_t *listener;
enumerator_t *enumerator;
+
this->mutex->lock(this->mutex);
enumerator = this->listeners->create_enumerator(this->listeners);
while (enumerator->enumerate(enumerator, &listener))
{
if (listener->mapping &&
- !listener->mapping(listener, reqid, spi, remote))
+ !listener->mapping(listener, protocol, spi, dst, remote))
{
this->listeners->remove_at(this->listeners, enumerator);
}
@@ -733,6 +975,8 @@ METHOD(kernel_interface_t, destroy, void,
DESTROY_IF(this->ipsec);
DESTROY_IF(this->net);
DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
+ this->reqids->destroy(this->reqids);
+ this->reqids_by_ts->destroy(this->reqids_by_ts);
this->listeners->destroy(this->listeners);
this->mutex->destroy(this->mutex);
free(this);
@@ -751,6 +995,8 @@ kernel_interface_t *kernel_interface_create()
.get_features = _get_features,
.get_spi = _get_spi,
.get_cpi = _get_cpi,
+ .alloc_reqid = _alloc_reqid,
+ .release_reqid = _release_reqid,
.add_sa = _add_sa,
.update_sa = _update_sa,
.query_sa = _query_sa,
@@ -795,6 +1041,10 @@ kernel_interface_t *kernel_interface_create()
.listeners = linked_list_create(),
.mutex_algs = mutex_create(MUTEX_TYPE_DEFAULT),
.algorithms = linked_list_create(),
+ .reqids = hashtable_create((hashtable_hash_t)hash_reqid,
+ (hashtable_equals_t)equals_reqid, 8),
+ .reqids_by_ts = hashtable_create((hashtable_hash_t)hash_reqid_by_ts,
+ (hashtable_equals_t)equals_reqid_by_ts, 8),
);
ifaces = lib->settings->get_str(lib->settings,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index cd550383c..96ce9e26d 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -104,39 +104,67 @@ struct kernel_interface_t {
* @param src source address of SA
* @param dst destination address of SA
* @param protocol protocol for SA (ESP/AH)
- * @param reqid unique ID for this SA
* @param spi allocated spi
- * @return SUCCESS if operation completed
+ * @return SUCCESS if operation completed
*/
status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+ u_int8_t protocol, u_int32_t *spi);
/**
* Get a Compression Parameter Index (CPI) from the kernel.
*
* @param src source address of SA
* @param dst destination address of SA
- * @param reqid unique ID for the corresponding SA
* @param cpi allocated cpi
- * @return SUCCESS if operation completed
+ * @return SUCCESS if operation completed
*/
status_t (*get_cpi)(kernel_interface_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi);
+ u_int16_t *cpi);
+
+ /**
+ * Allocate or confirm a reqid to use for a given SA pair.
+ *
+ * Each returned reqid by a successful call to alloc_reqid() must be
+ * released using release_reqid().
+ *
+ * The reqid parameter is an in/out parameter. If it points to non-zero,
+ * the reqid is confirmed and registered for use. If it points to zero,
+ * a reqid is allocated for the given selectors, and returned to reqid.
+ *
+ * @param local_ts traffic selectors of local side for SA
+ * @param remote_ts traffic selectors of remote side for SA
+ * @param mark_in inbound mark on SA
+ * @param mark_out outbound mark on SA
+ * @param reqid allocated reqid
+ * @return SUCCESS if reqid allocated
+ */
+ status_t (*alloc_reqid)(kernel_interface_t *this,
+ linked_list_t *local_ts, linked_list_t *remote_ts,
+ mark_t mark_in, mark_t mark_out,
+ u_int32_t *reqid);
+
+ /**
+ * Release a previously allocated reqid.
+ *
+ * @param reqid reqid to release
+ * @param mark_in inbound mark on SA
+ * @param mark_out outbound mark on SA
+ * @return SUCCESS if reqid released
+ */
+ status_t (*release_reqid)(kernel_interface_t *this, u_int32_t reqid,
+ mark_t mark_in, mark_t mark_out);
/**
* Add an SA to the SAD.
*
- * add_sa() may update an already allocated
- * SPI (via get_spi). In this case, the replace
- * flag must be set.
- * This function does install a single SA for a
- * single protocol in one direction.
+ * This function does install a single SA for a single protocol in one
+ * direction.
*
* @param src source address for this SA
* @param dst destination address for this SA
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
- * @param reqid unique ID for this SA
+ * @param reqid reqid for this SA
* @param mark optional mark for this SA
* @param tfc Traffic Flow Confidentiality padding for this SA
* @param lifetime lifetime_cfg_t for this SA
@@ -152,8 +180,9 @@ struct kernel_interface_t {
* @param encap enable UDP encapsulation for NAT traversal
* @param esn TRUE to use Extended Sequence Numbers
* @param inbound TRUE if this is an inbound SA
- * @param src_ts traffic selector with BEET source address
- * @param dst_ts traffic selector with BEET destination address
+ * @param update TRUE if an SPI has already been allocated for SA
+ * @param src_ts list of source traffic selectors
+ * @param dst_ts list of destination traffic selectors
* @return SUCCESS if operation completed
*/
status_t (*add_sa) (kernel_interface_t *this,
@@ -163,9 +192,9 @@ struct kernel_interface_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+ u_int32_t replay_window, bool initiator, bool encap,
+ bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts);
/**
* Update the hosts on an installed SA.
@@ -531,23 +560,24 @@ struct kernel_interface_t {
/**
* Raise an expire event.
*
- * @param reqid reqid of the expired SA
* @param protocol protocol of the expired SA
* @param spi spi of the expired SA
+ * @param dst destination address of expired SA
* @param hard TRUE if it is a hard expire, FALSE otherwise
*/
- void (*expire)(kernel_interface_t *this, u_int32_t reqid,
- u_int8_t protocol, u_int32_t spi, bool hard);
+ void (*expire)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard);
/**
* Raise a mapping event.
*
- * @param reqid reqid of the SA
+ * @param protocol protocol of affected SA
* @param spi spi of the SA
+ * @param dst original destination address of SA
* @param remote new remote host
*/
- void (*mapping)(kernel_interface_t *this, u_int32_t reqid, u_int32_t spi,
- host_t *remote);
+ void (*mapping)(kernel_interface_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, host_t *remote);
/**
* Raise a migrate event.
diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h
index eec7401e9..19caaa400 100644
--- a/src/libhydra/kernel/kernel_ipsec.h
+++ b/src/libhydra/kernel/kernel_ipsec.h
@@ -58,33 +58,28 @@ struct kernel_ipsec_t {
* @param src source address of SA
* @param dst destination address of SA
* @param protocol protocol for SA (ESP/AH)
- * @param reqid unique ID for this SA
* @param spi allocated spi
- * @return SUCCESS if operation completed
+ * @return SUCCESS if operation completed
*/
status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+ u_int8_t protocol, u_int32_t *spi);
/**
* Get a Compression Parameter Index (CPI) from the kernel.
*
* @param src source address of SA
* @param dst destination address of SA
- * @param reqid unique ID for the corresponding SA
* @param cpi allocated cpi
- * @return SUCCESS if operation completed
+ * @return SUCCESS if operation completed
*/
status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi);
+ u_int16_t *cpi);
/**
* Add an SA to the SAD.
*
- * add_sa() may update an already allocated
- * SPI (via get_spi). In this case, the replace
- * flag must be set.
- * This function does install a single SA for a
- * single protocol in one direction.
+ * This function does install a single SA for a single protocol in one
+ * direction.
*
* @param src source address for this SA
* @param dst destination address for this SA
@@ -106,8 +101,9 @@ struct kernel_ipsec_t {
* @param encap enable UDP encapsulation for NAT traversal
* @param esn TRUE to use Extended Sequence Numbers
* @param inbound TRUE if this is an inbound SA
- * @param src_ts traffic selector with BEET source address
- * @param dst_ts traffic selector with BEET destination address
+ * @param update TRUE if an SPI has already been allocated for SA
+ * @param src_ts list of source traffic selectors
+ * @param dst_ts list of destination traffic selectors
* @return SUCCESS if operation completed
*/
status_t (*add_sa) (kernel_ipsec_t *this,
@@ -117,9 +113,9 @@ struct kernel_ipsec_t {
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts);
+ u_int32_t replay_window, bool initiator, bool encap,
+ bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts);
/**
* Update the hosts on an installed SA.
diff --git a/src/libhydra/kernel/kernel_listener.h b/src/libhydra/kernel/kernel_listener.h
index 4382a43fd..8074356a4 100644
--- a/src/libhydra/kernel/kernel_listener.h
+++ b/src/libhydra/kernel/kernel_listener.h
@@ -49,25 +49,26 @@ struct kernel_listener_t {
/**
* Hook called if an exire event for an IPsec SA is received.
*
- * @param reqid reqid of the expired SA
* @param protocol protocol of the expired SA
* @param spi spi of the expired SA
+ * @param dst destination address of expired SA
* @param hard TRUE if it is a hard expire, FALSE otherwise
* @return TRUE to remain registered, FALSE to unregister
*/
- bool (*expire)(kernel_listener_t *this, u_int32_t reqid,
- u_int8_t protocol, u_int32_t spi, bool hard);
+ bool (*expire)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard);
/**
* Hook called if the NAT mappings of an IPsec SA changed.
*
- * @param reqid reqid of the SA
+ * @param protocol IPsec protocol of affected SA
* @param spi spi of the SA
+ * @param dst old destinatino address of SA
* @param remote new remote host
* @return TRUE to remain registered, FALSE to unregister
*/
- bool (*mapping)(kernel_listener_t *this, u_int32_t reqid, u_int32_t spi,
- host_t *remote);
+ bool (*mapping)(kernel_listener_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, host_t *remote);
/**
* Hook called if a migrate event for a policy is received.
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.am b/src/libhydra/plugins/kernel_netlink/Makefile.am
index c91f9a9e4..cc8855406 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.am
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.am
@@ -21,3 +21,24 @@ libstrongswan_kernel_netlink_la_SOURCES = \
kernel_netlink_shared.h kernel_netlink_shared.c
libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+
+
+TESTS = tests
+
+check_PROGRAMS = $(TESTS)
+
+tests_SOURCES = \
+ tests.h tests.c \
+ suites/test_socket.c \
+ kernel_netlink_shared.c
+
+tests_CFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \
+ @COVERAGE_CFLAGS@
+
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in
index a9b523eb8..962fe1ba1 100644
--- a/src/libhydra/plugins/kernel_netlink/Makefile.in
+++ b/src/libhydra/plugins/kernel_netlink/Makefile.in
@@ -78,6 +78,8 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
+TESTS = tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
subdir = src/libhydra/plugins/kernel_netlink
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(top_srcdir)/depcomp
@@ -144,6 +146,18 @@ libstrongswan_kernel_netlink_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
@MONOLITHIC_FALSE@am_libstrongswan_kernel_netlink_la_rpath = -rpath \
@MONOLITHIC_FALSE@ $(plugindir)
@MONOLITHIC_TRUE@am_libstrongswan_kernel_netlink_la_rpath =
+am__EXEEXT_1 = tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_tests_OBJECTS = tests-tests.$(OBJEXT) \
+ suites/tests-test_socket.$(OBJEXT) \
+ tests-kernel_netlink_shared.$(OBJEXT)
+tests_OBJECTS = $(am_tests_OBJECTS)
+tests_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
+tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(tests_CFLAGS) $(CFLAGS) \
+ $(tests_LDFLAGS) $(LDFLAGS) -o $@
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
@@ -178,8 +192,9 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
-SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
-DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES)
+SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) $(tests_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_netlink_la_SOURCES) \
+ $(tests_SOURCES)
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
@@ -204,6 +219,28 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ALLOCA = @ALLOCA@
@@ -230,6 +267,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +328,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +407,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -444,6 +486,22 @@ libstrongswan_kernel_netlink_la_SOURCES = \
kernel_netlink_shared.h kernel_netlink_shared.c
libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
+tests_SOURCES = \
+ tests.h tests.c \
+ suites/test_socket.c \
+ kernel_netlink_shared.c
+
+tests_CFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ -DNETLINK_MSG_LOSS_HOOK=netlink_msg_loss \
+ @COVERAGE_CFLAGS@
+
+tests_LDFLAGS = @COVERAGE_LDFLAGS@
+tests_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
+
all: all-am
.SUFFIXES:
@@ -528,8 +586,30 @@ clean-pluginLTLIBRARIES:
libstrongswan-kernel-netlink.la: $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_DEPENDENCIES) $(EXTRA_libstrongswan_kernel_netlink_la_DEPENDENCIES)
$(AM_V_CCLD)$(libstrongswan_kernel_netlink_la_LINK) $(am_libstrongswan_kernel_netlink_la_rpath) $(libstrongswan_kernel_netlink_la_OBJECTS) $(libstrongswan_kernel_netlink_la_LIBADD) $(LIBS)
+clean-checkPROGRAMS:
+ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+suites/$(am__dirstamp):
+ @$(MKDIR_P) suites
+ @: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) suites/$(DEPDIR)
+ @: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_socket.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+
+tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES)
+ @rm -f tests$(EXEEXT)
+ $(AM_V_CCLD)$(tests_LINK) $(tests_OBJECTS) $(tests_LDADD) $(LIBS)
+
mostlyclean-compile:
-rm -f *.$(OBJEXT)
+ -rm -f suites/*.$(OBJEXT)
distclean-compile:
-rm -f *.tab.c
@@ -538,6 +618,9 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_net.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_plugin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_netlink_shared.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-kernel_netlink_shared.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tests-tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_socket.Po@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
@@ -563,6 +646,48 @@ distclean-compile:
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+tests-tests.o: tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.o -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.o `test -f 'tests.c' || echo '$(srcdir)/'`tests.c
+
+tests-tests.obj: tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-tests.obj -MD -MP -MF $(DEPDIR)/tests-tests.Tpo -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-tests.Tpo $(DEPDIR)/tests-tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tests.c' object='tests-tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-tests.obj `if test -f 'tests.c'; then $(CYGPATH_W) 'tests.c'; else $(CYGPATH_W) '$(srcdir)/tests.c'; fi`
+
+suites/tests-test_socket.o: suites/test_socket.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.o -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.o `test -f 'suites/test_socket.c' || echo '$(srcdir)/'`suites/test_socket.c
+
+suites/tests-test_socket.obj: suites/test_socket.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_socket.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_socket.Tpo -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_socket.Tpo suites/$(DEPDIR)/tests-test_socket.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_socket.c' object='suites/tests-test_socket.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_socket.obj `if test -f 'suites/test_socket.c'; then $(CYGPATH_W) 'suites/test_socket.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_socket.c'; fi`
+
+tests-kernel_netlink_shared.o: kernel_netlink_shared.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.o -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.o `test -f 'kernel_netlink_shared.c' || echo '$(srcdir)/'`kernel_netlink_shared.c
+
+tests-kernel_netlink_shared.obj: kernel_netlink_shared.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT tests-kernel_netlink_shared.obj -MD -MP -MF $(DEPDIR)/tests-kernel_netlink_shared.Tpo -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/tests-kernel_netlink_shared.Tpo $(DEPDIR)/tests-kernel_netlink_shared.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kernel_netlink_shared.c' object='tests-kernel_netlink_shared.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o tests-kernel_netlink_shared.obj `if test -f 'kernel_netlink_shared.c'; then $(CYGPATH_W) 'kernel_netlink_shared.c'; else $(CYGPATH_W) '$(srcdir)/kernel_netlink_shared.c'; fi`
+
mostlyclean-libtool:
-rm -f *.lo
@@ -621,6 +746,99 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ $(am__tty_colors); \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=XPASS; \
+ ;; \
+ *) \
+ col=$$grn; res=PASS; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ col=$$lgn; res=XFAIL; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=FAIL; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ col=$$blu; res=SKIP; \
+ fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ if test "$$failed" -eq 0; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ fi; \
+ echo "$${col}$$dashes$${std}"; \
+ echo "$${col}$$banner$${std}"; \
+ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+ test -z "$$report" || echo "$${col}$$report$${std}"; \
+ echo "$${col}$$dashes$${std}"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
@@ -652,6 +870,8 @@ distdir: $(DISTFILES)
fi; \
done
check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
check: check-am
all-am: Makefile $(LTLIBRARIES)
installdirs:
@@ -684,17 +904,19 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+ -rm -f suites/$(DEPDIR)/$(am__dirstamp)
+ -rm -f suites/$(am__dirstamp)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
-clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
- clean-pluginLTLIBRARIES mostlyclean-am
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+ clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
- -rm -rf ./$(DEPDIR)
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -740,7 +962,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
@@ -759,22 +981,23 @@ ps-am:
uninstall-am: uninstall-pluginLTLIBRARIES
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
- clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
- cscopelist-am ctags ctags-am distclean distclean-compile \
- distclean-generic distclean-libtool distclean-tags distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-info install-info-am install-man install-pdf \
- install-pdf-am install-pluginLTLIBRARIES install-ps \
- install-ps-am install-strip installcheck installcheck-am \
- installdirs maintainer-clean maintainer-clean-generic \
- mostlyclean mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
- uninstall-am uninstall-pluginLTLIBRARIES
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+ clean-checkPROGRAMS clean-generic clean-libtool \
+ clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES cscopelist-am \
+ ctags ctags-am distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-pluginLTLIBRARIES install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index dfd71f3bd..03e44e510 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -38,6 +38,7 @@
#include <hydra.h>
#include <utils/debug.h>
#include <threading/mutex.h>
+#include <collections/array.h>
#include <collections/hashtable.h>
#include <collections/linked_list.h>
@@ -319,6 +320,16 @@ struct private_kernel_netlink_ipsec_t {
* Whether to track the history of a policy
*/
bool policy_history;
+
+ /**
+ * Whether to always use UPDATE to install policies
+ */
+ bool policy_update;
+
+ /**
+ * Installed port based IKE bypass policies, as bypass_t
+ */
+ array_t *bypass;
};
typedef struct route_entry_t route_entry_t;
@@ -859,25 +870,26 @@ static void process_expire(private_kernel_netlink_ipsec_t *this,
struct nlmsghdr *hdr)
{
struct xfrm_user_expire *expire;
- u_int32_t spi, reqid;
+ u_int32_t spi;
u_int8_t protocol;
+ host_t *dst;
expire = NLMSG_DATA(hdr);
protocol = expire->state.id.proto;
spi = expire->state.id.spi;
- reqid = expire->state.reqid;
DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE");
- if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
+ if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
{
- DBG2(DBG_KNL, "ignoring XFRM_MSG_EXPIRE for SA with SPI %.8x and "
- "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
- return;
+ dst = xfrm2host(expire->state.family, &expire->state.id.daddr, 0);
+ if (dst)
+ {
+ hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+ spi, dst, expire->hard != 0);
+ dst->destroy(dst);
+ }
}
-
- hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
- spi, expire->hard != 0);
}
/**
@@ -961,23 +973,29 @@ static void process_mapping(private_kernel_netlink_ipsec_t *this,
struct nlmsghdr *hdr)
{
struct xfrm_user_mapping *mapping;
- u_int32_t spi, reqid;
+ u_int32_t spi;
mapping = NLMSG_DATA(hdr);
spi = mapping->id.spi;
- reqid = mapping->reqid;
DBG2(DBG_KNL, "received a XFRM_MSG_MAPPING");
if (mapping->id.proto == IPPROTO_ESP)
{
- host_t *host;
- host = xfrm2host(mapping->id.family, &mapping->new_saddr,
- mapping->new_sport);
- if (host)
+ host_t *dst, *new;
+
+ dst = xfrm2host(mapping->id.family, &mapping->id.daddr, 0);
+ if (dst)
{
- hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
- spi, host);
+ new = xfrm2host(mapping->id.family, &mapping->new_saddr,
+ mapping->new_sport);
+ if (new)
+ {
+ hydra->kernel_interface->mapping(hydra->kernel_interface,
+ IPPROTO_ESP, spi, dst, new);
+ new->destroy(new);
+ }
+ dst->destroy(dst);
}
}
}
@@ -1055,7 +1073,7 @@ METHOD(kernel_ipsec_t, get_features, kernel_feature_t,
*/
static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
- u_int32_t reqid, u_int32_t *spi)
+ u_int32_t *spi)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out;
@@ -1075,7 +1093,6 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
host2xfrm(dst, &userspi->info.id.daddr);
userspi->info.id.proto = proto;
userspi->info.mode = XFRM_MODE_TUNNEL;
- userspi->info.reqid = reqid;
userspi->info.family = src->get_family(src);
userspi->min = min;
userspi->max = max;
@@ -1122,39 +1139,35 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t *spi)
{
- DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
if (get_spi_internal(this, src, dst, protocol,
- 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+ 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
{
- DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+ DBG1(DBG_KNL, "unable to get SPI");
return FAILED;
}
- DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+ DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
return SUCCESS;
}
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+ u_int16_t *cpi)
{
u_int32_t received_spi = 0;
- DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
-
if (get_spi_internal(this, src, dst, IPPROTO_COMP,
- 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+ 0x100, 0xEFFF, &received_spi) != SUCCESS)
{
- DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+ DBG1(DBG_KNL, "unable to get CPI");
return FAILED;
}
*cpi = htons((u_int16_t)ntohl(received_spi));
- DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+ DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
return SUCCESS;
}
@@ -1184,8 +1197,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t* src_ts, linked_list_t* dst_ts)
{
netlink_buf_t request;
char *alg_name;
@@ -1193,6 +1206,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
struct xfrm_usersa_info *sa;
u_int16_t icv_size = 64;
ipsec_mode_t original_mode = mode;
+ traffic_selector_t *first_src_ts, *first_dst_ts;
status_t status = FAILED;
/* if IPComp is used, we install an additional IPComp SA. if the cpi is 0
@@ -1203,7 +1217,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
chunk_empty, mode, ipcomp, 0, 0, initiator, FALSE, FALSE,
- inbound, src_ts, dst_ts);
+ inbound, update, src_ts, dst_ts);
ipcomp = IPCOMP_NONE;
/* use transport mode ESP SA, IPComp uses tunnel mode */
mode = MODE_TRANSPORT;
@@ -1216,7 +1230,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
hdr = &request.hdr;
hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
- hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
+ hdr->nlmsg_type = update ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA;
hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info));
sa = NLMSG_DATA(hdr);
@@ -1238,9 +1252,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
* selector can be installed other traffic would get dropped */
break;
}
- if (src_ts && dst_ts)
+ if (src_ts->get_first(src_ts, (void**)&first_src_ts) == SUCCESS &&
+ dst_ts->get_first(dst_ts, (void**)&first_dst_ts) == SUCCESS)
{
- sa->sel = ts2selector(src_ts, dst_ts);
+ sa->sel = ts2selector(first_src_ts, first_dst_ts);
if (!this->proto_port_transport)
{
/* don't install proto/port on SA. This would break
@@ -1535,7 +1550,8 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
host_t *dst, mark_t mark,
struct xfrm_replay_state_esn **replay_esn,
u_int32_t *replay_esn_len,
- struct xfrm_replay_state **replay)
+ struct xfrm_replay_state **replay,
+ struct xfrm_lifetime_cur **lifetime)
{
netlink_buf_t request;
struct nlmsghdr *hdr, *out = NULL;
@@ -1603,20 +1619,27 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
while (RTA_OK(rta, rtasize))
{
+ if (rta->rta_type == XFRMA_LTIME_VAL &&
+ RTA_PAYLOAD(rta) == sizeof(**lifetime))
+ {
+ free(*lifetime);
+ *lifetime = malloc(RTA_PAYLOAD(rta));
+ memcpy(*lifetime, RTA_DATA(rta), RTA_PAYLOAD(rta));
+ }
if (rta->rta_type == XFRMA_REPLAY_VAL &&
RTA_PAYLOAD(rta) == sizeof(**replay))
{
+ free(*replay);
*replay = malloc(RTA_PAYLOAD(rta));
memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta));
- break;
}
if (rta->rta_type == XFRMA_REPLAY_ESN_VAL &&
RTA_PAYLOAD(rta) >= sizeof(**replay_esn))
{
+ free(*replay_esn);
*replay_esn = malloc(RTA_PAYLOAD(rta));
*replay_esn_len = RTA_PAYLOAD(rta);
memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta));
- break;
}
rta = RTA_NEXT(rta, rtasize);
}
@@ -1798,6 +1821,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
struct xfrm_encap_tmpl* tmpl = NULL;
struct xfrm_replay_state *replay = NULL;
struct xfrm_replay_state_esn *replay_esn = NULL;
+ struct xfrm_lifetime_cur *lifetime = NULL;
u_int32_t replay_esn_len;
status_t status = FAILED;
@@ -1863,7 +1887,8 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
goto failed;
}
- get_replay_state(this, spi, protocol, dst, mark, &replay_esn, &replay_esn_len, &replay);
+ get_replay_state(this, spi, protocol, dst, mark, &replay_esn,
+ &replay_esn_len, &replay, &lifetime);
/* delete the old SA (without affecting the IPComp SA) */
if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
@@ -1952,8 +1977,25 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
}
else
{
- DBG1(DBG_KNL, "unable to copy replay state from old SAD entry "
- "with SPI %.8x", ntohl(spi));
+ DBG1(DBG_KNL, "unable to copy replay state from old SAD entry with "
+ "SPI %.8x", ntohl(spi));
+ }
+ if (lifetime)
+ {
+ struct xfrm_lifetime_cur *state;
+
+ state = netlink_reserve(hdr, sizeof(request), XFRMA_LTIME_VAL,
+ sizeof(*state));
+ if (!state)
+ {
+ goto failed;
+ }
+ memcpy(state, lifetime, sizeof(*state));
+ }
+ else
+ {
+ DBG1(DBG_KNL, "unable to copy usage stats from old SAD entry with "
+ "SPI %.8x", ntohl(spi));
}
if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
@@ -1966,6 +2008,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
failed:
free(replay);
free(replay_esn);
+ free(lifetime);
memwipe(out, len);
memwipe(&request, sizeof(request));
free(out);
@@ -2313,6 +2356,11 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
return SUCCESS;
}
+ if (this->policy_update)
+ {
+ found = TRUE;
+ }
+
DBG2(DBG_KNL, "%s policy %R === %R %N (mark %u/0x%08x)",
found ? "updating" : "adding", src_ts, dst_ts,
policy_dir_names, direction, mark.value, mark.mask);
@@ -2576,9 +2624,11 @@ METHOD(kernel_ipsec_t, flush_policies, status_t,
return SUCCESS;
}
-
-METHOD(kernel_ipsec_t, bypass_socket, bool,
- private_kernel_netlink_ipsec_t *this, int fd, int family)
+/**
+ * Bypass socket using a per-socket policy
+ */
+static bool add_socket_bypass(private_kernel_netlink_ipsec_t *this,
+ int fd, int family)
{
struct xfrm_userpolicy_info policy;
u_int sol, ipsec_policy;
@@ -2618,6 +2668,154 @@ METHOD(kernel_ipsec_t, bypass_socket, bool,
return TRUE;
}
+/**
+ * Port based IKE bypass policy
+ */
+typedef struct {
+ /** address family */
+ int family;
+ /** layer 4 protocol */
+ int proto;
+ /** port number, network order */
+ u_int16_t port;
+} bypass_t;
+
+/**
+ * Add or remove a bypass policy from/to kernel
+ */
+static bool manage_bypass(private_kernel_netlink_ipsec_t *this,
+ int type, policy_dir_t dir, bypass_t *bypass)
+{
+ netlink_buf_t request;
+ struct xfrm_selector *sel;
+ struct nlmsghdr *hdr;
+
+ memset(&request, 0, sizeof(request));
+ hdr = &request.hdr;
+ hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
+ hdr->nlmsg_type = type;
+
+ if (type == XFRM_MSG_NEWPOLICY)
+ {
+ struct xfrm_userpolicy_info *policy;
+
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info));
+
+ policy = NLMSG_DATA(hdr);
+ policy->dir = dir;
+ policy->priority = 32;
+ policy->action = XFRM_POLICY_ALLOW;
+ policy->share = XFRM_SHARE_ANY;
+
+ policy->lft.soft_byte_limit = XFRM_INF;
+ policy->lft.soft_packet_limit = XFRM_INF;
+ policy->lft.hard_byte_limit = XFRM_INF;
+ policy->lft.hard_packet_limit = XFRM_INF;
+
+ sel = &policy->sel;
+ }
+ else /* XFRM_MSG_DELPOLICY */
+ {
+ struct xfrm_userpolicy_id *policy;
+
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id));
+
+ policy = NLMSG_DATA(hdr);
+ policy->dir = dir;
+
+ sel = &policy->sel;
+ }
+
+ sel->family = bypass->family;
+ sel->proto = bypass->proto;
+ if (dir == POLICY_IN)
+ {
+ sel->dport = bypass->port;
+ sel->dport_mask = 0xffff;
+ }
+ else
+ {
+ sel->sport = bypass->port;
+ sel->sport_mask = 0xffff;
+ }
+ return this->socket_xfrm->send_ack(this->socket_xfrm, hdr) == SUCCESS;
+}
+
+/**
+ * Bypass socket using a port-based bypass policy
+ */
+static bool add_port_bypass(private_kernel_netlink_ipsec_t *this,
+ int fd, int family)
+{
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in in;
+ struct sockaddr_in6 in6;
+ } saddr;
+ socklen_t len;
+ bypass_t bypass = {
+ .family = family,
+ };
+
+ len = sizeof(saddr);
+ if (getsockname(fd, &saddr.sa, &len) != 0)
+ {
+ return FALSE;
+ }
+#ifdef SO_PROTOCOL /* since 2.6.32 */
+ len = sizeof(bypass.proto);
+ if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &bypass.proto, &len) != 0)
+#endif
+ { /* assume UDP if SO_PROTOCOL not supported */
+ bypass.proto = IPPROTO_UDP;
+ }
+ switch (family)
+ {
+ case AF_INET:
+ bypass.port = saddr.in.sin_port;
+ break;
+ case AF_INET6:
+ bypass.port = saddr.in6.sin6_port;
+ break;
+ default:
+ return FALSE;
+ }
+
+ if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_IN, &bypass))
+ {
+ return FALSE;
+ }
+ if (!manage_bypass(this, XFRM_MSG_NEWPOLICY, POLICY_OUT, &bypass))
+ {
+ manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, &bypass);
+ return FALSE;
+ }
+ array_insert(this->bypass, ARRAY_TAIL, &bypass);
+
+ return TRUE;
+}
+
+/**
+ * Remove installed port based bypass policy
+ */
+static void remove_port_bypass(bypass_t *bypass, int idx,
+ private_kernel_netlink_ipsec_t *this)
+{
+ manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_OUT, bypass);
+ manage_bypass(this, XFRM_MSG_DELPOLICY, POLICY_IN, bypass);
+}
+
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+ private_kernel_netlink_ipsec_t *this, int fd, int family)
+{
+ if (lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-netlink.port_bypass", FALSE, lib->ns))
+ {
+ return add_port_bypass(this, fd, family);
+ }
+ return add_socket_bypass(this, fd, family);
+}
+
METHOD(kernel_ipsec_t, enable_udp_decap, bool,
private_kernel_netlink_ipsec_t *this, int fd, int family, u_int16_t port)
{
@@ -2637,6 +2835,8 @@ METHOD(kernel_ipsec_t, destroy, void,
enumerator_t *enumerator;
policy_entry_t *policy;
+ array_destroy_function(this->bypass,
+ (array_callback_t)remove_port_bypass, this);
if (this->socket_xfrm_events > 0)
{
lib->watcher->remove(lib->watcher, this->socket_xfrm_events);
@@ -2688,8 +2888,11 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
(hashtable_equals_t)policy_equals, 32),
.sas = hashtable_create((hashtable_hash_t)ipsec_sa_hash,
(hashtable_equals_t)ipsec_sa_equals, 32),
+ .bypass = array_create(sizeof(bypass_t), 0),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.policy_history = TRUE,
+ .policy_update = lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-netlink.policy_update", FALSE, lib->ns),
.install_routes = lib->settings->get_bool(lib->settings,
"%s.install_routes", TRUE, lib->ns),
.proto_port_transport = lib->settings->get_bool(lib->settings,
@@ -2711,7 +2914,9 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
fclose(f);
}
- this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names);
+ this->socket_xfrm = netlink_socket_create(NETLINK_XFRM, xfrm_msg_names,
+ lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-netlink.parallel_xfrm", FALSE, lib->ns));
if (!this->socket_xfrm)
{
destroy(this);
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
index 9d9f15974..a431e49b7 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1538,6 +1538,7 @@ typedef struct {
u_int8_t dst_len;
u_int32_t table;
u_int32_t oif;
+ u_int32_t priority;
} rt_entry_t;
/**
@@ -1573,6 +1574,7 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
route->dst_len = msg->rtm_dst_len;
route->table = msg->rtm_table;
route->oif = 0;
+ route->priority = 0;
}
else
{
@@ -1601,6 +1603,12 @@ static rt_entry_t *parse_route(struct nlmsghdr *hdr, rt_entry_t *route)
route->oif = *(u_int32_t*)RTA_DATA(rta);
}
break;
+ case RTA_PRIORITY:
+ if (RTA_PAYLOAD(rta) == sizeof(route->priority))
+ {
+ route->priority = *(u_int32_t*)RTA_DATA(rta);
+ }
+ break;
#ifdef HAVE_RTA_TABLE
case RTA_TABLE:
if (RTA_PAYLOAD(rta) == sizeof(route->table))
@@ -1724,11 +1732,16 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
}
route->src_host = src;
}
- /* insert route, sorted by decreasing network prefix */
+ /* insert route, sorted by priority and network prefix */
enumerator = routes->create_enumerator(routes);
while (enumerator->enumerate(enumerator, &other))
{
- if (route->dst_len > other->dst_len)
+ if (route->priority < other->priority)
+ {
+ break;
+ }
+ if (route->priority == other->priority &&
+ route->dst_len > other->dst_len)
{
break;
}
@@ -1975,6 +1988,8 @@ METHOD(kernel_net_t, add_ip, status_t,
if (iface)
{
addr_entry_t *addr;
+ char *ifname;
+ int ifi;
INIT(addr,
.ip = virtual_ip->clone(virtual_ip),
@@ -1983,26 +1998,30 @@ METHOD(kernel_net_t, add_ip, status_t,
);
iface->addrs->insert_last(iface->addrs, addr);
addr_map_entry_add(this->vips, addr, iface);
+ ifi = iface->ifindex;
+ this->lock->unlock(this->lock);
if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL,
- iface->ifindex, virtual_ip, prefix) == SUCCESS)
+ ifi, virtual_ip, prefix) == SUCCESS)
{
+ this->lock->write_lock(this->lock);
while (!is_vip_installed_or_gone(this, virtual_ip, &entry))
{ /* wait until address appears */
this->condvar->wait(this->condvar, this->lock);
}
if (entry)
{ /* we fail if the interface got deleted in the meantime */
- DBG2(DBG_KNL, "virtual IP %H installed on %s", virtual_ip,
- entry->iface->ifname);
+ ifname = strdup(entry->iface->ifname);
this->lock->unlock(this->lock);
+ DBG2(DBG_KNL, "virtual IP %H installed on %s",
+ virtual_ip, ifname);
/* during IKEv1 reauthentication, children get moved from
* old the new SA before the virtual IP is available. This
* kills the route for our virtual IP, reinstall. */
- queue_route_reinstall(this, strdup(entry->iface->ifname));
+ queue_route_reinstall(this, ifname);
return SUCCESS;
}
+ this->lock->unlock(this->lock);
}
- this->lock->unlock(this->lock);
DBG1(DBG_KNL, "adding virtual IP %H failed", virtual_ip);
return FAILED;
}
@@ -2048,20 +2067,23 @@ METHOD(kernel_net_t, del_ip, status_t,
if (entry->addr->refcount == 1)
{
status_t status;
+ int ifi;
/* we set this flag so that threads calling add_ip will block and wait
* until the entry is gone, also so we can wait below */
entry->addr->installed = FALSE;
- status = manage_ipaddr(this, RTM_DELADDR, 0, entry->iface->ifindex,
- virtual_ip, prefix);
+ ifi = entry->iface->ifindex;
+ this->lock->unlock(this->lock);
+ status = manage_ipaddr(this, RTM_DELADDR, 0, ifi, virtual_ip, prefix);
if (status == SUCCESS && wait)
{ /* wait until the address is really gone */
+ this->lock->write_lock(this->lock);
while (is_known_vip(this, virtual_ip))
{
this->condvar->wait(this->condvar, this->lock);
}
+ this->lock->unlock(this->lock);
}
- this->lock->unlock(this->lock);
return status;
}
else
@@ -2490,7 +2512,9 @@ kernel_netlink_net_t *kernel_netlink_net_create()
.destroy = _destroy,
},
},
- .socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names),
+ .socket = netlink_socket_create(NETLINK_ROUTE, rt_msg_names,
+ lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-netlink.parallel_route", FALSE, lib->ns)),
.rt_exclude = linked_list_create(),
.routes = hashtable_create((hashtable_hash_t)route_entry_hash,
(hashtable_equals_t)route_entry_equals, 16),
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
index b4cece720..a9adfe091 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -1,4 +1,6 @@
/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
* Copyright (C) 2008 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
@@ -16,6 +18,7 @@
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
+#include <linux/xfrm.h>
#include <errno.h>
#include <unistd.h>
@@ -23,6 +26,9 @@
#include <utils/debug.h>
#include <threading/mutex.h>
+#include <threading/condvar.h>
+#include <collections/array.h>
+#include <collections/hashtable.h>
typedef struct private_netlink_socket_t private_netlink_socket_t;
@@ -30,20 +36,26 @@ typedef struct private_netlink_socket_t private_netlink_socket_t;
* Private variables and functions of netlink_socket_t class.
*/
struct private_netlink_socket_t {
+
/**
* public part of the netlink_socket_t object.
*/
netlink_socket_t public;
/**
- * mutex to lock access to netlink socket
+ * mutex to lock access entries
*/
mutex_t *mutex;
/**
- * current sequence number for netlink request
+ * Netlink request entries currently active, uintptr_t seq => entry_t
+ */
+ hashtable_t *entries;
+
+ /**
+ * Current sequence number for Netlink requests
*/
- int seq;
+ refcount_t seq;
/**
* netlink socket
@@ -51,119 +63,420 @@ struct private_netlink_socket_t {
int socket;
/**
+ * Netlink protocol
+ */
+ int protocol;
+
+ /**
* Enum names for Netlink messages
*/
enum_name_t *names;
+
+ /**
+ * Timeout for Netlink replies, in ms
+ */
+ u_int timeout;
+
+ /**
+ * Number of times to repeat timed out queries
+ */
+ u_int retries;
+
+ /**
+ * Use parallel netlink queries
+ */
+ bool parallel;
+
+ /**
+ * Ignore errors potentially resulting from a retransmission
+ */
+ bool ignore_retransmit_errors;
};
/**
- * Imported from kernel_netlink_ipsec.c
+ * #definable hook to simulate request message loss
*/
-extern enum_name_t *xfrm_msg_names;
-
-METHOD(netlink_socket_t, netlink_send, status_t,
- private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out,
- size_t *out_len)
-{
- union {
- struct nlmsghdr hdr;
- u_char bytes[4096];
- } response;
- struct sockaddr_nl addr;
- chunk_t result = chunk_empty;
- int len;
+#ifdef NETLINK_MSG_LOSS_HOOK
+bool NETLINK_MSG_LOSS_HOOK(struct nlmsghdr *msg);
+#define msg_loss_hook(msg) NETLINK_MSG_LOSS_HOOK(msg)
+#else
+#define msg_loss_hook(msg) FALSE
+#endif
- this->mutex->lock(this->mutex);
+/**
+ * Request entry the answer for a waiting thread is collected in
+ */
+typedef struct {
+ /** Condition variable thread is waiting */
+ condvar_t *condvar;
+ /** Array of hdrs in a multi-message response, as struct nlmsghdr* */
+ array_t *hdrs;
+ /** All response messages received? */
+ bool complete;
+} entry_t;
- in->nlmsg_seq = ++this->seq;
- in->nlmsg_pid = getpid();
+/**
+ * Clean up a thread waiting entry
+ */
+static void destroy_entry(entry_t *entry)
+{
+ entry->condvar->destroy(entry->condvar);
+ array_destroy_function(entry->hdrs, (void*)free, NULL);
+ free(entry);
+}
- memset(&addr, 0, sizeof(addr));
- addr.nl_family = AF_NETLINK;
- addr.nl_pid = 0;
- addr.nl_groups = 0;
+/**
+ * Write a Netlink message to socket
+ */
+static bool write_msg(private_netlink_socket_t *this, struct nlmsghdr *msg)
+{
+ struct sockaddr_nl addr = {
+ .nl_family = AF_NETLINK,
+ };
+ int len;
- if (this->names)
+ if (msg_loss_hook(msg))
{
- DBG3(DBG_KNL, "sending %N: %b",
- this->names, in->nlmsg_type, in, in->nlmsg_len);
+ return TRUE;
}
+
while (TRUE)
{
- len = sendto(this->socket, in, in->nlmsg_len, 0,
+ len = sendto(this->socket, msg, msg->nlmsg_len, 0,
(struct sockaddr*)&addr, sizeof(addr));
-
- if (len != in->nlmsg_len)
+ if (len != msg->nlmsg_len)
{
if (errno == EINTR)
{
- /* interrupted, try again */
continue;
}
- this->mutex->unlock(this->mutex);
- DBG1(DBG_KNL, "error sending to netlink socket: %s", strerror(errno));
- return FAILED;
+ DBG1(DBG_KNL, "netlink write error: %s", strerror(errno));
+ return FALSE;
}
- break;
+ return TRUE;
}
+}
- while (TRUE)
+/**
+ * Read a single Netlink message from socket, return 0 on error, -1 on timeout
+ */
+static ssize_t read_msg(private_netlink_socket_t *this,
+ char buf[4096], size_t buflen, bool block)
+{
+ ssize_t len;
+
+ if (block)
{
- len = recv(this->socket, &response, sizeof(response), 0);
- if (len < 0)
+ fd_set set;
+ timeval_t tv = {};
+
+ FD_ZERO(&set);
+ FD_SET(this->socket, &set);
+ timeval_add_ms(&tv, this->timeout);
+
+ if (select(this->socket + 1, &set, NULL, NULL,
+ this->timeout ? &tv : NULL) <= 0)
{
- if (errno == EINTR)
+ return -1;
+ }
+ }
+ len = recv(this->socket, buf, buflen, block ? 0 : MSG_DONTWAIT);
+ if (len == buflen)
+ {
+ DBG1(DBG_KNL, "netlink response exceeds buffer size");
+ return 0;
+ }
+ if (len < 0)
+ {
+ if (errno != EAGAIN && errno != EWOULDBLOCK && errno != EINTR)
+ {
+ DBG1(DBG_KNL, "netlink read error: %s", strerror(errno));
+ }
+ return 0;
+ }
+ return len;
+}
+
+/**
+ * Queue received response message
+ */
+static bool queue(private_netlink_socket_t *this, struct nlmsghdr *buf)
+{
+ struct nlmsghdr *hdr;
+ entry_t *entry;
+ uintptr_t seq;
+
+ seq = (uintptr_t)buf->nlmsg_seq;
+
+ this->mutex->lock(this->mutex);
+ entry = this->entries->get(this->entries, (void*)seq);
+ if (entry)
+ {
+ hdr = malloc(buf->nlmsg_len);
+ memcpy(hdr, buf, buf->nlmsg_len);
+ array_insert(entry->hdrs, ARRAY_TAIL, hdr);
+ if (hdr->nlmsg_type == NLMSG_DONE || !(hdr->nlmsg_flags & NLM_F_MULTI))
+ {
+ entry->complete = TRUE;
+ entry->condvar->signal(entry->condvar);
+ }
+ }
+ else
+ {
+ DBG1(DBG_KNL, "received unknown netlink seq %u, ignored", seq);
+ }
+ this->mutex->unlock(this->mutex);
+
+ return entry != NULL;
+}
+
+/**
+ * Read and queue response message, optionally blocking, returns TRUE on timeout
+ */
+static bool read_and_queue(private_netlink_socket_t *this, bool block)
+{
+ struct nlmsghdr *hdr;
+ union {
+ struct nlmsghdr hdr;
+ char bytes[4096];
+ } buf;
+ ssize_t len;
+
+ len = read_msg(this, buf.bytes, sizeof(buf.bytes), block);
+ if (len == -1)
+ {
+ return TRUE;
+ }
+ if (len)
+ {
+ hdr = &buf.hdr;
+ while (NLMSG_OK(hdr, len))
+ {
+ if (!queue(this, hdr))
{
- DBG1(DBG_KNL, "got interrupted");
- /* interrupted, try again */
- continue;
+ break;
}
- DBG1(DBG_KNL, "error reading from netlink socket: %s", strerror(errno));
- this->mutex->unlock(this->mutex);
- free(result.ptr);
- return FAILED;
+ hdr = NLMSG_NEXT(hdr, len);
}
- if (!NLMSG_OK(&response.hdr, len))
+ }
+ return FALSE;
+}
+
+CALLBACK(watch, bool,
+ private_netlink_socket_t *this, int fd, watcher_event_t event)
+{
+ if (event == WATCHER_READ)
+ {
+ read_and_queue(this, FALSE);
+ }
+ return TRUE;
+}
+
+/**
+ * Send a netlink request, try once
+ */
+static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
+ uintptr_t seq, struct nlmsghdr **out, size_t *out_len)
+{
+ struct nlmsghdr *hdr;
+ chunk_t result = {};
+ entry_t *entry;
+
+ in->nlmsg_seq = seq;
+ in->nlmsg_pid = getpid();
+
+ if (this->names)
+ {
+ DBG3(DBG_KNL, "sending %N %u: %b", this->names, in->nlmsg_type,
+ (u_int)seq, in, in->nlmsg_len);
+ }
+
+ this->mutex->lock(this->mutex);
+ if (!write_msg(this, in))
+ {
+ this->mutex->unlock(this->mutex);
+ return FAILED;
+ }
+
+ INIT(entry,
+ .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
+ .hdrs = array_create(0, 0),
+ );
+ this->entries->put(this->entries, (void*)seq, entry);
+
+ while (!entry->complete)
+ {
+ if (this->parallel &&
+ lib->watcher->get_state(lib->watcher) == WATCHER_RUNNING)
{
- DBG1(DBG_KNL, "received corrupted netlink message");
- this->mutex->unlock(this->mutex);
- free(result.ptr);
- return FAILED;
+ if (this->timeout)
+ {
+ if (entry->condvar->timed_wait(entry->condvar, this->mutex,
+ this->timeout))
+ {
+ break;
+ }
+ }
+ else
+ {
+ entry->condvar->wait(entry->condvar, this->mutex);
+ }
}
- if (response.hdr.nlmsg_seq != this->seq)
- {
- DBG1(DBG_KNL, "received invalid netlink sequence number");
- if (response.hdr.nlmsg_seq < this->seq)
+ else
+ { /* During (de-)initialization, no watcher thread is active.
+ * collect responses ourselves. */
+ if (read_and_queue(this, TRUE))
{
- continue;
+ break;
}
- this->mutex->unlock(this->mutex);
- free(result.ptr);
- return FAILED;
}
+ }
+ this->entries->remove(this->entries, (void*)seq);
- result = chunk_cat("mc", result, chunk_create(response.bytes, len));
+ this->mutex->unlock(this->mutex);
- /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence
- * numbers to detect multi header messages */
- len = recv(this->socket, &response.hdr, sizeof(response.hdr),
- MSG_PEEK | MSG_DONTWAIT);
- if (len == sizeof(response.hdr) && response.hdr.nlmsg_seq == this->seq)
+ if (!entry->complete)
+ { /* timeout */
+ destroy_entry(entry);
+ return OUT_OF_RES;
+ }
+
+ while (array_remove(entry->hdrs, ARRAY_HEAD, &hdr))
+ {
+ if (this->names)
{
- /* seems to be multipart */
- continue;
+ DBG3(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type,
+ hdr->nlmsg_seq, hdr, hdr->nlmsg_len);
}
- break;
+ result = chunk_cat("mm", result,
+ chunk_create((char*)hdr, hdr->nlmsg_len));
}
+ destroy_entry(entry);
*out_len = result.len;
*out = (struct nlmsghdr*)result.ptr;
- this->mutex->unlock(this->mutex);
-
return SUCCESS;
}
+/**
+ * Ignore errors for message types that might have completed previously
+ */
+static void ignore_retransmit_error(private_netlink_socket_t *this,
+ struct nlmsgerr *err, int type)
+{
+ switch (err->error)
+ {
+ case -EEXIST:
+ switch (this->protocol)
+ {
+ case NETLINK_XFRM:
+ switch (type)
+ {
+ case XFRM_MSG_NEWPOLICY:
+ case XFRM_MSG_NEWSA:
+ err->error = 0;
+ break;
+ }
+ break;
+ case NETLINK_ROUTE:
+ switch (type)
+ {
+ case RTM_NEWADDR:
+ case RTM_NEWLINK:
+ case RTM_NEWNEIGH:
+ case RTM_NEWROUTE:
+ case RTM_NEWRULE:
+ err->error = 0;
+ break;
+ }
+ break;
+ }
+ break;
+ case -ENOENT:
+ switch (this->protocol)
+ {
+ case NETLINK_XFRM:
+ switch (type)
+ {
+ case XFRM_MSG_DELPOLICY:
+ case XFRM_MSG_DELSA:
+ err->error = 0;
+ break;
+ }
+ break;
+ case NETLINK_ROUTE:
+ switch (type)
+ {
+ case RTM_DELADDR:
+ case RTM_DELLINK:
+ case RTM_DELNEIGH:
+ case RTM_DELROUTE:
+ case RTM_DELRULE:
+ err->error = 0;
+ break;
+ }
+ break;
+ }
+ break;
+ }
+}
+
+METHOD(netlink_socket_t, netlink_send, status_t,
+ private_netlink_socket_t *this, struct nlmsghdr *in, struct nlmsghdr **out,
+ size_t *out_len)
+{
+ uintptr_t seq;
+ u_int try;
+
+ seq = ref_get(&this->seq);
+
+ for (try = 0; try <= this->retries; ++try)
+ {
+ struct nlmsghdr *hdr;
+ status_t status;
+ size_t len;
+
+ if (try > 0)
+ {
+ DBG1(DBG_KNL, "retransmitting Netlink request (%u/%u)",
+ try, this->retries);
+ }
+ status = send_once(this, in, seq, &hdr, &len);
+ switch (status)
+ {
+ case SUCCESS:
+ break;
+ case OUT_OF_RES:
+ continue;
+ default:
+ return status;
+ }
+ if (hdr->nlmsg_type == NLMSG_ERROR)
+ {
+ struct nlmsgerr* err;
+
+ err = NLMSG_DATA(hdr);
+ if (err->error == -EBUSY)
+ {
+ free(hdr);
+ try--;
+ continue;
+ }
+ if (this->ignore_retransmit_errors && try > 0)
+ {
+ ignore_retransmit_error(this, err, in->nlmsg_type);
+ }
+ }
+ *out = hdr;
+ *out_len = len;
+ return SUCCESS;
+ }
+ DBG1(DBG_KNL, "Netlink request timed out after %u retransmits",
+ this->retries);
+ return OUT_OF_RES;
+}
+
METHOD(netlink_socket_t, netlink_send_ack, status_t,
private_netlink_socket_t *this, struct nlmsghdr *in)
{
@@ -221,8 +534,13 @@ METHOD(netlink_socket_t, destroy, void,
{
if (this->socket != -1)
{
+ if (this->parallel)
+ {
+ lib->watcher->remove(lib->watcher, this->socket);
+ }
close(this->socket);
}
+ this->entries->destroy(this->entries);
this->mutex->destroy(this->mutex);
free(this);
}
@@ -230,7 +548,8 @@ METHOD(netlink_socket_t, destroy, void,
/**
* Described in header.
*/
-netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names)
+netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
+ bool parallel)
{
private_netlink_socket_t *this;
struct sockaddr_nl addr = {
@@ -244,9 +563,19 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names)
.destroy = _destroy,
},
.seq = 200,
- .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .mutex = mutex_create(MUTEX_TYPE_RECURSIVE),
.socket = socket(AF_NETLINK, SOCK_RAW, protocol),
+ .entries = hashtable_create(hashtable_hash_ptr, hashtable_equals_ptr, 4),
+ .protocol = protocol,
.names = names,
+ .timeout = lib->settings->get_int(lib->settings,
+ "%s.plugins.kernel-netlink.timeout", 0, lib->ns),
+ .retries = lib->settings->get_int(lib->settings,
+ "%s.plugins.kernel-netlink.retries", 0, lib->ns),
+ .ignore_retransmit_errors = lib->settings->get_bool(lib->settings,
+ "%s.plugins.kernel-netlink.ignore_retransmit_errors",
+ FALSE, lib->ns),
+ .parallel = parallel,
);
if (this->socket == -1)
@@ -261,6 +590,10 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names)
destroy(this);
return NULL;
}
+ if (this->parallel)
+ {
+ lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, watch, this);
+ }
return &this->public;
}
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
index 069f746d1..66682907d 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -66,8 +66,10 @@ struct netlink_socket_t {
*
* @param protocol protocol type (e.g. NETLINK_XFRM or NETLINK_ROUTE)
* @param names optional enum names for Netlink messages
+ * @param parallel support parallel queries on this Netlink socket
*/
-netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names);
+netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
+ bool parallel);
/**
* Creates an rtattr and adds it to the given netlink message.
diff --git a/src/libhydra/plugins/kernel_netlink/suites/test_socket.c b/src/libhydra/plugins/kernel_netlink/suites/test_socket.c
new file mode 100644
index 000000000..3e8facd0a
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/suites/test_socket.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_suite.h>
+
+#include <threading/thread.h>
+
+#include "../kernel_netlink_shared.h"
+
+/**
+ * Netlink message drop configuration
+ */
+static int drop_interval = 0;
+
+/**
+ * Netlink message drop hook
+ */
+bool netlink_msg_loss(struct nlmsghdr *hdr)
+{
+ static refcount_t i;
+
+ if (drop_interval)
+ {
+ return ref_get(&i) % drop_interval == drop_interval - 1;
+ }
+ return FALSE;
+}
+
+START_TEST(test_echo)
+{
+ netlink_socket_t *s;
+ struct nlmsghdr *out;
+ struct rtmsg *msg;
+ char dst[] = {
+ 127,0,0,1
+ };
+ size_t len;
+ netlink_buf_t request = {
+ .hdr = {
+ .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)),
+ .nlmsg_flags = NLM_F_REQUEST,
+ .nlmsg_type = RTM_GETROUTE,
+ },
+ };
+
+ msg = NLMSG_DATA(&request.hdr);
+ msg->rtm_family = AF_INET;
+ netlink_add_attribute(&request.hdr, RTA_DST,
+ chunk_from_thing(dst), sizeof(request));
+
+ s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+
+ ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+ ck_assert_int_eq(out->nlmsg_type, RTM_NEWROUTE);
+ free(out);
+ s->destroy(s);
+}
+END_TEST
+
+START_TEST(test_echo_dump)
+{
+ netlink_socket_t *s;
+ struct nlmsghdr *out, *current;
+ struct rtgenmsg *msg;
+ size_t len;
+ netlink_buf_t request = {
+ .hdr = {
+ .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+ .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+ .nlmsg_type = RTM_GETLINK,
+ },
+ };
+
+ s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+ msg = NLMSG_DATA(&request.hdr);
+ msg->rtgen_family = AF_UNSPEC;
+
+ ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+ current = out;
+ while (TRUE)
+ {
+ ck_assert(NLMSG_OK(current, len));
+ if (current->nlmsg_type == NLMSG_DONE)
+ {
+ break;
+ }
+ ck_assert_int_eq(current->nlmsg_type, RTM_NEWLINK);
+ current = NLMSG_NEXT(current, len);
+ }
+ free(out);
+ s->destroy(s);
+}
+END_TEST
+
+CALLBACK(stress, void*,
+ netlink_socket_t *s)
+{
+ struct nlmsghdr *out;
+ struct rtmsg *msg;
+ char dst[] = {
+ 127,0,0,1
+ };
+ size_t len;
+ int i;
+ netlink_buf_t request = {
+ .hdr = {
+ .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)),
+ .nlmsg_flags = NLM_F_REQUEST,
+ .nlmsg_type = RTM_GETROUTE,
+ },
+ };
+
+ for (i = 0; i < 10; i++)
+ {
+ msg = NLMSG_DATA(&request.hdr);
+ msg->rtm_family = AF_INET;
+ netlink_add_attribute(&request.hdr, RTA_DST,
+ chunk_from_thing(dst), sizeof(request));
+
+ ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+ ck_assert_int_eq(out->nlmsg_type, RTM_NEWROUTE);
+ free(out);
+ }
+ return NULL;
+}
+
+CALLBACK(stress_dump, void*,
+ netlink_socket_t *s)
+{
+ struct nlmsghdr *out, *current;
+ struct rtgenmsg *msg;
+ size_t len;
+ int i;
+ netlink_buf_t request = {
+ .hdr = {
+ .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+ .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+ .nlmsg_type = RTM_GETLINK,
+ },
+ };
+
+ msg = NLMSG_DATA(&request.hdr);
+ msg->rtgen_family = AF_UNSPEC;
+
+ for (i = 0; i < 10; i++)
+ {
+ ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+ current = out;
+ while (TRUE)
+ {
+ ck_assert(NLMSG_OK(current, len));
+ if (current->nlmsg_type == NLMSG_DONE)
+ {
+ break;
+ }
+ ck_assert_int_eq(current->nlmsg_type, RTM_NEWLINK);
+ current = NLMSG_NEXT(current, len);
+ }
+ free(out);
+ }
+ return NULL;
+}
+
+START_TEST(test_stress)
+{
+ thread_t *threads[10];
+ netlink_socket_t *s;
+ int i;
+
+ s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+ for (i = 0; i < countof(threads); i++)
+ {
+ threads[i] = thread_create(stress, s);
+ }
+ for (i = 0; i < countof(threads); i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+ s->destroy(s);
+}
+END_TEST
+
+START_TEST(test_stress_dump)
+{
+ thread_t *threads[10];
+ netlink_socket_t *s;
+ int i;
+
+ s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+ for (i = 0; i < countof(threads); i++)
+ {
+ threads[i] = thread_create(stress_dump, s);
+ }
+ for (i = 0; i < countof(threads); i++)
+ {
+ threads[i]->join(threads[i]);
+ }
+ s->destroy(s);
+}
+END_TEST
+
+START_TEST(test_retransmit_success)
+{
+ netlink_socket_t *s;
+ struct nlmsghdr *out;
+ struct rtgenmsg *msg;
+ size_t len;
+ netlink_buf_t request = {
+ .hdr = {
+ .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+ .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+ .nlmsg_type = RTM_GETLINK,
+ },
+ };
+
+ drop_interval = 2;
+
+ lib->settings->set_int(lib->settings,
+ "%s.plugins.kernel-netlink.timeout", 100, lib->ns);
+ lib->settings->set_int(lib->settings,
+ "%s.plugins.kernel-netlink.retries", 1, lib->ns);
+
+ s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+ msg = NLMSG_DATA(&request.hdr);
+ msg->rtgen_family = AF_UNSPEC;
+
+ ck_assert(s->send(s, &request.hdr, &out, &len) == SUCCESS);
+ free(out);
+ s->destroy(s);
+
+ drop_interval = 0;
+}
+END_TEST
+
+START_TEST(test_retransmit_fail)
+{
+ netlink_socket_t *s;
+ struct nlmsghdr *out;
+ struct rtgenmsg *msg;
+ size_t len;
+ netlink_buf_t request = {
+ .hdr = {
+ .nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
+ .nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT,
+ .nlmsg_type = RTM_GETLINK,
+ },
+ };
+
+ drop_interval = 1;
+
+ lib->settings->set_int(lib->settings,
+ "%s.plugins.kernel-netlink.timeout", 50, lib->ns);
+ lib->settings->set_int(lib->settings,
+ "%s.plugins.kernel-netlink.retries", 3, lib->ns);
+
+ s = netlink_socket_create(NETLINK_ROUTE, NULL, _i != 0);
+ msg = NLMSG_DATA(&request.hdr);
+ msg->rtgen_family = AF_UNSPEC;
+
+ ck_assert(s->send(s, &request.hdr, &out, &len) == OUT_OF_RES);
+ s->destroy(s);
+
+ drop_interval = 0;
+}
+END_TEST
+
+Suite *socket_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("netlink socket");
+
+ tc = tcase_create("echo");
+ tcase_add_loop_test(tc, test_echo, 0, 2);
+ tcase_add_loop_test(tc, test_echo_dump, 0, 2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("stress");
+ tcase_add_loop_test(tc, test_stress, 0, 2);
+ tcase_add_loop_test(tc, test_stress_dump, 0, 2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("retransmit");
+ tcase_add_loop_test(tc, test_retransmit_success, 0, 2);
+ tcase_add_loop_test(tc, test_retransmit_fail, 0, 2);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libhydra/plugins/kernel_netlink/tests.c b/src/libhydra/plugins/kernel_netlink/tests.c
new file mode 100644
index 000000000..136b34d29
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/tests.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+#include <hydra.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#include "tests.h"
+#undef TEST_SUITE
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#include "tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ dbg_default_set_level(0);
+ lib->processor->set_threads(lib->processor, 8);
+ dbg_default_set_level(1);
+ }
+ else
+ {
+ lib->processor->set_threads(lib->processor, 0);
+ lib->processor->cancel(lib->processor);
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("kernel-netlink", tests, test_runner_init);
+}
diff --git a/src/libhydra/plugins/kernel_netlink/tests.h b/src/libhydra/plugins/kernel_netlink/tests.h
new file mode 100644
index 000000000..2b6715a78
--- /dev/null
+++ b/src/libhydra/plugins/kernel_netlink/tests.h
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(socket_suite_create)
diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in
index 821ad7710..177d2f23f 100644
--- a/src/libhydra/plugins/kernel_pfkey/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 00ab5ab5a..3b32ba553 100644
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1296,7 +1296,8 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this,
{
pfkey_msg_t response;
u_int8_t protocol;
- u_int32_t spi, reqid;
+ u_int32_t spi;
+ host_t *dst;
bool hard;
DBG2(DBG_KNL, "received an SADB_EXPIRE");
@@ -1309,18 +1310,18 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this,
protocol = satype2proto(msg->sadb_msg_satype);
spi = response.sa->sadb_sa_spi;
- reqid = response.x_sa2->sadb_x_sa2_reqid;
hard = response.lft_hard != NULL;
- if (protocol != IPPROTO_ESP && protocol != IPPROTO_AH)
+ if (protocol == IPPROTO_ESP || protocol == IPPROTO_AH)
{
- DBG2(DBG_KNL, "ignoring SADB_EXPIRE for SA with SPI %.8x and "
- "reqid {%u} which is not a CHILD_SA", ntohl(spi), reqid);
- return;
+ dst = host_create_from_sockaddr((sockaddr_t*)(response.dst + 1));
+ if (dst)
+ {
+ hydra->kernel_interface->expire(hydra->kernel_interface, protocol,
+ spi, dst, hard);
+ dst->destroy(dst);
+ }
}
-
- hydra->kernel_interface->expire(hydra->kernel_interface, reqid, protocol,
- spi, hard);
}
#ifdef SADB_X_MIGRATE
@@ -1387,9 +1388,9 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
struct sadb_msg* msg)
{
pfkey_msg_t response;
- u_int32_t spi, reqid;
+ u_int32_t spi;
sockaddr_t *sa;
- host_t *host;
+ host_t *dst, *new;
DBG2(DBG_KNL, "received an SADB_X_NAT_T_NEW_MAPPING");
@@ -1407,7 +1408,6 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
}
spi = response.sa->sadb_sa_spi;
- reqid = response.x_sa2->sadb_x_sa2_reqid;
if (satype2proto(msg->sadb_msg_satype) != IPPROTO_ESP)
{
@@ -1415,6 +1415,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
}
sa = (sockaddr_t*)(response.dst + 1);
+ dst = host_create_from_sockaddr(sa);
switch (sa->sa_family)
{
case AF_INET:
@@ -1432,12 +1433,16 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this,
default:
break;
}
-
- host = host_create_from_sockaddr(sa);
- if (host)
+ if (dst)
{
- hydra->kernel_interface->mapping(hydra->kernel_interface, reqid,
- spi, host);
+ new = host_create_from_sockaddr(sa);
+ if (new)
+ {
+ hydra->kernel_interface->mapping(hydra->kernel_interface,
+ IPPROTO_ESP, spi, dst, new);
+ new->destroy(new);
+ }
+ dst->destroy(dst);
}
}
#endif /*SADB_X_NAT_T_NEW_MAPPING*/
@@ -1518,11 +1523,10 @@ static bool receive_events(private_kernel_pfkey_ipsec_t *this, int fd,
static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
host_t *src, host_t *dst, u_int8_t proto, u_int32_t min, u_int32_t max,
- u_int32_t reqid, u_int32_t *spi)
+ u_int32_t *spi)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
- struct sadb_x_sa2 *sa2;
struct sadb_spirange *range;
pfkey_msg_t response;
u_int32_t received_spi = 0;
@@ -1536,12 +1540,6 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
msg->sadb_msg_satype = proto2satype(proto);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
- sa2 = (struct sadb_x_sa2*)PFKEY_EXT_ADD_NEXT(msg);
- sa2->sadb_x_sa2_exttype = SADB_X_EXT_SA2;
- sa2->sadb_x_sa2_len = PFKEY_LEN(sizeof(struct sadb_spirange));
- sa2->sadb_x_sa2_reqid = reqid;
- PFKEY_EXT_ADD(msg, sa2);
-
add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0, FALSE);
add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0, FALSE);
@@ -1577,39 +1575,37 @@ static status_t get_spi_internal(private_kernel_pfkey_ipsec_t *this,
METHOD(kernel_ipsec_t, get_spi, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi)
+ u_int8_t protocol, u_int32_t *spi)
{
- DBG2(DBG_KNL, "getting SPI for reqid {%u}", reqid);
-
if (get_spi_internal(this, src, dst, protocol,
- 0xc0000000, 0xcFFFFFFF, reqid, spi) != SUCCESS)
+ 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
{
- DBG1(DBG_KNL, "unable to get SPI for reqid {%u}", reqid);
+ DBG1(DBG_KNL, "unable to get SPI");
return FAILED;
}
- DBG2(DBG_KNL, "got SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+ DBG2(DBG_KNL, "got SPI %.8x", ntohl(*spi));
return SUCCESS;
}
METHOD(kernel_ipsec_t, get_cpi, status_t,
private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+ u_int16_t *cpi)
{
u_int32_t received_spi = 0;
- DBG2(DBG_KNL, "getting CPI for reqid {%u}", reqid);
+ DBG2(DBG_KNL, "getting CPI");
if (get_spi_internal(this, src, dst, IPPROTO_COMP,
- 0x100, 0xEFFF, reqid, &received_spi) != SUCCESS)
+ 0x100, 0xEFFF, &received_spi) != SUCCESS)
{
- DBG1(DBG_KNL, "unable to get CPI for reqid {%u}", reqid);
+ DBG1(DBG_KNL, "unable to get CPI");
return FAILED;
}
*cpi = htons((u_int16_t)ntohl(received_spi));
- DBG2(DBG_KNL, "got CPI %.4x for reqid {%u}", ntohs(*cpi), reqid);
+ DBG2(DBG_KNL, "got CPI %.4x", ntohs(*cpi));
return SUCCESS;
}
@@ -1619,8 +1615,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
u_int16_t ipcomp, u_int16_t cpi, u_int32_t replay_window,
- bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ bool initiator, bool encap, bool esn, bool inbound, bool update,
+ linked_list_t *src_ts, linked_list_t *dst_ts)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
@@ -1638,12 +1634,29 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
tfc, &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED,
chunk_empty, mode, ipcomp, 0, 0, FALSE, FALSE, FALSE, inbound,
- NULL, NULL);
+ update, NULL, NULL);
ipcomp = IPCOMP_NONE;
/* use transport mode ESP SA, IPComp uses tunnel mode */
mode = MODE_TRANSPORT;
}
+ if (update)
+ {
+ /* As we didn't know the reqid during SPI allocation, we used reqid
+ * zero. Unfortunately we can't SADB_UPDATE to the new reqid, hence we
+ * have to delete the SPI allocation state manually. The reqid
+ * selector does not count for that, therefore we have to delete
+ * that state before installing the new SA to avoid deleting the
+ * the new state after installing it. */
+ mark_t zeromark = {0, 0};
+
+ if (this->public.interface.del_sa(&this->public.interface,
+ src, dst, spi, protocol, 0, zeromark) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "deleting SPI allocation SA failed");
+ }
+ }
+
memset(&request, 0, sizeof(request));
DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}",
@@ -1651,7 +1664,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
msg = (struct sadb_msg*)request;
msg->sadb_msg_version = PF_KEY_V2;
- msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
+ msg->sadb_msg_type = SADB_ADD;
msg->sadb_msg_satype = proto2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
@@ -1680,7 +1693,13 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
}
else
{
+ /* Linux interprets sadb_sa_replay as number of packets/bits in the
+ * replay window, whereas on BSD it's the size of the window in bytes */
+#ifdef __linux__
sa->sadb_sa_replay = min(replay_window, 32);
+#else
+ sa->sadb_sa_replay = (replay_window + 7) / 8;
+#endif
sa->sadb_sa_auth = lookup_algorithm(INTEGRITY_ALGORITHM, int_alg);
sa->sadb_sa_encrypt = lookup_algorithm(ENCRYPTION_ALGORITHM, enc_alg);
}
@@ -2969,6 +2988,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
{
private_kernel_pfkey_ipsec_t *this;
bool register_for_events = TRUE;
+ int rcv_buffer;
INIT(this,
.public = {
@@ -3025,6 +3045,18 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
return NULL;
}
+ rcv_buffer = lib->settings->get_int(lib->settings,
+ "%s.plugins.kernel-pfkey.events_buffer_size", 0, lib->ns);
+ if (rcv_buffer > 0)
+ {
+ if (setsockopt(this->socket_events, SOL_SOCKET, SO_RCVBUF,
+ &rcv_buffer, sizeof(rcv_buffer)) == -1)
+ {
+ DBG1(DBG_KNL, "unable to set receive buffer size on PF_KEY "
+ "event socket: %s", strerror(errno));
+ }
+ }
+
/* register the event socket */
if (register_pfkey_socket(this, SADB_SATYPE_ESP) != SUCCESS ||
register_pfkey_socket(this, SADB_SATYPE_AH) != SUCCESS)
diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in
index 662f2fd7d..9f676d21d 100644
--- a/src/libhydra/plugins/kernel_pfroute/Makefile.in
+++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
index 26fae0d6b..0f7802270 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -830,6 +830,15 @@ static void process_link(private_kernel_pfroute_net_t *this,
DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
}
}
+#ifdef __APPLE__
+ /* There seems to be a race condition on 10.10, where we get
+ * the RTM_IFINFO, but getifaddrs() does not return the virtual
+ * IP installed on a tun device, but we also don't get a
+ * RTM_NEWADDR. We therefore could miss the new address, letting
+ * virtual IP installation fail. Delaying getifaddrs() helps,
+ * but is obviously not a clean fix. */
+ usleep(50000);
+#endif
iface->flags = msg->ifm_flags;
repopulate_iface(this, iface);
found = TRUE;
diff --git a/src/libhydra/tests/Makefile.am b/src/libhydra/tests/Makefile.am
new file mode 100644
index 000000000..5acd5c28c
--- /dev/null
+++ b/src/libhydra/tests/Makefile.am
@@ -0,0 +1,18 @@
+TESTS = hydra_tests
+
+check_PROGRAMS = $(TESTS)
+
+hydra_tests_SOURCES = \
+ hydra_tests.h hydra_tests.c
+
+hydra_tests_CFLAGS = \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ @COVERAGE_CFLAGS@
+
+hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+hydra_tests_LDADD = \
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
diff --git a/src/libhydra/tests/Makefile.in b/src/libhydra/tests/Makefile.in
new file mode 100644
index 000000000..1fa889d67
--- /dev/null
+++ b/src/libhydra/tests/Makefile.in
@@ -0,0 +1,839 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = hydra_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libhydra/tests
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = hydra_tests$(EXEEXT)
+am_hydra_tests_OBJECTS = hydra_tests-hydra_tests.$(OBJEXT)
+hydra_tests_OBJECTS = $(am_hydra_tests_OBJECTS)
+hydra_tests_DEPENDENCIES = $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+hydra_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(hydra_tests_CFLAGS) \
+ $(CFLAGS) $(hydra_tests_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(hydra_tests_SOURCES)
+DIST_SOURCES = $(hydra_tests_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+hydra_tests_SOURCES = \
+ hydra_tests.h hydra_tests.c
+
+hydra_tests_CFLAGS = \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ @COVERAGE_CFLAGS@
+
+hydra_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+hydra_tests_LDADD = \
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/tests/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libhydra/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+
+hydra_tests$(EXEEXT): $(hydra_tests_OBJECTS) $(hydra_tests_DEPENDENCIES) $(EXTRA_hydra_tests_DEPENDENCIES)
+ @rm -f hydra_tests$(EXEEXT)
+ $(AM_V_CCLD)$(hydra_tests_LINK) $(hydra_tests_OBJECTS) $(hydra_tests_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hydra_tests-hydra_tests.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+hydra_tests-hydra_tests.o: hydra_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.o -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.o `test -f 'hydra_tests.c' || echo '$(srcdir)/'`hydra_tests.c
+
+hydra_tests-hydra_tests.obj: hydra_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -MT hydra_tests-hydra_tests.obj -MD -MP -MF $(DEPDIR)/hydra_tests-hydra_tests.Tpo -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/hydra_tests-hydra_tests.Tpo $(DEPDIR)/hydra_tests-hydra_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='hydra_tests.c' object='hydra_tests-hydra_tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(hydra_tests_CFLAGS) $(CFLAGS) -c -o hydra_tests-hydra_tests.obj `if test -f 'hydra_tests.c'; then $(CYGPATH_W) 'hydra_tests.c'; else $(CYGPATH_W) '$(srcdir)/hydra_tests.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ $(am__tty_colors); \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=XPASS; \
+ ;; \
+ *) \
+ col=$$grn; res=PASS; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ col=$$lgn; res=XFAIL; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=FAIL; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ col=$$blu; res=SKIP; \
+ fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ if test "$$failed" -eq 0; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ fi; \
+ echo "$${col}$$dashes$${std}"; \
+ echo "$${col}$$banner$${std}"; \
+ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+ test -z "$$report" || echo "$${col}$$report$${std}"; \
+ echo "$${col}$$dashes$${std}"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+ clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+ ctags ctags-am distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libhydra/tests/hydra_tests.c b/src/libhydra/tests/hydra_tests.c
new file mode 100644
index 000000000..90abd8369
--- /dev/null
+++ b/src/libhydra/tests/hydra_tests.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+#include <hydra.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#define TEST_SUITE_DEPEND(x, ...) TEST_SUITE(x)
+#include "hydra_tests.h"
+#undef TEST_SUITE
+#undef TEST_SUITE_DEPEND
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#define TEST_SUITE_DEPEND(x, type, args) \
+ { .suite = x, .feature = PLUGIN_DEPENDS(type, args) },
+#include "hydra_tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ libhydra_init();
+ }
+ else
+ {
+ lib->processor->set_threads(lib->processor, 0);
+ lib->processor->cancel(lib->processor);
+ libhydra_deinit();
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("libhydra", tests, test_runner_init);
+}
diff --git a/src/libhydra/tests/hydra_tests.h b/src/libhydra/tests/hydra_tests.h
new file mode 100644
index 000000000..6b213d026
--- /dev/null
+++ b/src/libhydra/tests/hydra_tests.h
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index d9a5cd50d..a61382723 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -127,7 +127,8 @@ imv_policy_manager_SOURCES = \
imv/imv_policy_manager.c \
imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
imv_policy_manager_LDADD = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libtncif/libtncif.la
#imv/imv_policy_manager.o : $(top_builddir)/config.status
SUBDIRS = .
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 239e62a17..03778a22c 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -237,7 +237,8 @@ am_imv_policy_manager_OBJECTS = imv/imv_policy_manager.$(OBJEXT) \
imv/imv_policy_manager_usage.$(OBJEXT)
imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS)
imv_policy_manager_DEPENDENCIES = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libtncif/libtncif.la
SCRIPTS = $(ipsec_SCRIPTS)
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -395,6 +396,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -455,10 +457,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -532,6 +536,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -708,7 +714,8 @@ imv_policy_manager_SOURCES = \
imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
imv_policy_manager_LDADD = \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libtncif/libtncif.la
#imv/imv_policy_manager.o : $(top_builddir)/config.status
SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \
diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql
index 425748f59..ff6191117 100644
--- a/src/libimcv/imv/data.sql
+++ b/src/libimcv/imv/data.sql
@@ -323,6 +323,71 @@ INSERT INTO products ( /* 54 */
'Debian 7.6 armv6l'
);
+INSERT INTO products ( /* 55 */
+ name
+) VALUES (
+ 'Debian 7.7 i686'
+);
+
+INSERT INTO products ( /* 56 */
+ name
+) VALUES (
+ 'Debian 7.7 x86_64'
+);
+INSERT INTO products ( /* 57 */
+ name
+) VALUES (
+ 'Debian 7.7 armv6l'
+);
+
+INSERT INTO products ( /* 58 */
+ name
+) VALUES (
+ 'Debian 7.8 i686'
+);
+
+INSERT INTO products ( /* 59 */
+ name
+) VALUES (
+ 'Debian 7.8 x86_64'
+);
+
+INSERT INTO products ( /* 60 */
+ name
+) VALUES (
+ 'Debian 7.8 armv6l'
+);
+
+INSERT INTO products ( /* 61 */
+ name
+) VALUES (
+ 'Ubuntu 14.10 i686'
+);
+
+INSERT INTO products ( /* 62 */
+ name
+) VALUES (
+ 'Ubuntu 14.10 x86_64'
+);
+
+INSERT INTO products ( /* 63 */
+ name
+) VALUES (
+ 'Android 5.0'
+);
+
+INSERT INTO products ( /* 64 */
+ name
+) VALUES (
+ 'Android 5.0.1'
+);
+
+INSERT INTO products ( /* 65 */
+ name
+) VALUES (
+ 'Debian 7.8 armv7l'
+);
+
/* Directories */
INSERT INTO directories ( /* 1 */
@@ -741,6 +806,18 @@ INSERT INTO groups ( /* 14 */
'Debian armv6l', 2
);
+INSERT INTO groups ( /* 15 */
+ name, parent
+) VALUES (
+ 'Debian armv7l', 2
+);
+
+INSERT INTO groups ( /* 16 */
+ name
+) VALUES (
+ 'TPM TBOOT'
+);
+
/* Default Product Groups */
INSERT INTO groups_product_defaults (
@@ -800,6 +877,18 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 4, 55
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 4, 58
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
5, 2
);
@@ -854,6 +943,18 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 5, 56
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 5, 59
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
6, 9
);
@@ -902,6 +1003,12 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 6, 61
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
7, 8
);
@@ -956,6 +1063,12 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 7, 62
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
3, 21
);
@@ -1016,6 +1129,18 @@ INSERT INTO groups_product_defaults (
INSERT INTO groups_product_defaults (
group_id, product_id
) VALUES (
+ 3, 63
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 3, 64
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
3, 51
);
@@ -1061,6 +1186,24 @@ INSERT INTO groups_product_defaults (
14, 54
);
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 57
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 14, 60
+);
+
+INSERT INTO groups_product_defaults (
+ group_id, product_id
+) VALUES (
+ 15, 65
+);
+
/* Policies */
INSERT INTO policies ( /* 1 */
@@ -1189,6 +1332,12 @@ INSERT INTO policies ( /* 21 */
16, 'TPM BIOS/IMA Measurements', 'BI', 2, 2
);
+INSERT INTO policies ( /* 22 */
+ type, name, argument, rec_fail, rec_noresult
+) VALUES (
+ 16, 'TPM TBOOT Measurements', 'T', 2, 2
+);
+
/* Enforcements */
INSERT INTO enforcements ( /* 1 */
@@ -1293,6 +1442,12 @@ INSERT INTO enforcements ( /* 17 */
21, 13, 60
);
+INSERT INTO enforcements ( /* 18 */
+ policy, group_id, max_age
+) VALUES (
+ 22, 16, 60
+);
+
/* swid_entities */
INSERT INTO "swid_entities" ( /* 1 */
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index 6b24f4b28..d0508624d 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2014 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -412,14 +412,10 @@ METHOD(imv_agent_t, create_state, TNC_Result,
{
TNC_ConnectionID conn_id;
char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
- bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE;
+ bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
linked_list_t *ar_identities;
- enumerator_t *enumerator;
- tncif_identity_t *tnc_id;
imv_session_t *session;
uint32_t max_msg_len;
- uint32_t ar_id_type = TNC_ID_UNKNOWN;
- chunk_t ar_id_value = chunk_empty;
conn_id = state->get_connection_id(state);
if (find_connection(this, conn_id))
@@ -431,15 +427,24 @@ METHOD(imv_agent_t, create_state, TNC_Result,
}
/* Get and display attributes from TNCS via IF-IMV */
- has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES);
- has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
- has_soh = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH);
- tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
- tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION);
- t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
- t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
- max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
- ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES);
+ has_long = get_bool_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_HAS_LONG_TYPES);
+ has_excl = get_bool_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
+ has_soh = get_bool_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_HAS_SOH);
+ tnccs_p = get_str_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
+ tnccs_v = get_str_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_IFTNCCS_VERSION);
+ t_p = get_str_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_IFT_PROTOCOL);
+ t_v = get_str_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_IFT_VERSION);
+ max_msg_len = get_uint_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
+ ar_identities = get_identity_attribute(this, conn_id,
+ TNC_ATTRIBUTEID_AR_IDENTITIES);
state->set_flags(state, has_long, has_excl);
state->set_max_msg_len(state, max_msg_len);
@@ -451,48 +456,9 @@ METHOD(imv_agent_t, create_state, TNC_Result,
DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes",
t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
- enumerator = ar_identities->create_enumerator(ar_identities);
- while (enumerator->enumerate(enumerator, &tnc_id))
- {
- pen_type_t id_type, subject_type, auth_type;
- uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
- chunk_t id_value;
-
- id_type = tnc_id->get_identity_type(tnc_id);
- id_value = tnc_id->get_identity_value(tnc_id);
- subject_type = tnc_id->get_subject_type(tnc_id);
- auth_type = tnc_id->get_auth_type(tnc_id);
-
- tcg_id_type = (id_type.vendor_id == PEN_TCG) ?
- id_type.type : TNC_ID_UNKNOWN;
- tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
- subject_type.type : TNC_SUBJECT_UNKNOWN;
- tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ?
- auth_type.type : TNC_AUTH_UNKNOWN;
-
-
- DBG2(DBG_IMV, " %N AR identity '%.*s' authenticated by %N",
- TNC_Subject_names, tcg_subject_type,
- id_value.len, id_value.ptr,
- TNC_Authentication_names, tcg_auth_type);
-
- /* keep the first access requestor ID */
- if (first)
- {
- ar_id_type = tcg_id_type;
- ar_id_value = id_value;
- first = FALSE;
- }
- }
- enumerator->destroy(enumerator);
-
- session = imcv_sessions->add_session(imcv_sessions, conn_id,
- ar_id_type, ar_id_value);
+ session = imcv_sessions->add_session(imcv_sessions, conn_id, ar_identities);
state->set_session(state, session);
- /* clean up temporary variables */
- ar_identities->destroy_offset(ar_identities,
- offsetof(tncif_identity_t, destroy));
free(tnccs_p);
free(tnccs_v);
free(t_p);
diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c
index 0c4bb7514..0a18cd71b 100644
--- a/src/libimcv/imv/imv_database.c
+++ b/src/libimcv/imv/imv_database.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -22,6 +22,8 @@
#include "imv_database.h"
+#include <tncif_identity.h>
+
#include <utils/debug.h>
#include <threading/mutex.h>
@@ -60,41 +62,14 @@ METHOD(imv_database_t, get_database, database_t*,
*/
static bool create_session(private_imv_database_t *this, imv_session_t *session)
{
- enumerator_t *e;
+ enumerator_t *enumerator, *e;
imv_os_info_t *os_info;
- chunk_t device_id, ar_id_value;
+ chunk_t device_id;
+ tncif_identity_t *tnc_id;
TNC_ConnectionID conn_id;
- uint32_t ar_id_type;
char *product, *device;
- int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created;
-
- ar_id_value = session->get_ar_id(session, &ar_id_type);
- if (ar_id_value.len)
- {
- /* get primary key of AR identity if it exists */
- e = this->db->query(this->db,
- "SELECT id FROM identities WHERE type = ? AND value = ?",
- DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT);
- if (e)
- {
- e->enumerate(e, &ar_id);
- e->destroy(e);
- }
-
- /* if AR identity has not been found - register it */
- if (!ar_id)
- {
- this->db->execute(this->db, &ar_id,
- "INSERT INTO identities (type, value) VALUES (?, ?)",
- DB_INT, ar_id_type, DB_BLOB, ar_id_value);
- }
-
- if (!ar_id)
- {
- DBG1(DBG_IMV, "imv_db: registering access requestor failed");
- return FALSE;
- }
- }
+ int session_id = 0, pid = 0, did = 0, trusted = 0, created;
+ bool first = TRUE, success = TRUE;
/* get product info string */
os_info = session->get_os_info(session);
@@ -170,10 +145,9 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session)
created = session->get_creation_time(session);
conn_id = session->get_connection_id(session);
this->db->execute(this->db, &session_id,
- "INSERT INTO sessions (time, connection, identity, product, device) "
- "VALUES (?, ?, ?, ?, ?)",
- DB_INT, created, DB_INT, conn_id, DB_INT, ar_id,
- DB_INT, pid, DB_INT, did);
+ "INSERT INTO sessions (time, connection, product, device) "
+ "VALUES (?, ?, ?, ?)",
+ DB_INT, created, DB_INT, conn_id, DB_INT, pid, DB_INT, did);
if (session_id)
{
@@ -187,7 +161,68 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session)
}
session->set_session_id(session, session_id, pid, did);
- return TRUE;
+ enumerator = session->create_ar_identities_enumerator(session);
+ while (enumerator->enumerate(enumerator, &tnc_id))
+ {
+ pen_type_t ar_id_type;
+ chunk_t ar_id_value;
+ int ar_id = 0, si_id = 0;
+
+ ar_id_type = tnc_id->get_identity_type(tnc_id);
+ ar_id_value = tnc_id->get_identity_value(tnc_id);
+
+ if (ar_id_type.vendor_id != PEN_TCG || ar_id_value.len == 0)
+ {
+ continue;
+ }
+
+ /* get primary key of AR identity if it exists */
+ e = this->db->query(this->db,
+ "SELECT id FROM identities WHERE type = ? AND value = ?",
+ DB_INT, ar_id_type.type, DB_BLOB, ar_id_value, DB_INT);
+ if (e)
+ {
+ e->enumerate(e, &ar_id);
+ e->destroy(e);
+ }
+
+ /* if AR identity has not been found - register it */
+ if (!ar_id)
+ {
+ this->db->execute(this->db, &ar_id,
+ "INSERT INTO identities (type, value) VALUES (?, ?)",
+ DB_INT, ar_id_type.type, DB_BLOB, ar_id_value);
+ }
+ if (!ar_id)
+ {
+ DBG1(DBG_IMV, "imv_db: registering access requestor failed");
+ success = FALSE;
+ break;
+ }
+
+ this->db->execute(this->db, &si_id,
+ "INSERT INTO sessions_identities (session_id, identity_id) "
+ "VALUES (?, ?)",
+ DB_INT, session_id, DB_INT, ar_id);
+
+ if (!si_id)
+ {
+ DBG1(DBG_IMV, "imv_db: assigning identity to session failed");
+ success = FALSE;
+ break;
+ }
+
+ if (first)
+ {
+ this->db->execute(this->db, NULL,
+ "UPDATE sessions SET identity = ? WHERE id = ?",
+ DB_INT, ar_id, DB_INT, session_id);
+ first = FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return success;
}
static bool add_workitems(private_imv_database_t *this, imv_session_t *session)
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
index 50f7f2e39..9f7e4e8f4 100644
--- a/src/libimcv/imv/imv_policy_manager.c
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -19,6 +19,8 @@
#include <library.h>
#include <utils/debug.h>
+#include <tncif_names.h>
+
#include <stdlib.h>
#include <stdio.h>
#include <time.h>
@@ -251,9 +253,12 @@ static bool policy_start(database_t *db, int session_id)
static bool policy_stop(database_t *db, int session_id)
{
enumerator_t *e;
- int rec, policy;
- char *result;
+ int rec, policy, final_rec, id_type;
+ chunk_t id_value;
+ char *result, *ip_address = NULL;
+ bool success = TRUE;
+ /* store all workitem results for this session in the results table */
e = db->query(db,
"SELECT w.rec_final, w.result, e.policy FROM workitems AS w "
"JOIN enforcements AS e ON w.enforcement = e.id "
@@ -270,9 +275,68 @@ static bool policy_stop(database_t *db, int session_id)
}
e->destroy(e);
}
- return db->execute(db, NULL,
- "DELETE FROM workitems WHERE session = ?",
- DB_UINT, session_id) >= 0;
+ else
+ {
+ success = FALSE;
+ }
+
+ /* delete all workitems for this session from the database */
+ if (db->execute(db, NULL,
+ "DELETE FROM workitems WHERE session = ?",
+ DB_UINT, session_id) < 0)
+ {
+ success = FALSE;
+ }
+
+ final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+
+ /* retrieve the final recommendation for this session */
+ e = db->query(db,
+ "SELECT rec FROM sessions WHERE id = ?",
+ DB_INT, session_id, DB_INT);
+ if (e)
+ {
+ if (!e->enumerate(e, &final_rec))
+ {
+ success = FALSE;
+ }
+ e->destroy(e);
+ }
+ else
+ {
+ success = FALSE;
+ }
+
+ /* retrieve client IP address for this session */
+ e = db->query(db,
+ "SELECT i.type, i.value FROM identities AS i "
+ "JOIN sessions_identities AS si ON si.identity_id = i.id "
+ "WHERE si.session_id = ? AND (i.type = ? OR i.type = ?)",
+ DB_INT, session_id, DB_INT, TNC_ID_IPV4_ADDR, DB_INT,
+ TNC_ID_IPV6_ADDR, DB_INT, DB_BLOB);
+ if (e)
+ {
+ if (e->enumerate(e, &id_type, &id_value))
+ {
+ ip_address = strndup(id_value.ptr, id_value.len);
+ }
+ else
+ {
+ success = FALSE;
+ }
+ e->destroy(e);
+ }
+ else
+ {
+ success = FALSE;
+ }
+
+ fprintf(stderr, "recommendation for access requestor %s is %N\n",
+ ip_address ? ip_address : "0.0.0.0",
+ TNC_IMV_Action_Recommendation_names, final_rec);
+ free(ip_address);
+
+ return success;
}
int main(int argc, char *argv[])
diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c
index 1f0d8cf14..bc6b5a8d1 100644
--- a/src/libimcv/imv/imv_session.c
+++ b/src/libimcv/imv/imv_session.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,8 @@
#include "imv_session.h"
+#include <tncif_identity.h>
+
#include <utils/debug.h>
typedef struct private_imv_session_t private_imv_session_t;
@@ -55,14 +57,9 @@ struct private_imv_session_t {
time_t created;
/**
- * Access Requestor ID type
- */
- uint32_t ar_id_type;
-
- /**
- * Access Requestor ID value
+ * List of Access Requestor identities
*/
- chunk_t ar_id_value;
+ linked_list_t *ar_identities;
/**
* OS information
@@ -130,14 +127,10 @@ METHOD(imv_session_t, get_creation_time, time_t,
return this->created;
}
-METHOD(imv_session_t, get_ar_id, chunk_t,
- private_imv_session_t *this, uint32_t *ar_id_type)
+METHOD(imv_session_t, create_ar_identities_enumerator, enumerator_t*,
+ private_imv_session_t *this)
{
- if (ar_id_type)
- {
- *ar_id_type = this->ar_id_type;
- }
- return this->ar_id_value;
+ return this->ar_identities->create_enumerator(this->ar_identities);
}
METHOD(imv_session_t, get_os_info, imv_os_info_t*,
@@ -256,7 +249,8 @@ METHOD(imv_session_t, destroy, void,
this->workitems->destroy_offset(this->workitems,
offsetof(imv_workitem_t, destroy));
this->os_info->destroy(this->os_info);
- free(this->ar_id_value.ptr);
+ this->ar_identities->destroy_offset(this->ar_identities,
+ offsetof(tncif_identity_t, destroy));
free(this->device_id.ptr);
free(this);
}
@@ -266,7 +260,7 @@ METHOD(imv_session_t, destroy, void,
* See header
*/
imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
- uint32_t ar_id_type, chunk_t ar_id_value)
+ linked_list_t *ar_identities)
{
private_imv_session_t *this;
@@ -276,7 +270,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
.get_session_id = _get_session_id,
.get_connection_id = _get_connection_id,
.get_creation_time = _get_creation_time,
- .get_ar_id = _get_ar_id,
+ .create_ar_identities_enumerator = _create_ar_identities_enumerator,
.get_os_info = _get_os_info,
.set_device_id = _set_device_id,
.get_device_id = _get_device_id,
@@ -293,8 +287,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
},
.conn_id = conn_id,
.created = created,
- .ar_id_type = ar_id_type,
- .ar_id_value = chunk_clone(ar_id_value),
+ .ar_identities = ar_identities,
.os_info = imv_os_info_create(),
.workitems = linked_list_create(),
.ref = 1,
diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h
index 42b9118a6..107716f30 100644
--- a/src/libimcv/imv/imv_session.h
+++ b/src/libimcv/imv/imv_session.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -70,12 +70,11 @@ struct imv_session_t {
time_t (*get_creation_time)(imv_session_t *this);
/**
- * Get Access Requestor ID
+ * Get list of Access Requestor identities
*
- * @param id_type Access Requestor TCG Standard ID Type
- * @return Access Requestor TCG Standard ID Value
+ * @return List of Access Requestor identities
*/
- chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type);
+ enumerator_t* (*create_ar_identities_enumerator)(imv_session_t *this);
/**
* Get OS Information
@@ -172,10 +171,9 @@ struct imv_session_t {
*
* @param id Associated Connection ID
* @param created Session creation time
- * @param ar_id_type Access Requestor ID type
- * @param ar_id_value Access Requestor ID value
+ * @param ar_identities List of Access Requestor identities
*/
imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created,
- uint32_t ar_id_type, chunk_t ar_id_value);
+ linked_list_t *ar_identities);
#endif /** IMV_SESSION_H_ @}*/
diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c
index 0fb8de45e..c97602998 100644
--- a/src/libimcv/imv/imv_session_manager.c
+++ b/src/libimcv/imv/imv_session_manager.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,9 @@
#include "imv_session_manager.h"
+#include <tncif_names.h>
+#include <tncif_identity.h>
+
#include <threading/mutex.h>
typedef struct private_imv_session_manager_t private_imv_session_manager_t;
@@ -43,9 +46,10 @@ struct private_imv_session_manager_t {
METHOD(imv_session_manager_t, add_session, imv_session_t*,
private_imv_session_manager_t *this, TNC_ConnectionID conn_id,
- uint32_t ar_id_type, chunk_t ar_id_value)
+ linked_list_t *ar_identities)
{
enumerator_t *enumerator;
+ tncif_identity_t *tnc_id;
imv_session_t *current, *session = NULL;
time_t created;
@@ -66,13 +70,43 @@ METHOD(imv_session_manager_t, add_session, imv_session_t*,
/* session already exists */
if (session)
{
+ ar_identities->destroy_offset(ar_identities,
+ offsetof(tncif_identity_t, destroy));
this->mutex->unlock(this->mutex);
return session->get_ref(session);
}
+ /* Output list of Access Requestor identities */
+ enumerator = ar_identities->create_enumerator(ar_identities);
+ while (enumerator->enumerate(enumerator, &tnc_id))
+ {
+ pen_type_t id_type, subject_type, auth_type;
+ uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
+ chunk_t id_value;
+
+ id_type = tnc_id->get_identity_type(tnc_id);
+ id_value = tnc_id->get_identity_value(tnc_id);
+ subject_type = tnc_id->get_subject_type(tnc_id);
+ auth_type = tnc_id->get_auth_type(tnc_id);
+
+ tcg_id_type = (subject_type.vendor_id == PEN_TCG) ?
+ id_type.type : TNC_SUBJECT_UNKNOWN;
+ tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
+ subject_type.type : TNC_SUBJECT_UNKNOWN;
+ tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ?
+ auth_type.type : TNC_AUTH_UNKNOWN;
+
+ DBG2(DBG_IMV, " %N AR identity '%.*s' of type %N authenticated by %N",
+ TNC_Subject_names, tcg_subject_type,
+ id_value.len, id_value.ptr,
+ TNC_Identity_names, tcg_id_type,
+ TNC_Authentication_names, tcg_auth_type);
+ }
+ enumerator->destroy(enumerator);
+
/* create a new session entry */
created = time(NULL);
- session = imv_session_create(conn_id, created, ar_id_type, ar_id_value);
+ session = imv_session_create(conn_id, created, ar_identities);
this->sessions->insert_last(this->sessions, session);
this->mutex->unlock(this->mutex);
diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h
index 8a733accb..cfae23bc9 100644
--- a/src/libimcv/imv/imv_session_manager.h
+++ b/src/libimcv/imv/imv_session_manager.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -39,13 +39,12 @@ struct imv_session_manager_t {
* Create or get a session associated with a TNCCS connection
*
* @param conn_id TNCCS Connection ID
- * @param ar_id_type Access Requestor identity type
- * @param ar_id_value Access Requestor identity value
+ * @param ar_identities List of Access Requestor identities
* @return Session associated with TNCCS Connection
*/
imv_session_t* (*add_session)(imv_session_manager_t *this,
TNC_ConnectionID conn_id,
- uint32_t ar_id_type, chunk_t ar_id_value);
+ linked_list_t *ar_identities);
/**
* Remove a session
diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql
index 47ee41c86..cf50742c3 100644
--- a/src/libimcv/imv/tables-mysql.sql
+++ b/src/libimcv/imv/tables-mysql.sql
@@ -99,6 +99,14 @@ CREATE TABLE `sessions` (
`rec` INTEGER DEFAULT 3
);
+DROP TABLE IF EXISTS `sessions_identities`;
+CREATE TABLE `sessions_identities` (
+ `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+ `session_id` INTEGER NOT NULL REFERENCES `sessions`(`id`),
+ `identity_id` INTEGER NOT NULL REFERENCES `identities`(`id`),
+ UNIQUE (`session_id`, `identity_id`)
+);
+
DROP TABLE IF EXISTS `workitems`;
CREATE TABLE `workitems` (
`id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql
index f7324896e..5c2a6563b 100644
--- a/src/libimcv/imv/tables.sql
+++ b/src/libimcv/imv/tables.sql
@@ -104,6 +104,14 @@ CREATE TABLE sessions (
rec INTEGER DEFAULT 3
);
+DROP TABLE IF EXISTS sessions_identities;
+CREATE TABLE sessions_identities (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ session_id INTEGER NOT NULL REFERENCES sessions(id),
+ identity_id INTEGER NOT NULL REFERENCES identities(id),
+ UNIQUE (session_id, identity_id)
+);
+
DROP TABLE IF EXISTS workitems;
CREATE TABLE workitems (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in
index 3c5017f32..8ad56181e 100644
--- a/src/libimcv/plugins/imc_attestation/Makefile.in
+++ b/src/libimcv/plugins/imc_attestation/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
index 2fc2998e1..f24aec881 100644
--- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
@@ -137,7 +137,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
{
return FALSE;
}
- pts->get_my_public_value(pts, &responder_value, &responder_nonce);
+ if (!pts->get_my_public_value(pts, &responder_value,
+ &responder_nonce))
+ {
+ return FALSE;
+ }
/* Send DH Nonce Parameters Response attribute */
attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group,
@@ -174,8 +178,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
return FALSE;
}
- pts->set_peer_public_value(pts, initiator_value, initiator_nonce);
- if (!pts->calculate_secret(pts))
+
+ if (!pts->set_peer_public_value(pts, initiator_value,
+ initiator_nonce) ||
+ !pts->calculate_secret(pts))
{
return FALSE;
}
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 3f4cf41a9..3b7538688 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -224,6 +224,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index a192b0a41..7b696896f 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -225,6 +225,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in
index f1859a2cb..2847f09b4 100644
--- a/src/libimcv/plugins/imc_swid/Makefile.in
+++ b/src/libimcv/plugins/imc_swid/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 3e1d0232f..2048caa4d 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -224,6 +224,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in
index 3ba7c8c88..09a0ab0ce 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.in
+++ b/src/libimcv/plugins/imv_attestation/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_attestation/attest_db.c b/src/libimcv/plugins/imv_attestation/attest_db.c
index f85a02b3d..f1a1f923e 100644
--- a/src/libimcv/plugins/imv_attestation/attest_db.c
+++ b/src/libimcv/plugins/imv_attestation/attest_db.c
@@ -849,29 +849,31 @@ METHOD(attest_db_t, list_devices, void,
{
enumerator_t *e, *e_ar;
chunk_t ar_id_value = chunk_empty;
- char *product, *device;
+ char *product, *device, *description;
time_t timestamp;
- int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
+ int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0, trusted;
int session_id, rec;
u_int32_t ar_id_type;
u_int tstamp;
e = this->db->query(this->db,
- "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name "
+ "SELECT d.id, d.value, d.trusted, d.description, "
+ "s.id, s.time, s.identity, s.rec, p.name "
"FROM devices AS d "
"JOIN sessions AS s ON d.id = s.device "
"JOIN products AS p ON p.id = s.product "
- "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT,
- DB_INT, DB_INT, DB_TEXT);
+ "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_TEXT,
+ DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT);
if (e)
{
- while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec,
- &product))
+ while (e->enumerate(e, &id, &device, &trusted, &description,
+ &session_id, &tstamp, &ar_id, &rec, &product))
{
if (id != last_id)
{
- printf("%4d: %s - %s\n", id, device, product);
+ printf("%4d: %s %s - %s - %s\n", id, trusted ? "+" : "-",
+ device, product, description);
device_count++;
last_id = id;
}
diff --git a/src/libimcv/plugins/imv_attestation/build-database.sh b/src/libimcv/plugins/imv_attestation/build-database.sh
index ca2939b49..0babb5366 100755
--- a/src/libimcv/plugins/imv_attestation/build-database.sh
+++ b/src/libimcv/plugins/imv_attestation/build-database.sh
@@ -2,7 +2,7 @@
p="Ubuntu 14.04 x86_64"
a="x86_64-linux-gnu"
-k="3.13.0-37-generic"
+k="3.13.0-46-generic"
for hash in sha1 sha256
do
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
index c39fe8d47..db93ac45f 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
@@ -69,7 +69,11 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
/* Send DH nonce finish attribute */
selected_algorithm = pts->get_meas_algorithm(pts);
- pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
+ if (!pts->get_my_public_value(pts, &initiator_value,
+ &initiator_nonce))
+ {
+ return FALSE;
+ }
attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
initiator_value, initiator_nonce);
attr->set_noskip_flag(attr, TRUE);
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
index 89a1f02cf..fbeb6618e 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
@@ -134,11 +134,11 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
}
responder_value = attr_cast->get_responder_value(attr_cast);
- pts->set_peer_public_value(pts, responder_value,
- responder_nonce);
/* Calculate secret assessment value */
- if (!pts->calculate_secret(pts))
+ if (!pts->set_peer_public_value(pts, responder_value,
+ responder_nonce) ||
+ !pts->calculate_secret(pts))
{
return FALSE;
}
@@ -198,7 +198,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
KEY_ANY, aik->get_issuer(aik), FALSE);
- while (e->enumerate(e, &issuer))
+ while (e->enumerate(e, &issuer, NULL))
{
if (aik->issued_by(aik, issuer, NULL))
{
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index 36e708fc9..ec3488992 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 2677b339a..08abbf596 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in
index 815722f9c..936bee86e 100644
--- a/src/libimcv/plugins/imv_swid/Makefile.in
+++ b/src/libimcv/plugins/imv_swid/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 66da75a1e..8e0e22353 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -225,6 +225,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libimcv/pts/components/ita/ita_comp_tboot.c b/src/libimcv/pts/components/ita/ita_comp_tboot.c
index 273c18f31..ce318ec84 100644
--- a/src/libimcv/pts/components/ita/ita_comp_tboot.c
+++ b/src/libimcv/pts/components/ita/ita_comp_tboot.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2014 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -61,11 +61,6 @@ struct pts_ita_comp_tboot_t {
int cid;
/**
- * Primary key for AIK database entry
- */
- int kid;
-
- /**
* Component is registering measurements
*/
bool is_registering;
@@ -243,7 +238,7 @@ METHOD(pts_component_t, verify, status_t,
else
{
status = this->pts_db->check_comp_measurement(this->pts_db,
- measurement, this->cid, this->kid,
+ measurement, this->cid, this->aik_id,
++this->seq_no, extended_pcr, algo);
if (status != SUCCESS)
{
diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c
index 2fff4c901..1ca72098e 100644
--- a/src/libimcv/pts/pts.c
+++ b/src/libimcv/pts/pts.c
@@ -224,17 +224,24 @@ METHOD(pts_t, create_dh_nonce, bool,
return TRUE;
}
-METHOD(pts_t, get_my_public_value, void,
+METHOD(pts_t, get_my_public_value, bool,
private_pts_t *this, chunk_t *value, chunk_t *nonce)
{
- this->dh->get_my_public_value(this->dh, value);
+ if (!this->dh->get_my_public_value(this->dh, value))
+ {
+ return FALSE;
+ }
*nonce = this->is_imc ? this->responder_nonce : this->initiator_nonce;
+ return TRUE;
}
-METHOD(pts_t, set_peer_public_value, void,
+METHOD(pts_t, set_peer_public_value, bool,
private_pts_t *this, chunk_t value, chunk_t nonce)
{
- this->dh->set_other_public_value(this->dh, value);
+ if (!this->dh->set_other_public_value(this->dh, value))
+ {
+ return FALSE;
+ }
nonce = chunk_clone(nonce);
if (this->is_imc)
@@ -245,6 +252,7 @@ METHOD(pts_t, set_peer_public_value, void,
{
this->responder_nonce = nonce;
}
+ return TRUE;
}
METHOD(pts_t, calculate_secret, bool,
@@ -264,7 +272,7 @@ METHOD(pts_t, calculate_secret, bool,
DBG3(DBG_PTS, "responder nonce: %B", &this->responder_nonce);
/* Calculate the DH secret */
- if (this->dh->get_shared_secret(this->dh, &shared_secret) != SUCCESS)
+ if (!this->dh->get_shared_secret(this->dh, &shared_secret))
{
DBG1(DBG_PTS, "shared DH secret computation failed");
return FALSE;
diff --git a/src/libimcv/pts/pts.h b/src/libimcv/pts/pts.h
index be32a3464..d525306dd 100644
--- a/src/libimcv/pts/pts.h
+++ b/src/libimcv/pts/pts.h
@@ -143,16 +143,18 @@ struct pts_t {
*
* @param value My public DH value
* @param nonce My DH nonce
+ * @return TRUE if public value retrieved successfully
*/
- void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
+ bool (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
/**
* Set peer Diffie.Hellman public value
*
* @param value Peer public DH value
* @param nonce Peer DH nonce
+ * @return TRUE if public value set successfully
*/
- void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
+ bool (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
/**
* Calculates assessment secret to be used for TPM Quote as ExternalData
diff --git a/src/libimcv/seg/seg_env.c b/src/libimcv/seg/seg_env.c
index c47ce2934..f38419248 100644
--- a/src/libimcv/seg/seg_env.c
+++ b/src/libimcv/seg/seg_env.c
@@ -219,6 +219,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
if (max_seg_size < PA_TNC_ATTR_HEADER_SIZE ||
max_seg_size >= PA_TNC_ATTR_HEADER_SIZE + value.len)
{
+ base_attr->destroy(base_attr);
return NULL;
}
@@ -233,7 +234,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
.destroy = _destroy,
},
.base_attr_id = base_attr_id,
- .base_attr = base_attr->get_ref(base_attr),
+ .base_attr = base_attr,
.max_seg_size = max_seg_size,
.data = base_attr->get_value(base_attr),
);
diff --git a/src/libimcv/seg/seg_env.h b/src/libimcv/seg/seg_env.h
index 08d33d752..611f9a98a 100644
--- a/src/libimcv/seg/seg_env.h
+++ b/src/libimcv/seg/seg_env.h
@@ -98,7 +98,7 @@ struct seg_env_t {
* Create a PA-TNC attribute segment envelope object
*
* @param base_attr_id Base Attribute ID
- * @param base_attr Base Attribute to be segmented
+ * @param base_attr Base Attribute to be segmented, owned by seg_env_t
* @param max_seg_size Maximum segment size
*/
seg_env_t* seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c
index 469b1110d..8b51eda05 100644
--- a/src/libimcv/suites/test_imcv_seg.c
+++ b/src/libimcv/suites/test_imcv_seg.c
@@ -64,10 +64,11 @@ START_TEST(test_imcv_seg_env)
libimcv_init(FALSE);
max_seg_size = seg_env_tests[_i].max_seg_size;
last_seg_size = seg_env_tests[_i].last_seg_size;
+
base_attr = ita_attr_command_create(command);
base_attr->build(base_attr);
-
seg_env = seg_env_create(id, base_attr, max_seg_size);
+
if (seg_env_tests[_i].next_segs == 0)
{
ck_assert(seg_env == NULL);
@@ -156,7 +157,6 @@ START_TEST(test_imcv_seg_env)
seg_env1->destroy(seg_env1);
base_attr1->destroy(base_attr1);
}
- base_attr->destroy(base_attr);
libimcv_deinit();
}
END_TEST
@@ -226,7 +226,6 @@ START_TEST(test_imcv_seg_env_special)
/* cleanup */
attr->destroy(attr);
seg_env->destroy(seg_env);
- base_attr->destroy(base_attr);
}
END_TEST
@@ -306,7 +305,8 @@ START_TEST(test_imcv_seg_contract)
TRUE, issuer_id, FALSE);
contract_r = seg_contract_create(msg_type, max_attr_size, max_seg_size,
FALSE, issuer_id, TRUE);
- attr = contract_r->first_segment(contract_r, base_attr_r);
+ attr = contract_r->first_segment(contract_r,
+ base_attr_r->get_ref(base_attr_r));
if (seg_env_tests[_i].next_segs == 0)
{
@@ -422,8 +422,8 @@ START_TEST(test_imcv_seg_contract_special)
ck_assert(!oversize);
/* get first segment of each base attribute */
- attr1_f = contract_r->first_segment(contract_r, base_attr1_r);
- attr2_f = contract_r->first_segment(contract_r, base_attr2_r);
+ attr1_f = contract_r->first_segment(contract_r, base_attr1_r->get_ref(base_attr1_r));
+ attr2_f = contract_r->first_segment(contract_r, base_attr2_r->get_ref(base_attr2_r));
ck_assert(attr1_f);
ck_assert(attr2_f);
seg_env_attr1 = (tcg_seg_attr_seg_env_t*)attr1_f;
diff --git a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
index 5b4cc273b..397882926 100644
--- a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
+++ b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
@@ -242,6 +242,8 @@ METHOD(pa_tnc_attr_t, process, status_t,
this->count--;
}
+ status = SUCCESS;
+
if (this->length != this->offset)
{
DBG1(DBG_TNC, "inconsistent length for %N/%N", pen_names, PEN_TCG,
@@ -249,7 +251,6 @@ METHOD(pa_tnc_attr_t, process, status_t,
*offset = this->offset;
status = FAILED;
}
- status = SUCCESS;
end:
reader->destroy(reader);
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index 3663cf825..a80d28ac6 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -266,6 +266,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -326,10 +327,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -403,6 +406,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 0998efa9d..21dbd5e89 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -443,7 +443,7 @@ ip_packet_t *ip_packet_create_from_data(host_t *src, host_t *dst,
{
struct ip6_hdr ip = {
.ip6_flow = htonl(6),
- .ip6_plen = htons(40 + data.len),
+ .ip6_plen = htons(data.len),
.ip6_nxt = next_header,
.ip6_hlim = 0x80,
};
diff --git a/src/libipsec/ipsec_event_listener.h b/src/libipsec/ipsec_event_listener.h
index c5c39b0f1..f15f6fe52 100644
--- a/src/libipsec/ipsec_event_listener.h
+++ b/src/libipsec/ipsec_event_listener.h
@@ -35,14 +35,12 @@ struct ipsec_event_listener_t {
/**
* Called when the lifetime of an IPsec SA expired
*
- * @param reqid reqid of the expired SA
* @param protocol protocol of the expired SA
* @param spi spi of the expired SA
+ * @param dst destination address of expired SA
* @param hard TRUE if this is a hard expire, FALSE otherwise
*/
- void (*expire)(u_int32_t reqid, u_int8_t protocol, u_int32_t spi,
- bool hard);
-
+ void (*expire)(u_int8_t protocol, u_int32_t spi, host_t *dst, bool hard);
};
#endif /** IPSEC_EVENT_LISTENER_H_ @}*/
diff --git a/src/libipsec/ipsec_event_relay.c b/src/libipsec/ipsec_event_relay.c
index c6b2a550d..048063053 100644
--- a/src/libipsec/ipsec_event_relay.c
+++ b/src/libipsec/ipsec_event_relay.c
@@ -65,9 +65,9 @@ typedef struct {
} type;
/**
- * Reqid of the SA, if any
+ * Protocol of the SA
*/
- u_int32_t reqid;
+ u_int8_t protocol;
/**
* SPI of the SA, if any
@@ -75,13 +75,16 @@ typedef struct {
u_int32_t spi;
/**
+ * SA destination address
+ */
+ host_t *dst;
+
+ /**
* Additional data for specific event types
*/
union {
struct {
- /** Protocol of the SA */
- u_int8_t protocol;
/** TRUE in case of a hard expire */
bool hard;
} expire;
@@ -91,6 +94,15 @@ typedef struct {
} ipsec_event_t;
/**
+ * Destroy IPsec event data
+ */
+static void ipsec_event_destroy(ipsec_event_t *event)
+{
+ event->dst->destroy(event->dst);
+ free(event);
+}
+
+/**
* Dequeue events and relay them to listeners
*/
static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
@@ -110,31 +122,31 @@ static job_requeue_t handle_events(private_ipsec_event_relay_t *this)
case IPSEC_EVENT_EXPIRE:
if (current->expire)
{
- current->expire(event->reqid, event->data.expire.protocol,
- event->spi, event->data.expire.hard);
+ current->expire(event->protocol, event->spi, event->dst,
+ event->data.expire.hard);
}
break;
}
}
enumerator->destroy(enumerator);
this->lock->unlock(this->lock);
- free(event);
+ ipsec_event_destroy(event);
return JOB_REQUEUE_DIRECT;
}
METHOD(ipsec_event_relay_t, expire, void,
- private_ipsec_event_relay_t *this, u_int32_t reqid, u_int8_t protocol,
- u_int32_t spi, bool hard)
+ private_ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard)
{
ipsec_event_t *event;
INIT(event,
.type = IPSEC_EVENT_EXPIRE,
- .reqid = reqid,
+ .protocol = protocol,
.spi = spi,
+ .dst = dst->clone(dst),
.data = {
.expire = {
- .protocol = protocol,
.hard = hard,
},
},
diff --git a/src/libipsec/ipsec_event_relay.h b/src/libipsec/ipsec_event_relay.h
index c6935d546..1dddf121b 100644
--- a/src/libipsec/ipsec_event_relay.h
+++ b/src/libipsec/ipsec_event_relay.h
@@ -38,13 +38,13 @@ struct ipsec_event_relay_t {
/**
* Raise an expire event.
*
- * @param reqid reqid of the expired IPsec SA
* @param protocol protocol (e.g ESP) of the expired SA
* @param spi SPI of the expired SA
+ * @param dst destination address of expired SA
* @param hard TRUE for a hard expire, FALSE otherwise
*/
- void (*expire)(ipsec_event_relay_t *this, u_int32_t reqid,
- u_int8_t protocol, u_int32_t spi, bool hard);
+ void (*expire)(ipsec_event_relay_t *this, u_int8_t protocol, u_int32_t spi,
+ host_t *dst, bool hard);
/**
* Register a listener to events raised by this manager
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
index 6ec8bd25e..ccbbb1b3c 100644
--- a/src/libipsec/ipsec_sa.c
+++ b/src/libipsec/ipsec_sa.c
@@ -194,8 +194,8 @@ METHOD(ipsec_sa_t, expire, void,
if (!this->hard_expired)
{
this->hard_expired = TRUE;
- ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
- this->spi, TRUE);
+ ipsec->events->expire(ipsec->events, this->protocol, this->spi,
+ this->dst, TRUE);
}
}
else
@@ -203,8 +203,8 @@ METHOD(ipsec_sa_t, expire, void,
if (!this->hard_expired && !this->soft_expired)
{
this->soft_expired = TRUE;
- ipsec->events->expire(ipsec->events, this->reqid, this->protocol,
- this->spi, FALSE);
+ ipsec->events->expire(ipsec->events, this->protocol, this->spi,
+ this->dst, FALSE);
}
}
}
@@ -275,8 +275,7 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
- u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound)
{
private_ipsec_sa_t *this;
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
index 5e69f18cf..8dad29ac5 100644
--- a/src/libipsec/ipsec_sa.h
+++ b/src/libipsec/ipsec_sa.h
@@ -197,8 +197,6 @@ struct ipsec_sa_t {
* @param encap enable UDP encapsulation (must be TRUE)
* @param esn Extended Sequence Numbers (currently not supported)
* @param inbound TRUE if this is an inbound SA, FALSE otherwise
- * @param src_ts source traffic selector
- * @param dst_ts destination traffic selector
* @return the IPsec SA, or NULL if the creation failed
*/
ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
@@ -207,8 +205,6 @@ ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key,
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts);
+ bool encap, bool esn, bool inbound);
#endif /** IPSEC_SA_H_ @}*/
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index 1db1776c0..07ffa9e4f 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -396,12 +396,10 @@ static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi)
METHOD(ipsec_sa_mgr_t, get_spi, status_t,
private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int8_t protocol,
- u_int32_t reqid, u_int32_t *spi)
+ u_int32_t *spi)
{
u_int32_t spi_new;
- DBG2(DBG_ESP, "allocating SPI for reqid {%u}", reqid);
-
this->mutex->lock(this->mutex);
if (!this->rng)
{
@@ -420,7 +418,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
(u_int8_t*)&spi_new))
{
this->mutex->unlock(this->mutex);
- DBG1(DBG_ESP, "failed to allocate SPI for reqid {%u}", reqid);
+ DBG1(DBG_ESP, "failed to allocate SPI");
return FAILED;
}
/* make sure the SPI is valid (not in range 0-255) */
@@ -432,7 +430,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
*spi = spi_new;
- DBG2(DBG_ESP, "allocated SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
+ DBG2(DBG_ESP, "allocated SPI %.8x", ntohl(*spi));
return SUCCESS;
}
@@ -442,7 +440,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
- traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ bool update)
{
ipsec_sa_entry_t *entry;
ipsec_sa_t *sa_new;
@@ -456,7 +454,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc,
lifetime, enc_alg, enc_key, int_alg, int_key, mode,
- ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
+ ipcomp, cpi, encap, esn, inbound);
if (!sa_new)
{
DBG1(DBG_ESP, "failed to create SAD entry");
@@ -465,7 +463,7 @@ METHOD(ipsec_sa_mgr_t, add_sa, status_t,
this->mutex->lock(this->mutex);
- if (inbound)
+ if (update)
{ /* remove any pre-allocated SPIs */
u_int32_t *spi_alloc;
diff --git a/src/libipsec/ipsec_sa_mgr.h b/src/libipsec/ipsec_sa_mgr.h
index 8c234cefa..a57eab4e7 100644
--- a/src/libipsec/ipsec_sa_mgr.h
+++ b/src/libipsec/ipsec_sa_mgr.h
@@ -45,12 +45,11 @@ struct ipsec_sa_mgr_t {
* @param src source address of the SA
* @param dst destination address of the SA
* @param protocol protocol of the SA (only ESP supported)
- * @param reqid reqid for the SA
* @param spi the allocated SPI
* @return SUCCESS of operation successful
*/
status_t (*get_spi)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
- u_int8_t protocol, u_int32_t reqid, u_int32_t *spi);
+ u_int8_t protocol, u_int32_t *spi);
/**
* Add a new SA
@@ -74,8 +73,7 @@ struct ipsec_sa_mgr_t {
* @param encap enable UDP encapsulation (must be TRUE)
* @param esn Extended Sequence Numbers (currently not supported)
* @param inbound TRUE if this is an inbound SA, FALSE otherwise
- * @param src_ts source traffic selector
- * @param dst_ts destination traffic selector
+ * @param update TRUE if an SPI has already been allocated for SA
* @return SUCCESS if operation completed
*/
status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
@@ -84,8 +82,7 @@ struct ipsec_sa_mgr_t {
u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg,
chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
u_int16_t cpi, bool initiator, bool encap, bool esn,
- bool inbound, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts);
+ bool inbound, bool update);
/**
* Update the hosts on an installed SA.
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 74cd8084a..96d1ae4aa 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index faaae70fe..5dd8ac56b 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -222,6 +222,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -282,10 +283,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -359,6 +362,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libradius/radius_socket.c b/src/libradius/radius_socket.c
index f432151c0..fe9cf3c01 100644
--- a/src/libradius/radius_socket.c
+++ b/src/libradius/radius_socket.c
@@ -129,7 +129,7 @@ METHOD(radius_socket_t, request, radius_message_t*,
private_radius_socket_t *this, radius_message_t *request)
{
chunk_t data;
- int i, *fd;
+ int i, *fd, retransmit = 0;
u_int16_t port;
rng_t *rng = NULL;
@@ -166,64 +166,59 @@ METHOD(radius_socket_t, request, radius_message_t*,
for (i = 2; i <= 5; i++)
{
radius_message_t *response;
- bool retransmit = FALSE;
- struct timeval tv;
char buf[4096];
- fd_set fds;
int res;
+ struct pollfd pfd = {
+ .fd = *fd,
+ .events = POLLIN,
+ };
+ if (retransmit)
+ {
+ DBG1(DBG_CFG, "retransmitting RADIUS %N (attempt %d)",
+ radius_message_code_names, request->get_code(request),
+ retransmit);
+ }
if (send(*fd, data.ptr, data.len, 0) != data.len)
{
DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno));
return NULL;
}
- tv.tv_sec = i;
- tv.tv_usec = 0;
-
- while (TRUE)
+ res = poll(&pfd, 1, i * 1000);
+ if (res < 0)
{
- FD_ZERO(&fds);
- FD_SET(*fd, &fds);
- res = select((*fd) + 1, &fds, NULL, NULL, &tv);
- /* TODO: updated tv to time not waited. Linux does this for us. */
- if (res < 0)
- { /* failed */
- DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
- strerror(errno));
- break;
- }
- if (res == 0)
- { /* timeout */
- DBG1(DBG_CFG, "retransmitting RADIUS message");
- retransmit = TRUE;
- break;
- }
- res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT);
- if (res <= 0)
- {
- DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
- strerror(errno));
- break;
- }
- response = radius_message_parse(chunk_create(buf, res));
- if (response)
- {
- if (response->verify(response,
- request->get_authenticator(request), this->secret,
- this->hasher, this->signer))
- {
- return response;
- }
- response->destroy(response);
- }
- DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+ DBG1(DBG_CFG, "waiting for RADIUS message failed: %s",
+ strerror(errno));
+ return NULL;
+ }
+ if (res == 0)
+ { /* timeout */
+ retransmit++;
+ continue;
}
- if (!retransmit)
+ res = recv(*fd, buf, sizeof(buf), MSG_DONTWAIT);
+ if (res <= 0)
{
- break;
+ DBG1(DBG_CFG, "receiving RADIUS message failed: %s",
+ strerror(errno));
+ return NULL;
}
+ response = radius_message_parse(chunk_create(buf, res));
+ if (response)
+ {
+ if (response->verify(response,
+ request->get_authenticator(request), this->secret,
+ this->hasher, this->signer))
+ {
+ return response;
+ }
+ response->destroy(response);
+ }
+ DBG1(DBG_CFG, "received invalid RADIUS message, ignored");
+ return NULL;
}
- DBG1(DBG_CFG, "RADIUS server is not responding");
+ DBG1(DBG_CFG, "RADIUS %N timed out after %d retransmits",
+ radius_message_code_names, request->get_code(request), retransmit - 1);
return NULL;
}
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index a16991927..79962d3bd 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -222,6 +222,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -282,10 +283,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -359,6 +362,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 9b775f9b3..2a8894b0e 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -8,12 +8,14 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
+crypto/hashers/hash_algorithm_set.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
credentials/credential_factory.c credentials/builder.c \
credentials/cred_encoding.c credentials/keys/private_key.c \
credentials/keys/public_key.c credentials/keys/shared_key.c \
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 0083ffe6b..fbc752687 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -6,12 +6,14 @@ asn1/asn1.c asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c bio/bio_writer.c \
collections/blocking_queue.c collections/enumerator.c collections/hashtable.c \
collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c crypto/hashers/hasher.c \
+crypto/hashers/hash_algorithm_set.c \
crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords_static.c \
crypto/prfs/prf.c crypto/prfs/mac_prf.c crypto/pkcs5.c \
crypto/rngs/rng.c crypto/prf_plus.c crypto/signers/signer.c \
crypto/signers/mac_signer.c crypto/crypto_factory.c crypto/crypto_tester.c \
crypto/diffie_hellman.c crypto/aead.c crypto/transform.c \
crypto/iv/iv_gen_rand.c crypto/iv/iv_gen_seq.c \
+crypto/mgf1/mgf1.c crypto/mgf1/mgf1_bitspender.c \
credentials/credential_factory.c credentials/builder.c \
credentials/cred_encoding.c credentials/keys/private_key.c \
credentials/keys/public_key.c credentials/keys/shared_key.c \
@@ -60,13 +62,15 @@ library.h \
asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
collections/linked_list.h collections/array.h collections/dictionary.h \
-crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
+crypto/crypters/crypter.h crypto/hashers/hasher.h \
+crypto/hashers/hash_algorithm_set.h crypto/mac.h \
crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
credentials/credential_factory.h credentials/builder.h \
credentials/cred_encoding.h credentials/keys/private_key.h \
credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -101,8 +105,8 @@ utils/utils.h utils/chunk.h utils/debug.h utils/enum.h utils/identification.h \
utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
utils/leak_detective.h utils/printf_hook/printf_hook.h \
utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/windows.h \
-utils/process.h utils/utils/strerror.h
+utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \
+utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h
endif
library.lo : $(top_builddir)/config.status
@@ -133,7 +137,7 @@ if USE_WINDOWS
threading/windows/rwlock.c \
threading/windows/spinlock.c \
threading/windows/semaphore.c \
- utils/windows.c
+ utils/compat/windows.c
else
libstrongswan_la_LIBADD += $(PTHREADLIB)
endif
@@ -425,6 +429,13 @@ if MONOLITHIC
endif
endif
+if USE_FILES
+ SUBDIRS += plugins/files
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/files/libstrongswan-files.la
+endif
+endif
+
if USE_WINHTTP
SUBDIRS += plugins/winhttp
if MONOLITHIC
@@ -544,6 +555,13 @@ if MONOLITHIC
endif
endif
+if USE_BLISS
+ SUBDIRS += plugins/bliss
+if MONOLITHIC
+ libstrongswan_la_LIBADD += plugins/bliss/libstrongswan-bliss.la
+endif
+endif
+
if USE_TEST_VECTORS
SUBDIRS += plugins/test_vectors
if MONOLITHIC
@@ -555,3 +573,6 @@ if MONOLITHIC
SUBDIRS += .
endif
SUBDIRS += tests
+if USE_BLISS
+ SUBDIRS += plugins/bliss/tests
+endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 40678cbde..99b18a757 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -97,7 +97,7 @@ host_triplet = @host@
@USE_WINDOWS_TRUE@ threading/windows/rwlock.c \
@USE_WINDOWS_TRUE@ threading/windows/spinlock.c \
@USE_WINDOWS_TRUE@ threading/windows/semaphore.c \
-@USE_WINDOWS_TRUE@ utils/windows.c
+@USE_WINDOWS_TRUE@ utils/compat/windows.c
@USE_WINDOWS_FALSE@am__append_4 = $(PTHREADLIB)
@USE_DBGHELP_TRUE@am__append_5 = -ldbghelp
@@ -173,42 +173,47 @@ host_triplet = @host@
@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_75 = plugins/pem/libstrongswan-pem.la
@USE_CURL_TRUE@am__append_76 = plugins/curl
@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_77 = plugins/curl/libstrongswan-curl.la
-@USE_WINHTTP_TRUE@am__append_78 = plugins/winhttp
-@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_79 = plugins/winhttp/libstrongswan-winhttp.la
-@USE_UNBOUND_TRUE@am__append_80 = plugins/unbound
-@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_81 = plugins/unbound/libstrongswan-unbound.la
-@USE_SOUP_TRUE@am__append_82 = plugins/soup
-@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_83 = plugins/soup/libstrongswan-soup.la
-@USE_LDAP_TRUE@am__append_84 = plugins/ldap
-@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_85 = plugins/ldap/libstrongswan-ldap.la
-@USE_MYSQL_TRUE@am__append_86 = plugins/mysql
-@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_87 = plugins/mysql/libstrongswan-mysql.la
-@USE_SQLITE_TRUE@am__append_88 = plugins/sqlite
-@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_89 = plugins/sqlite/libstrongswan-sqlite.la
-@USE_PADLOCK_TRUE@am__append_90 = plugins/padlock
-@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_91 = plugins/padlock/libstrongswan-padlock.la
-@USE_OPENSSL_TRUE@am__append_92 = plugins/openssl
-@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_93 = plugins/openssl/libstrongswan-openssl.la
-@USE_GCRYPT_TRUE@am__append_94 = plugins/gcrypt
-@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_95 = plugins/gcrypt/libstrongswan-gcrypt.la
-@USE_FIPS_PRF_TRUE@am__append_96 = plugins/fips_prf
-@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_97 = plugins/fips_prf/libstrongswan-fips-prf.la
-@USE_AGENT_TRUE@am__append_98 = plugins/agent
-@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_99 = plugins/agent/libstrongswan-agent.la
-@USE_KEYCHAIN_TRUE@am__append_100 = plugins/keychain
-@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_101 = plugins/keychain/libstrongswan-keychain.la
-@USE_PKCS11_TRUE@am__append_102 = plugins/pkcs11
-@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_103 = plugins/pkcs11/libstrongswan-pkcs11.la
-@USE_CTR_TRUE@am__append_104 = plugins/ctr
-@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_105 = plugins/ctr/libstrongswan-ctr.la
-@USE_CCM_TRUE@am__append_106 = plugins/ccm
-@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_107 = plugins/ccm/libstrongswan-ccm.la
-@USE_GCM_TRUE@am__append_108 = plugins/gcm
-@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_109 = plugins/gcm/libstrongswan-gcm.la
-@USE_NTRU_TRUE@am__append_110 = plugins/ntru
-@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_111 = plugins/ntru/libstrongswan-ntru.la
-@USE_TEST_VECTORS_TRUE@am__append_112 = plugins/test_vectors
-@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_113 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_FILES_TRUE@am__append_78 = plugins/files
+@MONOLITHIC_TRUE@@USE_FILES_TRUE@am__append_79 = plugins/files/libstrongswan-files.la
+@USE_WINHTTP_TRUE@am__append_80 = plugins/winhttp
+@MONOLITHIC_TRUE@@USE_WINHTTP_TRUE@am__append_81 = plugins/winhttp/libstrongswan-winhttp.la
+@USE_UNBOUND_TRUE@am__append_82 = plugins/unbound
+@MONOLITHIC_TRUE@@USE_UNBOUND_TRUE@am__append_83 = plugins/unbound/libstrongswan-unbound.la
+@USE_SOUP_TRUE@am__append_84 = plugins/soup
+@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_85 = plugins/soup/libstrongswan-soup.la
+@USE_LDAP_TRUE@am__append_86 = plugins/ldap
+@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_87 = plugins/ldap/libstrongswan-ldap.la
+@USE_MYSQL_TRUE@am__append_88 = plugins/mysql
+@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_89 = plugins/mysql/libstrongswan-mysql.la
+@USE_SQLITE_TRUE@am__append_90 = plugins/sqlite
+@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_91 = plugins/sqlite/libstrongswan-sqlite.la
+@USE_PADLOCK_TRUE@am__append_92 = plugins/padlock
+@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_93 = plugins/padlock/libstrongswan-padlock.la
+@USE_OPENSSL_TRUE@am__append_94 = plugins/openssl
+@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_95 = plugins/openssl/libstrongswan-openssl.la
+@USE_GCRYPT_TRUE@am__append_96 = plugins/gcrypt
+@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_97 = plugins/gcrypt/libstrongswan-gcrypt.la
+@USE_FIPS_PRF_TRUE@am__append_98 = plugins/fips_prf
+@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_99 = plugins/fips_prf/libstrongswan-fips-prf.la
+@USE_AGENT_TRUE@am__append_100 = plugins/agent
+@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_101 = plugins/agent/libstrongswan-agent.la
+@USE_KEYCHAIN_TRUE@am__append_102 = plugins/keychain
+@MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE@am__append_103 = plugins/keychain/libstrongswan-keychain.la
+@USE_PKCS11_TRUE@am__append_104 = plugins/pkcs11
+@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_105 = plugins/pkcs11/libstrongswan-pkcs11.la
+@USE_CTR_TRUE@am__append_106 = plugins/ctr
+@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_107 = plugins/ctr/libstrongswan-ctr.la
+@USE_CCM_TRUE@am__append_108 = plugins/ccm
+@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_109 = plugins/ccm/libstrongswan-ccm.la
+@USE_GCM_TRUE@am__append_110 = plugins/gcm
+@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_111 = plugins/gcm/libstrongswan-gcm.la
+@USE_NTRU_TRUE@am__append_112 = plugins/ntru
+@MONOLITHIC_TRUE@@USE_NTRU_TRUE@am__append_113 = plugins/ntru/libstrongswan-ntru.la
+@USE_BLISS_TRUE@am__append_114 = plugins/bliss
+@MONOLITHIC_TRUE@@USE_BLISS_TRUE@am__append_115 = plugins/bliss/libstrongswan-bliss.la
+@USE_TEST_VECTORS_TRUE@am__append_116 = plugins/test_vectors
+@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_117 = plugins/test_vectors/libstrongswan-test-vectors.la
+@USE_BLISS_TRUE@am__append_118 = plugins/bliss/tests
subdir = src/libstrongswan
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
settings/settings_parser.h settings/settings_parser.c \
@@ -287,13 +292,14 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
$(am__append_95) $(am__append_97) $(am__append_99) \
$(am__append_101) $(am__append_103) $(am__append_105) \
$(am__append_107) $(am__append_109) $(am__append_111) \
- $(am__append_113)
+ $(am__append_113) $(am__append_115) $(am__append_117)
am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
bio/bio_writer.c collections/blocking_queue.c \
collections/enumerator.c collections/hashtable.c \
collections/array.c collections/linked_list.c \
crypto/crypters/crypter.c crypto/hashers/hasher.c \
+ crypto/hashers/hash_algorithm_set.c \
crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
@@ -301,7 +307,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
crypto/signers/mac_signer.c crypto/crypto_factory.c \
crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
crypto/transform.c crypto/iv/iv_gen_rand.c \
- crypto/iv/iv_gen_seq.c credentials/credential_factory.c \
+ crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \
+ crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \
credentials/builder.c credentials/cred_encoding.c \
credentials/keys/private_key.c credentials/keys/public_key.c \
credentials/keys/shared_key.c \
@@ -342,7 +349,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
threading/windows/thread.c threading/windows/thread_value.c \
threading/windows/mutex.c threading/windows/rwlock.c \
threading/windows/spinlock.c threading/windows/semaphore.c \
- utils/windows.c utils/leak_detective.c \
+ utils/compat/windows.c utils/leak_detective.c \
utils/integrity_checker.c utils/printf_hook/printf_hook_vstr.c \
utils/printf_hook/printf_hook_builtin.c \
utils/printf_hook/printf_hook_glibc.c
@@ -360,7 +367,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
@USE_WINDOWS_TRUE@ threading/windows/rwlock.lo \
@USE_WINDOWS_TRUE@ threading/windows/spinlock.lo \
@USE_WINDOWS_TRUE@ threading/windows/semaphore.lo \
-@USE_WINDOWS_TRUE@ utils/windows.lo
+@USE_WINDOWS_TRUE@ utils/compat/windows.lo
@USE_LEAK_DETECTIVE_TRUE@am__objects_3 = utils/leak_detective.lo
@USE_INTEGRITY_TEST_TRUE@am__objects_4 = utils/integrity_checker.lo
@USE_VSTR_TRUE@am__objects_5 = utils/printf_hook/printf_hook_vstr.lo
@@ -372,6 +379,7 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
collections/enumerator.lo collections/hashtable.lo \
collections/array.lo collections/linked_list.lo \
crypto/crypters/crypter.lo crypto/hashers/hasher.lo \
+ crypto/hashers/hash_algorithm_set.lo \
crypto/proposal/proposal_keywords.lo \
crypto/proposal/proposal_keywords_static.lo crypto/prfs/prf.lo \
crypto/prfs/mac_prf.lo crypto/pkcs5.lo crypto/rngs/rng.lo \
@@ -379,10 +387,11 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \
crypto/signers/mac_signer.lo crypto/crypto_factory.lo \
crypto/crypto_tester.lo crypto/diffie_hellman.lo \
crypto/aead.lo crypto/transform.lo crypto/iv/iv_gen_rand.lo \
- crypto/iv/iv_gen_seq.lo credentials/credential_factory.lo \
- credentials/builder.lo credentials/cred_encoding.lo \
- credentials/keys/private_key.lo credentials/keys/public_key.lo \
- credentials/keys/shared_key.lo \
+ crypto/iv/iv_gen_seq.lo crypto/mgf1/mgf1.lo \
+ crypto/mgf1/mgf1_bitspender.lo \
+ credentials/credential_factory.lo credentials/builder.lo \
+ credentials/cred_encoding.lo credentials/keys/private_key.lo \
+ credentials/keys/public_key.lo credentials/keys/shared_key.lo \
credentials/certificates/certificate.lo \
credentials/certificates/crl.lo \
credentials/certificates/ocsp_response.lo \
@@ -493,8 +502,8 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
collections/enumerator.h collections/hashtable.h \
collections/linked_list.h collections/array.h \
collections/dictionary.h crypto/crypters/crypter.h \
- crypto/hashers/hasher.h crypto/mac.h \
- crypto/proposal/proposal_keywords.h \
+ crypto/hashers/hasher.h crypto/hashers/hash_algorithm_set.h \
+ crypto/mac.h crypto/proposal/proposal_keywords.h \
crypto/proposal/proposal_keywords_static.h crypto/prfs/prf.h \
crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
crypto/prf_plus.h crypto/signers/signer.h \
@@ -502,6 +511,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
crypto/crypto_tester.h crypto/diffie_hellman.h crypto/aead.h \
crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+ crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
credentials/credential_factory.h credentials/builder.h \
credentials/cred_encoding.h credentials/keys/private_key.h \
credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -548,8 +558,9 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \
utils/printf_hook/printf_hook.h \
utils/printf_hook/printf_hook_vstr.h \
utils/printf_hook/printf_hook_builtin.h utils/parser_helper.h \
- utils/test.h utils/integrity_checker.h utils/windows.h \
- utils/process.h utils/utils/strerror.h
+ utils/test.h utils/integrity_checker.h utils/process.h \
+ utils/utils/strerror.h utils/compat/windows.h \
+ utils/compat/apple.h
HEADERS = $(nobase_strongswan_include_HEADERS) $(noinst_HEADERS)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
@@ -586,11 +597,12 @@ DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \
plugins/constraints plugins/acert plugins/pubkey plugins/pkcs1 \
plugins/pkcs7 plugins/pkcs8 plugins/pkcs12 plugins/pgp \
plugins/dnskey plugins/sshkey plugins/pem plugins/curl \
- plugins/winhttp plugins/unbound plugins/soup plugins/ldap \
- plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
- plugins/gcrypt plugins/fips_prf plugins/agent plugins/keychain \
- plugins/pkcs11 plugins/ctr plugins/ccm plugins/gcm \
- plugins/ntru plugins/test_vectors tests
+ plugins/files plugins/winhttp plugins/unbound plugins/soup \
+ plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \
+ plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \
+ plugins/keychain plugins/pkcs11 plugins/ctr plugins/ccm \
+ plugins/gcm plugins/ntru plugins/bliss plugins/test_vectors \
+ tests plugins/bliss/tests
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
am__relativize = \
dir0=`pwd`; \
@@ -642,6 +654,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -702,10 +715,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -779,6 +794,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -843,14 +860,16 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \
collections/blocking_queue.c collections/enumerator.c \
collections/hashtable.c collections/array.c \
collections/linked_list.c crypto/crypters/crypter.c \
- crypto/hashers/hasher.c crypto/proposal/proposal_keywords.c \
+ crypto/hashers/hasher.c crypto/hashers/hash_algorithm_set.c \
+ crypto/proposal/proposal_keywords.c \
crypto/proposal/proposal_keywords_static.c crypto/prfs/prf.c \
crypto/prfs/mac_prf.c crypto/pkcs5.c crypto/rngs/rng.c \
crypto/prf_plus.c crypto/signers/signer.c \
crypto/signers/mac_signer.c crypto/crypto_factory.c \
crypto/crypto_tester.c crypto/diffie_hellman.c crypto/aead.c \
crypto/transform.c crypto/iv/iv_gen_rand.c \
- crypto/iv/iv_gen_seq.c credentials/credential_factory.c \
+ crypto/iv/iv_gen_seq.c crypto/mgf1/mgf1.c \
+ crypto/mgf1/mgf1_bitspender.c credentials/credential_factory.c \
credentials/builder.c credentials/cred_encoding.c \
credentials/keys/private_key.c credentials/keys/public_key.c \
credentials/keys/shared_key.c \
@@ -898,13 +917,15 @@ settings/settings_types.h
@USE_DEV_HEADERS_TRUE@asn1/asn1.h asn1/asn1_parser.h asn1/oid.h bio/bio_reader.h bio/bio_writer.h \
@USE_DEV_HEADERS_TRUE@collections/blocking_queue.h collections/enumerator.h collections/hashtable.h \
@USE_DEV_HEADERS_TRUE@collections/linked_list.h collections/array.h collections/dictionary.h \
-@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h crypto/mac.h \
+@USE_DEV_HEADERS_TRUE@crypto/crypters/crypter.h crypto/hashers/hasher.h \
+@USE_DEV_HEADERS_TRUE@crypto/hashers/hash_algorithm_set.h crypto/mac.h \
@USE_DEV_HEADERS_TRUE@crypto/proposal/proposal_keywords.h crypto/proposal/proposal_keywords_static.h \
@USE_DEV_HEADERS_TRUE@crypto/prfs/prf.h crypto/prfs/mac_prf.h crypto/rngs/rng.h crypto/nonce_gen.h \
@USE_DEV_HEADERS_TRUE@crypto/prf_plus.h crypto/signers/signer.h crypto/signers/mac_signer.h \
@USE_DEV_HEADERS_TRUE@crypto/crypto_factory.h crypto/crypto_tester.h crypto/diffie_hellman.h \
@USE_DEV_HEADERS_TRUE@crypto/aead.h crypto/transform.h crypto/pkcs5.h crypto/iv/iv_gen.h \
@USE_DEV_HEADERS_TRUE@crypto/iv/iv_gen_rand.h crypto/iv/iv_gen_seq.h \
+@USE_DEV_HEADERS_TRUE@crypto/mgf1/mgf1.h crypto/mgf1/mgf1_bitspender.h \
@USE_DEV_HEADERS_TRUE@credentials/credential_factory.h credentials/builder.h \
@USE_DEV_HEADERS_TRUE@credentials/cred_encoding.h credentials/keys/private_key.h \
@USE_DEV_HEADERS_TRUE@credentials/keys/public_key.h credentials/keys/shared_key.h \
@@ -939,8 +960,8 @@ settings/settings_types.h
@USE_DEV_HEADERS_TRUE@utils/lexparser.h utils/optionsfrom.h utils/capabilities.h utils/backtrace.h \
@USE_DEV_HEADERS_TRUE@utils/leak_detective.h utils/printf_hook/printf_hook.h \
@USE_DEV_HEADERS_TRUE@utils/printf_hook/printf_hook_vstr.h utils/printf_hook/printf_hook_builtin.h \
-@USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/windows.h \
-@USE_DEV_HEADERS_TRUE@utils/process.h utils/utils/strerror.h
+@USE_DEV_HEADERS_TRUE@utils/parser_helper.h utils/test.h utils/integrity_checker.h utils/process.h \
+@USE_DEV_HEADERS_TRUE@utils/utils/strerror.h utils/compat/windows.h utils/compat/apple.h
libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \
$(BFDLIB) $(UNWINDLIB) $(am__append_2) $(am__append_4) \
@@ -961,7 +982,7 @@ libstrongswan_la_LIBADD = $(DLLIB) $(BTLIB) $(SOCKLIB) $(RTLIB) \
$(am__append_95) $(am__append_97) $(am__append_99) \
$(am__append_101) $(am__append_103) $(am__append_105) \
$(am__append_107) $(am__append_109) $(am__append_111) \
- $(am__append_113)
+ $(am__append_113) $(am__append_115) $(am__append_117)
AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
-DPLUGINDIR=\"${plugindir}\" \
@@ -1011,7 +1032,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
@MONOLITHIC_FALSE@ $(am__append_98) $(am__append_100) \
@MONOLITHIC_FALSE@ $(am__append_102) $(am__append_104) \
@MONOLITHIC_FALSE@ $(am__append_106) $(am__append_108) \
-@MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) tests
+@MONOLITHIC_FALSE@ $(am__append_110) $(am__append_112) \
+@MONOLITHIC_FALSE@ $(am__append_114) $(am__append_116) tests \
+@MONOLITHIC_FALSE@ $(am__append_118)
# build plugins with their own Makefile
#######################################
@@ -1038,7 +1061,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
@MONOLITHIC_TRUE@ $(am__append_98) $(am__append_100) \
@MONOLITHIC_TRUE@ $(am__append_102) $(am__append_104) \
@MONOLITHIC_TRUE@ $(am__append_106) $(am__append_108) \
-@MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) . tests
+@MONOLITHIC_TRUE@ $(am__append_110) $(am__append_112) \
+@MONOLITHIC_TRUE@ $(am__append_114) $(am__append_116) . tests \
+@MONOLITHIC_TRUE@ $(am__append_118)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -1159,6 +1184,8 @@ crypto/hashers/$(DEPDIR)/$(am__dirstamp):
@: > crypto/hashers/$(DEPDIR)/$(am__dirstamp)
crypto/hashers/hasher.lo: crypto/hashers/$(am__dirstamp) \
crypto/hashers/$(DEPDIR)/$(am__dirstamp)
+crypto/hashers/hash_algorithm_set.lo: crypto/hashers/$(am__dirstamp) \
+ crypto/hashers/$(DEPDIR)/$(am__dirstamp)
crypto/proposal/$(am__dirstamp):
@$(MKDIR_P) crypto/proposal
@: > crypto/proposal/$(am__dirstamp)
@@ -1228,6 +1255,16 @@ crypto/iv/iv_gen_rand.lo: crypto/iv/$(am__dirstamp) \
crypto/iv/$(DEPDIR)/$(am__dirstamp)
crypto/iv/iv_gen_seq.lo: crypto/iv/$(am__dirstamp) \
crypto/iv/$(DEPDIR)/$(am__dirstamp)
+crypto/mgf1/$(am__dirstamp):
+ @$(MKDIR_P) crypto/mgf1
+ @: > crypto/mgf1/$(am__dirstamp)
+crypto/mgf1/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) crypto/mgf1/$(DEPDIR)
+ @: > crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
+crypto/mgf1/mgf1.lo: crypto/mgf1/$(am__dirstamp) \
+ crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
+crypto/mgf1/mgf1_bitspender.lo: crypto/mgf1/$(am__dirstamp) \
+ crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
credentials/$(am__dirstamp):
@$(MKDIR_P) credentials
@: > credentials/$(am__dirstamp)
@@ -1517,8 +1554,14 @@ threading/windows/spinlock.lo: threading/windows/$(am__dirstamp) \
threading/windows/$(DEPDIR)/$(am__dirstamp)
threading/windows/semaphore.lo: threading/windows/$(am__dirstamp) \
threading/windows/$(DEPDIR)/$(am__dirstamp)
-utils/windows.lo: utils/$(am__dirstamp) \
- utils/$(DEPDIR)/$(am__dirstamp)
+utils/compat/$(am__dirstamp):
+ @$(MKDIR_P) utils/compat
+ @: > utils/compat/$(am__dirstamp)
+utils/compat/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) utils/compat/$(DEPDIR)
+ @: > utils/compat/$(DEPDIR)/$(am__dirstamp)
+utils/compat/windows.lo: utils/compat/$(am__dirstamp) \
+ utils/compat/$(DEPDIR)/$(am__dirstamp)
utils/leak_detective.lo: utils/$(am__dirstamp) \
utils/$(DEPDIR)/$(am__dirstamp)
utils/integrity_checker.lo: utils/$(am__dirstamp) \
@@ -1568,6 +1611,8 @@ mostlyclean-compile:
-rm -f crypto/hashers/*.lo
-rm -f crypto/iv/*.$(OBJEXT)
-rm -f crypto/iv/*.lo
+ -rm -f crypto/mgf1/*.$(OBJEXT)
+ -rm -f crypto/mgf1/*.lo
-rm -f crypto/prfs/*.$(OBJEXT)
-rm -f crypto/prfs/*.lo
-rm -f crypto/proposal/*.$(OBJEXT)
@@ -1608,6 +1653,8 @@ mostlyclean-compile:
-rm -f threading/windows/*.lo
-rm -f utils/*.$(OBJEXT)
-rm -f utils/*.lo
+ -rm -f utils/compat/*.$(OBJEXT)
+ -rm -f utils/compat/*.lo
-rm -f utils/printf_hook/*.$(OBJEXT)
-rm -f utils/printf_hook/*.lo
-rm -f utils/utils/*.$(OBJEXT)
@@ -1653,9 +1700,12 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@crypto/$(DEPDIR)/prf_plus.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/$(DEPDIR)/transform.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/crypters/$(DEPDIR)/crypter.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hash_algorithm_set.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/hashers/$(DEPDIR)/hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_rand.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/iv/$(DEPDIR)/iv_gen_seq.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto/mgf1/$(DEPDIR)/mgf1_bitspender.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/mac_prf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/prfs/$(DEPDIR)/prf.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@crypto/proposal/$(DEPDIR)/proposal_keywords.Plo@am__quote@
@@ -1721,7 +1771,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/process.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/test.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/utils.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@utils/$(DEPDIR)/windows.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@utils/compat/$(DEPDIR)/windows.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_builtin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_glibc.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@utils/printf_hook/$(DEPDIR)/printf_hook_vstr.Plo@am__quote@
@@ -1774,6 +1824,7 @@ clean-libtool:
-rm -rf crypto/crypters/.libs crypto/crypters/_libs
-rm -rf crypto/hashers/.libs crypto/hashers/_libs
-rm -rf crypto/iv/.libs crypto/iv/_libs
+ -rm -rf crypto/mgf1/.libs crypto/mgf1/_libs
-rm -rf crypto/prfs/.libs crypto/prfs/_libs
-rm -rf crypto/proposal/.libs crypto/proposal/_libs
-rm -rf crypto/rngs/.libs crypto/rngs/_libs
@@ -1794,6 +1845,7 @@ clean-libtool:
-rm -rf threading/.libs threading/_libs
-rm -rf threading/windows/.libs threading/windows/_libs
-rm -rf utils/.libs utils/_libs
+ -rm -rf utils/compat/.libs utils/compat/_libs
-rm -rf utils/printf_hook/.libs utils/printf_hook/_libs
-rm -rf utils/utils/.libs utils/utils/_libs
install-nobase_strongswan_includeHEADERS: $(nobase_strongswan_include_HEADERS)
@@ -2035,6 +2087,8 @@ distclean-generic:
-rm -f crypto/hashers/$(am__dirstamp)
-rm -f crypto/iv/$(DEPDIR)/$(am__dirstamp)
-rm -f crypto/iv/$(am__dirstamp)
+ -rm -f crypto/mgf1/$(DEPDIR)/$(am__dirstamp)
+ -rm -f crypto/mgf1/$(am__dirstamp)
-rm -f crypto/prfs/$(DEPDIR)/$(am__dirstamp)
-rm -f crypto/prfs/$(am__dirstamp)
-rm -f crypto/proposal/$(DEPDIR)/$(am__dirstamp)
@@ -2075,6 +2129,8 @@ distclean-generic:
-rm -f threading/windows/$(am__dirstamp)
-rm -f utils/$(DEPDIR)/$(am__dirstamp)
-rm -f utils/$(am__dirstamp)
+ -rm -f utils/compat/$(DEPDIR)/$(am__dirstamp)
+ -rm -f utils/compat/$(am__dirstamp)
-rm -f utils/printf_hook/$(DEPDIR)/$(am__dirstamp)
-rm -f utils/printf_hook/$(am__dirstamp)
-rm -f utils/utils/$(DEPDIR)/$(am__dirstamp)
@@ -2094,7 +2150,7 @@ clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
mostlyclean-am
distclean: distclean-recursive
- -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/compat/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -2141,7 +2197,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-recursive
- -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) asn1/$(DEPDIR) bio/$(DEPDIR) collections/$(DEPDIR) credentials/$(DEPDIR) credentials/certificates/$(DEPDIR) credentials/containers/$(DEPDIR) credentials/keys/$(DEPDIR) credentials/sets/$(DEPDIR) crypto/$(DEPDIR) crypto/crypters/$(DEPDIR) crypto/hashers/$(DEPDIR) crypto/iv/$(DEPDIR) crypto/mgf1/$(DEPDIR) crypto/prfs/$(DEPDIR) crypto/proposal/$(DEPDIR) crypto/rngs/$(DEPDIR) crypto/signers/$(DEPDIR) database/$(DEPDIR) eap/$(DEPDIR) fetcher/$(DEPDIR) ipsec/$(DEPDIR) networking/$(DEPDIR) networking/streams/$(DEPDIR) pen/$(DEPDIR) plugins/$(DEPDIR) processing/$(DEPDIR) processing/jobs/$(DEPDIR) resolver/$(DEPDIR) selectors/$(DEPDIR) settings/$(DEPDIR) threading/$(DEPDIR) threading/windows/$(DEPDIR) utils/$(DEPDIR) utils/compat/$(DEPDIR) utils/printf_hook/$(DEPDIR) utils/utils/$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index b479b0f4b..a750f7fcb 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -199,12 +199,12 @@ const oid_t oid_names[] = {
{ 0x02, 187, 0, 7, "ecdsa-with-SHA256" }, /* 186 */
{ 0x03, 188, 0, 7, "ecdsa-with-SHA384" }, /* 187 */
{ 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 188 */
- {0x2B, 391, 1, 0, "" }, /* 189 */
- { 0x06, 305, 1, 1, "dod" }, /* 190 */
+ {0x2B, 413, 1, 0, "" }, /* 189 */
+ { 0x06, 327, 1, 1, "dod" }, /* 190 */
{ 0x01, 0, 1, 2, "internet" }, /* 191 */
- { 0x04, 256, 1, 3, "private" }, /* 192 */
+ { 0x04, 278, 1, 3, "private" }, /* 192 */
{ 0x01, 0, 1, 4, "enterprise" }, /* 193 */
- { 0x82, 210, 1, 5, "" }, /* 194 */
+ { 0x82, 228, 1, 5, "" }, /* 194 */
{ 0x37, 207, 1, 6, "Microsoft" }, /* 195 */
{ 0x0A, 200, 1, 7, "" }, /* 196 */
{ 0x03, 0, 1, 8, "" }, /* 197 */
@@ -219,248 +219,270 @@ const oid_t oid_names[] = {
{ 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 206 */
{ 0xA0, 0, 1, 6, "" }, /* 207 */
{ 0x2A, 0, 1, 7, "ITA" }, /* 208 */
- { 0x01, 0, 0, 8, "strongSwan" }, /* 209 */
- { 0x89, 217, 1, 5, "" }, /* 210 */
- { 0x31, 0, 1, 6, "" }, /* 211 */
- { 0x01, 0, 1, 7, "" }, /* 212 */
- { 0x01, 0, 1, 8, "" }, /* 213 */
- { 0x02, 0, 1, 9, "" }, /* 214 */
- { 0x02, 0, 1, 10, "" }, /* 215 */
- { 0x4B, 0, 0, 11, "TCGID" }, /* 216 */
- { 0xC1, 0, 1, 5, "" }, /* 217 */
- { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 218 */
- { 0x01, 0, 1, 7, "eess" }, /* 219 */
- { 0x01, 0, 1, 8, "eess1" }, /* 220 */
- { 0x01, 225, 1, 9, "eess1-algs" }, /* 221 */
- { 0x01, 223, 0, 10, "ntru-EESS1v1-SVES" }, /* 222 */
- { 0x02, 224, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 223 */
- { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 224 */
- { 0x02, 255, 1, 9, "eess1-params" }, /* 225 */
- { 0x01, 227, 0, 10, "ees251ep1" }, /* 226 */
- { 0x02, 228, 0, 10, "ees347ep1" }, /* 227 */
- { 0x03, 229, 0, 10, "ees503ep1" }, /* 228 */
- { 0x07, 230, 0, 10, "ees251sp2" }, /* 229 */
- { 0x0C, 231, 0, 10, "ees251ep4" }, /* 230 */
- { 0x0D, 232, 0, 10, "ees251ep5" }, /* 231 */
- { 0x0E, 233, 0, 10, "ees251sp3" }, /* 232 */
- { 0x0F, 234, 0, 10, "ees251sp4" }, /* 233 */
- { 0x10, 235, 0, 10, "ees251sp5" }, /* 234 */
- { 0x11, 236, 0, 10, "ees251sp6" }, /* 235 */
- { 0x12, 237, 0, 10, "ees251sp7" }, /* 236 */
- { 0x13, 238, 0, 10, "ees251sp8" }, /* 237 */
- { 0x14, 239, 0, 10, "ees251sp9" }, /* 238 */
- { 0x22, 240, 0, 10, "ees401ep1" }, /* 239 */
- { 0x23, 241, 0, 10, "ees449ep1" }, /* 240 */
- { 0x24, 242, 0, 10, "ees677ep1" }, /* 241 */
- { 0x25, 243, 0, 10, "ees1087ep2" }, /* 242 */
- { 0x26, 244, 0, 10, "ees541ep1" }, /* 243 */
- { 0x27, 245, 0, 10, "ees613ep1" }, /* 244 */
- { 0x28, 246, 0, 10, "ees887ep1" }, /* 245 */
- { 0x29, 247, 0, 10, "ees1171ep1" }, /* 246 */
- { 0x2A, 248, 0, 10, "ees659ep1" }, /* 247 */
- { 0x2B, 249, 0, 10, "ees761ep1" }, /* 248 */
- { 0x2C, 250, 0, 10, "ees1087ep1" }, /* 249 */
- { 0x2D, 251, 0, 10, "ees1499ep1" }, /* 250 */
- { 0x2E, 252, 0, 10, "ees401ep2" }, /* 251 */
- { 0x2F, 253, 0, 10, "ees439ep1" }, /* 252 */
- { 0x30, 254, 0, 10, "ees593ep1" }, /* 253 */
- { 0x31, 0, 0, 10, "ees743ep1" }, /* 254 */
- { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 255 */
- { 0x05, 0, 1, 3, "security" }, /* 256 */
- { 0x05, 0, 1, 4, "mechanisms" }, /* 257 */
- { 0x07, 302, 1, 5, "id-pkix" }, /* 258 */
- { 0x01, 263, 1, 6, "id-pe" }, /* 259 */
- { 0x01, 261, 0, 7, "authorityInfoAccess" }, /* 260 */
- { 0x03, 262, 0, 7, "qcStatements" }, /* 261 */
- { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 262 */
- { 0x02, 266, 1, 6, "id-qt" }, /* 263 */
- { 0x01, 265, 0, 7, "cps" }, /* 264 */
- { 0x02, 0, 0, 7, "unotice" }, /* 265 */
- { 0x03, 276, 1, 6, "id-kp" }, /* 266 */
- { 0x01, 268, 0, 7, "serverAuth" }, /* 267 */
- { 0x02, 269, 0, 7, "clientAuth" }, /* 268 */
- { 0x03, 270, 0, 7, "codeSigning" }, /* 269 */
- { 0x04, 271, 0, 7, "emailProtection" }, /* 270 */
- { 0x05, 272, 0, 7, "ipsecEndSystem" }, /* 271 */
- { 0x06, 273, 0, 7, "ipsecTunnel" }, /* 272 */
- { 0x07, 274, 0, 7, "ipsecUser" }, /* 273 */
- { 0x08, 275, 0, 7, "timeStamping" }, /* 274 */
- { 0x09, 0, 0, 7, "ocspSigning" }, /* 275 */
- { 0x08, 284, 1, 6, "id-otherNames" }, /* 276 */
- { 0x01, 278, 0, 7, "personalData" }, /* 277 */
- { 0x02, 279, 0, 7, "userGroup" }, /* 278 */
- { 0x03, 280, 0, 7, "id-on-permanentIdentifier" }, /* 279 */
- { 0x04, 281, 0, 7, "id-on-hardwareModuleName" }, /* 280 */
- { 0x05, 282, 0, 7, "xmppAddr" }, /* 281 */
- { 0x06, 283, 0, 7, "id-on-SIM" }, /* 282 */
- { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 283 */
- { 0x0A, 289, 1, 6, "id-aca" }, /* 284 */
- { 0x01, 286, 0, 7, "authenticationInfo" }, /* 285 */
- { 0x02, 287, 0, 7, "accessIdentity" }, /* 286 */
- { 0x03, 288, 0, 7, "chargingIdentity" }, /* 287 */
- { 0x04, 0, 0, 7, "group" }, /* 288 */
- { 0x0B, 290, 0, 6, "subjectInfoAccess" }, /* 289 */
- { 0x30, 0, 1, 6, "id-ad" }, /* 290 */
- { 0x01, 299, 1, 7, "ocsp" }, /* 291 */
- { 0x01, 293, 0, 8, "basic" }, /* 292 */
- { 0x02, 294, 0, 8, "nonce" }, /* 293 */
- { 0x03, 295, 0, 8, "crl" }, /* 294 */
- { 0x04, 296, 0, 8, "response" }, /* 295 */
- { 0x05, 297, 0, 8, "noCheck" }, /* 296 */
- { 0x06, 298, 0, 8, "archiveCutoff" }, /* 297 */
- { 0x07, 0, 0, 8, "serviceLocator" }, /* 298 */
- { 0x02, 300, 0, 7, "caIssuers" }, /* 299 */
- { 0x03, 301, 0, 7, "timeStamping" }, /* 300 */
- { 0x05, 0, 0, 7, "caRepository" }, /* 301 */
- { 0x08, 0, 1, 5, "ipsec" }, /* 302 */
- { 0x02, 0, 1, 6, "certificate" }, /* 303 */
- { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 304 */
- { 0x0E, 311, 1, 1, "oiw" }, /* 305 */
- { 0x03, 0, 1, 2, "secsig" }, /* 306 */
- { 0x02, 0, 1, 3, "algorithms" }, /* 307 */
- { 0x07, 309, 0, 4, "des-cbc" }, /* 308 */
- { 0x1A, 310, 0, 4, "sha-1" }, /* 309 */
- { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 310 */
- { 0x24, 357, 1, 1, "TeleTrusT" }, /* 311 */
- { 0x03, 0, 1, 2, "algorithm" }, /* 312 */
- { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 313 */
- { 0x01, 318, 1, 4, "rsaSignature" }, /* 314 */
- { 0x02, 316, 0, 5, "rsaSigWithripemd160" }, /* 315 */
- { 0x03, 317, 0, 5, "rsaSigWithripemd128" }, /* 316 */
- { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 317 */
- { 0x02, 0, 1, 4, "ecSign" }, /* 318 */
- { 0x01, 320, 0, 5, "ecSignWithsha1" }, /* 319 */
- { 0x02, 321, 0, 5, "ecSignWithripemd160" }, /* 320 */
- { 0x03, 322, 0, 5, "ecSignWithmd2" }, /* 321 */
- { 0x04, 323, 0, 5, "ecSignWithmd5" }, /* 322 */
- { 0x05, 340, 1, 5, "ttt-ecg" }, /* 323 */
- { 0x01, 328, 1, 6, "fieldType" }, /* 324 */
- { 0x01, 0, 1, 7, "characteristictwoField" }, /* 325 */
- { 0x01, 0, 1, 8, "basisType" }, /* 326 */
- { 0x01, 0, 0, 9, "ipBasis" }, /* 327 */
- { 0x02, 330, 1, 6, "keyType" }, /* 328 */
- { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 329 */
- { 0x03, 331, 0, 6, "curve" }, /* 330 */
- { 0x04, 338, 1, 6, "signatures" }, /* 331 */
- { 0x01, 333, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 332 */
- { 0x02, 334, 0, 7, "ecgdsa-with-SHA1" }, /* 333 */
- { 0x03, 335, 0, 7, "ecgdsa-with-SHA224" }, /* 334 */
- { 0x04, 336, 0, 7, "ecgdsa-with-SHA256" }, /* 335 */
- { 0x05, 337, 0, 7, "ecgdsa-with-SHA384" }, /* 336 */
- { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 337 */
- { 0x05, 0, 1, 6, "module" }, /* 338 */
- { 0x01, 0, 0, 7, "1" }, /* 339 */
- { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 340 */
- { 0x01, 0, 1, 6, "ellipticCurve" }, /* 341 */
- { 0x01, 0, 1, 7, "versionOne" }, /* 342 */
- { 0x01, 344, 0, 8, "brainpoolP160r1" }, /* 343 */
- { 0x02, 345, 0, 8, "brainpoolP160t1" }, /* 344 */
- { 0x03, 346, 0, 8, "brainpoolP192r1" }, /* 345 */
- { 0x04, 347, 0, 8, "brainpoolP192t1" }, /* 346 */
- { 0x05, 348, 0, 8, "brainpoolP224r1" }, /* 347 */
- { 0x06, 349, 0, 8, "brainpoolP224t1" }, /* 348 */
- { 0x07, 350, 0, 8, "brainpoolP256r1" }, /* 349 */
- { 0x08, 351, 0, 8, "brainpoolP256t1" }, /* 350 */
- { 0x09, 352, 0, 8, "brainpoolP320r1" }, /* 351 */
- { 0x0A, 353, 0, 8, "brainpoolP320t1" }, /* 352 */
- { 0x0B, 354, 0, 8, "brainpoolP384r1" }, /* 353 */
- { 0x0C, 355, 0, 8, "brainpoolP384t1" }, /* 354 */
- { 0x0D, 356, 0, 8, "brainpoolP512r1" }, /* 355 */
- { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 356 */
- { 0x81, 0, 1, 1, "" }, /* 357 */
- { 0x04, 0, 1, 2, "Certicom" }, /* 358 */
- { 0x00, 0, 1, 3, "curve" }, /* 359 */
- { 0x01, 361, 0, 4, "sect163k1" }, /* 360 */
- { 0x02, 362, 0, 4, "sect163r1" }, /* 361 */
- { 0x03, 363, 0, 4, "sect239k1" }, /* 362 */
- { 0x04, 364, 0, 4, "sect113r1" }, /* 363 */
- { 0x05, 365, 0, 4, "sect113r2" }, /* 364 */
- { 0x06, 366, 0, 4, "secp112r1" }, /* 365 */
- { 0x07, 367, 0, 4, "secp112r2" }, /* 366 */
- { 0x08, 368, 0, 4, "secp160r1" }, /* 367 */
- { 0x09, 369, 0, 4, "secp160k1" }, /* 368 */
- { 0x0A, 370, 0, 4, "secp256k1" }, /* 369 */
- { 0x0F, 371, 0, 4, "sect163r2" }, /* 370 */
- { 0x10, 372, 0, 4, "sect283k1" }, /* 371 */
- { 0x11, 373, 0, 4, "sect283r1" }, /* 372 */
- { 0x16, 374, 0, 4, "sect131r1" }, /* 373 */
- { 0x17, 375, 0, 4, "sect131r2" }, /* 374 */
- { 0x18, 376, 0, 4, "sect193r1" }, /* 375 */
- { 0x19, 377, 0, 4, "sect193r2" }, /* 376 */
- { 0x1A, 378, 0, 4, "sect233k1" }, /* 377 */
- { 0x1B, 379, 0, 4, "sect233r1" }, /* 378 */
- { 0x1C, 380, 0, 4, "secp128r1" }, /* 379 */
- { 0x1D, 381, 0, 4, "secp128r2" }, /* 380 */
- { 0x1E, 382, 0, 4, "secp160r2" }, /* 381 */
- { 0x1F, 383, 0, 4, "secp192k1" }, /* 382 */
- { 0x20, 384, 0, 4, "secp224k1" }, /* 383 */
- { 0x21, 385, 0, 4, "secp224r1" }, /* 384 */
- { 0x22, 386, 0, 4, "secp384r1" }, /* 385 */
- { 0x23, 387, 0, 4, "secp521r1" }, /* 386 */
- { 0x24, 388, 0, 4, "sect409k1" }, /* 387 */
- { 0x25, 389, 0, 4, "sect409r1" }, /* 388 */
- { 0x26, 390, 0, 4, "sect571k1" }, /* 389 */
- { 0x27, 0, 0, 4, "sect571r1" }, /* 390 */
- {0x60, 445, 1, 0, "" }, /* 391 */
- { 0x86, 0, 1, 1, "" }, /* 392 */
- { 0x48, 0, 1, 2, "" }, /* 393 */
- { 0x01, 0, 1, 3, "organization" }, /* 394 */
- { 0x65, 421, 1, 4, "gov" }, /* 395 */
- { 0x03, 0, 1, 5, "csor" }, /* 396 */
- { 0x04, 0, 1, 6, "nistalgorithm" }, /* 397 */
- { 0x01, 408, 1, 7, "aes" }, /* 398 */
- { 0x02, 400, 0, 8, "id-aes128-CBC" }, /* 399 */
- { 0x06, 401, 0, 8, "id-aes128-GCM" }, /* 400 */
- { 0x07, 402, 0, 8, "id-aes128-CCM" }, /* 401 */
- { 0x16, 403, 0, 8, "id-aes192-CBC" }, /* 402 */
- { 0x1A, 404, 0, 8, "id-aes192-GCM" }, /* 403 */
- { 0x1B, 405, 0, 8, "id-aes192-CCM" }, /* 404 */
- { 0x2A, 406, 0, 8, "id-aes256-CBC" }, /* 405 */
- { 0x2E, 407, 0, 8, "id-aes256-GCM" }, /* 406 */
- { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 407 */
- { 0x02, 0, 1, 7, "hashalgs" }, /* 408 */
- { 0x01, 410, 0, 8, "id-sha256" }, /* 409 */
- { 0x02, 411, 0, 8, "id-sha384" }, /* 410 */
- { 0x03, 412, 0, 8, "id-sha512" }, /* 411 */
- { 0x04, 413, 0, 8, "id-sha224" }, /* 412 */
- { 0x05, 414, 0, 8, "id-sha512-224" }, /* 413 */
- { 0x06, 415, 0, 8, "id-sha512-256" }, /* 414 */
- { 0x07, 416, 0, 8, "id-sha3-224" }, /* 415 */
- { 0x08, 417, 0, 8, "id-sha3-256" }, /* 416 */
- { 0x09, 418, 0, 8, "id-sha3-384" }, /* 417 */
- { 0x0A, 419, 0, 8, "id-sha3-512" }, /* 418 */
- { 0x0B, 420, 0, 8, "id-shake128" }, /* 419 */
- { 0x0C, 0, 0, 8, "id-shake256" }, /* 420 */
- { 0x86, 0, 1, 4, "" }, /* 421 */
- { 0xf8, 0, 1, 5, "" }, /* 422 */
- { 0x42, 435, 1, 6, "netscape" }, /* 423 */
- { 0x01, 430, 1, 7, "" }, /* 424 */
- { 0x01, 426, 0, 8, "nsCertType" }, /* 425 */
- { 0x03, 427, 0, 8, "nsRevocationUrl" }, /* 426 */
- { 0x04, 428, 0, 8, "nsCaRevocationUrl" }, /* 427 */
- { 0x08, 429, 0, 8, "nsCaPolicyUrl" }, /* 428 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 429 */
- { 0x03, 433, 1, 7, "directory" }, /* 430 */
- { 0x01, 0, 1, 8, "" }, /* 431 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 432 */
- { 0x04, 0, 1, 7, "policy" }, /* 433 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 434 */
- { 0x45, 0, 1, 6, "verisign" }, /* 435 */
- { 0x01, 0, 1, 7, "pki" }, /* 436 */
- { 0x09, 0, 1, 8, "attributes" }, /* 437 */
- { 0x02, 439, 0, 9, "messageType" }, /* 438 */
- { 0x03, 440, 0, 9, "pkiStatus" }, /* 439 */
- { 0x04, 441, 0, 9, "failInfo" }, /* 440 */
- { 0x05, 442, 0, 9, "senderNonce" }, /* 441 */
- { 0x06, 443, 0, 9, "recipientNonce" }, /* 442 */
- { 0x07, 444, 0, 9, "transID" }, /* 443 */
- { 0x08, 0, 0, 9, "extensionReq" }, /* 444 */
- {0x67, 0, 1, 0, "" }, /* 445 */
- { 0x81, 0, 1, 1, "" }, /* 446 */
- { 0x05, 0, 1, 2, "" }, /* 447 */
- { 0x02, 0, 1, 3, "tcg-attribute" }, /* 448 */
- { 0x01, 450, 0, 4, "tcg-at-tpmManufacturer" }, /* 449 */
- { 0x02, 451, 0, 4, "tcg-at-tpmModel" }, /* 450 */
- { 0x03, 452, 0, 4, "tcg-at-tpmVersion" }, /* 451 */
- { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 452 */
+ { 0x01, 210, 0, 8, "strongSwan" }, /* 209 */
+ { 0x02, 211, 0, 8, "cps" }, /* 210 */
+ { 0x03, 212, 0, 8, "e-voting" }, /* 211 */
+ { 0x05, 0, 1, 8, "BLISS" }, /* 212 */
+ { 0x01, 215, 1, 9, "keyType" }, /* 213 */
+ { 0x01, 0, 0, 10, "blissPublicKey" }, /* 214 */
+ { 0x02, 224, 1, 9, "parameters" }, /* 215 */
+ { 0x01, 217, 0, 10, "BLISS-I" }, /* 216 */
+ { 0x02, 218, 0, 10, "BLISS-II" }, /* 217 */
+ { 0x03, 219, 0, 10, "BLISS-III" }, /* 218 */
+ { 0x04, 220, 0, 10, "BLISS-IV" }, /* 219 */
+ { 0x05, 221, 0, 10, "BLISS-B-I" }, /* 220 */
+ { 0x06, 222, 0, 10, "BLISS-B-II" }, /* 221 */
+ { 0x07, 223, 0, 10, "BLISS-B-III" }, /* 222 */
+ { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 223 */
+ { 0x03, 0, 1, 9, "blissSigType" }, /* 224 */
+ { 0x01, 226, 0, 10, "BLISS-with-SHA512" }, /* 225 */
+ { 0x02, 227, 0, 10, "BLISS-with-SHA384" }, /* 226 */
+ { 0x03, 0, 0, 10, "BLISS-with-SHA256" }, /* 227 */
+ { 0x89, 235, 1, 5, "" }, /* 228 */
+ { 0x31, 0, 1, 6, "" }, /* 229 */
+ { 0x01, 0, 1, 7, "" }, /* 230 */
+ { 0x01, 0, 1, 8, "" }, /* 231 */
+ { 0x02, 0, 1, 9, "" }, /* 232 */
+ { 0x02, 0, 1, 10, "" }, /* 233 */
+ { 0x4B, 0, 0, 11, "TCGID" }, /* 234 */
+ { 0x97, 239, 1, 5, "" }, /* 235 */
+ { 0x55, 0, 1, 6, "" }, /* 236 */
+ { 0x01, 0, 1, 7, "" }, /* 237 */
+ { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 238 */
+ { 0xC1, 0, 1, 5, "" }, /* 239 */
+ { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 240 */
+ { 0x01, 0, 1, 7, "eess" }, /* 241 */
+ { 0x01, 0, 1, 8, "eess1" }, /* 242 */
+ { 0x01, 247, 1, 9, "eess1-algs" }, /* 243 */
+ { 0x01, 245, 0, 10, "ntru-EESS1v1-SVES" }, /* 244 */
+ { 0x02, 246, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 245 */
+ { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 246 */
+ { 0x02, 277, 1, 9, "eess1-params" }, /* 247 */
+ { 0x01, 249, 0, 10, "ees251ep1" }, /* 248 */
+ { 0x02, 250, 0, 10, "ees347ep1" }, /* 249 */
+ { 0x03, 251, 0, 10, "ees503ep1" }, /* 250 */
+ { 0x07, 252, 0, 10, "ees251sp2" }, /* 251 */
+ { 0x0C, 253, 0, 10, "ees251ep4" }, /* 252 */
+ { 0x0D, 254, 0, 10, "ees251ep5" }, /* 253 */
+ { 0x0E, 255, 0, 10, "ees251sp3" }, /* 254 */
+ { 0x0F, 256, 0, 10, "ees251sp4" }, /* 255 */
+ { 0x10, 257, 0, 10, "ees251sp5" }, /* 256 */
+ { 0x11, 258, 0, 10, "ees251sp6" }, /* 257 */
+ { 0x12, 259, 0, 10, "ees251sp7" }, /* 258 */
+ { 0x13, 260, 0, 10, "ees251sp8" }, /* 259 */
+ { 0x14, 261, 0, 10, "ees251sp9" }, /* 260 */
+ { 0x22, 262, 0, 10, "ees401ep1" }, /* 261 */
+ { 0x23, 263, 0, 10, "ees449ep1" }, /* 262 */
+ { 0x24, 264, 0, 10, "ees677ep1" }, /* 263 */
+ { 0x25, 265, 0, 10, "ees1087ep2" }, /* 264 */
+ { 0x26, 266, 0, 10, "ees541ep1" }, /* 265 */
+ { 0x27, 267, 0, 10, "ees613ep1" }, /* 266 */
+ { 0x28, 268, 0, 10, "ees887ep1" }, /* 267 */
+ { 0x29, 269, 0, 10, "ees1171ep1" }, /* 268 */
+ { 0x2A, 270, 0, 10, "ees659ep1" }, /* 269 */
+ { 0x2B, 271, 0, 10, "ees761ep1" }, /* 270 */
+ { 0x2C, 272, 0, 10, "ees1087ep1" }, /* 271 */
+ { 0x2D, 273, 0, 10, "ees1499ep1" }, /* 272 */
+ { 0x2E, 274, 0, 10, "ees401ep2" }, /* 273 */
+ { 0x2F, 275, 0, 10, "ees439ep1" }, /* 274 */
+ { 0x30, 276, 0, 10, "ees593ep1" }, /* 275 */
+ { 0x31, 0, 0, 10, "ees743ep1" }, /* 276 */
+ { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 277 */
+ { 0x05, 0, 1, 3, "security" }, /* 278 */
+ { 0x05, 0, 1, 4, "mechanisms" }, /* 279 */
+ { 0x07, 324, 1, 5, "id-pkix" }, /* 280 */
+ { 0x01, 285, 1, 6, "id-pe" }, /* 281 */
+ { 0x01, 283, 0, 7, "authorityInfoAccess" }, /* 282 */
+ { 0x03, 284, 0, 7, "qcStatements" }, /* 283 */
+ { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 284 */
+ { 0x02, 288, 1, 6, "id-qt" }, /* 285 */
+ { 0x01, 287, 0, 7, "cps" }, /* 286 */
+ { 0x02, 0, 0, 7, "unotice" }, /* 287 */
+ { 0x03, 298, 1, 6, "id-kp" }, /* 288 */
+ { 0x01, 290, 0, 7, "serverAuth" }, /* 289 */
+ { 0x02, 291, 0, 7, "clientAuth" }, /* 290 */
+ { 0x03, 292, 0, 7, "codeSigning" }, /* 291 */
+ { 0x04, 293, 0, 7, "emailProtection" }, /* 292 */
+ { 0x05, 294, 0, 7, "ipsecEndSystem" }, /* 293 */
+ { 0x06, 295, 0, 7, "ipsecTunnel" }, /* 294 */
+ { 0x07, 296, 0, 7, "ipsecUser" }, /* 295 */
+ { 0x08, 297, 0, 7, "timeStamping" }, /* 296 */
+ { 0x09, 0, 0, 7, "ocspSigning" }, /* 297 */
+ { 0x08, 306, 1, 6, "id-otherNames" }, /* 298 */
+ { 0x01, 300, 0, 7, "personalData" }, /* 299 */
+ { 0x02, 301, 0, 7, "userGroup" }, /* 300 */
+ { 0x03, 302, 0, 7, "id-on-permanentIdentifier" }, /* 301 */
+ { 0x04, 303, 0, 7, "id-on-hardwareModuleName" }, /* 302 */
+ { 0x05, 304, 0, 7, "xmppAddr" }, /* 303 */
+ { 0x06, 305, 0, 7, "id-on-SIM" }, /* 304 */
+ { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 305 */
+ { 0x0A, 311, 1, 6, "id-aca" }, /* 306 */
+ { 0x01, 308, 0, 7, "authenticationInfo" }, /* 307 */
+ { 0x02, 309, 0, 7, "accessIdentity" }, /* 308 */
+ { 0x03, 310, 0, 7, "chargingIdentity" }, /* 309 */
+ { 0x04, 0, 0, 7, "group" }, /* 310 */
+ { 0x0B, 312, 0, 6, "subjectInfoAccess" }, /* 311 */
+ { 0x30, 0, 1, 6, "id-ad" }, /* 312 */
+ { 0x01, 321, 1, 7, "ocsp" }, /* 313 */
+ { 0x01, 315, 0, 8, "basic" }, /* 314 */
+ { 0x02, 316, 0, 8, "nonce" }, /* 315 */
+ { 0x03, 317, 0, 8, "crl" }, /* 316 */
+ { 0x04, 318, 0, 8, "response" }, /* 317 */
+ { 0x05, 319, 0, 8, "noCheck" }, /* 318 */
+ { 0x06, 320, 0, 8, "archiveCutoff" }, /* 319 */
+ { 0x07, 0, 0, 8, "serviceLocator" }, /* 320 */
+ { 0x02, 322, 0, 7, "caIssuers" }, /* 321 */
+ { 0x03, 323, 0, 7, "timeStamping" }, /* 322 */
+ { 0x05, 0, 0, 7, "caRepository" }, /* 323 */
+ { 0x08, 0, 1, 5, "ipsec" }, /* 324 */
+ { 0x02, 0, 1, 6, "certificate" }, /* 325 */
+ { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 326 */
+ { 0x0E, 333, 1, 1, "oiw" }, /* 327 */
+ { 0x03, 0, 1, 2, "secsig" }, /* 328 */
+ { 0x02, 0, 1, 3, "algorithms" }, /* 329 */
+ { 0x07, 331, 0, 4, "des-cbc" }, /* 330 */
+ { 0x1A, 332, 0, 4, "sha-1" }, /* 331 */
+ { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 332 */
+ { 0x24, 379, 1, 1, "TeleTrusT" }, /* 333 */
+ { 0x03, 0, 1, 2, "algorithm" }, /* 334 */
+ { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 335 */
+ { 0x01, 340, 1, 4, "rsaSignature" }, /* 336 */
+ { 0x02, 338, 0, 5, "rsaSigWithripemd160" }, /* 337 */
+ { 0x03, 339, 0, 5, "rsaSigWithripemd128" }, /* 338 */
+ { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 339 */
+ { 0x02, 0, 1, 4, "ecSign" }, /* 340 */
+ { 0x01, 342, 0, 5, "ecSignWithsha1" }, /* 341 */
+ { 0x02, 343, 0, 5, "ecSignWithripemd160" }, /* 342 */
+ { 0x03, 344, 0, 5, "ecSignWithmd2" }, /* 343 */
+ { 0x04, 345, 0, 5, "ecSignWithmd5" }, /* 344 */
+ { 0x05, 362, 1, 5, "ttt-ecg" }, /* 345 */
+ { 0x01, 350, 1, 6, "fieldType" }, /* 346 */
+ { 0x01, 0, 1, 7, "characteristictwoField" }, /* 347 */
+ { 0x01, 0, 1, 8, "basisType" }, /* 348 */
+ { 0x01, 0, 0, 9, "ipBasis" }, /* 349 */
+ { 0x02, 352, 1, 6, "keyType" }, /* 350 */
+ { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 351 */
+ { 0x03, 353, 0, 6, "curve" }, /* 352 */
+ { 0x04, 360, 1, 6, "signatures" }, /* 353 */
+ { 0x01, 355, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 354 */
+ { 0x02, 356, 0, 7, "ecgdsa-with-SHA1" }, /* 355 */
+ { 0x03, 357, 0, 7, "ecgdsa-with-SHA224" }, /* 356 */
+ { 0x04, 358, 0, 7, "ecgdsa-with-SHA256" }, /* 357 */
+ { 0x05, 359, 0, 7, "ecgdsa-with-SHA384" }, /* 358 */
+ { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 359 */
+ { 0x05, 0, 1, 6, "module" }, /* 360 */
+ { 0x01, 0, 0, 7, "1" }, /* 361 */
+ { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 362 */
+ { 0x01, 0, 1, 6, "ellipticCurve" }, /* 363 */
+ { 0x01, 0, 1, 7, "versionOne" }, /* 364 */
+ { 0x01, 366, 0, 8, "brainpoolP160r1" }, /* 365 */
+ { 0x02, 367, 0, 8, "brainpoolP160t1" }, /* 366 */
+ { 0x03, 368, 0, 8, "brainpoolP192r1" }, /* 367 */
+ { 0x04, 369, 0, 8, "brainpoolP192t1" }, /* 368 */
+ { 0x05, 370, 0, 8, "brainpoolP224r1" }, /* 369 */
+ { 0x06, 371, 0, 8, "brainpoolP224t1" }, /* 370 */
+ { 0x07, 372, 0, 8, "brainpoolP256r1" }, /* 371 */
+ { 0x08, 373, 0, 8, "brainpoolP256t1" }, /* 372 */
+ { 0x09, 374, 0, 8, "brainpoolP320r1" }, /* 373 */
+ { 0x0A, 375, 0, 8, "brainpoolP320t1" }, /* 374 */
+ { 0x0B, 376, 0, 8, "brainpoolP384r1" }, /* 375 */
+ { 0x0C, 377, 0, 8, "brainpoolP384t1" }, /* 376 */
+ { 0x0D, 378, 0, 8, "brainpoolP512r1" }, /* 377 */
+ { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 378 */
+ { 0x81, 0, 1, 1, "" }, /* 379 */
+ { 0x04, 0, 1, 2, "Certicom" }, /* 380 */
+ { 0x00, 0, 1, 3, "curve" }, /* 381 */
+ { 0x01, 383, 0, 4, "sect163k1" }, /* 382 */
+ { 0x02, 384, 0, 4, "sect163r1" }, /* 383 */
+ { 0x03, 385, 0, 4, "sect239k1" }, /* 384 */
+ { 0x04, 386, 0, 4, "sect113r1" }, /* 385 */
+ { 0x05, 387, 0, 4, "sect113r2" }, /* 386 */
+ { 0x06, 388, 0, 4, "secp112r1" }, /* 387 */
+ { 0x07, 389, 0, 4, "secp112r2" }, /* 388 */
+ { 0x08, 390, 0, 4, "secp160r1" }, /* 389 */
+ { 0x09, 391, 0, 4, "secp160k1" }, /* 390 */
+ { 0x0A, 392, 0, 4, "secp256k1" }, /* 391 */
+ { 0x0F, 393, 0, 4, "sect163r2" }, /* 392 */
+ { 0x10, 394, 0, 4, "sect283k1" }, /* 393 */
+ { 0x11, 395, 0, 4, "sect283r1" }, /* 394 */
+ { 0x16, 396, 0, 4, "sect131r1" }, /* 395 */
+ { 0x17, 397, 0, 4, "sect131r2" }, /* 396 */
+ { 0x18, 398, 0, 4, "sect193r1" }, /* 397 */
+ { 0x19, 399, 0, 4, "sect193r2" }, /* 398 */
+ { 0x1A, 400, 0, 4, "sect233k1" }, /* 399 */
+ { 0x1B, 401, 0, 4, "sect233r1" }, /* 400 */
+ { 0x1C, 402, 0, 4, "secp128r1" }, /* 401 */
+ { 0x1D, 403, 0, 4, "secp128r2" }, /* 402 */
+ { 0x1E, 404, 0, 4, "secp160r2" }, /* 403 */
+ { 0x1F, 405, 0, 4, "secp192k1" }, /* 404 */
+ { 0x20, 406, 0, 4, "secp224k1" }, /* 405 */
+ { 0x21, 407, 0, 4, "secp224r1" }, /* 406 */
+ { 0x22, 408, 0, 4, "secp384r1" }, /* 407 */
+ { 0x23, 409, 0, 4, "secp521r1" }, /* 408 */
+ { 0x24, 410, 0, 4, "sect409k1" }, /* 409 */
+ { 0x25, 411, 0, 4, "sect409r1" }, /* 410 */
+ { 0x26, 412, 0, 4, "sect571k1" }, /* 411 */
+ { 0x27, 0, 0, 4, "sect571r1" }, /* 412 */
+ {0x60, 467, 1, 0, "" }, /* 413 */
+ { 0x86, 0, 1, 1, "" }, /* 414 */
+ { 0x48, 0, 1, 2, "" }, /* 415 */
+ { 0x01, 0, 1, 3, "organization" }, /* 416 */
+ { 0x65, 443, 1, 4, "gov" }, /* 417 */
+ { 0x03, 0, 1, 5, "csor" }, /* 418 */
+ { 0x04, 0, 1, 6, "nistalgorithm" }, /* 419 */
+ { 0x01, 430, 1, 7, "aes" }, /* 420 */
+ { 0x02, 422, 0, 8, "id-aes128-CBC" }, /* 421 */
+ { 0x06, 423, 0, 8, "id-aes128-GCM" }, /* 422 */
+ { 0x07, 424, 0, 8, "id-aes128-CCM" }, /* 423 */
+ { 0x16, 425, 0, 8, "id-aes192-CBC" }, /* 424 */
+ { 0x1A, 426, 0, 8, "id-aes192-GCM" }, /* 425 */
+ { 0x1B, 427, 0, 8, "id-aes192-CCM" }, /* 426 */
+ { 0x2A, 428, 0, 8, "id-aes256-CBC" }, /* 427 */
+ { 0x2E, 429, 0, 8, "id-aes256-GCM" }, /* 428 */
+ { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 429 */
+ { 0x02, 0, 1, 7, "hashalgs" }, /* 430 */
+ { 0x01, 432, 0, 8, "id-sha256" }, /* 431 */
+ { 0x02, 433, 0, 8, "id-sha384" }, /* 432 */
+ { 0x03, 434, 0, 8, "id-sha512" }, /* 433 */
+ { 0x04, 435, 0, 8, "id-sha224" }, /* 434 */
+ { 0x05, 436, 0, 8, "id-sha512-224" }, /* 435 */
+ { 0x06, 437, 0, 8, "id-sha512-256" }, /* 436 */
+ { 0x07, 438, 0, 8, "id-sha3-224" }, /* 437 */
+ { 0x08, 439, 0, 8, "id-sha3-256" }, /* 438 */
+ { 0x09, 440, 0, 8, "id-sha3-384" }, /* 439 */
+ { 0x0A, 441, 0, 8, "id-sha3-512" }, /* 440 */
+ { 0x0B, 442, 0, 8, "id-shake128" }, /* 441 */
+ { 0x0C, 0, 0, 8, "id-shake256" }, /* 442 */
+ { 0x86, 0, 1, 4, "" }, /* 443 */
+ { 0xf8, 0, 1, 5, "" }, /* 444 */
+ { 0x42, 457, 1, 6, "netscape" }, /* 445 */
+ { 0x01, 452, 1, 7, "" }, /* 446 */
+ { 0x01, 448, 0, 8, "nsCertType" }, /* 447 */
+ { 0x03, 449, 0, 8, "nsRevocationUrl" }, /* 448 */
+ { 0x04, 450, 0, 8, "nsCaRevocationUrl" }, /* 449 */
+ { 0x08, 451, 0, 8, "nsCaPolicyUrl" }, /* 450 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 451 */
+ { 0x03, 455, 1, 7, "directory" }, /* 452 */
+ { 0x01, 0, 1, 8, "" }, /* 453 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 454 */
+ { 0x04, 0, 1, 7, "policy" }, /* 455 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 456 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 457 */
+ { 0x01, 0, 1, 7, "pki" }, /* 458 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 459 */
+ { 0x02, 461, 0, 9, "messageType" }, /* 460 */
+ { 0x03, 462, 0, 9, "pkiStatus" }, /* 461 */
+ { 0x04, 463, 0, 9, "failInfo" }, /* 462 */
+ { 0x05, 464, 0, 9, "senderNonce" }, /* 463 */
+ { 0x06, 465, 0, 9, "recipientNonce" }, /* 464 */
+ { 0x07, 466, 0, 9, "transID" }, /* 465 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 466 */
+ {0x67, 0, 1, 0, "" }, /* 467 */
+ { 0x81, 0, 1, 1, "" }, /* 468 */
+ { 0x05, 0, 1, 2, "" }, /* 469 */
+ { 0x02, 0, 1, 3, "tcg-attribute" }, /* 470 */
+ { 0x01, 472, 0, 4, "tcg-at-tpmManufacturer" }, /* 471 */
+ { 0x02, 473, 0, 4, "tcg-at-tpmModel" }, /* 472 */
+ { 0x03, 474, 0, 4, "tcg-at-tpmVersion" }, /* 473 */
+ { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 474 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 0933f236a..0f7c5d644 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -141,99 +141,112 @@ extern const oid_t oid_names[];
#define OID_MS_SMARTCARD_LOGON 202
#define OID_USER_PRINCIPAL_NAME 203
#define OID_STRONGSWAN 209
-#define OID_TCGID 216
-#define OID_AUTHORITY_INFO_ACCESS 260
-#define OID_IP_ADDR_BLOCKS 262
-#define OID_POLICY_QUALIFIER_CPS 264
-#define OID_POLICY_QUALIFIER_UNOTICE 265
-#define OID_SERVER_AUTH 267
-#define OID_CLIENT_AUTH 268
-#define OID_OCSP_SIGNING 275
-#define OID_XMPP_ADDR 281
-#define OID_AUTHENTICATION_INFO 285
-#define OID_ACCESS_IDENTITY 286
-#define OID_CHARGING_IDENTITY 287
-#define OID_GROUP 288
-#define OID_OCSP 291
-#define OID_BASIC 292
-#define OID_NONCE 293
-#define OID_CRL 294
-#define OID_RESPONSE 295
-#define OID_NO_CHECK 296
-#define OID_ARCHIVE_CUTOFF 297
-#define OID_SERVICE_LOCATOR 298
-#define OID_CA_ISSUERS 299
-#define OID_IKE_INTERMEDIATE 304
-#define OID_DES_CBC 308
-#define OID_SHA1 309
-#define OID_SHA1_WITH_RSA_OIW 310
-#define OID_ECGDSA_PUBKEY 329
-#define OID_ECGDSA_SIG_WITH_RIPEMD160 332
-#define OID_ECGDSA_SIG_WITH_SHA1 333
-#define OID_ECGDSA_SIG_WITH_SHA224 334
-#define OID_ECGDSA_SIG_WITH_SHA256 335
-#define OID_ECGDSA_SIG_WITH_SHA384 336
-#define OID_ECGDSA_SIG_WITH_SHA512 337
-#define OID_SECT163K1 360
-#define OID_SECT163R1 361
-#define OID_SECT239K1 362
-#define OID_SECT113R1 363
-#define OID_SECT113R2 364
-#define OID_SECT112R1 365
-#define OID_SECT112R2 366
-#define OID_SECT160R1 367
-#define OID_SECT160K1 368
-#define OID_SECT256K1 369
-#define OID_SECT163R2 370
-#define OID_SECT283K1 371
-#define OID_SECT283R1 372
-#define OID_SECT131R1 373
-#define OID_SECT131R2 374
-#define OID_SECT193R1 375
-#define OID_SECT193R2 376
-#define OID_SECT233K1 377
-#define OID_SECT233R1 378
-#define OID_SECT128R1 379
-#define OID_SECT128R2 380
-#define OID_SECT160R2 381
-#define OID_SECT192K1 382
-#define OID_SECT224K1 383
-#define OID_SECT224R1 384
-#define OID_SECT384R1 385
-#define OID_SECT521R1 386
-#define OID_SECT409K1 387
-#define OID_SECT409R1 388
-#define OID_SECT571K1 389
-#define OID_SECT571R1 390
-#define OID_AES128_CBC 399
-#define OID_AES128_GCM 400
-#define OID_AES128_CCM 401
-#define OID_AES192_CBC 402
-#define OID_AES192_GCM 403
-#define OID_AES192_CCM 404
-#define OID_AES256_CBC 405
-#define OID_AES256_GCM 406
-#define OID_AES256_CCM 407
-#define OID_SHA256 409
-#define OID_SHA384 410
-#define OID_SHA512 411
-#define OID_SHA224 412
-#define OID_NS_REVOCATION_URL 426
-#define OID_NS_CA_REVOCATION_URL 427
-#define OID_NS_CA_POLICY_URL 428
-#define OID_NS_COMMENT 429
-#define OID_EMPLOYEE_NUMBER 432
-#define OID_PKI_MESSAGE_TYPE 438
-#define OID_PKI_STATUS 439
-#define OID_PKI_FAIL_INFO 440
-#define OID_PKI_SENDER_NONCE 441
-#define OID_PKI_RECIPIENT_NONCE 442
-#define OID_PKI_TRANS_ID 443
-#define OID_TPM_MANUFACTURER 449
-#define OID_TPM_MODEL 450
-#define OID_TPM_VERSION 451
-#define OID_TPM_ID_LABEL 452
+#define OID_BLISS_PUBLICKEY 214
+#define OID_BLISS_I 216
+#define OID_BLISS_II 217
+#define OID_BLISS_III 218
+#define OID_BLISS_IV 219
+#define OID_BLISS_B_I 220
+#define OID_BLISS_B_II 221
+#define OID_BLISS_B_III 222
+#define OID_BLISS_B_IV 223
+#define OID_BLISS_WITH_SHA512 225
+#define OID_BLISS_WITH_SHA384 226
+#define OID_BLISS_WITH_SHA256 227
+#define OID_TCGID 234
+#define OID_BLOWFISH_CBC 238
+#define OID_AUTHORITY_INFO_ACCESS 282
+#define OID_IP_ADDR_BLOCKS 284
+#define OID_POLICY_QUALIFIER_CPS 286
+#define OID_POLICY_QUALIFIER_UNOTICE 287
+#define OID_SERVER_AUTH 289
+#define OID_CLIENT_AUTH 290
+#define OID_OCSP_SIGNING 297
+#define OID_XMPP_ADDR 303
+#define OID_AUTHENTICATION_INFO 307
+#define OID_ACCESS_IDENTITY 308
+#define OID_CHARGING_IDENTITY 309
+#define OID_GROUP 310
+#define OID_OCSP 313
+#define OID_BASIC 314
+#define OID_NONCE 315
+#define OID_CRL 316
+#define OID_RESPONSE 317
+#define OID_NO_CHECK 318
+#define OID_ARCHIVE_CUTOFF 319
+#define OID_SERVICE_LOCATOR 320
+#define OID_CA_ISSUERS 321
+#define OID_IKE_INTERMEDIATE 326
+#define OID_DES_CBC 330
+#define OID_SHA1 331
+#define OID_SHA1_WITH_RSA_OIW 332
+#define OID_ECGDSA_PUBKEY 351
+#define OID_ECGDSA_SIG_WITH_RIPEMD160 354
+#define OID_ECGDSA_SIG_WITH_SHA1 355
+#define OID_ECGDSA_SIG_WITH_SHA224 356
+#define OID_ECGDSA_SIG_WITH_SHA256 357
+#define OID_ECGDSA_SIG_WITH_SHA384 358
+#define OID_ECGDSA_SIG_WITH_SHA512 359
+#define OID_SECT163K1 382
+#define OID_SECT163R1 383
+#define OID_SECT239K1 384
+#define OID_SECT113R1 385
+#define OID_SECT113R2 386
+#define OID_SECT112R1 387
+#define OID_SECT112R2 388
+#define OID_SECT160R1 389
+#define OID_SECT160K1 390
+#define OID_SECT256K1 391
+#define OID_SECT163R2 392
+#define OID_SECT283K1 393
+#define OID_SECT283R1 394
+#define OID_SECT131R1 395
+#define OID_SECT131R2 396
+#define OID_SECT193R1 397
+#define OID_SECT193R2 398
+#define OID_SECT233K1 399
+#define OID_SECT233R1 400
+#define OID_SECT128R1 401
+#define OID_SECT128R2 402
+#define OID_SECT160R2 403
+#define OID_SECT192K1 404
+#define OID_SECT224K1 405
+#define OID_SECT224R1 406
+#define OID_SECT384R1 407
+#define OID_SECT521R1 408
+#define OID_SECT409K1 409
+#define OID_SECT409R1 410
+#define OID_SECT571K1 411
+#define OID_SECT571R1 412
+#define OID_AES128_CBC 421
+#define OID_AES128_GCM 422
+#define OID_AES128_CCM 423
+#define OID_AES192_CBC 424
+#define OID_AES192_GCM 425
+#define OID_AES192_CCM 426
+#define OID_AES256_CBC 427
+#define OID_AES256_GCM 428
+#define OID_AES256_CCM 429
+#define OID_SHA256 431
+#define OID_SHA384 432
+#define OID_SHA512 433
+#define OID_SHA224 434
+#define OID_NS_REVOCATION_URL 448
+#define OID_NS_CA_REVOCATION_URL 449
+#define OID_NS_CA_POLICY_URL 450
+#define OID_NS_COMMENT 451
+#define OID_EMPLOYEE_NUMBER 454
+#define OID_PKI_MESSAGE_TYPE 460
+#define OID_PKI_STATUS 461
+#define OID_PKI_FAIL_INFO 462
+#define OID_PKI_SENDER_NONCE 463
+#define OID_PKI_RECIPIENT_NONCE 464
+#define OID_PKI_TRANS_ID 465
+#define OID_TPM_MANUFACTURER 471
+#define OID_TPM_MODEL 472
+#define OID_TPM_VERSION 473
+#define OID_TPM_ID_LABEL 474
-#define OID_MAX 453
+#define OID_MAX 475
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index e545188d4..919d24c43 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -208,6 +208,24 @@
0xA0 ""
0x2A "ITA"
0x01 "strongSwan" OID_STRONGSWAN
+ 0x02 "cps"
+ 0x03 "e-voting"
+ 0x05 "BLISS"
+ 0x01 "keyType"
+ 0x01 "blissPublicKey" OID_BLISS_PUBLICKEY
+ 0x02 "parameters"
+ 0x01 "BLISS-I" OID_BLISS_I
+ 0x02 "BLISS-II" OID_BLISS_II
+ 0x03 "BLISS-III" OID_BLISS_III
+ 0x04 "BLISS-IV" OID_BLISS_IV
+ 0x05 "BLISS-B-I" OID_BLISS_B_I
+ 0x06 "BLISS-B-II" OID_BLISS_B_II
+ 0x07 "BLISS-B-III" OID_BLISS_B_III
+ 0x08 "BLISS-B-IV" OID_BLISS_B_IV
+ 0x03 "blissSigType"
+ 0x01 "BLISS-with-SHA512" OID_BLISS_WITH_SHA512
+ 0x02 "BLISS-with-SHA384" OID_BLISS_WITH_SHA384
+ 0x03 "BLISS-with-SHA256" OID_BLISS_WITH_SHA256
0x89 ""
0x31 ""
0x01 ""
@@ -215,6 +233,10 @@
0x02 ""
0x02 ""
0x4B "TCGID" OID_TCGID
+ 0x97 ""
+ 0x55 ""
+ 0x01 ""
+ 0x02 "blowfish-cbc" OID_BLOWFISH_CBC
0xC1 ""
0x16 "ntruCryptosystems"
0x01 "eess"
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index db08c6b96..0ca45a15b 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
* Copyright (C) 2007-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -49,6 +49,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
"RULE_GROUP",
"RULE_RSA_STRENGTH",
"RULE_ECDSA_STRENGTH",
+ "RULE_BLISS_STRENGTH",
"RULE_SIGNATURE_SCHEME",
"RULE_CERT_POLICY",
"HELPER_IM_CERT",
@@ -71,6 +72,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_IDENTITY:
case AUTH_RULE_IDENTITY_LOOSE:
case AUTH_RULE_EAP_IDENTITY:
@@ -207,6 +209,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
/* integer type */
this->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -255,6 +258,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
{
return e1->value == e2->value;
@@ -345,6 +349,7 @@ static void destroy_entry_value(entry_t *entry)
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
case AUTH_RULE_MAX:
break;
@@ -376,6 +381,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
/* integer type */
entry->value = (void*)(uintptr_t)va_arg(args, u_int);
@@ -450,6 +456,7 @@ METHOD(auth_cfg_t, get, void*,
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
return (void*)0;
case AUTH_RULE_SIGNATURE_SCHEME:
return (void*)HASH_UNKNOWN;
@@ -513,6 +520,7 @@ METHOD(auth_cfg_t, complies, bool,
signature_scheme_t scheme = SIGN_UNKNOWN;
u_int strength = 0;
auth_rule_t t1, t2;
+ char *key_type;
void *value;
e1 = constraints->create_enumerator(constraints);
@@ -703,6 +711,7 @@ METHOD(auth_cfg_t, complies, bool,
}
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
{
strength = (uintptr_t)value;
break;
@@ -797,30 +806,39 @@ METHOD(auth_cfg_t, complies, bool,
e2 = create_enumerator(this);
while (e2->enumerate(e2, &t2, &strength))
{
- if (t2 == AUTH_RULE_RSA_STRENGTH ||
- t2 == AUTH_RULE_ECDSA_STRENGTH)
+ switch (t2)
{
- success = FALSE;
- e1 = constraints->create_enumerator(constraints);
- while (e1->enumerate(e1, &t1, &value))
+ default:
+ continue;
+ case AUTH_RULE_RSA_STRENGTH:
+ key_type = "RSA";
+ break;
+ case AUTH_RULE_ECDSA_STRENGTH:
+ key_type = "ECDSA";
+ break;
+ case AUTH_RULE_BLISS_STRENGTH:
+ key_type = "BLISS";
+ break;
+ }
+ success = FALSE;
+ e1 = constraints->create_enumerator(constraints);
+ while (e1->enumerate(e1, &t1, &value))
+ {
+ if (t1 == t2 && (uintptr_t)value <= strength)
{
- if (t1 == t2 && (uintptr_t)value <= strength)
- {
- success = TRUE;
- break;
- }
+ success = TRUE;
+ break;
}
- e1->destroy(e1);
- if (!success)
+ }
+ e1->destroy(e1);
+ if (!success)
+ {
+ if (log_error)
{
- if (log_error)
- {
- DBG1(DBG_CFG, "%s-%d signatures not acceptable",
- t2 == AUTH_RULE_RSA_STRENGTH ? "RSA" : "ECDSA",
- strength);
- }
- break;
+ DBG1(DBG_CFG, "%s-%d signatures not acceptable",
+ key_type, strength);
}
+ break;
}
}
e2->destroy(e2);
@@ -891,6 +909,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
case AUTH_RULE_EAP_VENDOR:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
{
add(this, type, (uintptr_t)value);
@@ -1060,6 +1079,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
case AUTH_RULE_OCSP_VALIDATION:
case AUTH_RULE_RSA_STRENGTH:
case AUTH_RULE_ECDSA_STRENGTH:
+ case AUTH_RULE_BLISS_STRENGTH:
case AUTH_RULE_SIGNATURE_SCHEME:
clone->add(clone, type, (uintptr_t)value);
break;
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 95b36d706..53f1b3805 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
* Copyright (C) 2007-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -102,6 +102,8 @@ enum auth_rule_t {
AUTH_RULE_RSA_STRENGTH,
/** required ECDSA public key strength, u_int in bits */
AUTH_RULE_ECDSA_STRENGTH,
+ /** required BLISS public key strength, u_int in bits */
+ AUTH_RULE_BLISS_STRENGTH,
/** required signature scheme, signature_scheme_t */
AUTH_RULE_SIGNATURE_SCHEME,
/** certificatePolicy constraint, numerical OID as char* */
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index a6c9c30af..b4d1f4c3c 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -144,6 +144,10 @@ enum cred_encoding_part_t {
CRED_PART_PKCS10_ASN1_DER,
/** a PGP encoded certificate */
CRED_PART_PGP_CERT,
+ /** a DER encoded BLISS public key */
+ CRED_PART_BLISS_PUB_ASN1_DER,
+ /** a DER encoded BLISS private key */
+ CRED_PART_BLISS_PRIV_ASN1_DER,
CRED_PART_END,
};
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index b0c8e48ba..371e6404d 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -698,6 +698,9 @@ static void get_key_strength(certificate_t *cert, auth_cfg_t *auth)
case KEY_ECDSA:
auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
break;
+ case KEY_BLISS:
+ auth->add(auth, AUTH_RULE_BLISS_STRENGTH, strength);
+ break;
default:
break;
}
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 37bba77d1..bd5915e60 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -1,6 +1,8 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -17,14 +19,15 @@
#include "public_key.h"
-ENUM(key_type_names, KEY_ANY, KEY_DSA,
+ENUM(key_type_names, KEY_ANY, KEY_BLISS,
"ANY",
"RSA",
"ECDSA",
- "DSA"
+ "DSA",
+ "BLISS"
);
-ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
+ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA512,
"UNKNOWN",
"RSA_EMSA_PKCS1_NULL",
"RSA_EMSA_PKCS1_MD5",
@@ -41,6 +44,9 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
"ECDSA-256",
"ECDSA-384",
"ECDSA-521",
+ "BLISS_WITH_SHA256",
+ "BLISS_WITH_SHA384",
+ "BLISS_WITH_SHA512",
);
ENUM(encryption_scheme_names, ENCRYPT_UNKNOWN, ENCRYPT_RSA_OAEP_SHA512,
@@ -130,8 +136,158 @@ signature_scheme_t signature_scheme_from_oid(int oid)
return SIGN_ECDSA_WITH_SHA384_DER;
case OID_ECDSA_WITH_SHA512:
return SIGN_ECDSA_WITH_SHA512_DER;
- default:
- return SIGN_UNKNOWN;
+ case OID_BLISS_PUBLICKEY:
+ case OID_BLISS_WITH_SHA512:
+ return SIGN_BLISS_WITH_SHA512;
+ case OID_BLISS_WITH_SHA256:
+ return SIGN_BLISS_WITH_SHA256;
+ case OID_BLISS_WITH_SHA384:
+ return SIGN_BLISS_WITH_SHA384;
}
+ return SIGN_UNKNOWN;
}
+/*
+ * Defined in header.
+ */
+int signature_scheme_to_oid(signature_scheme_t scheme)
+{
+ switch (scheme)
+ {
+ case SIGN_UNKNOWN:
+ case SIGN_RSA_EMSA_PKCS1_NULL:
+ case SIGN_ECDSA_WITH_NULL:
+ case SIGN_ECDSA_256:
+ case SIGN_ECDSA_384:
+ case SIGN_ECDSA_521:
+ break;
+ case SIGN_RSA_EMSA_PKCS1_MD5:
+ return OID_MD5_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA1:
+ return OID_SHA1_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return OID_SHA224_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA256:
+ return OID_SHA256_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA384:
+ return OID_SHA384_WITH_RSA;
+ case SIGN_RSA_EMSA_PKCS1_SHA512:
+ return OID_SHA512_WITH_RSA;
+ case SIGN_ECDSA_WITH_SHA1_DER:
+ return OID_ECDSA_WITH_SHA1;
+ case SIGN_ECDSA_WITH_SHA256_DER:
+ return OID_ECDSA_WITH_SHA256;
+ case SIGN_ECDSA_WITH_SHA384_DER:
+ return OID_ECDSA_WITH_SHA384;
+ case SIGN_ECDSA_WITH_SHA512_DER:
+ return OID_ECDSA_WITH_SHA512;
+ case SIGN_BLISS_WITH_SHA256:
+ return OID_BLISS_WITH_SHA256;
+ case SIGN_BLISS_WITH_SHA384:
+ return OID_BLISS_WITH_SHA384;
+ case SIGN_BLISS_WITH_SHA512:
+ return OID_BLISS_WITH_SHA512;
+ }
+ return OID_UNKNOWN;
+}
+
+/**
+ * Map for signature schemes to the key type and maximum key size allowed.
+ * We only cover schemes with hash algorithms supported by IKEv2 signature
+ * authentication.
+ */
+static struct {
+ signature_scheme_t scheme;
+ key_type_t type;
+ int max_keysize;
+} scheme_map[] = {
+ { SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, 3072 },
+ { SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, 7680 },
+ { SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, 0 },
+ { SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
+ { SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
+ { SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
+ { SIGN_BLISS_WITH_SHA256, KEY_BLISS, 128 },
+ { SIGN_BLISS_WITH_SHA384, KEY_BLISS, 192 },
+ { SIGN_BLISS_WITH_SHA512, KEY_BLISS, 0 },
+};
+
+/**
+ * Private data for signature scheme enumerator
+ */
+typedef struct {
+ enumerator_t public;
+ int index;
+ key_type_t type;
+ int size;
+} private_enumerator_t;
+
+METHOD(enumerator_t, signature_schemes_enumerate, bool,
+ private_enumerator_t *this, signature_scheme_t *scheme)
+{
+ while (++this->index < countof(scheme_map))
+ {
+ if (this->type == scheme_map[this->index].type &&
+ (this->size <= scheme_map[this->index].max_keysize ||
+ !scheme_map[this->index].max_keysize))
+ {
+ *scheme = scheme_map[this->index].scheme;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+/*
+ * Defined in header.
+ */
+enumerator_t *signature_schemes_for_key(key_type_t type, int size)
+{
+ private_enumerator_t *this;
+
+ INIT(this,
+ .public = {
+ .enumerate = (void*)_signature_schemes_enumerate,
+ .destroy = (void*)free,
+ },
+ .index = -1,
+ .type = type,
+ .size = size,
+ );
+
+ return &this->public;
+}
+
+/*
+ * Defined in header.
+ */
+key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
+{
+ switch (scheme)
+ {
+ case SIGN_UNKNOWN:
+ break;
+ case SIGN_RSA_EMSA_PKCS1_NULL:
+ case SIGN_RSA_EMSA_PKCS1_MD5:
+ case SIGN_RSA_EMSA_PKCS1_SHA1:
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ case SIGN_RSA_EMSA_PKCS1_SHA256:
+ case SIGN_RSA_EMSA_PKCS1_SHA384:
+ case SIGN_RSA_EMSA_PKCS1_SHA512:
+ return KEY_RSA;
+ case SIGN_ECDSA_WITH_SHA1_DER:
+ case SIGN_ECDSA_WITH_SHA256_DER:
+ case SIGN_ECDSA_WITH_SHA384_DER:
+ case SIGN_ECDSA_WITH_SHA512_DER:
+ case SIGN_ECDSA_WITH_NULL:
+ case SIGN_ECDSA_256:
+ case SIGN_ECDSA_384:
+ case SIGN_ECDSA_521:
+ return KEY_ECDSA;
+ case SIGN_BLISS_WITH_SHA256:
+ case SIGN_BLISS_WITH_SHA384:
+ case SIGN_BLISS_WITH_SHA512:
+ return KEY_BLISS;
+ }
+ return KEY_ANY;
+}
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 2afcf8325..66e98b294 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,6 +1,8 @@
/*
+ * Copyright (C) 2015 Tobias Brunner
* Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -42,6 +44,8 @@ enum key_type_t {
KEY_ECDSA = 2,
/** DSA */
KEY_DSA = 3,
+ /** BLISS */
+ KEY_BLISS = 4,
/** ElGamal, ... */
};
@@ -90,6 +94,12 @@ enum signature_scheme_t {
SIGN_ECDSA_384,
/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754 */
SIGN_ECDSA_521,
+ /** BLISS with SHA-256 */
+ SIGN_BLISS_WITH_SHA256,
+ /** BLISS with SHA-384 */
+ SIGN_BLISS_WITH_SHA384,
+ /** BLISS with SHA-512 */
+ SIGN_BLISS_WITH_SHA512,
};
/**
@@ -234,8 +244,35 @@ bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint);
* Conversion of ASN.1 signature or hash OID to signature scheme.
*
* @param oid ASN.1 OID
- * @return signature_scheme, SIGN_UNKNOWN if OID is unsupported
+ * @return signature scheme, SIGN_UNKNOWN if OID is unsupported
*/
signature_scheme_t signature_scheme_from_oid(int oid);
+/**
+ * Conversion of signature scheme to ASN.1 signature OID.
+ *
+ * @param scheme signature scheme
+ * @return ASN.1 OID, OID_UNKNOWN if not supported
+ */
+int signature_scheme_to_oid(signature_scheme_t scheme);
+
+/**
+ * Enumerate signature schemes that are appropriate for a key of the given type
+ * and size|strength.
+ *
+ * @param type type of the key
+ * @param size size or strength of the key
+ * @return enumerator over signature_scheme_t (increasing strength)
+ */
+enumerator_t *signature_schemes_for_key(key_type_t type, int size);
+
+/**
+ * Determine the type of key associated with a given signature scheme.
+ *
+ * @param scheme signature scheme
+ * @return key type (could be KEY_ANY)
+ */
+key_type_t key_type_from_signature_scheme(signature_scheme_t scheme);
+
+
#endif /** PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 563f4bdd5..60720dc57 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -143,6 +143,7 @@ METHOD(cert_cache_t, issued_by, bool,
private_cert_cache_t *this, certificate_t *subject, certificate_t *issuer,
signature_scheme_t *schemep)
{
+ certificate_t *cached_issuer = NULL;
relation_t *found = NULL, *current;
signature_scheme_t scheme;
int i;
@@ -154,39 +155,41 @@ METHOD(cert_cache_t, issued_by, bool,
current->lock->read_lock(current->lock);
if (current->subject)
{
- /* check for equal issuer */
if (issuer->equals(issuer, current->issuer))
{
- /* reuse issuer instance in cache() */
- issuer = current->issuer;
if (subject->equals(subject, current->subject))
{
- /* write hit counter is not locked, but not critical */
current->hits++;
- found = current;;
+ found = current;
if (schemep)
{
*schemep = current->scheme;
}
}
+ else if (!cached_issuer)
+ {
+ cached_issuer = current->issuer->get_ref(current->issuer);
+ }
}
}
current->lock->unlock(current->lock);
if (found)
{
+ DESTROY_IF(cached_issuer);
return TRUE;
}
}
- /* no cache hit, check and cache signature */
if (subject->issued_by(subject, issuer, &scheme))
{
- cache(this, subject, issuer, scheme);
+ cache(this, subject, cached_issuer ?: issuer, scheme);
if (schemep)
{
*schemep = scheme;
}
+ DESTROY_IF(cached_issuer);
return TRUE;
}
+ DESTROY_IF(cached_issuer);
return FALSE;
}
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index d8f568d36..7ad011b5e 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -192,6 +192,24 @@ METHOD(mem_cred_t, add_cert_ref, certificate_t*,
return add_cert_internal(this, trusted, cert);
}
+METHOD(mem_cred_t, get_cert_ref, certificate_t*,
+ private_mem_cred_t *this, certificate_t *cert)
+{
+ certificate_t *cached;
+
+ this->lock->write_lock(this->lock);
+ if (this->untrusted->find_first(this->untrusted,
+ (linked_list_match_t)certificate_equals,
+ (void**)&cached, cert) == SUCCESS)
+ {
+ cert->destroy(cert);
+ cert = cached->get_ref(cached);
+ }
+ this->lock->unlock(this->lock);
+
+ return cert;
+}
+
METHOD(mem_cred_t, add_crl, bool,
private_mem_cred_t *this, crl_t *crl)
{
@@ -736,6 +754,7 @@ mem_cred_t *mem_cred_create()
},
.add_cert = _add_cert,
.add_cert_ref = _add_cert_ref,
+ .get_cert_ref = _get_cert_ref,
.add_crl = _add_crl,
.add_key = _add_key,
.add_shared = _add_shared,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index d0dd51da1..3ce815abc 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -59,6 +59,18 @@ struct mem_cred_t {
certificate_t *cert);
/**
+ * Get an existing reference to the same certificate.
+ *
+ * Searches for the same certficate in the set, and returns a reference
+ * to it, destroying the passed certificate. If the passed certificate
+ * is not found, it is just returned.
+ *
+ * @param cert certificate to look up
+ * @return the same certificate, potentially different instance
+ */
+ certificate_t* (*get_cert_ref)(mem_cred_t *this, certificate_t *cert);
+
+ /**
* Add an X.509 CRL to the credential set.
*
* @param crl CRL, gets owned by set
diff --git a/src/libstrongswan/crypto/crypters/crypter.c b/src/libstrongswan/crypto/crypters/crypter.c
index 8123adde5..1e73baa4e 100644
--- a/src/libstrongswan/crypto/crypters/crypter.c
+++ b/src/libstrongswan/crypto/crypters/crypter.c
@@ -96,6 +96,10 @@ encryption_algorithm_t encryption_algorithm_from_oid(int oid, size_t *key_size)
alg = ENCR_CAMELLIA_CBC;
alg_key_size = 256;
break;
+ case OID_BLOWFISH_CBC:
+ alg = ENCR_BLOWFISH;
+ alg_key_size = 0;
+ break;
default:
alg = ENCR_UNDEFINED;
alg_key_size = 0;
@@ -154,6 +158,9 @@ int encryption_algorithm_to_oid(encryption_algorithm_t alg, size_t key_size)
oid = OID_UNKNOWN;
}
break;
+ case ENCR_BLOWFISH:
+ oid = OID_BLOWFISH_CBC;
+ break;
default:
oid = OID_UNKNOWN;
}
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index d09844bfa..15ed17381 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -580,13 +580,22 @@ METHOD(crypto_tester_t, test_signer, bool,
break;
}
+ data = chunk_create(vector->data, vector->len);
key = chunk_create(vector->key, signer->get_key_size(signer));
if (!signer->set_key(signer, key))
{
goto failure;
}
+ /* do partial append mode and check if key gets set correctly */
+ if (!signer->get_signature(signer, data, NULL))
+ {
+ goto failure;
+ }
+ if (!signer->set_key(signer, key))
+ {
+ goto failure;
+ }
/* allocated signature */
- data = chunk_create(vector->data, vector->len);
if (!signer->allocate_signature(signer, data, &mac))
{
goto failure;
@@ -905,13 +914,25 @@ METHOD(crypto_tester_t, test_prf, bool,
break;
}
+ seed = chunk_create(vector->seed, vector->len);
key = chunk_create(vector->key, vector->key_size);
if (!prf->set_key(prf, key))
{
goto failure;
}
+ if (alg != PRF_FIPS_SHA1_160)
+ {
+ /* do partial append mode and check if key gets set correctly */
+ if (!prf->get_bytes(prf, seed, NULL))
+ {
+ goto failure;
+ }
+ if (!prf->set_key(prf, key))
+ {
+ goto failure;
+ }
+ }
/* allocated bytes */
- seed = chunk_create(vector->seed, vector->len);
if (!prf->allocate_bytes(prf, seed, &out))
{
goto failure;
@@ -942,7 +963,7 @@ METHOD(crypto_tester_t, test_prf, bool,
goto failure;
}
/* bytes to existing buffer, using append mode */
- if (seed.len > 2)
+ if (alg != PRF_FIPS_SHA1_160 && seed.len > 2)
{
memset(out.ptr, 0, out.len);
if (vector->stateful)
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 87c9b21f8..0d4cd9109 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -42,15 +42,16 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
"ECP_256_BP",
"ECP_384_BP",
"ECP_512_BP");
-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_CUSTOM, ECP_512_BP,
- "MODP_NULL",
- "MODP_CUSTOM");
-ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_CUSTOM,
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
+ "MODP_NULL");
+ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
"NTRU_112",
"NTRU_128",
"NTRU_192",
"NTRU_256");
-ENUM_END(diffie_hellman_group_names, NTRU_256_BIT);
+ENUM_NEXT(diffie_hellman_group_names, MODP_CUSTOM, MODP_CUSTOM, NTRU_256_BIT,
+ "MODP_CUSTOM");
+ENUM_END(diffie_hellman_group_names, MODP_CUSTOM);
/**
@@ -439,7 +440,7 @@ void diffie_hellman_init()
{
int i;
- if (lib->settings->get_int(lib->settings,
+ if (lib->settings->get_bool(lib->settings,
"%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
{
for (i = 0; i < countof(dh_params); i++)
@@ -463,7 +464,7 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
if (!dh_params[i].public.exp_len)
{
if (!dh_params[i].public.subgroup.len &&
- lib->settings->get_int(lib->settings,
+ lib->settings->get_bool(lib->settings,
"%s.dh_exponent_ansi_x9_42", TRUE, lib->ns))
{
dh_params[i].public.exp_len = dh_params[i].public.prime.len;
@@ -500,3 +501,75 @@ bool diffie_hellman_group_is_ec(diffie_hellman_group_t group)
return FALSE;
}
}
+
+/**
+ * See header.
+ */
+bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value)
+{
+ diffie_hellman_params_t *params;
+ bool valid = FALSE;
+
+ switch (group)
+ {
+ case MODP_768_BIT:
+ case MODP_1024_BIT:
+ case MODP_1536_BIT:
+ case MODP_2048_BIT:
+ case MODP_3072_BIT:
+ case MODP_4096_BIT:
+ case MODP_6144_BIT:
+ case MODP_8192_BIT:
+ case MODP_1024_160:
+ case MODP_2048_224:
+ case MODP_2048_256:
+ params = diffie_hellman_get_params(group);
+ if (params)
+ {
+ valid = value.len == params->prime.len;
+ }
+ break;
+ case ECP_192_BIT:
+ valid = value.len == 48;
+ break;
+ case ECP_224_BIT:
+ case ECP_224_BP:
+ valid = value.len == 56;
+ break;
+ case ECP_256_BIT:
+ case ECP_256_BP:
+ valid = value.len == 64;
+ break;
+ case ECP_384_BIT:
+ case ECP_384_BP:
+ valid = value.len == 96;
+ break;
+ case ECP_512_BP:
+ valid = value.len == 128;
+ break;
+ case ECP_521_BIT:
+ valid = value.len == 132;
+ break;
+ case NTRU_112_BIT:
+ case NTRU_128_BIT:
+ case NTRU_192_BIT:
+ case NTRU_256_BIT:
+ /* verification currently not supported, do in plugin */
+ valid = FALSE;
+ break;
+ case MODP_NULL:
+ case MODP_CUSTOM:
+ valid = TRUE;
+ break;
+ case MODP_NONE:
+ /* fail */
+ break;
+ /* compile-warn unhandled groups, fail verification */
+ }
+ if (!valid)
+ {
+ DBG1(DBG_ENC, "invalid DH public value size (%zu bytes) for %N",
+ value.len, diffie_hellman_group_names, group);
+ }
+ return valid;
+}
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index 105db22f1..4704cd0da 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -63,12 +63,14 @@ enum diffie_hellman_group_t {
/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
MODP_NULL = 1024,
/** MODP group with custom generator/prime */
- MODP_CUSTOM = 1025,
/** Parameters defined by IEEE 1363.1, in PRIVATE USE */
NTRU_112_BIT = 1030,
NTRU_128_BIT = 1031,
NTRU_192_BIT = 1032,
- NTRU_256_BIT = 1033
+ NTRU_256_BIT = 1033,
+ /** internally used DH group with additional parameters g and p, outside
+ * of PRIVATE USE (i.e. IKEv2 DH group range) so it can't be negotiated */
+ MODP_CUSTOM = 65536,
};
/**
@@ -87,9 +89,10 @@ struct diffie_hellman_t {
* Space for returned secret is allocated and must be freed by the caller.
*
* @param secret shared secret will be written into this chunk
- * @return SUCCESS, FAILED if not both DH values are set
+ * @return TRUE if shared secret computed successfully
*/
- status_t (*get_shared_secret) (diffie_hellman_t *this, chunk_t *secret);
+ bool (*get_shared_secret)(diffie_hellman_t *this, chunk_t *secret)
+ __attribute__((warn_unused_result));
/**
* Sets the public value of partner.
@@ -97,8 +100,10 @@ struct diffie_hellman_t {
* Chunk gets cloned and can be destroyed afterwards.
*
* @param value public value of partner
+ * @return TRUE if other public value verified and set
*/
- void (*set_other_public_value) (diffie_hellman_t *this, chunk_t value);
+ bool (*set_other_public_value)(diffie_hellman_t *this, chunk_t value)
+ __attribute__((warn_unused_result));
/**
* Gets the own public value to transmit.
@@ -106,8 +111,10 @@ struct diffie_hellman_t {
* Space for returned chunk is allocated and must be freed by the caller.
*
* @param value public value of caller is stored at this location
+ * @return TRUE if public value retrieved
*/
- void (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value);
+ bool (*get_my_public_value) (diffie_hellman_t *this, chunk_t *value)
+ __attribute__((warn_unused_result));
/**
* Get the DH group used.
@@ -168,8 +175,17 @@ diffie_hellman_params_t *diffie_hellman_get_params(diffie_hellman_group_t group)
* Check if a given DH group is an ECDH group
*
* @param group group to check
- * @return TUE if group is an ECP group
+ * @return TRUE if group is an ECP group
*/
bool diffie_hellman_group_is_ec(diffie_hellman_group_t group);
+/**
+ * Check if a diffie hellman public value is valid for given group.
+ *
+ * @param group group the value is used in
+ * @param value public DH value to check
+ * @return TRUE if value looks valid for group
+ */
+bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value);
+
#endif /** DIFFIE_HELLMAN_H_ @}*/
diff --git a/src/libstrongswan/crypto/hashers/hash_algorithm_set.c b/src/libstrongswan/crypto/hashers/hash_algorithm_set.c
new file mode 100644
index 000000000..93b67cb13
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/hash_algorithm_set.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "hash_algorithm_set.h"
+
+#include <collections/array.h>
+
+typedef struct private_hash_algorithm_set_t private_hash_algorithm_set_t;
+
+struct private_hash_algorithm_set_t {
+
+ /**
+ * Public interface
+ */
+ hash_algorithm_set_t public;
+
+ /**
+ * Algorithms contained in the set
+ */
+ array_t *algorithms;
+};
+
+/**
+ * Sort hash algorithms
+ */
+static int hash_sort(const void *a, const void *b, void *user)
+{
+ const hash_algorithm_t *ha = a, *hb = b;
+ return *ha - *hb;
+}
+
+/**
+ * Find a hash algorithm
+ */
+static int hash_find(const void *a, const void *b)
+{
+ return hash_sort(a, b, NULL);
+}
+
+METHOD(hash_algorithm_set_t, contains, bool,
+ private_hash_algorithm_set_t *this, hash_algorithm_t hash)
+{
+ return array_bsearch(this->algorithms, &hash, hash_find, NULL) != -1;
+}
+
+METHOD(hash_algorithm_set_t, add, void,
+ private_hash_algorithm_set_t *this, hash_algorithm_t hash)
+{
+ if (!contains(this, hash))
+ {
+ array_insert(this->algorithms, ARRAY_TAIL, &hash);
+ array_sort(this->algorithms, hash_sort, NULL);
+ }
+}
+
+METHOD(hash_algorithm_set_t, count, int,
+ private_hash_algorithm_set_t *this)
+{
+ return array_count(this->algorithms);
+}
+
+static bool hash_filter(void *data, void **in, hash_algorithm_t *out)
+{
+ *out = **(hash_algorithm_t**)in;
+ return TRUE;
+}
+
+METHOD(hash_algorithm_set_t, create_enumerator, enumerator_t*,
+ private_hash_algorithm_set_t *this)
+{
+ return enumerator_create_filter(array_create_enumerator(this->algorithms),
+ (void*)hash_filter, NULL, NULL);
+}
+
+METHOD(hash_algorithm_set_t, destroy, void,
+ private_hash_algorithm_set_t *this)
+{
+ array_destroy(this->algorithms);
+ free(this);
+}
+
+/**
+ * Described in header
+ */
+hash_algorithm_set_t *hash_algorithm_set_create()
+{
+ private_hash_algorithm_set_t *this;
+
+ INIT(this,
+ .public = {
+ .add = _add,
+ .contains = _contains,
+ .count = _count,
+ .create_enumerator = _create_enumerator,
+ .destroy = _destroy,
+ },
+ .algorithms = array_create(sizeof(hash_algorithm_t), 0),
+ );
+
+ return &this->public;
+} \ No newline at end of file
diff --git a/src/libstrongswan/crypto/hashers/hash_algorithm_set.h b/src/libstrongswan/crypto/hashers/hash_algorithm_set.h
new file mode 100644
index 000000000..00e90cc2e
--- /dev/null
+++ b/src/libstrongswan/crypto/hashers/hash_algorithm_set.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup hash_algorithm_set hash_algorithm_set
+ * @{ @ingroup crypto
+ */
+
+#ifndef HASH_ALGORITHM_SET_H_
+#define HASH_ALGORITHM_SET_H_
+
+typedef struct hash_algorithm_set_t hash_algorithm_set_t;
+
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * A set of hash algorithms
+ */
+struct hash_algorithm_set_t {
+
+ /**
+ * Add the given algorithm to the set.
+ *
+ * @param alg hash algorithm
+ */
+ void (*add)(hash_algorithm_set_t *this, hash_algorithm_t alg);
+
+ /**
+ * Check if the given algorithm is contained in the set.
+ *
+ * @param alg hash algorithm
+ * @return TRUE if contained in set
+ */
+ bool (*contains)(hash_algorithm_set_t *this, hash_algorithm_t alg);
+
+ /**
+ * Number of hash algorithms contained in the set.
+ *
+ * @return number of algorithms
+ */
+ int (*count)(hash_algorithm_set_t *this);
+
+ /**
+ * Enumerate the algorithms contained in the set.
+ *
+ * @return enumerator over hash_algorithm_t (sorted by identifier)
+ */
+ enumerator_t *(*create_enumerator)(hash_algorithm_set_t *this);
+
+ /**
+ * Destroy a hash_algorithm_set_t instance
+ */
+ void (*destroy)(hash_algorithm_set_t *this);
+};
+
+/**
+ * Create a set of hash algorithms.
+ *
+ * @return hash_algorithm_set_t instance
+ */
+hash_algorithm_set_t *hash_algorithm_set_create();
+
+#endif /** HASH_ALGORITHM_SET_H_ @}*/
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index 13cbb5a59..38eebea9c 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -19,29 +19,31 @@
#include <asn1/oid.h>
-ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512,
+ "HASH_SHA1",
+ "HASH_SHA256",
+ "HASH_SHA384",
+ "HASH_SHA512");
+ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512,
"HASH_UNKNOWN",
"HASH_MD2",
"HASH_MD4",
"HASH_MD5",
- "HASH_SHA1",
- "HASH_SHA224",
- "HASH_SHA256",
- "HASH_SHA384",
- "HASH_SHA512"
-);
+ "HASH_SHA224");
+ENUM_END(hash_algorithm_names, HASH_SHA224);
-ENUM(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512,
+ "sha1",
+ "sha256",
+ "sha384",
+ "sha512");
+ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA224, HASH_SHA512,
"unknown",
"md2",
"md4",
"md5",
- "sha1",
- "sha224",
- "sha256",
- "sha384",
- "sha512"
-);
+ "sha224");
+ENUM_END(hash_algorithm_short_names, HASH_SHA224);
/*
* Described in header.
@@ -249,6 +251,28 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
/*
* Described in header.
*/
+bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
+{
+ switch (alg)
+ {
+ case HASH_SHA1:
+ case HASH_SHA256:
+ case HASH_SHA384:
+ case HASH_SHA512:
+ return TRUE;
+ case HASH_UNKNOWN:
+ case HASH_MD2:
+ case HASH_MD4:
+ case HASH_MD5:
+ case HASH_SHA224:
+ break;
+ }
+ return FALSE;
+}
+
+/*
+ * Described in header.
+ */
int hasher_algorithm_to_oid(hash_algorithm_t alg)
{
int oid;
@@ -323,8 +347,56 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
default:
return OID_UNKNOWN;
}
+ case KEY_BLISS:
+ switch (alg)
+ {
+ case HASH_SHA256:
+ return OID_BLISS_WITH_SHA256;
+ case HASH_SHA384:
+ return OID_BLISS_WITH_SHA384;
+ case HASH_SHA512:
+ return OID_BLISS_WITH_SHA512;
+ default:
+ return OID_UNKNOWN;
+ }
default:
return OID_UNKNOWN;
}
}
+/*
+ * Defined in header.
+ */
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
+{
+ switch (scheme)
+ {
+ case SIGN_UNKNOWN:
+ case SIGN_RSA_EMSA_PKCS1_NULL:
+ case SIGN_ECDSA_WITH_NULL:
+ break;
+ case SIGN_RSA_EMSA_PKCS1_MD5:
+ return HASH_MD5;
+ case SIGN_RSA_EMSA_PKCS1_SHA1:
+ case SIGN_ECDSA_WITH_SHA1_DER:
+ return HASH_SHA1;
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return HASH_SHA224;
+ case SIGN_RSA_EMSA_PKCS1_SHA256:
+ case SIGN_ECDSA_WITH_SHA256_DER:
+ case SIGN_ECDSA_256:
+ case SIGN_BLISS_WITH_SHA256:
+ return HASH_SHA256;
+ case SIGN_RSA_EMSA_PKCS1_SHA384:
+ case SIGN_ECDSA_WITH_SHA384_DER:
+ case SIGN_ECDSA_384:
+ case SIGN_BLISS_WITH_SHA384:
+ return HASH_SHA384;
+ case SIGN_RSA_EMSA_PKCS1_SHA512:
+ case SIGN_ECDSA_WITH_SHA512_DER:
+ case SIGN_ECDSA_521:
+ case SIGN_BLISS_WITH_SHA512:
+ return HASH_SHA512;
+ }
+ return HASH_UNKNOWN;
+}
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 37ef0b6ab..772586308 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2015 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -32,19 +32,19 @@ typedef struct hasher_t hasher_t;
#include <credentials/keys/public_key.h>
/**
- * Algorithms to use for hashing.
+ * Hash algorithms as defined for IKEv2 by RFC 7427
*/
enum hash_algorithm_t {
- /** not specified hash function */
- HASH_UNKNOWN = 0,
- HASH_MD2 = 1,
- HASH_MD4 = 2,
- HASH_MD5 = 3,
- HASH_SHA1 = 4,
- HASH_SHA224 = 5,
- HASH_SHA256 = 6,
- HASH_SHA384 = 7,
- HASH_SHA512 = 8
+ HASH_SHA1 = 1,
+ HASH_SHA256 = 2,
+ HASH_SHA384 = 3,
+ HASH_SHA512 = 4,
+ /* use private use range for algorithms not defined/permitted by RFC 7427 */
+ HASH_UNKNOWN = 1024,
+ HASH_MD2 = 1025,
+ HASH_MD4 = 1026,
+ HASH_MD5 = 1027,
+ HASH_SHA224 = 1028,
};
#define HASH_SIZE_MD2 16
@@ -163,6 +163,14 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
size_t length);
/**
+ * Check if the given algorithm may be used for IKEv2 signature authentication.
+ *
+ * @param alg hash algorithm
+ * @return TRUE if algorithm may be used, FALSE otherwise
+ */
+bool hasher_algorithm_for_ikev2(hash_algorithm_t alg);
+
+/**
* Conversion of hash algorithm into ASN.1 OID.
*
* @param alg hash algorithm
@@ -179,4 +187,12 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg);
*/
int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key);
+/**
+ * Determine the hash algorithm associated with a given signature scheme.
+ *
+ * @param scheme signature scheme
+ * @return hash algorithm (could be HASH_UNKNOWN)
+ */
+hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme);
+
#endif /** HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.c b/src/libstrongswan/crypto/mgf1/mgf1.c
index 2338db208..4bbcd6e99 100644
--- a/src/libstrongswan/plugins/ntru/ntru_mgf1.c
+++ b/src/libstrongswan/crypto/mgf1/mgf1.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -13,23 +13,23 @@
* for more details.
*/
-#include "ntru_mgf1.h"
+#include "mgf1.h"
-#include <crypto/hashers/hasher.h>
-#include <utils/debug.h>
-#include <utils/test.h>
+#include "crypto/hashers/hasher.h"
+#include "utils/debug.h"
+#include "utils/test.h"
-typedef struct private_ntru_mgf1_t private_ntru_mgf1_t;
+typedef struct private_mgf1_t private_mgf1_t;
/**
- * Private data of an ntru_mgf1_t object.
+ * Private data of an mgf1_t object.
*/
-struct private_ntru_mgf1_t {
+struct private_mgf1_t {
/**
- * Public ntru_mgf1_t interface.
+ * Public mgf1_t interface.
*/
- ntru_mgf1_t public;
+ mgf1_t public;
/**
* Hasher the MGF1 Mask Generation Function is based on
@@ -58,14 +58,14 @@ struct private_ntru_mgf1_t {
};
-METHOD(ntru_mgf1_t, get_hash_size, size_t,
- private_ntru_mgf1_t *this)
+METHOD(mgf1_t, get_hash_size, size_t,
+ private_mgf1_t *this)
{
return this->hasher->get_hash_size(this->hasher);
}
-METHOD(ntru_mgf1_t, get_mask, bool,
- private_ntru_mgf1_t *this, size_t mask_len, u_char *mask)
+METHOD(mgf1_t, get_mask, bool,
+ private_mgf1_t *this, size_t mask_len, u_char *mask)
{
u_char buf[HASH_SIZE_SHA512];
size_t hash_len;
@@ -102,8 +102,8 @@ METHOD(ntru_mgf1_t, get_mask, bool,
return TRUE;
}
-METHOD(ntru_mgf1_t, allocate_mask, bool,
- private_ntru_mgf1_t *this, size_t mask_len, chunk_t *mask)
+METHOD(mgf1_t, allocate_mask, bool,
+ private_mgf1_t *this, size_t mask_len, chunk_t *mask)
{
if (mask_len == 0)
{
@@ -115,8 +115,8 @@ METHOD(ntru_mgf1_t, allocate_mask, bool,
return get_mask(this, mask_len, mask->ptr);
}
-METHOD(ntru_mgf1_t, destroy, void,
- private_ntru_mgf1_t *this)
+METHOD(mgf1_t, destroy, void,
+ private_mgf1_t *this)
{
this->hasher->destroy(this->hasher);
chunk_clear(&this->state);
@@ -126,10 +126,10 @@ METHOD(ntru_mgf1_t, destroy, void,
/*
* Described in header.
*/
-ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
bool hash_seed)
{
- private_ntru_mgf1_t *this;
+ private_mgf1_t *this;
hasher_t *hasher;
size_t state_len;
@@ -178,5 +178,3 @@ ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
return &this->public;
}
-
-EXPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create);
diff --git a/src/libstrongswan/plugins/ntru/ntru_mgf1.h b/src/libstrongswan/crypto/mgf1/mgf1.h
index 53e90412a..592d31596 100644
--- a/src/libstrongswan/plugins/ntru/ntru_mgf1.h
+++ b/src/libstrongswan/crypto/mgf1/mgf1.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -14,29 +14,29 @@
*/
/**
- * @defgroup ntru_mgf1 ntru_mgf1
- * @{ @ingroup ntru_p
+ * @defgroup mgf1 mgf1
+ * @{ @ingroup crypto
*/
-#ifndef NTRU_MGF1_H_
-#define NTRU_MGF1_H_
+#ifndef MGF1_H_
+#define MGF1_H_
-typedef struct ntru_mgf1_t ntru_mgf1_t;
+typedef struct mgf1_t mgf1_t;
#include <library.h>
/**
* Implements the PKCS#1 MGF1 Mask Generation Function based on a hash function
- * defined in section 10.2.1 of RFC 2437
+ * defined in section 10.2.1 of RFC 2437
*/
-struct ntru_mgf1_t {
+struct mgf1_t {
/**
* Get the hash size of the underlying hash function
*
* @return hash size in bytes
*/
- size_t (*get_hash_size)(ntru_mgf1_t *this);
+ size_t (*get_hash_size)(mgf1_t *this);
/**
* Generate a mask pattern and copy it to an output buffer
@@ -46,7 +46,7 @@ struct ntru_mgf1_t {
* @param mask output buffer of minimum size mask_len
* @return TRUE if successful
*/
- bool (*get_mask)(ntru_mgf1_t *this, size_t mask_len, u_char *mask);
+ bool (*get_mask)(mgf1_t *this, size_t mask_len, u_char *mask);
/**
* Generate a mask pattern and return it in an allocated chunk
@@ -55,12 +55,12 @@ struct ntru_mgf1_t {
* @param mask chunk containing generated mask
* @return TRUE if successful
*/
- bool (*allocate_mask)(ntru_mgf1_t *this, size_t mask_len, chunk_t *mask);
+ bool (*allocate_mask)(mgf1_t *this, size_t mask_len, chunk_t *mask);
/**
* Destroy the MGF1 object
*/
- void (*destroy)(ntru_mgf1_t *this);
+ void (*destroy)(mgf1_t *this);
};
/**
@@ -68,10 +68,10 @@ struct ntru_mgf1_t {
*
* @param alg hash algorithm to be used by MGF1
* @param seed seed used by MGF1 to generate mask from
- * @param hash_seed hash seed before using it as a seed from MGF1
+ * @param hash_seed hash seed before using it as a seed for MGF1
*/
-ntru_mgf1_t *ntru_mgf1_create(hash_algorithm_t alg, chunk_t seed,
+mgf1_t *mgf1_create(hash_algorithm_t alg, chunk_t seed,
bool hash_seed);
-#endif /** NTRU_MGF1_H_ @}*/
+#endif /** MGF1_H_ @}*/
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
new file mode 100644
index 000000000..ef0a2bd01
--- /dev/null
+++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.c
@@ -0,0 +1,208 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "mgf1_bitspender.h"
+
+#include <crypto/mgf1/mgf1.h>
+
+typedef struct private_mgf1_bitspender_t private_mgf1_bitspender_t;
+
+/**
+ * Private data structure for mgf1_bitspender_t object
+ */
+struct private_mgf1_bitspender_t {
+ /**
+ * Public interface.
+ */
+ mgf1_bitspender_t public;
+
+ /**
+ * MGF1 bit mask generator
+ */
+ mgf1_t *mgf1;
+
+ /**
+ * Octet storage (accommodates up to 64 octets)
+ */
+ uint8_t octets[HASH_SIZE_SHA512];
+
+ /**
+ * Length of the returned hash value in octets
+ */
+ int hash_len;
+
+ /**
+ * Number of generated octets
+ */
+ int octets_count;
+
+ /**
+ * Number of available octets
+ */
+ int octets_left;
+
+ /**
+ * Bit storage (accommodates up to 32 bits)
+ */
+ uint32_t bits;
+
+ /**
+ * Number of available bits
+ */
+ int bits_left;
+
+ /**
+ * Byte storage (accommodates up to 4 bytes)
+ */
+ uint8_t bytes[4];
+
+ /**
+ * Number of available bytes
+ */
+ int bytes_left;
+
+};
+
+METHOD(mgf1_bitspender_t, get_bits, bool,
+ private_mgf1_bitspender_t *this, int bits_needed, uint32_t *bits)
+{
+ int bits_now;
+
+ *bits = 0x00000000;
+
+ if (bits_needed == 0)
+ {
+ /* trivial */
+ return TRUE;
+ }
+ if (bits_needed > 32)
+ {
+ /* too many bits requested */
+ return FALSE;
+ }
+
+ while (bits_needed)
+ {
+ if (this->bits_left == 0)
+ {
+ if (this->octets_left == 0)
+ {
+ /* get another block from MGF1 */
+ if (!this->mgf1->get_mask(this->mgf1, this->hash_len,
+ this->octets))
+ {
+ /* no block available */
+ return FALSE;
+ }
+ this->octets_left = this->hash_len;
+ this->octets_count += this->hash_len;
+ }
+ this->bits = untoh32(this->octets + this->hash_len -
+ this->octets_left);
+ this->bits_left = 32;
+ this->octets_left -= 4;
+ }
+ if (bits_needed > this->bits_left)
+ {
+ bits_now = this->bits_left;
+ this->bits_left = 0;
+ bits_needed -= bits_now;
+ }
+ else
+ {
+ bits_now = bits_needed;
+ this->bits_left -= bits_needed;
+ bits_needed = 0;
+ }
+ if (bits_now == 32)
+ {
+ *bits = this->bits;
+ }
+ else
+ {
+ *bits <<= bits_now;
+ *bits |= this->bits >> this->bits_left;
+ if (this->bits_left)
+ {
+ this->bits &= 0xffffffff >> (32 - this->bits_left);
+ }
+ }
+ }
+ return TRUE;
+}
+
+METHOD(mgf1_bitspender_t, get_byte, bool,
+ private_mgf1_bitspender_t *this, uint8_t *byte)
+{
+ if (this->bytes_left == 0)
+ {
+ if (this->octets_left == 0)
+ {
+ /* get another block from MGF1 */
+ if (!this->mgf1->get_mask(this->mgf1, this->hash_len, this->octets))
+ {
+ /* no block available */
+ return FALSE;
+ }
+ this->octets_left = this->hash_len;
+ this->octets_count += this->hash_len;
+ }
+ memcpy(this->bytes, this->octets + this->hash_len - this->octets_left, 4);
+ this->bytes_left = 4;
+ this->octets_left -= 4;
+ }
+ *byte = this->bytes[4 - this->bytes_left--];
+
+ return TRUE;
+}
+
+METHOD(mgf1_bitspender_t, destroy, void,
+ private_mgf1_bitspender_t *this)
+{
+ DBG2(DBG_LIB, "mgf1 generated %u octets", this->octets_count);
+ memwipe(this->octets, sizeof(this->octets));
+ this->mgf1->destroy(this->mgf1);
+ free(this);
+}
+
+/**
+ * See header.
+ */
+mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
+ bool hash_seed)
+{
+ private_mgf1_bitspender_t *this;
+ mgf1_t *mgf1;
+
+ mgf1 = mgf1_create(alg, seed, hash_seed);
+ if (!mgf1)
+ {
+ return NULL;
+ }
+ DBG2(DBG_LIB, "mgf1 based on %N is seeded with %u octets",
+ hash_algorithm_short_names, alg, seed.len);
+
+ INIT(this,
+ .public = {
+ .get_bits = _get_bits,
+ .get_byte = _get_byte,
+ .destroy = _destroy,
+ },
+ .mgf1 = mgf1,
+ .hash_len = mgf1->get_hash_size(mgf1),
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
new file mode 100644
index 000000000..f7df8e834
--- /dev/null
+++ b/src/libstrongswan/crypto/mgf1/mgf1_bitspender.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup mgf1_bitspender mgf1_bitspender
+ * @{ @ingroup mgf1
+ */
+
+#ifndef MGF1_BITSPENDER_H_
+#define MGF1_BITSPENDER_H_
+
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct mgf1_bitspender_t mgf1_bitspender_t;
+
+/**
+ * Generates a given number of pseudo-random bits at a time using MGF1
+ */
+struct mgf1_bitspender_t {
+
+ /**
+ * Get pseudo-random bits
+ *
+ * @param bits_needed Number of needed bits (1..32)
+ * @param bits Pseudo-random bits
+ * @result FALSE if internal MGF1 error occurred
+ */
+ bool (*get_bits)(mgf1_bitspender_t *this, int bits_needed, uint32_t *bits);
+
+ /**
+ * Get a pseudo-random byte
+ *
+ * @param byte Pseudo-random byte
+ * @result FALSE if internal MGF1 error occurred
+ */
+ bool (*get_byte)(mgf1_bitspender_t *this, uint8_t *byte);
+
+ /**
+ * Destroy mgf1_bitspender_t object
+ */
+ void (*destroy)(mgf1_bitspender_t *this);
+};
+
+/**
+ * Create a mgf1_bitspender_t object
+ *
+ * @param alg Hash algorithm to be used with MGF1
+ * @param seed Seed used to initialize MGF1
+ * @param hash_seed Hash seed before using it as a seed for MFG1
+ */
+mgf1_bitspender_t *mgf1_bitspender_create(hash_algorithm_t alg, chunk_t seed,
+ bool hash_seed);
+
+#endif /** MGF1_BITSPENDER_H_ @}*/
diff --git a/src/libstrongswan/crypto/pkcs5.c b/src/libstrongswan/crypto/pkcs5.c
index 3b4df0e8a..478926f2f 100644
--- a/src/libstrongswan/crypto/pkcs5.c
+++ b/src/libstrongswan/crypto/pkcs5.c
@@ -108,13 +108,13 @@ struct private_pkcs5_t {
* Verify padding of decrypted blob.
* Length of blob is adjusted accordingly.
*/
-static bool verify_padding(chunk_t *blob)
+static bool verify_padding(crypter_t *crypter, chunk_t *blob)
{
u_int8_t padding, count;
padding = count = blob->ptr[blob->len - 1];
- if (padding > 8)
+ if (padding > crypter->get_block_size(crypter))
{
return FALSE;
}
@@ -153,7 +153,7 @@ static bool decrypt_generic(private_pkcs5_t *this, chunk_t password,
return FALSE;
}
memwipe(keymat.ptr, keymat.len);
- if (verify_padding(decrypted))
+ if (verify_padding(this->crypter, decrypted))
{
return TRUE;
}
@@ -504,6 +504,7 @@ static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0)
{
asn1_parser_t *parser;
chunk_t object, params;
+ size_t keylen;
int objectID;
bool success = FALSE;
@@ -533,20 +534,35 @@ static bool parse_pbes2_params(private_pkcs5_t *this, chunk_t blob, int level0)
{
int oid = asn1_parse_algorithmIdentifier(object,
parser->get_level(parser) + 1, &params);
- if (oid != OID_3DES_EDE_CBC)
+ this->encr = encryption_algorithm_from_oid(oid, &keylen);
+ if (this->encr == ENCR_UNDEFINED)
{ /* unsupported encryption scheme */
goto end;
}
- if (this->keylen <= 0)
- { /* default key length for DES-EDE3-CBC-Pad */
- this->keylen = 24;
+ /* prefer encoded key length */
+ this->keylen = this->keylen ?: keylen / 8;
+ if (!this->keylen)
+ { /* set default key length for known algorithms */
+ switch (this->encr)
+ {
+ case ENCR_DES:
+ this->keylen = 8;
+ break;
+ case ENCR_3DES:
+ this->keylen = 24;
+ break;
+ case ENCR_BLOWFISH:
+ this->keylen = 16;
+ break;
+ default:
+ goto end;
+ }
}
if (!asn1_parse_simple_object(&params, ASN1_OCTET_STRING,
parser->get_level(parser) + 1, "IV"))
{
goto end;
}
- this->encr = ENCR_3DES;
this->data.pbes2.iv = chunk_clone(params);
break;
}
diff --git a/src/libstrongswan/ipsec/ipsec_types.c b/src/libstrongswan/ipsec/ipsec_types.c
index 4bbd918a0..f2ee11ee8 100644
--- a/src/libstrongswan/ipsec/ipsec_types.c
+++ b/src/libstrongswan/ipsec/ipsec_types.c
@@ -48,7 +48,15 @@ bool mark_from_string(const char *value, mark_t *mark)
{
return FALSE;
}
- mark->value = strtoul(value, &endptr, 0);
+ if (strcasepfx(value, "%unique"))
+ {
+ mark->value = MARK_UNIQUE;
+ endptr = (char*)value + strlen("%unique");
+ }
+ else
+ {
+ mark->value = strtoul(value, &endptr, 0);
+ }
if (*endptr)
{
if (*endptr != '/')
diff --git a/src/libstrongswan/ipsec/ipsec_types.h b/src/libstrongswan/ipsec/ipsec_types.h
index c1465e097..fa122af30 100644
--- a/src/libstrongswan/ipsec/ipsec_types.h
+++ b/src/libstrongswan/ipsec/ipsec_types.h
@@ -169,9 +169,9 @@ struct mark_t {
};
/**
- * Special mark value that uses the reqid of the CHILD_SA as mark
+ * Special mark value that uses a unique mark for each CHILD_SA
*/
-#define MARK_REQID (0xFFFFFFFF)
+#define MARK_UNIQUE (0xFFFFFFFF)
/**
* Try to parse a mark_t from the given string of the form mark[/mask].
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 2bd5e3523..3a6dd1ba4 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -79,6 +79,9 @@
*
* @defgroup utils utils
* @ingroup libstrongswan
+ *
+ * @defgroup compat compat
+ * @ingroup utils
*/
/**
diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
index 8d04a4ec9..07da3ef3b 100644
--- a/src/libstrongswan/networking/host.c
+++ b/src/libstrongswan/networking/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -528,6 +528,42 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
/*
* Described in header.
*/
+bool host_create_from_range(char *string, host_t **from, host_t **to)
+{
+ char *sep, *pos;
+
+ sep = strchr(string, '-');
+ if (!sep)
+ {
+ return FALSE;
+ }
+ for (pos = sep+1; *pos && *pos == ' '; pos++)
+ {
+ /* trim spaces before to address*/
+ }
+ *to = host_create_from_string(pos, 0);
+ if (!*to)
+ {
+ return FALSE;
+ }
+ for (pos = sep-1; pos > string && *pos == ' '; pos--)
+ {
+ /* trim spaces behind from address */
+ }
+ pos = strndup(string, pos - string + 1);
+ *from = host_create_from_string_and_family(pos, (*to)->get_family(*to), 0);
+ free(pos);
+ if (!*from)
+ {
+ (*to)->destroy(*to);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/*
+ * Described in header.
+ */
host_t *host_create_from_subnet(char *string, int *bits)
{
char *pos, buf[64];
diff --git a/src/libstrongswan/networking/host.h b/src/libstrongswan/networking/host.h
index 9c9b5035f..db6f4dd49 100644
--- a/src/libstrongswan/networking/host.h
+++ b/src/libstrongswan/networking/host.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2006-2014 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -24,6 +24,9 @@
#ifndef HOST_H_
#define HOST_H_
+#include <utils/utils.h>
+#include <utils/chunk.h>
+
typedef enum host_diff_t host_diff_t;
typedef struct host_t host_t;
@@ -31,9 +34,6 @@ typedef struct host_t host_t;
#include <stdio.h>
#include <sys/types.h>
-#include <utils/utils.h>
-#include <utils/chunk.h>
-
/**
* Representates a Host
*
@@ -181,6 +181,19 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port);
host_t *host_create_from_sockaddr(sockaddr_t *sockaddr);
/**
+ * Parse a range definition (1.2.3.0-1.2.3.5), return the two hosts.
+ *
+ * The two hosts are not ordered, from is simply the first, to is the second,
+ * from is not necessarily smaller.
+ *
+ * @param string string to parse
+ * @param from returns the first address (out)
+ * @param to returns the second address (out)
+ * @return TRUE if parsed successfully, FALSE otherwise
+ */
+bool host_create_from_range(char *string, host_t **from, host_t **to);
+
+/**
* Create a host from a CIDR subnet definition (1.2.3.0/24), return bits.
*
* @param string string to parse
diff --git a/src/libstrongswan/networking/host_resolver.c b/src/libstrongswan/networking/host_resolver.c
index a7524ac23..bad87e434 100644
--- a/src/libstrongswan/networking/host_resolver.c
+++ b/src/libstrongswan/networking/host_resolver.c
@@ -163,20 +163,25 @@ static void *resolve_hosts(private_host_resolver_t *this)
int error;
bool old, timed_out;
+ /* default resolver threads to non-cancellable */
+ thread_cancelability(FALSE);
+
while (TRUE)
{
this->mutex->lock(this->mutex);
- thread_cleanup_push((thread_cleanup_t)this->mutex->unlock, this->mutex);
while (this->queue->remove_first(this->queue,
(void**)&query) != SUCCESS)
{
- old = thread_cancelability(TRUE);
+ if (this->disabled)
+ {
+ this->mutex->unlock(this->mutex);
+ return NULL;
+ }
timed_out = this->new_query->timed_wait(this->new_query,
this->mutex, NEW_QUERY_WAIT_TIMEOUT * 1000);
- thread_cancelability(old);
if (this->disabled)
{
- thread_cleanup_pop(TRUE);
+ this->mutex->unlock(this->mutex);
return NULL;
}
else if (timed_out && (this->threads > this->min_threads))
@@ -185,13 +190,13 @@ static void *resolve_hosts(private_host_resolver_t *this)
this->threads--;
this->pool->remove(this->pool, thread, NULL);
- thread_cleanup_pop(TRUE);
+ this->mutex->unlock(this->mutex);
thread->detach(thread);
return NULL;
}
}
this->busy_threads++;
- thread_cleanup_pop(TRUE);
+ this->mutex->unlock(this->mutex);
memset(&hints, 0, sizeof(hints));
hints.ai_family = query->family;
diff --git a/src/libstrongswan/networking/tun_device.c b/src/libstrongswan/networking/tun_device.c
index ff2c4a337..81d215677 100644
--- a/src/libstrongswan/networking/tun_device.c
+++ b/src/libstrongswan/networking/tun_device.c
@@ -346,40 +346,27 @@ METHOD(tun_device_t, write_packet, bool,
METHOD(tun_device_t, read_packet, bool,
private_tun_device_t *this, chunk_t *packet)
{
+ chunk_t data;
ssize_t len;
- fd_set set;
bool old;
- FD_ZERO(&set);
- FD_SET(this->tunfd, &set);
+ data = chunk_alloca(get_mtu(this));
old = thread_cancelability(TRUE);
- len = select(this->tunfd + 1, &set, NULL, NULL, NULL);
+ len = read(this->tunfd, data.ptr, data.len);
thread_cancelability(old);
-
- if (len < 0)
- {
- DBG1(DBG_LIB, "select on TUN device %s failed: %s", this->if_name,
- strerror(errno));
- return FALSE;
- }
- /* FIXME: this is quite expensive for lots of small packets, copy from
- * local buffer instead? */
- *packet = chunk_alloc(get_mtu(this));
- len = read(this->tunfd, packet->ptr, packet->len);
if (len < 0)
{
DBG1(DBG_LIB, "reading from TUN device %s failed: %s", this->if_name,
strerror(errno));
- chunk_free(packet);
return FALSE;
}
- packet->len = len;
+ data.len = len;
#ifdef __APPLE__
/* UTUN's prepend packets with a 32-bit protocol number */
- packet->len -= sizeof(u_int32_t);
- memmove(packet->ptr, packet->ptr + sizeof(u_int32_t), packet->len);
+ data = chunk_skip(data, sizeof(u_int32_t));
#endif
+ *packet = chunk_clone(data);
return TRUE;
}
diff --git a/src/libstrongswan/networking/tun_device.h b/src/libstrongswan/networking/tun_device.h
index 543125beb..880369ba7 100644
--- a/src/libstrongswan/networking/tun_device.h
+++ b/src/libstrongswan/networking/tun_device.h
@@ -31,8 +31,6 @@ typedef struct tun_device_t tun_device_t;
* Class to create TUN devices
*
* Creating such a device requires the CAP_NET_ADMIN capability.
- *
- * @note The implementation is currently very Linux specific
*/
struct tun_device_t {
@@ -42,7 +40,7 @@ struct tun_device_t {
* @note This call blocks until a packet is available. It is a thread
* cancellation point.
*
- * @param packet the packet read from the device
+ * @param packet the packet read from the device, allocated
* @return TRUE if successful
*/
bool (*read_packet)(tun_device_t *this, chunk_t *packet);
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index 425e8f1a9..65542ea5d 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 11dcf2907..9d79c81ee 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index 279000d88..4a86f9640 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
index 720738a84..2b7d51376 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_prf.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
@@ -139,6 +139,7 @@ METHOD(prf_t, set_key, bool,
{
char buf[this->block_size];
+ this->ops->reset(this->ops);
if (this->xcbc)
{
/* The kernel currently does not support variable length XCBC keys,
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
index 6ee380633..9ad01103a 100644
--- a/src/libstrongswan/plugins/af_alg/af_alg_signer.c
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -156,6 +156,7 @@ METHOD(signer_t, get_block_size, size_t,
METHOD(signer_t, set_key, bool,
private_af_alg_signer_t *this, chunk_t key)
{
+ this->ops->reset(this->ops);
return this->ops->set_key(this->ops, key);
}
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index c8e8112c5..292c2fd90 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/bliss/Makefile.am b/src/libstrongswan/plugins/bliss/Makefile.am
new file mode 100644
index 000000000..e2aaaf55c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/Makefile.am
@@ -0,0 +1,54 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS) \
+ @COVERAGE_CFLAGS@
+
+# these file are also used by bliss_huffman
+noinst_LTLIBRARIES = libbliss-params.la
+libbliss_params_la_SOURCES = \
+ bliss_param_set.h bliss_param_set.c \
+ bliss_fft_params.h bliss_fft_params.c
+
+# these files are also used by the tests, we can't directly refer to them
+# because of the subdirectory, which would cause distclean to fail
+noinst_LTLIBRARIES += libbliss.la
+libbliss_la_SOURCES = \
+ bliss_private_key.h bliss_private_key.c \
+ bliss_public_key.h bliss_public_key.c \
+ bliss_signature.h bliss_signature.c \
+ bliss_utils.h bliss_utils.c \
+ bliss_bitpacker.h bliss_bitpacker.c \
+ bliss_fft.h bliss_fft.c \
+ bliss_huffman_code.h bliss_huffman_code.c \
+ bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \
+ bliss_huffman_coder.h bliss_huffman_coder.c \
+ bliss_sampler.h bliss_sampler.c
+libbliss_la_LIBADD = libbliss-params.la
+
+if MONOLITHIC
+noinst_LTLIBRARIES += libstrongswan-bliss.la
+else
+plugin_LTLIBRARIES = libstrongswan-bliss.la
+endif
+
+libstrongswan_bliss_la_SOURCES = \
+ bliss_plugin.h bliss_plugin.c
+
+libstrongswan_bliss_la_LDFLAGS = -module -avoid-version
+
+libstrongswan_bliss_la_LIBADD = libbliss.la
+
+noinst_PROGRAMS = bliss_huffman
+
+bliss_huffman_SOURCES = bliss_huffman.c
+bliss_huffman_LDADD = -lm libbliss-params.la
+
+recreate-bliss-huffman : bliss_huffman bliss_huffman_code.h
+ $(AM_V_GEN) \
+ ./bliss_huffman 1 8 > $(srcdir)/bliss_huffman_code_1.c 2>/dev/null
+ $(AM_V_GEN) \
+ ./bliss_huffman 3 16 > $(srcdir)/bliss_huffman_code_3.c 2>/dev/null
+ $(AM_V_GEN) \
+ ./bliss_huffman 4 32 > $(srcdir)/bliss_huffman_code_4.c 2>/dev/null
diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in
new file mode 100644
index 000000000..1361dd340
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/Makefile.in
@@ -0,0 +1,862 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@MONOLITHIC_TRUE@am__append_1 = libstrongswan-bliss.la
+noinst_PROGRAMS = bliss_huffman$(EXEEXT)
+subdir = src/libstrongswan/plugins/bliss
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libbliss_params_la_LIBADD =
+am_libbliss_params_la_OBJECTS = bliss_param_set.lo bliss_fft_params.lo
+libbliss_params_la_OBJECTS = $(am_libbliss_params_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libbliss_la_DEPENDENCIES = libbliss-params.la
+am_libbliss_la_OBJECTS = bliss_private_key.lo bliss_public_key.lo \
+ bliss_signature.lo bliss_utils.lo bliss_bitpacker.lo \
+ bliss_fft.lo bliss_huffman_code.lo bliss_huffman_code_1.lo \
+ bliss_huffman_code_3.lo bliss_huffman_code_4.lo \
+ bliss_huffman_coder.lo bliss_sampler.lo
+libbliss_la_OBJECTS = $(am_libbliss_la_OBJECTS)
+libstrongswan_bliss_la_DEPENDENCIES = libbliss.la
+am_libstrongswan_bliss_la_OBJECTS = bliss_plugin.lo
+libstrongswan_bliss_la_OBJECTS = $(am_libstrongswan_bliss_la_OBJECTS)
+libstrongswan_bliss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_bliss_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_bliss_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_bliss_la_rpath =
+PROGRAMS = $(noinst_PROGRAMS)
+am_bliss_huffman_OBJECTS = bliss_huffman.$(OBJEXT)
+bliss_huffman_OBJECTS = $(am_bliss_huffman_OBJECTS)
+bliss_huffman_DEPENDENCIES = libbliss-params.la
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libbliss_params_la_SOURCES) $(libbliss_la_SOURCES) \
+ $(libstrongswan_bliss_la_SOURCES) $(bliss_huffman_SOURCES)
+DIST_SOURCES = $(libbliss_params_la_SOURCES) $(libbliss_la_SOURCES) \
+ $(libstrongswan_bliss_la_SOURCES) $(bliss_huffman_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS) \
+ @COVERAGE_CFLAGS@
+
+
+# these file are also used by bliss_huffman
+
+# these files are also used by the tests, we can't directly refer to them
+# because of the subdirectory, which would cause distclean to fail
+noinst_LTLIBRARIES = libbliss-params.la libbliss.la $(am__append_1)
+libbliss_params_la_SOURCES = \
+ bliss_param_set.h bliss_param_set.c \
+ bliss_fft_params.h bliss_fft_params.c
+
+libbliss_la_SOURCES = \
+ bliss_private_key.h bliss_private_key.c \
+ bliss_public_key.h bliss_public_key.c \
+ bliss_signature.h bliss_signature.c \
+ bliss_utils.h bliss_utils.c \
+ bliss_bitpacker.h bliss_bitpacker.c \
+ bliss_fft.h bliss_fft.c \
+ bliss_huffman_code.h bliss_huffman_code.c \
+ bliss_huffman_code_1.c bliss_huffman_code_3.c bliss_huffman_code_4.c \
+ bliss_huffman_coder.h bliss_huffman_coder.c \
+ bliss_sampler.h bliss_sampler.c
+
+libbliss_la_LIBADD = libbliss-params.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-bliss.la
+libstrongswan_bliss_la_SOURCES = \
+ bliss_plugin.h bliss_plugin.c
+
+libstrongswan_bliss_la_LDFLAGS = -module -avoid-version
+libstrongswan_bliss_la_LIBADD = libbliss.la
+bliss_huffman_SOURCES = bliss_huffman.c
+bliss_huffman_LDADD = -lm libbliss-params.la
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+libbliss-params.la: $(libbliss_params_la_OBJECTS) $(libbliss_params_la_DEPENDENCIES) $(EXTRA_libbliss_params_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(libbliss_params_la_OBJECTS) $(libbliss_params_la_LIBADD) $(LIBS)
+
+libbliss.la: $(libbliss_la_OBJECTS) $(libbliss_la_DEPENDENCIES) $(EXTRA_libbliss_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(LINK) $(libbliss_la_OBJECTS) $(libbliss_la_LIBADD) $(LIBS)
+
+libstrongswan-bliss.la: $(libstrongswan_bliss_la_OBJECTS) $(libstrongswan_bliss_la_DEPENDENCIES) $(EXTRA_libstrongswan_bliss_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libstrongswan_bliss_la_LINK) $(am_libstrongswan_bliss_la_rpath) $(libstrongswan_bliss_la_OBJECTS) $(libstrongswan_bliss_la_LIBADD) $(LIBS)
+
+clean-noinstPROGRAMS:
+ @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+
+bliss_huffman$(EXEEXT): $(bliss_huffman_OBJECTS) $(bliss_huffman_DEPENDENCIES) $(EXTRA_bliss_huffman_DEPENDENCIES)
+ @rm -f bliss_huffman$(EXEEXT)
+ $(AM_V_CCLD)$(LINK) $(bliss_huffman_OBJECTS) $(bliss_huffman_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_bitpacker.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_fft.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_fft_params.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_1.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_3.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_code_4.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_huffman_coder.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_param_set.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_private_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_public_key.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_sampler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_signature.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_utils.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-noinstPROGRAMS clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-noinstPROGRAMS \
+ clean-pluginLTLIBRARIES cscopelist-am ctags ctags-am distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am \
+ uninstall-pluginLTLIBRARIES
+
+
+recreate-bliss-huffman : bliss_huffman bliss_huffman_code.h
+ $(AM_V_GEN) \
+ ./bliss_huffman 1 8 > $(srcdir)/bliss_huffman_code_1.c 2>/dev/null
+ $(AM_V_GEN) \
+ ./bliss_huffman 3 16 > $(srcdir)/bliss_huffman_code_3.c 2>/dev/null
+ $(AM_V_GEN) \
+ ./bliss_huffman 4 32 > $(srcdir)/bliss_huffman_code_4.c 2>/dev/null
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/bliss/bliss_bitpacker.c b/src/libstrongswan/plugins/bliss/bliss_bitpacker.c
new file mode 100644
index 000000000..4d8446119
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_bitpacker.c
@@ -0,0 +1,207 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY;https://www.hsr.ch/HSR-intern-Anmeldung.4409.0.html?&no_cache=1 without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_bitpacker.h"
+
+typedef struct private_bliss_bitpacker_t private_bliss_bitpacker_t;
+
+/**
+ * Private data structure for bliss_bitpacker_t object
+ */
+struct private_bliss_bitpacker_t {
+ /**
+ * Public interface.
+ */
+ bliss_bitpacker_t public;
+
+ /**
+ * Current number of bits written to buffer
+ */
+ size_t bits;
+
+ /**
+ * Bit buffer for up to 32 bits
+ */
+ uint32_t bits_buf;
+
+ /**
+ * Bits left in the bit buffer
+ */
+ size_t bits_left;
+
+ /**
+ * Buffer
+ */
+ chunk_t buf;
+
+ /**
+ * Read/Write pointer into buffer
+ */
+ chunk_t pos;
+
+};
+
+METHOD(bliss_bitpacker_t, get_bits, size_t,
+ private_bliss_bitpacker_t *this)
+{
+ return this->bits;
+}
+
+METHOD(bliss_bitpacker_t, write_bits, bool,
+ private_bliss_bitpacker_t *this, uint32_t value, size_t bits)
+{
+ if (bits == 0)
+ {
+ return TRUE;
+ }
+ if (bits > 32)
+ {
+ return FALSE;
+ }
+ if (bits < 32)
+ {
+ value &= (1 << bits) - 1;
+ }
+ this->bits += bits;
+
+ while (TRUE)
+ {
+ if (bits <= this->bits_left)
+ {
+ this->bits_buf |= value << (this->bits_left - bits);
+ this->bits_left -= bits;
+ return TRUE;
+ }
+
+ this->bits_buf |= value >> (bits - this->bits_left);
+ value &= (1 << (bits - this->bits_left)) - 1;
+ bits -= this->bits_left;
+
+ if (this->pos.len < 8)
+ {
+ return FALSE;
+ }
+ htoun32(this->pos.ptr, this->bits_buf);
+ this->pos = chunk_skip(this->pos, 4);
+ this->bits_buf = 0;
+ this->bits_left = 32;
+ }
+}
+
+METHOD(bliss_bitpacker_t, read_bits, bool,
+ private_bliss_bitpacker_t *this, uint32_t *value, size_t bits)
+{
+ if (bits > 32)
+ {
+ return FALSE;
+ }
+ *value = 0;
+
+ while (TRUE)
+ {
+ if (this->bits_left == 0)
+ {
+ if (this->pos.len < 4)
+ {
+ return FALSE;
+ }
+ this->bits_buf = untoh32(this->pos.ptr);
+ this->pos = chunk_skip(this->pos, 4);
+ this->bits_left = 32;
+ }
+ if (bits <= this->bits_left)
+ {
+ *value |= this->bits_buf >> (this->bits_left - bits);
+ this->bits_buf &= (1 << (this->bits_left - bits)) - 1;
+ this->bits_left -= bits;
+
+ return TRUE;
+ }
+ *value |= this->bits_buf << (bits - this->bits_left);
+ bits -= this->bits_left;
+ this->bits_left = 0;
+ }
+}
+
+METHOD(bliss_bitpacker_t, extract_buf, chunk_t,
+ private_bliss_bitpacker_t *this)
+{
+ chunk_t buf;
+
+ htoun32(this->pos.ptr, this->bits_buf);
+ this->pos.len -= 4;
+ buf = this->buf;
+ buf.len = this->buf.len - this->pos.len - this->bits_left/8;
+ this->buf = this->pos = chunk_empty;
+
+ return buf;
+}
+
+METHOD(bliss_bitpacker_t, destroy, void,
+ private_bliss_bitpacker_t *this)
+{
+ free(this->buf.ptr);
+ free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_bitpacker_t *bliss_bitpacker_create(uint16_t max_bits)
+{
+ private_bliss_bitpacker_t *this;
+
+ INIT(this,
+ .public = {
+ .get_bits = _get_bits,
+ .write_bits = _write_bits,
+ .read_bits = _read_bits,
+ .extract_buf = _extract_buf,
+ .destroy = _destroy,
+ },
+ .bits_left = 32,
+ .buf = chunk_alloc(round_up(max_bits, 32)/8),
+ );
+
+ this->pos = this->buf;
+
+ return &this->public;
+}
+
+/**
+ * See header.
+ */
+bliss_bitpacker_t *bliss_bitpacker_create_from_data(chunk_t data)
+{
+ private_bliss_bitpacker_t *this;
+
+ INIT(this,
+ .public = {
+ .get_bits = _get_bits,
+ .write_bits = _write_bits,
+ .read_bits = _read_bits,
+ .extract_buf = _extract_buf,
+ .destroy = _destroy,
+ },
+ .bits = 8 * data.len,
+ .buf = chunk_alloc(round_up(data.len, 4)),
+ );
+
+ memset(this->buf.ptr + this->buf.len - 4, 0x00, 4);
+ memcpy(this->buf.ptr, data.ptr, data.len);
+ this->pos = this->buf;
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_bitpacker.h b/src/libstrongswan/plugins/bliss/bliss_bitpacker.h
new file mode 100644
index 000000000..2fe6cba1c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_bitpacker.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_bitpacker bliss_bitpacker
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_BITPACKER_H_
+#define BLISS_BITPACKER_H_
+
+#include <library.h>
+
+typedef struct bliss_bitpacker_t bliss_bitpacker_t;
+
+/**
+ * Reads and writes a variable number of bits in packed format
+ * from and to an octet buffer
+ */
+struct bliss_bitpacker_t {
+
+ /**
+ * Get the number of bits written into buffer
+ *
+ * @result Number of bits written
+ */
+ size_t (*get_bits)(bliss_bitpacker_t *this);
+
+ /**
+ * Get the prime modulus of the Number Theoretic Transform
+ *
+ * @param value Value to be written
+ * @param bits Number of bits to be written
+ * @result TRUE if value could be written into buffer
+ */
+ bool (*write_bits)(bliss_bitpacker_t *this, uint32_t value, size_t bits);
+
+
+ /**
+ * Get the prime modulus of the Number Theoretic Transform
+ *
+ * @param value Value returned
+ * @param bits Number of bits to be read
+ * @result TRUE if value could be read from buffer
+ */
+ bool (*read_bits)(bliss_bitpacker_t *this, uint32_t *value, size_t bits);
+
+ /**
+ * Detach the internal octet buffer and return it
+ */
+ chunk_t (*extract_buf)(bliss_bitpacker_t *this);
+
+ /**
+ * Destroy bliss_bitpacker_t object
+ */
+ void (*destroy)(bliss_bitpacker_t *this);
+};
+
+/**
+ * Create a bliss_bitpacker_t object for writing
+ *
+ * @param max_bits Total number of bits to be stored
+ */
+bliss_bitpacker_t* bliss_bitpacker_create(uint16_t max_bits);
+
+/**
+ * Create a bliss_bitpacker_t object for reading
+ *
+ * @param data Packed array of bits
+ */
+bliss_bitpacker_t* bliss_bitpacker_create_from_data(chunk_t data);
+
+#endif /** BLISS_BITPACKER_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.c b/src/libstrongswan/plugins/bliss/bliss_fft.c
new file mode 100644
index 000000000..033c2144e
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_fft.h"
+
+typedef struct private_bliss_fft_t private_bliss_fft_t;
+
+/**
+ * Private data structure for bliss_fft_t object
+ */
+struct private_bliss_fft_t {
+ /**
+ * Public interface.
+ */
+ bliss_fft_t public;
+
+ /**
+ * FFT parameter set used as constants
+ */
+ bliss_fft_params_t *p;
+
+};
+
+METHOD(bliss_fft_t, get_size, uint16_t,
+ private_bliss_fft_t *this)
+{
+ return this->p->n;
+}
+
+METHOD(bliss_fft_t, get_modulus, uint16_t,
+ private_bliss_fft_t *this)
+{
+ return this->p->q;
+}
+
+/**
+ * Do an FFT butterfly operation
+ *
+ * x[i1] ---|+|------- x[i1]
+ * \/
+ * /\ w[iw]
+ * x[i2] ---|-|--|*|-- x[i2]
+ *
+ */
+static void butterfly(private_bliss_fft_t *this, uint32_t *x, int i1,int i2,
+ int iw)
+{
+ uint32_t xp, xm;
+
+ xp = x[i1] + x[i2];
+ xm = x[i1] + (this->p->q - x[i2]);
+ if (xp >= this->p->q)
+ {
+ xp -= this->p->q;
+ }
+ x[i1] = xp;
+ x[i2] = (xm * this->p->w[iw]) % this->p->q;
+}
+
+/**
+ * Trivial butterfly operation of last FFT stage
+ */
+static void butterfly_last(private_bliss_fft_t *this, uint32_t *x, int i1)
+{
+ uint32_t xp, xm;
+ int i2 = i1 + 1;
+
+ xp = x[i1] + x[i2];
+ xm = x[i1] + (this->p->q - x[i2]);
+ if (xp >= this->p->q)
+ {
+ xp -= this->p->q;
+ }
+ if (xm >= this->p->q)
+ {
+ xm -= this->p->q;
+ }
+ x[i1] = xp;
+ x[i2] = xm;
+}
+
+METHOD(bliss_fft_t, transform, void,
+ private_bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse)
+{
+ int stage, i, j, k, m, n, t, iw, i_rev;
+ uint16_t q;
+ uint32_t tmp;
+
+ /* we are going to use the transform size n and the modulus q a lot */
+ n = this->p->n;
+ q = this->p->q;
+
+ if (!inverse)
+ {
+ /* apply linear phase needed for negative wrapped convolution */
+ for (i = 0; i < n; i++)
+ {
+ b[i] = (a[i] * this->p->w[i]) % q;
+ }
+ }
+ else if (a != b)
+ {
+ /* copy if input and output array are not the same */
+ for (i = 0; i < n; i++)
+ {
+ b[i] = a[i];
+ }
+ }
+
+ m = n;
+ k = 1;
+
+ for (stage = this->p->stages; stage > 0; stage--)
+ {
+ m >>= 1;
+ t = 0;
+
+ for (j = 0; j < k; j++)
+ {
+ if (stage == 1)
+ {
+ butterfly_last(this, b, t);
+ }
+ else
+ {
+ for (i = 0; i < m; i++)
+ {
+ iw = 2 * (inverse ? (n - i * k) : (i * k));
+ butterfly(this, b, t + i, t + i + m, iw);
+ }
+ }
+ t += 2*m;
+ }
+ k <<= 1;
+ }
+
+ /* Sort output in bit-reverse order */
+ for (i = 0; i < n; i++)
+ {
+ i_rev = this->p->rev[i];
+
+ if (i_rev > i)
+ {
+ tmp = b[i];
+ b[i] = b[i_rev];
+ b[i_rev] = tmp;
+ }
+ }
+
+ /**
+ * Compensate the linear phase needed for negative wrapped convolution
+ * and normalize the output array with 1/n mod q after the inverse FFT.
+ */
+ if (inverse)
+ {
+ for (i = 0; i < n; i++)
+ {
+ b[i] = (((b[i] * this->p->w[2*n - i]) % q) * this->p->n_inv) % q;
+ }
+ }
+}
+
+METHOD(bliss_fft_t, destroy, void,
+ private_bliss_fft_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params)
+{
+ private_bliss_fft_t *this;
+
+ INIT(this,
+ .public = {
+ .get_size = _get_size,
+ .get_modulus = _get_modulus,
+ .transform = _transform,
+ .destroy = _destroy,
+ },
+ .p = params,
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft.h b/src/libstrongswan/plugins/bliss/bliss_fft.h
new file mode 100644
index 000000000..a79edd2be
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_fft bliss_fft
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_FFT_H_
+#define BLISS_FFT_H_
+
+#include "bliss_fft_params.h"
+
+#include <library.h>
+
+typedef struct bliss_fft_t bliss_fft_t;
+
+/**
+ * Implements a Number Theoretic Transform (NTT) via the FFT algorithm
+ */
+struct bliss_fft_t {
+
+ /**
+ * Get the size of the Number Theoretic Transform
+ *
+ * @result Transform size
+ */
+ uint16_t (*get_size)(bliss_fft_t *this);
+
+ /**
+ * Get the prime modulus of the Number Theoretic Transform
+ *
+ * @result Prime modulus
+ */
+ uint16_t (*get_modulus)(bliss_fft_t *this);
+
+ /**
+ * Compute the [inverse] NTT of a polynomial
+ *
+ * @param a Coefficient of input polynomial
+ * @param b Coefficient of output polynomial
+ * @param inverse TRUE if the inverse NTT has to be computed
+ */
+ void (*transform)(bliss_fft_t *this, uint32_t *a, uint32_t *b, bool inverse);
+
+ /**
+ * Destroy bliss_fft_t object
+ */
+ void (*destroy)(bliss_fft_t *this);
+};
+
+/**
+ * Create a bliss_fft_t object for a given FFT parameter set
+ *
+ * @param params FFT parameters
+ */
+bliss_fft_t *bliss_fft_create(bliss_fft_params_t *params);
+
+#endif /** BLISS_FFT_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.c b/src/libstrongswan/plugins/bliss/bliss_fft_params.c
new file mode 100644
index 000000000..c892c06e6
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft_params.c
@@ -0,0 +1,215 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_fft_params.h"
+
+/**
+ * FFT parameters for q = 12289 and 2n = 1024
+ */
+static uint16_t w_12289_1024[] = {
+ 1, 49, 2401, 7048, 1260, 295, 2166, 7822, 2319, 3030,
+ 1002, 12231, 9447, 8210, 9042, 654, 7468, 9551, 1017, 677,
+ 8595, 3329, 3364, 5079, 3091, 3991, 11224, 9260, 11336, 2459,
+ 9890, 5339, 3542, 1512, 354, 5057, 2013, 325, 3636, 6118,
+ 4846, 3963, 9852, 3477, 10616, 4046, 1630, 6136, 5728, 10314,
+ 1537, 1579, 3637, 6167, 7247, 11011, 11112, 3772, 493, 11868,
+ 3949, 9166, 6730, 10256, 10984, 9789, 390, 6821, 2426, 8273,
+ 12129, 4449, 9088, 2908, 7313, 1956, 9821, 1958, 9919, 6760,
+ 11726, 9280, 27, 1323, 3382, 5961, 9442, 7965, 9326, 2281,
+ 1168, 8076, 2476, 10723, 9289, 468, 10643, 5369, 5012, 12097,
+
+ 2881, 5990, 10863, 3860, 4805, 1954, 9723, 9445, 8112, 4240,
+ 11136, 4948, 8961, 8974, 9611, 3957, 9558, 1360, 5195, 8775,
+ 12149, 5429, 7952, 8689, 7935, 7856, 3985, 10930, 7143, 5915,
+ 7188, 8120, 4632, 5766, 12176, 6752, 11334, 2361, 5088, 3532,
+ 1022, 922, 8311, 1702, 9664, 6554, 1632, 6234, 10530, 12121,
+ 4057, 2169, 7969, 9522, 11885, 4782, 827, 3656, 7098, 3710,
+ 9744, 10474, 9377, 4780, 729, 11143, 5291, 1190, 9154, 6142,
+ 6022, 142, 6958, 9139, 5407, 6874, 5023, 347, 4714, 9784,
+ 145, 7105, 4053, 1973, 10654, 5908, 6845, 3602, 4452, 9235,
+ 10111, 3879, 5736, 10706, 8456, 8807, 1428, 8527, 12286, 12142,
+
+ 5086, 3434, 8509, 11404, 5791, 1112, 5332, 3199, 9283, 174,
+ 8526, 12237, 9741, 10327, 2174, 8214, 9238, 10258, 11082, 2302,
+ 2197, 9341, 3016, 316, 3195, 9087, 2859, 4912, 7197, 8561,
+ 1663, 7753, 11227, 9407, 6250, 11314, 1381, 6224, 10040, 400,
+ 7311, 1858, 5019, 151, 7399, 6170, 7394, 5925, 7678, 7552,
+ 1378, 6077, 2837, 3834, 3531, 973, 10810, 1263, 442, 9369,
+ 4388, 6099, 3915, 7500, 11119, 4115, 5011, 12048, 480, 11231,
+ 9603, 3565, 2639, 6421, 7404, 6415, 7110, 4298, 1689, 9027,
+ 12208, 8320, 2143, 6695, 8541, 683, 8889, 5446, 8785, 350,
+ 4861, 4698, 9000, 10885, 4938, 8471, 9542, 576, 3646, 6608,
+
+ 4278, 709, 10163, 6427, 7698, 8532, 242, 11858, 3459, 9734,
+ 9984, 9945, 8034, 418, 8193, 8209, 8993, 10542, 420, 8291,
+ 722, 10800, 773, 1010, 334, 4077, 3149, 6833, 3014, 218,
+ 10682, 7280, 339, 4322, 2865, 5206, 9314, 1693, 9223, 9523,
+ 11934, 7183, 7875, 4916, 7393, 5876, 5277, 504, 118, 5782,
+ 671, 8301, 1212, 10232, 9808, 1321, 3284, 1159, 7635, 5445,
+ 8736, 10238, 10102, 3438, 8705, 8719, 9405, 6152, 6512, 11863,
+ 3704, 9450, 8357, 3956, 9509, 11248, 10436, 7515, 11854, 3263,
+ 130, 6370, 4905, 6854, 4043, 1483, 11222, 9162, 6534, 652,
+ 7370, 4749, 11499, 10446, 8005, 11286, 9, 441, 9320, 1987,
+
+ 11340, 2655, 7205, 8953, 8582, 2692, 9018, 11767, 11289, 156,
+ 7644, 5886, 5767, 12225, 9153, 6093, 3621, 5383, 5698, 8844,
+ 3241, 11341, 2704, 9606, 3712, 9842, 2987, 11184, 7300, 1319,
+ 3186, 8646, 5828, 2925, 8146, 5906, 6747, 11089, 2645, 6715,
+ 9521, 11836, 2381, 6068, 2396, 6803, 1544, 1922, 8155, 6347,
+ 3778, 787, 1696, 9370, 4437, 8500, 10963, 8760, 11414, 6281,
+ 544, 2078, 3510, 12233, 9545, 723, 10849, 3174, 8058, 1594,
+ 4372, 5315, 2366, 5333, 3248, 11684, 7222, 9786, 243, 11907,
+ 5860, 4493, 11244, 10240, 10200, 8240, 10512, 11239, 9995, 10484,
+ 9867, 4212, 9764, 11454, 8241, 10561, 1351, 4754, 11744, 10162,
+
+ 6378, 5297, 1484, 11271, 11563, 1293, 1912, 7665, 6915, 7032,
+ 476, 11035, 12288, 12240, 9888, 5241, 11029, 11994, 10123, 4467,
+ 9970, 9259, 11287, 58, 2842, 4079, 3247, 11635, 4821, 2738,
+ 11272, 11612, 3694, 8960, 8925, 7210, 9198, 8298, 1065, 3029,
+ 953, 9830, 2399, 6950, 8747, 10777, 11935, 7232, 10276, 11964,
+ 8653, 6171, 7443, 8326, 2437, 8812, 1673, 8243, 10659, 6153,
+ 6561, 1975, 10752, 10710, 8652, 6122, 5042, 1278, 1177, 8517,
+ 11796, 421, 8340, 3123, 5559, 2033, 1305, 2500, 11899, 5468,
+ 9863, 4016, 160, 7840, 3201, 9381, 4976, 10333, 2468, 10331,
+ 2370, 5529, 563, 3009, 12262, 10966, 8907, 6328, 2847, 4324,
+
+ 2963, 10008, 11121, 4213, 9813, 1566, 3000, 11821, 1646, 6920,
+ 7277, 192, 9408, 6299, 1426, 8429, 7484, 10335, 2566, 2844,
+ 4177, 8049, 1153, 7341, 3328, 3315, 2678, 8332, 2731, 10929,
+ 7094, 3514, 140, 6860, 4337, 3600, 4354, 4433, 8304, 1359,
+ 5146, 6374, 5101, 4169, 7657, 6523, 113, 5537, 955, 9928,
+ 7201, 8757, 11267, 11367, 3978, 10587, 2625, 5735, 10657, 6055,
+ 1759, 168, 8232, 10120, 4320, 2767, 404, 7507, 11462, 8633,
+ 5191, 8579, 2545, 1815, 2912, 7509, 11560, 1146, 6998, 11099,
+ 3135, 6147, 6267, 12147, 5331, 3150, 6882, 5415, 7266, 11942,
+ 7575, 2505, 12144, 5184, 8236, 10316, 1635, 6381, 5444, 8687,
+
+ 7837, 3054, 2178, 8410, 6553, 1583, 3833, 3482, 10861, 3762,
+ 3, 147, 7203, 8855, 3780, 885, 6498, 11177, 6957, 9090,
+ 3006, 12115, 3763, 52, 2548, 1962, 10115, 4075, 3051, 2031,
+ 1207, 9987, 10092, 2948, 9273, 11973, 9094, 3202, 9430, 7377,
+ 5092, 3728, 10626, 4536, 1062, 2882, 6039, 975, 10908, 6065,
+ 2249, 11889, 4978, 10431, 7270, 12138, 4890, 6119, 4895, 6364,
+ 4611, 4737, 10911, 6212, 9452, 8455, 8758, 11316, 1479, 11026,
+ 11847, 2920, 7901, 6190, 8374, 4789, 1170, 8174, 7278, 241,
+ 11809, 1058, 2686, 8724, 9650, 5868, 4885, 5874, 5179, 7991,
+ 10600, 3262, 81, 3969, 10146, 5594, 3748, 11606, 3400, 6843,
+
+ 3504, 11939, 7428, 7591, 3289, 1404, 7351, 3818, 2747, 11713,
+ 8643, 5681, 8011, 11580, 2126, 5862, 4591, 3757, 12047, 431,
+ 8830, 2555, 2305, 2344, 4255, 11871, 4096, 4080, 3296, 1747,
+ 11869, 3998, 11567, 1489, 11516, 11279, 11955, 8212, 9140, 5456,
+ 9275, 12071, 1607, 5009, 11950, 7967, 9424, 7083, 2975, 10596,
+ 3066, 2766, 355, 5106, 4414, 7373, 4896, 6413, 7012, 11785,
+ 12171, 6507, 11618, 3988, 11077, 2057, 2481, 10968, 9005, 11130,
+ 4654, 6844, 3553, 2051, 2187, 8851, 3584, 3570, 2884, 6137,
+ 5777, 426, 8585, 2839, 3932, 8333, 2780, 1041, 1853, 4774,
+ 435, 9026, 12159, 5919, 7384, 5435, 8246, 10806, 1067, 3127,
+
+ 5755, 11637, 4919, 7540, 790, 1843, 4284, 1003, 12280, 11848,
+ 2969, 10302, 949, 9634, 5084, 3336, 3707, 9597, 3271, 522,
+ 1000, 12133, 4645, 6403, 6522, 64, 3136, 6196, 8668, 6906,
+ 6591, 3445, 9048, 948, 9585, 2683, 8577, 2447, 9302, 1105,
+ 4989, 10970, 9103, 3643, 6461, 9364, 4143, 6383, 5542, 1200,
+ 9644, 5574, 2768, 453, 9908, 6221, 9893, 5486, 10745, 10367,
+ 4134, 5942, 8511, 11502, 10593, 2919, 7852, 3789, 1326, 3529,
+ 875, 6008, 11745, 10211, 8779, 56, 2744, 11566, 1440, 9115,
+ 4231, 10695, 7917, 6974, 9923, 6956, 9041, 605, 5067, 2503,
+ 12046, 382, 6429, 7796, 1045, 2049, 2089, 4049, 1777, 1050,
+
+ 2294, 1805, 2422, 8077, 2525, 835, 4048, 1728, 10938, 7535,
+ 545, 2127, 5911, 6992, 10805, 1018, 726, 10996, 10377, 4624,
+ 5374, 5257, 11813, 1254, 1
+};
+
+/**
+ * Bit-reversed indices for n = 512
+ */
+static uint16_t rev_512[] = {
+ 0, 256, 128, 384, 64, 320, 192, 448, 32, 288,
+ 160, 416, 96, 352, 224, 480, 16, 272, 144, 400,
+ 80, 336, 208, 464, 48, 304, 176, 432, 112, 368,
+ 240, 496, 8, 264, 136, 392, 72, 328, 200, 456,
+ 40, 296, 168, 424, 104, 360, 232, 488, 24, 280,
+ 152, 408, 88, 344, 216, 472, 56, 312, 184, 440,
+ 120, 376, 248, 504, 4, 260, 132, 388, 68, 324,
+ 196, 452, 36, 292, 164, 420, 100, 356, 228, 484,
+ 20, 276, 148, 404, 84, 340, 212, 468, 52, 308,
+ 180, 436, 116, 372, 244, 500, 12, 268, 140, 396,
+
+ 76, 332, 204, 460, 44, 300, 172, 428, 108, 364,
+ 236, 492, 28, 284, 156, 412, 92, 348, 220, 476,
+ 60, 316, 188, 444, 124, 380, 252, 508, 2, 258,
+ 130, 386, 66, 322, 194, 450, 34, 290, 162, 418,
+ 98, 354, 226, 482, 18, 274, 146, 402, 82, 338,
+ 210, 466, 50, 306, 178, 434, 114, 370, 242, 498,
+ 10, 266, 138, 394, 74, 330, 202, 458, 42, 298,
+ 170, 426, 106, 362, 234, 490, 26, 282, 154, 410,
+ 90, 346, 218, 474, 58, 314, 186, 442, 122, 378,
+ 250, 506, 6, 262, 134, 390, 70, 326, 198, 454,
+
+ 38, 294, 166, 422, 102, 358, 230, 486, 22, 278,
+ 150, 406, 86, 342, 214, 470, 54, 310, 182, 438,
+ 118, 374, 246, 502, 14, 270, 142, 398, 78, 334,
+ 206, 462, 46, 302, 174, 430, 110, 366, 238, 494,
+ 30, 286, 158, 414, 94, 350, 222, 478, 62, 318,
+ 190, 446, 126, 382, 254, 510, 1, 257, 129, 385,
+ 65, 321, 193, 449, 33, 289, 161, 417, 97, 353,
+ 225, 481, 17, 273, 145, 401, 81, 337, 209, 465,
+ 49, 305, 177, 433, 113, 369, 241, 497, 9, 265,
+ 137, 393, 73, 329, 201, 457, 41, 297, 169, 425,
+
+ 105, 361, 233, 489, 25, 281, 153, 409, 89, 345,
+ 217, 473, 57, 313, 185, 441, 121, 377, 249, 505,
+ 5, 261, 133, 389, 69, 325, 197, 453, 37, 293,
+ 165, 421, 101, 357, 229, 485, 21, 277, 149, 405,
+ 85, 341, 213, 469, 53, 309, 181, 437, 117, 373,
+ 245, 501, 13, 269, 141, 397, 77, 333, 205, 461,
+ 45, 301, 173, 429, 109, 365, 237, 493, 29, 285,
+ 157, 413, 93, 349, 221, 477, 61, 317, 189, 445,
+ 125, 381, 253, 509, 3, 259, 131, 387, 67, 323,
+ 195, 451, 35, 291, 163, 419, 99, 355, 227, 483,
+
+ 19, 275, 147, 403, 83, 339, 211, 467, 51, 307,
+ 179, 435, 115, 371, 243, 499, 11, 267, 139, 395,
+ 75, 331, 203, 459, 43, 299, 171, 427, 107, 363,
+ 235, 491, 27, 283, 155, 411, 91, 347, 219, 475,
+ 59, 315, 187, 443, 123, 379, 251, 507, 7, 263,
+ 135, 391, 71, 327, 199, 455, 39, 295, 167, 423,
+ 103, 359, 231, 487, 23, 279, 151, 407, 87, 343,
+ 215, 471, 55, 311, 183, 439, 119, 375, 247, 503,
+ 15, 271, 143, 399, 79, 335, 207, 463, 47, 303,
+ 175, 431, 111, 367, 239, 495, 31, 287, 159, 415,
+
+ 95, 351, 223, 479, 63, 319, 191, 447, 127, 383,
+ 255, 511
+};
+
+bliss_fft_params_t bliss_fft_12289_512 = {
+ 12289, 512, 12265, 9, w_12289_1024, rev_512
+};
+
+/**
+ * FFT parameters for q = 17 and n = 16
+ */
+static uint16_t w_17_16[] = {
+ 1, 3, 9, 10, 13, 5, 15, 11, 16, 14, 8, 7, 4, 12, 2, 6, 1 };
+
+/**
+ * Bit-reversed indices for n = 8
+ */
+static uint16_t rev_8[] = { 0, 4, 2, 6, 1, 5, 3, 7 };
+
+bliss_fft_params_t bliss_fft_17_8 = { 17, 8, 15, 3, w_17_16, rev_8 };
diff --git a/src/libstrongswan/plugins/bliss/bliss_fft_params.h b/src/libstrongswan/plugins/bliss/bliss_fft_params.h
new file mode 100644
index 000000000..31b151b67
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_fft_params.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_fft_params bliss_fft_params
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_FFT_PARAMS_H_
+#define BLISS_FFT_PARAMS_H_
+
+#include <library.h>
+
+typedef struct bliss_fft_params_t bliss_fft_params_t;
+
+/**
+ * Defines the parameters for an NTT computed via the FFT algorithm
+ */
+struct bliss_fft_params_t {
+
+ /**
+ * Prime modulus
+ */
+ uint16_t q;
+
+ /**
+ * Size of the FFT with the condition k * n = q-1
+ */
+ uint16_t n;
+
+ /**
+ * Inverse of n mod q used for normalization of the FFT
+ */
+ uint16_t n_inv;
+
+ /**
+ * Number of FFT stages stages = log2(n)
+ */
+ uint16_t stages;
+
+ /**
+ * FFT twiddle factors (n-th roots of unity)
+ */
+ uint16_t *w;
+
+ /**
+ * FFT bit reversal
+ */
+ uint16_t *rev;
+
+};
+
+/**
+ * FFT parameters for q = 12289 and n = 512
+ */
+extern bliss_fft_params_t bliss_fft_12289_512;
+
+/**
+ * FFT parameters for q = 17 and n = 8
+ */
+extern bliss_fft_params_t bliss_fft_17_8;
+
+#endif /** BLISS_FFT_PARAMS_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman.c b/src/libstrongswan/plugins/bliss/bliss_huffman.c
new file mode 100644
index 000000000..647234fd8
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c
@@ -0,0 +1,433 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+#include <stdio.h>
+#include <math.h>
+
+typedef struct tuple_t tuple_t;
+
+struct tuple_t {
+ int8_t z1;
+ int8_t z2;
+ uint16_t index;
+ uint16_t bits;
+ uint32_t code;
+};
+
+typedef struct node_t node_t;
+
+struct node_t {
+ node_t *next;
+ node_t *l;
+ node_t *r;
+ tuple_t *tuple;
+ double p;
+ uint16_t depth;
+ uint16_t index;
+};
+
+static void print_node(node_t *node)
+{
+ if (node->tuple)
+ {
+ fprintf(stderr, "(%1d,%2d)", node->tuple->z1, node->tuple->z2);
+ }
+ else
+ {
+ fprintf(stderr, " ");
+ }
+ fprintf(stderr, " %18.16f\n", node->p);
+}
+
+static double code_node(node_t *node, int *index, uint8_t bits, uint32_t code)
+{
+ double code_length = 0;
+
+ node->index = (*index)++;
+
+ if (node->tuple)
+ {
+ node->tuple->code = code;
+ node->tuple->bits = bits;
+ code_length += node->p * bits;
+ }
+ if (node->l)
+ {
+ code_length += code_node(node->l, index, bits + 1, (code << 1));
+ }
+ if (node->r)
+ {
+ code_length += code_node(node->r, index, bits + 1, (code << 1) + 1);
+ }
+
+ return code_length;
+
+}
+
+static void write_node(node_t *node)
+{
+ int16_t node_0, node_1, tuple;
+
+ node_0 = node->l ? node->l->index : BLISS_HUFFMAN_CODE_NO_NODE;
+ node_1 = node->r ? node->r->index : BLISS_HUFFMAN_CODE_NO_NODE;
+ tuple = node->tuple ? node->tuple->index : BLISS_HUFFMAN_CODE_NO_TUPLE;
+
+ printf("\t{ %3d, %3d, %3d }, /* %3d: ", node_0, node_1, tuple, node->index);
+
+ if (node->tuple)
+ {
+ printf("(%d,%2d) %2u bit%s ", node->tuple->z1, node->tuple->z2,
+ node->tuple->bits, (node->tuple->bits == 1) ? " " : "s");
+ }
+ printf("*/\n");
+
+ if (node->l)
+ {
+ write_node(node->l);
+ }
+ if (node->r)
+ {
+ write_node(node->r);
+ }
+}
+
+static void write_header(void)
+{
+ printf("/*\n");
+ printf(" * Copyright (C) 2014 Andreas Steffen\n");
+ printf(" * HSR Hochschule fuer Technik Rapperswil\n");
+ printf(" *\n");
+ printf(" * Optimum Huffman code for BLISS-X signatures\n");
+ printf(" *\n");
+ printf(" * This file has been automatically generated by the"
+ " bliss_huffman utility\n");
+ printf(" * Do not edit manually!\n");
+ printf(" */\n\n");
+};
+
+static void write_code_tables(int bliss_type, int n_z1, int n_z2, node_t *nodes,
+ tuple_t **tuples)
+{
+ int index, i, k;
+ uint32_t bit;
+ double code_length;
+
+ printf("#include \"bliss_huffman_code.h\"\n\n");
+
+ printf("static bliss_huffman_code_node_t nodes[] = {\n");
+ index = 0;
+ code_length = code_node(nodes, &index, 0, 0);
+ write_node(nodes);
+ printf("};\n\n");
+
+ printf("static bliss_huffman_code_tuple_t tuples[] = {\n");
+ index = 0;
+ for (i = 0; i < n_z1; i++)
+ {
+ if (i > 0)
+ {
+ printf("\n");
+ }
+ for (k = 1 - n_z2; k < n_z2; k++)
+ {
+ printf("\t{ %5u, %2u }, /* %3d: (%1d,%2d) ",
+ tuples[index]->code, tuples[index]->bits, index, i, k);
+ bit = 1 << (tuples[index]->bits - 1);
+ while (bit)
+ {
+ printf("%s", (tuples[index]->code & bit) ? "1" : "0");
+ bit >>= 1;
+ }
+ printf(" */\n");
+ index++;
+ }
+ }
+ printf("};\n\n");
+ printf("/* code_length = %6.4f bits/tuple (%d bits) */\n\n",
+ code_length, (int)(512 * code_length + 1));
+
+ printf("bliss_huffman_code_t bliss_huffman_code_%d = {\n", bliss_type);
+ printf("\t.n_z1 = %d,\n", n_z1);
+ printf("\t.n_z2 = %d,\n", n_z2);
+ printf("\t.tuples = tuples,\n");
+ printf("\t.nodes = nodes\n");
+ printf("};\n");
+}
+
+static void destroy_node(node_t *node)
+{
+ if (node->l)
+ {
+ destroy_node(node->l);
+ }
+ if (node->r)
+ {
+ destroy_node(node->r);
+ }
+ free(node->tuple);
+ free(node);
+}
+
+static void remove_node(node_t *list, node_t **last, node_t *node)
+{
+ node_t *current, *prev;
+
+ for (current = list->next, prev = list; current;
+ prev = current, current = current->next)
+ {
+ if (current == node)
+ {
+ prev->next = current->next;
+ if (*last == current)
+ {
+ *last = prev->next ?: prev;
+ }
+ break;
+ }
+ }
+}
+
+/**
+ * Generate a Huffman code for the optimum encoding of BLISS signatures
+ */
+int main(int argc, char *argv[])
+{
+ bliss_param_set_t *set;
+ int dx, bliss_type, depth = 1, groups, groups_left, pairs = 1;
+ int i_max = 9, k_max = 8, index_max = (2*k_max - 1) * i_max;
+ int i, i_top, k, k_top;
+ uint16_t index;
+ double p, p_z1[i_max], p_z2[k_max], x_z1[i_max], x_z2[k_max];
+ double t, x, x0, p_sum, entropy = 0, erf_i, erf_k, erf_0 = 0;
+ tuple_t *tuple, *tuples[index_max];
+ node_t *node, *node_l, *node_r, *nodes = NULL;
+ node_t *node_list, *node_last;
+
+ if (argc < 2)
+ {
+ fprintf(stderr, "usage: bliss_huffman <bliss type> [<pairs>]\n");
+ exit(1);
+ }
+ if (argc > 2)
+ {
+ pairs = atoi(argv[2]);
+ }
+ fprintf(stderr, "%d code pairs with constant length\n\n", pairs);
+ groups_left = groups = pairs >> 1;
+
+ bliss_type = atoi(argv[1]);
+ set = bliss_param_set_get_by_id(bliss_type);
+ if (!set)
+ {
+ fprintf(stderr, "bliss type %d unsupported\n", bliss_type);
+ exit(1);
+ }
+ write_header();
+ printf("/*\n");
+ printf(" * Design: sigma = %u\n", set->sigma);
+ printf(" *\n");
+
+ t = 1/(sqrt(2) * set->sigma);
+
+ /* Probability distribution for z1 */
+ i_top = (set->B_inf + 255) / 256;
+ p_sum = 0;
+ x = 0;
+
+ for (i = 0; i < i_top; i++)
+ {
+ x = min(x + 256, set->B_inf);
+ erf_i = erf(t*x);
+ p_z1[i] = erf_i - erf_0;
+ p_sum += p_z1[i];
+ erf_0 = erf_i;
+ x_z1[i] = x;
+ }
+
+ /* Normalize and print the probability distribution for z1 */
+ printf(" * i p_z1[i]\n");
+ x0 = 0;
+
+ for (i = 0; i < i_top; i++)
+ {
+ p_z1[i] /= p_sum;
+ printf(" * %2d %18.16f %4.0f .. %4.0f\n", i, p_z1[i], x0, x_z1[i]);
+ x0 = x_z1[i];
+ }
+ printf(" *\n");
+
+ /* Probability distribution for z2 */
+ dx = 1 << set->d;
+ k_top = 1 + set->B_inf / dx;
+ x = (dx >> 1) - 0.5;
+ p_sum = 0;
+
+ for (k = 0; k < k_top; k++)
+ {
+
+ erf_k = erf(t*x) / 2;
+ p_z2[k] = (k == 0) ? 2*erf_k : erf_k - erf_0;
+ p_sum += (k == 0) ? p_z2[k] : 2*p_z2[k];
+ erf_0 = erf_k;
+ x_z2[k] = x;
+ x += dx;
+ }
+
+ /* Normalize the probability distribution for z2 */
+ for (k = 0; k < k_top; k++)
+ {
+ p_z2[k] /= p_sum;
+ }
+
+ /* Print the probability distribution for z2 */
+ printf(" * k p_z2[k] dx = %d\n", dx);
+
+ for (k = 1 - k_top; k < k_top; k++)
+ {
+
+ printf(" * %2d %18.16f ",k, p_z2[abs(k)]);
+ if (k < 0)
+ {
+ printf(" %7.1f ..%7.1f\n", -x_z2[-k], -x_z2[-k-1]);
+ }
+ else if (k == 0)
+ {
+ printf(" %7.1f ..%7.1f\n", -x_z2[k], x_z2[k]);
+ }
+ else
+ {
+ printf(" %7.1f ..%7.1f\n", x_z2[k-1], x_z2[k]);
+ }
+ }
+ printf(" *\n");
+
+ /* Compute probabilities of tuples (z1, z2) */
+ INIT(node_list);
+ node_last = node_list;
+ printf(" * (i, k) p\n");
+ p_sum =0;
+ index = 0;
+
+ for (i = 0; i < i_top; i++)
+ {
+ for (k = 1 - k_top; k < k_top; k++)
+ {
+ p = p_z1[i] * p_z2[abs(k)];
+ printf(" * (%1d,%2d) %18.16f\n", i, k, p);
+ p_sum += p;
+ entropy += -log(p) * p;
+
+ INIT(tuple,
+ .z1 = i,
+ .z2 = k,
+ .index = index,
+ );
+ tuples[index++] = tuple;
+
+ INIT(node,
+ .p = p,
+ .tuple = tuple,
+ );
+ node_last->next = node;
+ node_last = node;
+ }
+ printf(" *\n");
+ }
+ entropy /= log(2);
+ printf(" * p_sum %18.16f\n", p_sum);
+ printf(" *\n");
+ printf(" * entropy = %6.4f bits/tuple (%d bits)\n",
+ entropy, (int)(512 * entropy));
+ printf(" */\n\n");
+
+ /* Build Huffman tree */
+ while (node_list->next != node_last)
+ {
+ node_r = node_l = NULL;
+
+ for (node = node_list->next; node; node = node->next)
+ {
+ if (pairs > 0)
+ {
+ if (!node->tuple)
+ {
+ continue;
+ }
+ }
+ else if (groups_left > 0)
+ {
+ if (node->tuple || node->depth != depth)
+ {
+ continue;
+ }
+ }
+ if (node_r == NULL || node->p < node_r->p)
+ {
+ node_l = node_r;
+ node_r = node;
+ }
+ else if (node_l == NULL || node->p < node_l->p)
+ {
+ node_l = node;
+ }
+ }
+
+ INIT(node,
+ .l = node_l,
+ .r = node_r,
+ .p = node_l->p + node_r->p,
+ .depth = 1 + max(node_l->depth, node_r->depth),
+ .tuple = NULL,
+ );
+ print_node(node_r);
+ print_node(node_l);
+ fprintf(stderr, " %18.16f", node->p);
+
+ remove_node(node_list, &node_last, node_l);
+ remove_node(node_list, &node_last, node_r);
+ node_last->next = node;
+ node_last = node;
+
+ if (pairs > 0)
+ {
+ pairs--;
+ }
+ else if (groups > 0)
+ {
+ if (--groups_left == 0)
+ {
+ groups >>= 1;
+ groups_left = groups;
+ depth++;
+ }
+ }
+ fprintf(stderr, "\n\n");
+ }
+
+
+ nodes = node_list->next;
+
+ write_code_tables(bliss_type, i_top, k_top, nodes, tuples);
+
+ destroy_node(nodes);
+ destroy_node(node_list);
+ exit(0);
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code.c
new file mode 100644
index 000000000..e31cd9d3c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_huffman_code.h"
+
+extern bliss_huffman_code_t bliss_huffman_code_1;
+extern bliss_huffman_code_t bliss_huffman_code_3;
+extern bliss_huffman_code_t bliss_huffman_code_4;
+
+/**
+ * See header.
+ */
+bliss_huffman_code_t* bliss_huffman_code_get_by_id(bliss_param_set_id_t id)
+{
+ switch (id)
+ {
+ case BLISS_I:
+ case BLISS_B_I:
+ return &bliss_huffman_code_1;
+ case BLISS_III:
+ case BLISS_B_III:
+ return &bliss_huffman_code_3;
+ case BLISS_IV:
+ case BLISS_B_IV:
+ return &bliss_huffman_code_4;
+ default:
+ return NULL;
+ }
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code.h b/src/libstrongswan/plugins/bliss/bliss_huffman_code.h
new file mode 100644
index 000000000..df8511b2e
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_huffman_code bliss_huffman_code
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_HUFFMAN_CODE_H_
+#define BLISS_HUFFMAN_CODE_H_
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+typedef struct bliss_huffman_code_t bliss_huffman_code_t;
+typedef struct bliss_huffman_code_tuple_t bliss_huffman_code_tuple_t;
+typedef struct bliss_huffman_code_node_t bliss_huffman_code_node_t;
+
+struct bliss_huffman_code_tuple_t {
+ uint32_t code;
+ uint16_t bits;
+};
+
+#define BLISS_HUFFMAN_CODE_NO_TUPLE -1
+#define BLISS_HUFFMAN_CODE_NO_NODE -1
+
+struct bliss_huffman_code_node_t {
+ int16_t node_0;
+ int16_t node_1;
+ int16_t tuple;
+};
+
+/**
+ * Defines the Huffman code for the optimum encoding of a BLISS signature
+ */
+struct bliss_huffman_code_t {
+
+ /**
+ * Range of z1: 0..n_z1-1
+ */
+ uint16_t n_z1;
+
+ /**
+ * Range of z2: -n_z2..n_z2
+ */
+ uint16_t n_z2;
+
+ /**
+ * Table of tuple codewords
+ */
+ bliss_huffman_code_tuple_t *tuples;
+
+ /**
+ * Table of binary decision nodes
+ */
+ bliss_huffman_code_node_t *nodes;
+};
+
+/**
+ * Get Optimum Huffman code for BLISS signature given by BLISS parameter set ID
+ *
+ * @param id BLISS parameter set ID
+ * @return Optimum Huffman code for BLISS signature
+*/
+bliss_huffman_code_t* bliss_huffman_code_get_by_id(bliss_param_set_id_t id);
+
+#endif /** BLISS_HUFFMAN_CODE_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c
new file mode 100644
index 000000000..1bf433fd1
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_1.c
@@ -0,0 +1,160 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Optimum Huffman code for BLISS-X signatures
+ *
+ * This file has been automatically generated by the bliss_huffman utility
+ * Do not edit manually!
+ */
+
+/*
+ * Design: sigma = 215
+ *
+ * i p_z1[i]
+ * 0 0.7662277087816564 0 .. 256
+ * 1 0.2165251006508514 256 .. 512
+ * 2 0.0168930510015114 512 .. 768
+ * 3 0.0003522302274478 768 .. 1024
+ * 4 0.0000019067136680 1024 .. 1280
+ * 5 0.0000000026239598 1280 .. 1536
+ * 6 0.0000000000009052 1536 .. 1792
+ * 7 0.0000000000000001 1792 .. 2047
+ *
+ * k p_z2[k] dx = 1024
+ * -1 0.0086781953089156 -1535.5 .. -511.5
+ * 0 0.9826436093821688 -511.5 .. 511.5
+ * 1 0.0086781953089156 511.5 .. 1535.5
+ *
+ * (i, k) p
+ * (0,-1) 0.0066494737079101
+ * (0, 0) 0.7529287613658361
+ * (0, 1) 0.0066494737079101
+ *
+ * (1,-1) 0.0018790471127307
+ * (1, 0) 0.2127670064253900
+ * (1, 1) 0.0018790471127307
+ *
+ * (2,-1) 0.0001466011959546
+ * (2, 0) 0.0165998486096022
+ * (2, 1) 0.0001466011959546
+ *
+ * (3,-1) 0.0000030567227075
+ * (3, 0) 0.0003461167820328
+ * (3, 1) 0.0000030567227075
+ *
+ * (4,-1) 0.0000000165468336
+ * (4, 0) 0.0000018736200007
+ * (4, 1) 0.0000000165468336
+ *
+ * (5,-1) 0.0000000000227712
+ * (5, 0) 0.0000000025784174
+ * (5, 1) 0.0000000000227712
+ *
+ * (6,-1) 0.0000000000000079
+ * (6, 0) 0.0000000000008895
+ * (6, 1) 0.0000000000000079
+ *
+ * (7,-1) 0.0000000000000000
+ * (7, 0) 0.0000000000000001
+ * (7, 1) 0.0000000000000000
+ *
+ * p_sum 0.9999999999999998
+ *
+ * entropy = 1.0195 bits/tuple (521 bits)
+ */
+
+#include "bliss_huffman_code.h"
+
+static bliss_huffman_code_node_t nodes[] = {
+ { 1, 2, -1 }, /* 0: */
+ { -1, -1, 1 }, /* 1: (0, 0) 1 bit */
+ { 3, 4, -1 }, /* 2: */
+ { -1, -1, 4 }, /* 3: (1, 0) 2 bits */
+ { 5, 46, -1 }, /* 4: */
+ { 6, 45, -1 }, /* 5: */
+ { 7, 8, -1 }, /* 6: */
+ { -1, -1, 0 }, /* 7: (0,-1) 5 bits */
+ { 9, 44, -1 }, /* 8: */
+ { 10, 11, -1 }, /* 9: */
+ { -1, -1, 3 }, /* 10: (1,-1) 7 bits */
+ { 12, 13, -1 }, /* 11: */
+ { -1, -1, 10 }, /* 12: (3, 0) 8 bits */
+ { 14, 29, -1 }, /* 13: */
+ { 15, 22, -1 }, /* 14: */
+ { 16, 19, -1 }, /* 15: */
+ { 17, 18, -1 }, /* 16: */
+ { -1, -1, 8 }, /* 17: (2, 1) 12 bits */
+ { -1, -1, 6 }, /* 18: (2,-1) 12 bits */
+ { 20, 21, -1 }, /* 19: */
+ { -1, -1, 11 }, /* 20: (3, 1) 12 bits */
+ { -1, -1, 9 }, /* 21: (3,-1) 12 bits */
+ { 23, 26, -1 }, /* 22: */
+ { 24, 25, -1 }, /* 23: */
+ { -1, -1, 13 }, /* 24: (4, 0) 12 bits */
+ { -1, -1, 14 }, /* 25: (4, 1) 12 bits */
+ { 27, 28, -1 }, /* 26: */
+ { -1, -1, 12 }, /* 27: (4,-1) 12 bits */
+ { -1, -1, 16 }, /* 28: (5, 0) 12 bits */
+ { 30, 37, -1 }, /* 29: */
+ { 31, 34, -1 }, /* 30: */
+ { 32, 33, -1 }, /* 31: */
+ { -1, -1, 17 }, /* 32: (5, 1) 12 bits */
+ { -1, -1, 15 }, /* 33: (5,-1) 12 bits */
+ { 35, 36, -1 }, /* 34: */
+ { -1, -1, 19 }, /* 35: (6, 0) 12 bits */
+ { -1, -1, 20 }, /* 36: (6, 1) 12 bits */
+ { 38, 41, -1 }, /* 37: */
+ { 39, 40, -1 }, /* 38: */
+ { -1, -1, 18 }, /* 39: (6,-1) 12 bits */
+ { -1, -1, 22 }, /* 40: (7, 0) 12 bits */
+ { 42, 43, -1 }, /* 41: */
+ { -1, -1, 23 }, /* 42: (7, 1) 12 bits */
+ { -1, -1, 21 }, /* 43: (7,-1) 12 bits */
+ { -1, -1, 5 }, /* 44: (1, 1) 6 bits */
+ { -1, -1, 2 }, /* 45: (0, 1) 4 bits */
+ { -1, -1, 7 }, /* 46: (2, 0) 3 bits */
+};
+
+static bliss_huffman_code_tuple_t tuples[] = {
+ { 24, 5 }, /* 0: (0,-1) 11000 */
+ { 0, 1 }, /* 1: (0, 0) 0 */
+ { 13, 4 }, /* 2: (0, 1) 1101 */
+
+ { 100, 7 }, /* 3: (1,-1) 1100100 */
+ { 2, 2 }, /* 4: (1, 0) 10 */
+ { 51, 6 }, /* 5: (1, 1) 110011 */
+
+ { 3249, 12 }, /* 6: (2,-1) 110010110001 */
+ { 7, 3 }, /* 7: (2, 0) 111 */
+ { 3248, 12 }, /* 8: (2, 1) 110010110000 */
+
+ { 3251, 12 }, /* 9: (3,-1) 110010110011 */
+ { 202, 8 }, /* 10: (3, 0) 11001010 */
+ { 3250, 12 }, /* 11: (3, 1) 110010110010 */
+
+ { 3254, 12 }, /* 12: (4,-1) 110010110110 */
+ { 3252, 12 }, /* 13: (4, 0) 110010110100 */
+ { 3253, 12 }, /* 14: (4, 1) 110010110101 */
+
+ { 3257, 12 }, /* 15: (5,-1) 110010111001 */
+ { 3255, 12 }, /* 16: (5, 0) 110010110111 */
+ { 3256, 12 }, /* 17: (5, 1) 110010111000 */
+
+ { 3260, 12 }, /* 18: (6,-1) 110010111100 */
+ { 3258, 12 }, /* 19: (6, 0) 110010111010 */
+ { 3259, 12 }, /* 20: (6, 1) 110010111011 */
+
+ { 3263, 12 }, /* 21: (7,-1) 110010111111 */
+ { 3261, 12 }, /* 22: (7, 0) 110010111101 */
+ { 3262, 12 }, /* 23: (7, 1) 110010111110 */
+};
+
+/* code_length = 1.3189 bits/tuple (676 bits) */
+
+bliss_huffman_code_t bliss_huffman_code_1 = {
+ .n_z1 = 8,
+ .n_z2 = 2,
+ .tuples = tuples,
+ .nodes = nodes
+};
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c
new file mode 100644
index 000000000..37a8084d4
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_3.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Optimum Huffman code for BLISS-X signatures
+ *
+ * This file has been automatically generated by the bliss_huffman utility
+ * Do not edit manually!
+ */
+
+/*
+ * Design: sigma = 250
+ *
+ * i p_z1[i]
+ * 0 0.6941647250930416 0 .. 256
+ * 1 0.2652752755116807 256 .. 512
+ * 2 0.0384337021454129 512 .. 768
+ * 3 0.0020842622589255 768 .. 1024
+ * 4 0.0000417294572050 1024 .. 1280
+ * 5 0.0000003047309681 1280 .. 1536
+ * 6 0.0000000008027661 1536 .. 1760
+ *
+ * k p_z2[k] dx = 512
+ * -3 0.0000001543959154 -1791.5 ..-1279.5
+ * -2 0.0010701394583782 -1279.5 .. -767.5
+ * -1 0.1523201563502276 -767.5 .. -255.5
+ * 0 0.6932190995909575 -255.5 .. 255.5
+ * 1 0.1523201563502276 255.5 .. 767.5
+ * 2 0.0010701394583782 767.5 .. 1279.5
+ * 3 0.0000001543959154 1279.5 .. 1791.5
+ *
+ * (i, k) p
+ * (0,-3) 0.0000001071761982
+ * (0,-2) 0.0007428530629363
+ * (0,-1) 0.1057352794589848
+ * (0, 0) 0.4812082456968029
+ * (0, 1) 0.1057352794589848
+ * (0, 2) 0.0007428530629363
+ * (0, 3) 0.0000001071761982
+ *
+ * (1,-3) 0.0000000409574190
+ * (1,-2) 0.0002838815396572
+ * (1,-1) 0.0404067714417889
+ * (1, 0) 0.1838938876339505
+ * (1, 1) 0.0404067714417889
+ * (1, 2) 0.0002838815396572
+ * (1, 3) 0.0000000409574190
+ *
+ * (2,-3) 0.0000000059340066
+ * (2,-2) 0.0000411294211974
+ * (2,-1) 0.0058542275199074
+ * (2, 0) 0.0266429763951902
+ * (2, 1) 0.0058542275199074
+ * (2, 2) 0.0000411294211974
+ * (2, 3) 0.0000000059340066
+ *
+ * (3,-3) 0.0000000003218016
+ * (3,-2) 0.0000022304512849
+ * (3,-1) 0.0003174751531544
+ * (3, 0) 0.0014448504064437
+ * (3, 1) 0.0003174751531544
+ * (3, 2) 0.0000022304512849
+ * (3, 3) 0.0000000003218016
+ *
+ * (4,-3) 0.0000000000064429
+ * (4,-2) 0.0000000446563387
+ * (4,-1) 0.0000063562374459
+ * (4, 0) 0.0000289276567501
+ * (4, 1) 0.0000063562374459
+ * (4, 2) 0.0000000446563387
+ * (4, 3) 0.0000000000064429
+ *
+ * (5,-3) 0.0000000000000470
+ * (5,-2) 0.0000000003261046
+ * (5,-1) 0.0000000464166687
+ * (5, 0) 0.0000002112453273
+ * (5, 1) 0.0000000464166687
+ * (5, 2) 0.0000000003261046
+ * (5, 3) 0.0000000000000470
+ *
+ * (6,-3) 0.0000000000000001
+ * (6,-2) 0.0000000000008591
+ * (6,-1) 0.0000000001222775
+ * (6, 0) 0.0000000005564928
+ * (6, 1) 0.0000000001222775
+ * (6, 2) 0.0000000000008591
+ * (6, 3) 0.0000000000000001
+ *
+ * p_sum 0.9999999999999999
+ *
+ * entropy = 2.2879 bits/tuple (1171 bits)
+ */
+
+#include "bliss_huffman_code.h"
+
+static bliss_huffman_code_node_t nodes[] = {
+ { 1, 96, -1 }, /* 0: */
+ { 2, 93, -1 }, /* 1: */
+ { 3, 4, -1 }, /* 2: */
+ { -1, -1, 10 }, /* 3: (1, 0) 3 bits */
+ { 5, 8, -1 }, /* 4: */
+ { 6, 7, -1 }, /* 5: */
+ { -1, -1, 11 }, /* 6: (1, 1) 5 bits */
+ { -1, -1, 9 }, /* 7: (1,-1) 5 bits */
+ { 9, 10, -1 }, /* 8: */
+ { -1, -1, 17 }, /* 9: (2, 0) 5 bits */
+ { 11, 92, -1 }, /* 10: */
+ { 12, 13, -1 }, /* 11: */
+ { -1, -1, 16 }, /* 12: (2,-1) 7 bits */
+ { 14, 89, -1 }, /* 13: */
+ { 15, 16, -1 }, /* 14: */
+ { -1, -1, 24 }, /* 15: (3, 0) 9 bits */
+ { 17, 86, -1 }, /* 16: */
+ { 18, 85, -1 }, /* 17: */
+ { 19, 20, -1 }, /* 18: */
+ { -1, -1, 8 }, /* 19: (1,-2) 12 bits */
+ { 21, 84, -1 }, /* 20: */
+ { 22, 53, -1 }, /* 21: */
+ { 23, 38, -1 }, /* 22: */
+ { 24, 31, -1 }, /* 23: */
+ { 25, 28, -1 }, /* 24: */
+ { 26, 27, -1 }, /* 25: */
+ { -1, -1, 15 }, /* 26: (2,-2) 18 bits */
+ { -1, -1, 31 }, /* 27: (4, 0) 18 bits */
+ { 29, 30, -1 }, /* 28: */
+ { -1, -1, 32 }, /* 29: (4, 1) 18 bits */
+ { -1, -1, 30 }, /* 30: (4,-1) 18 bits */
+ { 32, 35, -1 }, /* 31: */
+ { 33, 34, -1 }, /* 32: */
+ { -1, -1, 26 }, /* 33: (3, 2) 18 bits */
+ { -1, -1, 22 }, /* 34: (3,-2) 18 bits */
+ { 36, 37, -1 }, /* 35: */
+ { -1, -1, 38 }, /* 36: (5, 0) 18 bits */
+ { -1, -1, 6 }, /* 37: (0, 3) 18 bits */
+ { 39, 46, -1 }, /* 38: */
+ { 40, 43, -1 }, /* 39: */
+ { 41, 42, -1 }, /* 40: */
+ { -1, -1, 0 }, /* 41: (0,-3) 18 bits */
+ { -1, -1, 39 }, /* 42: (5, 1) 18 bits */
+ { 44, 45, -1 }, /* 43: */
+ { -1, -1, 37 }, /* 44: (5,-1) 18 bits */
+ { -1, -1, 33 }, /* 45: (4, 2) 18 bits */
+ { 47, 50, -1 }, /* 46: */
+ { 48, 49, -1 }, /* 47: */
+ { -1, -1, 29 }, /* 48: (4,-2) 18 bits */
+ { -1, -1, 13 }, /* 49: (1, 3) 18 bits */
+ { 51, 52, -1 }, /* 50: */
+ { -1, -1, 7 }, /* 51: (1,-3) 18 bits */
+ { -1, -1, 20 }, /* 52: (2, 3) 18 bits */
+ { 54, 69, -1 }, /* 53: */
+ { 55, 62, -1 }, /* 54: */
+ { 56, 59, -1 }, /* 55: */
+ { 57, 58, -1 }, /* 56: */
+ { -1, -1, 14 }, /* 57: (2,-3) 18 bits */
+ { -1, -1, 45 }, /* 58: (6, 0) 18 bits */
+ { 60, 61, -1 }, /* 59: */
+ { -1, -1, 40 }, /* 60: (5, 2) 18 bits */
+ { -1, -1, 36 }, /* 61: (5,-2) 18 bits */
+ { 63, 66, -1 }, /* 62: */
+ { 64, 65, -1 }, /* 63: */
+ { -1, -1, 27 }, /* 64: (3, 3) 18 bits */
+ { -1, -1, 21 }, /* 65: (3,-3) 18 bits */
+ { 67, 68, -1 }, /* 66: */
+ { -1, -1, 46 }, /* 67: (6, 1) 18 bits */
+ { -1, -1, 44 }, /* 68: (6,-1) 18 bits */
+ { 70, 77, -1 }, /* 69: */
+ { 71, 74, -1 }, /* 70: */
+ { 72, 73, -1 }, /* 71: */
+ { -1, -1, 34 }, /* 72: (4, 3) 18 bits */
+ { -1, -1, 28 }, /* 73: (4,-3) 18 bits */
+ { 75, 76, -1 }, /* 74: */
+ { -1, -1, 47 }, /* 75: (6, 2) 18 bits */
+ { -1, -1, 43 }, /* 76: (6,-2) 18 bits */
+ { 78, 81, -1 }, /* 77: */
+ { 79, 80, -1 }, /* 78: */
+ { -1, -1, 41 }, /* 79: (5, 3) 18 bits */
+ { -1, -1, 35 }, /* 80: (5,-3) 18 bits */
+ { 82, 83, -1 }, /* 81: */
+ { -1, -1, 48 }, /* 82: (6, 3) 18 bits */
+ { -1, -1, 42 }, /* 83: (6,-3) 18 bits */
+ { -1, -1, 19 }, /* 84: (2, 2) 13 bits */
+ { -1, -1, 25 }, /* 85: (3, 1) 11 bits */
+ { 87, 88, -1 }, /* 86: */
+ { -1, -1, 23 }, /* 87: (3,-1) 11 bits */
+ { -1, -1, 12 }, /* 88: (1, 2) 11 bits */
+ { 90, 91, -1 }, /* 89: */
+ { -1, -1, 5 }, /* 90: (0, 2) 9 bits */
+ { -1, -1, 1 }, /* 91: (0,-2) 9 bits */
+ { -1, -1, 18 }, /* 92: (2, 1) 6 bits */
+ { 94, 95, -1 }, /* 93: */
+ { -1, -1, 4 }, /* 94: (0, 1) 3 bits */
+ { -1, -1, 2 }, /* 95: (0,-1) 3 bits */
+ { -1, -1, 3 }, /* 96: (0, 0) 1 bit */
+};
+
+static bliss_huffman_code_tuple_t tuples[] = {
+ { 59976, 18 }, /* 0: (0,-3) 001110101001001000 */
+ { 119, 9 }, /* 1: (0,-2) 001110111 */
+ { 3, 3 }, /* 2: (0,-1) 011 */
+ { 1, 1 }, /* 3: (0, 0) 1 */
+ { 2, 3 }, /* 4: (0, 1) 010 */
+ { 118, 9 }, /* 5: (0, 2) 001110110 */
+ { 59975, 18 }, /* 6: (0, 3) 001110101001000111 */
+
+ { 59982, 18 }, /* 7: (1,-3) 001110101001001110 */
+ { 936, 12 }, /* 8: (1,-2) 001110101000 */
+ { 5, 5 }, /* 9: (1,-1) 00101 */
+ { 0, 3 }, /* 10: (1, 0) 000 */
+ { 4, 5 }, /* 11: (1, 1) 00100 */
+ { 471, 11 }, /* 12: (1, 2) 00111010111 */
+ { 59981, 18 }, /* 13: (1, 3) 001110101001001101 */
+
+ { 59984, 18 }, /* 14: (2,-3) 001110101001010000 */
+ { 59968, 18 }, /* 15: (2,-2) 001110101001000000 */
+ { 28, 7 }, /* 16: (2,-1) 0011100 */
+ { 6, 5 }, /* 17: (2, 0) 00110 */
+ { 15, 6 }, /* 18: (2, 1) 001111 */
+ { 1875, 13 }, /* 19: (2, 2) 0011101010011 */
+ { 59983, 18 }, /* 20: (2, 3) 001110101001001111 */
+
+ { 59989, 18 }, /* 21: (3,-3) 001110101001010101 */
+ { 59973, 18 }, /* 22: (3,-2) 001110101001000101 */
+ { 470, 11 }, /* 23: (3,-1) 00111010110 */
+ { 116, 9 }, /* 24: (3, 0) 001110100 */
+ { 469, 11 }, /* 25: (3, 1) 00111010101 */
+ { 59972, 18 }, /* 26: (3, 2) 001110101001000100 */
+ { 59988, 18 }, /* 27: (3, 3) 001110101001010100 */
+
+ { 59993, 18 }, /* 28: (4,-3) 001110101001011001 */
+ { 59980, 18 }, /* 29: (4,-2) 001110101001001100 */
+ { 59971, 18 }, /* 30: (4,-1) 001110101001000011 */
+ { 59969, 18 }, /* 31: (4, 0) 001110101001000001 */
+ { 59970, 18 }, /* 32: (4, 1) 001110101001000010 */
+ { 59979, 18 }, /* 33: (4, 2) 001110101001001011 */
+ { 59992, 18 }, /* 34: (4, 3) 001110101001011000 */
+
+ { 59997, 18 }, /* 35: (5,-3) 001110101001011101 */
+ { 59987, 18 }, /* 36: (5,-2) 001110101001010011 */
+ { 59978, 18 }, /* 37: (5,-1) 001110101001001010 */
+ { 59974, 18 }, /* 38: (5, 0) 001110101001000110 */
+ { 59977, 18 }, /* 39: (5, 1) 001110101001001001 */
+ { 59986, 18 }, /* 40: (5, 2) 001110101001010010 */
+ { 59996, 18 }, /* 41: (5, 3) 001110101001011100 */
+
+ { 59999, 18 }, /* 42: (6,-3) 001110101001011111 */
+ { 59995, 18 }, /* 43: (6,-2) 001110101001011011 */
+ { 59991, 18 }, /* 44: (6,-1) 001110101001010111 */
+ { 59985, 18 }, /* 45: (6, 0) 001110101001010001 */
+ { 59990, 18 }, /* 46: (6, 1) 001110101001010110 */
+ { 59994, 18 }, /* 47: (6, 2) 001110101001011010 */
+ { 59998, 18 }, /* 48: (6, 3) 001110101001011110 */
+};
+
+/* code_length = 2.3227 bits/tuple (1190 bits) */
+
+bliss_huffman_code_t bliss_huffman_code_3 = {
+ .n_z1 = 7,
+ .n_z2 = 4,
+ .tuples = tuples,
+ .nodes = nodes
+};
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c b/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c
new file mode 100644
index 000000000..c4f709c93
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_code_4.c
@@ -0,0 +1,435 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Optimum Huffman code for BLISS-X signatures
+ *
+ * This file has been automatically generated by the bliss_huffman utility
+ * Do not edit manually!
+ */
+
+/*
+ * Design: sigma = 271
+ *
+ * i p_z1[i]
+ * 0 0.6551621276225426 0 .. 256
+ * 1 0.2859860850630749 256 .. 512
+ * 2 0.0542541135599810 512 .. 768
+ * 3 0.0044399624814222 768 .. 1024
+ * 4 0.0001553928373912 1024 .. 1280
+ * 5 0.0000023066278552 1280 .. 1536
+ * 6 0.0000000118077330 1536 .. 1613
+ *
+ * k p_z2[k] dx = 256
+ * -6 0.0000001026458579 -1663.5 ..-1407.5
+ * -5 0.0000106295703648 -1407.5 ..-1151.5
+ * -4 0.0004651193817805 -1151.5 .. -895.5
+ * -3 0.0086670703658387 -895.5 .. -639.5
+ * -2 0.0693723939195647 -639.5 .. -383.5
+ * -1 0.2404908493690626 -383.5 .. -127.5
+ * 0 0.3619876694950614 -127.5 .. 127.5
+ * 1 0.2404908493690626 127.5 .. 383.5
+ * 2 0.0693723939195647 383.5 .. 639.5
+ * 3 0.0086670703658387 639.5 .. 895.5
+ * 4 0.0004651193817805 895.5 .. 1151.5
+ * 5 0.0000106295703648 1151.5 .. 1407.5
+ * 6 0.0000001026458579 1407.5 .. 1663.5
+ *
+ * (i, k) p
+ * (0,-6) 0.0000000672496787
+ * (0,-5) 0.0000069640919359
+ * (0,-4) 0.0003047286037658
+ * (0,-3) 0.0056783362611372
+ * (0,-2) 0.0454501651986111
+ * (0,-1) 0.1575604965463875
+ * (0, 0) 0.2371606117195102
+ * (0, 1) 0.1575604965463875
+ * (0, 2) 0.0454501651986111
+ * (0, 3) 0.0056783362611372
+ * (0, 4) 0.0003047286037658
+ * (0, 5) 0.0000069640919359
+ * (0, 6) 0.0000000672496787
+ *
+ * (1,-6) 0.0000000293552870
+ * (1,-5) 0.0000030399092145
+ * (1,-4) 0.0001330176710824
+ * (1,-3) 0.0024786615228924
+ * (1,-2) 0.0198395393485098
+ * (1,-1) 0.0687770365045519
+ * (1, 0) 0.1035234364399989
+ * (1, 1) 0.0687770365045519
+ * (1, 2) 0.0198395393485098
+ * (1, 3) 0.0024786615228924
+ * (1, 4) 0.0001330176710824
+ * (1, 5) 0.0000030399092145
+ * (1, 6) 0.0000000293552870
+ *
+ * (2,-6) 0.0000000055689600
+ * (2,-5) 0.0000005766979177
+ * (2,-4) 0.0000252346397581
+ * (2,-3) 0.0004702242198606
+ * (2,-2) 0.0037637377376398
+ * (2,-1) 0.0130476178518054
+ * (2, 0) 0.0196393201280979
+ * (2, 1) 0.0130476178518054
+ * (2, 2) 0.0037637377376398
+ * (2, 3) 0.0004702242198606
+ * (2, 4) 0.0000252346397581
+ * (2, 5) 0.0000005766979177
+ * (2, 6) 0.0000000055689600
+ *
+ * (3,-6) 0.0000000004557438
+ * (3,-5) 0.0000000471948936
+ * (3,-4) 0.0000020651126045
+ * (3,-3) 0.0000384814672482
+ * (3,-2) 0.0003080108262493
+ * (3,-1) 0.0010677703483240
+ * (3, 0) 0.0016072116712955
+ * (3, 1) 0.0010677703483240
+ * (3, 2) 0.0003080108262493
+ * (3, 3) 0.0000384814672482
+ * (3, 4) 0.0000020651126045
+ * (3, 5) 0.0000000471948936
+ * (3, 6) 0.0000000004557438
+ *
+ * (4,-6) 0.0000000000159504
+ * (4,-5) 0.0000000016517591
+ * (4,-4) 0.0000000722762205
+ * (4,-3) 0.0000013468006560
+ * (4,-2) 0.0000107799731278
+ * (4,-1) 0.0000373705554501
+ * (4, 0) 0.0000562502910635
+ * (4, 1) 0.0000373705554501
+ * (4, 2) 0.0000107799731278
+ * (4, 3) 0.0000013468006560
+ * (4, 4) 0.0000000722762205
+ * (4, 5) 0.0000000016517591
+ * (4, 6) 0.0000000000159504
+ *
+ * (5,-6) 0.0000000000002368
+ * (5,-5) 0.0000000000245185
+ * (5,-4) 0.0000000010728573
+ * (5,-3) 0.0000000199917059
+ * (5,-2) 0.0000001600162962
+ * (5,-1) 0.0000005547228921
+ * (5, 0) 0.0000008349708417
+ * (5, 1) 0.0000005547228921
+ * (5, 2) 0.0000001600162962
+ * (5, 3) 0.0000000199917059
+ * (5, 4) 0.0000000010728573
+ * (5, 5) 0.0000000000245185
+ * (5, 6) 0.0000000000002368
+ *
+ * (6,-6) 0.0000000000000012
+ * (6,-5) 0.0000000000001255
+ * (6,-4) 0.0000000000054920
+ * (6,-3) 0.0000000001023385
+ * (6,-2) 0.0000000008191307
+ * (6,-1) 0.0000000028396517
+ * (6, 0) 0.0000000042742538
+ * (6, 1) 0.0000000028396517
+ * (6, 2) 0.0000000008191307
+ * (6, 3) 0.0000000001023385
+ * (6, 4) 0.0000000000054920
+ * (6, 5) 0.0000000000001255
+ * (6, 6) 0.0000000000000012
+ *
+ * p_sum 1.0000000000000011
+ *
+ * entropy = 3.3640 bits/tuple (1722 bits)
+ */
+
+#include "bliss_huffman_code.h"
+
+static bliss_huffman_code_node_t nodes[] = {
+ { 1, 160, -1 }, /* 0: */
+ { 2, 5, -1 }, /* 1: */
+ { 3, 4, -1 }, /* 2: */
+ { -1, -1, 7 }, /* 3: (0, 1) 3 bits */
+ { -1, -1, 5 }, /* 4: (0,-1) 3 bits */
+ { 6, 157, -1 }, /* 5: */
+ { 7, 156, -1 }, /* 6: */
+ { 8, 11, -1 }, /* 7: */
+ { 9, 10, -1 }, /* 8: */
+ { -1, -1, 17 }, /* 9: (1,-2) 6 bits */
+ { -1, -1, 32 }, /* 10: (2, 0) 6 bits */
+ { 12, 155, -1 }, /* 11: */
+ { 13, 18, -1 }, /* 12: */
+ { 14, 15, -1 }, /* 13: */
+ { -1, -1, 3 }, /* 14: (0,-3) 8 bits */
+ { 16, 17, -1 }, /* 15: */
+ { -1, -1, 22 }, /* 16: (1, 3) 9 bits */
+ { -1, -1, 16 }, /* 17: (1,-3) 9 bits */
+ { 19, 154, -1 }, /* 18: */
+ { 20, 23, -1 }, /* 19: */
+ { 21, 22, -1 }, /* 20: */
+ { -1, -1, 46 }, /* 21: (3, 1) 10 bits */
+ { -1, -1, 44 }, /* 22: (3,-1) 10 bits */
+ { 24, 151, -1 }, /* 23: */
+ { 25, 88, -1 }, /* 24: */
+ { 26, 57, -1 }, /* 25: */
+ { 27, 42, -1 }, /* 26: */
+ { 28, 35, -1 }, /* 27: */
+ { 29, 32, -1 }, /* 28: */
+ { 30, 31, -1 }, /* 29: */
+ { -1, -1, 2 }, /* 30: (0,-4) 16 bits */
+ { -1, -1, 23 }, /* 31: (1, 4) 16 bits */
+ { 33, 34, -1 }, /* 32: */
+ { -1, -1, 15 }, /* 33: (1,-4) 16 bits */
+ { -1, -1, 58 }, /* 34: (4, 0) 16 bits */
+ { 36, 39, -1 }, /* 35: */
+ { 37, 38, -1 }, /* 36: */
+ { -1, -1, 48 }, /* 37: (3, 3) 16 bits */
+ { -1, -1, 42 }, /* 38: (3,-3) 16 bits */
+ { 40, 41, -1 }, /* 39: */
+ { -1, -1, 59 }, /* 40: (4, 1) 16 bits */
+ { -1, -1, 57 }, /* 41: (4,-1) 16 bits */
+ { 43, 50, -1 }, /* 42: */
+ { 44, 47, -1 }, /* 43: */
+ { 45, 46, -1 }, /* 44: */
+ { -1, -1, 36 }, /* 45: (2, 4) 16 bits */
+ { -1, -1, 28 }, /* 46: (2,-4) 16 bits */
+ { 48, 49, -1 }, /* 47: */
+ { -1, -1, 60 }, /* 48: (4, 2) 16 bits */
+ { -1, -1, 56 }, /* 49: (4,-2) 16 bits */
+ { 51, 54, -1 }, /* 50: */
+ { 52, 53, -1 }, /* 51: */
+ { -1, -1, 11 }, /* 52: (0, 5) 16 bits */
+ { -1, -1, 1 }, /* 53: (0,-5) 16 bits */
+ { 55, 56, -1 }, /* 54: */
+ { -1, -1, 24 }, /* 55: (1, 5) 16 bits */
+ { -1, -1, 14 }, /* 56: (1,-5) 16 bits */
+ { 58, 73, -1 }, /* 57: */
+ { 59, 66, -1 }, /* 58: */
+ { 60, 63, -1 }, /* 59: */
+ { 61, 62, -1 }, /* 60: */
+ { -1, -1, 49 }, /* 61: (3, 4) 16 bits */
+ { -1, -1, 41 }, /* 62: (3,-4) 16 bits */
+ { 64, 65, -1 }, /* 63: */
+ { -1, -1, 61 }, /* 64: (4, 3) 16 bits */
+ { -1, -1, 55 }, /* 65: (4,-3) 16 bits */
+ { 67, 70, -1 }, /* 66: */
+ { 68, 69, -1 }, /* 67: */
+ { -1, -1, 71 }, /* 68: (5, 0) 16 bits */
+ { -1, -1, 37 }, /* 69: (2, 5) 16 bits */
+ { 71, 72, -1 }, /* 70: */
+ { -1, -1, 27 }, /* 71: (2,-5) 16 bits */
+ { -1, -1, 72 }, /* 72: (5, 1) 16 bits */
+ { 74, 81, -1 }, /* 73: */
+ { 75, 78, -1 }, /* 74: */
+ { 76, 77, -1 }, /* 75: */
+ { -1, -1, 70 }, /* 76: (5,-1) 16 bits */
+ { -1, -1, 73 }, /* 77: (5, 2) 16 bits */
+ { 79, 80, -1 }, /* 78: */
+ { -1, -1, 69 }, /* 79: (5,-2) 16 bits */
+ { -1, -1, 62 }, /* 80: (4, 4) 16 bits */
+ { 82, 85, -1 }, /* 81: */
+ { 83, 84, -1 }, /* 82: */
+ { -1, -1, 54 }, /* 83: (4,-4) 16 bits */
+ { -1, -1, 12 }, /* 84: (0, 6) 16 bits */
+ { 86, 87, -1 }, /* 85: */
+ { -1, -1, 0 }, /* 86: (0,-6) 16 bits */
+ { -1, -1, 50 }, /* 87: (3, 5) 16 bits */
+ { 89, 120, -1 }, /* 88: */
+ { 90, 105, -1 }, /* 89: */
+ { 91, 98, -1 }, /* 90: */
+ { 92, 95, -1 }, /* 91: */
+ { 93, 94, -1 }, /* 92: */
+ { -1, -1, 40 }, /* 93: (3,-5) 16 bits */
+ { -1, -1, 25 }, /* 94: (1, 6) 16 bits */
+ { 96, 97, -1 }, /* 95: */
+ { -1, -1, 13 }, /* 96: (1,-6) 16 bits */
+ { -1, -1, 74 }, /* 97: (5, 3) 16 bits */
+ { 99, 102, -1 }, /* 98: */
+ { 100, 101, -1 }, /* 99: */
+ { -1, -1, 68 }, /* 100: (5,-3) 16 bits */
+ { -1, -1, 38 }, /* 101: (2, 6) 16 bits */
+ { 103, 104, -1 }, /* 102: */
+ { -1, -1, 26 }, /* 103: (2,-6) 16 bits */
+ { -1, -1, 84 }, /* 104: (6, 0) 16 bits */
+ { 106, 113, -1 }, /* 105: */
+ { 107, 110, -1 }, /* 106: */
+ { 108, 109, -1 }, /* 107: */
+ { -1, -1, 85 }, /* 108: (6, 1) 16 bits */
+ { -1, -1, 83 }, /* 109: (6,-1) 16 bits */
+ { 111, 112, -1 }, /* 110: */
+ { -1, -1, 63 }, /* 111: (4, 5) 16 bits */
+ { -1, -1, 53 }, /* 112: (4,-5) 16 bits */
+ { 114, 117, -1 }, /* 113: */
+ { 115, 116, -1 }, /* 114: */
+ { -1, -1, 75 }, /* 115: (5, 4) 16 bits */
+ { -1, -1, 67 }, /* 116: (5,-4) 16 bits */
+ { 118, 119, -1 }, /* 117: */
+ { -1, -1, 86 }, /* 118: (6, 2) 16 bits */
+ { -1, -1, 82 }, /* 119: (6,-2) 16 bits */
+ { 121, 136, -1 }, /* 120: */
+ { 122, 129, -1 }, /* 121: */
+ { 123, 126, -1 }, /* 122: */
+ { 124, 125, -1 }, /* 123: */
+ { -1, -1, 51 }, /* 124: (3, 6) 16 bits */
+ { -1, -1, 39 }, /* 125: (3,-6) 16 bits */
+ { 127, 128, -1 }, /* 126: */
+ { -1, -1, 87 }, /* 127: (6, 3) 16 bits */
+ { -1, -1, 81 }, /* 128: (6,-3) 16 bits */
+ { 130, 133, -1 }, /* 129: */
+ { 131, 132, -1 }, /* 130: */
+ { -1, -1, 76 }, /* 131: (5, 5) 16 bits */
+ { -1, -1, 66 }, /* 132: (5,-5) 16 bits */
+ { 134, 135, -1 }, /* 133: */
+ { -1, -1, 64 }, /* 134: (4, 6) 16 bits */
+ { -1, -1, 52 }, /* 135: (4,-6) 16 bits */
+ { 137, 144, -1 }, /* 136: */
+ { 138, 141, -1 }, /* 137: */
+ { 139, 140, -1 }, /* 138: */
+ { -1, -1, 88 }, /* 139: (6, 4) 16 bits */
+ { -1, -1, 80 }, /* 140: (6,-4) 16 bits */
+ { 142, 143, -1 }, /* 141: */
+ { -1, -1, 77 }, /* 142: (5, 6) 16 bits */
+ { -1, -1, 65 }, /* 143: (5,-6) 16 bits */
+ { 145, 148, -1 }, /* 144: */
+ { 146, 147, -1 }, /* 145: */
+ { -1, -1, 89 }, /* 146: (6, 5) 16 bits */
+ { -1, -1, 79 }, /* 147: (6,-5) 16 bits */
+ { 149, 150, -1 }, /* 148: */
+ { -1, -1, 90 }, /* 149: (6, 6) 16 bits */
+ { -1, -1, 78 }, /* 150: (6,-6) 16 bits */
+ { 152, 153, -1 }, /* 151: */
+ { -1, -1, 29 }, /* 152: (2,-3) 11 bits */
+ { -1, -1, 47 }, /* 153: (3, 2) 11 bits */
+ { -1, -1, 34 }, /* 154: (2, 2) 8 bits */
+ { -1, -1, 33 }, /* 155: (2, 1) 6 bits */
+ { -1, -1, 20 }, /* 156: (1, 1) 4 bits */
+ { 158, 159, -1 }, /* 157: */
+ { -1, -1, 18 }, /* 158: (1,-1) 4 bits */
+ { -1, -1, 8 }, /* 159: (0, 2) 4 bits */
+ { 161, 162, -1 }, /* 160: */
+ { -1, -1, 6 }, /* 161: (0, 0) 2 bits */
+ { 163, 164, -1 }, /* 162: */
+ { -1, -1, 19 }, /* 163: (1, 0) 3 bits */
+ { 165, 166, -1 }, /* 164: */
+ { -1, -1, 4 }, /* 165: (0,-2) 4 bits */
+ { 167, 180, -1 }, /* 166: */
+ { 168, 169, -1 }, /* 167: */
+ { -1, -1, 31 }, /* 168: (2,-1) 6 bits */
+ { 170, 179, -1 }, /* 169: */
+ { 171, 172, -1 }, /* 170: */
+ { -1, -1, 30 }, /* 171: (2,-2) 8 bits */
+ { 173, 174, -1 }, /* 172: */
+ { -1, -1, 45 }, /* 173: (3, 0) 9 bits */
+ { 175, 178, -1 }, /* 174: */
+ { 176, 177, -1 }, /* 175: */
+ { -1, -1, 43 }, /* 176: (3,-2) 11 bits */
+ { -1, -1, 10 }, /* 177: (0, 4) 11 bits */
+ { -1, -1, 35 }, /* 178: (2, 3) 10 bits */
+ { -1, -1, 9 }, /* 179: (0, 3) 7 bits */
+ { -1, -1, 21 }, /* 180: (1, 2) 5 bits */
+};
+
+static bliss_huffman_code_tuple_t tuples[] = {
+ { 19102, 16 }, /* 0: (0,-6) 0100101010011110 */
+ { 19085, 16 }, /* 1: (0,-5) 0100101010001101 */
+ { 19072, 16 }, /* 2: (0,-4) 0100101010000000 */
+ { 72, 8 }, /* 3: (0,-3) 01001000 */
+ { 14, 4 }, /* 4: (0,-2) 1110 */
+ { 1, 3 }, /* 5: (0,-1) 001 */
+ { 2, 2 }, /* 6: (0, 0) 10 */
+ { 0, 3 }, /* 7: (0, 1) 000 */
+ { 7, 4 }, /* 8: (0, 2) 0111 */
+ { 123, 7 }, /* 9: (0, 3) 1111011 */
+ { 1965, 11 }, /* 10: (0, 4) 11110101101 */
+ { 19084, 16 }, /* 11: (0, 5) 0100101010001100 */
+ { 19101, 16 }, /* 12: (0, 6) 0100101010011101 */
+
+ { 19106, 16 }, /* 13: (1,-6) 0100101010100010 */
+ { 19087, 16 }, /* 14: (1,-5) 0100101010001111 */
+ { 19074, 16 }, /* 15: (1,-4) 0100101010000010 */
+ { 147, 9 }, /* 16: (1,-3) 010010011 */
+ { 16, 6 }, /* 17: (1,-2) 010000 */
+ { 6, 4 }, /* 18: (1,-1) 0110 */
+ { 6, 3 }, /* 19: (1, 0) 110 */
+ { 5, 4 }, /* 20: (1, 1) 0101 */
+ { 31, 5 }, /* 21: (1, 2) 11111 */
+ { 146, 9 }, /* 22: (1, 3) 010010010 */
+ { 19073, 16 }, /* 23: (1, 4) 0100101010000001 */
+ { 19086, 16 }, /* 24: (1, 5) 0100101010001110 */
+ { 19105, 16 }, /* 25: (1, 6) 0100101010100001 */
+
+ { 19110, 16 }, /* 26: (2,-6) 0100101010100110 */
+ { 19094, 16 }, /* 27: (2,-5) 0100101010010110 */
+ { 19081, 16 }, /* 28: (2,-4) 0100101010001001 */
+ { 598, 11 }, /* 29: (2,-3) 01001010110 */
+ { 244, 8 }, /* 30: (2,-2) 11110100 */
+ { 60, 6 }, /* 31: (2,-1) 111100 */
+ { 17, 6 }, /* 32: (2, 0) 010001 */
+ { 19, 6 }, /* 33: (2, 1) 010011 */
+ { 75, 8 }, /* 34: (2, 2) 01001011 */
+ { 983, 10 }, /* 35: (2, 3) 1111010111 */
+ { 19080, 16 }, /* 36: (2, 4) 0100101010001000 */
+ { 19093, 16 }, /* 37: (2, 5) 0100101010010101 */
+ { 19109, 16 }, /* 38: (2, 6) 0100101010100101 */
+
+ { 19121, 16 }, /* 39: (3,-6) 0100101010110001 */
+ { 19104, 16 }, /* 40: (3,-5) 0100101010100000 */
+ { 19089, 16 }, /* 41: (3,-4) 0100101010010001 */
+ { 19077, 16 }, /* 42: (3,-3) 0100101010000101 */
+ { 1964, 11 }, /* 43: (3,-2) 11110101100 */
+ { 297, 10 }, /* 44: (3,-1) 0100101001 */
+ { 490, 9 }, /* 45: (3, 0) 111101010 */
+ { 296, 10 }, /* 46: (3, 1) 0100101000 */
+ { 599, 11 }, /* 47: (3, 2) 01001010111 */
+ { 19076, 16 }, /* 48: (3, 3) 0100101010000100 */
+ { 19088, 16 }, /* 49: (3, 4) 0100101010010000 */
+ { 19103, 16 }, /* 50: (3, 5) 0100101010011111 */
+ { 19120, 16 }, /* 51: (3, 6) 0100101010110000 */
+
+ { 19127, 16 }, /* 52: (4,-6) 0100101010110111 */
+ { 19115, 16 }, /* 53: (4,-5) 0100101010101011 */
+ { 19100, 16 }, /* 54: (4,-4) 0100101010011100 */
+ { 19091, 16 }, /* 55: (4,-3) 0100101010010011 */
+ { 19083, 16 }, /* 56: (4,-2) 0100101010001011 */
+ { 19079, 16 }, /* 57: (4,-1) 0100101010000111 */
+ { 19075, 16 }, /* 58: (4, 0) 0100101010000011 */
+ { 19078, 16 }, /* 59: (4, 1) 0100101010000110 */
+ { 19082, 16 }, /* 60: (4, 2) 0100101010001010 */
+ { 19090, 16 }, /* 61: (4, 3) 0100101010010010 */
+ { 19099, 16 }, /* 62: (4, 4) 0100101010011011 */
+ { 19114, 16 }, /* 63: (4, 5) 0100101010101010 */
+ { 19126, 16 }, /* 64: (4, 6) 0100101010110110 */
+
+ { 19131, 16 }, /* 65: (5,-6) 0100101010111011 */
+ { 19125, 16 }, /* 66: (5,-5) 0100101010110101 */
+ { 19117, 16 }, /* 67: (5,-4) 0100101010101101 */
+ { 19108, 16 }, /* 68: (5,-3) 0100101010100100 */
+ { 19098, 16 }, /* 69: (5,-2) 0100101010011010 */
+ { 19096, 16 }, /* 70: (5,-1) 0100101010011000 */
+ { 19092, 16 }, /* 71: (5, 0) 0100101010010100 */
+ { 19095, 16 }, /* 72: (5, 1) 0100101010010111 */
+ { 19097, 16 }, /* 73: (5, 2) 0100101010011001 */
+ { 19107, 16 }, /* 74: (5, 3) 0100101010100011 */
+ { 19116, 16 }, /* 75: (5, 4) 0100101010101100 */
+ { 19124, 16 }, /* 76: (5, 5) 0100101010110100 */
+ { 19130, 16 }, /* 77: (5, 6) 0100101010111010 */
+
+ { 19135, 16 }, /* 78: (6,-6) 0100101010111111 */
+ { 19133, 16 }, /* 79: (6,-5) 0100101010111101 */
+ { 19129, 16 }, /* 80: (6,-4) 0100101010111001 */
+ { 19123, 16 }, /* 81: (6,-3) 0100101010110011 */
+ { 19119, 16 }, /* 82: (6,-2) 0100101010101111 */
+ { 19113, 16 }, /* 83: (6,-1) 0100101010101001 */
+ { 19111, 16 }, /* 84: (6, 0) 0100101010100111 */
+ { 19112, 16 }, /* 85: (6, 1) 0100101010101000 */
+ { 19118, 16 }, /* 86: (6, 2) 0100101010101110 */
+ { 19122, 16 }, /* 87: (6, 3) 0100101010110010 */
+ { 19128, 16 }, /* 88: (6, 4) 0100101010111000 */
+ { 19132, 16 }, /* 89: (6, 5) 0100101010111100 */
+ { 19134, 16 }, /* 90: (6, 6) 0100101010111110 */
+};
+
+/* code_length = 3.3967 bits/tuple (1740 bits) */
+
+bliss_huffman_code_t bliss_huffman_code_4 = {
+ .n_z1 = 7,
+ .n_z2 = 7,
+ .tuples = tuples,
+ .nodes = nodes
+};
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c
new file mode 100644
index 000000000..018ae0efa
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.c
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY;https://www.hsr.ch/HSR-intern-Anmeldung.4409.0.html?&no_cache=1 without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_huffman_coder.h"
+
+typedef struct private_bliss_huffman_coder_t private_bliss_huffman_coder_t;
+
+/**
+ * Private data structure for bliss_huffman_coder_t object
+ */
+struct private_bliss_huffman_coder_t {
+ /**
+ * Public interface.
+ */
+ bliss_huffman_coder_t public;
+
+ /**
+ * Bitpacker to write to or read from
+ */
+ bliss_bitpacker_t *packer;
+
+ /**
+ * Huffman code table to be used
+ */
+ bliss_huffman_code_t *code;
+
+ /**
+ * Maximum index into tuples table
+ */
+ int index_max;
+
+ /**
+ * Number of encoded or decoded bits
+ */
+ size_t bits;
+
+};
+
+METHOD(bliss_huffman_coder_t, get_bits, size_t,
+ private_bliss_huffman_coder_t *this)
+{
+ return this->bits;
+}
+
+METHOD(bliss_huffman_coder_t, encode, bool,
+ private_bliss_huffman_coder_t *this, int32_t z1, int16_t z2)
+{
+ uint32_t code;
+ uint16_t bits;
+ int index;
+
+ index = z1 * (2*this->code->n_z2 - 1) + z2 + this->code->n_z2 - 1;
+ if (index >= this->index_max)
+ {
+ DBG1(DBG_LIB, "index exceeded in Huffman encoding table");
+ return FALSE;
+ }
+ code = this->code->tuples[index].code;
+ bits = this->code->tuples[index].bits;
+ if (!this->packer->write_bits(this->packer, code, bits))
+ {
+ DBG1(DBG_LIB, "bitpacker exceeded its buffer");
+ return FALSE;
+ }
+ this->bits += bits;
+
+ return TRUE;
+}
+
+METHOD(bliss_huffman_coder_t, decode, bool,
+ private_bliss_huffman_coder_t *this, int32_t *z1, int16_t *z2)
+{
+ bliss_huffman_code_node_t *node;
+ uint32_t bit;
+
+ node = this->code->nodes;
+ while (node->tuple == BLISS_HUFFMAN_CODE_NO_TUPLE)
+ {
+ if (node->node_0 == BLISS_HUFFMAN_CODE_NO_NODE ||
+ node->node_1 == BLISS_HUFFMAN_CODE_NO_NODE)
+ {
+ DBG1(DBG_LIB, "error in Huffman decoding table");
+ return FALSE;
+ }
+ if (!this->packer->read_bits(this->packer, &bit, 1))
+ {
+ DBG1(DBG_LIB, "bitpacker depleted its buffer");
+ return FALSE;
+ }
+ node = &this->code->nodes[bit ? node->node_1 : node->node_0];
+ this->bits++;
+ }
+ *z1 = node->tuple / (2*this->code->n_z2 - 1);
+ *z2 = node->tuple - (2*this->code->n_z2 - 1) * (*z1) - this->code->n_z2 + 1;
+
+ return TRUE;
+}
+
+METHOD(bliss_huffman_coder_t, destroy, void,
+ private_bliss_huffman_coder_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_huffman_coder_t *bliss_huffman_coder_create(bliss_huffman_code_t *code,
+ bliss_bitpacker_t *packer)
+{
+ private_bliss_huffman_coder_t *this;
+
+ INIT(this,
+ .public = {
+ .get_bits = _get_bits,
+ .encode = _encode,
+ .decode = _decode,
+ .destroy = _destroy,
+ },
+ .packer = packer,
+ .code = code,
+ .index_max = (2*code->n_z2 - 1) * code->n_z1,
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h
new file mode 100644
index 000000000..59abc49c6
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_huffman_coder.h
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_huffman_coder bliss_huffman_coder
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_HUFFMAN_CODER_H_
+#define BLISS_HUFFMAN_CODER_H_
+
+#include "bliss_huffman_code.h"
+#include "bliss_bitpacker.h"
+
+#include <library.h>
+
+typedef struct bliss_huffman_coder_t bliss_huffman_coder_t;
+
+/**
+ * Encodes and decodes binary Huffman codes
+ */
+struct bliss_huffman_coder_t {
+
+ /**
+ * Get number of encoded or decoded bits
+ *
+ * @result Number of bits
+ */
+ size_t (*get_bits)(bliss_huffman_coder_t *this);
+
+ /**
+ * Encode a (z1, z2) tuple using a Huffman code
+ *
+ * @param z1 z1 value to be encoded
+ * @param z2 z2 value to be encoded
+ * @result TRUE if value could be encoded
+ */
+ bool (*encode)(bliss_huffman_coder_t *this, int32_t z1, int16_t z2);
+
+
+ /**
+ * Decode a (z1, z2) tuple using a Huffman code
+ *
+ * @param z1 Decoded z1 value returned
+ * @param z2 Decoded z2 value returned
+ * @result TRUE if value could be decoded from bitpacker
+ */
+ bool (*decode)(bliss_huffman_coder_t *this, int32_t *z1, int16_t *z2);
+
+ /**
+ * Destroy bliss_huffman_coder_t object
+ */
+ void (*destroy)(bliss_huffman_coder_t *this);
+};
+
+/**
+ * Create a bliss_huffman_coder_t object
+ *
+ * @param code Huffman code table
+ * @param packer Bitpacker to write to or read from
+ */
+bliss_huffman_coder_t* bliss_huffman_coder_create(bliss_huffman_code_t *code,
+ bliss_bitpacker_t *packer);
+
+#endif /** BLISS_HUFFMAN_CODER_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.c b/src/libstrongswan/plugins/bliss/bliss_param_set.c
new file mode 100644
index 000000000..3781a588f
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_param_set.c
@@ -0,0 +1,339 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_param_set.h"
+
+#include <asn1/oid.h>
+
+ENUM(bliss_param_set_id_names, BLISS_I, BLISS_B_IV,
+ "BLISS-I",
+ "BLISS-II",
+ "BLISS-III",
+ "BLISS-IV",
+ "BLISS-B-I",
+ "BLISS-B-II",
+ "BLISS-B-III",
+ "BLISS-B-IV"
+);
+
+/**
+ * sigma = 215, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 254
+ *
+ * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 93'076.9
+ */
+static uint8_t c_bliss_i[] = {
+ 255, 255, 75, 191, 247, 94, 30, 51, 147, 246, 89, 59, 99, 248, 26, 128,
+ 255, 254, 151, 128, 109, 166, 88, 143, 30, 175, 149, 20, 240, 81, 138, 111,
+ 255, 253, 47, 2, 214, 243, 188, 76, 236, 235, 40, 62, 54, 35, 33, 205,
+ 255, 250, 94, 13, 156, 120, 121, 216, 255, 120, 90, 11, 39, 232, 120, 111,
+ 255, 244, 188, 58, 242, 219, 157, 174, 6, 31, 131, 75, 88, 109, 112, 107,
+ 255, 233, 120, 244, 202, 151, 25, 10, 197, 109, 113, 255, 157, 89, 182, 141,
+ 255, 210, 243, 229, 18, 88, 50, 239, 130, 192, 12, 167, 62, 254, 211, 202,
+ 255, 165, 239, 183, 102, 186, 123, 249, 251, 59, 116, 143, 50, 174, 125, 198,
+ 255, 75, 255, 30, 65, 137, 228, 148, 14, 17, 113, 251, 81, 177, 151, 168,
+ 254, 152, 124, 205, 192, 136, 102, 79, 5, 62, 214, 95, 36, 223, 7, 20,
+ 253, 50, 242, 124, 187, 59, 68, 224, 90, 156, 53, 202, 9, 44, 191, 226,
+ 250, 109, 189, 110, 40, 124, 88, 12, 83, 78, 176, 86, 12, 102, 13, 41,
+ 244, 250, 133, 6, 3, 13, 45, 9, 120, 121, 150, 237, 69, 190, 62, 16,
+ 234, 110, 130, 187, 138, 174, 82, 229, 217, 154, 88, 138, 228, 153, 230, 13,
+ 214, 174, 54, 179, 117, 116, 223, 152, 97, 84, 31, 99, 68, 150, 122, 244,
+ 180, 7, 186, 2, 112, 3, 68, 13, 123, 133, 244, 184, 232, 216, 133, 18,
+ 126, 154, 221, 207, 32, 206, 66, 171, 94, 100, 164, 194, 117, 191, 1, 209,
+ 62, 156, 208, 7, 129, 173, 200, 3, 23, 248, 140, 60, 69, 217, 195, 235,
+ 15, 80, 84, 209, 213, 2, 107, 160, 1, 152, 43, 130, 93, 95, 241, 218,
+ 0, 234, 131, 37, 182, 53, 201, 231, 26, 2, 151, 161, 13, 214, 150, 145,
+ 0, 0, 214, 212, 4, 32, 184, 94, 84, 90, 244, 139, 48, 69, 33, 38
+};
+
+/**
+ * sigma = 250, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 295
+ *
+ * c[i] = exp(-2^i/f), i = 0..20, with f = k_sigma^2 / ln 2 = 125'550.5
+ */
+static uint8_t c_bliss_iii[] = {
+ 255, 255, 122, 95, 16, 128, 14, 195, 60, 90, 166, 191, 205, 26, 144, 204,
+ 255, 254, 244, 190, 102, 192, 187, 141, 169, 92, 33, 30, 170, 141, 184, 56,
+ 255, 253, 233, 125, 228, 131, 93, 148, 121, 92, 52, 122, 149, 96, 29, 66,
+ 255, 251, 211, 0, 37, 9, 199, 244, 213, 217, 122, 205, 171, 200, 198, 5,
+ 255, 247, 166, 17, 185, 251, 90, 150, 1, 28, 7, 205, 125, 46, 84, 201,
+ 255, 239, 76, 105, 50, 114, 159, 235, 215, 165, 204, 182, 125, 143, 228, 222,
+ 255, 222, 153, 233, 85, 187, 45, 204, 236, 229, 38, 180, 20, 161, 7, 167,
+ 255, 189, 56, 46, 38, 4, 83, 8, 151, 137, 136, 1, 9, 180, 58, 204,
+ 255, 122, 129, 199, 240, 52, 248, 193, 76, 26, 160, 32, 195, 250, 217, 25,
+ 254, 245, 73, 44, 68, 229, 150, 74, 228, 74, 124, 249, 123, 94, 108, 127,
+ 253, 235, 168, 56, 252, 93, 188, 160, 249, 137, 236, 65, 62, 182, 153, 63,
+ 251, 219, 163, 110, 233, 251, 114, 216, 230, 35, 59, 210, 107, 100, 184, 16,
+ 247, 200, 110, 236, 134, 237, 213, 111, 240, 149, 109, 22, 216, 213, 237, 145,
+ 239, 212, 98, 249, 238, 1, 227, 248, 242, 51, 211, 134, 154, 115, 189, 83,
+ 224, 174, 65, 2, 190, 158, 9, 6, 184, 13, 130, 104, 247, 102, 38, 160,
+ 197, 49, 104, 97, 61, 210, 19, 115, 208, 54, 91, 27, 209, 227, 33, 26,
+ 151, 229, 20, 46, 200, 238, 35, 134, 72, 183, 253, 160, 193, 155, 117, 103,
+ 90, 32, 10, 204, 78, 83, 191, 230, 0, 221, 219, 6, 43, 252, 185, 95,
+ 31, 186, 139, 154, 90, 155, 17, 9, 42, 139, 40, 111, 246, 175, 4, 15,
+ 3, 238, 181, 190, 138, 94, 50, 234, 128, 193, 95, 36, 65, 236, 170, 208,
+ 0, 15, 118, 216, 230, 142, 121, 211, 13, 168, 207, 126, 145, 176, 24, 201
+};
+
+/**
+ * sigma = 271, k_sigma = ceiling[ sqrt(2*ln 2) * sigma ] = 320
+ *
+ * c[i] = exp(-2^i/f), i = 0..21, with f = k_sigma^2 / ln 2 = 147'732.0
+ */
+static uint8_t c_bliss_iv[] = {
+ 255, 255, 142, 111, 102, 2, 141, 87, 150, 42, 18, 70, 6, 224, 18, 70,
+ 255, 255, 28, 222, 254, 102, 20, 78, 133, 78, 189, 107, 29, 7, 23, 193,
+ 255, 254, 57, 190, 198, 79, 181, 181, 108, 75, 142, 145, 45, 238, 193, 29,
+ 255, 252, 115, 128, 178, 170, 212, 166, 120, 157, 85, 96, 209, 180, 211, 83,
+ 255, 248, 231, 13, 253, 108, 245, 46, 238, 155, 30, 99, 141, 228, 149, 239,
+ 255, 241, 206, 78, 90, 132, 83, 172, 228, 179, 119, 115, 240, 51, 216, 6,
+ 255, 227, 157, 102, 46, 28, 61, 128, 58, 114, 174, 136, 8, 224, 133, 84,
+ 255, 199, 61, 242, 19, 216, 133, 241, 240, 22, 146, 43, 92, 57, 82, 248,
+ 255, 142, 136, 121, 160, 225, 119, 214, 241, 44, 159, 34, 133, 118, 96, 60,
+ 255, 29, 67, 61, 254, 49, 27, 152, 48, 124, 184, 87, 66, 214, 63, 133,
+ 254, 59, 79, 77, 206, 26, 238, 42, 69, 81, 191, 149, 146, 76, 255, 232,
+ 252, 121, 191, 28, 11, 107, 141, 223, 234, 42, 226, 50, 138, 102, 16, 97,
+ 248, 255, 234, 37, 109, 169, 103, 25, 240, 109, 93, 165, 177, 22, 133, 100,
+ 242, 48, 213, 124, 209, 49, 33, 48, 57, 237, 202, 62, 102, 132, 219, 48,
+ 229, 32, 92, 240, 188, 88, 70, 34, 179, 94, 244, 70, 25, 123, 76, 140,
+ 205, 18, 234, 94, 14, 226, 237, 76, 192, 18, 240, 50, 79, 63, 34, 96,
+ 164, 71, 76, 192, 111, 161, 157, 188, 19, 189, 133, 246, 67, 127, 6, 28,
+ 105, 107, 110, 50, 56, 199, 208, 174, 16, 95, 153, 106, 217, 198, 194, 179,
+ 43, 105, 77, 122, 127, 254, 146, 221, 44, 235, 61, 22, 179, 9, 113, 118,
+ 7, 92, 139, 87, 204, 239, 111, 200, 41, 129, 122, 49, 69, 113, 122, 239,
+ 0, 54, 49, 19, 64, 40, 218, 222, 60, 82, 186, 246, 64, 155, 184, 47,
+ 0, 0, 11, 120, 189, 135, 113, 62, 143, 175, 118, 239, 190, 120, 189, 250
+};
+
+/**
+ * BLISS signature parameter set definitions
+ */
+static bliss_param_set_t bliss_param_sets[] = {
+
+ /* BLISS-I scheme */
+ {
+ .id = BLISS_I,
+ .oid = OID_BLISS_I,
+ .strength = 128,
+ .q = 12289,
+ .q_bits = 14,
+ .q2_inv = 6145,
+ .n = 512,
+ .n_bits = 9,
+ .fft_params = &bliss_fft_12289_512,
+ .non_zero1 = 154,
+ .non_zero2 = 0,
+ .kappa = 23,
+ .nks_max = 46479,
+ .p_max = 0, /* not needed */
+ .sigma = 215,
+ .k_sigma = 254,
+ .k_sigma_bits = 8,
+ .c = c_bliss_i,
+ .c_cols = 16,
+ .c_rows = 21,
+ .z1_bits = 12,
+ .d = 10,
+ .p = 24,
+ .M = 46539, /* with alpha = 1.000 */
+ .B_inf = 2047, /* reduced from 2100 due to 12 bit z1 encoding */
+ .B_l2 = 12872 * 12872
+ },
+
+ /* BLISS-III scheme */
+ {
+ .id = BLISS_III,
+ .oid = OID_BLISS_III,
+ .strength = 160,
+ .q = 12289,
+ .q_bits = 14,
+ .q2_inv = 6145,
+ .n = 512,
+ .n_bits = 9,
+ .fft_params = &bliss_fft_12289_512,
+ .non_zero1 = 216,
+ .non_zero2 = 16,
+ .kappa = 30,
+ .nks_max = 128626,
+ .p_max = 0, /* not needed */
+ .sigma = 250,
+ .k_sigma = 295,
+ .k_sigma_bits = 9,
+ .c = c_bliss_iii,
+ .c_cols = 16,
+ .c_rows = 21,
+ .z1_bits = 12,
+ .d = 9,
+ .p = 48,
+ .M = 128113, /* with alpha = 0.700 */
+ .B_inf = 1760,
+ .B_l2 = 10206 * 10206
+ },
+
+ /* BLISS-IV scheme */
+ {
+ .id = BLISS_IV,
+ .oid = OID_BLISS_IV,
+ .strength = 192,
+ .q = 12289,
+ .q_bits = 14,
+ .q2_inv = 6145,
+ .n = 512,
+ .n_bits = 9,
+ .fft_params = &bliss_fft_12289_512,
+ .non_zero1 = 231,
+ .non_zero2 = 31,
+ .kappa = 39,
+ .nks_max = 244669,
+ .p_max = 0, /* not needed */
+ .sigma = 271,
+ .k_sigma = 320,
+ .k_sigma_bits = 9,
+ .c = c_bliss_iv,
+ .c_cols = 16,
+ .c_rows = 22,
+ .z1_bits = 12,
+ .d = 8,
+ .p = 96,
+ .M = 244186, /* with alpha = 0.550 */
+ .B_inf = 1613,
+ .B_l2 = 9901 * 9901
+ },
+
+ /* BLISS-B-I scheme */
+ {
+ .id = BLISS_B_I,
+ .oid = OID_BLISS_B_I,
+ .strength = 128,
+ .q = 12289,
+ .q_bits = 14,
+ .q2_inv = 6145,
+ .n = 512,
+ .n_bits = 9,
+ .fft_params = &bliss_fft_12289_512,
+ .non_zero1 = 154,
+ .non_zero2 = 0,
+ .kappa = 23,
+ .nks_max = 0, /* not needed */
+ .p_max = 17825,
+ .sigma = 215,
+ .k_sigma = 254,
+ .k_sigma_bits = 8,
+ .c = c_bliss_i,
+ .c_cols = 16,
+ .c_rows = 21,
+ .z1_bits = 12,
+ .d = 10,
+ .p = 24,
+ .M = 17954, /* with alpha = 1.610 */
+ .B_inf = 2047, /* reduced from 2100 due to 12 bit z1 encoding */
+ .B_l2 = 12872 * 12872
+ },
+
+ /* BLISS-B-III scheme */
+ {
+ .id = BLISS_B_III,
+ .oid = OID_BLISS_B_III,
+ .strength = 160,
+ .q = 12289,
+ .q_bits = 14,
+ .q2_inv = 6145,
+ .n = 512,
+ .n_bits = 9,
+ .fft_params = &bliss_fft_12289_512,
+ .non_zero1 = 216,
+ .non_zero2 = 16,
+ .kappa = 30,
+ .nks_max = 0, /* not needed */
+ .p_max = 42270,
+ .sigma = 250,
+ .k_sigma = 295,
+ .k_sigma_bits = 9,
+ .c = c_bliss_iii,
+ .c_cols = 16,
+ .c_rows = 21,
+ .z1_bits = 12,
+ .d = 9,
+ .p = 48,
+ .M = 42455, /* with alpha = 1.216 */
+ .B_inf = 1760,
+ .B_l2 = 10206 * 10206
+ },
+
+ /* BLISS-B-IV scheme */
+ {
+ .id = BLISS_B_IV,
+ .oid = OID_BLISS_B_IV,
+ .strength = 192,
+ .q = 12289,
+ .q_bits = 14,
+ .q2_inv = 6145,
+ .n = 512,
+ .n_bits = 9,
+ .fft_params = &bliss_fft_12289_512,
+ .non_zero1 = 231,
+ .non_zero2 = 31,
+ .kappa = 39,
+ .nks_max = 0, /* not needed */
+ .p_max = 69576,
+ .sigma = 271,
+ .k_sigma = 320,
+ .k_sigma_bits = 9,
+ .c = c_bliss_iv,
+ .c_cols = 16,
+ .c_rows = 22,
+ .z1_bits = 12,
+ .d = 8,
+ .p = 96,
+ .M = 70034, /* with alpha = 1.027 */
+ .B_inf = 1613,
+ .B_l2 = 9901 * 9901
+ }
+
+};
+
+/**
+ * See header.
+ */
+bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id)
+{
+ int i;
+
+ for (i = 0; i < countof(bliss_param_sets); i++)
+ {
+ if (bliss_param_sets[i].id == id)
+ {
+ return &bliss_param_sets[i];
+ }
+ }
+ return NULL;
+}
+
+
+/**
+ * See header.
+ */
+bliss_param_set_t* bliss_param_set_get_by_oid(int oid)
+{
+ int i;
+
+ for (i = 0; i < countof(bliss_param_sets); i++)
+ {
+ if (bliss_param_sets[i].oid == oid)
+ {
+ return &bliss_param_sets[i];
+ }
+ }
+ return NULL;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_param_set.h b/src/libstrongswan/plugins/bliss/bliss_param_set.h
new file mode 100644
index 000000000..33a8009ff
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_param_set.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_param_set bliss_param_set
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PARAM_SET_H_
+#define BLISS_PARAM_SET_H_
+
+typedef enum bliss_param_set_id_t bliss_param_set_id_t;
+typedef struct bliss_param_set_t bliss_param_set_t;
+
+#include "bliss_fft_params.h"
+#include "bliss_huffman_code.h"
+
+#include <library.h>
+
+/**
+ * BLISS signature parameter set ID list
+ */
+enum bliss_param_set_id_t {
+ BLISS_I = 1,
+ BLISS_II = 2,
+ BLISS_III = 3,
+ BLISS_IV = 4,
+ BLISS_B_I = 5,
+ BLISS_B_II = 6,
+ BLISS_B_III = 7,
+ BLISS_B_IV = 8
+};
+
+extern enum_name_t *bliss_param_set_id_names;
+
+/**
+ * BLISS
+ */
+struct bliss_param_set_t {
+
+ /**
+ * BLISS parameter set ID
+ */
+ bliss_param_set_id_t id;
+
+ /**
+ * BLISS parameter set OID
+ */
+ int oid;
+
+ /**
+ * Security strength in bits
+ */
+ uint16_t strength;
+
+ /**
+ * Prime modulus
+ */
+ uint16_t q;
+
+ /**
+ * Number of bits in q
+ */
+ uint16_t q_bits;
+
+ /**
+ * Inverse of (q + 2) mod 2q
+ */
+ uint16_t q2_inv;
+
+ /**
+ * Ring dimension equal to the number of polynomial coefficients
+ */
+ uint16_t n;
+
+ /**
+ * Number of bits in n
+ */
+ uint16_t n_bits;
+
+ /**
+ * FFT parameters
+ */
+ bliss_fft_params_t *fft_params;
+
+ /**
+ * Number of [-1, +1] secret key coefficients
+ */
+ uint16_t non_zero1;
+
+ /**
+ * Number of [-2, +2] secret key coefficients
+ */
+ uint16_t non_zero2;
+
+ /**
+ * Number of secret key terms that go into Nk(S) norm
+ */
+ uint16_t kappa;
+
+ /**
+ * Maximum Nk(S) tolerable NK(S) norm (BLISS only)
+ */
+ uint32_t nks_max;
+
+ /**
+ * Maximum value Pmax for ||Sc'||^2 norm (BLISS-B only)
+ */
+ uint32_t p_max;
+
+ /**
+ * Standard deviation sigma
+ */
+ uint16_t sigma;
+
+ /**
+ * k_sigma = ceiling[ sqrt(2*ln 2) * sigma ]
+ */
+ uint16_t k_sigma;
+
+ /**
+ * Number of bits in k_sigma
+ */
+ uint16_t k_sigma_bits;
+
+ /**
+ * Coefficients for Bernoulli sampling with exponential biases
+ */
+ uint8_t *c;
+
+ /**
+ * Number of columns in Bernoulli coefficient table
+ */
+ size_t c_cols;
+
+ /**
+ * Number of rows in Bernoulli coefficient table
+ */
+ size_t c_rows;
+
+ /**
+ * Number of bits in z1
+ */
+ uint16_t z1_bits;
+
+ /**
+ * Number of z2 bits to be dropped after rounding
+ */
+ uint16_t d;
+
+ /**
+ * Modulus p = floor(2q / 2^d) applied after bit dropping
+ */
+ uint16_t p;
+
+ /**
+ * M = sigma^2 / alpha_rejection^2
+ */
+ uint32_t M;
+
+ /**
+ * B_infinity bound
+ */
+ uint16_t B_inf;
+
+ /**
+ * B_verify bound
+ */
+ uint32_t B_l2;
+
+};
+
+/**
+ * Get BLISS signature parameter set by BLISS parameter set ID
+ *
+ * @param id BLISS parameter set ID
+ * @return BLISS parameter set
+*/
+bliss_param_set_t* bliss_param_set_get_by_id(bliss_param_set_id_t id);
+
+/**
+ * Get BLISS signature parameter set by BLISS parameter set OID
+ *
+ * @param oid BLISS parameter set OID
+ * @return BLISS parameter set
+*/
+bliss_param_set_t* bliss_param_set_get_by_oid(int oid);
+
+#endif /** BLISS_PARAM_SET_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.c b/src/libstrongswan/plugins/bliss/bliss_plugin.c
new file mode 100644
index 000000000..07597c318
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_plugin.h"
+#include "bliss_private_key.h"
+#include "bliss_public_key.h"
+
+#include <library.h>
+
+typedef struct private_bliss_plugin_t private_bliss_plugin_t;
+
+/**
+ * private data of bliss_plugin
+ */
+struct private_bliss_plugin_t {
+
+ /**
+ * public functions
+ */
+ bliss_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_bliss_plugin_t *this)
+{
+ return "bliss";
+}
+
+METHOD(plugin_t, get_features, int,
+ private_bliss_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ /* private/public keys */
+ PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS),
+ PLUGIN_REGISTER(PRIVKEY, bliss_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+ PLUGIN_REGISTER(PRIVKEY_GEN, bliss_private_key_gen, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_BLISS),
+ PLUGIN_DEPENDS(RNG, RNG_TRUE),
+ PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
+ PLUGIN_REGISTER(PUBKEY, bliss_public_key_load, TRUE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
+ /* signature schemes, private */
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA256),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA384),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+ PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_BLISS_WITH_SHA512),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+ /* signature verification schemes */
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA256),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA256),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA384),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA384),
+ PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_BLISS_WITH_SHA512),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+ };
+ *features = f;
+
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_bliss_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *bliss_plugin_create()
+{
+ private_bliss_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_plugin.h b/src/libstrongswan/plugins/bliss/bliss_plugin.h
new file mode 100644
index 000000000..d3d80ac5d
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_p bliss
+ * @ingroup plugins
+ *
+ * @defgroup bliss_plugin bliss_plugin
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PLUGIN_H_
+#define BLISS_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct bliss_plugin_t bliss_plugin_t;
+
+/**
+ * Plugin implementing the BLISS post-quantu authentication algorithm
+ */
+struct bliss_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** BLISS_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.c b/src/libstrongswan/plugins/bliss/bliss_private_key.c
new file mode 100644
index 000000000..e1064d2f2
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.c
@@ -0,0 +1,1316 @@
+/*
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_private_key.h"
+#include "bliss_public_key.h"
+#include "bliss_param_set.h"
+#include "bliss_utils.h"
+#include "bliss_sampler.h"
+#include "bliss_signature.h"
+#include "bliss_bitpacker.h"
+#include "bliss_fft.h"
+
+#include <crypto/mgf1/mgf1_bitspender.h>
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+
+typedef struct private_bliss_private_key_t private_bliss_private_key_t;
+
+#define SECRET_KEY_TRIALS_MAX 50
+
+/**
+ * Private data of a bliss_private_key_t object.
+ */
+struct private_bliss_private_key_t {
+ /**
+ * Public interface for this signer.
+ */
+ bliss_private_key_t public;
+
+ /**
+ * BLISS signature parameter set
+ */
+ bliss_param_set_t *set;
+
+ /**
+ * BLISS secret key S1 (coefficients of polynomial f)
+ */
+ int8_t *s1;
+
+ /**
+ * BLISS secret key S2 (coefficients of polynomial 2g + 1)
+ */
+ int8_t *s2;
+
+ /**
+ * NTT of BLISS public key a (coefficients of polynomial (2g + 1)/f)
+ */
+ uint32_t *A;
+
+ /**
+ * reference count
+ */
+ refcount_t ref;
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+ private_bliss_private_key_t *this)
+{
+ return KEY_BLISS;
+}
+
+/**
+ * Multiply secret vector s with binary challenge vector c
+ */
+static void multiply_by_c(int8_t *s, int n, uint16_t *c_indices,
+ uint16_t kappa, int32_t *product)
+{
+ int i, j, index;
+
+ for (i = 0; i < n; i++)
+ {
+ product[i] = 0;
+
+ for (j = 0; j < kappa; j++)
+ {
+ index = c_indices[j];
+ if (i - index < 0)
+ {
+ product[i] -= s[i - index + n];
+ }
+ else
+ {
+ product[i] += s[i - index];
+ }
+ }
+ }
+}
+
+/**
+ * BLISS-B GreedySC algorithm
+ */
+static void greedy_sc(int8_t *s1, int8_t *s2, int n, uint16_t *c_indices,
+ uint16_t kappa, int32_t *v1, int32_t *v2)
+{
+ int i, j, index;
+ int32_t sign;
+
+ for (i = 0; i < n; i++)
+ {
+ v1[i] = v2[i] = 0;
+ }
+ for (j = 0; j < kappa; j++)
+ {
+ index = c_indices[j];
+ sign = 0;
+
+ for (i = 0; i < index; i++)
+ {
+ sign -= (v1[i] * s1[i - index + n] + v2[i] * s2[i - index + n]);
+ }
+ for (i = index; i < n; i++)
+ {
+ sign += (v1[i] * s1[i - index] + v2[i] * s2[i - index]);
+ }
+ for (i = 0; i < index; i++)
+ {
+ if (sign > 0)
+ {
+ v1[i] += s1[i - index + n];
+ v2[i] += s2[i - index + n];
+ }
+ else
+ {
+ v1[i] -= s1[i - index + n];
+ v2[i] -= s2[i - index + n];
+ }
+ }
+ for (i = index; i < n; i++)
+ {
+ if (sign > 0)
+ {
+ v1[i] -= s1[i - index];
+ v2[i] -= s2[i - index];
+ }
+ else
+ {
+ v1[i] += s1[i - index];
+ v2[i] += s2[i - index];
+ }
+ }
+ }
+}
+
+/**
+ * Compute a BLISS signature
+ */
+static bool sign_bliss(private_bliss_private_key_t *this, hash_algorithm_t alg,
+ chunk_t data, chunk_t *signature)
+{
+ bliss_fft_t *fft;
+ bliss_signature_t *sig;
+ bliss_sampler_t *sampler = NULL;
+ rng_t *rng;
+ hasher_t *hasher;
+ hash_algorithm_t mgf1_alg;
+ size_t mgf1_seed_len;
+ uint8_t mgf1_seed_buf[HASH_SIZE_SHA512], data_hash_buf[HASH_SIZE_SHA512];
+ chunk_t mgf1_seed, data_hash;
+ uint16_t q, q2, p, p2, *c_indices, tests = 0;
+ uint32_t *ay;
+ int32_t *y1, *y2, *z1, *z2, *u, *s1c, *s2c;
+ int32_t y1_min = 0, y1i, y1_max = 0, y2_min = 0, y2i, y2_max = 0;
+ int32_t scalar, norm, ui;
+ int16_t *ud, *uz2d, *z2d, value;
+ int i, n;
+ double mean1 = 0, mean2 = 0, sigma1 = 0, sigma2 = 0;
+ bool accepted, positive, success = FALSE, use_bliss_b;
+
+ /* Initialize signature */
+ *signature = chunk_empty;
+
+ /* Create data hash */
+ hasher = lib->crypto->create_hasher(lib->crypto, alg);
+ if (!hasher)
+ {
+ return FALSE;
+ }
+ data_hash = chunk_create(data_hash_buf, hasher->get_hash_size(hasher));
+
+ if (!hasher->get_hash(hasher, data, data_hash_buf))
+ {
+ hasher->destroy(hasher);
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+
+ /* Create SHA512 hasher for c_indices oracle */
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+ if (!hasher)
+ {
+ return FALSE;
+ }
+
+ /* Set MGF1 hash algorithm and seed length based on security strength */
+ if (this->set->strength > 160)
+ {
+ mgf1_alg = HASH_SHA256;
+ mgf1_seed_len = HASH_SIZE_SHA256;
+ }
+ else
+ {
+ mgf1_alg = HASH_SHA1;
+ mgf1_seed_len = HASH_SIZE_SHA1;
+ }
+ mgf1_seed = chunk_create(mgf1_seed_buf, mgf1_seed_len);
+
+ rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ if (!rng)
+ {
+ hasher->destroy(hasher);
+ return FALSE;
+ }
+
+ /* Initialize a couple of needed variables */
+ n = this->set->n;
+ q = this->set->q;
+ p = this->set->p;
+ q2 = 2 * q;
+ p2 = p / 2;
+ ay = malloc(n * sizeof(uint32_t));
+ z2 = malloc(n * sizeof(int32_t));
+ s1c = malloc(n * sizeof(int32_t));
+ s2c = malloc(n * sizeof(int32_t));
+ u = malloc(n * sizeof(int32_t));
+ uz2d = malloc(n * sizeof(int16_t));
+
+ sig = bliss_signature_create(this->set);
+ sig->get_parameters(sig, &z1, &z2d, &c_indices);
+ y1 = z1;
+ y2 = z2;
+ ud = z2d;
+
+ fft = bliss_fft_create(this->set->fft_params);
+
+ /* Use of the enhanced BLISS-B signature algorithm? */
+ switch (this->set->id)
+ {
+ default:
+ case BLISS_I:
+ case BLISS_II:
+ case BLISS_III:
+ case BLISS_IV:
+ use_bliss_b = FALSE;
+ break;
+ case BLISS_B_I:
+ case BLISS_B_II:
+ case BLISS_B_III:
+ case BLISS_B_IV:
+ use_bliss_b = TRUE;
+ break;
+ }
+
+ while (true)
+ {
+ tests++;
+
+ if (!rng->get_bytes(rng, mgf1_seed_len, mgf1_seed_buf))
+ {
+ goto end;
+ }
+ DESTROY_IF(sampler);
+
+ sampler = bliss_sampler_create(mgf1_alg, mgf1_seed, this->set);
+ if (!sampler)
+ {
+ goto end;
+ }
+
+ /* Gaussian sampling for vectors y1 and y2 */
+ for (i = 0; i < n; i++)
+ {
+ if (!sampler->gaussian(sampler, &y1i) ||
+ !sampler->gaussian(sampler, &y2i))
+ {
+ goto end;
+ }
+ y1[i] = y1i;
+ y2[i] = y2i;
+
+ /* Collect statistical data on rejection sampling */
+ if (i == 0)
+ {
+ y1_min = y1_max = y1i;
+ y2_min = y2_max = y2i;
+ }
+ else
+ {
+ if (y1i < y1_min)
+ {
+ y1_min = y1i;
+ }
+ else if (y1i > y1_max)
+ {
+ y1_max = y1i;
+ }
+ if (y2i < y2_min)
+ {
+ y2_min = y2i;
+ }
+ else if (y2i > y2_max)
+ {
+ y2_max = y2i;
+ }
+ }
+ mean1 += y1i;
+ mean2 += y2i;
+ sigma1 += y1i * y1i;
+ sigma2 += y2i * y2i;
+
+ ay[i] = y1i < 0 ? q + y1i : y1i;
+ }
+
+ /* Compute statistics on vectors y1 and y2 */
+ mean1 /= n;
+ mean2 /= n;
+ sigma1 /= n;
+ sigma2 /= n;
+ sigma2 -= mean1 * mean1;
+ sigma2 -= mean2 * mean2;
+ DBG2(DBG_LIB, "y1 = %d..%d (sigma2 = %5.0f, mean = %4.1f)",
+ y1_min, y1_max, sigma1, mean1);
+ DBG2(DBG_LIB, "y2 = %d..%d (sigma2 = %5.0f, mean = %4.1f)",
+ y2_min, y2_max, sigma2, mean2);
+
+ fft->transform(fft, ay, ay, FALSE);
+
+ for (i = 0; i < n; i++)
+ {
+ ay[i] = (this->A[i] * ay[i]) % q;
+ }
+ fft->transform(fft, ay, ay, TRUE);
+
+ for (i = 0; i < n; i++)
+ {
+ ui = 2 * this->set->q2_inv * (int32_t)ay[i] + y2[i];
+ u[i] = ((ui < 0) ? q2 + ui : ui) % q2;
+ }
+ bliss_utils_round_and_drop(this->set, u, ud);
+
+ /* Detailed debugging information */
+ DBG3(DBG_LIB, " i u[i] ud[i]");
+ for (i = 0; i < n; i++)
+ {
+ DBG3(DBG_LIB, "%3d %6d %4d", i, u[i], ud[i]);
+ }
+
+ if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa,
+ c_indices))
+ {
+ goto end;
+ }
+
+ if (use_bliss_b)
+ {
+ /* Compute v = (s1c, s2c) with the GreedySC algorithm */
+ greedy_sc(this->s1, this->s2, n, c_indices, this->set->kappa,
+ s1c, s2c);
+
+ /* Compute norm = ||v||^2 = ||Sc'||^2 */
+ norm = bliss_utils_scalar_product(s1c, s1c, n) +
+ bliss_utils_scalar_product(s2c, s2c, n);
+
+ /* Just in case. ||v||^2 <= P_max should always be fulfilled */
+ if (norm > this->set->p_max)
+ {
+ goto end;
+ }
+ }
+ else
+ {
+ /* Compute s*c */
+ multiply_by_c(this->s1, n, c_indices, this->set->kappa, s1c);
+ multiply_by_c(this->s2, n, c_indices, this->set->kappa, s2c);
+
+ /* Compute norm = |Sc||^2 */
+ norm = bliss_utils_scalar_product(s1c, s1c, n) +
+ bliss_utils_scalar_product(s2c, s2c, n);
+ }
+
+ if (!sampler->bernoulli_exp(sampler, this->set->M - norm, &accepted))
+ {
+ goto end;
+ }
+ if (use_bliss_b)
+ {
+ DBG2(DBG_LIB, "norm2(s1*c') + norm2(s2*c') = %u (%u max), %s",
+ norm, this->set->p_max, accepted ? "accepted" : "rejected");
+
+ }
+ else
+ {
+ DBG2(DBG_LIB, "norm2(s1*c) + norm2(s2*c) = %u, %s",
+ norm, accepted ? "accepted" : "rejected");
+ }
+ if (!accepted)
+ {
+ continue;
+ }
+
+ /* Compute z */
+ if (!sampler->sign(sampler, &positive))
+ {
+ goto end;
+ }
+ for (i = 0; i < n; i++)
+ {
+ if (positive)
+ {
+ z1[i] = y1[i] + s1c[i];
+ z2[i] = y2[i] + s2c[i];
+ }
+ else
+ {
+ z1[i] = y1[i] - s1c[i];
+ z2[i] = y2[i] - s2c[i];
+ }
+ }
+ /* Reject with probability 1/cosh(scalar/sigma^2) */
+ scalar = bliss_utils_scalar_product(z1, s1c, n) +
+ bliss_utils_scalar_product(z2, s2c, n);
+
+ if (!sampler->bernoulli_cosh(sampler, scalar, &accepted))
+ {
+ goto end;
+ }
+ DBG2(DBG_LIB, "scalar(z1,s1*c) + scalar(z2,s2*c) = %d, %s",
+ scalar, accepted ? "accepted" : "rejected");
+ if (!accepted)
+ {
+ continue;
+ }
+
+ /* Compute z2 with dropped bits */
+ for (i = 0; i < n; i++)
+ {
+ u[i] -= z2[i];
+ if (u[i] < 0)
+ {
+ u[i] += q2;
+ }
+ else if (u[i] >= q2)
+ {
+ u[i] -= q2;
+ }
+ }
+ bliss_utils_round_and_drop(this->set, u, uz2d);
+
+ for (i = 0; i < n; i++)
+ {
+ value = ud[i] - uz2d[i];
+ if (value <= -p2)
+ {
+ value += p;
+ }
+ else if (value > p2)
+ {
+ value -= p;
+ }
+ z2d[i] = value;
+ }
+
+ if (!bliss_utils_check_norms(this->set, z1, z2d))
+ {
+ continue;
+ }
+
+ *signature = sig->get_encoding(sig);
+ if (signature->len == 0)
+ {
+ DBG1(DBG_LIB, "inefficient Huffman coding of signature");
+ continue;
+ }
+ DBG2(DBG_LIB, "signature generation needed %u round%s", tests,
+ (tests == 1) ? "" : "s");
+ break;
+ }
+ success = TRUE;
+
+end:
+ /* cleanup */
+ DESTROY_IF(sampler);
+ hasher->destroy(hasher);
+ sig->destroy(sig);
+ fft->destroy(fft);
+ rng->destroy(rng);
+ memwipe(s1c, n * sizeof(int32_t));
+ memwipe(s2c, n * sizeof(int32_t));
+ free(s1c);
+ free(s2c);
+ free(ay);
+ free(z2);
+ free(u);
+ free(uz2d);
+
+ return success;
+}
+
+METHOD(private_key_t, sign, bool,
+ private_bliss_private_key_t *this, signature_scheme_t scheme,
+ chunk_t data, chunk_t *signature)
+{
+ switch (scheme)
+ {
+ case SIGN_BLISS_WITH_SHA256:
+ return sign_bliss(this, HASH_SHA256, data, signature);
+ case SIGN_BLISS_WITH_SHA384:
+ return sign_bliss(this, HASH_SHA384, data, signature);
+ case SIGN_BLISS_WITH_SHA512:
+ return sign_bliss(this, HASH_SHA512, data, signature);
+ default:
+ DBG1(DBG_LIB, "signature scheme %N not supported with BLISS",
+ signature_scheme_names, scheme);
+ return FALSE;
+ }
+}
+
+METHOD(private_key_t, decrypt, bool,
+ private_bliss_private_key_t *this, encryption_scheme_t scheme,
+ chunk_t crypto, chunk_t *plain)
+{
+ DBG1(DBG_LIB, "encryption scheme %N not supported",
+ encryption_scheme_names, scheme);
+ return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+ private_bliss_private_key_t *this)
+{
+ return this->set->strength;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+ private_bliss_private_key_t *this)
+{
+ public_key_t *public;
+ chunk_t pubkey;
+
+ pubkey = bliss_public_key_info_encode(this->set->oid, this->A, this->set);
+ public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_BLISS,
+ BUILD_BLOB_ASN1_DER, pubkey, BUILD_END);
+ free(pubkey.ptr);
+
+ return public;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+ private_bliss_private_key_t *this, cred_encoding_type_t type,
+ chunk_t *encoding)
+{
+ switch (type)
+ {
+ case PRIVKEY_ASN1_DER:
+ case PRIVKEY_PEM:
+ {
+ chunk_t s1, s2, pubkey;
+ bliss_bitpacker_t *packer;
+ size_t s_bits;
+ int8_t value;
+ bool success = TRUE;
+ int i;
+
+ pubkey = bliss_public_key_encode(this->A, this->set);
+
+ /* Use either 2 or 3 bits per array element */
+ s_bits = 2 + (this->set->non_zero2 > 0);
+
+ /* Encode secret s1 */
+ packer = bliss_bitpacker_create(s_bits * this->set->n);
+ for (i = 0; i < this->set->n; i++)
+ {
+ packer->write_bits(packer, this->s1[i], s_bits);
+ }
+ s1 = packer->extract_buf(packer);
+ packer->destroy(packer);
+
+ /* Encode secret s2 */
+ packer = bliss_bitpacker_create(s_bits * this->set->n);
+ for (i = 0; i < this->set->n; i++)
+ {
+ value = this->s2[i];
+ if (i == 0)
+ {
+ value -= 1;
+ }
+ value /= 2;
+ packer->write_bits(packer, value, s_bits);
+ }
+ s2 = packer->extract_buf(packer);
+ packer->destroy(packer);
+
+ *encoding = asn1_wrap(ASN1_SEQUENCE, "mmss",
+ asn1_build_known_oid(this->set->oid),
+ asn1_bitstring("m", pubkey),
+ asn1_bitstring("m", s1),
+ asn1_bitstring("m", s2)
+ );
+ if (type == PRIVKEY_PEM)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+ NULL, encoding, CRED_PART_BLISS_PRIV_ASN1_DER,
+ asn1_encoding, CRED_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
+ }
+ default:
+ return FALSE;
+ }
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+ private_bliss_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+ bool success;
+
+ if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+ {
+ return TRUE;
+ }
+ success = bliss_public_key_fingerprint(this->set->oid, this->A,
+ this->set, type, fp);
+ if (success)
+ {
+ lib->encoding->cache(lib->encoding, type, this, *fp);
+ }
+ return success;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+ private_bliss_private_key_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+ private_bliss_private_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ lib->encoding->clear_cache(lib->encoding, this);
+ if (this->s1)
+ {
+ memwipe(this->s1, this->set->n * sizeof(int8_t));
+ free(this->s1);
+ }
+ if (this->s2)
+ {
+ memwipe(this->s2, this->set->n * sizeof(int8_t));
+ free(this->s2);
+ }
+ free(this->A);
+ free(this);
+ }
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_bliss_private_key_t *bliss_private_key_create_empty(void)
+{
+ private_bliss_private_key_t *this;
+
+ INIT(this,
+ .public = {
+ .key = {
+ .get_type = _get_type,
+ .sign = _sign,
+ .decrypt = _decrypt,
+ .get_keysize = _get_keysize,
+ .get_public_key = _get_public_key,
+ .equals = private_key_equals,
+ .belongs_to = private_key_belongs_to,
+ .get_fingerprint = _get_fingerprint,
+ .has_fingerprint = private_key_has_fingerprint,
+ .get_encoding = _get_encoding,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ },
+ .ref = 1,
+ );
+ return this;
+}
+
+/**
+ * Compute the scalar product of a vector x with a negative wrapped vector y
+ */
+static int16_t wrapped_product(int8_t *x, int8_t *y, int n, int shift)
+{
+ int16_t product = 0;
+ int i;
+
+ for (i = 0; i < n - shift; i++)
+ {
+ product += x[i] * y[i + shift];
+ }
+ for (i = n - shift; i < n; i++)
+ {
+ product -= x[i] * y[i + shift - n];
+ }
+ return product;
+}
+
+/**
+ * Apply a negative wrapped rotation to a vector x
+ */
+static void wrap(int16_t *x, int n, int shift, int16_t *x_wrapped)
+{
+ int i;
+
+ for (i = 0; i < n - shift; i++)
+ {
+ x_wrapped[i + shift] = x[i];
+ }
+ for (i = n - shift; i < n; i++)
+ {
+ x_wrapped[i + shift - n] = -x[i];
+ }
+}
+
+/**
+ * int16_t compare function needed for qsort()
+ */
+static int compare(const int16_t *a, const int16_t *b)
+{
+ int16_t temp = *a - *b;
+
+ if (temp > 0)
+ {
+ return 1;
+ }
+ else if (temp < 0)
+ {
+ return -1;
+ }
+ else
+ {
+ return 0;
+ }
+}
+
+/**
+ * Compute the Nk(S) norm of S = (s1, s2)
+ */
+static uint32_t nks_norm(int8_t *s1, int8_t *s2, int n, uint16_t kappa)
+{
+ int16_t t[n], t_wrapped[n], max_kappa[n];
+ uint32_t nks = 0;
+ int i, j;
+
+ for (i = 0; i < n; i++)
+ {
+ t[i] = wrapped_product(s1, s1, n, i) + wrapped_product(s2, s2, n, i);
+ }
+
+ for (i = 0; i < n; i++)
+ {
+ wrap(t, n, i, t_wrapped);
+ qsort(t_wrapped, n, sizeof(int16_t), (__compar_fn_t)compare);
+ max_kappa[i] = 0;
+
+ for (j = 1; j <= kappa; j++)
+ {
+ max_kappa[i] += t_wrapped[n - j];
+ }
+ }
+ qsort(max_kappa, n, sizeof(int16_t), (__compar_fn_t)compare);
+
+ for (i = 1; i <= kappa; i++)
+ {
+ nks += max_kappa[n - i];
+ }
+ return nks;
+}
+
+/**
+ * Compute the inverse x1 of x modulo q as x^(-1) = x^(q-2) mod q
+ */
+static uint32_t invert(uint32_t x, uint16_t q)
+{
+ uint32_t x1, x2;
+ uint16_t q2;
+ int i, i_max;
+
+ q2 = q - 2;
+ x1 = (q2 & 1) ? x : 1;
+ x2 = x;
+ i_max = 15;
+
+ while ((q2 & (1 << i_max)) == 0)
+ {
+ i_max--;
+ }
+ for (i = 1; i <= i_max; i++)
+ {
+ x2 = (x2 * x2) % q;
+
+ if (q2 & (1 << i))
+ {
+ x1 = (x1 * x2) % q;
+ }
+ }
+
+ return x1;
+}
+
+/**
+ * Create a vector with sparse and small coefficients from seed
+ */
+static int8_t* create_vector_from_seed(private_bliss_private_key_t *this,
+ hash_algorithm_t alg, chunk_t seed)
+{
+ mgf1_bitspender_t *bitspender;
+ uint32_t index, sign;
+ int8_t *vector;
+ int non_zero;
+
+ bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+ if (!bitspender)
+ {
+ return NULL;
+ }
+
+ vector = malloc(sizeof(int8_t) * this->set->n);
+ memset(vector, 0x00, this->set->n);
+
+ non_zero = this->set->non_zero1;
+ while (non_zero)
+ {
+ if (!bitspender->get_bits(bitspender, this->set->n_bits, &index))
+ {
+ free(vector);
+ return NULL;
+ }
+ if (vector[index] != 0)
+ {
+ continue;
+ }
+
+ if (!bitspender->get_bits(bitspender, 1, &sign))
+ {
+ free(vector);
+ return NULL;
+ }
+ vector[index] = sign ? 1 : -1;
+ non_zero--;
+ }
+
+ non_zero = this->set->non_zero2;
+ while (non_zero)
+ {
+ if (!bitspender->get_bits(bitspender, this->set->n_bits, &index))
+ {
+ free(vector);
+ return NULL;
+ }
+ if (vector[index] != 0)
+ {
+ continue;
+ }
+
+ if (!bitspender->get_bits(bitspender, 1, &sign))
+ {
+ free(vector);
+ return NULL;
+ }
+ vector[index] = sign ? 2 : -2;
+ non_zero--;
+ }
+ bitspender->destroy(bitspender);
+
+ return vector;
+}
+
+/**
+ * Generate the secret key S = (s1, s2) fulfilling the Nk(S) norm
+ */
+static bool create_secret(private_bliss_private_key_t *this, rng_t *rng,
+ int8_t **s1, int8_t **s2, int *trials)
+{
+ uint8_t seed_buf[32];
+ uint8_t *f, *g;
+ uint32_t l2_norm, nks;
+ int i, n;
+ chunk_t seed;
+ size_t seed_len;
+ hash_algorithm_t alg;
+
+ n = this->set->n;
+ *s1 = NULL;
+ *s2 = NULL;
+
+ /* Set MGF1 hash algorithm and seed length based on security strength */
+ if (this->set->strength > 160)
+ {
+ alg = HASH_SHA256;
+ seed_len = HASH_SIZE_SHA256;
+ }
+ else
+ {
+ alg = HASH_SHA1;
+ seed_len = HASH_SIZE_SHA1;
+ }
+ seed = chunk_create(seed_buf, seed_len);
+
+ while (*trials < SECRET_KEY_TRIALS_MAX)
+ {
+ (*trials)++;
+
+ if (!rng->get_bytes(rng, seed_len, seed_buf))
+ {
+ return FALSE;
+ }
+ f = create_vector_from_seed(this, alg, seed);
+ if (f == NULL)
+ {
+ return FALSE;
+ }
+ if (!rng->get_bytes(rng, seed_len, seed_buf))
+ {
+ free(f);
+ return FALSE;
+ }
+ g = create_vector_from_seed(this, alg, seed);
+ if (g == NULL)
+ {
+ free(f);
+ return FALSE;
+ }
+
+ /* Compute 2g + 1 */
+ for (i = 0; i < n; i++)
+ {
+ g[i] *= 2;
+ }
+ g[0] += 1;
+
+ l2_norm = wrapped_product(f, f, n, 0) + wrapped_product(g, g, n, 0);
+ nks = nks_norm(f, g, n, this->set->kappa);
+
+ switch (this->set->id)
+ {
+ case BLISS_I:
+ case BLISS_II:
+ case BLISS_III:
+ case BLISS_IV:
+ DBG2(DBG_LIB, "l2 norm of s1||s2: %d, Nk(S): %u (%u max)",
+ l2_norm, nks, this->set->nks_max);
+ if (nks < this->set->nks_max)
+ {
+ *s1 = f;
+ *s2 = g;
+ return TRUE;
+ }
+ free(f);
+ free(g);
+ break;
+ case BLISS_B_I:
+ case BLISS_B_II:
+ case BLISS_B_III:
+ case BLISS_B_IV:
+ DBG2(DBG_LIB, "l2 norm of s1||s2: %d, Nk(S): %u",
+ l2_norm, nks);
+ *s1 = f;
+ *s2 = g;
+ return TRUE;
+ }
+ }
+
+ return FALSE;
+}
+
+/**
+ * See header.
+ */
+bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args)
+{
+ private_bliss_private_key_t *this;
+ u_int key_size = BLISS_B_I;
+ int i, n, trials = 0;
+ uint32_t *S1, *S2, *a;
+ uint16_t q;
+ bool success = FALSE;
+ bliss_param_set_t *set;
+ bliss_fft_t *fft;
+ rng_t *rng;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_KEY_SIZE:
+ key_size = va_arg(args, u_int);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (lib->settings->get_bool(lib->settings, "%s.plugins.bliss.use_bliss_b",
+ TRUE, lib->ns))
+ {
+ switch (key_size)
+ {
+ case BLISS_I:
+ key_size = BLISS_B_I;
+ break;
+ case BLISS_II:
+ key_size = BLISS_B_II;
+ break;
+ case BLISS_III:
+ key_size = BLISS_B_III;
+ break;
+ case BLISS_IV:
+ key_size = BLISS_B_IV;
+ break;
+ default:
+ break;
+ }
+ }
+
+ /* Only BLISS or BLISS-B types I, III, or IV are currently supported */
+ set = bliss_param_set_get_by_id(key_size);
+ if (!set)
+ {
+ DBG1(DBG_LIB, "BLISS parameter set %u not supported", key_size);
+ return NULL;
+ }
+
+ /* Some shortcuts for often used variables */
+ n = set->n;
+ q = set->q;
+
+ if (set->fft_params->n != n || set->fft_params->q != q)
+ {
+ DBG1(DBG_LIB, "FFT parameters do not match BLISS parameters");
+ return NULL;
+ }
+ this = bliss_private_key_create_empty();
+ this->set = set;
+
+ /* We derive the public key from the private key using the FFT */
+ fft = bliss_fft_create(set->fft_params);
+
+ /* Some vectors needed to derive the publi key */
+ S1 = malloc(n * sizeof(uint32_t));
+ S2 = malloc(n * sizeof(uint32_t));
+ a = malloc(n * sizeof(uint32_t));
+ this->A = malloc(n * sizeof(uint32_t));
+
+ /* Instantiate a true random generator */
+ rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+
+ /* Loop until we have an invertible polynomial s1 */
+ do
+ {
+ if (!create_secret(this, rng, &this->s1, &this->s2, &trials))
+ {
+ break;
+ }
+
+ /* Convert signed arrays to unsigned arrays before FFT */
+ for (i = 0; i < n; i++)
+ {
+ S1[i] = (this->s1[i] < 0) ? this->s1[i] + q : this->s1[i];
+ S2[i] = (this->s2[i] > 0) ? q - this->s2[i] : -this->s2[i];
+ }
+ fft->transform(fft, S1, S1, FALSE);
+ fft->transform(fft, S2, S2, FALSE);
+
+ success = TRUE;
+ for (i = 0; i < n; i++)
+ {
+ if (S1[i] == 0)
+ {
+ DBG1(DBG_LIB, "S1[%d] is zero - s1 is not invertible", i);
+ free(this->s1);
+ free(this->s2);
+ this->s1 = NULL;
+ this->s2 = NULL;
+ success = FALSE;
+ break;
+ }
+ this->A[i] = invert(S1[i], q);
+ this->A[i] = (S2[i] * this->A[i]) % q;
+ }
+ }
+ while (!success && trials < SECRET_KEY_TRIALS_MAX);
+
+ DBG1(DBG_LIB, "secret key generation %s after %d trial%s",
+ success ? "succeeded" : "failed", trials, (trials == 1) ? "" : "s");
+
+ if (success)
+ {
+ fft->transform(fft, this->A, a, TRUE);
+
+ DBG4(DBG_LIB, " i f g a F G A");
+ for (i = 0; i < n; i++)
+ {
+ DBG4(DBG_LIB, "%4d %3d %3d %5u %5u %5u %5u",
+ i, this->s1[i], this->s2[i], a[i], S1[i], S2[i], this->A[i]);
+ }
+ }
+ else
+ {
+ destroy(this);
+ }
+
+ /* Cleanup */
+ fft->destroy(fft);
+ rng->destroy(rng);
+ memwipe(S1, n * sizeof(uint32_t));
+ memwipe(S2, n * sizeof(uint32_t));
+ free(S1);
+ free(S2);
+ free(a);
+
+ return success ? &this->public : NULL;
+}
+
+/**
+ * ASN.1 definition of a BLISS private key
+ */
+static const asn1Object_t privkeyObjects[] = {
+ { 0, "BLISSPrivateKey", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "keyType", ASN1_OID, ASN1_BODY }, /* 1 */
+ { 1, "public", ASN1_BIT_STRING, ASN1_BODY }, /* 2 */
+ { 1, "secret1", ASN1_BIT_STRING, ASN1_BODY }, /* 3 */
+ { 1, "secret2", ASN1_BIT_STRING, ASN1_BODY }, /* 4 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define PRIV_KEY_TYPE 1
+#define PRIV_KEY_PUBLIC 2
+#define PRIV_KEY_SECRET1 3
+#define PRIV_KEY_SECRET2 4
+
+/**
+ * See header.
+ */
+bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args)
+{
+ private_bliss_private_key_t *this;
+ chunk_t key = chunk_empty, object;
+ bliss_bitpacker_t *packer;
+ asn1_parser_t *parser;
+ size_t s_bits = 0;
+ int8_t s, s_min = 0, s_max = 0;
+ uint32_t s_sign = 0x02, s_mask = 0xfffffffc, value;
+ bool success = FALSE;
+ int objectID, oid, i;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB_ASN1_DER:
+ key = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (key.len == 0)
+ {
+ return NULL;
+ }
+ this = bliss_private_key_create_empty();
+
+ parser = asn1_parser_create(privkeyObjects, key);
+ parser->set_flags(parser, FALSE, TRUE);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case PRIV_KEY_TYPE:
+ oid = asn1_known_oid(object);
+ if (oid == OID_UNKNOWN)
+ {
+ goto end;
+ }
+ this->set = bliss_param_set_get_by_oid(oid);
+ if (this->set == NULL)
+ {
+ goto end;
+ }
+ if (lib->settings->get_bool(lib->settings,
+ "%s.plugins.bliss.use_bliss_b",TRUE, lib->ns))
+ {
+ switch (this->set->id)
+ {
+ case BLISS_I:
+ this->set = bliss_param_set_get_by_id(BLISS_B_I);
+ break;
+ case BLISS_III:
+ this->set = bliss_param_set_get_by_id(BLISS_B_III);
+ break;
+ case BLISS_IV:
+ this->set = bliss_param_set_get_by_id(BLISS_B_IV);
+ break;
+ default:
+ break;
+ }
+ }
+ if (this->set->non_zero2)
+ {
+ s_min = -2;
+ s_max = 2;
+ s_bits = 3;
+ }
+ else
+ {
+ s_min = -1;
+ s_max = 1;
+ s_bits = 2;
+ }
+ s_sign = 1 << (s_bits - 1);
+ s_mask = ((1 << (32 - s_bits)) - 1) << s_bits;
+ break;
+ case PRIV_KEY_PUBLIC:
+ if (!bliss_public_key_from_asn1(object, this->set, &this->A))
+ {
+ goto end;
+ }
+ break;
+ case PRIV_KEY_SECRET1:
+ if (object.len != 1 + (s_bits * this->set->n + 7)/8)
+ {
+ goto end;
+ }
+ this->s1 = malloc(this->set->n);
+
+ /* Skip unused bits octet */
+ object = chunk_skip(object, 1);
+ packer = bliss_bitpacker_create_from_data(object);
+ for (i = 0; i < this->set->n; i++)
+ {
+ packer->read_bits(packer, &value, s_bits);
+ s = (value & s_sign) ? value | s_mask : value;
+ if (s < s_min || s > s_max)
+ {
+ packer->destroy(packer);
+ goto end;
+ }
+ this->s1[i] = s;
+ }
+ packer->destroy(packer);
+ break;
+ case PRIV_KEY_SECRET2:
+ if (object.len != 1 + (s_bits * this->set->n + 7)/8)
+ {
+ goto end;
+ }
+ this->s2 = malloc(this->set->n);
+
+ /* Skip unused bits octet */
+ object = chunk_skip(object, 1);
+ packer = bliss_bitpacker_create_from_data(object);
+ for (i = 0; i < this->set->n; i++)
+ {
+ packer->read_bits(packer, &value, s_bits);
+ s = (value & s_sign) ? value | s_mask : value;
+ if (s < s_min || s > s_max)
+ {
+ packer->destroy(packer);
+ goto end;
+ }
+ this->s2[i] = 2 * s;
+ if (i == 0)
+ {
+ this->s2[0] += 1;
+ }
+ }
+ packer->destroy(packer);
+ break;
+ }
+ }
+ success = parser->success(parser);
+
+end:
+ parser->destroy(parser);
+ if (!success)
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_private_key.h b/src/libstrongswan/plugins/bliss/bliss_private_key.h
new file mode 100644
index 000000000..cb4ff807a
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_private_key.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_private_key bliss_private_key
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PRIVATE_KEY_H_
+#define BLISS_PRIVATE_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+typedef struct bliss_private_key_t bliss_private_key_t;
+
+/**
+ * Private_key_t implementation of BLISS signature algorithm.
+ */
+struct bliss_private_key_t {
+
+ /**
+ * Implements private_key_t interface
+ */
+ private_key_t key;
+};
+
+/**
+ * Generate a BLISS private key.
+ *
+ * Accepts the BUILD_KEY_SIZE argument.
+ *
+ * @param type type of the key, must be KEY_BLISS
+ * @param args builder_part_t argument list
+ * @return generated key, NULL on failure
+ */
+bliss_private_key_t *bliss_private_key_gen(key_type_t type, va_list args);
+
+/**
+ * Load a BLISS private key.
+ *
+ * Accepts BUILD_BLISS_* components.
+ *
+ * @param type type of the key, must be KEY_BLISS
+ * @param args builder_part_t argument list
+ * @return loaded key, NULL on failure
+ */
+bliss_private_key_t *bliss_private_key_load(key_type_t type, va_list args);
+
+#endif /** BLISS_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.c b/src/libstrongswan/plugins/bliss/bliss_public_key.c
new file mode 100644
index 000000000..0175b0f8e
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.c
@@ -0,0 +1,515 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_public_key.h"
+#include "bliss_signature.h"
+#include "bliss_bitpacker.h"
+#include "bliss_fft.h"
+#include "bliss_utils.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+
+typedef struct private_bliss_public_key_t private_bliss_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_bliss_public_key_t {
+ /**
+ * Public interface for this signer.
+ */
+ bliss_public_key_t public;
+
+ /**
+ * BLISS signature parameter set
+ */
+ bliss_param_set_t *set;
+
+ /**
+ * NTT of BLISS public key a (coefficients of polynomial (2g + 1)/f)
+ */
+ uint32_t *A;
+
+ /**
+ * reference counter
+ */
+ refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+ private_bliss_public_key_t *this)
+{
+ return KEY_BLISS;
+}
+
+/**
+ * Verify a BLISS signature based on a SHA-512 hash
+ */
+static bool verify_bliss(private_bliss_public_key_t *this, hash_algorithm_t alg,
+ chunk_t data, chunk_t signature)
+{
+ int i, n;
+ int32_t *z1, *u;
+ int16_t *ud, *z2d;
+ uint16_t q, q2, p, *c_indices, *indices;
+ uint32_t *az;
+ uint8_t data_hash_buf[HASH_SIZE_SHA512];
+ chunk_t data_hash;
+ hasher_t *hasher;
+ bliss_fft_t *fft;
+ bliss_signature_t *sig;
+ bool success = FALSE;
+
+ /* Create data hash */
+ hasher = lib->crypto->create_hasher(lib->crypto, alg);
+ if (!hasher )
+ {
+ return FALSE;
+ }
+ data_hash = chunk_create(data_hash_buf, hasher->get_hash_size(hasher));
+
+ if (!hasher->get_hash(hasher, data, data_hash_buf))
+ {
+ hasher->destroy(hasher);
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+
+ /* Create SHA512 hasher for c_indices oracle */
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+ if (!hasher)
+ {
+ return FALSE;
+ }
+
+ sig = bliss_signature_create_from_data(this->set, signature);
+ if (!sig)
+ {
+ hasher->destroy(hasher);
+ return FALSE;
+ }
+ sig->get_parameters(sig, &z1, &z2d, &c_indices);
+
+ if (!bliss_utils_check_norms(this->set, z1, z2d))
+ {
+ hasher->destroy(hasher);
+ sig->destroy(sig);
+ return FALSE;
+ }
+
+ /* Initialize a couple of needed variables */
+ n = this->set->n;
+ q = this->set->q;
+ p = this->set->p;
+ q2 = 2 * q;
+ az = malloc(n * sizeof(uint32_t));
+ u = malloc(n * sizeof(int32_t));
+ ud = malloc(n * sizeof(int16_t));
+ indices = malloc(this->set->kappa * sizeof(uint16_t));
+
+ for (i = 0; i < n; i++)
+ {
+ az[i] = z1[i] < 0 ? q + z1[i] : z1[i];
+ }
+ fft = bliss_fft_create(this->set->fft_params);
+ fft->transform(fft, az, az, FALSE);
+
+ for (i = 0; i < n; i++)
+ {
+ az[i] = (this->A[i] * az[i]) % q;
+ }
+ fft->transform(fft, az, az, TRUE);
+
+ for (i = 0; i < n; i++)
+ {
+ u[i] = (2 * this->set->q2_inv * az[i]) % q2;
+ }
+
+ for (i = 0; i < this->set->kappa; i++)
+ {
+ u[c_indices[i]] = (u[c_indices[i]] + q * this->set->q2_inv) % q2;
+ }
+ bliss_utils_round_and_drop(this->set, u, ud);
+
+ for (i = 0; i < n; i++)
+ {
+ ud[i] += z2d[i];
+ if (ud[i] < 0)
+ {
+ ud[i] += p;
+ }
+ else if (ud[i] >= p)
+ {
+ ud[i] -= p;
+ }
+ }
+
+ /* Detailed debugging information */
+ DBG3(DBG_LIB, " i u[i] ud[i] z2d[i]");
+ for (i = 0; i < n; i++)
+ {
+ DBG3(DBG_LIB, "%3d %6d %4d %4d", i, u[i], ud[i], z2d[i]);
+ }
+
+ if (!bliss_utils_generate_c(hasher, data_hash, ud, n, this->set->kappa,
+ indices))
+ {
+ goto end;
+ }
+
+ for (i = 0; i < this->set->kappa; i++)
+ {
+ if (indices[i] != c_indices[i])
+ {
+ DBG1(DBG_LIB, "signature verification failed");
+ goto end;
+ }
+ }
+ success = TRUE;
+
+end:
+ /* cleanup */
+ hasher->destroy(hasher);
+ sig->destroy(sig);
+ fft->destroy(fft);
+ free(az);
+ free(u);
+ free(ud);
+ free(indices);
+
+ return success;
+}
+
+METHOD(public_key_t, verify, bool,
+ private_bliss_public_key_t *this, signature_scheme_t scheme,
+ chunk_t data, chunk_t signature)
+{
+ switch (scheme)
+ {
+ case SIGN_BLISS_WITH_SHA256:
+ return verify_bliss(this, HASH_SHA256, data, signature);
+ case SIGN_BLISS_WITH_SHA384:
+ return verify_bliss(this, HASH_SHA384, data, signature);
+ case SIGN_BLISS_WITH_SHA512:
+ return verify_bliss(this, HASH_SHA512, data, signature);
+ default:
+ DBG1(DBG_LIB, "signature scheme %N not supported by BLISS",
+ signature_scheme_names, scheme);
+ return FALSE;
+ }
+}
+
+METHOD(public_key_t, encrypt_, bool,
+ private_bliss_public_key_t *this, encryption_scheme_t scheme,
+ chunk_t plain, chunk_t *crypto)
+{
+ DBG1(DBG_LIB, "encryption scheme %N not supported",
+ encryption_scheme_names, scheme);
+ return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+ private_bliss_public_key_t *this)
+{
+ return this->set->strength;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+ private_bliss_public_key_t *this, cred_encoding_type_t type,
+ chunk_t *encoding)
+{
+ bool success = TRUE;
+
+ *encoding = bliss_public_key_info_encode(this->set->oid, this->A, this->set);
+
+ if (type != PUBKEY_SPKI_ASN1_DER)
+ {
+ chunk_t asn1_encoding = *encoding;
+
+ success = lib->encoding->encode(lib->encoding, type,
+ NULL, encoding, CRED_PART_BLISS_PUB_ASN1_DER,
+ asn1_encoding, CRED_PART_END);
+ chunk_clear(&asn1_encoding);
+ }
+ return success;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+ private_bliss_public_key_t *this, cred_encoding_type_t type, chunk_t *fp)
+{
+ bool success;
+
+ if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+ {
+ return TRUE;
+ }
+ success = bliss_public_key_fingerprint(this->set->oid, this->A,
+ this->set, type, fp);
+ if (success)
+ {
+ lib->encoding->cache(lib->encoding, type, this, *fp);
+ }
+ return success;
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+ private_bliss_public_key_t *this)
+{
+ ref_get(&this->ref);
+ return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+ private_bliss_public_key_t *this)
+{
+ if (ref_put(&this->ref))
+ {
+ lib->encoding->clear_cache(lib->encoding, this);
+ free(this->A);
+ free(this);
+ }
+}
+
+/**
+ * ASN.1 definition of a BLISS public key
+ */
+static const asn1Object_t pubkeyObjects[] = {
+ { 0, "subjectPublicKeyInfo",ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */
+ { 1, "algorithm", ASN1_EOC, ASN1_RAW }, /* 1 */
+ { 1, "subjectPublicKey", ASN1_BIT_STRING, ASN1_BODY }, /* 2 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+};
+#define BLISS_SUBJECT_PUBLIC_KEY_ALGORITHM 1
+#define BLISS_SUBJECT_PUBLIC_KEY 2
+
+/**
+ * See header.
+ */
+bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args)
+{
+ private_bliss_public_key_t *this;
+ chunk_t blob = chunk_empty, object, param;
+ asn1_parser_t *parser;
+ bool success = FALSE;
+ int objectID, oid;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB_ASN1_DER:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (blob.len == 0)
+ {
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .key = {
+ .get_type = _get_type,
+ .verify = _verify,
+ .encrypt = _encrypt_,
+ .equals = public_key_equals,
+ .get_keysize = _get_keysize,
+ .get_fingerprint = _get_fingerprint,
+ .has_fingerprint = public_key_has_fingerprint,
+ .get_encoding = _get_encoding,
+ .get_ref = _get_ref,
+ .destroy = _destroy,
+ },
+ },
+ .ref = 1,
+ );
+
+ parser = asn1_parser_create(pubkeyObjects, blob);
+
+ while (parser->iterate(parser, &objectID, &object))
+ {
+ switch (objectID)
+ {
+ case BLISS_SUBJECT_PUBLIC_KEY_ALGORITHM:
+ {
+ oid = asn1_parse_algorithmIdentifier(object,
+ parser->get_level(parser)+1, &param);
+ if (oid != OID_BLISS_PUBLICKEY)
+ {
+ goto end;
+ }
+ if (!asn1_parse_simple_object(&param, ASN1_OID,
+ parser->get_level(parser)+3, "blissKeyType"))
+ {
+ goto end;
+ }
+ oid = asn1_known_oid(param);
+ if (oid == OID_UNKNOWN)
+ {
+ goto end;
+ }
+ this->set = bliss_param_set_get_by_oid(oid);
+ if (this->set == NULL)
+ {
+ goto end;
+ }
+ break;
+ }
+ case BLISS_SUBJECT_PUBLIC_KEY:
+ if (!bliss_public_key_from_asn1(object, this->set, &this->A))
+ {
+ goto end;
+ }
+ break;
+ }
+ }
+ success = parser->success(parser);
+
+end:
+ parser->destroy(parser);
+ if (!success)
+ {
+ destroy(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
+
+/**
+ * See header.
+ */
+bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
+ uint32_t **pubkey)
+{
+ bliss_bitpacker_t *packer;
+ uint32_t coefficient;
+ uint16_t needed_bits;
+ int i;
+
+ /* skip initial bit string octet defining unused bits */
+ object = chunk_skip(object, 1);
+
+ needed_bits = set->n * set->q_bits;
+
+ if (8 * object.len < needed_bits)
+ {
+ return FALSE;
+ }
+ *pubkey = malloc(set->n * sizeof(uint32_t));
+
+ packer = bliss_bitpacker_create_from_data(object);
+
+ for (i = 0; i < set->n; i++)
+ {
+ packer->read_bits(packer, &coefficient, set->q_bits);
+ if (coefficient >= set->q)
+ {
+ packer->destroy(packer);
+ return FALSE;
+ }
+ (*pubkey)[i] = coefficient;
+ }
+ packer->destroy(packer);
+
+ return TRUE;
+}
+
+/**
+ * See header.
+ */
+chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set)
+{
+ bliss_bitpacker_t *packer;
+ chunk_t encoding;
+ int i;
+
+ packer = bliss_bitpacker_create(set->n * set->q_bits);
+
+ for (i = 0; i < set->n; i++)
+ {
+ packer->write_bits(packer, pubkey[i], set->q_bits);
+ }
+ encoding = packer->extract_buf(packer);
+ packer->destroy(packer);
+
+ return encoding;
+}
+
+/**
+ * See header.
+ */
+chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
+ bliss_param_set_t *set)
+{
+ chunk_t encoding, pubkey_encoding;
+
+ pubkey_encoding = bliss_public_key_encode(pubkey, set);
+
+ encoding = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_build_known_oid(OID_BLISS_PUBLICKEY),
+ asn1_build_known_oid(oid)),
+ asn1_bitstring("m", pubkey_encoding));
+
+ return encoding;
+}
+
+/**
+ * See header.
+ */
+bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey,
+ bliss_param_set_t *set,
+ cred_encoding_type_t type, chunk_t *fp)
+{
+ hasher_t *hasher;
+ chunk_t key;
+
+ switch (type)
+ {
+ case KEYID_PUBKEY_SHA1:
+ key = bliss_public_key_encode(pubkey, set);
+ break;
+ case KEYID_PUBKEY_INFO_SHA1:
+ key = bliss_public_key_info_encode(oid, pubkey, set);
+ break;
+ default:
+ return FALSE;
+ }
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher || !hasher->allocate_hash(hasher, key, fp))
+ {
+ DBG1(DBG_LIB, "SHA1 hash algorithm not supported, fingerprinting failed");
+ DESTROY_IF(hasher);
+ free(key.ptr);
+
+ return FALSE;
+ }
+ hasher->destroy(hasher);
+ free(key.ptr);
+
+ return TRUE;
+}
+
diff --git a/src/libstrongswan/plugins/bliss/bliss_public_key.h b/src/libstrongswan/plugins/bliss/bliss_public_key.h
new file mode 100644
index 000000000..cd8f231b2
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_public_key.h
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_public_key bliss_public_key
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_PUBLIC_KEY_H_
+#define BLISS_PUBLIC_KEY_H_
+
+#include "bliss_param_set.h"
+
+#include <credentials/builder.h>
+#include <credentials/cred_encoding.h>
+#include <credentials/keys/public_key.h>
+
+typedef struct bliss_public_key_t bliss_public_key_t;
+
+/**
+ * public_key_t implementation of BLISS signature algorithm
+ */
+struct bliss_public_key_t {
+
+ /**
+ * Implements the public_key_t interface
+ */
+ public_key_t key;
+};
+
+/**
+ * Load a BLISS public key.
+ *
+ * Accepts BUILD_BLISS_* components.
+ *
+ * @param type type of the key, must be KEY_BLISS
+ * @param args builder_part_t argument list
+ * @return loaded key, NULL on failure
+ */
+bliss_public_key_t *bliss_public_key_load(key_type_t type, va_list args);
+
+/* The following functions are shared with the bliss_private_key class */
+
+/**
+ * Parse an ASN.1 BIT STRING into an array of public key coefficients
+ *
+ * @param object packed subjectPublicKey
+ * @param set BLISS parameter set for public key vector
+ * @param pubkey coefficients of public key vector
+ * @return TRUE if parsing successful
+ */
+bool bliss_public_key_from_asn1(chunk_t object, bliss_param_set_t *set,
+ uint32_t **pubkey);
+
+/**
+ * Encode a raw BLISS subjectPublicKey in ASN.1 DER format
+ *
+ * @param pubkey coefficients of public key vector
+ * @param set BLISS parameter set for the public key vector
+ * @result ASN.1 encoded subjectPublicKey
+ */
+chunk_t bliss_public_key_encode(uint32_t *pubkey, bliss_param_set_t *set);
+
+/**
+ * Encode a BLISS subjectPublicKeyInfo record in ASN.1 DER format
+ *
+ * @param oid BLISS public key type OID
+ * @param pubkey coefficients of public key vector
+ * @param set BLISS parameter set for the public key vector
+ * @result ASN.1 encoded subjectPublicKeyInfo record
+ */
+chunk_t bliss_public_key_info_encode(int oid, uint32_t *pubkey,
+ bliss_param_set_t *set);
+
+/**
+ * Generate a BLISS public key fingerprint
+ *
+ * @param oid BLISS public key type OID
+ * @param pubkey coefficients of public key vector
+ * @param set BLISS parameter set for the public key vector
+ * @param type type of fingerprint to be generated
+ * @param fp generated fingerprint (must be freed by caller)
+ * @result TRUE if generation was successful
+ */
+bool bliss_public_key_fingerprint(int oid, uint32_t *pubkey,
+ bliss_param_set_t *set,
+ cred_encoding_type_t type, chunk_t *fp);
+
+#endif /** BLISS_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.c b/src/libstrongswan/plugins/bliss/bliss_sampler.c
new file mode 100644
index 000000000..fa45a2fac
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_sampler.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_sampler.h"
+
+typedef struct private_bliss_sampler_t private_bliss_sampler_t;
+
+#include <crypto/mgf1/mgf1_bitspender.h>
+
+/**
+ * Private data of a bliss_sampler_t object.
+ */
+struct private_bliss_sampler_t {
+
+ /**
+ * Public interface.
+ */
+ bliss_sampler_t public;
+
+ /**
+ * BLISS parameter the rejection sampling is to be based on
+ */
+ bliss_param_set_t *set;
+
+ /**
+ * Bitspender used for random rejection sampling
+ */
+ mgf1_bitspender_t *bitspender;
+
+};
+
+METHOD(bliss_sampler_t, bernoulli_exp, bool,
+ private_bliss_sampler_t *this, uint32_t x, bool *accepted)
+{
+ uint32_t x_mask;
+ uint8_t *c, u;
+ int i;
+
+ x_mask = 1 << (this->set->c_rows - 1);
+ c = this->set->c;
+ c += (this->set->c_rows - 1) * this->set->c_cols;
+
+ while (x_mask > 0)
+ {
+ if (x & x_mask)
+ {
+ for (i = 0; i < this->set->c_cols; i++)
+ {
+ if (!this->bitspender->get_byte(this->bitspender, &u))
+ {
+ return FALSE;
+ }
+ if (u < c[i])
+ {
+ break;
+ }
+ else if (u > c[i])
+ {
+ *accepted = FALSE;
+ return TRUE;
+ }
+ }
+ }
+ x_mask >>= 1;
+ c -= this->set->c_cols;
+ }
+
+ *accepted = TRUE;
+ return TRUE;
+}
+
+METHOD(bliss_sampler_t, bernoulli_cosh, bool,
+ private_bliss_sampler_t *this, int32_t x, bool *accepted)
+{
+ uint32_t u;
+
+ x = 2 * (x < 0 ? -x : x);
+
+ while (TRUE)
+ {
+ if (!bernoulli_exp(this, x, accepted))
+ {
+ return FALSE;
+ }
+ if (*accepted)
+ {
+ return TRUE;
+ }
+ if (!this->bitspender->get_bits(this->bitspender, 1, &u))
+ {
+ return FALSE;
+ }
+ if (u)
+ {
+ continue;
+ }
+ if (!bernoulli_exp(this, x, accepted))
+ {
+ return FALSE;
+ }
+ if (!(*accepted))
+ {
+ return TRUE;
+ }
+ }
+}
+
+#define MAX_SAMPLE_INDEX 16
+
+METHOD(bliss_sampler_t, pos_binary, bool,
+ private_bliss_sampler_t *this, uint32_t *x)
+{
+ uint32_t u, i;
+
+ while (TRUE)
+ {
+ for (i = 0; i <= MAX_SAMPLE_INDEX; i++)
+ {
+ if (!this->bitspender->get_bits(this->bitspender,
+ i ? (2*i - 1) : 1, &u))
+ {
+ return FALSE;
+ }
+ if (u == 0)
+ {
+ *x = i;
+ return TRUE;
+ }
+ if ((u >> 1) != 0)
+ {
+ break;
+ }
+ }
+ if (i > MAX_SAMPLE_INDEX)
+ {
+ return FALSE;
+ }
+ }
+}
+
+METHOD(bliss_sampler_t, gaussian, bool,
+ private_bliss_sampler_t *this, int32_t *z)
+{
+ uint32_t u, x, y, z_pos;
+ bool accepted;
+
+ while (TRUE)
+ {
+ if (!pos_binary(this, &x))
+ {
+ return FALSE;
+ }
+
+ do
+ {
+ if (!this->bitspender->get_bits(this->bitspender,
+ this->set->k_sigma_bits, &y))
+ {
+ return FALSE;
+ }
+ }
+ while (y >= this->set->k_sigma);
+
+ if (!bernoulli_exp(this, y * (y + 2*this->set->k_sigma * x), &accepted))
+ {
+ return FALSE;
+ }
+ if (accepted)
+ {
+ if (!this->bitspender->get_bits(this->bitspender, 1, &u))
+ {
+ return FALSE;
+ }
+ if (x || y || u)
+ {
+ break;
+ }
+ }
+ }
+
+ z_pos = this->set->k_sigma * x + y;
+ *z = u ? z_pos : -z_pos;
+
+ return TRUE;
+}
+
+METHOD(bliss_sampler_t, sign, bool,
+ private_bliss_sampler_t *this, bool *positive)
+{
+ uint32_t u;
+
+ if (!this->bitspender->get_bits(this->bitspender, 1, &u))
+ {
+ return FALSE;
+ }
+ *positive = u;
+
+ return TRUE;
+}
+
+METHOD(bliss_sampler_t, destroy, void,
+ private_bliss_sampler_t *this)
+{
+ this->bitspender->destroy(this->bitspender);
+ free(this);
+}
+
+
+/**
+ * See header.
+ */
+bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
+ bliss_param_set_t *set)
+{
+ private_bliss_sampler_t *this;
+ mgf1_bitspender_t *bitspender;
+
+ bitspender = mgf1_bitspender_create(alg, seed, FALSE);
+ if (!bitspender)
+ {
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .bernoulli_exp = _bernoulli_exp,
+ .bernoulli_cosh = _bernoulli_cosh,
+ .pos_binary = _pos_binary,
+ .gaussian = _gaussian,
+ .sign = _sign,
+ .destroy = _destroy,
+ },
+ .set = set,
+ .bitspender = bitspender,
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_sampler.h b/src/libstrongswan/plugins/bliss/bliss_sampler.h
new file mode 100644
index 000000000..2c75d4480
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_sampler.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_sampler bliss_sampler
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_SAMPLER_H_
+#define BLISS_SAMPLER_H_
+
+typedef struct bliss_sampler_t bliss_sampler_t;
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation various rejection sampling algorithms.
+ */
+struct bliss_sampler_t {
+
+ /**
+ * Sample according to exp(-x/(2*sigma^2))
+ *
+ * @param x Value to be sampled
+ * @param accepted TRUE if value is accepted, FALSE if rejected
+ * @result TRUE if sampling was successful
+ */
+ bool (*bernoulli_exp)(bliss_sampler_t *this, uint32_t x, bool *accepted);
+
+ /**
+ * Sample according to 1/cosh(x/sigma^2)
+ *
+ * @param x Value to be sampled
+ * @param accepted TRUE if value is accepted, FALSE if rejected
+ * @result TRUE if sampling was successful
+ */
+ bool (*bernoulli_cosh)(bliss_sampler_t *this, int32_t x, bool *accepted);
+
+ /**
+ * Sample according to 2^(-x^2) for positive x
+ *
+ * @param x Generated value
+ * @result TRUE if sampling was successful
+ */
+ bool (*pos_binary)(bliss_sampler_t *this, uint32_t *x);
+
+ /**
+ * Sample according to the Gaussian distribution exp(-x^2/(2*sigma^2))
+ *
+ * @param z Generated value with Gaussian distribution
+ * @result TRUE if sampling was successful
+ */
+ bool (*gaussian)(bliss_sampler_t *this, int32_t *z);
+
+ /**
+ * Sample the sign according to the binary distribution
+ *
+ * @param positive TRUE if positive
+ * @result TRUE if sampling was successful
+ */
+ bool (*sign)(bliss_sampler_t *this, bool *positive);
+
+ /**
+ * Destroy bliss_sampler_t object
+ */
+ void (*destroy)(bliss_sampler_t *this);
+};
+
+/**
+ * Create a bliss_sampler_t object.
+ *
+ * @param alg Hash algorithm to be used for the internal bitspender
+ * @param seed Seed used to initialize the internal bitspender
+ * @param set BLISS parameter set to be used
+ */
+bliss_sampler_t *bliss_sampler_create(hash_algorithm_t alg, chunk_t seed,
+ bliss_param_set_t *set);
+
+#endif /** BLISS_SAMPLER_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.c b/src/libstrongswan/plugins/bliss/bliss_signature.c
new file mode 100644
index 000000000..e603da399
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_signature.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_signature.h"
+#include "bliss_bitpacker.h"
+#include "bliss_huffman_coder.h"
+
+
+typedef struct private_bliss_signature_t private_bliss_signature_t;
+
+/**
+ * Private data of a bliss_signature_t object.
+ */
+struct private_bliss_signature_t {
+ /**
+ * Public interface for this signer.
+ */
+ bliss_signature_t public;
+
+ /**
+ * BLISS signature parameter set
+ */
+ bliss_param_set_t *set;
+
+ /**
+ * BLISS signature vector z1 of size n
+ */
+ int32_t *z1;
+
+ /**
+ * BLISS signature vector z2d of size n
+ */
+ int16_t *z2d;
+
+ /**
+ * Indices of sparse BLISS challenge vector c of size kappa
+ */
+ uint16_t *c_indices;
+
+};
+
+METHOD(bliss_signature_t, get_encoding, chunk_t,
+ private_bliss_signature_t *this)
+{
+ bliss_bitpacker_t *packer;
+ bliss_huffman_coder_t *coder;
+ bliss_huffman_code_t *code;
+ int32_t z1;
+ uint32_t z1_sign;
+ uint16_t z2d_bits;
+ chunk_t encoding = chunk_empty;
+ int i;
+
+ z2d_bits = this->set->z1_bits - this->set->d;
+
+ /* Get Huffman code for this BLISS parameter set */
+ code = bliss_huffman_code_get_by_id(this->set->id);
+ if (!code)
+ {
+ DBG1(DBG_LIB, "no Huffman code found for parameter set %N",
+ bliss_param_set_id_names, this->set->id);
+ return chunk_empty;
+ }
+
+ packer = bliss_bitpacker_create(this->set->n * this->set->z1_bits +
+ this->set->n * z2d_bits +
+ this->set->kappa * this->set->n_bits);
+ coder = bliss_huffman_coder_create(code, packer);
+
+ for (i = 0; i < this->set->n; i++)
+ {
+ /* determine and remove the sign of z1[i]*/
+ z1_sign = this->z1[i] < 0;
+ z1 = z1_sign ? -this->z1[i] : this->z1[i];
+
+ if (!packer->write_bits(packer, z1_sign, 1) ||
+ !packer->write_bits(packer, z1 & 0xff, 8) ||
+ !coder->encode(coder, z1 >> 8, this->z2d[i]))
+ {
+ goto end;
+ }
+ }
+ for (i = 0; i < this->set->kappa; i++)
+ {
+ if (!packer->write_bits(packer, this->c_indices[i], this->set->n_bits))
+ {
+ goto end;
+ }
+ }
+ encoding = packer->extract_buf(packer);
+
+ DBG2(DBG_LIB, "efficiency of Huffman coder is %6.4f bits/tuple (%u bits)",
+ coder->get_bits(coder)/(double)(this->set->n),
+ coder->get_bits(coder));
+ DBG2(DBG_LIB, "generated BLISS signature (%u bits encoded in %u bytes)",
+ packer->get_bits(packer), encoding.len);
+
+ end:
+ coder->destroy(coder);
+ packer->destroy(packer);
+ return encoding;
+}
+
+METHOD(bliss_signature_t, get_parameters, void,
+ private_bliss_signature_t *this, int32_t **z1, int16_t **z2d,
+ uint16_t **c_indices)
+{
+ *z1 = this->z1;
+ *z2d = this->z2d;
+ *c_indices = this->c_indices;
+}
+
+METHOD(bliss_signature_t, destroy, void,
+ private_bliss_signature_t *this)
+{
+ free(this->z1);
+ free(this->z2d);
+ free(this->c_indices);
+ free(this);
+}
+
+/**
+ * See header.
+ */
+bliss_signature_t *bliss_signature_create(bliss_param_set_t *set)
+{
+ private_bliss_signature_t *this;
+
+ INIT(this,
+ .public = {
+ .get_encoding = _get_encoding,
+ .get_parameters = _get_parameters,
+ .destroy = _destroy,
+ },
+ .set = set,
+ .z1 = malloc(set->n * sizeof(int32_t)),
+ .z2d = malloc(set->n * sizeof(int16_t)),
+ .c_indices = malloc(set->n * sizeof(uint16_t)),
+ );
+
+ return &this->public;
+}
+
+/**
+ * See header.
+ */
+bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set,
+ chunk_t encoding)
+{
+ private_bliss_signature_t *this;
+ bliss_bitpacker_t *packer;
+ bliss_huffman_coder_t *coder;
+ bliss_huffman_code_t *code;
+ uint32_t z1_sign, z1_low, value;
+ int32_t z1;
+ int16_t z2;
+ int i;
+
+ /* Get Huffman code for this BLISS parameter set */
+ code = bliss_huffman_code_get_by_id(set->id);
+ if (!code)
+ {
+ DBG1(DBG_LIB, "no Huffman code found for parameter set %N",
+ bliss_param_set_id_names, set->id);
+ return NULL;
+ }
+
+ if (encoding.len == 0)
+ {
+ DBG1(DBG_LIB, "zero length BLISS signature");
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .get_encoding = _get_encoding,
+ .get_parameters = _get_parameters,
+ .destroy = _destroy,
+ },
+ .set = set,
+ .z1 = malloc(set->n * sizeof(int32_t)),
+ .z2d = malloc(set->n * sizeof(int16_t)),
+ .c_indices = malloc(set->n * sizeof(uint16_t)),
+ );
+
+ packer = bliss_bitpacker_create_from_data(encoding);
+ coder = bliss_huffman_coder_create(code, packer);
+
+ for (i = 0; i < set->n; i++)
+ {
+ if (!packer->read_bits(packer, &z1_sign, 1) ||
+ !packer->read_bits(packer, &z1_low, 8) ||
+ !coder->decode(coder, &z1, &z2))
+ {
+ DBG1(DBG_LIB, "truncated BLISS signature encoding of z1/z2");
+ coder->destroy(coder);
+ packer->destroy(packer);
+ destroy(this);
+ return NULL;
+ }
+ z1 = (z1 << 8) + z1_low;
+ this->z1[i] = z1_sign ? -z1 : z1;
+ this->z2d[i] = z2;
+ }
+ coder->destroy(coder);
+
+ for (i = 0; i < set->kappa; i++)
+ {
+ if (!packer->read_bits(packer, &value, set->n_bits))
+ {
+ DBG1(DBG_LIB, "truncated BLISS signature encoding of c_indices");
+ packer->destroy(packer);
+ destroy(this);
+ return NULL;
+ }
+ this->c_indices[i] = value;
+ }
+ packer->destroy(packer);
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_signature.h b/src/libstrongswan/plugins/bliss/bliss_signature.h
new file mode 100644
index 000000000..d37f5398b
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_signature.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_signature bliss_signature
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_SIGNATURE_H_
+#define BLISS_SIGNATURE_H_
+
+typedef struct bliss_signature_t bliss_signature_t;
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+/**
+ * Public interface of BLISS signature object
+ */
+struct bliss_signature_t {
+
+ /**
+ * Get compressed binary encoding of BLISS signature
+ *
+ * @result binary encoding of BLISS signature
+ */
+ chunk_t (*get_encoding)(bliss_signature_t *this);
+
+ /**
+ * Get signature parameters extracted from compressd binary encoding
+ *
+ * @param z1 signature vector z1 of size n
+ * @param z2d signature vector z2d of size n
+ * @param c_indices indices of sparse binary challenge vector of size kappa
+ */
+ void (*get_parameters)(bliss_signature_t *this, int32_t **z1, int16_t **z2d,
+ uint16_t **c_indices);
+
+ /**
+ * Destroy bliss_signature_t object
+ */
+ void (*destroy)(bliss_signature_t *this);
+
+};
+
+/**
+ * Create a BLISS signature object.
+ *
+ * @param set BLISS parameter set
+ */
+bliss_signature_t *bliss_signature_create(bliss_param_set_t *set);
+
+/**
+ * Create a BLISS signature object from encoding.
+ *
+ * @param set BLISS parameter set
+ * @param encoding binary signature encoding
+ */
+bliss_signature_t *bliss_signature_create_from_data(bliss_param_set_t *set,
+ chunk_t encoding);
+
+#endif /** BLISS_SIGNATURE_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.c b/src/libstrongswan/plugins/bliss/bliss_utils.c
new file mode 100644
index 000000000..5a069989c
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "bliss_utils.h"
+
+#include <asn1/asn1.h>
+#include <crypto/hashers/hasher.h>
+#include <utils/debug.h>
+
+/**
+ * See header.
+ */
+int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n)
+{
+ int32_t product = 0;
+ int i;
+
+ for (i = 0; i < n; i++)
+ {
+ product += x[i] * y[i];
+ }
+
+ return product;
+}
+
+/**
+ * See header.
+ */
+void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd)
+{
+ int32_t factor;
+ int i;
+
+ factor = 1 << set->d;
+
+ for (i = 0; i < set->n; i++)
+ {
+ xd[i] = ((x[i] + (factor >> 1)) / factor) % set->p;
+ }
+}
+
+/**
+ * See header.
+ */
+bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
+ int n, uint16_t kappa, uint16_t *c_indices)
+{
+ int i, j;
+ uint64_t extra_bits;
+ uint16_t index, rounds = 0;
+ uint8_t hash[HASH_SIZE_SHA512], un16_buf[2];
+ chunk_t un16 = { un16_buf, 2 };
+ bool index_taken[n];
+
+ while (TRUE)
+ {
+ if (!hasher->get_hash(hasher, data_hash, NULL))
+ {
+ return FALSE;
+ }
+
+ for (i = 0; i < n; i++)
+ {
+ htoun16(un16_buf, ud[i]);
+ if (!hasher->get_hash(hasher, un16, NULL))
+ {
+ return FALSE;
+ }
+ index_taken[i] = FALSE;
+ }
+
+ htoun16(un16_buf, rounds++);
+ if (!hasher->get_hash(hasher, un16, hash))
+ {
+ return FALSE;
+ }
+
+ extra_bits = untoh64(hash + sizeof(hash) - sizeof(uint64_t));
+
+ for (i = 0, j = 0; j < sizeof(hash); j++)
+ {
+ index = 2 * (uint16_t)hash[i] + (extra_bits & 1);
+ if (!index_taken[index])
+ {
+ c_indices[i++] = index;
+ index_taken[index] = TRUE;
+ }
+ if (i == kappa)
+ {
+ return TRUE;
+ }
+ }
+ }
+}
+
+/**
+ * See header.
+ */
+bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d)
+{
+ int32_t z2ds[set->n];
+ int32_t z1_min, z1_max, norm;
+ int16_t z2d_min, z2d_max;
+ int i;
+
+ /* some statistics on the values of z1 and z2d */
+ z1_min = z1_max = z1[0];
+ z2d_min = z2d_max = z2d[0];
+
+ for (i = 1; i < set->n; i++)
+ {
+ if (z1[i] < z1_min)
+ {
+ z1_min = z1[i];
+ }
+ else if (z1[i] > z1_max)
+ {
+ z1_max = z1[i];
+ }
+ if (z2d[i] < z2d_min)
+ {
+ z2d_min = z2d[i];
+ }
+ else if (z2d[i] > z2d_max)
+ {
+ z2d_max = z2d[i];
+ }
+ }
+ DBG2(DBG_LIB, "z1 = %d..%d, z2d = %d..%d", z1_min, z1_max, z2d_min, z2d_max);
+
+ /* Restriction on infinite norm */
+ for (i = 0; i < set->n; i++)
+ {
+ z2ds[i] = (1 << set->d) * z2d[i];
+
+ if (z1[i] >= set->B_inf || z2ds[i] >= set->B_inf ||
+ z1[i] <= -set->B_inf || z2ds[i] <= -set->B_inf)
+ {
+ DBG2(DBG_LIB, "signature rejected due to excessive infinite norm");
+ return FALSE;
+ }
+ }
+
+ /* Restriction on l2-norm */
+ norm = bliss_utils_scalar_product(z1, z1, set->n) +
+ bliss_utils_scalar_product(z2ds, z2ds, set->n);
+
+ if (norm >= set->B_l2)
+ {
+ DBG2(DBG_LIB, "signature rejected due to excessive l2-norm");
+ return FALSE;
+ }
+
+ return TRUE;
+}
diff --git a/src/libstrongswan/plugins/bliss/bliss_utils.h b/src/libstrongswan/plugins/bliss/bliss_utils.h
new file mode 100644
index 000000000..063fd91c8
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/bliss_utils.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bliss_utils bliss_utils
+ * @{ @ingroup bliss_p
+ */
+
+#ifndef BLISS_UTILS_H_
+#define BLISS_UTILS_H_
+
+#include "bliss_param_set.h"
+
+#include <library.h>
+
+/**
+ * Compute the scalar product of two vectors of size n
+ *
+ * @param x input vector of size n
+ * @param y input vector of size n
+ * @param n size of input vectors x and y
+ * @result scalar product of x and y
+ */
+int32_t bliss_utils_scalar_product(int32_t *x, int32_t *y, int n);
+
+/**
+ * Drop d bits but round first
+ *
+ * @param set BLISS parameter set
+ * @param x input vector x of size n
+ * @param xd rounded vector x with d bits dropped
+ */
+void bliss_utils_round_and_drop(bliss_param_set_t *set, int32_t *x, int16_t *xd);
+
+/**
+ * Generate the binary challenge vector c as an array of kappa indices
+ *
+ * @param hasher hasher used as an oracle
+ * @param data_hash hash of the data to be signed
+ * @param ud input vector ud of size n
+ * @param n size of input vector ud
+ * @param kappa parameter kappa
+ * @param c_indices indexes of non-zero challenge coefficients
+ */
+bool bliss_utils_generate_c(hasher_t *hasher, chunk_t data_hash, uint16_t *ud,
+ int n, uint16_t kappa, uint16_t *c_indices);
+
+/**
+ * Check the infinity and l2 norms of the vectors z1 and z2d << d
+ *
+ * @param set BLISS parameter set
+ * @param z1 input vector
+ * @param z2d input vector
+ * @result TRUE if infinite and l2 norms do not exceed boundaries
+ */
+bool bliss_utils_check_norms(bliss_param_set_t *set, int32_t *z1, int16_t *z2d);
+
+#endif /** BLISS_UTILS_H_ @}*/
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.am b/src/libstrongswan/plugins/bliss/tests/Makefile.am
new file mode 100644
index 000000000..bd87753f5
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.am
@@ -0,0 +1,27 @@
+TESTS = bliss_tests
+
+check_PROGRAMS = $(TESTS)
+
+bliss_tests_SOURCES = \
+ suites/test_bliss_fft.c \
+ suites/test_bliss_bitpacker.c \
+ suites/test_bliss_huffman.c \
+ suites/test_bliss_keys.c \
+ suites/test_bliss_sampler.c \
+ suites/test_bliss_signature.c \
+ suites/test_bliss_sign.c \
+ bliss_tests.h bliss_tests.c
+
+bliss_tests_CFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ -I$(top_srcdir)/src/libstrongswan/plugins/bliss \
+ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+ -DPLUGINS=\""${s_plugins}\"" \
+ @COVERAGE_CFLAGS@
+
+bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+bliss_tests_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la \
+ ../libbliss.la
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in
new file mode 100644
index 000000000..5a1ce3d50
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in
@@ -0,0 +1,985 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+TESTS = bliss_tests$(EXEEXT)
+check_PROGRAMS = $(am__EXEEXT_1)
+subdir = src/libstrongswan/plugins/bliss/tests
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__EXEEXT_1 = bliss_tests$(EXEEXT)
+am__dirstamp = $(am__leading_dot)dirstamp
+am_bliss_tests_OBJECTS = suites/bliss_tests-test_bliss_fft.$(OBJEXT) \
+ suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT) \
+ suites/bliss_tests-test_bliss_huffman.$(OBJEXT) \
+ suites/bliss_tests-test_bliss_keys.$(OBJEXT) \
+ suites/bliss_tests-test_bliss_sampler.$(OBJEXT) \
+ suites/bliss_tests-test_bliss_signature.$(OBJEXT) \
+ suites/bliss_tests-test_bliss_sign.$(OBJEXT) \
+ bliss_tests-bliss_tests.$(OBJEXT)
+bliss_tests_OBJECTS = $(am_bliss_tests_OBJECTS)
+bliss_tests_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la \
+ ../libbliss.la
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+bliss_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(bliss_tests_CFLAGS) \
+ $(CFLAGS) $(bliss_tests_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(bliss_tests_SOURCES)
+DIST_SOURCES = $(bliss_tests_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__tty_colors_dummy = \
+ mgn= red= grn= lgn= blu= brg= std=; \
+ am__color_tests=no
+am__tty_colors = { \
+ $(am__tty_colors_dummy); \
+ if test "X$(AM_COLOR_TESTS)" = Xno; then \
+ am__color_tests=no; \
+ elif test "X$(AM_COLOR_TESTS)" = Xalways; then \
+ am__color_tests=yes; \
+ elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \
+ am__color_tests=yes; \
+ fi; \
+ if test $$am__color_tests = yes; then \
+ red=''; \
+ grn=''; \
+ lgn=''; \
+ blu=''; \
+ mgn=''; \
+ brg=''; \
+ std=''; \
+ fi; \
+}
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+bliss_tests_SOURCES = \
+ suites/test_bliss_fft.c \
+ suites/test_bliss_bitpacker.c \
+ suites/test_bliss_huffman.c \
+ suites/test_bliss_keys.c \
+ suites/test_bliss_sampler.c \
+ suites/test_bliss_signature.c \
+ suites/test_bliss_sign.c \
+ bliss_tests.h bliss_tests.c
+
+bliss_tests_CFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libstrongswan/tests \
+ -I$(top_srcdir)/src/libstrongswan/plugins/bliss \
+ -DPLUGINDIR=\""$(abs_top_builddir)/src/libstrongswan/plugins\"" \
+ -DPLUGINS=\""${s_plugins}\"" \
+ @COVERAGE_CFLAGS@
+
+bliss_tests_LDFLAGS = @COVERAGE_LDFLAGS@
+bliss_tests_LDADD = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libstrongswan/tests/libtest.la \
+ ../libbliss.la
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/tests/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/bliss/tests/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-checkPROGRAMS:
+ @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
+suites/$(am__dirstamp):
+ @$(MKDIR_P) suites
+ @: > suites/$(am__dirstamp)
+suites/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) suites/$(DEPDIR)
+ @: > suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_fft.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_bitpacker.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_huffman.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_keys.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_sampler.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_signature.$(OBJEXT): \
+ suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/bliss_tests-test_bliss_sign.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+
+bliss_tests$(EXEEXT): $(bliss_tests_OBJECTS) $(bliss_tests_DEPENDENCIES) $(EXTRA_bliss_tests_DEPENDENCIES)
+ @rm -f bliss_tests$(EXEEXT)
+ $(AM_V_CCLD)$(bliss_tests_LINK) $(bliss_tests_OBJECTS) $(bliss_tests_LDADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+ -rm -f suites/*.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bliss_tests-bliss_tests.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+suites/bliss_tests-test_bliss_fft.o: suites/test_bliss_fft.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.o `test -f 'suites/test_bliss_fft.c' || echo '$(srcdir)/'`suites/test_bliss_fft.c
+
+suites/bliss_tests-test_bliss_fft.obj: suites/test_bliss_fft.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_fft.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_fft.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_fft.c' object='suites/bliss_tests-test_bliss_fft.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_fft.obj `if test -f 'suites/test_bliss_fft.c'; then $(CYGPATH_W) 'suites/test_bliss_fft.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_fft.c'; fi`
+
+suites/bliss_tests-test_bliss_bitpacker.o: suites/test_bliss_bitpacker.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_bitpacker.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo -c -o suites/bliss_tests-test_bliss_bitpacker.o `test -f 'suites/test_bliss_bitpacker.c' || echo '$(srcdir)/'`suites/test_bliss_bitpacker.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_bitpacker.c' object='suites/bliss_tests-test_bliss_bitpacker.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_bitpacker.o `test -f 'suites/test_bliss_bitpacker.c' || echo '$(srcdir)/'`suites/test_bliss_bitpacker.c
+
+suites/bliss_tests-test_bliss_bitpacker.obj: suites/test_bliss_bitpacker.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_bitpacker.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo -c -o suites/bliss_tests-test_bliss_bitpacker.obj `if test -f 'suites/test_bliss_bitpacker.c'; then $(CYGPATH_W) 'suites/test_bliss_bitpacker.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_bitpacker.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_bitpacker.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_bitpacker.c' object='suites/bliss_tests-test_bliss_bitpacker.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_bitpacker.obj `if test -f 'suites/test_bliss_bitpacker.c'; then $(CYGPATH_W) 'suites/test_bliss_bitpacker.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_bitpacker.c'; fi`
+
+suites/bliss_tests-test_bliss_huffman.o: suites/test_bliss_huffman.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_huffman.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo -c -o suites/bliss_tests-test_bliss_huffman.o `test -f 'suites/test_bliss_huffman.c' || echo '$(srcdir)/'`suites/test_bliss_huffman.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_huffman.c' object='suites/bliss_tests-test_bliss_huffman.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_huffman.o `test -f 'suites/test_bliss_huffman.c' || echo '$(srcdir)/'`suites/test_bliss_huffman.c
+
+suites/bliss_tests-test_bliss_huffman.obj: suites/test_bliss_huffman.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_huffman.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo -c -o suites/bliss_tests-test_bliss_huffman.obj `if test -f 'suites/test_bliss_huffman.c'; then $(CYGPATH_W) 'suites/test_bliss_huffman.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_huffman.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_huffman.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_huffman.c' object='suites/bliss_tests-test_bliss_huffman.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_huffman.obj `if test -f 'suites/test_bliss_huffman.c'; then $(CYGPATH_W) 'suites/test_bliss_huffman.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_huffman.c'; fi`
+
+suites/bliss_tests-test_bliss_keys.o: suites/test_bliss_keys.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_keys.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo -c -o suites/bliss_tests-test_bliss_keys.o `test -f 'suites/test_bliss_keys.c' || echo '$(srcdir)/'`suites/test_bliss_keys.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_keys.c' object='suites/bliss_tests-test_bliss_keys.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_keys.o `test -f 'suites/test_bliss_keys.c' || echo '$(srcdir)/'`suites/test_bliss_keys.c
+
+suites/bliss_tests-test_bliss_keys.obj: suites/test_bliss_keys.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_keys.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo -c -o suites/bliss_tests-test_bliss_keys.obj `if test -f 'suites/test_bliss_keys.c'; then $(CYGPATH_W) 'suites/test_bliss_keys.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_keys.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_keys.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_keys.c' object='suites/bliss_tests-test_bliss_keys.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_keys.obj `if test -f 'suites/test_bliss_keys.c'; then $(CYGPATH_W) 'suites/test_bliss_keys.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_keys.c'; fi`
+
+suites/bliss_tests-test_bliss_sampler.o: suites/test_bliss_sampler.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sampler.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo -c -o suites/bliss_tests-test_bliss_sampler.o `test -f 'suites/test_bliss_sampler.c' || echo '$(srcdir)/'`suites/test_bliss_sampler.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sampler.c' object='suites/bliss_tests-test_bliss_sampler.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sampler.o `test -f 'suites/test_bliss_sampler.c' || echo '$(srcdir)/'`suites/test_bliss_sampler.c
+
+suites/bliss_tests-test_bliss_sampler.obj: suites/test_bliss_sampler.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sampler.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo -c -o suites/bliss_tests-test_bliss_sampler.obj `if test -f 'suites/test_bliss_sampler.c'; then $(CYGPATH_W) 'suites/test_bliss_sampler.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sampler.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sampler.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sampler.c' object='suites/bliss_tests-test_bliss_sampler.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sampler.obj `if test -f 'suites/test_bliss_sampler.c'; then $(CYGPATH_W) 'suites/test_bliss_sampler.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sampler.c'; fi`
+
+suites/bliss_tests-test_bliss_signature.o: suites/test_bliss_signature.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_signature.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo -c -o suites/bliss_tests-test_bliss_signature.o `test -f 'suites/test_bliss_signature.c' || echo '$(srcdir)/'`suites/test_bliss_signature.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_signature.c' object='suites/bliss_tests-test_bliss_signature.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_signature.o `test -f 'suites/test_bliss_signature.c' || echo '$(srcdir)/'`suites/test_bliss_signature.c
+
+suites/bliss_tests-test_bliss_signature.obj: suites/test_bliss_signature.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_signature.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo -c -o suites/bliss_tests-test_bliss_signature.obj `if test -f 'suites/test_bliss_signature.c'; then $(CYGPATH_W) 'suites/test_bliss_signature.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_signature.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_signature.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_signature.c' object='suites/bliss_tests-test_bliss_signature.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_signature.obj `if test -f 'suites/test_bliss_signature.c'; then $(CYGPATH_W) 'suites/test_bliss_signature.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_signature.c'; fi`
+
+suites/bliss_tests-test_bliss_sign.o: suites/test_bliss_sign.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sign.o -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo -c -o suites/bliss_tests-test_bliss_sign.o `test -f 'suites/test_bliss_sign.c' || echo '$(srcdir)/'`suites/test_bliss_sign.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sign.c' object='suites/bliss_tests-test_bliss_sign.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sign.o `test -f 'suites/test_bliss_sign.c' || echo '$(srcdir)/'`suites/test_bliss_sign.c
+
+suites/bliss_tests-test_bliss_sign.obj: suites/test_bliss_sign.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT suites/bliss_tests-test_bliss_sign.obj -MD -MP -MF suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo -c -o suites/bliss_tests-test_bliss_sign.obj `if test -f 'suites/test_bliss_sign.c'; then $(CYGPATH_W) 'suites/test_bliss_sign.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sign.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Tpo suites/$(DEPDIR)/bliss_tests-test_bliss_sign.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_bliss_sign.c' object='suites/bliss_tests-test_bliss_sign.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o suites/bliss_tests-test_bliss_sign.obj `if test -f 'suites/test_bliss_sign.c'; then $(CYGPATH_W) 'suites/test_bliss_sign.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_bliss_sign.c'; fi`
+
+bliss_tests-bliss_tests.o: bliss_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT bliss_tests-bliss_tests.o -MD -MP -MF $(DEPDIR)/bliss_tests-bliss_tests.Tpo -c -o bliss_tests-bliss_tests.o `test -f 'bliss_tests.c' || echo '$(srcdir)/'`bliss_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/bliss_tests-bliss_tests.Tpo $(DEPDIR)/bliss_tests-bliss_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='bliss_tests.c' object='bliss_tests-bliss_tests.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o bliss_tests-bliss_tests.o `test -f 'bliss_tests.c' || echo '$(srcdir)/'`bliss_tests.c
+
+bliss_tests-bliss_tests.obj: bliss_tests.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -MT bliss_tests-bliss_tests.obj -MD -MP -MF $(DEPDIR)/bliss_tests-bliss_tests.Tpo -c -o bliss_tests-bliss_tests.obj `if test -f 'bliss_tests.c'; then $(CYGPATH_W) 'bliss_tests.c'; else $(CYGPATH_W) '$(srcdir)/bliss_tests.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/bliss_tests-bliss_tests.Tpo $(DEPDIR)/bliss_tests-bliss_tests.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='bliss_tests.c' object='bliss_tests-bliss_tests.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(bliss_tests_CFLAGS) $(CFLAGS) -c -o bliss_tests-bliss_tests.obj `if test -f 'bliss_tests.c'; then $(CYGPATH_W) 'bliss_tests.c'; else $(CYGPATH_W) '$(srcdir)/bliss_tests.c'; fi`
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ $(am__tty_colors); \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst $(AM_TESTS_FD_REDIRECT); then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=XPASS; \
+ ;; \
+ *) \
+ col=$$grn; res=PASS; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *[\ \ ]$$tst[\ \ ]*) \
+ xfail=`expr $$xfail + 1`; \
+ col=$$lgn; res=XFAIL; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ col=$$red; res=FAIL; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ col=$$blu; res=SKIP; \
+ fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
+ done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="$$All$$all $$tests passed"; \
+ else \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all $$tests failed"; \
+ else \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ if test "$$failed" -eq 0; then \
+ col="$$grn"; \
+ else \
+ col="$$red"; \
+ fi; \
+ echo "$${col}$$dashes$${std}"; \
+ echo "$${col}$$banner$${std}"; \
+ test -z "$$skipped" || echo "$${col}$$skipped$${std}"; \
+ test -z "$$report" || echo "$${col}$$report$${std}"; \
+ echo "$${col}$$dashes$${std}"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS)
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+ -rm -f suites/$(DEPDIR)/$(am__dirstamp)
+ -rm -f suites/$(am__dirstamp)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-checkPROGRAMS clean-generic clean-libtool \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR) suites/$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: check-am install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \
+ clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \
+ ctags ctags-am distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-pdf install-pdf-am \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags tags-am uninstall uninstall-am
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.c b/src/libstrongswan/plugins/bliss/tests/bliss_tests.c
new file mode 100644
index 000000000..de21e77b7
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/bliss_tests.c
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <test_runner.h>
+
+#include <library.h>
+
+/* declare test suite constructors */
+#define TEST_SUITE(x) test_suite_t* x();
+#include "bliss_tests.h"
+#undef TEST_SUITE
+
+static test_configuration_t tests[] = {
+#define TEST_SUITE(x) \
+ { .suite = x, },
+#include "bliss_tests.h"
+ { .suite = NULL, }
+};
+
+static bool test_runner_init(bool init)
+{
+ if (init)
+ {
+ char *plugins, *plugindir;
+
+ plugins = lib->settings->get_str(lib->settings,
+ "tests.load", PLUGINS);
+ plugindir = lib->settings->get_str(lib->settings,
+ "tests.plugindir", PLUGINDIR);
+ plugin_loader_add_plugindirs(plugindir, plugins);
+ if (!lib->plugins->load(lib->plugins, plugins))
+ {
+ return FALSE;
+ }
+ }
+ else
+ {
+ lib->processor->set_threads(lib->processor, 0);
+ lib->processor->cancel(lib->processor);
+ lib->plugins->unload(lib->plugins);
+ }
+ return TRUE;
+}
+
+int main(int argc, char *argv[])
+{
+ return test_runner_run("bliss", tests, test_runner_init);
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/bliss_tests.h b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
new file mode 100644
index 000000000..f0959cc08
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/bliss_tests.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+TEST_SUITE(bliss_fft_suite_create)
+TEST_SUITE(bliss_bitpacker_suite_create)
+TEST_SUITE(bliss_huffman_suite_create)
+TEST_SUITE(bliss_keys_suite_create)
+TEST_SUITE(bliss_sampler_suite_create)
+TEST_SUITE(bliss_signature_suite_create)
+TEST_SUITE(bliss_sign_suite_create)
+
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c
new file mode 100644
index 000000000..6a728e280
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_bitpacker.c
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_bitpacker.h>
+
+static uint32_t bits[] = { 0, 1, 2, 3, 4, 7, 1, 14, 2, 29, 3, 28, 67, 0x2fe3a9c1};
+
+static chunk_t packed_bits = chunk_from_chars(0x6e, 0x71, 0xe1, 0x74,
+ 0x37, 0x21, 0x97, 0xf1,
+ 0xd4, 0xe0, 0x80);
+
+START_TEST(test_bliss_sign_bitpacker_write)
+{
+ chunk_t buf;
+ bliss_bitpacker_t *packer;
+ int i;
+
+ packer = bliss_bitpacker_create(81);
+
+ for (i = 0; i < 13; i++)
+ {
+ ck_assert(packer->write_bits(packer, bits[i], 1 + i/2));
+ }
+ ck_assert(packer->write_bits(packer, bits[13], 32));
+
+ buf = packer->extract_buf(packer);
+ ck_assert_int_eq(packer->get_bits(packer), 81);
+ ck_assert_chunk_eq(buf, packed_bits);
+
+ packer->destroy(packer);
+ free(buf.ptr);
+}
+END_TEST
+
+START_TEST(test_bliss_sign_bitpacker_read)
+{
+ uint32_t value;
+ bliss_bitpacker_t *packer;
+ int i;
+
+ packer = bliss_bitpacker_create_from_data(packed_bits);
+
+ ck_assert(!packer->read_bits(packer, &value, 33));
+
+ for (i = 0; i < 13; i++)
+ {
+ ck_assert(packer->read_bits(packer, &value, 1 + i/2));
+ ck_assert_int_eq(value, bits[i]);
+ }
+ ck_assert(packer->read_bits(packer, &value, 32));
+ ck_assert_int_eq(value, bits[13]);
+
+ packer->destroy(packer);
+}
+END_TEST
+
+START_TEST(test_bliss_sign_bitpacker_fail)
+{
+ bliss_bitpacker_t *packer;
+ uint32_t value;
+
+ packer = bliss_bitpacker_create(32);
+ ck_assert( packer->write_bits(packer, 0xff, 0));
+ ck_assert(!packer->write_bits(packer, 0, 33));
+ ck_assert( packer->write_bits(packer, 0x7f2a3b01, 31));
+ ck_assert(!packer->write_bits(packer, 3, 2));
+ packer->destroy(packer);
+
+ packer = bliss_bitpacker_create_from_data(
+ chunk_from_chars(0x7f, 0x2a, 0x3b, 0x01));
+ ck_assert(!packer->read_bits(packer, &value, 33));
+ ck_assert( packer->read_bits(packer, &value, 31));
+ ck_assert(!packer->read_bits(packer, &value, 2));
+ packer->destroy(packer);
+}
+END_TEST
+
+Suite *bliss_bitpacker_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("bliss_bitpacker");
+
+ tc = tcase_create("bitpacker_write");
+ tcase_add_test(tc, test_bliss_sign_bitpacker_write);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("bitpacker_read");
+ tcase_add_test(tc, test_bliss_sign_bitpacker_read);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("bitpacker_fail");
+ tcase_add_test(tc, test_bliss_sign_bitpacker_fail);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c
new file mode 100644
index 000000000..009aaf802
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_fft.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_fft.h>
+
+static bliss_fft_params_t *fft_params[] = {
+ &bliss_fft_17_8,
+ &bliss_fft_12289_512
+};
+
+START_TEST(test_bliss_fft_impulse)
+{
+ bliss_fft_t *fft;
+ uint16_t n = fft_params[_i]->n;
+ uint32_t x[n], X[n];
+ int i;
+
+ for (i = 0; i < n; i++)
+ {
+ x[i] = 0;
+ }
+ x[0] = 1;
+
+ fft = bliss_fft_create(fft_params[_i]);
+ fft->transform(fft, x, X, FALSE);
+
+ for (i = 0; i < n; i++)
+ {
+ ck_assert(X[i] == 1);
+ }
+ fft->transform(fft, X, x, TRUE);
+
+ for (i = 0; i < n; i++)
+ {
+ ck_assert(x[i] == (i == 0));
+ }
+ fft->destroy(fft);
+}
+END_TEST
+
+START_TEST(test_bliss_fft_wrap)
+{
+ bliss_fft_t *fft;
+ uint16_t n = fft_params[_i]->n;
+ uint16_t q = fft_params[_i]->q;
+ uint32_t x[n],y[n], X[n], Y[n];
+ int i, j;
+
+ for (i = 0; i < n; i++)
+ {
+ x[i] = i;
+ y[i] = 0;
+ }
+ fft = bliss_fft_create(fft_params[_i]);
+ ck_assert(fft->get_size(fft) == n);
+ ck_assert(fft->get_modulus(fft) == q);
+ fft->transform(fft, x, X, FALSE);
+
+ for (j = 0; j < n; j++)
+ {
+ y[j] = 1;
+ fft->transform(fft, y, Y, FALSE);
+
+ for (i = 0; i < n; i++)
+ {
+ Y[i] = (X[i] * Y[i]) % q;
+ }
+ fft->transform(fft, Y, Y, TRUE);
+
+ for (i = 0; i < n; i++)
+ {
+ ck_assert(Y[i] == ( i < j ? q - n - i + j : i - j));
+ }
+ y[j] = 0;
+ }
+ fft->destroy(fft);
+}
+END_TEST
+
+Suite *bliss_fft_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("bliss_fft");
+
+ tc = tcase_create("impulse");
+ tcase_add_loop_test(tc, test_bliss_fft_impulse, 0, countof(fft_params));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("negative_wrap");
+ tcase_add_loop_test(tc, test_bliss_fft_wrap, 0, countof(fft_params));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c
new file mode 100644
index 000000000..5447d0741
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_huffman.c
@@ -0,0 +1,122 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_huffman_coder.h>
+
+static chunk_t data = chunk_from_chars(0x5f, 0x71, 0x9e, 0x4c);
+
+START_TEST(test_bliss_huffman_encode)
+{
+ bliss_bitpacker_t *packer;
+ bliss_huffman_code_t *code;
+ bliss_huffman_coder_t *coder;
+ chunk_t encoding;
+
+ packer = bliss_bitpacker_create(32);
+ ck_assert(packer);
+
+ code = bliss_huffman_code_get_by_id(BLISS_B_I);
+ ck_assert(code);
+
+ coder = bliss_huffman_coder_create(code, packer);
+ ck_assert(coder);
+
+ ck_assert( coder->encode(coder, 0, 0)); /* 0 */
+ ck_assert( coder->encode(coder, 1, 0)); /* 10 */
+ ck_assert( coder->encode(coder, 2, 0)); /* 111 */
+ ck_assert( coder->encode(coder, 0, 1)); /* 1101 */
+ ck_assert( coder->encode(coder, 0, -1)); /* 11000 */
+ ck_assert( coder->encode(coder, 1, 1)); /* 110011 */
+ ck_assert( coder->encode(coder, 1, -1)); /* 1100100 */
+ ck_assert(!coder->encode(coder, 3, 0)); /* 11001010 */
+ ck_assert(!coder->encode(coder, 8, 0)); /* - */
+
+ encoding = packer->extract_buf(packer);
+ ck_assert(chunk_equals(encoding, data));
+
+ chunk_free(&encoding);
+ coder->destroy(coder);
+ packer->destroy(packer);
+}
+END_TEST
+
+START_TEST(test_bliss_huffman_decode)
+{
+ bliss_bitpacker_t *packer;
+ bliss_huffman_code_t *code;
+ bliss_huffman_coder_t *coder;
+ int32_t z1;
+ int16_t z2;
+
+ packer = bliss_bitpacker_create_from_data(data);
+ ck_assert(packer);
+
+ code = bliss_huffman_code_get_by_id(BLISS_II);
+ ck_assert(!code);
+ code = bliss_huffman_code_get_by_id(BLISS_B_II);
+ ck_assert(!code);
+ code = bliss_huffman_code_get_by_id(BLISS_B_I);
+ ck_assert(code);
+
+ coder = bliss_huffman_coder_create(code, packer);
+ ck_assert(coder);
+
+ ck_assert(coder->decode(coder, &z1, &z2)); /* 0 */
+ ck_assert(z1 == 0 && z2 == 0);
+
+ ck_assert(coder->decode(coder, &z1, &z2)); /* 10 */
+ ck_assert(z1 == 1 && z2 == 0);
+
+ ck_assert(coder->decode(coder, &z1, &z2)); /* 111 */
+ ck_assert(z1 == 2 && z2 == 0);
+
+ ck_assert(coder->decode(coder, &z1, &z2)); /* 1101 */
+ ck_assert(z1 == 0 && z2 == 1);
+
+ ck_assert(coder->decode(coder, &z1, &z2)); /* 11000 */
+ ck_assert(z1 == 0 && z2 == -1);
+
+ ck_assert(coder->decode(coder, &z1, &z2)); /* 110011 */
+ ck_assert(z1 == 1 && z2 == 1);
+
+ ck_assert(coder->decode(coder, &z1, &z2)); /* 1100100 */
+ ck_assert(z1 == 1 && z2 == -1);
+
+ ck_assert(!coder->decode(coder, &z1, &z2)); /* 11001010 */
+
+ coder->destroy(coder);
+ packer->destroy(packer);
+}
+END_TEST
+
+Suite *bliss_huffman_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("bliss_huffman");
+
+ tc = tcase_create("huffman_encode");
+ tcase_add_test(tc, test_bliss_huffman_encode);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("huffman_decode");
+ tcase_add_test(tc, test_bliss_huffman_decode);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c
new file mode 100644
index 000000000..f48bc1d79
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_keys.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_private_key.h>
+#include <bliss_public_key.h>
+
+static chunk_t privkey_chunk[] = {
+ {NULL, 0},
+ chunk_from_chars(0x30, 0x00),
+ chunk_from_chars(0x30, 0x01),
+ chunk_from_chars(0x30, 0x03, 0x06, 0x01, 0x01),
+ chunk_from_chars(0x30, 0x0d, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+ 0xa0, 0x2a, 0x05, 0x02, 0x06),
+ chunk_from_chars(0x30, 0x0f, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82,
+ 0xa0, 0x2a, 0x05, 0x02, 0x05, 0x03, 0x00),
+ chunk_from_chars(0x30, 0x82, 0x04, 0x9a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+ 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x05, 0x03, 0x82, 0x03,
+ 0x81, 0x00, 0x81, 0xe5, 0xd2, 0x71, 0xeb, 0x98, 0xe5, 0x24,
+ 0x34, 0xe4, 0x8a, 0x27, 0x23, 0x7d, 0x7d, 0x2c, 0xa3, 0xa7,
+ 0x3f, 0x87, 0xad, 0xae, 0xfa, 0xe4, 0x66, 0x1c, 0xef, 0x69,
+ 0x63, 0x5e, 0x91, 0xda, 0x41, 0x45, 0xd5, 0x8a, 0xb5, 0x26,
+ 0x33, 0x32, 0xe0, 0xa2, 0x9b, 0x52, 0x5e, 0x49, 0x5d, 0x0d,
+ 0x62, 0x72, 0x68, 0xa5, 0x94, 0x24, 0x03, 0x98, 0x48, 0x60,
+ 0x4a, 0x98, 0x97, 0x0d, 0x60, 0x7d, 0x00, 0x4f, 0xb9, 0xaf,
+ 0xcb, 0x6b, 0x41, 0x3d, 0x5b, 0xe4, 0x3e, 0x9a, 0xee, 0x06,
+ /* 100 */ 0xa1, 0xd0, 0x93, 0x53, 0x88, 0x58, 0x83, 0xb2, 0x44, 0xa1,
+ 0x16, 0x58, 0x3d, 0x32, 0xa1, 0x29, 0x85, 0x1a, 0x24, 0xc8,
+ 0xb8, 0x8c, 0x1f, 0x43, 0xbb, 0x4b, 0xdd, 0x8e, 0x72, 0xd3,
+ 0xf4, 0xfc, 0x02, 0x69, 0x47, 0xa5, 0x9d, 0xd0, 0xfc, 0xa6,
+ 0x94, 0x2e, 0x02, 0x6d, 0x85, 0x2c, 0x6d, 0xe3, 0x91, 0xd5,
+ 0xf1, 0x54, 0xbd, 0x1e, 0x63, 0x6b, 0xee, 0x28, 0xf9, 0xc6,
+ 0xec, 0x05, 0x99, 0xd5, 0xdd, 0xe5, 0x72, 0x9b, 0xbc, 0xa7,
+ 0x5a, 0x4a, 0x46, 0x3e, 0xec, 0xd7, 0x0b, 0xc5, 0x23, 0x00,
+ 0xdc, 0x08, 0x09, 0x57, 0x44, 0x2e, 0x43, 0x0f, 0xea, 0xca,
+ 0x2a, 0x31, 0xbe, 0xf3, 0x04, 0x8f, 0x8b, 0xa6, 0x3c, 0x35,
+ /* 200 */ 0x80, 0x2b, 0xe2, 0x18, 0x22, 0xfd, 0xe9, 0x39, 0x57, 0xed,
+ 0x77, 0x1d, 0x32, 0x02, 0x48, 0x2c, 0x85, 0x53, 0x9f, 0x4a,
+ 0xd8, 0x86, 0x4d, 0xd2, 0x26, 0x19, 0x12, 0x19, 0xa2, 0xb5,
+ 0xdf, 0x02, 0x50, 0xe4, 0x32, 0x9a, 0x27, 0xd0, 0x9e, 0x49,
+ 0x4a, 0x13, 0x9a, 0xfc, 0x07, 0x98, 0x60, 0x65, 0xf4, 0xc1,
+ 0x6c, 0x9a, 0x15, 0x28, 0x74, 0x5c, 0xd0, 0xa8, 0xe6, 0x2e,
+ 0x1f, 0xe9, 0xe6, 0x2b, 0xc8, 0x46, 0xe9, 0x26, 0xb0, 0xf0,
+ 0x8a, 0xe6, 0x8c, 0x9b, 0xbf, 0x64, 0xa0, 0x59, 0x33, 0x4f,
+ 0xc0, 0x0c, 0x16, 0x72, 0x89, 0x79, 0x2a, 0x3a, 0x5e, 0x3d,
+ 0x40, 0xbb, 0x73, 0xa9, 0xc0, 0x52, 0x70, 0x57, 0x06, 0xc1,
+ /* 300 */ 0xe7, 0x70, 0xb8, 0x6d, 0x1b, 0x50, 0x61, 0x85, 0xee, 0x3e,
+ 0xe5, 0x5a, 0x8a, 0x75, 0x9f, 0x1e, 0xb7, 0xea, 0x54, 0x5a,
+ 0x8f, 0x52, 0xc2, 0xae, 0x2c, 0x7a, 0x58, 0xe6, 0xcb, 0xa6,
+ 0x9b, 0x68, 0x84, 0x79, 0xf2, 0x82, 0x05, 0x57, 0xaa, 0xd5,
+ 0x51, 0x82, 0xec, 0x84, 0x63, 0xce, 0xf4, 0xa7, 0xdf, 0x4e,
+ 0xac, 0x7d, 0xdd, 0xc3, 0x02, 0x68, 0xe0, 0x35, 0xa1, 0x92,
+ 0x29, 0x02, 0x2c, 0xa0, 0xe4, 0x29, 0x66, 0xd3, 0xe8, 0xd9,
+ 0x52, 0x0f, 0x3b, 0xec, 0x53, 0x63, 0x57, 0xc3, 0xd2, 0x59,
+ 0x38, 0xe7, 0x74, 0xf4, 0x1d, 0x03, 0x88, 0x3c, 0xe9, 0x97,
+ 0x37, 0xd7, 0x12, 0x66, 0x2a, 0xb5, 0xf8, 0xcd, 0x10, 0x87,
+ /* 400 */ 0x5d, 0x6a, 0x69, 0xbb, 0x9b, 0xc5, 0x55, 0x3c, 0x09, 0x46,
+ 0x04, 0x57, 0xc0, 0x2f, 0x77, 0x89, 0xe2, 0x88, 0x15, 0x6b,
+ 0x71, 0x56, 0xe1, 0xa2, 0x30, 0x71, 0x5f, 0x1d, 0x27, 0x12,
+ 0xbf, 0xc3, 0x55, 0xde, 0xe5, 0x9c, 0x4e, 0xb8, 0xc6, 0xec,
+ 0x96, 0x3a, 0x5d, 0x6d, 0xe9, 0xd3, 0xf8, 0x28, 0xda, 0x3f,
+ 0x75, 0x24, 0xd0, 0x34, 0x50, 0xa6, 0x28, 0x65, 0x6a, 0xe9,
+ 0xa6, 0x89, 0xe5, 0x5d, 0x45, 0xaf, 0x63, 0x34, 0xaf, 0x31,
+ 0x29, 0x82, 0xe6, 0x03, 0x80, 0x5c, 0x34, 0x28, 0xd1, 0x9f,
+ 0xca, 0xd3, 0x96, 0xcb, 0x31, 0xde, 0xdb, 0xf0, 0x07, 0x2b,
+ 0xc5, 0xbc, 0x29, 0xd1, 0x11, 0xf4, 0x23, 0x3b, 0x14, 0xb5,
+ /* 500 */ 0xa6, 0xf1, 0x02, 0x9e, 0x66, 0xbe, 0xdc, 0xc4, 0xca, 0xf7,
+ 0xc0, 0x81, 0x92, 0x7c, 0xea, 0xe3, 0x42, 0x54, 0x8a, 0x6f,
+ 0x0a, 0x2a, 0xa7, 0x2a, 0x92, 0xab, 0x09, 0xb1, 0x61, 0x91,
+ 0xaa, 0x90, 0x54, 0xa3, 0x76, 0x64, 0xe2, 0xfd, 0x81, 0x9a,
+ 0x4c, 0x35, 0x11, 0x28, 0xf3, 0x14, 0x97, 0x1b, 0x61, 0xa4,
+ 0x67, 0x43, 0xae, 0x90, 0x6b, 0xe4, 0x29, 0x34, 0xec, 0x08,
+ 0xbc, 0x6a, 0x82, 0x45, 0xc7, 0x7d, 0xdc, 0xd0, 0x03, 0x98,
+ 0x29, 0x63, 0x05, 0x94, 0xb2, 0xb9, 0x04, 0xce, 0x34, 0x9a,
+ 0x64, 0xae, 0x9a, 0xa9, 0x11, 0xa5, 0x13, 0x07, 0xcc, 0x92,
+ 0xe9, 0xe5, 0x98, 0x13, 0x13, 0x8f, 0x8b, 0xb2, 0x77, 0x75,
+ /* 600 */ 0x2a, 0x6f, 0xb1, 0xa6, 0x98, 0xbf, 0x50, 0xaf, 0xa7, 0x15,
+ 0x2a, 0xe6, 0xdf, 0x41, 0xb6, 0x5e, 0x72, 0xb2, 0x74, 0xf2,
+ 0x38, 0x88, 0x41, 0x56, 0x53, 0xea, 0x83, 0x23, 0x8a, 0x6d,
+ 0x6c, 0x64, 0x6c, 0xa6, 0x04, 0x79, 0x51, 0x92, 0x89, 0xbe,
+ 0x2a, 0x54, 0xd8, 0x5a, 0x8d, 0x5b, 0x9c, 0xfc, 0x62, 0x05,
+ 0x0f, 0xbd, 0x85, 0x12, 0x57, 0x45, 0x96, 0x2e, 0x8f, 0x76,
+ 0xd4, 0x33, 0xfb, 0x4a, 0xc2, 0x9f, 0x57, 0x96, 0xb3, 0xa2,
+ 0xc6, 0xa6, 0x95, 0x3c, 0x9e, 0x7e, 0x15, 0x12, 0xd7, 0xe4,
+ 0x65, 0x05, 0x5d, 0x72, 0xc2, 0x28, 0x10, 0xa9, 0x68, 0xa9,
+ 0x01, 0xfe, 0x9e, 0x36, 0x07, 0x80, 0x41, 0xc8, 0xa3, 0x5f,
+ /* 700 */ 0x18, 0x3b, 0x38, 0x09, 0x95, 0xe2, 0x87, 0xad, 0x03, 0xfd,
+ 0xdd, 0xa6, 0xe9, 0x8e, 0xa8, 0x3a, 0xc9, 0x45, 0x7b, 0xdc,
+ 0xc2, 0x6a, 0x30, 0x78, 0xaa, 0xba, 0x32, 0xe9, 0x8a, 0x65,
+ 0x48, 0x13, 0x5b, 0x29, 0x18, 0x2e, 0x5c, 0x68, 0x8d, 0x71,
+ 0x01, 0x09, 0xab, 0x7d, 0x1a, 0xe9, 0x09, 0x74, 0x1b, 0xe1,
+ 0x90, 0x00, 0xb9, 0xda, 0xa3, 0x03, 0xb7, 0x6c, 0xdd, 0x40,
+ 0xb6, 0xe3, 0xde, 0xa6, 0x7b, 0xe9, 0x3d, 0x41, 0x4d, 0xc7,
+ 0xad, 0xa5, 0xf9, 0x8b, 0x88, 0xd4, 0x1a, 0x75, 0xb5, 0xb6,
+ 0x9f, 0x51, 0x9b, 0x8b, 0xd7, 0xa4, 0x02, 0xb0, 0x62, 0x45,
+ 0xdd, 0x6c, 0x11, 0x35, 0x03, 0x77, 0x1c, 0xdb, 0xc5, 0xac,
+ /* 800 */ 0x60, 0x37, 0x20, 0x15, 0xaf, 0xbd, 0xae, 0x76, 0x51, 0xd2,
+ 0xfb, 0x63, 0x23, 0x19, 0x81, 0xa6, 0x59, 0x7b, 0x68, 0x00,
+ 0x3d, 0x68, 0x89, 0x6b, 0x5a, 0x29, 0xbd, 0x4f, 0xc1, 0x50,
+ 0xe4, 0x98, 0x85, 0xe6, 0x1a, 0xdd, 0xc8, 0xe4, 0xa1, 0x2b,
+ 0x99, 0x42, 0x81, 0x4d, 0x07, 0xf4, 0x24, 0x93, 0x88, 0xfe,
+ 0x40, 0x90, 0x5a, 0x56, 0x0b, 0x7f, 0x8d, 0x14, 0x82, 0x6d,
+ 0xaf, 0xf6, 0x0a, 0x3d, 0xe6, 0x64, 0xb5, 0x48, 0x01, 0x37,
+ 0xfe, 0xf3, 0xba, 0x67, 0xcc, 0xd2, 0xba, 0x32, 0x76, 0xe8,
+ 0xa7, 0x41, 0x1f, 0x2a, 0xfc, 0xa9, 0x72, 0x66, 0xc7, 0xd5,
+ 0x76, 0x02, 0x6b, 0x77, 0xba, 0x6c, 0xd4, 0x84, 0x68, 0x0e,
+ /* 900 */ 0x62, 0xc8, 0x43, 0xb0, 0x81, 0xd5, 0x8f, 0xdb, 0x42, 0xc9,
+ 0xf4, 0xaf, 0x71, 0xbd, 0xb9, 0x6c, 0xd6, 0xdc, 0x03, 0x81,
+ 0x81, 0x00, 0xc5, 0x10, 0x40, 0x33, 0x0f, 0xc0, 0x14, 0x01,
+ 0x00, 0x03, 0x0c, 0x0c, 0x00, 0x00, 0x00, 0x4c, 0x0f, 0x10,
+ 0x03, 0x10, 0x00, 0x00, 0x01, 0xc0, 0x43, 0x40, 0x03, 0x5c,
+ 0x00, 0x07, 0xc0, 0x51, 0x34, 0x01, 0x30, 0x0c, 0x00, 0x00,
+ 0x04, 0xc0, 0x3d, 0x40, 0x03, 0x07, 0x40, 0xd3, 0x50, 0x0c,
+ 0x04, 0x03, 0x00, 0x11, 0x41, 0x30, 0x00, 0xc1, 0xc0, 0xc3,
+ 0x03, 0x5f, 0x04, 0x30, 0x01, 0x40, 0x40, 0x00, 0x40, 0x40,
+ 0x10, 0x40, 0x05, 0x05, 0x00, 0x53, 0x00, 0x04, 0x50, 0x00,
+ /* 1000 */ 0x00, 0x00, 0x0c, 0x00, 0x51, 0x00, 0x00, 0x00, 0x04, 0xc7,
+ 0x01, 0x50, 0xc0, 0x11, 0x00, 0x04, 0x03, 0xc0, 0x04, 0x00,
+ 0x70, 0x4c, 0x31, 0x03, 0xc0, 0x40, 0xc4, 0x40, 0x40, 0xc0,
+ 0x0c, 0x0c, 0xf1, 0x40, 0xc1, 0x31, 0x70, 0x17, 0xc0, 0x30,
+ 0xc1, 0x04, 0x0c, 0x04, 0x00, 0xc4, 0x01, 0x00, 0x34, 0x00,
+ 0x03, 0x81, 0x81, 0x00, 0xcc, 0x00, 0x50, 0x30, 0xc4, 0x13,
+ 0x0f, 0xf0, 0x43, 0x01, 0x33, 0x40, 0x30, 0x01, 0x40, 0x10,
+ 0x57, 0x04, 0x03, 0x04, 0x10, 0x00, 0xf0, 0x03, 0x04, 0x01,
+ 0x00, 0x10, 0x34, 0x03, 0xf0, 0x1c, 0x01, 0x40, 0x30, 0xf4,
+ 0x00, 0x40, 0x34, 0xc3, 0x00, 0x00, 0x01, 0x00, 0x01, 0x10,
+ /* 1100 */ 0x3f, 0x03, 0x40, 0x00, 0x10, 0x10, 0x00, 0x40, 0x03, 0x00,
+ 0x03, 0x04, 0x40, 0x03, 0x00, 0x13, 0x03, 0x00, 0xc0, 0x01,
+ 0x34, 0x01, 0x00, 0x00, 0x10, 0xf4, 0x00, 0xf0, 0x30, 0x00,
+ 0x00, 0xc3, 0x1c, 0x41, 0x00, 0x40, 0x30, 0x04, 0x10, 0xc4,
+ 0x11, 0x03, 0x00, 0x10, 0x04, 0x4f, 0x17, 0xc0, 0x00, 0x30,
+ 0xcd, 0x3c, 0x40, 0xc4, 0x00, 0xf0, 0x00, 0x00, 0x04, 0x30,
+ 0x0f, 0x31, 0x34, 0xf0, 0x00, 0x07, 0x0c, 0x34, 0x00, 0x50,
+ 0x05, 0x03, 0x10, 0x70, 0x00, 0x33, 0x0c, 0x00, 0xc4, 0x54,
+ 0x07, 0x00)
+};
+
+START_TEST(test_bliss_keys_priv)
+{
+ private_key_t *privkey;
+
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+ BUILD_BLOB, privkey_chunk[_i], BUILD_END);
+ if (_i == countof(privkey_chunk) - 1)
+ {
+ ck_assert(privkey);
+ privkey->destroy(privkey);
+ }
+ else
+ {
+ ck_assert(!privkey);
+ }
+}
+END_TEST
+
+typedef struct privkey_mod_t privkey_mod_t;
+
+struct privkey_mod_t {
+ int offset;
+ char byte;
+};
+
+static privkey_mod_t privkey_mod[] = {
+ { 20, 0x80 },
+ { 22, 0xc1 },
+ { 920, 0x80 },
+ { 922, 0x85 },
+ { 1052, 0x80 },
+ { 1054, 0x8c }
+};
+
+START_TEST(test_bliss_keys_priv_mod)
+{
+ private_key_t *privkey;
+ chunk_t data;
+
+ data = chunk_clone(privkey_chunk[countof(privkey_chunk) - 1]);
+ data.ptr[privkey_mod[_i].offset] = privkey_mod[_i].byte;
+
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+ BUILD_BLOB, data, BUILD_END);
+ ck_assert(!privkey);
+ chunk_free(&data);
+}
+END_TEST
+
+static chunk_t pubkey_chunk[] = {
+ {NULL, 0},
+ chunk_from_chars(0x30, 0x00),
+ chunk_from_chars(0x30, 0x01),
+ chunk_from_chars(0x30, 0x02, 0x30, 0x00),
+ chunk_from_chars(0x30, 0x05, 0x30, 0x03, 0x06, 0x01, 0x01),
+ chunk_from_chars(0x30, 0x11, 0x30, 0x0F, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+ 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x04, 0x00),
+ chunk_from_chars(0x30, 0x12, 0x30, 0x10, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+ 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x01, 0x01),
+ chunk_from_chars(0x30, 0x1c, 0x30, 0x1a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+ 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x0b, 0x2b,
+ 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x06),
+ chunk_from_chars(0x30, 0x1e, 0x30, 0x1a, 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04,
+ 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x01, 0x01, 0x06, 0x0b, 0x2b,
+ 0x06, 0x01, 0x04, 0x01, 0x82, 0xa0, 0x2a, 0x05, 0x02, 0x05,
+ 0x03, 0x00)
+};
+
+START_TEST(test_bliss_keys_pub)
+{
+ public_key_t *pubkey;
+
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+ BUILD_BLOB, pubkey_chunk[_i], BUILD_END);
+ ck_assert(!pubkey);
+}
+END_TEST
+
+Suite *bliss_keys_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("bliss_keys");
+
+ tc = tcase_create("keys_priv");
+ tcase_add_loop_test(tc, test_bliss_keys_priv, 0, countof(privkey_chunk));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("keys_priv_mod");
+ tcase_add_loop_test(tc, test_bliss_keys_priv_mod, 0, countof(privkey_mod));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("keys_pub");
+ tcase_add_loop_test(tc, test_bliss_keys_pub, 0, countof(pubkey_chunk));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
new file mode 100644
index 000000000..1bd1266ad
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_sampler.h>
+
+static u_int key_size[] = { 1, 3, 4};
+
+START_TEST(test_bliss_sampler_gaussian)
+{
+ bliss_sampler_t *sampler;
+ bliss_param_set_t *set;
+ int i, k, count;
+ uint32_t hist[8], sign[3];
+ int32_t z;
+ hash_algorithm_t alg;
+ size_t seed_len;
+ chunk_t seed;
+
+ set = bliss_param_set_get_by_id(key_size[_i]);
+ alg = HASH_SHA256;
+ seed_len = 32;
+ count = 10000000;
+
+ seed = chunk_alloc(seed_len);
+ memset(seed.ptr, 0xcc, seed_len);
+
+ for (k = 0; k < 3; k++)
+ {
+ sign[k] = 0;
+ }
+ for (k = 0; k < 8; k++)
+ {
+ hist[k] = 0;
+ }
+
+ sampler = bliss_sampler_create(alg, seed, set);
+ for (i = 0; i < count; i++)
+ {
+ ck_assert(sampler->gaussian(sampler, &z));
+ if (z == 0)
+ {
+ sign[1]++;
+ hist[0]++;
+ }
+ else if (z > 0)
+ {
+ sign[2]++;
+ hist[z/256]++;
+ }
+ else
+ {
+ sign[0]++;
+ hist[(-z)/256]++;
+ }
+ }
+ sampler->destroy(sampler);
+ free(seed.ptr);
+
+ DBG1(DBG_LIB, "histogram");
+ for (k = 0; k < 8; k++)
+ {
+ DBG1(DBG_LIB, "%d %7d", k, hist[k]);
+ }
+ DBG1(DBG_LIB, "- %7d", sign[0]);
+ DBG1(DBG_LIB, "0 %7d", sign[1]);
+ DBG1(DBG_LIB, "+ %7d", sign[2]);
+}
+END_TEST
+
+Suite *bliss_sampler_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("bliss_sampler");
+
+ tc = tcase_create("sampler_gaussian");
+ tcase_set_timeout(tc, 10);
+ tcase_add_loop_test(tc, test_bliss_sampler_gaussian, 0, countof(key_size));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
new file mode 100644
index 000000000..8b4e9cbf0
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sign.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_private_key.h>
+#include <bliss_public_key.h>
+
+static u_int key_type[] = { 1, 3, 4 };
+static u_int key_strength[] = { 128, 160, 192 };
+
+START_TEST(test_bliss_sign_all)
+{
+ signature_scheme_t signature_scheme;
+ private_key_t *privkey, *privkey1;
+ public_key_t *pubkey, *pubkey1;
+ chunk_t msg, signature, privkey_blob, pubkey_blob, pubkey_fp, privkey_fp;
+ int k;
+
+ for (k = 0; k < 4; k++)
+ {
+ int verify_count = 1000;
+
+ switch (k)
+ {
+ case 1:
+ signature_scheme = SIGN_BLISS_WITH_SHA256;
+ break;
+ case 2:
+ signature_scheme = SIGN_BLISS_WITH_SHA384;
+ break;
+ default:
+ signature_scheme = SIGN_BLISS_WITH_SHA512;
+ }
+
+ /* enforce BLISS-B key for k = 2, 3 */
+ lib->settings->set_bool(lib->settings,
+ "%s.plugins.bliss.use_bliss_b", k >= 2, lib->ns);
+
+ msg = chunk_from_str("Hello Dolly!");
+
+ /* generate private key */
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+ BUILD_KEY_SIZE, key_type[_i], BUILD_END);
+ ck_assert(privkey);
+
+ /* generate ASN.1 DER and PEM encoding of private key */
+ ck_assert(privkey->get_encoding(privkey, (k % 2) ?
+ PRIVKEY_ASN1_DER : PRIVKEY_PEM, &privkey_blob));
+
+ /* extract public key from private key */
+ pubkey = privkey->get_public_key(privkey);
+ ck_assert(pubkey);
+
+ /* generate ASN.1 DER and PEM encodings of public key */
+ ck_assert(pubkey->get_encoding(pubkey, (k % 2) ?
+ PUBKEY_SPKI_ASN1_DER : PUBKEY_PEM, &pubkey_blob));
+
+ /* compare fingerprints of public and private key */
+ ck_assert(pubkey->get_fingerprint(pubkey, (k % 2) ?
+ KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &pubkey_fp));
+ ck_assert(privkey->get_fingerprint(privkey, (k % 2) ?
+ KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &privkey_fp));
+ ck_assert(chunk_equals(pubkey_fp, privkey_fp));
+
+ /* retrieve fingerprints of public and private key from cache */
+ ck_assert(pubkey->get_fingerprint(pubkey, (k % 2) ?
+ KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &pubkey_fp));
+ ck_assert(privkey->get_fingerprint(privkey, (k % 2) ?
+ KEYID_PUBKEY_INFO_SHA1 : KEYID_PUBKEY_SHA1, &privkey_fp));
+
+ /* get a reference of the private key and destroy both instances */
+ privkey1 = privkey->get_ref(privkey);
+ ck_assert(privkey1);
+ ck_assert(privkey1 == privkey);
+ privkey->destroy(privkey);
+ privkey1->destroy(privkey1);
+
+ /* get a reference of the public key and destroy both instances */
+ pubkey1 = pubkey->get_ref(pubkey);
+ ck_assert(pubkey1);
+ ck_assert(pubkey1 == pubkey);
+ pubkey->destroy(pubkey);
+ pubkey1->destroy(pubkey1);
+
+ /* enforce BLISS-B key for k = 1, 3 */
+ lib->settings->set_bool(lib->settings,
+ "%s.plugins.bliss.use_bliss_b", k % 2, lib->ns);
+
+ /* load private key from ASN.1 blob */
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+ BUILD_BLOB, privkey_blob, BUILD_END);
+ ck_assert(privkey);
+ ck_assert(privkey->get_type(privkey) == KEY_BLISS);
+ ck_assert(privkey->get_keysize(privkey) == key_strength[_i]);
+ chunk_free(&privkey_blob);
+
+ /* load public key from ASN.1 blob */
+ pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+ BUILD_BLOB, pubkey_blob, BUILD_END);
+ ck_assert(pubkey);
+ ck_assert(pubkey->get_type(pubkey) == KEY_BLISS);
+ ck_assert(pubkey->get_keysize(pubkey) == key_strength[_i]);
+ chunk_free(&pubkey_blob);
+
+ /* generate and verify 1000 BLISS signatures */
+ while (verify_count--)
+ {
+ ck_assert(privkey->sign(privkey, signature_scheme, msg,
+ &signature));
+ ck_assert(pubkey->verify(pubkey, signature_scheme, msg,
+ signature));
+ free(signature.ptr);
+ }
+ privkey->destroy(privkey);
+ pubkey->destroy(pubkey);
+ }
+}
+END_TEST
+
+START_TEST(test_bliss_sign_fail)
+{
+ private_key_t *privkey;
+ public_key_t *pubkey;
+ chunk_t msg, signature, encoding, fp;
+
+ /* generate non-supported BLISS-II private key */
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+ BUILD_KEY_SIZE, BLISS_II, BUILD_END);
+ ck_assert(!privkey);
+
+ /* generate non-supported BLISS-B-II private key */
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+ BUILD_KEY_SIZE, BLISS_B_II, BUILD_END);
+ ck_assert(!privkey);
+
+ /* generate supported BLISS-B-I private key */
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_BLISS,
+ BUILD_KEY_SIZE, BLISS_B_I, BUILD_END);
+ ck_assert(privkey);
+
+ /* wrong private key encoding format */
+ ck_assert(!privkey->get_encoding(privkey, PUBKEY_PEM, &encoding));
+
+ /* wrong fingerprint encoding format */
+ ck_assert(!privkey->get_fingerprint(privkey, KEYID_PGPV4, &fp));
+
+ /* extract public key */
+ pubkey = privkey->get_public_key(privkey);
+ ck_assert(pubkey);
+
+ /* wrong private key encoding format */
+ ck_assert(!pubkey->get_encoding(pubkey, PRIVKEY_PEM, &encoding));
+
+ /* wrong fingerprint encoding format */
+ ck_assert(!pubkey->get_fingerprint(pubkey, KEYID_PGPV4, &fp));
+
+ /* encryption / decryption operation is not defined for BLISS */
+ ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, chunk_empty, NULL));
+ ck_assert(!privkey->decrypt(privkey, ENCRYPT_UNKNOWN, chunk_empty, NULL));
+
+ /* sign with invalid signature scheme */
+ ck_assert(!privkey->sign(privkey, SIGN_UNKNOWN, msg, &signature));
+
+ /* generate valid signature */
+ msg = chunk_from_str("Hello Dolly!");
+ ck_assert(privkey->sign(privkey, SIGN_BLISS_WITH_SHA512, msg, &signature));
+
+ /* verify with invalid signature scheme */
+ ck_assert(!pubkey->verify(pubkey, SIGN_UNKNOWN, msg, signature));
+
+ /* corrupt signature */
+ signature.ptr[signature.len - 1] ^= 0x80;
+ ck_assert(!pubkey->verify(pubkey, SIGN_BLISS_WITH_SHA512, msg, signature));
+
+ free(signature.ptr);
+ privkey->destroy(privkey);
+ pubkey->destroy(pubkey);
+}
+END_TEST
+
+Suite *bliss_sign_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("bliss_sign");
+
+ tc = tcase_create("sign_all");
+ test_case_set_timeout(tc, 30);
+ tcase_add_loop_test(tc, test_bliss_sign_all, 0, countof(key_type));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("sign_fail");
+ tcase_add_test(tc, test_bliss_sign_fail);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c
new file mode 100644
index 000000000..2a2f48c53
--- /dev/null
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_signature.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <bliss_signature.h>
+
+static chunk_t data = chunk_from_chars(
+ 0xC1, 0xA1, 0x96, 0x98, 0x4F, 0x60, 0xF5, 0xCA, 0x89, 0x9E,
+ 0x78, 0xAF, 0x64, 0xDD, 0x01, 0x76, 0x04, 0x29, 0x11, 0xD0,
+ 0x21, 0x9E, 0xE4, 0x2D, 0xC5, 0x82, 0x69, 0x19, 0x82, 0x75,
+ 0x30, 0xAC, 0xB0, 0x64, 0xCB, 0x65, 0x19, 0x22, 0x4A, 0x03,
+ 0x03, 0x61, 0x4A, 0x37, 0x8E, 0xA3, 0xB6, 0xB3, 0x58, 0x44,
+ 0xFD, 0x68, 0x38, 0xF1, 0x4B, 0xCF, 0xE8, 0xA2, 0x05, 0x39,
+ 0x87, 0xE0, 0x5E, 0x7C, 0x45, 0x33, 0x4A, 0xEB, 0x2E, 0xCF,
+ 0x98, 0x01, 0x3D, 0x28, 0x60, 0xCE, 0x90, 0x45, 0xF0, 0x8E,
+ 0x36, 0x25, 0x50, 0x8B, 0xA2, 0xC0, 0x6E, 0xDF, 0xC2, 0xA1,
+ 0x35, 0xC1, 0x16, 0x14, 0xE8, 0x6A, 0xE3, 0x9C, 0x0B, 0x32,
+ 0x53, 0x55, 0x60, 0x52, 0x43, 0x93, 0xBB, 0x9F, 0x1D, 0x17,
+ 0xDC, 0x6E, 0x26, 0x99, 0x60, 0x83, 0x12, 0x53, 0xB0, 0x2B,
+ 0x36, 0xE2, 0x95, 0xA7, 0xBF, 0x9B, 0xC0, 0x0A, 0x63, 0xD6,
+ 0x32, 0xA9, 0xE2, 0xAD, 0x02, 0x53, 0x10, 0x81, 0x00, 0xD4,
+ 0x9A, 0xC2, 0x04, 0x1B, 0x48, 0x53, 0x37, 0xF0, 0x95, 0x39,
+ 0x4B, 0x2E, 0x37, 0x28, 0xE2, 0x70, 0xAD, 0xB5, 0xF1, 0x63,
+ 0x48, 0x17, 0xEF, 0x45, 0xC0, 0x30, 0xA6, 0xAA, 0x37, 0x9A,
+ 0x00, 0x8F, 0x8D, 0xAC, 0x66, 0x2C, 0x96, 0x8C, 0xC2, 0x74,
+ 0x9D, 0x66, 0x16, 0x5D, 0x70, 0x70, 0x1D, 0x2F, 0x11, 0xBD,
+ 0x11, 0x62, 0x58, 0xC6, 0xB2, 0xA6, 0xFA, 0xB7, 0x8C, 0x10,
+ 0x6A, 0x13, 0x34, 0x25, 0xB8, 0xF2, 0x46, 0xE3, 0x08, 0xAD,
+ 0x8D, 0x49, 0x33, 0x24, 0x37, 0xA5, 0x0A, 0xF9, 0x5E, 0x95,
+ 0xF9, 0x50, 0xDA, 0x2B, 0x80, 0x4F, 0x10, 0x4F, 0xAB, 0xE4,
+ 0x96, 0xB1, 0xA1, 0x28, 0xCE, 0x6D, 0xB6, 0x17, 0x33, 0x2A,
+ 0xE0, 0xC3, 0x80, 0xAA, 0x3D, 0x1A, 0x5C, 0x48, 0xA0, 0x48,
+ 0x60, 0xCC, 0xC7, 0x29, 0x4F, 0xB8, 0x96, 0xDF, 0xC6, 0x6A,
+ 0xC2, 0x83, 0x5E, 0xFC, 0xD7, 0x4E, 0xCA, 0x14, 0xB4, 0xC6,
+ 0x30, 0x29, 0xC7, 0xCE, 0x79, 0x42, 0x2D, 0x22, 0x28, 0x99,
+ 0x59, 0x14, 0xFB, 0x04, 0xAD, 0x79, 0x3C, 0x74, 0x34, 0xC6,
+ 0x7A, 0x1C, 0x13, 0x07, 0x17, 0xB1, 0x8A, 0x02, 0xA7, 0x70,
+ 0x3C, 0x5B, 0xBA, 0x88, 0xA2, 0xE6, 0x4B, 0x2A, 0xC1, 0x1E,
+ 0x42, 0xDD, 0x83, 0x2B, 0x00, 0xCC, 0xF8, 0x80, 0x03, 0x7E,
+ 0x97, 0xA4, 0x04, 0xE1, 0xB2, 0x0B, 0xE2, 0xF3, 0x91, 0x91,
+ 0x80, 0xA0, 0xC5, 0x44, 0x67, 0xB1, 0x56, 0xD0, 0x13, 0x58,
+ 0x7B, 0x6E, 0x12, 0xE7, 0x3A, 0x90, 0xE4, 0x2C, 0x44, 0x17,
+ 0xA3, 0xBD, 0x21, 0x68, 0x45, 0x61, 0x20, 0x57, 0x8D, 0x4A,
+ 0xF1, 0xE6, 0xD3, 0x17, 0xC9, 0xB0, 0xF8, 0x3A, 0x87, 0x6A,
+ 0x7E, 0x25, 0x45, 0xDC, 0x9A, 0x1D, 0xAC, 0x10, 0xB6, 0xF6,
+ 0x07, 0x4C, 0x50, 0x92, 0xF9, 0xE1, 0x3E, 0xAD, 0x3B, 0x80,
+ 0x20, 0xA8, 0x34, 0x04, 0xD6, 0x0D, 0x2D, 0x46, 0x69, 0x5E,
+ 0x8C, 0x4B, 0xB0, 0x1C, 0x37, 0xD8, 0x0D, 0x72, 0x7B, 0xE6,
+ 0xEE, 0x04, 0x81, 0x98, 0x78, 0x69, 0x88, 0xD8, 0xDF, 0x04,
+ 0xF0, 0x80, 0xE2, 0x0A, 0xD3, 0x60, 0x94, 0xDF, 0x49, 0xF7,
+ 0x52, 0x95, 0xA6, 0xAF, 0x8C, 0x13, 0x10, 0x09, 0xAA, 0x03,
+ 0xAC, 0x2C, 0x89, 0x2D, 0x2C, 0x61, 0x0F, 0xBE, 0x5C, 0x29,
+ 0x01, 0x7C, 0x9E, 0xD2, 0xFF, 0x34, 0xA1, 0x9E, 0xEE, 0xBF,
+ 0x28, 0x18, 0x3A, 0x17, 0xA6, 0x40, 0x94, 0xD5, 0xC4, 0xEC,
+ 0x27, 0x0A, 0x40, 0x1C, 0xC4, 0x16, 0x80, 0x4E, 0x6F, 0xDD,
+ 0xA5, 0x6A, 0x03, 0xE8, 0xBA, 0xB2, 0xAA, 0x7A, 0x7F, 0x4B,
+ 0x30, 0x11, 0x11, 0x12, 0x4A, 0xFE, 0xB2, 0x99, 0xC6, 0x12,
+ 0x1A, 0x98, 0xC0, 0x15, 0x41, 0xE1, 0x55, 0x35, 0x54, 0xF2,
+ 0x1C, 0xE2, 0x78, 0x85, 0x66, 0xD3, 0x9C, 0x8A, 0x88, 0x7C,
+ 0x86, 0x7F, 0x48, 0xBE, 0xB7, 0x1C, 0xE4, 0xCF, 0x35, 0xEE,
+ 0x24, 0xA6, 0x62, 0xD6, 0x36, 0x1F, 0x66, 0x10, 0x5D, 0xEF,
+ 0x07, 0x64, 0xA8, 0xD0, 0xAD, 0x2F, 0x47, 0x02, 0xA2, 0x0F,
+ 0x73, 0x96, 0x2A, 0x21, 0x20, 0x36, 0x01, 0xA3, 0x2F, 0x5E,
+ 0xC8, 0x80, 0x3A, 0x54, 0xA6, 0xB5, 0xD0, 0x19, 0xBF, 0xC4,
+ 0x35, 0x01, 0x0B, 0x2A, 0x8E, 0x61, 0x4A, 0xDD, 0xB2, 0x4A,
+ 0xE1, 0x0C, 0x15, 0x94, 0x9C, 0xD2, 0x54, 0x93, 0x85, 0x16,
+ 0x49, 0x69, 0xA0, 0x41, 0x34, 0x16, 0x69, 0x28, 0x74, 0x11,
+ 0x88, 0x44, 0xC8, 0x46, 0x5E, 0x62, 0xFF, 0x6E, 0xC5, 0xA8,
+ 0xE8, 0x8A, 0x8A, 0xFA, 0x2D, 0x94, 0x14, 0xD4, 0x51, 0x16,
+ 0xB0, 0x40, 0xDC, 0xF3, 0xAA, 0x97, 0x39, 0x1A, 0xDA, 0x7F,
+ 0x41, 0x61, 0x25, 0x1E, 0xDF, 0x46, 0x29, 0x44, 0x80, 0xEA,
+ 0x10, 0xE4, 0x0F, 0x94, 0xA6, 0x52, 0x20, 0x06, 0x9C, 0x69,
+ 0x48, 0x1F, 0x45, 0x30, 0x4B, 0x21, 0x02, 0xE6, 0xF3, 0x44,
+ 0x35, 0xC1, 0xC8, 0xC9, 0x68, 0x6C, 0x43, 0xA4, 0x56, 0x07,
+ 0x36, 0x11, 0xFB, 0x6D, 0x8E, 0xF0, 0x62, 0x5A, 0x3C, 0x8B,
+ 0x23, 0xF1, 0x46, 0xE2, 0x76, 0x2A, 0x6F, 0xBB, 0x09, 0x24,
+ 0x18, 0x64, 0xE6, 0x5C, 0xD0, 0x85, 0x69, 0xF0, 0x4F, 0x66,
+ 0x97, 0x40, 0x01, 0x27, 0xD1, 0x41, 0xCC, 0xEB, 0x4D, 0xB7,
+ 0x04, 0xC4, 0x91, 0xE0, 0x95, 0x8A, 0x43, 0x26, 0x2D, 0x1F,
+ 0x88, 0xA0, 0xD8
+);
+
+START_TEST(test_bliss_signature_fail)
+{
+ bliss_param_set_t set2 = { .id = BLISS_B_II };
+ bliss_param_set_t *set;
+ bliss_signature_t *signature;
+ chunk_t encoding;
+ int k;
+
+ signature = bliss_signature_create(&set2);
+ ck_assert(signature);
+ encoding = signature->get_encoding(signature);
+ ck_assert(encoding.len == 0);
+ signature->destroy(signature);
+
+ signature = bliss_signature_create_from_data(&set2, data);
+ ck_assert(!signature);
+
+ set = bliss_param_set_get_by_id(BLISS_B_I);
+ ck_assert(set);
+
+ for (k = 0; k < data.len - 2; k++)
+ {
+ chunk_t fragment = { data.ptr, k };
+
+ signature = bliss_signature_create_from_data(set, fragment);
+ ck_assert(!signature);
+ }
+ signature = bliss_signature_create_from_data(set, data);
+ ck_assert(signature);
+ signature->destroy(signature);
+}
+END_TEST
+
+Suite *bliss_signature_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("bliss_signature");
+
+ tc = tcase_create("signature_fail");
+ tcase_add_test(tc, test_bliss_signature_fail);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 33e5958ed..f19616552 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 43bdf1fc5..ca7cadbe4 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 7c5674045..9e249399b 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/cmac/cmac.c b/src/libstrongswan/plugins/cmac/cmac.c
index c8cb7fbf2..4f222ff4e 100644
--- a/src/libstrongswan/plugins/cmac/cmac.c
+++ b/src/libstrongswan/plugins/cmac/cmac.c
@@ -247,6 +247,9 @@ METHOD(mac_t, set_key, bool,
{
chunk_t resized, iv, l;
+ memset(this->t, 0, this->b);
+ this->remaining_bytes = 0;
+
/* we support variable keys as defined in RFC 4615 */
if (key.len == this->b)
{
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 39469368c..2e623ad3b 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 62ccc7108..a0f4a7465 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -52,16 +52,67 @@ static bool check_pathlen(x509_t *issuer, int pathlen)
}
/**
- * Check if a FQDN/RFC822 constraint matches (suffix match)
+ * Check if a FQDN constraint matches
*/
-static bool suffix_matches(identification_t *constraint, identification_t *id)
+static bool fqdn_matches(identification_t *constraint, identification_t *id)
{
- chunk_t c, i;
+ chunk_t c, i, diff;
c = constraint->get_encoding(constraint);
i = id->get_encoding(id);
- return i.len >= c.len && chunk_equals(c, chunk_skip(i, i.len - c.len));
+ if (!c.len || i.len < c.len)
+ {
+ return FALSE;
+ }
+ diff = chunk_create(i.ptr, i.len - c.len);
+ if (!chunk_equals(c, chunk_skip(i, diff.len)))
+ {
+ return FALSE;
+ }
+ if (!diff.len)
+ {
+ return TRUE;
+ }
+ if (c.ptr[0] == '.' || diff.ptr[diff.len - 1] == '.')
+ {
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Check if a RFC822 constraint matches
+ */
+static bool email_matches(identification_t *constraint, identification_t *id)
+{
+ chunk_t c, i, diff;
+
+ c = constraint->get_encoding(constraint);
+ i = id->get_encoding(id);
+
+ if (!c.len || i.len < c.len)
+ {
+ return FALSE;
+ }
+ if (memchr(c.ptr, '@', c.len))
+ { /* constraint is a full email address */
+ return chunk_equals(c, i);
+ }
+ diff = chunk_create(i.ptr, i.len - c.len);
+ if (!diff.len || !chunk_equals(c, chunk_skip(i, diff.len)))
+ {
+ return FALSE;
+ }
+ if (c.ptr[0] == '.')
+ { /* constraint is domain, suffix match */
+ return TRUE;
+ }
+ if (diff.ptr[diff.len - 1] == '@')
+ { /* constraint is host specific, only username can be appended */
+ return TRUE;
+ }
+ return FALSE;
}
/**
@@ -121,8 +172,10 @@ static bool name_constraint_matches(identification_t *constraint,
switch (type)
{
case ID_FQDN:
+ matches = fqdn_matches(constraint, id);
+ break;
case ID_RFC822_ADDR:
- matches = suffix_matches(constraint, id);
+ matches = email_matches(constraint, id);
break;
case ID_DER_ASN1_DN:
matches = dn_matches(constraint, id);
@@ -151,7 +204,7 @@ static bool name_constraint_inherited(identification_t *constraint,
x509_t *x509, bool permitted)
{
enumerator_t *enumerator;
- identification_t *id;
+ identification_t *id, *a, *b;
bool inherited = FALSE;
id_type_t type;
@@ -166,28 +219,26 @@ static bool name_constraint_inherited(identification_t *constraint,
{
if (id->get_type(id) == type)
{
+ if (permitted)
+ { /* permitted constraint can be narrowed */
+ a = constraint;
+ b = id;
+ }
+ else
+ { /* excluded constraint can be widened */
+ a = id;
+ b = constraint;
+ }
switch (type)
{
case ID_FQDN:
+ inherited = fqdn_matches(a, b);
+ break;
case ID_RFC822_ADDR:
- if (permitted)
- { /* permitted constraint can be narrowed */
- inherited = suffix_matches(constraint, id);
- }
- else
- { /* excluded constraint can be widened */
- inherited = suffix_matches(id, constraint);
- }
+ inherited = email_matches(a, b);
break;
case ID_DER_ASN1_DN:
- if (permitted)
- {
- inherited = dn_matches(constraint, id);
- }
- else
- {
- inherited = dn_matches(id, constraint);
- }
+ inherited = dn_matches(a, b);
break;
default:
DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
@@ -298,8 +349,7 @@ static bool has_policy(x509_t *issuer, chunk_t oid)
/**
* Check certificatePolicies.
*/
-static bool check_policy(x509_t *subject, x509_t *issuer, bool check,
- auth_cfg_t *auth)
+static bool check_policy(x509_t *subject, x509_t *issuer)
{
certificate_t *cert = (certificate_t*)subject;
x509_policy_mapping_t *mapping;
@@ -323,33 +373,85 @@ static bool check_policy(x509_t *subject, x509_t *issuer, bool check,
}
enumerator->destroy(enumerator);
- if (check)
+ enumerator = subject->create_cert_policy_enumerator(subject);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ if (!has_policy(issuer, policy->oid))
+ {
+ oid = asn1_oid_to_string(policy->oid);
+ DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'",
+ oid, cert->get_issuer(cert));
+ free(oid);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return TRUE;
+}
+
+/**
+ * Check if a given policy is valid under a trustchain
+ */
+static bool is_policy_valid(linked_list_t *chain, chunk_t oid)
+{
+ x509_policy_mapping_t *mapping;
+ x509_cert_policy_t *policy;
+ x509_t *issuer;
+ enumerator_t *issuers, *policies, *mappings;
+ bool found = TRUE;
+
+ issuers = chain->create_enumerator(chain);
+ while (issuers->enumerate(issuers, &issuer))
{
- enumerator = subject->create_cert_policy_enumerator(subject);
- while (enumerator->enumerate(enumerator, &policy))
+ int maxmap = 8;
+
+ while (found)
{
- if (!has_policy(issuer, policy->oid))
+ found = FALSE;
+
+ policies = issuer->create_cert_policy_enumerator(issuer);
+ while (policies->enumerate(policies, &policy))
{
- oid = asn1_oid_to_string(policy->oid);
- DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'",
- oid, cert->get_issuer(cert));
- free(oid);
- enumerator->destroy(enumerator);
- return FALSE;
+ if (chunk_equals(oid, policy->oid) ||
+ chunk_equals(any_policy, policy->oid))
+ {
+ found = TRUE;
+ break;
+ }
}
- if (auth)
+ policies->destroy(policies);
+ if (found)
{
- oid = asn1_oid_to_string(policy->oid);
- if (oid)
+ break;
+ }
+ /* fall back to a mapped policy */
+ mappings = issuer->create_policy_mapping_enumerator(issuer);
+ while (mappings->enumerate(mappings, &mapping))
+ {
+ if (chunk_equals(mapping->subject, oid))
{
- auth->add(auth, AUTH_RULE_CERT_POLICY, oid);
+ oid = mapping->issuer;
+ found = TRUE;
+ break;
}
}
+ mappings->destroy(mappings);
+ if (--maxmap == 0)
+ {
+ found = FALSE;
+ break;
+ }
+ }
+ if (!found)
+ {
+ break;
}
- enumerator->destroy(enumerator);
}
+ issuers->destroy(issuers);
- return TRUE;
+ return found;
}
/**
@@ -364,7 +466,7 @@ static bool has_policy_chain(linked_list_t *chain, x509_t *subject, int len)
enumerator = chain->create_enumerator(chain);
while (len-- > 0 && enumerator->enumerate(enumerator, &issuer))
{
- if (!check_policy(subject, issuer, TRUE, NULL))
+ if (!check_policy(subject, issuer))
{
valid = FALSE;
break;
@@ -450,6 +552,7 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
{
if (subject->get_type(subject) == CERT_X509)
{
+ x509_cert_policy_t *policy;
enumerator_t *enumerator;
linked_list_t *chain;
certificate_t *cert;
@@ -457,6 +560,7 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
x509_t *x509;
int len = 0;
u_int expl, inh;
+ char *oid;
/* prepare trustchain to validate */
chain = linked_list_create();
@@ -517,6 +621,31 @@ static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
}
enumerator->destroy(enumerator);
+ if (valid)
+ {
+ x509 = (x509_t*)subject;
+
+ enumerator = x509->create_cert_policy_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ oid = asn1_oid_to_string(policy->oid);
+ if (oid)
+ {
+ if (is_policy_valid(chain, policy->oid))
+ {
+ auth->add(auth, AUTH_RULE_CERT_POLICY, oid);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "certificate policy %s for '%Y' "
+ "not allowed by trustchain, ignored",
+ oid, subject->get_subject(subject));
+ free(oid);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
chain->destroy(chain);
}
}
@@ -543,12 +672,6 @@ METHOD(cert_validator_t, validate, bool,
subject);
return FALSE;
}
- if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth))
- {
- lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
- subject);
- return FALSE;
- }
if (anchor)
{
if (!check_policy_constraints((x509_t*)issuer, pathlen, auth))
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 4b397e85d..7b7231b85 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 2e221c8b4..d525eac02 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 0025a2b20..96b2f6055 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 0b30923a5..910289906 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/files/Makefile.am b/src/libstrongswan/plugins/files/Makefile.am
new file mode 100644
index 000000000..67767495c
--- /dev/null
+++ b/src/libstrongswan/plugins/files/Makefile.am
@@ -0,0 +1,16 @@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-files.la
+else
+plugin_LTLIBRARIES = libstrongswan-files.la
+endif
+
+libstrongswan_files_la_SOURCES = \
+ files_plugin.h files_plugin.c files_fetcher.c files_fetcher.h
+
+libstrongswan_files_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in
new file mode 100644
index 000000000..31dc4a3ac
--- /dev/null
+++ b/src/libstrongswan/plugins/files/Makefile.in
@@ -0,0 +1,775 @@
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/files
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
+ $(top_srcdir)/depcomp
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/split-package-version.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/m4/macros/add-plugin.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_files_la_LIBADD =
+am_libstrongswan_files_la_OBJECTS = files_plugin.lo files_fetcher.lo
+libstrongswan_files_la_OBJECTS = $(am_libstrongswan_files_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+libstrongswan_files_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_files_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@MONOLITHIC_FALSE@am_libstrongswan_files_la_rpath = -rpath \
+@MONOLITHIC_FALSE@ $(plugindir)
+@MONOLITHIC_TRUE@am_libstrongswan_files_la_rpath =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo " CC " $@;
+am__v_CC_1 =
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo " CCLD " $@;
+am__v_CCLD_1 =
+SOURCES = $(libstrongswan_files_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_files_la_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates. Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+ BEGIN { nonempty = 0; } \
+ { items[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique. This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+ list='$(am__tagged_files)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS)
+
+@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-files.la
+@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-files.la
+libstrongswan_files_la_SOURCES = \
+ files_plugin.h files_plugin.c files_fetcher.c files_fetcher.h
+
+libstrongswan_files_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/files/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/libstrongswan/plugins/files/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+ -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+ @list='$(noinst_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
+ if test -f $$p; then \
+ list2="$$list2 $$p"; \
+ else :; fi; \
+ done; \
+ test -z "$$list2" || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; \
+ locs=`for p in $$list; do echo $$p; done | \
+ sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+ sort -u`; \
+ test -z "$$locs" || { \
+ echo rm -f $${locs}; \
+ rm -f $${locs}; \
+ }
+
+libstrongswan-files.la: $(libstrongswan_files_la_OBJECTS) $(libstrongswan_files_la_DEPENDENCIES) $(EXTRA_libstrongswan_files_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libstrongswan_files_la_LINK) $(am_libstrongswan_files_la_rpath) $(libstrongswan_files_la_OBJECTS) $(libstrongswan_files_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/files_fetcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/files_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+ $(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ set x; \
+ here=`pwd`; \
+ $(am__define_uniq_tagged_files); \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
+ fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+ $(am__define_uniq_tagged_files); \
+ test -z "$(CTAGS_ARGS)$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+ list='$(am__tagged_files)'; \
+ case "$(srcdir)" in \
+ [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+ *) sdir=$(subdir)/$(srcdir) ;; \
+ esac; \
+ for i in $$list; do \
+ if test -f "$$i"; then \
+ echo "$(subdir)/$$i"; \
+ else \
+ echo "$$sdir/$$i"; \
+ fi; \
+ done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+ clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+ cscopelist-am ctags ctags-am distclean distclean-compile \
+ distclean-generic distclean-libtool distclean-tags distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-pdf \
+ install-pdf-am install-pluginLTLIBRARIES install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+ uninstall-am uninstall-pluginLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/files/files_fetcher.c b/src/libstrongswan/plugins/files/files_fetcher.c
new file mode 100644
index 000000000..e0b7cbdb6
--- /dev/null
+++ b/src/libstrongswan/plugins/files/files_fetcher.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include <library.h>
+#include <utils/debug.h>
+
+#include "files_fetcher.h"
+
+typedef struct private_files_fetcher_t private_files_fetcher_t;
+
+/**
+ * private data of a files_fetcher_t object.
+ */
+struct private_files_fetcher_t {
+
+ /**
+ * Public data
+ */
+ files_fetcher_t public;
+
+ /**
+ * Callback function
+ */
+ fetcher_callback_t cb;
+};
+
+METHOD(fetcher_t, fetch, status_t,
+ private_files_fetcher_t *this, char *uri, void *userdata)
+{
+ chunk_t *data;
+ status_t status = FAILED;
+
+ if (this->cb == fetcher_default_callback)
+ {
+ *(chunk_t*)userdata = chunk_empty;
+ }
+ if (!strpfx(uri, "file://"))
+ {
+ return NOT_SUPPORTED;
+ }
+ uri = uri + strlen("file://");
+ data = chunk_map(uri, FALSE);
+ if (!data)
+ {
+ DBG1(DBG_LIB, " opening '%s' failed: %s", uri, strerror(errno));
+ return FAILED;
+ }
+ if (this->cb(userdata, *data))
+ {
+ status = SUCCESS;
+ }
+ chunk_unmap(data);
+ return status;
+}
+
+METHOD(fetcher_t, set_option, bool,
+ private_files_fetcher_t *this, fetcher_option_t option, ...)
+{
+ bool supported = TRUE;
+ va_list args;
+
+ va_start(args, option);
+ switch (option)
+ {
+ case FETCH_CALLBACK:
+ {
+ this->cb = va_arg(args, fetcher_callback_t);
+ break;
+ }
+ default:
+ supported = FALSE;
+ break;
+ }
+ va_end(args);
+ return supported;
+}
+
+METHOD(fetcher_t, destroy, void,
+ private_files_fetcher_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+files_fetcher_t *files_fetcher_create()
+{
+ private_files_fetcher_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .fetch = _fetch,
+ .set_option = _set_option,
+ .destroy = _destroy,
+ },
+ },
+ .cb = fetcher_default_callback,
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libstrongswan/plugins/files/files_fetcher.h
index 169292e9b..7fc4ec98e 100644
--- a/src/libcharon/plugins/unit_tester/tests.h
+++ b/src/libstrongswan/plugins/files/files_fetcher.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -14,17 +14,29 @@
*/
/**
- * @defgroup tests tests
- * @{ @ingroup unit_tester
+ * @defgroup files_fetcher files_fetcher
+ * @{ @ingroup files_p
*/
-DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
-DEFINE_TEST("CURL get", test_curl_get, FALSE)
-DEFINE_TEST("MySQL operations", test_mysql, FALSE)
-DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
-DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
-DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
-DEFINE_TEST("IP pool", test_pool, FALSE)
-DEFINE_TEST("SSH agent", test_agent, FALSE)
+#ifndef FILES_FETCHER_H_
+#define FILES_FETCHER_H_
-/** @}*/
+typedef struct files_fetcher_t files_fetcher_t;
+
+/**
+ * Fetcher implementation loading local files
+ */
+struct files_fetcher_t {
+
+ /**
+ * Implements fetcher interface
+ */
+ fetcher_t interface;
+};
+
+/**
+ * Create a files_fetcher instance.
+ */
+files_fetcher_t *files_fetcher_create();
+
+#endif /** FILES_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/files/files_plugin.c b/src/libstrongswan/plugins/files/files_plugin.c
new file mode 100644
index 000000000..6ab735dab
--- /dev/null
+++ b/src/libstrongswan/plugins/files/files_plugin.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2015 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "files_plugin.h"
+#include "files_fetcher.h"
+
+#include <library.h>
+#include <utils/debug.h>
+
+typedef struct private_files_plugin_t private_files_plugin_t;
+
+/**
+ * private data of files_plugin
+ */
+struct private_files_plugin_t {
+
+ /**
+ * public functions
+ */
+ files_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_files_plugin_t *this)
+{
+ return "files";
+}
+
+METHOD(plugin_t, get_features, int,
+ private_files_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_REGISTER(FETCHER, files_fetcher_create),
+ PLUGIN_PROVIDE(FETCHER, "file://"),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_files_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *files_plugin_create()
+{
+ private_files_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/unit_tester/unit_tester.h b/src/libstrongswan/plugins/files/files_plugin.h
index 08784f6f4..c121b9652 100644
--- a/src/libcharon/plugins/unit_tester/unit_tester.h
+++ b/src/libstrongswan/plugins/files/files_plugin.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -14,31 +14,29 @@
*/
/**
- * @defgroup unit_tester unit_tester
- * @{ @ingroup cplugins
+ * @defgroup files_p files
+ * @ingroup plugins
+ *
+ * @defgroup files_plugin files_plugin
+ * @{ @ingroup files_p
*/
-#ifndef UNIT_TESTER_H_
-#define UNIT_TESTER_H_
+#ifndef FILES_PLUGIN_H_
+#define FILES_PLUGIN_H_
#include <plugins/plugin.h>
-typedef struct unit_tester_t unit_tester_t;
+typedef struct files_plugin_t files_plugin_t;
/**
- * Unit testing plugin.
- *
- * The unit testing plugin runs tests on plugin initialization. Tests are
- * defined in tests.h using the DEFINE_TEST macro. Implementation of the
- * tests is done in the tests folder. Each test has uses a function which
- * returns TRUE for success or FALSE for failure.
+ * Plugin implementing fetcher interface loading local files directly.
*/
-struct unit_tester_t {
+struct files_plugin_t {
/**
- * Implements the plugin interface.
+ * implements plugin interface
*/
plugin_t plugin;
};
-#endif /** UNIT_TESTER_H_ @}*/
+#endif /** FILES_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 64ae66559..b7ca1ce97 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index 23825078e..25accf996 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -116,6 +116,12 @@ METHOD(prf_t, get_bytes, bool,
u_int8_t *xkey = this->key;
u_int8_t one[this->b];
+ if (!w)
+ {
+ /* append mode is not supported */
+ return FALSE;
+ }
+
memset(one, 0, this->b);
one[this->b - 1] = 0x01;
@@ -250,4 +256,3 @@ fips_prf_t *fips_prf_create(pseudo_random_function_t algo)
return &this->public;
}
-
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index 511bfc365..e125ab884 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 0c7d22d71..4ce7438fc 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
index f418b941d..744ec0bbf 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_dh.c
@@ -35,7 +35,7 @@ struct private_gcrypt_dh_t {
/**
* Diffie Hellman group number
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/*
* Generator value
@@ -73,12 +73,17 @@ struct private_gcrypt_dh_t {
size_t p_len;
};
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
private_gcrypt_dh_t *this, chunk_t value)
{
gcry_mpi_t p_min_1;
gcry_error_t err;
+ if (!diffie_hellman_verify_value(this->group, value))
+ {
+ return FALSE;
+ }
+
if (this->yb)
{
gcry_mpi_release(this->yb);
@@ -88,7 +93,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
if (err)
{
DBG1(DBG_LIB, "importing mpi yb failed: %s", gpg_strerror(err));
- return;
+ return FALSE;
}
p_min_1 = gcry_mpi_new(this->p_len * 8);
@@ -112,6 +117,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
" y < 2 || y > p - 1 ");
}
gcry_mpi_release(p_min_1);
+ return this->zz != NULL;
}
/**
@@ -132,21 +138,22 @@ static chunk_t export_mpi(gcry_mpi_t value, size_t len)
return chunk;
}
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
private_gcrypt_dh_t *this, chunk_t *value)
{
*value = export_mpi(this->ya, this->p_len);
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_gcrypt_dh_t *this, chunk_t *secret)
{
if (!this->zz)
{
- return FAILED;
+ return FALSE;
}
*secret = export_mpi(this->zz, this->p_len);
- return SUCCESS;
+ return TRUE;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index eab4a0047..788cb931e 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
index b74d35169..4fcb168fa 100644
--- a/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
+++ b/src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c
@@ -42,7 +42,7 @@ struct private_gmp_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/*
* Generator value.
@@ -85,11 +85,16 @@ struct private_gmp_diffie_hellman_t {
bool computed;
};
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
private_gmp_diffie_hellman_t *this, chunk_t value)
{
mpz_t p_min_1;
+ if (!diffie_hellman_verify_value(this->group, value))
+ {
+ return FALSE;
+ }
+
mpz_init(p_min_1);
mpz_sub_ui(p_min_1, this->p, 1);
@@ -142,9 +147,10 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
" y < 2 || y > p - 1 ");
}
mpz_clear(p_min_1);
+ return this->computed;
}
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
private_gmp_diffie_hellman_t *this,chunk_t *value)
{
value->len = this->p_len;
@@ -153,22 +159,23 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
{
value->len = 0;
}
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_gmp_diffie_hellman_t *this, chunk_t *secret)
{
if (!this->computed)
{
- return FAILED;
+ return FALSE;
}
secret->len = this->p_len;
secret->ptr = mpz_export(NULL, NULL, 1, secret->len, 1, 0, this->zz);
if (secret->ptr == NULL)
{
- return FAILED;
+ return FALSE;
}
- return SUCCESS;
+ return TRUE;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
@@ -245,7 +252,7 @@ static gmp_diffie_hellman_t *create_generic(diffie_hellman_group_t group,
*random.ptr &= 0x7F;
}
mpz_import(this->xa, random.len, 1, 1, 1, 0, random.ptr);
- chunk_free(&random);
+ chunk_clear(&random);
DBG2(DBG_LIB, "size of DH secret exponent: %u bits",
mpz_sizeinbase(this->xa, 2));
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index bf34e4c9f..a8c39cbab 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/hmac/hmac.c b/src/libstrongswan/plugins/hmac/hmac.c
index 44cb46b4d..96a14aed9 100644
--- a/src/libstrongswan/plugins/hmac/hmac.c
+++ b/src/libstrongswan/plugins/hmac/hmac.c
@@ -103,7 +103,8 @@ METHOD(mac_t, set_key, bool,
if (key.len > this->b)
{
/* if key is too long, it will be hashed */
- if (!this->h->get_hash(this->h, key, buffer))
+ if (!this->h->reset(this->h) ||
+ !this->h->get_hash(this->h, key, buffer))
{
return FALSE;
}
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 17faa569d..8f6a6f54d 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 332a587c9..5316323a4 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index 91fe8c45f..d5f9c6c81 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index ba6cb0cf6..1dd3892cd 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index bca4562d6..e2fb7e720 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index 0d15d7c2e..0b51ba5d8 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.am b/src/libstrongswan/plugins/ntru/Makefile.am
index b959afa8e..c9fcee982 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.am
+++ b/src/libstrongswan/plugins/ntru/Makefile.am
@@ -16,7 +16,6 @@ libstrongswan_ntru_la_SOURCES = \
ntru_convert.h ntru_convert.c \
ntru_drbg.h ntru_drbg.c \
ntru_ke.h ntru_ke.c \
- ntru_mgf1.h ntru_mgf1.c \
ntru_param_set.h ntru_param_set.c \
ntru_poly.h ntru_poly.c \
ntru_public_key.h ntru_public_key.c \
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index e57a3673e..5636692ab 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -129,9 +129,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
libstrongswan_ntru_la_LIBADD =
am_libstrongswan_ntru_la_OBJECTS = ntru_plugin.lo ntru_convert.lo \
- ntru_drbg.lo ntru_ke.lo ntru_mgf1.lo ntru_param_set.lo \
- ntru_poly.lo ntru_public_key.lo ntru_private_key.lo \
- ntru_trits.lo
+ ntru_drbg.lo ntru_ke.lo ntru_param_set.lo ntru_poly.lo \
+ ntru_public_key.lo ntru_private_key.lo ntru_trits.lo
libstrongswan_ntru_la_OBJECTS = $(am_libstrongswan_ntru_la_OBJECTS)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
@@ -229,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -438,7 +442,6 @@ libstrongswan_ntru_la_SOURCES = \
ntru_convert.h ntru_convert.c \
ntru_drbg.h ntru_drbg.c \
ntru_ke.h ntru_ke.c \
- ntru_mgf1.h ntru_mgf1.c \
ntru_param_set.h ntru_param_set.c \
ntru_poly.h ntru_poly.c \
ntru_public_key.h ntru_public_key.c \
@@ -539,7 +542,6 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_convert.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_drbg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_ke.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_mgf1.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_param_set.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_plugin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ntru_poly.Plo@am__quote@
diff --git a/src/libstrongswan/plugins/ntru/ntru_ke.c b/src/libstrongswan/plugins/ntru/ntru_ke.c
index abaa22336..3b5df81d9 100644
--- a/src/libstrongswan/plugins/ntru/ntru_ke.c
+++ b/src/libstrongswan/plugins/ntru/ntru_ke.c
@@ -56,7 +56,7 @@ struct private_ntru_ke_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* NTRU Parameter Set
@@ -106,10 +106,10 @@ struct private_ntru_ke_t {
/**
* Deterministic Random Bit Generator
*/
- ntru_drbg_t *drbg;
+ ntru_drbg_t *drbg;
};
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
private_ntru_ke_t *this, chunk_t *value)
{
*value = chunk_empty;
@@ -130,30 +130,30 @@ METHOD(diffie_hellman_t, get_my_public_value, void,
if (!this->privkey)
{
DBG1(DBG_LIB, "NTRU keypair generation failed");
- return;
+ return FALSE;
}
this->pubkey = this->privkey->get_public_key(this->privkey);
}
*value = chunk_clone(this->pubkey->get_encoding(this->pubkey));
DBG3(DBG_LIB, "NTRU public key: %B", value);
}
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_ntru_ke_t *this, chunk_t *secret)
{
if (!this->computed || !this->shared_secret.len)
{
*secret = chunk_empty;
- return FAILED;
+ return FALSE;
}
*secret = chunk_clone(this->shared_secret);
- return SUCCESS;
+ return TRUE;
}
-
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
private_ntru_ke_t *this, chunk_t value)
{
if (this->privkey)
@@ -162,15 +162,15 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
if (value.len == 0)
{
DBG1(DBG_LIB, "empty NTRU ciphertext");
- return;
+ return FALSE;
}
DBG3(DBG_LIB, "NTRU ciphertext: %B", &value);
/* decrypt the shared secret */
- if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
+ if (!this->privkey->decrypt(this->privkey, value, &this->shared_secret))
{
DBG1(DBG_LIB, "NTRU decryption of shared secret failed");
- return;
+ return FALSE;
}
this->computed = TRUE;
}
@@ -185,13 +185,13 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
pubkey = ntru_public_key_create_from_data(this->drbg, value);
if (!pubkey)
{
- return;
+ return FALSE;
}
if (pubkey->get_id(pubkey) != this->param_set->id)
{
DBG1(DBG_LIB, "received NTRU public key with wrong OUI");
pubkey->destroy(pubkey);
- return;
+ return FALSE;
}
this->pubkey = pubkey;
@@ -204,7 +204,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
{
DBG1(DBG_LIB, "generation of shared secret failed");
chunk_free(&this->shared_secret);
- return;
+ return FALSE;
}
this->computed = TRUE;
@@ -212,10 +212,11 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
if (!pubkey->encrypt(pubkey, this->shared_secret, &this->ciphertext))
{
DBG1(DBG_LIB, "NTRU encryption of shared secret failed");
- return;
+ return FALSE;
}
DBG3(DBG_LIB, "NTRU ciphertext: %B", &this->ciphertext);
}
+ return this->computed;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
@@ -301,10 +302,10 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
drbg = ntru_drbg_create(strength, chunk_from_str("IKE NTRU-KE"), entropy);
if (!drbg)
- {
+ {
DBG1(DBG_LIB, "could not instantiate DRBG at %u bit security", strength);
entropy->destroy(entropy);
- return NULL;
+ return NULL;
}
INIT(this,
@@ -326,4 +327,3 @@ ntru_ke_t *ntru_ke_create(diffie_hellman_group_t group, chunk_t g, chunk_t p)
return &this->public;
}
-
diff --git a/src/libstrongswan/plugins/ntru/ntru_poly.c b/src/libstrongswan/plugins/ntru/ntru_poly.c
index 77ab54a5c..cb11601cd 100644
--- a/src/libstrongswan/plugins/ntru/ntru_poly.c
+++ b/src/libstrongswan/plugins/ntru/ntru_poly.c
@@ -16,8 +16,8 @@
*/
#include "ntru_poly.h"
-#include "ntru_mgf1.h"
+#include <crypto/mgf1/mgf1_bitspender.h>
#include <utils/debug.h>
#include <utils/test.h>
@@ -297,22 +297,17 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
bool is_product_form)
{
private_ntru_poly_t *this;
- size_t hash_len, octet_count = 0, i;
- uint8_t octets[HASH_SIZE_SHA512], *used, num_left = 0, num_needed;
- uint16_t index, limit, left = 0;
int n, num_indices, index_i = 0;
- ntru_mgf1_t *mgf1;
+ uint32_t index, limit;
+ uint8_t *used;
+ mgf1_bitspender_t *bitspender;
- DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
- mgf1 = ntru_mgf1_create(alg, seed, TRUE);
- if (!mgf1)
+ bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+ if (!bitspender)
{
return NULL;
}
- i = hash_len = mgf1->get_hash_size(mgf1);
-
this = ntru_poly_create(N, q, indices_len_p, indices_len_m, is_product_form);
-
used = malloc(N);
limit = N * ((1 << c_bits) / N);
@@ -328,43 +323,12 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
/* generate a random candidate index with a size of c_bits */
do
{
- /* use any leftover bits first */
- index = num_left ? left << (c_bits - num_left) : 0;
-
- /* get the rest of the bits needed from new octets */
- num_needed = c_bits - num_left;
-
- while (num_needed)
+ if (!bitspender->get_bits(bitspender, c_bits, &index))
{
- if (i == hash_len)
- {
- /* get another block from MGF1 */
- if (!mgf1->get_mask(mgf1, hash_len, octets))
- {
- mgf1->destroy(mgf1);
- destroy(this);
- free(used);
- return NULL;
- }
- octet_count += hash_len;
- i = 0;
- }
- left = octets[i++];
-
- if (num_needed <= 8)
- {
- /* all bits needed to fill the index are in this octet */
- index |= left >> (8 - num_needed);
- num_left = 8 - num_needed;
- num_needed = 0;
- left &= 0xff >> (8 - num_left);
- }
- else
- {
- /* more than one octet will be needed */
- index |= left << (num_needed - 8);
- num_needed -= 8;
- }
+ bitspender->destroy(bitspender);
+ destroy(this);
+ free(used);
+ return NULL;
}
}
while (index >= limit);
@@ -380,9 +344,7 @@ ntru_poly_t *ntru_poly_create_from_seed(hash_algorithm_t alg, chunk_t seed,
}
}
- DBG2(DBG_LIB, "MGF1 generates %u octets to derive %u indices",
- octet_count, this->num_indices);
- mgf1->destroy(mgf1);
+ bitspender->destroy(bitspender);
free(used);
return &this->public;
diff --git a/src/libstrongswan/plugins/ntru/ntru_trits.c b/src/libstrongswan/plugins/ntru/ntru_trits.c
index 1abb7671c..57b3532ef 100644
--- a/src/libstrongswan/plugins/ntru/ntru_trits.c
+++ b/src/libstrongswan/plugins/ntru/ntru_trits.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -14,9 +14,9 @@
*/
#include "ntru_trits.h"
-#include "ntru_mgf1.h"
#include "ntru_convert.h"
+#include <crypto/mgf1/mgf1_bitspender.h>
#include <utils/debug.h>
#include <utils/test.h>
@@ -70,17 +70,15 @@ METHOD(ntru_trits_t, destroy, void,
ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
{
private_ntru_trits_t *this;
- uint8_t octets[HASH_SIZE_SHA512], buf[5], *trits;
- size_t hash_len, octet_count = 0, trits_needed, i;
- ntru_mgf1_t *mgf1;
+ uint8_t octet, buf[5], *trits;
+ size_t trits_needed;
+ mgf1_bitspender_t *bitspender;
- DBG2(DBG_LIB, "MGF1 is seeded with %u bytes", seed.len);
- mgf1 = ntru_mgf1_create(alg, seed, TRUE);
- if (!mgf1)
+ bitspender = mgf1_bitspender_create(alg, seed, TRUE);
+ if (!bitspender)
{
return NULL;
}
- i = hash_len = mgf1->get_hash_size(mgf1);
INIT(this,
.public = {
@@ -97,21 +95,15 @@ ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
while (trits_needed > 0)
{
- if (i == hash_len)
+ if (!bitspender->get_byte(bitspender, &octet))
{
- /* get another block from MGF1 */
- if (!mgf1->get_mask(mgf1, hash_len, octets))
- {
- mgf1->destroy(mgf1);
- destroy(this);
- return NULL;
- }
- octet_count += hash_len;
- i = 0;
+ bitspender->destroy(bitspender);
+ destroy(this);
+ return NULL;
}
- if (octets[i] < 243) /* 243 = 3^5 */
+ if (octet < 243) /* 243 = 3^5 */
{
- ntru_octet_2_trits(octets[i], (trits_needed < 5) ? buf : trits);
+ ntru_octet_2_trits(octet, (trits_needed < 5) ? buf : trits);
if (trits_needed < 5)
{
memcpy(trits, buf, trits_needed);
@@ -120,11 +112,8 @@ ntru_trits_t *ntru_trits_create(size_t len, hash_algorithm_t alg, chunk_t seed)
trits += 5;
trits_needed -= 5;
}
- i++;
}
- DBG2(DBG_LIB, "MGF1 generates %u octets to extract %u trits",
- octet_count, len);
- mgf1->destroy(mgf1);
+ bitspender->destroy(bitspender);
return &this->public;
}
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index ac0db0150..a667ca47e 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -236,6 +236,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 07b96b320..c2478a4ed 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -135,7 +135,7 @@ METHOD(crypter_t, get_block_size, size_t,
METHOD(crypter_t, get_iv_size, size_t,
private_openssl_crypter_t *this)
{
- return this->cipher->block_size;
+ return this->cipher->iv_len;
}
METHOD(crypter_t, get_key_size, size_t,
diff --git a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
index ff3382473..2615d60a2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c
@@ -38,7 +38,7 @@ struct private_openssl_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* Diffie Hellman object
@@ -61,36 +61,42 @@ struct private_openssl_diffie_hellman_t {
bool computed;
};
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
private_openssl_diffie_hellman_t *this, chunk_t *value)
{
*value = chunk_alloc(DH_size(this->dh));
memset(value->ptr, 0, value->len);
BN_bn2bin(this->dh->pub_key,
value->ptr + value->len - BN_num_bytes(this->dh->pub_key));
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_openssl_diffie_hellman_t *this, chunk_t *secret)
{
if (!this->computed)
{
- return FAILED;
+ return FALSE;
}
/* shared secret should requires a len according the DH group */
*secret = chunk_alloc(DH_size(this->dh));
memset(secret->ptr, 0, secret->len);
memcpy(secret->ptr + secret->len - this->shared_secret.len,
this->shared_secret.ptr, this->shared_secret.len);
- return SUCCESS;
+ return TRUE;
}
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
private_openssl_diffie_hellman_t *this, chunk_t value)
{
int len;
+ if (!diffie_hellman_verify_value(this->group, value))
+ {
+ return FALSE;
+ }
+
BN_bin2bn(value.ptr, value.len, this->pub_key);
chunk_clear(&this->shared_secret);
this->shared_secret.ptr = malloc(DH_size(this->dh));
@@ -99,10 +105,11 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
if (len < 0)
{
DBG1(DBG_LIB, "DH shared secret computation failed");
- return;
+ return FALSE;
}
this->shared_secret.len = len;
this->computed = TRUE;
+ return TRUE;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index b487d59a5..550a5432f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -40,7 +40,7 @@ struct private_openssl_ec_diffie_hellman_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* EC private (public) key
@@ -216,40 +216,47 @@ error:
return ret;
}
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
private_openssl_ec_diffie_hellman_t *this, chunk_t value)
{
+ if (!diffie_hellman_verify_value(this->group, value))
+ {
+ return FALSE;
+ }
+
if (!chunk2ecp(this->ec_group, value, this->pub_key))
{
DBG1(DBG_LIB, "ECDH public value is malformed");
- return;
+ return FALSE;
}
chunk_clear(&this->shared_secret);
if (!compute_shared_key(this, &this->shared_secret)) {
DBG1(DBG_LIB, "ECDH shared secret computation failed");
- return;
+ return FALSE;
}
this->computed = TRUE;
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
{
ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_openssl_ec_diffie_hellman_t *this, chunk_t *secret)
{
if (!this->computed)
{
- return FAILED;
+ return FALSE;
}
*secret = chunk_clone(this->shared_secret);
- return SUCCESS;
+ return TRUE;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 4bd958784..44603afb1 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index f9c5b9b52..4c982fdf5 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c
index 62780c384..f0e508abf 100644
--- a/src/libstrongswan/plugins/pem/pem_builder.c
+++ b/src/libstrongswan/plugins/pem/pem_builder.c
@@ -365,6 +365,29 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
}
/**
+ * Check if a blob looks like an ASN1 SEQUENCE or SET with BER indefinite length
+ */
+static bool is_ber_indefinite_length(chunk_t blob)
+{
+ if (blob.len >= 4)
+ {
+ switch (blob.ptr[0])
+ {
+ case ASN1_SEQUENCE:
+ case ASN1_SET:
+ /* BER indefinite length uses 0x80, and is terminated with
+ * end-of-content using 0x00,0x00 */
+ return blob.ptr[1] == 0x80 &&
+ blob.ptr[blob.len - 2] == 0 &&
+ blob.ptr[blob.len - 1] == 0;
+ default:
+ break;
+ }
+ }
+ return FALSE;
+}
+
+/**
* load the credential from a blob
*/
static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
@@ -374,7 +397,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
bool pgp = FALSE;
blob = chunk_clone(blob);
- if (!is_asn1(blob))
+ if (!is_ber_indefinite_length(blob) && !is_asn1(blob))
{
if (pem_to_bin(&blob, &pgp) != SUCCESS)
{
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index df4b77cc3..35ea3e885 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -53,6 +53,11 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
break;
}
}
+ if (cred_encoding_args(args, CRED_PART_BLISS_PUB_ASN1_DER,
+ &asn1, CRED_PART_END))
+ {
+ break;
+ }
return FALSE;
case PRIVKEY_PEM:
label ="RSA PRIVATE KEY";
@@ -86,6 +91,12 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
label ="EC PRIVATE KEY";
break;
}
+ if (cred_encoding_args(args, CRED_PART_BLISS_PRIV_ASN1_DER,
+ &asn1, CRED_PART_END))
+ {
+ label ="BLISS PRIVATE KEY";
+ break;
+ }
return FALSE;
case CERT_PEM:
if (cred_encoding_args(args, CRED_PART_X509_ASN1_DER,
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index e7edd7b89..d5bcbb617 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -60,6 +60,9 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(PRIVKEY, KEY_DSA),
PLUGIN_DEPENDS(PRIVKEY, KEY_DSA),
PLUGIN_SDEPEND(HASHER, HASH_MD5),
+ PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS),
+ PLUGIN_DEPENDS(PRIVKEY, KEY_BLISS),
/* public key PEM decoding */
PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
@@ -74,6 +77,8 @@ METHOD(plugin_t, get_features, int,
PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
PLUGIN_PROVIDE(PUBKEY, KEY_DSA),
PLUGIN_DEPENDS(PUBKEY, KEY_DSA),
+ PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
+ PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
/* certificate PEM decoding */
PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 8e351c273..4d4215bfe 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 445bc2d24..2a708364a 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index c6661fcda..767b3acf2 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -63,11 +63,18 @@ static public_key_t *parse_public_key(chunk_t blob)
}
else if (oid == OID_EC_PUBLICKEY)
{
- /* we need the whole subjectPublicKeyInfo for EC public keys */
+ /* Need the whole subjectPublicKeyInfo for EC public keys */
key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
KEY_ECDSA, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
goto end;
}
+ else if (oid == OID_BLISS_PUBLICKEY)
+ {
+ /* Need the whole subjectPublicKeyInfo for BLISS public keys */
+ key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+ KEY_BLISS, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ goto end;
+ }
else
{
/* key type not supported */
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 34e8d0caa..de033a3fb 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
index 36cc284bf..c0033bd8e 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_dh.c
@@ -47,7 +47,7 @@ struct private_pkcs11_dh_t {
/**
* Diffie Hellman group number.
*/
- u_int16_t group;
+ diffie_hellman_group_t group;
/**
* Handle for own private value
@@ -81,7 +81,7 @@ struct private_pkcs11_dh_t {
*
* If this succeeds the shared secret is stored in this->secret.
*/
-static void derive_secret(private_pkcs11_dh_t *this, chunk_t other)
+static bool derive_secret(private_pkcs11_dh_t *this, chunk_t other)
{
CK_OBJECT_CLASS klass = CKO_SECRET_KEY;
CK_KEY_TYPE type = CKK_GENERIC_SECRET;
@@ -102,19 +102,25 @@ static void derive_secret(private_pkcs11_dh_t *this, chunk_t other)
if (rv != CKR_OK)
{
DBG1(DBG_CFG, "C_DeriveKey() error: %N", ck_rv_names, rv);
- return;
+ return FALSE;
}
if (!this->lib->get_ck_attribute(this->lib, this->session, secret,
CKA_VALUE, &this->secret))
{
chunk_free(&this->secret);
- return;
+ return FALSE;
}
+ return TRUE;
}
-METHOD(diffie_hellman_t, set_other_public_value, void,
+METHOD(diffie_hellman_t, set_other_public_value, bool,
private_pkcs11_dh_t *this, chunk_t value)
{
+ if (!diffie_hellman_verify_value(this->group, value))
+ {
+ return FALSE;
+ }
+
switch (this->group)
{
case ECP_192_BIT:
@@ -137,7 +143,7 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
if (!lib->settings->get_bool(lib->settings,
"%s.ecp_x_coordinate_only", TRUE, lib->ns))
{ /* we only get the x coordinate back */
- return;
+ return FALSE;
}
value = chunk_from_thing(params);
break;
@@ -145,24 +151,25 @@ METHOD(diffie_hellman_t, set_other_public_value, void,
default:
break;
}
- derive_secret(this, value);
+ return derive_secret(this, value);
}
-METHOD(diffie_hellman_t, get_my_public_value, void,
+METHOD(diffie_hellman_t, get_my_public_value, bool,
private_pkcs11_dh_t *this, chunk_t *value)
{
*value = chunk_clone(this->pub_key);
+ return TRUE;
}
-METHOD(diffie_hellman_t, get_shared_secret, status_t,
+METHOD(diffie_hellman_t, get_shared_secret, bool,
private_pkcs11_dh_t *this, chunk_t *secret)
{
if (!this->secret.ptr)
{
- return FAILED;
+ return FALSE;
}
*secret = chunk_clone(this->secret);
- return SUCCESS;
+ return TRUE;
}
METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
@@ -443,4 +450,3 @@ pkcs11_dh_t *pkcs11_dh_create(diffie_hellman_group_t group,
}
return NULL;
}
-
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
index 7661473b1..dc8a1f17a 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2010 Martin Willi
@@ -21,6 +21,7 @@
#include <dlfcn.h>
#include <library.h>
+#include <asn1/asn1.h>
#include <utils/debug.h>
#include <threading/mutex.h>
#include <collections/linked_list.h>
@@ -641,10 +642,37 @@ static void free_attrs(object_enumerator_t *this)
}
/**
+ * CKA_EC_POINT is encodeed as ASN.1 octet string, we can't handle that and
+ * some tokens actually return them even unwrapped.
+ *
+ * Because ASN1_OCTET_STRING is 0x04 and uncompressed EC_POINTs also begin with
+ * 0x04 (compressed ones with 0x02 or 0x03) there will be an attempt to parse
+ * unwrapped uncompressed EC_POINTs. This will fail in most cases as the length
+ * will not be correct, however, there is a small chance that the key's first
+ * byte denotes the correct length. Checking the first byte of the key should
+ * further reduce the risk of false positives, though.
+ *
+ * The original memory is freed if the value is unwrapped.
+ */
+static void unwrap_ec_point(chunk_t *data)
+{
+ chunk_t wrapped, unwrapped;
+
+ wrapped = unwrapped = *data;
+ if (asn1_unwrap(&unwrapped, &unwrapped) == ASN1_OCTET_STRING &&
+ unwrapped.len && unwrapped.ptr[0] >= 0x02 && unwrapped.ptr[0] <= 0x04)
+ {
+ *data = chunk_clone(unwrapped);
+ free(wrapped.ptr);
+ }
+}
+
+/**
* Get attributes for a given object during enumeration
*/
static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object)
{
+ chunk_t data;
CK_RV rv;
int i;
@@ -677,6 +705,16 @@ static bool get_attributes(object_enumerator_t *this, CK_OBJECT_HANDLE object)
DBG1(DBG_CFG, "C_GetAttributeValue() error: %N", ck_rv_names, rv);
return FALSE;
}
+ for (i = 0; i < this->count; i++)
+ {
+ if (this->attr[i].type == CKA_EC_POINT)
+ {
+ data = chunk_create(this->attr[i].pValue, this->attr[i].ulValueLen);
+ unwrap_ec_point(&data);
+ this->attr[i].pValue = data.ptr;
+ this->attr[i].ulValueLen = data.len;
+ }
+ }
return TRUE;
}
@@ -887,6 +925,10 @@ METHOD(pkcs11_library_t, get_ck_attribute, bool,
chunk_free(data);
return FALSE;
}
+ if (attr.type == CKA_EC_POINT)
+ {
+ unwrap_ec_point(data);
+ }
return TRUE;
}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
index bb9cc7a21..bfc545972 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2010 Martin Willi
@@ -23,6 +23,7 @@
#include "pkcs11_public_key.h"
#include <utils/debug.h>
+#include <asn1/asn1.h>
typedef struct private_pkcs11_private_key_t private_pkcs11_private_key_t;
@@ -288,7 +289,23 @@ METHOD(private_key_t, sign, bool,
free(buf);
return FALSE;
}
- *signature = chunk_create(buf, len);
+ switch (scheme)
+ {
+ case SIGN_ECDSA_WITH_SHA1_DER:
+ case SIGN_ECDSA_WITH_SHA256_DER:
+ case SIGN_ECDSA_WITH_SHA384_DER:
+ case SIGN_ECDSA_WITH_SHA512_DER:
+ /* return an ASN.1 encoded sequence of integers r and s */
+ len /= 2;
+ *signature = asn1_wrap(ASN1_SEQUENCE, "mm",
+ asn1_integer("c", chunk_create(buf, len)),
+ asn1_integer("c", chunk_create(buf+len, len)));
+ free(buf);
+ break;
+ default:
+ *signature = chunk_create(buf, len);
+ break;
+ }
return TRUE;
}
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
index 0302c0edd..6d5211657 100644
--- a/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
+++ b/src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011 Tobias Brunner
+ * Copyright (C) 2011-2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2010 Martin Willi
@@ -135,6 +135,7 @@ static const asn1Object_t pkinfoObjects[] = {
/**
* Extract the DER encoded Parameters and ECPoint from the given DER encoded
* subjectPublicKeyInfo.
+ * Memory for ecpoint is allocated.
*/
static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams,
chunk_t *ecpoint, size_t *keylen)
@@ -173,7 +174,9 @@ static bool parse_ecdsa_public_key(chunk_t blob, chunk_t *ecparams,
{ /* skip initial bit string octet defining 0 unused bits */
object = chunk_skip(object, 1);
}
- *ecpoint = object;
+ /* the correct way to encode an EC_POINT in PKCS#11 is as
+ * ASN.1 octet string */
+ *ecpoint = asn1_wrap(ASN1_OCTET_STRING, "c", object);
break;
}
}
@@ -205,7 +208,8 @@ METHOD(public_key_t, verify, bool,
CK_SESSION_HANDLE session;
CK_RV rv;
hash_algorithm_t hash_alg;
- chunk_t hash = chunk_empty;
+ chunk_t hash = chunk_empty, parse, r, s;
+ size_t len;
mechanism = pkcs11_signature_scheme_to_mech(scheme, this->type, this->k,
&hash_alg);
@@ -215,9 +219,37 @@ METHOD(public_key_t, verify, bool,
signature_scheme_names, scheme);
return FALSE;
}
- if (sig.len && sig.ptr[0] == 0)
- { /* trim leading zero byte in sig */
- sig = chunk_skip(sig, 1);
+ switch (scheme)
+ {
+ case SIGN_ECDSA_WITH_SHA1_DER:
+ case SIGN_ECDSA_WITH_SHA256_DER:
+ case SIGN_ECDSA_WITH_SHA384_DER:
+ case SIGN_ECDSA_WITH_SHA512_DER:
+ /* PKCS#11 expects the ECDSA signatures as simple concatenation of
+ * r and s, so unwrap the ASN.1 encoded sequence */
+ parse = sig;
+ if (asn1_unwrap(&parse, &parse) != ASN1_SEQUENCE ||
+ asn1_unwrap(&parse, &r) != ASN1_INTEGER ||
+ asn1_unwrap(&parse, &s) != ASN1_INTEGER)
+ {
+ return FALSE;
+ }
+ r = chunk_skip_zero(r);
+ s = chunk_skip_zero(s);
+ len = (get_keysize(this) + 7) / 8;
+ if (r.len > len || s.len > len)
+ {
+ return FALSE;
+ }
+ /* concatenate r and s (forced to the defined length) */
+ sig = chunk_alloca(2*len);
+ memset(sig.ptr, 0, sig.len);
+ memcpy(sig.ptr + (len - r.len), r.ptr, r.len);
+ memcpy(sig.ptr + len + (len - s.len), s.ptr, s.len);
+ break;
+ default:
+ sig = chunk_skip_zero(sig);
+ break;
}
rv = this->lib->f->C_OpenSession(this->slot, CKF_SERIAL_SESSION, NULL, NULL,
&session);
@@ -776,11 +808,11 @@ pkcs11_public_key_t *pkcs11_public_key_load(key_type_t type, va_list args)
if (parse_ecdsa_public_key(blob, &ecparams, &ecpoint, &keylen))
{
this = find_ecdsa_key(ecparams, ecpoint, keylen);
- if (this)
+ if (!this)
{
- return &this->public;
+ this = create_ecdsa_key(ecparams, ecpoint, keylen);
}
- this = create_ecdsa_key(ecparams, ecpoint, keylen);
+ chunk_free(&ecpoint);
if (this)
{
return &this->public;
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index d90cd3532..3fa0a3890 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index f6534f087..3266e5d5f 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -230,6 +230,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -290,10 +291,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -367,6 +370,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 0756db856..2130c9c93 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 1fec1b3ea..f7ac347d2 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -380,7 +380,15 @@ static plugin_entry_t *load_plugin(private_plugin_loader_t *this, char *name,
return NULL;
}
}
- handle = dlopen(file, RTLD_LAZY);
+ handle = dlopen(file, RTLD_LAZY
+#ifdef RTLD_NODELETE
+ /* if supported, do not unload library when unloading a plugin. It really
+ * doesn't matter in productive systems, but causes many (dependency)
+ * library reloads during unit tests. Some libraries can't handle that,
+ * GnuTLS leaks file descriptors in its library load/unload functions. */
+ | RTLD_NODELETE
+#endif
+ );
if (handle == NULL)
{
DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror());
@@ -1283,9 +1291,9 @@ METHOD(plugin_loader_t, status, void,
if (this->stats.failed)
{
- dbg(DBG_LIB, level, "unable to load %d plugin feature%s (%d due to "
- "unmet dependencies)", this->stats.failed,
- this->stats.failed == 1 ? "" : "s", this->stats.depends);
+ DBG2(DBG_LIB, "unable to load %d plugin feature%s (%d due to unmet "
+ "dependencies)", this->stats.failed,
+ this->stats.failed == 1 ? "" : "s", this->stats.depends);
}
}
}
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index fcdbe9450..a9f3dd14c 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index fb6c9ae43..11a13463b 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index d84b1ba17..b81acef55 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 967e8625d..028464bf3 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 127482635..342c544d9 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 70a98b006..18771e4f9 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index f7d11beb1..6aaa06b20 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index ee96f08c2..02290b4a2 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -227,6 +227,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index b9f949bcf..3e234f1ca 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index b66302e1a..a8d5a1020 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 8d7c667d8..8980ec46c 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -243,6 +243,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -303,10 +304,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -380,6 +383,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index 02f4ccd8a..c84717bdc 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in
index fb87917a2..f8db1ffac 100644
--- a/src/libstrongswan/plugins/winhttp/Makefile.in
+++ b/src/libstrongswan/plugins/winhttp/Makefile.in
@@ -229,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -289,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -366,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 23a6b3ba3..b31bfbed1 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -228,6 +228,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +289,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +368,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index ed58377a6..bfc200421 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2002 Ueli Galizzi, Ariane Seiler
* Copyright (C) 2003 Martin Berner, Lukas Suter
- * Copyright (C) 2002-2009 Andreas Steffen
+ * Copyright (C) 2002-2014 Andreas Steffen
* Copyright (C) 2009 Martin Willi
*
* HSR Hochschule fuer Technik Rapperswil
@@ -557,7 +557,7 @@ static bool parse_certificate(private_x509_ac_t *this)
}
break;
case AC_OBJ_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index bdc8234c9..96280a033 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1465,7 +1465,7 @@ static bool parse_certificate(private_x509_cert_t *this)
}
break;
case X509_OBJ_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index d6057c30f..4d7e7bd10 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -347,7 +347,7 @@ static bool parse(private_x509_crl_t *this)
break;
}
case CRL_OBJ_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
@@ -451,6 +451,7 @@ METHOD(certificate_t, issued_by, bool,
signature_scheme_t scheme;
bool valid;
x509_t *x509 = (x509_t*)issuer;
+ chunk_t keyid = chunk_empty;
/* check if issuer is an X.509 CA certificate */
if (issuer->get_type(issuer) != CERT_X509)
@@ -462,21 +463,16 @@ METHOD(certificate_t, issued_by, bool,
return FALSE;
}
- /* get the public key of the issuer */
- key = issuer->get_public_key(issuer);
-
/* compare keyIdentifiers if available, otherwise use DNs */
- if (this->authKeyIdentifier.ptr && key)
+ if (this->authKeyIdentifier.ptr)
{
- chunk_t fingerprint;
-
- if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
- !chunk_equals(fingerprint, this->authKeyIdentifier))
+ keyid = x509->get_subjectKeyIdentifier(x509);
+ if (keyid.len && !chunk_equals(keyid, this->authKeyIdentifier))
{
return FALSE;
}
}
- else
+ if (!keyid.len)
{
if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
{
@@ -484,10 +480,13 @@ METHOD(certificate_t, issued_by, bool,
}
}
- /* determine signature scheme */
scheme = signature_scheme_from_oid(this->algorithm);
-
- if (scheme == SIGN_UNKNOWN || key == NULL)
+ if (scheme == SIGN_UNKNOWN)
+ {
+ return FALSE;
+ }
+ key = issuer->get_public_key(issuer);
+ if (!key)
{
return FALSE;
}
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index ff0f0231f..eb5b01986 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
@@ -265,6 +265,10 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this,
oid = OID_ECDSA_WITH_SHA1;
scheme = SIGN_ECDSA_WITH_SHA1_DER;
break;
+ case KEY_BLISS:
+ oid = OID_BLISS_WITH_SHA512;
+ scheme = SIGN_BLISS_WITH_SHA512;
+ break;
default:
DBG1(DBG_LIB, "unable to sign OCSP request, %N signature not "
"supported", key_type_names, this->key->get_type(this->key));
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index ad04c7dea..60133fc7f 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -1,6 +1,6 @@
/**
* Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2007 Andreas Steffen
+ * Copyright (C) 2007-2014 Andreas Steffen
* Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
@@ -537,7 +537,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
parser->get_level(parser)+1, NULL);
break;
case BASIC_RESPONSE_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
case BASIC_RESPONSE_CERTIFICATE:
{
diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index 024b4dba5..20561f7e2 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -435,7 +435,7 @@ static bool parse_certificate_request(private_x509_pkcs10_t *this)
this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL);
break;
case PKCS10_SIGNATURE:
- this->signature = object;
+ this->signature = chunk_skip(object, 1);
break;
default:
break;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index ffcee547c..6c9901e6c 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -226,6 +226,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libstrongswan/plugins/xcbc/xcbc.c b/src/libstrongswan/plugins/xcbc/xcbc.c
index 802c8a39f..d852a2932 100644
--- a/src/libstrongswan/plugins/xcbc/xcbc.c
+++ b/src/libstrongswan/plugins/xcbc/xcbc.c
@@ -219,6 +219,10 @@ METHOD(mac_t, set_key, bool,
{
chunk_t iv, k1, lengthened;
+ memset(this->e, 0, this->b);
+ this->remaining_bytes = 0;
+ this->zero = TRUE;
+
/* we support variable keys from RFC4434 */
if (key.len == this->b)
{
diff --git a/src/libstrongswan/processing/processor.h b/src/libstrongswan/processing/processor.h
index f96530e54..ee08870fb 100644
--- a/src/libstrongswan/processing/processor.h
+++ b/src/libstrongswan/processing/processor.h
@@ -23,6 +23,8 @@
#ifndef PROCESSOR_H_
#define PROCESSOR_H_
+#include <utils/utils.h>
+
typedef struct processor_t processor_t;
#include <stdlib.h>
diff --git a/src/libstrongswan/processing/scheduler.c b/src/libstrongswan/processing/scheduler.c
index 3f1598fc4..d90852561 100644
--- a/src/libstrongswan/processing/scheduler.c
+++ b/src/libstrongswan/processing/scheduler.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2015 Tobias Brunner
* Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -300,16 +300,26 @@ METHOD(scheduler_t, schedule_job_ms, void,
schedule_job_tv(this, job, tv);
}
-METHOD(scheduler_t, destroy, void,
+METHOD(scheduler_t, flush, void,
private_scheduler_t *this)
{
event_t *event;
- this->condvar->destroy(this->condvar);
- this->mutex->destroy(this->mutex);
+
+ this->mutex->lock(this->mutex);
while ((event = remove_event(this)) != NULL)
{
event_destroy(event);
}
+ this->condvar->signal(this->condvar);
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(scheduler_t, destroy, void,
+ private_scheduler_t *this)
+{
+ flush(this);
+ this->condvar->destroy(this->condvar);
+ this->mutex->destroy(this->mutex);
free(this->heap);
free(this);
}
@@ -328,6 +338,7 @@ scheduler_t * scheduler_create()
.schedule_job = _schedule_job,
.schedule_job_ms = _schedule_job_ms,
.schedule_job_tv = _schedule_job_tv,
+ .flush = _flush,
.destroy = _destroy,
},
.heap_size = HEAP_SIZE_DEFAULT,
diff --git a/src/libstrongswan/processing/scheduler.h b/src/libstrongswan/processing/scheduler.h
index abbf74e2c..7f91fcc59 100644
--- a/src/libstrongswan/processing/scheduler.h
+++ b/src/libstrongswan/processing/scheduler.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009 Tobias Brunner
+ * Copyright (C) 2009-2015 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -115,6 +115,11 @@ struct scheduler_t {
u_int (*get_job_load) (scheduler_t *this);
/**
+ * Remove all scheduled jobs.
+ */
+ void (*flush)(scheduler_t *this);
+
+ /**
* Destroys a scheduler object.
*/
void (*destroy) (scheduler_t *this);
diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c
index d4de2a907..5b94208bf 100644
--- a/src/libstrongswan/processing/watcher.c
+++ b/src/libstrongswan/processing/watcher.c
@@ -24,9 +24,6 @@
#include <unistd.h>
#include <errno.h>
-#ifndef WIN32
-#include <sys/select.h>
-#endif
#include <fcntl.h>
typedef struct private_watcher_t private_watcher_t;
@@ -121,11 +118,7 @@ static void update(private_watcher_t *this)
this->pending = TRUE;
if (this->notify[1] != -1)
{
-#ifdef WIN32
- if (send(this->notify[1], buf, sizeof(buf), 0) == -1)
-#else
if (write(this->notify[1], buf, sizeof(buf)) == -1)
-#endif
{
DBG1(DBG_JOB, "notifying watcher failed: %s", strerror(errno));
}
@@ -245,23 +238,57 @@ static void activate_all(private_watcher_t *this)
}
/**
+ * Find flagged revents in a pollfd set by fd
+ */
+static int find_revents(struct pollfd *pfd, int count, int fd)
+{
+ int i;
+
+ for (i = 0; i < count; i++)
+ {
+ if (pfd[i].fd == fd)
+ {
+ return pfd[i].revents;
+ }
+ }
+ return 0;
+}
+
+/**
+ * Check if entry is waiting for a specific event, and if it got signaled
+ */
+static bool entry_ready(entry_t *entry, watcher_event_t event, int revents)
+{
+ if (entry->events & event)
+ {
+ switch (event)
+ {
+ case WATCHER_READ:
+ return (revents & (POLLIN | POLLHUP | POLLNVAL)) != 0;
+ case WATCHER_WRITE:
+ return (revents & (POLLOUT | POLLHUP | POLLNVAL)) != 0;
+ case WATCHER_EXCEPT:
+ return (revents & (POLLERR | POLLHUP | POLLNVAL)) != 0;
+ }
+ }
+ return FALSE;
+}
+
+/**
* Dispatching function
*/
static job_requeue_t watch(private_watcher_t *this)
{
enumerator_t *enumerator;
entry_t *entry;
- fd_set rd, wr, ex;
- int maxfd = 0, res;
+ struct pollfd *pfd;
+ int count = 0, res;
bool rebuild = FALSE;
- FD_ZERO(&rd);
- FD_ZERO(&wr);
- FD_ZERO(&ex);
-
this->mutex->lock(this->mutex);
- if (this->fds->get_count(this->fds) == 0)
+ count = this->fds->get_count(this->fds);
+ if (count == 0)
{
this->state = WATCHER_STOPPED;
this->mutex->unlock(this->mutex);
@@ -272,33 +299,34 @@ static job_requeue_t watch(private_watcher_t *this)
this->state = WATCHER_RUNNING;
}
- if (this->notify[0] != -1)
- {
- FD_SET(this->notify[0], &rd);
- maxfd = this->notify[0];
- }
+ pfd = alloca(sizeof(*pfd) * (count + 1));
+ pfd[0].fd = this->notify[0];
+ pfd[0].events = POLLIN;
+ count = 1;
enumerator = this->fds->create_enumerator(this->fds);
while (enumerator->enumerate(enumerator, &entry))
{
if (!entry->in_callback)
{
+ pfd[count].fd = entry->fd;
+ pfd[count].events = 0;
if (entry->events & WATCHER_READ)
{
DBG3(DBG_JOB, " watching %d for reading", entry->fd);
- FD_SET(entry->fd, &rd);
+ pfd[count].events |= POLLIN;
}
if (entry->events & WATCHER_WRITE)
{
DBG3(DBG_JOB, " watching %d for writing", entry->fd);
- FD_SET(entry->fd, &wr);
+ pfd[count].events |= POLLOUT;
}
if (entry->events & WATCHER_EXCEPT)
{
DBG3(DBG_JOB, " watching %d for exceptions", entry->fd);
- FD_SET(entry->fd, &ex);
+ pfd[count].events |= POLLERR;
}
- maxfd = max(maxfd, entry->fd);
+ count++;
}
}
enumerator->destroy(enumerator);
@@ -306,30 +334,27 @@ static job_requeue_t watch(private_watcher_t *this)
while (!rebuild)
{
+ int revents;
char buf[1];
bool old;
ssize_t len;
job_t *job;
- DBG2(DBG_JOB, "watcher going to select()");
+ DBG2(DBG_JOB, "watcher going to poll() %d fds", count);
thread_cleanup_push((void*)activate_all, this);
old = thread_cancelability(TRUE);
- res = select(maxfd + 1, &rd, &wr, &ex, NULL);
+ res = poll(pfd, count, -1);
thread_cancelability(old);
thread_cleanup_pop(FALSE);
if (res > 0)
{
- if (this->notify[0] != -1 && FD_ISSET(this->notify[0], &rd))
+ if (pfd[0].revents & POLLIN)
{
while (TRUE)
{
-#ifdef WIN32
- len = recv(this->notify[0], buf, sizeof(buf), 0);
-#else
len = read(this->notify[0], buf, sizeof(buf));
-#endif
if (len == -1)
{
if (errno != EAGAIN && errno != EWOULDBLOCK)
@@ -354,21 +379,25 @@ static job_requeue_t watch(private_watcher_t *this)
rebuild = TRUE;
break;
}
- if (FD_ISSET(entry->fd, &rd) && (entry->events & WATCHER_READ))
- {
- DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd);
- notify(this, entry, WATCHER_READ);
- }
- if (FD_ISSET(entry->fd, &wr) && (entry->events & WATCHER_WRITE))
- {
- DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd);
- notify(this, entry, WATCHER_WRITE);
- }
- if (FD_ISSET(entry->fd, &ex) && (entry->events & WATCHER_EXCEPT))
+ revents = find_revents(pfd, count, entry->fd);
+ if (entry_ready(entry, WATCHER_EXCEPT, revents))
{
DBG2(DBG_JOB, "watched FD %d has exception", entry->fd);
notify(this, entry, WATCHER_EXCEPT);
}
+ else
+ {
+ if (entry_ready(entry, WATCHER_READ, revents))
+ {
+ DBG2(DBG_JOB, "watched FD %d ready to read", entry->fd);
+ notify(this, entry, WATCHER_READ);
+ }
+ if (entry_ready(entry, WATCHER_WRITE, revents))
+ {
+ DBG2(DBG_JOB, "watched FD %d ready to write", entry->fd);
+ notify(this, entry, WATCHER_WRITE);
+ }
+ }
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
@@ -388,7 +417,7 @@ static job_requeue_t watch(private_watcher_t *this)
{
if (!this->pending && errno != EINTR)
{ /* complain only if no pending updates */
- DBG1(DBG_JOB, "watcher select() error: %s", strerror(errno));
+ DBG1(DBG_JOB, "watcher poll() error: %s", strerror(errno));
}
return JOB_REQUEUE_DIRECT;
}
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index 94b77467a..3b7f8c5a0 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -449,41 +449,9 @@ METHOD(traffic_selector_t, get_subset, traffic_selector_t*,
}
METHOD(traffic_selector_t, equals, bool,
- private_traffic_selector_t *this, traffic_selector_t *other_public)
+ private_traffic_selector_t *this, traffic_selector_t *other)
{
- private_traffic_selector_t *other;
-
- other = (private_traffic_selector_t*)other_public;
- if (this->type != other->type)
- {
- return FALSE;
- }
- if (!(this->from_port == other->from_port &&
- this->to_port == other->to_port &&
- this->protocol == other->protocol))
- {
- return FALSE;
- }
- switch (this->type)
- {
- case TS_IPV4_ADDR_RANGE:
- if (memeq(this->from4, other->from4, sizeof(this->from4)) &&
- memeq(this->to4, other->to4, sizeof(this->to4)))
- {
- return TRUE;
- }
- break;
- case TS_IPV6_ADDR_RANGE:
- if (memeq(this->from6, other->from6, sizeof(this->from6)) &&
- memeq(this->to6, other->to6, sizeof(this->to6)))
- {
- return TRUE;
- }
- break;
- default:
- break;
- }
- return FALSE;
+ return traffic_selector_cmp(&this->public, other, NULL) == 0;
}
METHOD(traffic_selector_t, get_from_address, chunk_t,
@@ -717,12 +685,96 @@ METHOD(traffic_selector_t, clone_, traffic_selector_t*,
}
}
+METHOD(traffic_selector_t, hash, u_int,
+ private_traffic_selector_t *this, u_int hash)
+{
+ return chunk_hash_inc(get_from_address(this),
+ chunk_hash_inc(get_to_address(this),
+ chunk_hash_inc(chunk_from_thing(this->from_port),
+ chunk_hash_inc(chunk_from_thing(this->to_port),
+ chunk_hash_inc(chunk_from_thing(this->protocol),
+ hash)))));
+}
+
METHOD(traffic_selector_t, destroy, void,
private_traffic_selector_t *this)
{
free(this);
}
+/**
+ * Compare two integers
+ */
+static int compare_int(int a, int b)
+{
+ return a - b;
+}
+
+/*
+ * See header
+ */
+int traffic_selector_cmp(traffic_selector_t *a_pub, traffic_selector_t *b_pub,
+ void *opts)
+{
+ private_traffic_selector_t *a, *b;
+ int res;
+
+ a = (private_traffic_selector_t*)a_pub;
+ b = (private_traffic_selector_t*)b_pub;
+
+ /* IPv4 before IPv6 */
+ res = compare_int(a->type, b->type);
+ if (res)
+ {
+ return res;
+ }
+ switch (a->type)
+ {
+ case TS_IPV4_ADDR_RANGE:
+ /* lower starting subnets first */
+ res = memcmp(a->from4, b->from4, sizeof(a->from4));
+ if (res)
+ {
+ return res;
+ }
+ /* larger subnets first */
+ res = memcmp(b->to4, a->to4, sizeof(a->to4));
+ if (res)
+ {
+ return res;
+ }
+ break;
+ case TS_IPV6_ADDR_RANGE:
+ res = memcmp(a->from6, b->from6, sizeof(a->from6));
+ if (res)
+ {
+ return res;
+ }
+ res = memcmp(b->to6, a->to6, sizeof(a->to6));
+ if (res)
+ {
+ return res;
+ }
+ break;
+ default:
+ return 1;
+ }
+ /* lower protocols first */
+ res = compare_int(a->protocol, b->protocol);
+ if (res)
+ {
+ return res;
+ }
+ /* lower starting ports first */
+ res = compare_int(a->from_port, b->from_port);
+ if (res)
+ {
+ return res;
+ }
+ /* larger port ranges first */
+ return compare_int(b->to_port, a->to_port);
+}
+
/*
* see header
*/
@@ -933,6 +985,7 @@ static private_traffic_selector_t *traffic_selector_create(u_int8_t protocol,
.set_address = _set_address,
.to_subnet = _to_subnet,
.clone = _clone_,
+ .hash = _hash,
.destroy = _destroy,
},
.from_port = from_port,
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index ab6813acc..cf9a2861b 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -221,6 +221,14 @@ struct traffic_selector_t {
bool (*to_subnet) (traffic_selector_t *this, host_t **net, u_int8_t *mask);
/**
+ * Create a hash value for the traffic selector.
+ *
+ * @param inc optional value for incremental hashing
+ * @return calculated hash value for the traffic selector
+ */
+ u_int (*hash)(traffic_selector_t *this, u_int inc);
+
+ /**
* Destroys the ts object
*/
void (*destroy) (traffic_selector_t *this);
@@ -249,6 +257,17 @@ static inline u_int8_t traffic_selector_icmp_code(u_int16_t port)
}
/**
+ * Compare two traffic selectors, usable as sort function
+ *
+ * @param a first selector to compare
+ * @param b second selector to compare
+ * @param opts optional sort options, currently unused
+ * @return > 0 if a > b, 0 if a == b, < 0 if a < b
+ */
+int traffic_selector_cmp(traffic_selector_t *a, traffic_selector_t *b,
+ void *opts);
+
+/**
* Create a new traffic selector using human readable params.
*
* If protocol is ICMP or ICMPv6 the ports are interpreted as follows: If they
diff --git a/src/libstrongswan/settings/settings_lexer.c b/src/libstrongswan/settings/settings_lexer.c
index 76433012a..0d71a1d01 100644
--- a/src/libstrongswan/settings/settings_lexer.c
+++ b/src/libstrongswan/settings/settings_lexer.c
@@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
yyg->yy_c_buf_p = yy_cp;
/* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
-#define YY_NUM_RULES 25
-#define YY_END_OF_BUFFER 26
+#define YY_NUM_RULES 26
+#define YY_END_OF_BUFFER 27
/* This struct is not used in this scanner,
but its presence is necessary. */
struct yy_trans_info
@@ -465,31 +465,32 @@ struct yy_trans_info
flex_int32_t yy_verify;
flex_int32_t yy_nxt;
};
-static yyconst flex_int16_t yy_accept[50] =
+static yyconst flex_int16_t yy_accept[52] =
{ 0,
- 0, 0, 0, 0, 0, 0, 26, 9, 2, 3,
+ 0, 0, 0, 0, 0, 0, 27, 9, 2, 3,
8, 1, 6, 9, 4, 5, 14, 10, 11, 12,
- 24, 16, 15, 17, 9, 2, 1, 1, 3, 9,
- 14, 13, 24, 23, 21, 22, 18, 19, 20, 1,
- 9, 9, 9, 9, 9, 0, 7, 7, 0
+ 25, 16, 15, 17, 9, 2, 1, 1, 3, 9,
+ 14, 13, 25, 24, 23, 24, 21, 22, 18, 19,
+ 20, 1, 9, 9, 9, 9, 9, 0, 7, 7,
+ 0
} ;
static yyconst flex_int32_t yy_ec[256] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 2, 3,
+ 1, 1, 4, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 5, 1, 6, 7, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 4, 1, 5, 6, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 8, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 7, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 8, 1, 1, 1, 1, 1, 9, 10, 11,
+ 1, 9, 1, 1, 1, 1, 1, 10, 11, 12,
- 12, 13, 1, 1, 14, 1, 1, 15, 1, 16,
- 1, 1, 1, 17, 1, 18, 19, 1, 1, 1,
- 1, 1, 20, 1, 21, 1, 1, 1, 1, 1,
+ 13, 14, 1, 1, 15, 1, 1, 16, 1, 17,
+ 1, 1, 1, 18, 1, 19, 20, 1, 1, 1,
+ 1, 1, 21, 1, 22, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
@@ -506,88 +507,92 @@ static yyconst flex_int32_t yy_ec[256] =
1, 1, 1, 1, 1
} ;
-static yyconst flex_int32_t yy_meta[22] =
+static yyconst flex_int32_t yy_meta[23] =
{ 0,
- 1, 2, 3, 4, 5, 4, 6, 7, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 8,
- 4
+ 1, 2, 3, 1, 4, 5, 4, 6, 7, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 8, 4
} ;
-static yyconst flex_int16_t yy_base[60] =
+static yyconst flex_int16_t yy_base[62] =
{ 0,
- 0, 0, 20, 40, 24, 28, 63, 0, 33, 145,
- 145, 57, 145, 43, 145, 145, 0, 145, 145, 0,
- 0, 145, 145, 53, 0, 45, 0, 55, 145, 47,
- 0, 145, 0, 145, 145, 145, 145, 145, 145, 0,
- 41, 35, 23, 18, 36, 48, 145, 51, 145, 71,
- 79, 87, 94, 102, 107, 112, 120, 128, 136
+ 0, 0, 21, 42, 26, 28, 63, 0, 31, 155,
+ 155, 59, 155, 44, 155, 155, 0, 155, 155, 0,
+ 0, 155, 155, 62, 0, 48, 0, 57, 155, 47,
+ 0, 155, 0, 155, 155, 49, 155, 155, 155, 155,
+ 155, 0, 30, 21, 28, 12, 37, 52, 155, 54,
+ 155, 81, 89, 97, 104, 112, 117, 122, 130, 138,
+ 146
} ;
-static yyconst flex_int16_t yy_def[60] =
+static yyconst flex_int16_t yy_def[62] =
{ 0,
- 49, 1, 50, 50, 51, 51, 49, 52, 49, 49,
- 49, 53, 49, 52, 49, 49, 54, 49, 49, 55,
- 56, 49, 49, 57, 52, 49, 58, 53, 49, 52,
- 54, 49, 56, 49, 49, 49, 49, 49, 49, 58,
- 52, 52, 52, 52, 52, 59, 49, 59, 0, 49,
- 49, 49, 49, 49, 49, 49, 49, 49, 49
+ 51, 1, 52, 52, 53, 53, 51, 54, 51, 51,
+ 51, 55, 51, 54, 51, 51, 56, 51, 51, 57,
+ 58, 51, 51, 59, 54, 51, 60, 55, 51, 54,
+ 56, 51, 58, 51, 51, 51, 51, 51, 51, 51,
+ 51, 60, 54, 54, 54, 54, 54, 61, 51, 61,
+ 0, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+ 51
} ;
-static yyconst flex_int16_t yy_nxt[167] =
+static yyconst flex_int16_t yy_nxt[178] =
{ 0,
- 8, 9, 10, 9, 11, 12, 13, 8, 8, 8,
- 8, 8, 8, 14, 8, 8, 8, 8, 8, 15,
- 16, 18, 18, 18, 19, 18, 22, 20, 23, 45,
- 22, 24, 23, 44, 26, 24, 26, 46, 27, 46,
- 18, 18, 18, 18, 19, 18, 26, 20, 26, 48,
- 27, 48, 48, 43, 48, 42, 41, 29, 30, 29,
- 18, 35, 49, 49, 49, 36, 49, 49, 37, 38,
- 39, 17, 17, 17, 17, 17, 17, 17, 17, 21,
- 21, 21, 21, 21, 21, 21, 21, 25, 49, 49,
- 49, 49, 49, 25, 28, 28, 28, 28, 28, 28,
-
- 28, 28, 31, 49, 49, 49, 49, 31, 49, 31,
- 32, 32, 33, 33, 49, 33, 49, 33, 49, 33,
- 34, 34, 34, 34, 34, 34, 34, 34, 40, 40,
- 49, 40, 40, 40, 40, 40, 47, 47, 47, 47,
- 47, 49, 47, 47, 7, 49, 49, 49, 49, 49,
- 49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
- 49, 49, 49, 49, 49, 49
+ 8, 9, 10, 8, 9, 11, 12, 13, 8, 8,
+ 8, 8, 8, 8, 14, 8, 8, 8, 8, 8,
+ 15, 16, 18, 18, 47, 18, 19, 18, 22, 20,
+ 22, 23, 26, 23, 24, 26, 24, 27, 48, 46,
+ 45, 48, 18, 18, 18, 44, 18, 19, 18, 26,
+ 20, 35, 26, 50, 27, 50, 50, 43, 50, 29,
+ 30, 29, 51, 18, 35, 36, 51, 51, 51, 51,
+ 51, 37, 51, 51, 51, 38, 51, 51, 39, 40,
+ 41, 17, 17, 17, 17, 17, 17, 17, 17, 21,
+ 21, 21, 21, 21, 21, 21, 21, 25, 51, 51,
+
+ 51, 51, 51, 25, 28, 28, 28, 28, 28, 28,
+ 28, 28, 31, 51, 51, 51, 51, 31, 51, 31,
+ 32, 32, 33, 33, 51, 33, 51, 33, 51, 33,
+ 34, 34, 34, 34, 34, 34, 34, 34, 42, 42,
+ 51, 42, 42, 42, 42, 42, 49, 49, 49, 49,
+ 49, 51, 49, 49, 7, 51, 51, 51, 51, 51,
+ 51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+ 51, 51, 51, 51, 51, 51, 51
} ;
-static yyconst flex_int16_t yy_chk[167] =
+static yyconst flex_int16_t yy_chk[178] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 3, 3, 3, 3, 3, 5, 3, 5, 44,
- 6, 5, 6, 43, 9, 6, 9, 45, 9, 45,
- 3, 4, 4, 4, 4, 4, 26, 4, 26, 46,
- 26, 46, 48, 42, 48, 41, 30, 28, 14, 12,
- 4, 24, 7, 0, 0, 24, 0, 0, 24, 24,
- 24, 50, 50, 50, 50, 50, 50, 50, 50, 51,
- 51, 51, 51, 51, 51, 51, 51, 52, 0, 0,
- 0, 0, 0, 52, 53, 53, 53, 53, 53, 53,
-
- 53, 53, 54, 0, 0, 0, 0, 54, 0, 54,
- 55, 55, 56, 56, 0, 56, 0, 56, 0, 56,
- 57, 57, 57, 57, 57, 57, 57, 57, 58, 58,
- 0, 58, 58, 58, 58, 58, 59, 59, 59, 59,
- 59, 0, 59, 59, 49, 49, 49, 49, 49, 49,
- 49, 49, 49, 49, 49, 49, 49, 49, 49, 49,
- 49, 49, 49, 49, 49, 49
+ 1, 1, 3, 3, 46, 3, 3, 3, 5, 3,
+ 6, 5, 9, 6, 5, 9, 6, 9, 47, 45,
+ 44, 47, 3, 4, 4, 43, 4, 4, 4, 26,
+ 4, 36, 26, 48, 26, 50, 48, 30, 50, 28,
+ 14, 12, 7, 4, 24, 24, 0, 0, 0, 0,
+ 0, 24, 0, 0, 0, 24, 0, 0, 24, 24,
+ 24, 52, 52, 52, 52, 52, 52, 52, 52, 53,
+ 53, 53, 53, 53, 53, 53, 53, 54, 0, 0,
+
+ 0, 0, 0, 54, 55, 55, 55, 55, 55, 55,
+ 55, 55, 56, 0, 0, 0, 0, 56, 0, 56,
+ 57, 57, 58, 58, 0, 58, 0, 58, 0, 58,
+ 59, 59, 59, 59, 59, 59, 59, 59, 60, 60,
+ 0, 60, 60, 60, 60, 60, 61, 61, 61, 61,
+ 61, 0, 61, 61, 51, 51, 51, 51, 51, 51,
+ 51, 51, 51, 51, 51, 51, 51, 51, 51, 51,
+ 51, 51, 51, 51, 51, 51, 51
} ;
/* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[26] =
+static yyconst flex_int32_t yy_rule_can_match_eol[27] =
{ 0,
0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0,
- 0, 0, 0, 1, 0, 0, };
+ 0, 0, 0, 1, 0, 0, 0, };
-static yyconst flex_int16_t yy_rule_linenum[25] =
+static yyconst flex_int16_t yy_rule_linenum[26] =
{ 0,
59, 60, 61, 63, 64, 65, 67, 72, 77, 85,
105, 108, 111, 114, 120, 122, 123, 146, 147, 148,
- 149, 150, 151, 154
+ 149, 150, 151, 152, 153
} ;
/* The intent behind this definition is that it'll catch
@@ -635,7 +640,7 @@ static void include_files(parser_helper_t *ctx);
/* state used to scan quoted strings */
-#line 639 "settings/settings_lexer.c"
+#line 644 "settings/settings_lexer.c"
#define INITIAL 0
#define inc 1
@@ -947,7 +952,7 @@ YY_DECL
#line 57 "settings/settings_lexer.l"
-#line 951 "settings/settings_lexer.c"
+#line 956 "settings/settings_lexer.c"
yylval = yylval_param;
@@ -1012,13 +1017,13 @@ yy_match:
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 50 )
+ if ( yy_current_state >= 52 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
++yy_cp;
}
- while ( yy_base[yy_current_state] != 145 );
+ while ( yy_base[yy_current_state] != 155 );
yy_find_action:
/* %% [10.0] code to find the action number goes here */
@@ -1053,13 +1058,13 @@ do_action: /* This label is used only to access EOF actions. */
{
if ( yy_act == 0 )
fprintf( stderr, "--scanner backing up\n" );
- else if ( yy_act < 25 )
+ else if ( yy_act < 26 )
fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n",
(long)yy_rule_linenum[yy_act], yytext );
- else if ( yy_act == 25 )
+ else if ( yy_act == 26 )
fprintf( stderr, "--accepting default rule (\"%s\")\n",
yytext );
- else if ( yy_act == 26 )
+ else if ( yy_act == 27 )
fprintf( stderr, "--(end of buffer or a NUL)\n" );
else
fprintf( stderr, "--EOF (start condition %d)\n", YY_START );
@@ -1251,20 +1256,23 @@ case 23:
/* rule 23 can match eol */
YY_RULE_SETUP
#line 151 "settings/settings_lexer.l"
-{
- yyextra->string_add(yyextra, yytext+1);
- }
+/* merge lines that end with EOL characters */
YY_BREAK
case 24:
YY_RULE_SETUP
-#line 154 "settings/settings_lexer.l"
+#line 152 "settings/settings_lexer.l"
+yyextra->string_add(yyextra, yytext+1);
+ YY_BREAK
+case 25:
+YY_RULE_SETUP
+#line 153 "settings/settings_lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
YY_BREAK
case YY_STATE_EOF(INITIAL):
-#line 159 "settings/settings_lexer.l"
+#line 158 "settings/settings_lexer.l"
{
settings_parser_pop_buffer_state(yyscanner);
if (!settings_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1273,12 +1281,12 @@ case YY_STATE_EOF(INITIAL):
}
}
YY_BREAK
-case 25:
+case 26:
YY_RULE_SETUP
-#line 167 "settings/settings_lexer.l"
+#line 166 "settings/settings_lexer.l"
YY_FATAL_ERROR( "flex scanner jammed" );
YY_BREAK
-#line 1282 "settings/settings_lexer.c"
+#line 1290 "settings/settings_lexer.c"
case YY_END_OF_BUFFER:
{
@@ -1591,7 +1599,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 50 )
+ if ( yy_current_state >= 52 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -1625,11 +1633,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 50 )
+ if ( yy_current_state >= 52 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
- yy_is_jam = (yy_current_state == 49);
+ yy_is_jam = (yy_current_state == 51);
return yy_is_jam ? 0 : yy_current_state;
}
@@ -2646,7 +2654,7 @@ void settings_parser_free (void * ptr , yyscan_t yyscanner)
/* %ok-for-header */
-#line 167 "settings/settings_lexer.l"
+#line 166 "settings/settings_lexer.l"
diff --git a/src/libstrongswan/settings/settings_lexer.l b/src/libstrongswan/settings/settings_lexer.l
index c6546f464..176387f1f 100644
--- a/src/libstrongswan/settings/settings_lexer.l
+++ b/src/libstrongswan/settings/settings_lexer.l
@@ -148,9 +148,8 @@ static void include_files(parser_helper_t *ctx);
\\t yyextra->string_add(yyextra, "\t");
\\b yyextra->string_add(yyextra, "\b");
\\f yyextra->string_add(yyextra, "\f");
- \\(.|\n) {
- yyextra->string_add(yyextra, yytext+1);
- }
+ \\\r?\n /* merge lines that end with EOL characters */
+ \\. yyextra->string_add(yyextra, yytext+1);
[^\\\n"]+ {
yyextra->string_add(yyextra, yytext);
}
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index 7ecba19da..8c081c673 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -29,6 +29,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_enum.c \
suites/test_hashtable.c \
suites/test_identification.c \
+ suites/test_traffic_selector.c \
suites/test_threading.c \
suites/test_process.c \
suites/test_watcher.c \
@@ -40,6 +41,8 @@ tests_SOURCES = tests.h tests.c \
suites/test_array.c \
suites/test_ecdsa.c \
suites/test_rsa.c \
+ suites/test_certpolicy.c \
+ suites/test_certnames.c \
suites/test_host.c \
suites/test_hasher.c \
suites/test_crypter.c \
@@ -49,6 +52,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_asn1_parser.c \
suites/test_printf.c \
suites/test_test_rng.c \
+ suites/test_mgf1.c \
suites/test_ntru.c
tests_CFLAGS = \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 3268b5488..97e24bdb7 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -125,6 +125,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
suites/tests-test_enum.$(OBJEXT) \
suites/tests-test_hashtable.$(OBJEXT) \
suites/tests-test_identification.$(OBJEXT) \
+ suites/tests-test_traffic_selector.$(OBJEXT) \
suites/tests-test_threading.$(OBJEXT) \
suites/tests-test_process.$(OBJEXT) \
suites/tests-test_watcher.$(OBJEXT) \
@@ -136,6 +137,8 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
suites/tests-test_array.$(OBJEXT) \
suites/tests-test_ecdsa.$(OBJEXT) \
suites/tests-test_rsa.$(OBJEXT) \
+ suites/tests-test_certpolicy.$(OBJEXT) \
+ suites/tests-test_certnames.$(OBJEXT) \
suites/tests-test_host.$(OBJEXT) \
suites/tests-test_hasher.$(OBJEXT) \
suites/tests-test_crypter.$(OBJEXT) \
@@ -145,6 +148,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
suites/tests-test_asn1_parser.$(OBJEXT) \
suites/tests-test_printf.$(OBJEXT) \
suites/tests-test_test_rng.$(OBJEXT) \
+ suites/tests-test_mgf1.$(OBJEXT) \
suites/tests-test_ntru.$(OBJEXT)
tests_OBJECTS = $(am_tests_OBJECTS)
tests_DEPENDENCIES = \
@@ -260,6 +264,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -320,10 +325,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -397,6 +404,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -480,6 +489,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_enum.c \
suites/test_hashtable.c \
suites/test_identification.c \
+ suites/test_traffic_selector.c \
suites/test_threading.c \
suites/test_process.c \
suites/test_watcher.c \
@@ -491,6 +501,8 @@ tests_SOURCES = tests.h tests.c \
suites/test_array.c \
suites/test_ecdsa.c \
suites/test_rsa.c \
+ suites/test_certpolicy.c \
+ suites/test_certnames.c \
suites/test_host.c \
suites/test_hasher.c \
suites/test_crypter.c \
@@ -500,6 +512,7 @@ tests_SOURCES = tests.h tests.c \
suites/test_asn1_parser.c \
suites/test_printf.c \
suites/test_test_rng.c \
+ suites/test_mgf1.c \
suites/test_ntru.c
tests_CFLAGS = \
@@ -603,6 +616,8 @@ suites/tests-test_hashtable.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_identification.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_traffic_selector.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_threading.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_process.$(OBJEXT): suites/$(am__dirstamp) \
@@ -625,6 +640,10 @@ suites/tests-test_ecdsa.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_rsa.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_certpolicy.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \
@@ -643,6 +662,8 @@ suites/tests-test_printf.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_test_rng.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_mgf1.$(OBJEXT): suites/$(am__dirstamp) \
+ suites/$(DEPDIR)/$(am__dirstamp)
suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \
suites/$(DEPDIR)/$(am__dirstamp)
@@ -667,6 +688,8 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certpolicy.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_chunk.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypter.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_crypto_factory.Po@am__quote@
@@ -680,6 +703,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_identification.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_linked_list_enumerator.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_mgf1.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_ntru.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_pen.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_printf.Po@am__quote@
@@ -689,6 +713,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_stream.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_test_rng.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_threading.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_traffic_selector.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_utils.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_vectors.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_watcher.Po@am__quote@
@@ -879,6 +904,20 @@ suites/tests-test_identification.obj: suites/test_identification.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_identification.obj `if test -f 'suites/test_identification.c'; then $(CYGPATH_W) 'suites/test_identification.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_identification.c'; fi`
+suites/tests-test_traffic_selector.o: suites/test_traffic_selector.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.o -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.o `test -f 'suites/test_traffic_selector.c' || echo '$(srcdir)/'`suites/test_traffic_selector.c
+
+suites/tests-test_traffic_selector.obj: suites/test_traffic_selector.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_traffic_selector.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_traffic_selector.Tpo -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_traffic_selector.Tpo suites/$(DEPDIR)/tests-test_traffic_selector.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_traffic_selector.c' object='suites/tests-test_traffic_selector.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_traffic_selector.obj `if test -f 'suites/test_traffic_selector.c'; then $(CYGPATH_W) 'suites/test_traffic_selector.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_traffic_selector.c'; fi`
+
suites/tests-test_threading.o: suites/test_threading.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_threading.o -MD -MP -MF suites/$(DEPDIR)/tests-test_threading.Tpo -c -o suites/tests-test_threading.o `test -f 'suites/test_threading.c' || echo '$(srcdir)/'`suites/test_threading.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_threading.Tpo suites/$(DEPDIR)/tests-test_threading.Po
@@ -1033,6 +1072,34 @@ suites/tests-test_rsa.obj: suites/test_rsa.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_rsa.obj `if test -f 'suites/test_rsa.c'; then $(CYGPATH_W) 'suites/test_rsa.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_rsa.c'; fi`
+suites/tests-test_certpolicy.o: suites/test_certpolicy.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.o `test -f 'suites/test_certpolicy.c' || echo '$(srcdir)/'`suites/test_certpolicy.c
+
+suites/tests-test_certpolicy.obj: suites/test_certpolicy.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certpolicy.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certpolicy.Tpo -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certpolicy.Tpo suites/$(DEPDIR)/tests-test_certpolicy.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certpolicy.c' object='suites/tests-test_certpolicy.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certpolicy.obj `if test -f 'suites/test_certpolicy.c'; then $(CYGPATH_W) 'suites/test_certpolicy.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certpolicy.c'; fi`
+
+suites/tests-test_certnames.o: suites/test_certnames.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.o -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.o `test -f 'suites/test_certnames.c' || echo '$(srcdir)/'`suites/test_certnames.c
+
+suites/tests-test_certnames.obj: suites/test_certnames.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_certnames.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_certnames.Tpo -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_certnames.Tpo suites/$(DEPDIR)/tests-test_certnames.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_certnames.c' object='suites/tests-test_certnames.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_certnames.obj `if test -f 'suites/test_certnames.c'; then $(CYGPATH_W) 'suites/test_certnames.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_certnames.c'; fi`
+
suites/tests-test_host.o: suites/test_host.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_host.o -MD -MP -MF suites/$(DEPDIR)/tests-test_host.Tpo -c -o suites/tests-test_host.o `test -f 'suites/test_host.c' || echo '$(srcdir)/'`suites/test_host.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_host.Tpo suites/$(DEPDIR)/tests-test_host.Po
@@ -1159,6 +1226,20 @@ suites/tests-test_test_rng.obj: suites/test_test_rng.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_test_rng.obj `if test -f 'suites/test_test_rng.c'; then $(CYGPATH_W) 'suites/test_test_rng.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_test_rng.c'; fi`
+suites/tests-test_mgf1.o: suites/test_mgf1.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.o -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.o `test -f 'suites/test_mgf1.c' || echo '$(srcdir)/'`suites/test_mgf1.c
+
+suites/tests-test_mgf1.obj: suites/test_mgf1.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_mgf1.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_mgf1.Tpo -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_mgf1.Tpo suites/$(DEPDIR)/tests-test_mgf1.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_mgf1.c' object='suites/tests-test_mgf1.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_mgf1.obj `if test -f 'suites/test_mgf1.c'; then $(CYGPATH_W) 'suites/test_mgf1.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_mgf1.c'; fi`
+
suites/tests-test_ntru.o: suites/test_ntru.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ntru.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ntru.Tpo -c -o suites/tests-test_ntru.o `test -f 'suites/test_ntru.c' || echo '$(srcdir)/'`suites/test_ntru.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ntru.Tpo suites/$(DEPDIR)/tests-test_ntru.Po
diff --git a/src/libstrongswan/tests/suites/test_certnames.c b/src/libstrongswan/tests/suites/test_certnames.c
new file mode 100644
index 000000000..e30702864
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_certnames.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <asn1/asn1.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * RSA private key, so we don't have to generate one
+ */
+static char keydata[] = {
+ 0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24,
+ 0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d,
+ 0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf,
+ 0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f,
+ 0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27,
+ 0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad,
+ 0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63,
+ 0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71,
+ 0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01,
+ 0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5,
+ 0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4,
+ 0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb,
+ 0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f,
+ 0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93,
+ 0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88,
+ 0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4,
+ 0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd,
+ 0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b,
+ 0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21,
+ 0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee,
+ 0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7,
+ 0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4,
+ 0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54,
+ 0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9,
+ 0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7,
+ 0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61,
+ 0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef,
+ 0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6,
+ 0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08,
+ 0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65,
+ 0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e,
+ 0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e,
+ 0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d,
+ 0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02,
+ 0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b,
+ 0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71,
+ 0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda,
+ 0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02,
+ 0x49,0xe8,
+};
+
+/**
+ * Issue a certificate with permitted/excluded name constraints
+ */
+static certificate_t* create_cert(certificate_t *ca, char *subject, char *san,
+ x509_flag_t flags, identification_t *permitted,
+ identification_t *excluded)
+{
+ private_key_t *privkey;
+ public_key_t *pubkey;
+ certificate_t *cert;
+ identification_t *id;
+ linked_list_t *plist, *elist, *sans;
+
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata),
+ BUILD_END);
+ ck_assert(privkey);
+ pubkey = privkey->get_public_key(privkey);
+ ck_assert(pubkey);
+ plist = linked_list_create();
+ if (permitted)
+ {
+ plist->insert_last(plist, permitted);
+ }
+ elist = linked_list_create();
+ if (excluded)
+ {
+ elist->insert_last(elist, excluded);
+ }
+ sans = linked_list_create();
+ if (san)
+ {
+ id = identification_create_from_string(san);
+ sans->insert_last(sans, id);
+ }
+ id = identification_create_from_string(subject);
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_SIGNING_KEY, privkey,
+ BUILD_PUBLIC_KEY, pubkey,
+ BUILD_SUBJECT, id,
+ BUILD_X509_FLAG, flags,
+ BUILD_SIGNING_CERT, ca,
+ BUILD_SUBJECT_ALTNAMES, sans,
+ BUILD_PERMITTED_NAME_CONSTRAINTS, plist,
+ BUILD_EXCLUDED_NAME_CONSTRAINTS, elist,
+ BUILD_END);
+ ck_assert(cert);
+ id->destroy(id);
+ sans->destroy_offset(sans, offsetof(identification_t, destroy));
+ plist->destroy_offset(plist, offsetof(identification_t, destroy));
+ elist->destroy_offset(elist, offsetof(identification_t, destroy));
+ privkey->destroy(privkey);
+ pubkey->destroy(pubkey);
+
+ return cert;
+}
+
+/**
+ * Check if a certificate with given subject has a valid trustchain
+ */
+static bool check_trust(identification_t *subject)
+{
+ enumerator_t *certs;
+ certificate_t *cert;
+ bool trusted;
+
+ certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+ subject, FALSE);
+ trusted = certs->enumerate(certs, &cert, NULL);
+ certs->destroy(certs);
+
+ return trusted;
+}
+
+static mem_cred_t *creds;
+
+START_SETUP(setup)
+{
+ creds = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
+}
+END_SETUP
+
+START_TEARDOWN(teardown)
+{
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
+ lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+}
+END_TEARDOWN
+
+static struct {
+ char *constraint;
+ char *subject;
+ bool good;
+} permitted_dn[] = {
+ { "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", TRUE },
+ { "C=CH, O=strongSwan", "C=CH, O=strong", FALSE },
+ { "C=CH, O=strongSwan", "C=CH, O=strong, CN=tester", FALSE },
+ { "C=CH, O=strongSwan", "C=CH, O=another, CN=tester", FALSE },
+ { "C=CH, O=strongSwan", "C=CH, CN=tester, O=strongSwan", FALSE },
+};
+
+START_TEST(test_permitted_dn)
+{
+ certificate_t *ca, *im, *sj;
+ identification_t *id;
+
+ id = identification_create_from_string(permitted_dn[_i].constraint);
+ ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, id, NULL);
+ id = identification_create_from_string(permitted_dn[_i].constraint);
+ im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, id, NULL);
+ sj = create_cert(im, permitted_dn[_i].subject, NULL, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_trust(sj->get_subject(sj)) == permitted_dn[_i].good);
+}
+END_TEST
+
+static struct {
+ id_type_t ctype;
+ char *cdata;
+ char *subject;
+ bool good;
+} permitted_san[] = {
+ { ID_FQDN, ".strongswan.org", "test.strongswan.org", TRUE },
+ { ID_FQDN, "strongswan.org", "test.strongswan.org", TRUE },
+ { ID_FQDN, "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", TRUE },
+ { ID_FQDN, "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", FALSE },
+ { ID_FQDN, "strongswan.org", "strongswan.org.com", FALSE },
+ { ID_FQDN, ".strongswan.org", "strongswan.org", FALSE },
+ { ID_FQDN, "strongswan.org", "nostrongswan.org", FALSE },
+ { ID_FQDN, "strongswan.org", "swan.org", FALSE },
+ { ID_FQDN, "strongswan.org", "swan.org", FALSE },
+ { ID_RFC822_ADDR, "tester@strongswan.org", "tester@strongswan.org", TRUE },
+ { ID_RFC822_ADDR, "tester@strongswan.org", "atester@strongswan.org", FALSE },
+ { ID_RFC822_ADDR, "strongswan.org", "tester@strongswan.org", TRUE },
+ { ID_RFC822_ADDR, "strongswan.org", "tester@test.strongswan.org", FALSE },
+ { ID_RFC822_ADDR, ".strongswan.org", "tester@test.strongswan.org", TRUE },
+ { ID_RFC822_ADDR, ".strongswan.org", "tester@strongswan.org", FALSE },
+};
+
+START_TEST(test_permitted_san)
+{
+ certificate_t *ca, *sj;
+ identification_t *id;
+
+ id = identification_create_from_encoding(permitted_san[_i].ctype,
+ chunk_from_str(permitted_san[_i].cdata));
+ ca = create_cert(NULL, "CN=CA", NULL, X509_CA, id, NULL);
+ sj = create_cert(ca, "CN=SJ", permitted_san[_i].subject, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_trust(sj->get_subject(sj)) == permitted_san[_i].good);
+}
+END_TEST
+
+static struct {
+ char *constraint;
+ char *subject;
+ bool good;
+} excluded_dn[] = {
+ { "C=CH, O=another", "C=CH, O=strongSwan, CN=tester", TRUE },
+ { "C=CH, O=another", "C=CH, O=anot", TRUE },
+ { "C=CH, O=another", "C=CH, O=anot, CN=tester", TRUE },
+ { "C=CH, O=another", "C=CH, O=another, CN=tester", FALSE },
+ { "C=CH, O=another", "C=CH, CN=tester, O=another", TRUE },
+};
+
+START_TEST(test_excluded_dn)
+{
+ certificate_t *ca, *im, *sj;
+ identification_t *id;
+
+ id = identification_create_from_string(excluded_dn[_i].constraint);
+ ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, NULL, id);
+ id = identification_create_from_string(excluded_dn[_i].constraint);
+ im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, NULL, id);
+ sj = create_cert(im, excluded_dn[_i].subject, NULL, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_trust(sj->get_subject(sj)) == excluded_dn[_i].good);
+}
+END_TEST
+
+static struct {
+ id_type_t ctype;
+ char *cdata;
+ char *subject;
+ bool good;
+} excluded_san[] = {
+ { ID_FQDN, ".strongswan.org", "test.strongswan.org", FALSE },
+ { ID_FQDN, "strongswan.org", "test.strongswan.org", FALSE },
+ { ID_FQDN, "a.b.c.strongswan.org", "d.a.b.c.strongswan.org", FALSE },
+ { ID_FQDN, "a.b.c.strongswan.org", "a.b.c.d.strongswan.org", TRUE },
+ { ID_FQDN, "strongswan.org", "strongswan.org.com", TRUE },
+ { ID_FQDN, ".strongswan.org", "strongswan.org", TRUE },
+ { ID_FQDN, "strongswan.org", "nostrongswan.org", TRUE },
+ { ID_FQDN, "strongswan.org", "swan.org", TRUE },
+ { ID_FQDN, "strongswan.org", "swan.org", TRUE },
+ { ID_RFC822_ADDR, "tester@strongswan.org", "tester@strongswan.org", FALSE },
+ { ID_RFC822_ADDR, "tester@strongswan.org", "atester@strongswan.org", TRUE },
+ { ID_RFC822_ADDR, "strongswan.org", "tester@strongswan.org", FALSE },
+ { ID_RFC822_ADDR, "strongswan.org", "tester@test.strongswan.org", TRUE },
+ { ID_RFC822_ADDR, ".strongswan.org", "tester@test.strongswan.org", FALSE },
+ { ID_RFC822_ADDR, ".strongswan.org", "tester@strongswan.org", TRUE },
+};
+
+START_TEST(test_excluded_san)
+{
+ certificate_t *ca, *sj;
+ identification_t *id;
+
+ id = identification_create_from_encoding(excluded_san[_i].ctype,
+ chunk_from_str(excluded_san[_i].cdata));
+ ca = create_cert(NULL, "CN=CA", NULL, X509_CA, NULL, id);
+ sj = create_cert(ca, "CN=SJ", excluded_san[_i].subject, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_trust(sj->get_subject(sj)) == excluded_san[_i].good);
+}
+END_TEST
+
+static struct {
+ char *caconst;
+ char *imconst;
+ char *subject;
+ bool good;
+} permitted_dninh[] = {
+ { "C=CH", "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", TRUE },
+ { "C=CH", "C=DE, O=strongSwan", "C=CH, O=strongSwan, CN=tester", FALSE },
+ { "C=CH, O=strongSwan", "C=CH", "C=CH", FALSE },
+};
+
+START_TEST(test_permitted_dninh)
+{
+ certificate_t *ca, *im, *sj;
+ identification_t *id;
+
+ id = identification_create_from_string(permitted_dninh[_i].caconst);
+ ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, id, NULL);
+ id = identification_create_from_string(permitted_dninh[_i].imconst);
+ im = create_cert(ca, "C=CH, O=strongSwan, CN=IM", NULL, X509_CA, id, NULL);
+ sj = create_cert(im, permitted_dninh[_i].subject, NULL, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_trust(sj->get_subject(sj)) == permitted_dninh[_i].good);
+}
+END_TEST
+
+static struct {
+ char *caconst;
+ char *imconst;
+ char *subject;
+ bool good;
+} excluded_dninh[] = {
+ { "C=CH, O=strongSwan", "C=CH", "C=DE", TRUE },
+ { "C=CH, O=strongSwan", "C=DE", "C=CH", FALSE },
+ { "C=CH", "C=CH, O=strongSwan", "C=CH, O=strongSwan, CN=tester", FALSE },
+};
+
+START_TEST(test_excluded_dninh)
+{
+ certificate_t *ca, *im, *sj;
+ identification_t *id;
+
+ id = identification_create_from_string(excluded_dninh[_i].caconst);
+ ca = create_cert(NULL, "C=CH, O=strongSwan, CN=CA", NULL, X509_CA, NULL, id);
+ id = identification_create_from_string(excluded_dninh[_i].imconst);
+ im = create_cert(ca, "C=DE, CN=IM", NULL, X509_CA, NULL, id);
+ sj = create_cert(im, excluded_dninh[_i].subject, NULL, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_trust(sj->get_subject(sj)) == excluded_dninh[_i].good);
+}
+END_TEST
+
+Suite *certnames_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("certnames");
+
+ tc = tcase_create("permitted DN name constraints");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_loop_test(tc, test_permitted_dn, 0, countof(permitted_dn));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("permitted subjectAltName constraints");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_loop_test(tc, test_permitted_san, 0, countof(permitted_san));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("excluded DN constraints");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_loop_test(tc, test_excluded_dn, 0, countof(excluded_dn));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("excluded subjectAltName constraints");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_loop_test(tc, test_excluded_san, 0, countof(excluded_san));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("permitted DN name constraint inherit");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_loop_test(tc, test_permitted_dninh, 0, countof(permitted_dninh));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("excluded DN name constraint inherit");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_loop_test(tc, test_excluded_dninh, 0, countof(excluded_dninh));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_certpolicy.c b/src/libstrongswan/tests/suites/test_certpolicy.c
new file mode 100644
index 000000000..7501e1a8b
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_certpolicy.c
@@ -0,0 +1,637 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <asn1/asn1.h>
+#include <credentials/sets/mem_cred.h>
+#include <credentials/certificates/x509.h>
+
+/**
+ * RSA private key, so we don't have to generate one
+ */
+static char keydata[] = {
+ 0x30,0x82,0x02,0x5e,0x02,0x01,0x00,0x02,0x81,0x81,0x00,0xb1,0x9b,0xd4,0x51,0x24,
+ 0xfc,0x56,0x1d,0x3d,0xfb,0xa2,0xea,0x37,0x02,0x70,0x72,0x87,0x84,0x2f,0x3b,0x2d,
+ 0x6e,0x22,0xef,0x3f,0x37,0x04,0xb2,0x6f,0xb7,0xe7,0xd8,0x58,0x05,0xde,0x34,0xbf,
+ 0x99,0xe6,0x40,0x7a,0x56,0xa7,0x73,0xf5,0x98,0xcb,0xb0,0x37,0x90,0x5e,0xd1,0x3f,
+ 0xf4,0x73,0x50,0x7f,0x53,0x8e,0xf1,0x04,0x25,0xb4,0x77,0x22,0x4e,0x8a,0x9d,0x27,
+ 0x8f,0x6f,0xaf,0x59,0xbd,0xb0,0x0f,0xf0,0xaa,0x11,0x94,0x66,0x16,0x10,0x58,0xad,
+ 0x77,0xa1,0xac,0x58,0xb4,0xd0,0x0d,0xbc,0x11,0xe0,0xc0,0xe9,0x29,0xdc,0x42,0x63,
+ 0x01,0x23,0x4f,0x28,0x41,0x6d,0x34,0x9e,0x0c,0x4a,0xc8,0x62,0x83,0xb5,0x71,0x71,
+ 0x0b,0x51,0xc0,0x4c,0x37,0xd4,0x68,0x19,0x52,0x9a,0x8b,0x02,0x03,0x01,0x00,0x01,
+ 0x02,0x81,0x81,0x00,0x82,0xca,0x33,0x16,0xb2,0x3a,0xd4,0x1b,0x62,0x9a,0x9c,0xc5,
+ 0x07,0x4f,0x57,0x89,0x2f,0x7c,0x4a,0xdf,0xb4,0x3b,0xc7,0xa4,0x11,0x14,0x2d,0xf4,
+ 0x4c,0xca,0xcc,0x03,0x88,0x06,0x82,0x34,0xab,0xe7,0xe4,0x24,0x15,0x33,0x1c,0xcb,
+ 0x0a,0xcf,0xc3,0x27,0x78,0x33,0x6b,0x6f,0x82,0x3e,0x3c,0x70,0xc9,0xe2,0xb9,0x7f,
+ 0x88,0xc3,0x4f,0x59,0xb5,0x8e,0xa3,0x81,0xd9,0x88,0x1f,0xc0,0x38,0xbc,0xc8,0x93,
+ 0x40,0x0f,0x43,0xd8,0x72,0x12,0xb4,0xcc,0x6d,0x76,0x0a,0x6f,0x01,0x05,0xa8,0x88,
+ 0xf4,0x57,0x44,0xd2,0x05,0xc4,0x77,0xf5,0xfb,0x1b,0xf3,0xb2,0x0d,0x90,0xb8,0xb4,
+ 0x63,0x62,0x70,0x2c,0xe4,0x28,0xd8,0x20,0x10,0x85,0x4a,0x5e,0x63,0xa9,0xb0,0xdd,
+ 0xba,0xd0,0x32,0x49,0x02,0x41,0x00,0xdb,0x77,0xf1,0xdd,0x1a,0x12,0xc5,0xfb,0x2b,
+ 0x5b,0xb2,0xcd,0xb6,0xd0,0x4c,0xc4,0xe5,0x93,0xd6,0xf8,0x88,0xfc,0x18,0x40,0x21,
+ 0x9c,0xf7,0x2d,0x60,0x6f,0x91,0xf5,0x73,0x3c,0xf7,0x7f,0x67,0x1d,0x5b,0xb5,0xee,
+ 0x29,0xc1,0xd4,0xc6,0xdb,0x44,0x4c,0x40,0x05,0x63,0xaa,0x71,0x95,0x18,0x14,0xa7,
+ 0x23,0x9f,0x7a,0xee,0x7f,0xb5,0xc7,0x02,0x41,0x00,0xcf,0x2c,0x24,0x50,0x65,0xf4,
+ 0x94,0x7b,0xe9,0xf3,0x13,0x77,0xea,0x27,0x3c,0x6f,0x03,0x84,0xa7,0x7d,0xa2,0x54,
+ 0x40,0x97,0x82,0x0e,0xd9,0x09,0x9f,0x4a,0xa6,0x75,0xe5,0x66,0xe4,0x9c,0x59,0xd9,
+ 0x3a,0xe6,0xf7,0xd8,0x8b,0x68,0xb0,0x21,0x52,0x31,0xb3,0x4a,0xa0,0x2c,0x41,0xd7,
+ 0x1f,0x7b,0xe2,0x0f,0x15,0xc9,0x6e,0xc0,0xe5,0x1d,0x02,0x41,0x00,0x9c,0x1a,0x61,
+ 0x9f,0x89,0xc7,0x26,0xa9,0x33,0xba,0xe2,0xa0,0x6d,0xd3,0x15,0x77,0xcb,0x6f,0xef,
+ 0xad,0x12,0x0a,0x75,0xd9,0x4f,0xcf,0x4d,0x05,0x2a,0x9d,0xd1,0x2c,0xcb,0xcd,0xe6,
+ 0xa0,0xe9,0x20,0x39,0xb6,0x5a,0xf3,0xba,0x99,0xf4,0xe3,0xcb,0x5d,0x8d,0x00,0x08,
+ 0x57,0x18,0xb9,0x1a,0xca,0xbd,0xe3,0x99,0xb1,0x1f,0xe9,0x18,0xcb,0x02,0x40,0x65,
+ 0x35,0x1b,0x48,0x6b,0x86,0x60,0x43,0x68,0xb6,0xe6,0xfb,0xdd,0xd7,0xed,0x1e,0x0e,
+ 0x89,0xef,0x88,0xe0,0x94,0x68,0x39,0x9b,0xbf,0xc5,0x27,0x7e,0x39,0xe9,0xb8,0x0e,
+ 0xa9,0x85,0x65,0x1c,0x3f,0x93,0x16,0xe2,0x5d,0x57,0x3d,0x7d,0x4d,0xc9,0xe9,0x9d,
+ 0xbd,0x07,0x22,0x97,0xc7,0x90,0x09,0xe5,0x15,0x99,0x7f,0x1e,0x2b,0xfd,0xc1,0x02,
+ 0x41,0x00,0x92,0x78,0xfe,0x04,0xa0,0x53,0xed,0x36,0x97,0xbd,0x16,0xce,0x91,0x9b,
+ 0xbe,0x1f,0x8e,0x40,0x00,0x99,0x0c,0x49,0x15,0xca,0x59,0xd3,0xe3,0xd4,0xeb,0x71,
+ 0xcf,0xda,0xd7,0xc8,0x99,0x74,0xfc,0x6b,0xe8,0xfd,0xe5,0xe0,0x49,0x61,0xcb,0xda,
+ 0xe3,0xe7,0x8b,0x72,0xb5,0x69,0x73,0x2b,0x8b,0x54,0xcb,0xd9,0x48,0x6d,0x61,0x02,
+ 0x49,0xe8,
+};
+
+/**
+ * Issue a certificate fr given policy, including extended flags
+ */
+static certificate_t* create_cert_ext(certificate_t *ca, char *subject,
+ char *oid, x509_flag_t flags,
+ char *map_s, char *map_i,
+ u_int require_explicit,
+ u_int inhibit_mapping,
+ u_int inhibit_any)
+{
+ private_key_t *privkey;
+ public_key_t *pubkey;
+ certificate_t *cert;
+ identification_t *id;
+ linked_list_t *policies, *maps;
+ x509_cert_policy_t policy = {};
+ x509_policy_mapping_t map = {};
+
+ privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
+ BUILD_BLOB_ASN1_DER, chunk_from_thing(keydata),
+ BUILD_END);
+ ck_assert(privkey);
+ pubkey = privkey->get_public_key(privkey);
+ ck_assert(pubkey);
+ policies = linked_list_create();
+ if (oid)
+ {
+ policy.oid = asn1_oid_from_string(oid);
+ ck_assert(policy.oid.ptr);
+ policies->insert_last(policies, &policy);
+ }
+ maps = linked_list_create();
+ if (map_s && map_i)
+ {
+ map.subject = asn1_oid_from_string(map_s);
+ ck_assert(map.subject.ptr);
+ map.issuer = asn1_oid_from_string(map_i);
+ ck_assert(map.issuer.ptr);
+ maps->insert_last(maps, &map);
+ }
+ id = identification_create_from_string(subject);
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_SIGNING_KEY, privkey,
+ BUILD_PUBLIC_KEY, pubkey,
+ BUILD_SUBJECT, id,
+ BUILD_X509_FLAG, flags,
+ BUILD_CERTIFICATE_POLICIES, policies,
+ BUILD_POLICY_MAPPINGS, maps,
+ BUILD_SIGNING_CERT, ca,
+ BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit,
+ BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping,
+ BUILD_POLICY_INHIBIT_ANY, inhibit_any,
+ BUILD_END);
+ ck_assert(cert);
+ id->destroy(id);
+ policies->destroy(policies);
+ maps->destroy(maps);
+ privkey->destroy(privkey);
+ pubkey->destroy(pubkey);
+ free(policy.oid.ptr);
+ free(map.subject.ptr);
+ free(map.issuer.ptr);
+
+ return cert;
+}
+
+/**
+ * Issue a certificate with given certificate policy and flags
+ */
+static certificate_t* create_cert(certificate_t *ca, char *subject,
+ char *oid, x509_flag_t flags,
+ char *map_s, char *map_i)
+{
+ return create_cert_ext(ca, subject, oid, flags, map_s, map_i,
+ X509_NO_CONSTRAINT, X509_NO_CONSTRAINT,
+ X509_NO_CONSTRAINT);
+}
+
+/**
+ * Check if a certificate with given subject has an oid
+ */
+static bool check_oid(identification_t *subject, char *oid)
+{
+ enumerator_t *certs, *auths;
+ certificate_t *cert;
+ auth_cfg_t *auth;
+ bool found = FALSE;
+ auth_rule_t type;
+ char *current;
+
+ certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+ subject, FALSE);
+ if (!certs->enumerate(certs, &cert, &auth))
+ {
+ certs->destroy(certs);
+ ck_assert_msg(FALSE, "no trusted certificate found for %Y", subject);
+ }
+ auths = auth->create_enumerator(auth);
+ while (auths->enumerate(auths, &type, &current))
+ {
+ if (type == AUTH_RULE_CERT_POLICY)
+ {
+ if (streq(current, oid))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ }
+ auths->destroy(auths);
+ certs->destroy(certs);
+
+ return found;
+}
+
+/**
+ * Check if a certificate with given subject has a valid trustchain
+ */
+static bool check_trust(identification_t *subject)
+{
+ enumerator_t *certs;
+ certificate_t *cert;
+ bool trusted;
+
+ certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY,
+ subject, FALSE);
+ trusted = certs->enumerate(certs, &cert, NULL);
+ certs->destroy(certs);
+
+ return trusted;
+}
+
+static mem_cred_t *creds;
+
+static char *anyPolicy = "2.5.29.32.0";
+static char *extended = "2.23.140.1.1";
+static char *baseline = "2.23.140.1.2";
+
+START_SETUP(setup)
+{
+ creds = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &creds->set);
+}
+END_SETUP
+
+START_TEARDOWN(teardown)
+{
+ lib->credmgr->remove_set(lib->credmgr, &creds->set);
+ creds->destroy(creds);
+ lib->credmgr->flush_cache(lib->credmgr, CERT_ANY);
+}
+END_TEARDOWN
+
+START_TEST(test_valid_fixed)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_valid_any1)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_valid_any2)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_missing)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_wrong)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), extended));
+}
+END_TEST
+
+START_TEST(test_invalid_any1)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", NULL, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_any2)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", anyPolicy, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_badchain_wrong)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", extended, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+ ck_assert(!check_oid(sj->get_subject(sj), extended));
+}
+END_TEST
+
+START_TEST(test_badchain_gap)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", NULL, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_badchain_any)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", extended, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), extended));
+}
+END_TEST
+
+START_TEST(test_valid_mapping)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_valid_mapping_twice)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", "2.23.140.1.3", X509_CA,
+ extended, "2.23.140.1.3");
+ im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_mapping_loop)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, baseline);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_mapping_notallowed)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_invalid_mapping_nopolicy)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert(NULL, "CN=CA", baseline, X509_CA, NULL, NULL);
+ im = create_cert(ca, "CN=IM", "2.23.140.1.3", X509_CA, baseline, extended);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(!check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_inhibit_mapping_good)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
+ X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
+ im = create_cert(ca, "CN=IM", extended, X509_CA, baseline, extended);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_inhibit_mapping_bad)
+{
+ certificate_t *ca, *i1, *i2, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", extended, X509_CA, NULL, NULL,
+ X509_NO_CONSTRAINT, 1, X509_NO_CONSTRAINT);
+ i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL);
+ i2 = create_cert(i1, "CN=IM2", extended, X509_CA, baseline, extended);
+ sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, i1);
+ creds->add_cert(creds, FALSE, i2);
+ creds->add_cert(creds, FALSE, sj);
+
+ /* TODO: we currently reject the certificate completely, but should
+ * actually just invalidate the policy not mapped properly */
+ ck_assert(!check_trust(sj->get_subject(sj)));
+}
+END_TEST
+
+START_TEST(test_inhibit_any_good)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+ X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1);
+ im = create_cert(ca, "CN=IM", anyPolicy, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_inhibit_any_bad)
+{
+ certificate_t *ca, *i1, *i2, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+ X509_NO_CONSTRAINT, X509_NO_CONSTRAINT, 1);
+ i1 = create_cert(ca, "CN=IM1", anyPolicy, X509_CA, NULL, NULL);
+ i2 = create_cert(i1, "CN=IM2", anyPolicy, X509_CA, NULL, NULL);
+ sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, i1);
+ creds->add_cert(creds, FALSE, i2);
+ creds->add_cert(creds, FALSE, sj);
+
+ /* TODO: we currently reject the certificate completely, but should
+ * actually just invalidate the policy relying on inhibited anyPolicy */
+ ck_assert(!check_trust(sj->get_subject(sj)));
+}
+END_TEST
+
+START_TEST(test_require_explicit_good)
+{
+ certificate_t *ca, *im, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+ 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT);
+ im = create_cert(ca, "CN=IM", baseline, X509_CA, NULL, NULL);
+ sj = create_cert(im, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, im);
+ creds->add_cert(creds, FALSE, sj);
+
+ ck_assert(check_oid(sj->get_subject(sj), baseline));
+}
+END_TEST
+
+START_TEST(test_require_explicit_bad)
+{
+ certificate_t *ca, *i1, *i2, *sj;
+
+ ca = create_cert_ext(NULL, "CN=CA", anyPolicy, X509_CA, NULL, NULL,
+ 1, X509_NO_CONSTRAINT, X509_NO_CONSTRAINT);
+ i1 = create_cert(ca, "CN=IM1", extended, X509_CA, NULL, NULL);
+ i2 = create_cert(i1, "CN=IM2", extended, X509_CA, NULL, NULL);
+ sj = create_cert(i2, "CN=SJ", baseline, 0, NULL, NULL);
+
+ creds->add_cert(creds, TRUE, ca);
+ creds->add_cert(creds, FALSE, i1);
+ creds->add_cert(creds, FALSE, i2);
+ creds->add_cert(creds, FALSE, sj);
+
+ /* TODO: we currently reject the certificate completely, but should
+ * actually just invalidate the policy violating requireExplicit */
+ ck_assert(!check_trust(sj->get_subject(sj)));
+}
+END_TEST
+
+Suite *certpolicy_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("certpolicy");
+
+ tc = tcase_create("policy valid");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_valid_fixed);
+ tcase_add_test(tc, test_valid_any1);
+ tcase_add_test(tc, test_valid_any2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("policy invalid");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_invalid_missing);
+ tcase_add_test(tc, test_invalid_wrong);
+ tcase_add_test(tc, test_invalid_any1);
+ tcase_add_test(tc, test_invalid_any2);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("policy badchain");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_badchain_wrong);
+ tcase_add_test(tc, test_badchain_gap);
+ tcase_add_test(tc, test_badchain_any);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("policy valid mapping");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_valid_mapping);
+ tcase_add_test(tc, test_valid_mapping_twice);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("policy invalid mapping");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_invalid_mapping_loop);
+ tcase_add_test(tc, test_invalid_mapping_notallowed);
+ tcase_add_test(tc, test_invalid_mapping_nopolicy);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("inhibit policy mapping");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_inhibit_mapping_good);
+ tcase_add_test(tc, test_inhibit_mapping_bad);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("inhibit any policy");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_inhibit_any_good);
+ tcase_add_test(tc, test_inhibit_any_bad);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("require explicit policy");
+ tcase_add_checked_fixture(tc, setup, teardown);
+ tcase_add_test(tc, test_require_explicit_good);
+ tcase_add_test(tc, test_require_explicit_bad);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c
index d71e010a2..b5d23658d 100644
--- a/src/libstrongswan/tests/suites/test_chunk.c
+++ b/src/libstrongswan/tests/suites/test_chunk.c
@@ -787,6 +787,11 @@ END_TEST
* test for chunk_internet_checksum[_inc]()
*/
+static inline u_int16_t compensate_alignment(u_int16_t val)
+{
+ return ((val & 0xff) << 8) | (val >> 8);
+}
+
START_TEST(test_chunk_internet_checksum)
{
chunk_t chunk;
@@ -804,9 +809,9 @@ START_TEST(test_chunk_internet_checksum)
/* need to compensate for even/odd alignment */
sum = chunk_internet_checksum(chunk_create(chunk.ptr, 9));
- sum = ntohs(sum);
+ sum = compensate_alignment(sum);
sum = chunk_internet_checksum_inc(chunk_create(chunk.ptr+9, 11), sum);
- sum = ntohs(sum);
+ sum = compensate_alignment(sum);
ck_assert_int_eq(0x442e, ntohs(sum));
chunk = chunk_from_chars(0x45,0x00,0x00,0x30,0x44,0x22,0x40,0x00,0x80,0x06,
@@ -821,9 +826,9 @@ START_TEST(test_chunk_internet_checksum)
/* need to compensate for even/odd alignment */
sum = chunk_internet_checksum(chunk_create(chunk.ptr, 9));
- sum = ntohs(sum);
+ sum = compensate_alignment(sum);
sum = chunk_internet_checksum_inc(chunk_create(chunk.ptr+9, 10), sum);
- sum = ntohs(sum);
+ sum = compensate_alignment(sum);
ck_assert_int_eq(0x4459, ntohs(sum));
}
END_TEST
diff --git a/src/libstrongswan/tests/suites/test_enum.c b/src/libstrongswan/tests/suites/test_enum.c
index b48b51c0e..53ebd2931 100644
--- a/src/libstrongswan/tests/suites/test_enum.c
+++ b/src/libstrongswan/tests/suites/test_enum.c
@@ -58,6 +58,39 @@ ENUM_NEXT(test_enum_split_names, SPLIT5, SPLIT5, SPLIT4,
ENUM_END(test_enum_split_names, SPLIT5);
/*******************************************************************************
+ * enum flags
+ */
+enum {
+ FLAG1 = (1 << 0),
+ FLAG2 = (1 << 1),
+ FLAG3 = (1 << 2),
+ FLAG4 = (1 << 3),
+ FLAG5 = (1 << 4),
+ FLAG6 = (1 << 5),
+ FLAG7 = (1 << 6),
+ FLAG8 = (1 << 7),
+ FLAG9 = (1 << 8),
+ FLAG10 = (1 << 9),
+ FLAG11 = (1 << 10),
+ FLAG12 = (1 << 11),
+} test_enum_flags;
+
+ENUM_FLAGS(test_enum_flags_names, FLAG1, FLAG5,
+ "FLAG1", "FLAG2", "FLAG3", "FLAG4", "FLAG5");
+
+ENUM_FLAGS(test_enum_flags_incomplete_names, FLAG3, FLAG4,
+ "FLAG3", "FLAG4");
+
+ENUM_FLAGS(test_enum_flags_null_names, FLAG1, FLAG4,
+ "FLAG1", NULL, "FLAG3", NULL);
+
+ENUM_FLAGS(test_enum_flags_overflow_names, FLAG1, FLAG12,
+ "OVERFLOWFLAGLONGNAME1", "OVERFLOWFLAGLONGNAME2", "OVERFLOWFLAGLONGNAME3",
+ "OVERFLOWFLAGLONGNAME4", "OVERFLOWFLAGLONGNAME5", "OVERFLOWFLAGLONGNAME6",
+ "OVERFLOWFLAGLONGNAME7", "OVERFLOWFLAGLONGNAME8", "OVERFLOWFLAGLONGNAME9",
+ "OVERFLOWFLAGLONGNAME10", "OVERFLOWFLAGLONGNAME11", "OVERFLOWFLAGLONGNAME12");
+
+/*******************************************************************************
* enum_to_name
*/
@@ -198,11 +231,52 @@ static struct {
{256, "(256)"},
};
+/*******************************************************************************
+ * flag_to_name
+ */
+
+static struct {
+ int val;
+ char *str;
+} printf_tests_flags[] = {
+ {0, "(unset)"},
+ {FLAG1, "FLAG1"},
+ {FLAG2, "FLAG2"},
+ {FLAG3, "FLAG3"},
+ {FLAG4, "FLAG4"},
+ {FLAG5, "FLAG5"},
+ {FLAG1 | FLAG3, "FLAG1 | FLAG3"},
+ {FLAG1 | FLAG3 | 32, "FLAG1 | FLAG3 | (0x20)"},
+ {FLAG1 | FLAG3 | 32 | 64, "FLAG1 | FLAG3 | (0x20) | (0x40)"},
+ {0x20, "(0x20)"},
+ {0x80000000, "(0x80000000)"},
+ {0xFFFFF, "FLAG1 | FLAG2 | FLAG3 | FLAG4 | "
+ "FLAG5 | (0x20) | (0x40) | (0x80) | "
+ "(0x100) | (0x200) | (0x400) | (0x800) | "
+ "(0x1000) | (0x2000) | (0x4000) | (0x8000) | "
+ "(0x10000) | (0x20000) | (0x40000) | (0x80000)"},
+}, printf_tests_flags_incomplete[] = {
+ {FLAG1, "(0x1)"},
+ {FLAG1 | FLAG2 | FLAG3, "(0x1) | (0x2) | FLAG3"},
+ {FLAG3 | FLAG4 | FLAG5, "FLAG3 | FLAG4 | (0x10)"},
+}, printf_tests_flags_null[] = {
+ {FLAG1 | FLAG2 | FLAG3 | FLAG4, "FLAG1 | FLAG3"},
+}, printf_tests_flags_overflow[] = {
+ {0xFFFFFFFF, "(0xFFFFFFFF)"},
+}, printf_tests_flags_noflagenum[] = {
+ {-1, "(-1)"},
+ {6435, "(6435)"},
+}, enum_flags_to_string_tests[] = {
+ {-1, NULL},
+ {6435, NULL},
+};
+
START_TEST(test_enum_printf_hook_cont)
{
char buf[128];
- snprintf(buf, sizeof(buf), "%N", test_enum_cont_names, printf_tests_cont[_i].val);
+ snprintf(buf, sizeof(buf), "%N",
+ test_enum_cont_names, printf_tests_cont[_i].val);
ck_assert_str_eq(printf_tests_cont[_i].str, buf);
}
END_TEST
@@ -211,11 +285,89 @@ START_TEST(test_enum_printf_hook_split)
{
char buf[128];
- snprintf(buf, sizeof(buf), "%N", test_enum_split_names, printf_tests_split[_i].val);
+ snprintf(buf, sizeof(buf), "%N",
+ test_enum_split_names, printf_tests_split[_i].val);
ck_assert_str_eq(printf_tests_split[_i].str, buf);
}
END_TEST
+START_TEST(test_enum_printf_hook_flags)
+{
+ char buf[1024];
+
+ snprintf(buf, sizeof(buf), "%N", test_enum_flags_names,
+ printf_tests_flags[_i].val);
+ ck_assert_str_eq(printf_tests_flags[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_incomplete)
+{
+ char buf[1024];
+
+ snprintf(buf, sizeof(buf), "%N", test_enum_flags_incomplete_names,
+ printf_tests_flags_incomplete[_i].val);
+ ck_assert_str_eq(printf_tests_flags_incomplete[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_null)
+{
+ char buf[1024];
+
+ snprintf(buf, sizeof(buf), "%N", test_enum_flags_null_names,
+ printf_tests_flags_null[_i].val);
+ ck_assert_str_eq(printf_tests_flags_null[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_overflow)
+{
+ char buf[1024];
+
+ snprintf(buf, sizeof(buf), "%N", test_enum_flags_overflow_names,
+ printf_tests_flags_overflow[_i].val);
+ ck_assert_str_eq(printf_tests_flags_overflow[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_printf_hook_flags_noflagenum)
+{
+ char buf[1024];
+
+ snprintf(buf, sizeof(buf), "%N", test_enum_cont_names,
+ printf_tests_flags_noflagenum[_i].val);
+ ck_assert_str_eq(printf_tests_flags_noflagenum[_i].str, buf);
+}
+END_TEST
+
+START_TEST(test_enum_flags_to_string)
+{
+ char buf[1], *str;
+
+ str = enum_flags_to_string(test_enum_flags_names,
+ enum_flags_to_string_tests[_i].val, buf, sizeof(buf));
+ if (str)
+ {
+ ck_assert_str_eq(enum_flags_to_string_tests[_i].str, str);
+ }
+ else
+ {
+ ck_assert(str == enum_flags_to_string_tests[_i].str);
+ }
+}
+END_TEST
+
+START_TEST(test_enum_flags_to_string_noflagenum)
+{
+ char buf[1024];
+
+ enum_flags_to_string(test_enum_cont_names,
+ printf_tests_flags_noflagenum[_i].val, buf, sizeof(buf));
+ ck_assert_str_eq(printf_tests_flags_noflagenum[_i].str, buf);
+}
+END_TEST
+
START_TEST(test_enum_printf_hook_width)
{
char buf[128];
@@ -246,9 +398,19 @@ Suite *enum_suite_create()
tcase_add_loop_test(tc, test_enum_from_name_split, 0, countof(enum_tests_split));
suite_add_tcase(s, tc);
+ tc = tcase_create("enum_flags_to_string");
+ tcase_add_loop_test(tc, test_enum_flags_to_string, 0, countof(enum_flags_to_string_tests));
+ tcase_add_loop_test(tc, test_enum_flags_to_string_noflagenum, 0, countof(printf_tests_flags_noflagenum));
+ suite_add_tcase(s, tc);
+
tc = tcase_create("enum_printf_hook");
tcase_add_loop_test(tc, test_enum_printf_hook_cont, 0, countof(printf_tests_cont));
tcase_add_loop_test(tc, test_enum_printf_hook_split, 0, countof(printf_tests_split));
+ tcase_add_loop_test(tc, test_enum_printf_hook_flags, 0, countof(printf_tests_flags));
+ tcase_add_loop_test(tc, test_enum_printf_hook_flags_incomplete, 0, countof(printf_tests_flags_incomplete));
+ tcase_add_loop_test(tc, test_enum_printf_hook_flags_null, 0, countof(printf_tests_flags_null));
+ tcase_add_loop_test(tc, test_enum_printf_hook_flags_overflow, 0, countof(printf_tests_flags_overflow));
+ tcase_add_loop_test(tc, test_enum_printf_hook_flags_noflagenum, 0, countof(printf_tests_flags_noflagenum));
tcase_add_test(tc, test_enum_printf_hook_width);
suite_add_tcase(s, tc);
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index 41a9d64ef..14cc32122 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -48,6 +48,9 @@ static hasher_oid_t oids[] = {
{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },
{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },
{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },
+ { OID_BLISS_WITH_SHA256, HASH_SHA256, KEY_BLISS },
+ { OID_BLISS_WITH_SHA384, HASH_SHA384, KEY_BLISS },
+ { OID_BLISS_WITH_SHA512, HASH_SHA512, KEY_BLISS },
{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA }
};
diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c
index 63442083a..7161b2c5b 100644
--- a/src/libstrongswan/tests/suites/test_host.c
+++ b/src/libstrongswan/tests/suites/test_host.c
@@ -237,6 +237,48 @@ START_TEST(test_create_from_string_and_family_other)
END_TEST
/*******************************************************************************
+ * host_create_from_dns
+ */
+
+static void test_create_from_dns(int family, chunk_t addr)
+{
+ host_t *host;
+
+ host = host_create_from_dns("localhost", family, 500);
+ if (family != AF_INET6)
+ {
+ ck_assert(host != NULL);
+ }
+ if (host)
+ {
+ if (family != AF_UNSPEC)
+ {
+ verify_address(host, addr, family, 500);
+ }
+ host->destroy(host);
+ }
+}
+
+START_TEST(test_create_from_dns_any)
+{
+ test_create_from_dns(AF_UNSPEC, chunk_empty);
+}
+END_TEST
+
+START_TEST(test_create_from_dns_v4)
+{
+ test_create_from_dns(AF_INET, chunk_from_chars(127,0,0,1));
+}
+END_TEST
+
+START_TEST(test_create_from_dns_v6)
+{
+ test_create_from_dns(AF_INET6,
+ chunk_from_chars(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1));
+}
+END_TEST
+
+/*******************************************************************************
* host_create_from_sockaddr
*/
@@ -400,6 +442,90 @@ START_TEST(test_create_from_subnet_v6)
END_TEST
/*******************************************************************************
+ * host_create_from_range
+ */
+
+static const chunk_t addr_v4_to = chunk_from_chars(0xc0, 0xa8, 0x00, 0x05);
+static const chunk_t addr_v6_to = chunk_from_chars(0xfe, 0xc1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05);
+
+static void verify_range(char *str, int family, chunk_t from_addr,
+ chunk_t to_addr)
+{
+ host_t *from, *to;
+
+ if (!family)
+ {
+ ck_assert(!host_create_from_range(str, &from, &to));
+ }
+ else
+ {
+ ck_assert(host_create_from_range(str, &from, &to));
+ verify_address(from, from_addr, family, 0);
+ verify_address(to, to_addr, family, 0);
+ from->destroy(from);
+ to->destroy(to);
+ }
+}
+
+START_TEST(test_create_from_range_v4)
+{
+ host_t *from, *to;
+
+ ck_assert(host_create_from_range("0.0.0.0-0.0.0.0", &from, &to));
+ verify_any(from, AF_INET, 0);
+ verify_any(to, AF_INET, 0);
+ from->destroy(from);
+ to->destroy(to);
+
+ verify_range("192.168.0.1-192.168.0.1", AF_INET, addr_v4, addr_v4);
+ verify_range("192.168.0.1-192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+ verify_range("192.168.0.1- 192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+ verify_range("192.168.0.1 -192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+ verify_range("192.168.0.1 - 192.168.0.5", AF_INET, addr_v4, addr_v4_to);
+ verify_range("192.168.0.5-192.168.0.1", AF_INET, addr_v4_to, addr_v4);
+
+ verify_range("192.168.0.1", 0, chunk_empty, chunk_empty);
+ verify_range("192.168.0.1-", 0, chunk_empty, chunk_empty);
+ verify_range("-192.168.0.1", 0, chunk_empty, chunk_empty);
+ verify_range("192.168.0.1-192", 0, chunk_empty, chunk_empty);
+ verify_range("192.168.0.1-192.168", 0, chunk_empty, chunk_empty);
+ verify_range("192.168.0.1-192.168.0", 0, chunk_empty, chunk_empty);
+ verify_range("foo.b.a.r", 0, chunk_empty, chunk_empty);
+ verify_range("foo.b.a.r-b.a.r.f", 0, chunk_empty, chunk_empty);
+}
+END_TEST
+
+START_TEST(test_create_from_range_v6)
+{
+ host_t *from, *to;
+
+ ck_assert(host_create_from_range("::-::", &from, &to));
+ verify_any(from, AF_INET6, 0);
+ verify_any(to, AF_INET6, 0);
+ from->destroy(from);
+ to->destroy(to);
+
+ verify_range("fec1::1-fec1::1", AF_INET6, addr_v6, addr_v6);
+ verify_range("fec1::1-fec1::5", AF_INET6, addr_v6, addr_v6_to);
+ verify_range("fec1::1- fec1::5", AF_INET6, addr_v6, addr_v6_to);
+ verify_range("fec1::1 -fec1::5", AF_INET6, addr_v6, addr_v6_to);
+ verify_range("fec1::1 - fec1::5", AF_INET6, addr_v6, addr_v6_to);
+ verify_range("fec1::5-fec1::1", AF_INET6, addr_v6_to, addr_v6);
+
+ verify_range("fec1::1", 0, chunk_empty, chunk_empty);
+ verify_range("fec1::1-", 0, chunk_empty, chunk_empty);
+ verify_range("-fec1::1", 0, chunk_empty, chunk_empty);
+ verify_range("fec1::1-fec1", 0, chunk_empty, chunk_empty);
+ verify_range("foo::bar", 0, chunk_empty, chunk_empty);
+ verify_range("foo::bar-bar::foo", 0, chunk_empty, chunk_empty);
+
+ verify_range("fec1::1-192.168.0.1", 0, chunk_empty, chunk_empty);
+ verify_range("192.168.0.1-fec1::1", 0, chunk_empty, chunk_empty);
+}
+END_TEST
+
+/*******************************************************************************
* host_create_netmask
*/
@@ -610,6 +736,12 @@ Suite *host_suite_create()
tcase_add_test(tc, test_create_from_string_and_family_other);
suite_add_tcase(s, tc);
+ tc = tcase_create("host_create_from_dns");
+ tcase_add_test(tc, test_create_from_dns_any);
+ tcase_add_test(tc, test_create_from_dns_v4);
+ tcase_add_test(tc, test_create_from_dns_v6);
+ suite_add_tcase(s, tc);
+
tc = tcase_create("host_create_from_sockaddr");
tcase_add_test(tc, test_create_from_sockaddr_v4);
tcase_add_test(tc, test_create_from_sockaddr_v6);
@@ -627,6 +759,11 @@ Suite *host_suite_create()
tcase_add_test(tc, test_create_from_subnet_v6);
suite_add_tcase(s, tc);
+ tc = tcase_create("host_create_from_range");
+ tcase_add_test(tc, test_create_from_range_v4);
+ tcase_add_test(tc, test_create_from_range_v6);
+ suite_add_tcase(s, tc);
+
tc = tcase_create("host_create_netmask");
tcase_add_test(tc, test_create_netmask_v4);
tcase_add_test(tc, test_create_netmask_v6);
diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c
index 5de785710..de00e4afd 100644
--- a/src/libstrongswan/tests/suites/test_identification.c
+++ b/src/libstrongswan/tests/suites/test_identification.c
@@ -122,58 +122,68 @@ static struct {
} data;
} result;
} string_data[] = {
- {NULL, ID_ANY, { .type = ENC_CHUNK }},
- {"", ID_ANY, { .type = ENC_CHUNK }},
- {"%any", ID_ANY, { .type = ENC_CHUNK }},
- {"%any6", ID_ANY, { .type = ENC_CHUNK }},
- {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }},
- {"0::0", ID_ANY, { .type = ENC_CHUNK }},
- {"::", ID_ANY, { .type = ENC_CHUNK }},
- {"*", ID_ANY, { .type = ENC_CHUNK }},
- {"any", ID_FQDN, { .type = ENC_SIMPLE }},
- {"any6", ID_FQDN, { .type = ENC_SIMPLE }},
- {"0", ID_FQDN, { .type = ENC_SIMPLE }},
- {"**", ID_FQDN, { .type = ENC_SIMPLE }},
- {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0xc0, 0xa8, 0x01, 0x01) }},
- {"192.168.",ID_FQDN, { .type = ENC_SIMPLE }},
- {".", ID_FQDN, { .type = ENC_SIMPLE }},
- {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01) }},
- {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00) }},
- {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }},
- {":", ID_KEY_ID, { .type = ENC_SIMPLE }},
- {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
- {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
- {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
- {"alice", ID_FQDN, { .type = ENC_SIMPLE }},
- {"@", ID_FQDN, { .type = ENC_CHUNK }},
- {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
- {"@strongswan.org", ID_FQDN, { .type = ENC_STRING,
- .data.s = "strongswan.org" }},
- {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0xde, 0xad, 0xbe, 0xef) }},
- {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0x0d, 0xea, 0xdb, 0xee) }},
- {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
- {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }},
- {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
- {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0x30, 0x0b, 0x31, 0x09, 0x30, 0x07, 0x06,
- 0x03, 0x55, 0x04, 0x06, 0x13, 0x00)}},
- {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
- 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
- {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
- 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
- {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
- .data.c = chunk_from_chars(0x30, 0x0d, 0x31, 0x0b, 0x30, 0x09, 0x06,
- 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48)}},
- {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }},
+ {NULL, ID_ANY, { .type = ENC_CHUNK }},
+ {"", ID_ANY, { .type = ENC_CHUNK }},
+ {"%any", ID_ANY, { .type = ENC_CHUNK }},
+ {"%any6", ID_ANY, { .type = ENC_CHUNK }},
+ {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }},
+ {"0::0", ID_ANY, { .type = ENC_CHUNK }},
+ {"::", ID_ANY, { .type = ENC_CHUNK }},
+ {"*", ID_ANY, { .type = ENC_CHUNK }},
+ {"any", ID_FQDN, { .type = ENC_SIMPLE }},
+ {"any6", ID_FQDN, { .type = ENC_SIMPLE }},
+ {"0", ID_FQDN, { .type = ENC_SIMPLE }},
+ {"**", ID_FQDN, { .type = ENC_SIMPLE }},
+ {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
+ {"192.168.", ID_FQDN, { .type = ENC_SIMPLE }},
+ {".", ID_FQDN, { .type = ENC_SIMPLE }},
+ {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }},
+ {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }},
+ {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }},
+ {":", ID_KEY_ID, { .type = ENC_SIMPLE }},
+ {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+ {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+ {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+ {"alice", ID_FQDN, { .type = ENC_SIMPLE }},
+ {"@", ID_FQDN, { .type = ENC_CHUNK }},
+ {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }},
+ {"@strongswan.org", ID_FQDN, { .type = ENC_STRING,
+ .data.s = "strongswan.org" }},
+ {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }},
+ {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }},
+ {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
+ {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }},
+ {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }},
+ {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06,
+ 0x03,0x55,0x04,0x06,0x13,0x00) }},
+ {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
+ 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
+ {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
+ 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
+ {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,
+ 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }},
+ {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }},
+ {"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
+ { "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING,
+ .data.s = "tester" }},
+ { "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK,
+ .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }},
+ { "{0x02}:tester", ID_FQDN, { .type = ENC_STRING,
+ .data.s = "tester" }},
+ { "{99}:somedata", 99, { .type = ENC_STRING,
+ .data.s = "somedata" }},
};
START_TEST(test_from_string)
diff --git a/src/libstrongswan/tests/suites/test_mgf1.c b/src/libstrongswan/tests/suites/test_mgf1.c
new file mode 100644
index 000000000..9388b95d4
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_mgf1.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (C) 2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/test_rng.h>
+#include <utils/test.h>
+#include <crypto/mgf1/mgf1.h>
+#include <crypto/mgf1/mgf1_bitspender.h>
+
+typedef struct {
+ hash_algorithm_t alg;
+ size_t hash_size;
+ size_t ml1, ml2, ml3, seed_len;
+ chunk_t seed;
+ chunk_t hashed_seed;
+ chunk_t mask;
+ uint32_t bits[22];
+} mgf1_test_t;
+
+/**
+ * MGF1 Mask Generation Function Test Vectors
+ */
+mgf1_test_t mgf1_tests[] = {
+ { HASH_SHA1, 20, 60, 20, 15, 24,
+ chunk_from_chars(
+ 0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
+ 0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
+ 0x8C, 0x9B, 0xD5, 0x63, 0x57, 0x38, 0x11, 0xC2,
+ 0xB5, 0xCA, 0xBF, 0x06, 0x43, 0x45, 0x19, 0xD5,
+ 0xE7, 0x36, 0xD0, 0x29, 0x21, 0xDA, 0x02, 0x20,
+ 0x45, 0xF6, 0x5F, 0x0F, 0x10, 0x04, 0x2A, 0xE3,
+ 0x6A, 0x1D, 0xD5, 0x9F, 0x1D, 0x66, 0x44, 0x8F,
+ 0xFA, 0xC6, 0xCA, 0xA4, 0x6E, 0x3B, 0x00, 0x66,
+ 0xA6, 0xC9, 0x80, 0x5C, 0xF5, 0x2D, 0xD7, 0x72,
+ 0xC6, 0xD4, 0x4F, 0x30, 0x72, 0xA2, 0xAD, 0xE0,
+ 0x33, 0xE8, 0x55, 0xD5, 0xE6, 0xD6, 0x00, 0x1D,
+ 0xA8, 0x68, 0xFF, 0x97, 0x36, 0x8A, 0xF4, 0xD6,
+ 0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB,
+ 0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20),
+ chunk_from_chars(
+ 0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7,
+ 0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0,
+ 0x21, 0xC4, 0x90, 0xB6),
+ chunk_from_chars(
+ 0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E,
+ 0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1,
+ 0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46,
+ 0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1,
+ 0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16,
+ 0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D,
+ 0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10,
+ 0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29,
+ 0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1,
+ 0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B,
+ 0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66,
+ 0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
+ 0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
+ 0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
+ 0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14),
+ { 0, 0, 0, 4, 1, 1, 46, 103, 38, 411, 848, 57, 3540, 4058, 12403,
+ 0x63, 0x2B, 0xC9, 0x17, 0x56, 669409, 0xA407A43B },
+ },
+ { HASH_SHA256, 32, 64, 32, 33, 40,
+ chunk_from_chars(
+ 0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
+ 0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
+ 0xC5, 0x9D, 0xDE, 0xF6, 0xFC, 0xFA, 0x93, 0xCE,
+ 0x32, 0x52, 0x66, 0xF9, 0xC9, 0x97, 0xF6, 0x42,
+ 0x00, 0x2C, 0x64, 0xED, 0x1A, 0x6B, 0x14, 0x0A,
+ 0x4B, 0x04, 0xCF, 0x6D, 0x2D, 0x82, 0x0A, 0x07,
+ 0xA2, 0x3B, 0xDE, 0xCE, 0x19, 0x8A, 0x39, 0x43,
+ 0x16, 0x61, 0x29, 0x98, 0x68, 0xEA, 0xE5, 0xCC,
+ 0x0A, 0xF8, 0xE9, 0x71, 0x26, 0xF1, 0x07, 0x36,
+ 0x2C, 0x07, 0x1E, 0xEB, 0xE4, 0x28, 0xA2, 0xF4,
+ 0xA8, 0x12, 0xC0, 0xC8, 0x20, 0x37, 0xF8, 0xF2,
+ 0x6C, 0xAF, 0xDC, 0x6F, 0x2E, 0xD0, 0x62, 0x58,
+ 0xD2, 0x37, 0x03, 0x6D, 0xFA, 0x6E, 0x1A, 0xAC,
+ 0x9F, 0xCA, 0x56, 0xC6, 0xA4, 0x52, 0x41, 0xE8,
+ 0x0F, 0x1B, 0x0C, 0xB9, 0xE6, 0xBA, 0xDE, 0xE1,
+ 0x03, 0x5E, 0xC2, 0xE5, 0xF8, 0xF4, 0xF3, 0x46,
+ 0x3A, 0x12, 0xC0, 0x1F, 0x3A, 0x00, 0xD0, 0x91,
+ 0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4,
+ 0x54, 0xEE, 0x20, 0xF0, 0x80),
+ chunk_from_chars(
+ 0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
+ 0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
+ 0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
+ 0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28),
+ chunk_from_chars(
+ 0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
+ 0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
+ 0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F,
+ 0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A,
+ 0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6,
+ 0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5,
+ 0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC,
+ 0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13,
+ 0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B,
+ 0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07,
+ 0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92,
+ 0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08,
+ 0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6,
+ 0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC,
+ 0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA,
+ 0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD,
+ 0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3,
+ 0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6,
+ 0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95,
+ 0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42),
+ { 0, 1, 3, 4, 4, 12, 32, 36, 253, 331, 2, 1640, 503, 6924, 580,
+ 0xCB, 0x35, 0x3C, 0xDC, 0xAD, 922950, 0x0DD1AA64 }
+ }
+};
+
+START_TEST(mgf1_test_mgf1)
+{
+ mgf1_t *mgf1;
+ chunk_t mask, mask1, mask2, mask3;
+
+ mask1 = mgf1_tests[_i].mask;
+ mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1);
+ mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2);
+ mask1.len = mgf1_tests[_i].ml1;
+ mask2.len = mgf1_tests[_i].ml2;
+ mask3.len = mgf1_tests[_i].ml3;
+
+ mgf1 = mgf1_create(HASH_UNKNOWN, mgf1_tests[_i].seed, TRUE);
+ ck_assert(mgf1 == NULL);
+
+ mgf1 = mgf1_create(mgf1_tests[_i].alg, chunk_empty, TRUE);
+ ck_assert(mgf1 == NULL);
+
+ /* return mask in allocated chunk */
+ mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+ ck_assert(mgf1);
+
+ /* check hash size */
+ ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
+
+ /* get zero number of octets */
+ ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
+ ck_assert(mask.len == 0 && mask.ptr == NULL);
+
+ /* get non-zero number of octets */
+ ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
+ ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+ mgf1->destroy(mgf1);
+
+ /* copy mask to pre-allocated buffer */
+ mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].seed, TRUE);
+ ck_assert(mgf1);
+ ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
+ ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
+ mgf1->destroy(mgf1);
+
+ /* get mask in batches without hashing the seed */
+ mgf1 = mgf1_create(mgf1_tests[_i].alg, mgf1_tests[_i].hashed_seed, FALSE);
+ ck_assert(mgf1);
+
+ /* first batch */
+ ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
+ mask.len = mask1.len;
+ ck_assert(chunk_equals(mask, mask1));
+
+ /* second batch */
+ ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
+ mask.len = mask2.len;
+ ck_assert(chunk_equals(mask, mask2));
+
+ /* third batch */
+ ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
+ mask.len = mask3.len;
+ ck_assert(chunk_equals(mask, mask3));
+
+ mgf1->destroy(mgf1);
+ chunk_free(&mask);
+}
+END_TEST
+
+START_TEST(mgf1_test_bitspender)
+{
+ mgf1_bitspender_t *bitspender;
+ uint32_t bits;
+ uint8_t byte;
+ int j;
+
+ bitspender = mgf1_bitspender_create(HASH_UNKNOWN,
+ mgf1_tests[_i].hashed_seed, FALSE);
+ ck_assert(bitspender == NULL);
+
+ bitspender = mgf1_bitspender_create(mgf1_tests[_i].alg,
+ mgf1_tests[_i].hashed_seed, FALSE);
+ ck_assert(bitspender);
+
+ for (j = 0; j < 15; j++)
+ {
+ ck_assert(bitspender->get_bits(bitspender, j, &bits));
+ DBG1(DBG_LIB, "bits[%d] = %u, bits = %u", j, mgf1_tests[_i].bits[j],
+ bits);
+ ck_assert(bits == mgf1_tests[_i].bits[j]);
+ }
+ ck_assert(!bitspender->get_bits(bitspender, 33, &bits));
+
+ for (j = 15; j < 20; j++)
+ {
+ ck_assert(bitspender->get_byte(bitspender, &byte));
+ DBG1(DBG_LIB, "bits[%d] = 0x%02x, byte = 0x%02x", j,
+ mgf1_tests[_i].bits[j], byte);
+ ck_assert(byte == mgf1_tests[_i].bits[j]);
+ }
+
+ j = 20; /* 23 remaining bits */
+ ck_assert(bitspender->get_bits(bitspender, 23, &bits));
+ DBG1(DBG_LIB, "bits[%d] = %u, bits = %u", j,
+ mgf1_tests[_i].bits[j], bits);
+ ck_assert(bits == mgf1_tests[_i].bits[j]);
+
+ j = 21; /* 32 aligned bits */
+ ck_assert(bitspender->get_bits(bitspender, 32, &bits));
+ DBG1(DBG_LIB, "bits[%d] = 0x%08x, bits = 0x%08x", j,
+ mgf1_tests[_i].bits[j], bits);
+ ck_assert(bits == mgf1_tests[_i].bits[j]);
+
+ bitspender->destroy(bitspender);
+}
+END_TEST
+
+
+Suite *mgf1_suite_create(char *name, int n)
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create(name);
+
+ tc = tcase_create("mgf1");
+ tcase_add_loop_test(tc, mgf1_test_mgf1, n, n + 1);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("bitspender");
+ tcase_add_loop_test(tc, mgf1_test_bitspender, n, n + 1);
+ suite_add_tcase(s, tc);
+
+ return s;
+}
+
+Suite *mgf1_sha1_suite_create()
+{
+ return mgf1_suite_create("mgf1-sha1", 0);
+}
+
+Suite *mgf1_sha256_suite_create()
+{
+ return mgf1_suite_create("mgf1-sha256", 1);
+}
diff --git a/src/libstrongswan/tests/suites/test_ntru.c b/src/libstrongswan/tests/suites/test_ntru.c
index 7c0cb81bf..d209fa2bc 100644
--- a/src/libstrongswan/tests/suites/test_ntru.c
+++ b/src/libstrongswan/tests/suites/test_ntru.c
@@ -16,20 +16,17 @@
#include "test_suite.h"
#include <tests/utils/test_rng.h>
+#include <utils/test.h>
+#include <crypto/mgf1/mgf1.h>
#include <plugins/ntru/ntru_drbg.h>
-#include <plugins/ntru/ntru_mgf1.h>
#include <plugins/ntru/ntru_trits.h>
#include <plugins/ntru/ntru_poly.h>
#include <plugins/ntru/ntru_param_set.h>
#include <plugins/ntru/ntru_private_key.h>
-#include <utils/test.h>
IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_drbg_create, ntru_drbg_t*,
u_int32_t strength, chunk_t pers_str, rng_t *entropy)
-IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_mgf1_create, ntru_mgf1_t*,
- hash_algorithm_t alg, chunk_t seed, bool hash_seed)
-
IMPORT_FUNCTION_FOR_TESTS(ntru, ntru_trits_create, ntru_trits_t*,
size_t len, hash_algorithm_t alg, chunk_t seed)
@@ -334,13 +331,11 @@ typedef struct {
typedef struct {
hash_algorithm_t alg;
size_t hash_size;
- size_t ml1, ml2, ml3, seed_len;
+ size_t seed_len;
chunk_t seed;
- chunk_t hashed_seed;
- chunk_t mask;
chunk_t trits;
poly_test_t poly_test[2];
-} mgf1_test_t;
+} trits_test_t;
uint16_t indices_ees439ep1[] = {
367, 413, 16, 214, 114, 128, 42, 268, 346, 329, 119, 303, 208, 287, 150,
@@ -386,10 +381,10 @@ uint16_t indices_ees1171ep1[] = {
};
/**
- * MGF1 Mask Generation Function Test Vectors
+ * Trits and Polynomial Test Vectors
*/
-mgf1_test_t mgf1_tests[] = {
- { HASH_SHA1, 20, 60, 20, 15, 24,
+static trits_test_t trits_tests[] = {
+ { HASH_SHA1, 20, 24,
chunk_from_chars(
0xED, 0xA5, 0xC3, 0xBC, 0xAF, 0xB3, 0x20, 0x7D,
0x14, 0xA1, 0x54, 0xF7, 0x8B, 0x37, 0xF2, 0x8D,
@@ -406,26 +401,6 @@ mgf1_test_t mgf1_tests[] = {
0xF1, 0xB6, 0x7E, 0x1F, 0x06, 0xCB, 0x57, 0xCB,
0x35, 0x38, 0xF2, 0x2D, 0xF6, 0x20),
chunk_from_chars(
- 0xF3, 0x9B, 0x0B, 0xB4, 0x97, 0x50, 0xB5, 0xA7,
- 0xE6, 0xBD, 0xDA, 0xD0, 0x9A, 0x52, 0xBE, 0xA0,
- 0x21, 0xC4, 0x90, 0xB6),
- chunk_from_chars(
- 0x10, 0x43, 0x76, 0x72, 0x6C, 0xDE, 0xA0, 0x0E,
- 0x77, 0x51, 0xFB, 0x58, 0x39, 0x8A, 0x36, 0xE1,
- 0x63, 0x2B, 0xC9, 0x17, 0x56, 0x0C, 0x4B, 0x46,
- 0xA4, 0x07, 0xA4, 0x3B, 0x8E, 0x33, 0x4D, 0xD1,
- 0x65, 0xF1, 0xAC, 0xC8, 0x59, 0x21, 0x32, 0x16,
- 0x44, 0x2B, 0x7F, 0xB2, 0xA8, 0xA7, 0x26, 0x5D,
- 0xE8, 0x02, 0xBE, 0x8E, 0xDC, 0x34, 0xEB, 0x10,
- 0x76, 0x16, 0x8C, 0xDD, 0x90, 0x92, 0x3D, 0x29,
- 0x90, 0x98, 0x46, 0x11, 0x73, 0x53, 0x47, 0xB1,
- 0x2C, 0xD4, 0x83, 0x78, 0x9B, 0x93, 0x2F, 0x5B,
- 0xFC, 0x26, 0xFF, 0x42, 0x08, 0x1F, 0x70, 0x66,
- 0x40, 0x4B, 0xE7, 0x22, 0x3A, 0x56, 0x10, 0x6D,
- 0x4D, 0x29, 0x0B, 0xCE, 0xA6, 0x21, 0xB5, 0x5C,
- 0x71, 0x66, 0x2F, 0x70, 0x35, 0xD8, 0x8A, 0x92,
- 0x33, 0xF0, 0x16, 0xD4, 0x0E, 0x43, 0x8A, 0x14),
- chunk_from_chars(
1, 2, 1, 0, 0, 1, 1, 1, 2, 0, 1, 0, 1, 1, 1, 0, 2, 0, 1, 1,
0, 0, 0, 1, 1, 0, 2, 0, 2, 2, 1, 2, 2, 2, 1, 2, 1, 1, 0, 0,
2, 0, 1, 1, 1, 0, 0, 0, 0, 1, 1, 2, 0, 0, 1, 0, 1, 0, 2, 0,
@@ -457,7 +432,7 @@ mgf1_test_t mgf1_tests[] = {
}
}
},
- { HASH_SHA256, 32, 64, 32, 33, 40,
+ { HASH_SHA256, 32, 40,
chunk_from_chars(
0x52, 0xC5, 0xDD, 0x1E, 0xEF, 0x76, 0x1B, 0x53,
0x08, 0xE4, 0x86, 0x3F, 0x91, 0x12, 0x98, 0x69,
@@ -479,32 +454,6 @@ mgf1_test_t mgf1_tests[] = {
0x18, 0xDD, 0x53, 0xE4, 0x22, 0xF5, 0x26, 0xA4,
0x54, 0xEE, 0x20, 0xF0, 0x80),
chunk_from_chars(
- 0x76, 0x89, 0x8B, 0x1B, 0x60, 0xEC, 0x10, 0x9D,
- 0x8F, 0x13, 0xF2, 0xFE, 0xD9, 0x85, 0xC1, 0xAB,
- 0x7E, 0xEE, 0xB1, 0x31, 0xDD, 0xF7, 0x7F, 0x0C,
- 0x7D, 0xF9, 0x6B, 0x7B, 0x19, 0x80, 0xBD, 0x28),
- chunk_from_chars(
- 0xF1, 0x19, 0x02, 0x4F, 0xDA, 0x58, 0x05, 0x9A,
- 0x07, 0xDF, 0x61, 0x81, 0x22, 0x0E, 0x15, 0x46,
- 0xCB, 0x35, 0x3C, 0xDC, 0xAD, 0x20, 0xD9, 0x3F,
- 0x0D, 0xD1, 0xAA, 0x64, 0x66, 0x5C, 0xFA, 0x4A,
- 0xFE, 0xD6, 0x8F, 0x55, 0x57, 0x15, 0xB2, 0xA6,
- 0xA0, 0xE6, 0xA8, 0xC6, 0xBD, 0x28, 0xB4, 0xD5,
- 0x6E, 0x5B, 0x4B, 0xB0, 0x97, 0x09, 0xF5, 0xAC,
- 0x57, 0x65, 0x13, 0x97, 0x71, 0x2C, 0x45, 0x13,
- 0x3D, 0xEE, 0xFB, 0xBF, 0xFE, 0xAF, 0xBB, 0x4B,
- 0x0D, 0x5C, 0x45, 0xD4, 0x2F, 0x17, 0x92, 0x07,
- 0x66, 0x11, 0xF5, 0x46, 0xF8, 0x0C, 0x03, 0x92,
- 0xF5, 0xF5, 0xFF, 0xA4, 0xF3, 0x52, 0xF4, 0x08,
- 0x2C, 0x49, 0x32, 0x1A, 0x93, 0x51, 0x98, 0xB6,
- 0x94, 0x83, 0x39, 0xCF, 0x6B, 0x1F, 0x2F, 0xFC,
- 0x2B, 0xFF, 0x10, 0x71, 0x7D, 0x35, 0x6C, 0xEA,
- 0xC5, 0x66, 0xC7, 0x26, 0x7D, 0x9E, 0xAC, 0xDD,
- 0x35, 0xD7, 0x06, 0x3F, 0x40, 0x82, 0xDA, 0xC3,
- 0x2B, 0x3C, 0x91, 0x3A, 0x32, 0xF8, 0xB2, 0xC6,
- 0x44, 0x4D, 0xCD, 0xB6, 0x54, 0x5F, 0x81, 0x95,
- 0x59, 0xA1, 0xE5, 0x4E, 0xA5, 0x0A, 0x4A, 0x42),
- chunk_from_chars(
1, 2, 2, 2, 2, 1, 2, 2, 0, 0, 2, 0, 0, 0, 0, 1, 2, 2, 2, 0,
2, 0, 0, 2, 2, 1, 2, 0, 0, 1, 2, 1, 0, 0, 0, 1, 0, 2, 2, 1,
1, 2, 0, 0, 0, 1, 2, 0, 2, 2, 1, 2, 1, 0, 1, 0, 1, 2, 1, 1,
@@ -546,104 +495,34 @@ mgf1_test_t mgf1_tests[] = {
}
};
-START_TEST(test_ntru_mgf1)
-{
- ntru_mgf1_t *mgf1;
- chunk_t mask, mask1, mask2, mask3;
-
- mask1 = mgf1_tests[_i].mask;
- mask2 = chunk_skip(mask1, mgf1_tests[_i].ml1);
- mask3 = chunk_skip(mask2, mgf1_tests[_i].ml2);
- mask1.len = mgf1_tests[_i].ml1;
- mask2.len = mgf1_tests[_i].ml2;
- mask3.len = mgf1_tests[_i].ml3;
-
- mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, HASH_UNKNOWN,
- mgf1_tests[_i].seed, TRUE);
- ck_assert(mgf1 == NULL);
-
- mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
- chunk_empty, TRUE);
- ck_assert(mgf1 == NULL);
-
- /* return mask in allocated chunk */
- mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
- mgf1_tests[_i].seed, TRUE);
- ck_assert(mgf1);
-
- /* check hash size */
- ck_assert(mgf1->get_hash_size(mgf1) == mgf1_tests[_i].hash_size);
-
- /* get zero number of octets */
- ck_assert(mgf1->allocate_mask(mgf1, 0, &mask));
- ck_assert(mask.len == 0 && mask.ptr == NULL);
-
- /* get non-zero number of octets */
- ck_assert(mgf1->allocate_mask(mgf1, mgf1_tests[_i].mask.len, &mask));
- ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
- mgf1->destroy(mgf1);
-
- /* copy mask to pre-allocated buffer */
- mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
- mgf1_tests[_i].seed, TRUE);
- ck_assert(mgf1);
- ck_assert(mgf1->get_mask(mgf1, mgf1_tests[_i].mask.len, mask.ptr));
- ck_assert(chunk_equals(mask, mgf1_tests[_i].mask));
- mgf1->destroy(mgf1);
-
- /* get mask in batches without hashing the seed */
- mgf1 = TEST_FUNCTION(ntru, ntru_mgf1_create, mgf1_tests[_i].alg,
- mgf1_tests[_i].hashed_seed, FALSE);
- ck_assert(mgf1);
-
- /* first batch */
- ck_assert(mgf1->get_mask(mgf1, mask1.len, mask.ptr));
- mask.len = mask1.len;
- ck_assert(chunk_equals(mask, mask1));
-
- /* second batch */
- ck_assert(mgf1->get_mask(mgf1, mask2.len, mask.ptr));
- mask.len = mask2.len;
- ck_assert(chunk_equals(mask, mask2));
-
- /* third batch */
- ck_assert(mgf1->get_mask(mgf1, mask3.len, mask.ptr));
- mask.len = mask3.len;
- ck_assert(chunk_equals(mask, mask3));
-
- mgf1->destroy(mgf1);
- chunk_free(&mask);
-}
-END_TEST
-
START_TEST(test_ntru_trits)
{
ntru_trits_t *mask;
chunk_t trits;
- mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
- HASH_UNKNOWN, mgf1_tests[_i].seed);
+ mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
+ HASH_UNKNOWN, trits_tests[_i].seed);
ck_assert(mask == NULL);
- mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
- mgf1_tests[_i].alg, chunk_empty);
+ mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
+ trits_tests[_i].alg, chunk_empty);
ck_assert(mask == NULL);
- mask = TEST_FUNCTION(ntru, ntru_trits_create, mgf1_tests[_i].trits.len,
- mgf1_tests[_i].alg, mgf1_tests[_i].seed);
+ mask = TEST_FUNCTION(ntru, ntru_trits_create, trits_tests[_i].trits.len,
+ trits_tests[_i].alg, trits_tests[_i].seed);
ck_assert(mask);
trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
- ck_assert(chunk_equals(trits, mgf1_tests[_i].trits));
+ ck_assert(chunk_equals(trits, trits_tests[_i].trits));
mask->destroy(mask);
/* generate a multiple of 5 trits */
- mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, mgf1_tests[_i].alg,
- mgf1_tests[_i].seed);
+ mask = TEST_FUNCTION(ntru, ntru_trits_create, 10, trits_tests[_i].alg,
+ trits_tests[_i].seed);
ck_assert(mask);
trits = chunk_create(mask->get_trits(mask), mask->get_size(mask));
- ck_assert(chunk_equals(trits, chunk_create(mgf1_tests[_i].trits.ptr, 10)));
+ ck_assert(chunk_equals(trits, chunk_create(trits_tests[_i].trits.ptr, 10)));
mask->destroy(mask);
}
END_TEST
@@ -656,10 +535,10 @@ START_TEST(test_ntru_poly)
poly_test_t *p;
int j, n;
- seed = mgf1_tests[_i].seed;
- seed.len = mgf1_tests[_i].seed_len;
+ seed = trits_tests[_i].seed;
+ seed.len = trits_tests[_i].seed_len;
- p = &mgf1_tests[_i].poly_test[0];
+ p = &trits_tests[_i].poly_test[0];
poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed, HASH_UNKNOWN, seed,
p->c_bits, p->N, p->q, p->indices_len, p->indices_len,
p->is_product_form);
@@ -667,9 +546,9 @@ START_TEST(test_ntru_poly)
for (n = 0; n < 2; n++)
{
- p = &mgf1_tests[_i].poly_test[n];
+ p = &trits_tests[_i].poly_test[n];
poly = TEST_FUNCTION(ntru, ntru_poly_create_from_seed,
- mgf1_tests[_i].alg, seed, p->c_bits, p->N, p->q,
+ trits_tests[_i].alg, seed, p->c_bits, p->N, p->q,
p->indices_len, p->indices_len, p->is_product_form);
ck_assert(poly != NULL && poly->get_size(poly) == p->indices_size);
@@ -1182,7 +1061,6 @@ START_TEST(test_ntru_ke)
diffie_hellman_t *i_ntru, *r_ntru;
char buf[10];
int k, n, len;
- status_t status;
k = (_i) / countof(parameter_sets);
n = (_i) % countof(parameter_sets);
@@ -1199,23 +1077,21 @@ START_TEST(test_ntru_ke)
ck_assert(i_ntru != NULL);
ck_assert(i_ntru->get_dh_group(i_ntru) == params[k].group);
- i_ntru->get_my_public_value(i_ntru, &pub_key);
+ ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key));
ck_assert(pub_key.len > 0);
r_ntru = lib->crypto->create_dh(lib->crypto, params[k].group);
ck_assert(r_ntru != NULL);
- r_ntru->set_other_public_value(r_ntru, pub_key);
- r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ ck_assert(r_ntru->set_other_public_value(r_ntru, pub_key));
+ ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
ck_assert(cipher_text.len > 0);
- status = r_ntru->get_shared_secret(r_ntru, &r_shared_secret);
- ck_assert(status == SUCCESS);
+ ck_assert(r_ntru->get_shared_secret(r_ntru, &r_shared_secret));
ck_assert(r_shared_secret.len > 0);
- i_ntru->set_other_public_value(i_ntru, cipher_text);
- status = i_ntru->get_shared_secret(i_ntru, &i_shared_secret);
- ck_assert(status == SUCCESS);
+ ck_assert(i_ntru->set_other_public_value(i_ntru, cipher_text));
+ ck_assert(i_ntru->get_shared_secret(i_ntru, &i_shared_secret));
ck_assert(chunk_equals(i_shared_secret, r_shared_secret));
chunk_clear(&i_shared_secret);
@@ -1233,8 +1109,8 @@ START_TEST(test_ntru_retransmission)
chunk_t pub_key1, pub_key2;
i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_256_BIT);
- i_ntru->get_my_public_value(i_ntru, &pub_key1);
- i_ntru->get_my_public_value(i_ntru, &pub_key2);
+ ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key1));
+ ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key2));
ck_assert(chunk_equals(pub_key1, pub_key2));
chunk_free(&pub_key1);
@@ -1260,8 +1136,8 @@ START_TEST(test_ntru_pubkey_oid)
chunk_t cipher_text;
r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
- r_ntru->set_other_public_value(r_ntru, oid_tests[_i]);
- r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ ck_assert(!r_ntru->set_other_public_value(r_ntru, oid_tests[_i]));
+ ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
ck_assert(cipher_text.len == 0);
r_ntru->destroy(r_ntru);
}
@@ -1276,14 +1152,14 @@ START_TEST(test_ntru_wrong_set)
"libstrongswan.plugins.ntru.parameter_set",
"x9_98_bandwidth");
i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
- i_ntru->get_my_public_value(i_ntru, &pub_key);
+ ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key));
lib->settings->set_str(lib->settings,
"libstrongswan.plugins.ntru.parameter_set",
"optimum");
r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_112_BIT);
- r_ntru->set_other_public_value(r_ntru, pub_key);
- r_ntru->get_my_public_value(r_ntru, &cipher_text);
+ ck_assert(!r_ntru->set_other_public_value(r_ntru, pub_key));
+ ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
ck_assert(cipher_text.len == 0);
chunk_free(&pub_key);
@@ -1314,9 +1190,9 @@ START_TEST(test_ntru_ciphertext)
for (i = 0; i < countof(test); i++)
{
i_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
- i_ntru->get_my_public_value(i_ntru, &pub_key);
- i_ntru->set_other_public_value(i_ntru, test[i]);
- ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+ ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key));
+ ck_assert(!i_ntru->set_other_public_value(i_ntru, test[i]));
+ ck_assert(!i_ntru->get_shared_secret(i_ntru, &shared_secret));
ck_assert(shared_secret.len == 0);
chunk_free(&pub_key);
@@ -1334,12 +1210,12 @@ START_TEST(test_ntru_wrong_ciphertext)
r_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
m_ntru = lib->crypto->create_dh(lib->crypto, NTRU_128_BIT);
- i_ntru->get_my_public_value(i_ntru, &pub_key_i);
- m_ntru->get_my_public_value(m_ntru, &pub_key_m);
- r_ntru->set_other_public_value(r_ntru, pub_key_m);
- r_ntru->get_my_public_value(r_ntru, &cipher_text);
- i_ntru->set_other_public_value(i_ntru, cipher_text);
- ck_assert(i_ntru->get_shared_secret(i_ntru, &shared_secret) != SUCCESS);
+ ck_assert(i_ntru->get_my_public_value(i_ntru, &pub_key_i));
+ ck_assert(m_ntru->get_my_public_value(m_ntru, &pub_key_m));
+ ck_assert(r_ntru->set_other_public_value(r_ntru, pub_key_m));
+ ck_assert(r_ntru->get_my_public_value(r_ntru, &cipher_text));
+ ck_assert(!i_ntru->set_other_public_value(i_ntru, cipher_text));
+ ck_assert(!i_ntru->get_shared_secret(i_ntru, &shared_secret));
ck_assert(shared_secret.len == 0);
chunk_free(&pub_key_i);
@@ -1370,16 +1246,12 @@ Suite *ntru_suite_create()
tcase_add_test(tc, test_ntru_drbg_reseed);
suite_add_tcase(s, tc);
- tc = tcase_create("mgf1");
- tcase_add_loop_test(tc, test_ntru_mgf1, 0, countof(mgf1_tests));
- suite_add_tcase(s, tc);
-
tc = tcase_create("trits");
- tcase_add_loop_test(tc, test_ntru_trits, 0, countof(mgf1_tests));
+ tcase_add_loop_test(tc, test_ntru_trits, 0, countof(trits_tests));
suite_add_tcase(s, tc);
tc = tcase_create("poly");
- tcase_add_loop_test(tc, test_ntru_poly, 0, countof(mgf1_tests));
+ tcase_add_loop_test(tc, test_ntru_poly, 0, countof(trits_tests));
suite_add_tcase(s, tc);
tc = tcase_create("ring_mult");
diff --git a/src/libstrongswan/tests/suites/test_settings.c b/src/libstrongswan/tests/suites/test_settings.c
index b9d429a24..9601a34a9 100644
--- a/src/libstrongswan/tests/suites/test_settings.c
+++ b/src/libstrongswan/tests/suites/test_settings.c
@@ -908,7 +908,7 @@ START_SETUP(setup_string_config)
"special = \"all { special } characters # can be used.\"\n"
"unterminated = \"is fine\n"
"but = produces a warning\n"
- "newlines = \"can either be encoded\\nor\\\n"
+ "newlines = \"can either be encoded\\nor \\\n"
"escaped\"\n"
"quotes = \"\\\"and\\\" slashes \\\\ can \\\\ be\" # escaped too\n"
"multiple = \"strings\" are \"combined\"\n"
@@ -922,7 +922,7 @@ START_TEST(test_strings)
verify_string("all { special } characters # can be used.", "special");
verify_string("is fine", "unterminated");
verify_string("produces a warning", "but");
- verify_string("can either be encoded\nor\nescaped", "newlines");
+ verify_string("can either be encoded\nor escaped", "newlines");
verify_string("\"and\" slashes \\ can \\ be", "quotes");
verify_string("strings are combined", "multiple");
}
diff --git a/src/libstrongswan/tests/suites/test_threading.c b/src/libstrongswan/tests/suites/test_threading.c
index 47e448484..55a4cd797 100644
--- a/src/libstrongswan/tests/suites/test_threading.c
+++ b/src/libstrongswan/tests/suites/test_threading.c
@@ -553,6 +553,49 @@ START_TEST(test_rwlock)
}
END_TEST
+static void *rwlock_try_run(void *param)
+{
+ if (rwlock->try_write_lock(rwlock))
+ {
+ rwlock->unlock(rwlock);
+ return param;
+ }
+ return NULL;
+}
+
+START_TEST(test_rwlock_try)
+{
+ uintptr_t magic = 0xcafebabe;
+ thread_t *thread;
+
+ rwlock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+
+ thread = thread_create(rwlock_try_run, (void*)magic);
+ ck_assert_int_eq((uintptr_t)thread->join(thread), magic);
+
+ rwlock->read_lock(rwlock);
+ thread = thread_create(rwlock_try_run, (void*)magic);
+ ck_assert(thread->join(thread) == NULL);
+ rwlock->unlock(rwlock);
+
+ rwlock->read_lock(rwlock);
+ rwlock->read_lock(rwlock);
+ rwlock->read_lock(rwlock);
+ thread = thread_create(rwlock_try_run, (void*)magic);
+ ck_assert(thread->join(thread) == NULL);
+ rwlock->unlock(rwlock);
+ rwlock->unlock(rwlock);
+ rwlock->unlock(rwlock);
+
+ rwlock->write_lock(rwlock);
+ thread = thread_create(rwlock_try_run, (void*)magic);
+ ck_assert(thread->join(thread) == NULL);
+ rwlock->unlock(rwlock);
+
+ rwlock->destroy(rwlock);
+}
+END_TEST
+
/**
* Rwlock condvar
*/
@@ -1132,6 +1175,191 @@ START_TEST(test_cancel_point)
}
END_TEST
+static void close_fd_ptr(void *fd)
+{
+ close(*(int*)fd);
+}
+
+static void cancellation_recv()
+{
+ int sv[2];
+ char buf[1];
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+ thread_cleanup_push(close_fd_ptr, &sv[0]);
+ thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ ck_assert(recv(sv[0], buf, sizeof(buf), 0) == 1);
+ }
+}
+
+static void cancellation_read()
+{
+ int sv[2];
+ char buf[1];
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+ thread_cleanup_push(close_fd_ptr, &sv[0]);
+ thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ ck_assert(read(sv[0], buf, sizeof(buf)) == 1);
+ }
+}
+
+static void cancellation_select()
+{
+ int sv[2];
+ fd_set set;
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+ thread_cleanup_push(close_fd_ptr, &sv[0]);
+ thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+ FD_ZERO(&set);
+ FD_SET(sv[0], &set);
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ ck_assert(select(sv[0] + 1, &set, NULL, NULL, NULL) == 1);
+ }
+}
+
+static void cancellation_poll()
+{
+ int sv[2];
+ struct pollfd pfd;
+
+ ck_assert(socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0);
+
+ thread_cleanup_push(close_fd_ptr, &sv[0]);
+ thread_cleanup_push(close_fd_ptr, &sv[1]);
+
+ pfd.fd = sv[0];
+ pfd.events = POLLIN;
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ ck_assert(poll(&pfd, 1, -1) == 1);
+ }
+}
+
+static void cancellation_accept()
+{
+ host_t *host;
+ int fd, c;
+
+ fd = socket(AF_INET, SOCK_STREAM, 0);
+ ck_assert(fd >= 0);
+ host = host_create_from_string("127.0.0.1", 0);
+ ck_assert_msg(bind(fd, host->get_sockaddr(host),
+ *host->get_sockaddr_len(host)) == 0, "%m");
+ host->destroy(host);
+ ck_assert(listen(fd, 5) == 0);
+
+ thread_cleanup_push(close_fd_ptr, &fd);
+
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ c = accept(fd, NULL, NULL);
+ ck_assert(c >= 0);
+ close(c);
+ }
+}
+
+static void cancellation_cond()
+{
+ mutex_t *mutex;
+ condvar_t *cond;
+
+ mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ cond = condvar_create(CONDVAR_TYPE_DEFAULT);
+ mutex->lock(mutex);
+
+ thread_cleanup_push((void*)mutex->destroy, mutex);
+ thread_cleanup_push((void*)cond->destroy, cond);
+
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ cond->wait(cond, mutex);
+ }
+}
+
+static void cancellation_rwcond()
+{
+ rwlock_t *lock;
+ rwlock_condvar_t *cond;
+
+ lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ cond = rwlock_condvar_create();
+ lock->write_lock(lock);
+
+ thread_cleanup_push((void*)lock->destroy, lock);
+ thread_cleanup_push((void*)cond->destroy, cond);
+
+ thread_cancelability(TRUE);
+ while (TRUE)
+ {
+ cond->wait(cond, lock);
+ }
+}
+
+static void (*cancellation_points[])() = {
+ cancellation_read,
+ cancellation_recv,
+ cancellation_select,
+ cancellation_poll,
+ cancellation_accept,
+ cancellation_cond,
+ cancellation_rwcond,
+};
+
+static void* run_cancellation_point(void (*fn)())
+{
+ fn();
+ return NULL;
+}
+
+static void* run_cancellation_point_pre(void (*fn)())
+{
+ usleep(5000);
+ fn();
+ return NULL;
+}
+
+START_TEST(test_cancellation_point)
+{
+ thread_t *thread;
+
+ thread = thread_create((void*)run_cancellation_point,
+ cancellation_points[_i]);
+ usleep(5000);
+ thread->cancel(thread);
+ thread->join(thread);
+}
+END_TEST
+
+START_TEST(test_cancellation_point_pre)
+{
+ thread_t *thread;
+
+ thread = thread_create((void*)run_cancellation_point_pre,
+ cancellation_points[_i]);
+ thread->cancel(thread);
+ thread->join(thread);
+}
+END_TEST
+
static void cleanup1(void *data)
{
uintptr_t *value = (uintptr_t*)data;
@@ -1423,6 +1651,7 @@ Suite *threading_suite_create()
tc = tcase_create("rwlock");
tcase_add_test(tc, test_rwlock);
+ tcase_add_test(tc, test_rwlock_try);
suite_add_tcase(s, tc);
tc = tcase_create("rwlock condvar");
@@ -1456,6 +1685,13 @@ Suite *threading_suite_create()
tcase_add_test(tc, test_cancel_point);
suite_add_tcase(s, tc);
+ tc = tcase_create("thread cancellation point");
+ tcase_add_loop_test(tc, test_cancellation_point,
+ 0, countof(cancellation_points));
+ tcase_add_loop_test(tc, test_cancellation_point_pre,
+ 0, countof(cancellation_points));
+ suite_add_tcase(s, tc);
+
tc = tcase_create("thread cleanup");
tcase_add_test(tc, test_cleanup);
tcase_add_test(tc, test_cleanup_exit);
diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c
new file mode 100644
index 000000000..4312c6ce1
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_traffic_selector.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <selectors/traffic_selector.h>
+
+
+static void verify(const char *str, const char *alt, traffic_selector_t *ts)
+{
+ char buf[512];
+
+ ck_assert(ts != NULL);
+ snprintf(buf, sizeof(buf), "%R", ts);
+ ts->destroy(ts);
+ if (!streq(buf, str) && !streq(buf, alt))
+ {
+ fail("%s != %s or %s", buf, str, alt);
+ }
+}
+
+START_TEST(test_create_from_string)
+{
+ verify("10.1.0.0/16[tcp/http]", "10.1.0.0/16[6/80]",
+ traffic_selector_create_from_string(IPPROTO_TCP, TS_IPV4_ADDR_RANGE,
+ "10.1.0.0", 80, "10.1.255.255", 80));
+ verify("10.1.0.1..10.1.0.99[udp/1234-1235]",
+ "10.1.0.1..10.1.0.99[17/1234-1235]",
+ traffic_selector_create_from_string(IPPROTO_UDP, TS_IPV4_ADDR_RANGE,
+ "10.1.0.1", 1234, "10.1.0.99", 1235));
+ verify("fec1::/64", NULL,
+ traffic_selector_create_from_string(0, TS_IPV6_ADDR_RANGE,
+ "fec1::", 0, "fec1::ffff:ffff:ffff:ffff", 65535));
+}
+END_TEST
+
+START_TEST(test_create_from_cidr)
+{
+ verify("10.1.0.0/16", NULL,
+ traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535));
+ verify("10.1.0.1/32[udp/1234-1235]", "10.1.0.1/32[17/1234-1235]",
+ traffic_selector_create_from_cidr("10.1.0.1/32", IPPROTO_UDP,
+ 1234, 1235));
+}
+END_TEST
+
+START_TEST(test_create_from_bytes)
+{
+ verify("10.1.0.0/16", NULL,
+ traffic_selector_create_from_bytes(0, TS_IPV4_ADDR_RANGE,
+ chunk_from_chars(0x0a,0x01,0x00,0x00), 0,
+ chunk_from_chars(0x0a,0x01,0xff,0xff), 65535));
+}
+END_TEST
+
+START_TEST(test_create_from_subnet)
+{
+ verify("10.1.0.0/16", NULL,
+ traffic_selector_create_from_subnet(
+ host_create_from_string("10.1.0.0", 0), 16, 0, 0, 65535));
+}
+END_TEST
+
+
+START_TEST(test_subset)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535);
+ b = traffic_selector_create_from_cidr("10.1.5.0/24", 0, 0, 65535);
+ verify("10.1.5.0/24", NULL, a->get_subset(a, b));
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_port)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr("10.0.0.0/8", IPPROTO_TCP, 55, 60);
+ b = traffic_selector_create_from_cidr("10.2.7.16/30", 0, 0, 65535);
+ verify("10.2.7.16/30[tcp/55-60]", "10.2.7.16/30[6/55-60]",
+ a->get_subset(a, b));
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_equal)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 80, 80);
+ b = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 80, 80);
+ verify("10.1.0.0/16[tcp/http]", "10.1.0.0/16[6/80]", a->get_subset(a, b));
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_nonet)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 65535);
+ b = traffic_selector_create_from_cidr("10.2.0.0/16", 0, 0, 65535);
+ ck_assert(a->get_subset(a, b) == NULL);
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_noport)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 0, 9999);
+ b = traffic_selector_create_from_cidr("10.1.0.0/16", 0, 10000, 65535);
+ ck_assert(a->get_subset(a, b) == NULL);
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_noproto)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_TCP, 0, 65535);
+ b = traffic_selector_create_from_cidr("10.1.0.0/16", IPPROTO_UDP, 0, 65535);
+ ck_assert(a->get_subset(a, b) == NULL);
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+START_TEST(test_subset_nofamily)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
+ b = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
+ ck_assert(a->get_subset(a, b) == NULL);
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+struct {
+ char *net;
+ char *host;
+ bool inc;
+} include_tests[] = {
+ { "0.0.0.0/0", "192.168.1.2", TRUE },
+ { "::/0", "fec2::1", TRUE },
+ { "fec2::/64", "fec2::afaf", TRUE },
+ { "10.1.0.0/16", "10.1.0.1", TRUE },
+ { "10.5.6.7/32", "10.5.6.7", TRUE },
+ { "0.0.0.0/0", "fec2::1", FALSE },
+ { "::/0", "1.2.3.4", FALSE },
+ { "10.0.0.0/16", "10.1.0.0", FALSE },
+ { "fec2::/64", "fec2:0:0:1::afaf", FALSE },
+};
+
+START_TEST(test_includes)
+{
+ traffic_selector_t *ts;
+ host_t *h;
+
+ ts = traffic_selector_create_from_cidr(include_tests[_i].net, 0, 0, 65535);
+ h = host_create_from_string(include_tests[_i].host, 0);
+ ck_assert(ts->includes(ts, h) == include_tests[_i].inc);
+ ts->destroy(ts);
+ h->destroy(h);
+}
+END_TEST
+
+struct {
+ int res;
+ struct {
+ char *net;
+ u_int8_t proto;
+ u_int16_t from_port;
+ u_int16_t to_port;
+ } a, b;
+} cmp_tests[] = {
+ { 0, { "10.0.0.0/8", 0, 0, 65535 }, { "10.0.0.0/8", 0, 0, 65535 }, },
+ { 0, { "10.0.0.0/8", 17, 123, 456 }, { "10.0.0.0/8", 17, 123, 456 }, },
+ { 0, { "fec2::/64", 0, 0, 65535 }, { "fec2::/64", 0, 0, 65535 }, },
+ { 0, { "fec2::/64", 4, 0, 65535 }, { "fec2::/64", 4, 0, 65535 }, },
+
+ { -1, { "1.0.0.0/8", 0, 0, 65535 }, { "2.0.0.0/8", 0, 0, 65535 }, },
+ { 1, { "2.0.0.0/8", 0, 0, 65535 }, { "1.0.0.0/8", 0, 0, 65535 }, },
+ { -1, { "1.0.0.0/8", 0, 0, 65535 }, { "1.0.0.0/16", 0, 0, 65535 }, },
+ { 1, { "1.0.0.0/16", 0, 0, 65535 }, { "1.0.0.0/8", 0, 0, 65535 }, },
+
+ { -1, { "10.0.0.0/8", 0, 0, 65535 }, { "fec2::/64", 0, 0, 65535 }, },
+ { 1, { "fec2::/64", 0, 0, 65535 }, { "10.0.0.0/8", 0, 0, 65535 }, },
+
+ { -1, { "10.0.0.0/8", 16, 123, 456 }, { "10.0.0.0/8", 17, 123, 456 }, },
+ { 1, { "fec2::/64", 5, 0, 65535 }, { "fec2::/64", 4, 0, 65535 }, },
+
+ { -1, { "10.0.0.0/8", 17, 111, 456 }, { "10.0.0.0/8", 17, 222, 456 }, },
+ { 1, { "fec2::/64", 17, 555, 65535 }, { "fec2::/64", 17, 444, 65535 },},
+
+ { -1, { "10.0.0.0/8", 17, 55, 65535 }, { "10.0.0.0/8", 17, 55, 666 }, },
+ { 1, { "fec2::/64", 17, 55, 111 }, { "fec2::/64", 17, 55, 4567 }, },
+
+};
+
+START_TEST(test_cmp)
+{
+ traffic_selector_t *a, *b;
+
+ a = traffic_selector_create_from_cidr(
+ cmp_tests[_i].a.net, cmp_tests[_i].a.proto,
+ cmp_tests[_i].a.from_port, cmp_tests[_i].a.to_port);
+ b = traffic_selector_create_from_cidr(
+ cmp_tests[_i].b.net, cmp_tests[_i].b.proto,
+ cmp_tests[_i].b.from_port, cmp_tests[_i].b.to_port);
+ switch (cmp_tests[_i].res)
+ {
+ case 0:
+ ck_assert(traffic_selector_cmp(a, b, NULL) == 0);
+ break;
+ case 1:
+ ck_assert(traffic_selector_cmp(a, b, NULL) > 0);
+ break;
+ case -1:
+ ck_assert(traffic_selector_cmp(a, b, NULL) < 0);
+ break;
+ }
+ a->destroy(a);
+ b->destroy(b);
+}
+END_TEST
+
+Suite *traffic_selector_suite_create()
+{
+ Suite *s;
+ TCase *tc;
+
+ s = suite_create("traffic selector");
+
+ tc = tcase_create("create");
+ tcase_add_test(tc, test_create_from_string);
+ tcase_add_test(tc, test_create_from_cidr);
+ tcase_add_test(tc, test_create_from_bytes);
+ tcase_add_test(tc, test_create_from_subnet);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("subset");
+ tcase_add_test(tc, test_subset);
+ tcase_add_test(tc, test_subset_port);
+ tcase_add_test(tc, test_subset_equal);
+ tcase_add_test(tc, test_subset_nonet);
+ tcase_add_test(tc, test_subset_noport);
+ tcase_add_test(tc, test_subset_noproto);
+ tcase_add_test(tc, test_subset_nofamily);
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("includes");
+ tcase_add_loop_test(tc, test_includes, 0, countof(include_tests));
+ suite_add_tcase(s, tc);
+
+ tc = tcase_create("cmp");
+ tcase_add_loop_test(tc, test_cmp, 0, countof(cmp_tests));
+ suite_add_tcase(s, tc);
+
+ return s;
+}
diff --git a/src/libstrongswan/tests/suites/test_utils.c b/src/libstrongswan/tests/suites/test_utils.c
index abca4620e..85a854456 100644
--- a/src/libstrongswan/tests/suites/test_utils.c
+++ b/src/libstrongswan/tests/suites/test_utils.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Tobias Brunner
+ * Copyright (C) 2013-2015 Tobias Brunner
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -18,6 +18,7 @@
#include <library.h>
#include <utils/utils.h>
#include <ipsec/ipsec_types.h>
+#include <credentials/keys/public_key.h>
#include <time.h>
@@ -695,6 +696,44 @@ START_TEST(test_mark_from_string)
}
END_TEST
+/*******************************************************************************
+ * signature_schemes_for_key
+ */
+
+static struct {
+ key_type_t type;
+ int size;
+ signature_scheme_t expected[4];
+} scheme_data[] = {
+ {KEY_RSA, 1024, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+ {KEY_RSA, 2048, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+ {KEY_RSA, 4096, { SIGN_RSA_EMSA_PKCS1_SHA384, SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+ {KEY_RSA, 8192, { SIGN_RSA_EMSA_PKCS1_SHA512, SIGN_UNKNOWN }},
+ {KEY_ECDSA, 256, { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+ {KEY_ECDSA, 384, { SIGN_ECDSA_WITH_SHA384_DER, SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+ {KEY_ECDSA, 512, { SIGN_ECDSA_WITH_SHA512_DER, SIGN_UNKNOWN }},
+ {KEY_BLISS, 128, { SIGN_BLISS_WITH_SHA256, SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+ {KEY_BLISS, 192, { SIGN_BLISS_WITH_SHA384, SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+ {KEY_BLISS, 256, { SIGN_BLISS_WITH_SHA512, SIGN_UNKNOWN }},
+};
+
+START_TEST(test_signature_schemes_for_key)
+{
+ enumerator_t *enumerator;
+ signature_scheme_t scheme;
+ int i;
+
+ enumerator = signature_schemes_for_key(scheme_data[_i].type, scheme_data[_i].size);
+ for (i = 0; scheme_data[_i].expected[i] != SIGN_UNKNOWN; i++)
+ {
+ ck_assert(enumerator->enumerate(enumerator, &scheme));
+ ck_assert_int_eq(scheme_data[_i].expected[i], scheme);
+ }
+ ck_assert(!enumerator->enumerate(enumerator, &scheme));
+ enumerator->destroy(enumerator);
+}
+END_TEST
+
Suite *utils_suite_create()
{
Suite *s;
@@ -777,5 +816,9 @@ Suite *utils_suite_create()
tcase_add_loop_test(tc, test_mark_from_string, 0, countof(mark_data));
suite_add_tcase(s, tc);
+ tc = tcase_create("signature_schemes_for_key");
+ tcase_add_loop_test(tc, test_signature_schemes_for_key, 0, countof(scheme_data));
+ suite_add_tcase(s, tc);
+
return s;
}
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index 586227800..e1d8ca4ba 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -23,6 +23,7 @@ TEST_SUITE(linked_list_enumerator_suite_create)
TEST_SUITE(hashtable_suite_create)
TEST_SUITE(array_suite_create)
TEST_SUITE(identification_suite_create)
+TEST_SUITE(traffic_selector_suite_create)
TEST_SUITE(threading_suite_create)
TEST_SUITE(process_suite_create)
TEST_SUITE(watcher_suite_create)
@@ -32,6 +33,8 @@ TEST_SUITE(settings_suite_create)
TEST_SUITE(vectors_suite_create)
TEST_SUITE_DEPEND(ecdsa_suite_create, PRIVKEY_GEN, KEY_ECDSA)
TEST_SUITE_DEPEND(rsa_suite_create, PRIVKEY_GEN, KEY_RSA)
+TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509)
+TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509)
TEST_SUITE(host_suite_create)
TEST_SUITE(printf_suite_create)
TEST_SUITE(hasher_suite_create)
@@ -41,5 +44,7 @@ TEST_SUITE(pen_suite_create)
TEST_SUITE(asn1_suite_create)
TEST_SUITE(asn1_parser_suite_create)
TEST_SUITE(test_rng_suite_create)
+TEST_SUITE_DEPEND(mgf1_sha1_suite_create, HASHER, HASH_SHA1)
+TEST_SUITE_DEPEND(mgf1_sha256_suite_create, HASHER, HASH_SHA256)
TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
diff --git a/src/libstrongswan/threading/semaphore.h b/src/libstrongswan/threading/semaphore.h
index 34d814971..d3ab0f3d9 100644
--- a/src/libstrongswan/threading/semaphore.h
+++ b/src/libstrongswan/threading/semaphore.h
@@ -21,10 +21,7 @@
#ifndef THREADING_SEMAPHORE_H_
#define THREADING_SEMAPHORE_H_
-#ifdef __APPLE__
-/* Mach uses a semaphore_create() call, use a different name for ours */
-#define semaphore_create(x) strongswan_semaphore_create(x)
-#endif /* __APPLE__ */
+#include <utils/utils.h>
typedef struct semaphore_t semaphore_t;
@@ -87,4 +84,3 @@ struct semaphore_t {
semaphore_t *semaphore_create(u_int value);
#endif /** THREADING_SEMAPHORE_H_ @} */
-
diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h
index 6abb83411..38275541e 100644
--- a/src/libstrongswan/threading/thread.h
+++ b/src/libstrongswan/threading/thread.h
@@ -21,40 +21,9 @@
#ifndef THREADING_THREAD_H_
#define THREADING_THREAD_H_
-typedef struct thread_t thread_t;
-
-#ifdef __APPLE__
-/* thread_create is a syscall used to create Mach kernel threads and although
- * there are no errors or warnings during compilation or linkage the dynamic
- * linker does not use our implementation, therefore we rename it here
- */
-#define thread_create(main, arg) strongswan_thread_create(main, arg)
+#include <utils/utils.h>
-/* on Mac OS X 10.5 several system calls we use are no cancellation points.
- * fortunately, select isn't one of them, so we wrap some of the others with
- * calls to select(2).
- */
-#include <sys/socket.h>
-#include <sys/select.h>
-
-#define WRAP_WITH_SELECT(func, socket, ...)\
- fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\
- if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\
- return func(socket, __VA_ARGS__)
-
-static inline int cancellable_accept(int socket, struct sockaddr *address,
- socklen_t *address_len)
-{
- WRAP_WITH_SELECT(accept, socket, address, address_len);
-}
-#define accept cancellable_accept
-static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
- int flags, struct sockaddr *address, socklen_t *address_len)
-{
- WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len);
-}
-#define recvfrom cancellable_recvfrom
-#endif /* __APPLE__ */
+typedef struct thread_t thread_t;
/**
* Main function of a thread.
@@ -189,32 +158,4 @@ void threads_init();
*/
void threads_deinit();
-
-#ifdef __APPLE__
-
-/*
- * While select() is a cancellation point, it seems that OS X does not honor
- * pending cancellation points when entering the function. We manually test for
- * and honor pending cancellation requests, but this obviously can't prevent
- * some race conditions where the the cancellation happens after the check,
- * but before the select.
- */
-static inline int precancellable_select(int nfds, fd_set *restrict readfds,
- fd_set *restrict writefds, fd_set *restrict errorfds,
- struct timeval *restrict timeout)
-{
- if (thread_cancelability(TRUE))
- {
- thread_cancellation_point();
- }
- else
- {
- thread_cancelability(FALSE);
- }
- return select(nfds, readfds, writefds, errorfds, timeout);
-}
-#define select precancellable_select
-
-#endif /* __APPLE__ */
-
#endif /** THREADING_THREAD_H_ @} */
diff --git a/src/libstrongswan/threading/windows/rwlock.c b/src/libstrongswan/threading/windows/rwlock.c
index 0de57f713..fc0d6d864 100644
--- a/src/libstrongswan/threading/windows/rwlock.c
+++ b/src/libstrongswan/threading/windows/rwlock.c
@@ -85,8 +85,6 @@ METHOD(rwlock_t, write_lock, void,
METHOD(rwlock_t, try_write_lock, bool,
private_rwlock_t *this)
{
- /* TODO: causes random failures and segfaults. Bug? */
- return FALSE;
return TryAcquireSRWLockExclusive(&this->srw);
}
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index 4b24b37c2..c4471be70 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -992,7 +992,7 @@ u_int32_t chunk_hash_static(chunk_t chunk)
*/
u_int16_t chunk_internet_checksum_inc(chunk_t data, u_int16_t checksum)
{
- u_int32_t sum = ntohs(~checksum);
+ u_int32_t sum = ntohs((u_int16_t)~checksum);
while (data.len > 1)
{
diff --git a/src/libstrongswan/utils/compat/apple.h b/src/libstrongswan/utils/compat/apple.h
new file mode 100644
index 000000000..61afb9d9e
--- /dev/null
+++ b/src/libstrongswan/utils/compat/apple.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup apple apple
+ * @{ @ingroup compat
+ */
+
+#ifndef APPLE_H_
+#define APPLE_H_
+
+#include <poll.h>
+#include <sys/socket.h>
+#include <sys/select.h>
+
+/* thread_create is a syscall used to create Mach kernel threads and although
+ * there are no errors or warnings during compilation or linkage the dynamic
+ * linker does not use our implementation, therefore we rename it here
+ */
+#define thread_create(main, arg) strongswan_thread_create(main, arg)
+
+/* Mach uses a semaphore_create() call, use a different name for ours */
+#define semaphore_create(x) strongswan_semaphore_create(x)
+
+/* Since OS X 10.10 XPC includes some additional conflicting Mach types */
+#define host_t strongswan_host_t
+#define processor_t strongswan_processor_t
+#define task_t strongswan_task_t
+#define thread_t strongswan_thread_t
+
+/* forward declaration, see below */
+static inline int precancellable_poll(struct pollfd fds[], nfds_t nfds,
+ int timeout);
+
+/* on Mac OS X 10.5 several system calls we use are no cancellation points.
+ * fortunately, select isn't one of them, so we wrap some of the others with
+ * calls to select(2).
+ */
+
+#define WRAP_WITH_POLL(func, socket, ...) \
+ struct pollfd pfd = { \
+ .fd = socket, \
+ .events = POLLIN, \
+ }; \
+ if (precancellable_poll(&pfd, 1, -1) <= 0) \
+ {\
+ return -1; \
+ }\
+ return func(socket, __VA_ARGS__)
+
+static inline int cancellable_accept(int socket, struct sockaddr *address,
+ socklen_t *address_len)
+{
+ WRAP_WITH_POLL(accept, socket, address, address_len);
+}
+#define accept cancellable_accept
+static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
+ int flags, struct sockaddr *address, socklen_t *address_len)
+{
+ WRAP_WITH_POLL(recvfrom, socket, buffer, length, flags, address, address_len);
+}
+#define recvfrom cancellable_recvfrom
+
+#include <threading/thread.h>
+
+/*
+ * While select() is a cancellation point, it seems that OS X does not honor
+ * pending cancellation points when entering the function. We manually test for
+ * and honor pending cancellation requests, but this obviously can't prevent
+ * some race conditions where the the cancellation happens after the check,
+ * but before the select.
+ */
+static inline int precancellable_select(int nfds, fd_set *restrict readfds,
+ fd_set *restrict writefds, fd_set *restrict errorfds,
+ struct timeval *restrict timeout)
+{
+ if (thread_cancelability(TRUE))
+ {
+ thread_cancellation_point();
+ }
+ else
+ {
+ thread_cancelability(FALSE);
+ }
+ return select(nfds, readfds, writefds, errorfds, timeout);
+}
+#define select precancellable_select
+
+/*
+ * The same as to select(2) applies to poll(2)
+ */
+static inline int precancellable_poll(struct pollfd fds[], nfds_t nfds,
+ int timeout)
+{
+ if (thread_cancelability(TRUE))
+ {
+ thread_cancellation_point();
+ }
+ else
+ {
+ thread_cancelability(FALSE);
+ }
+ return poll(fds, nfds, timeout);
+}
+#define poll precancellable_poll
+
+#endif /** APPLE_H_ @}*/
diff --git a/src/libstrongswan/utils/windows.c b/src/libstrongswan/utils/compat/windows.c
index 8820287b1..1f22ffa02 100644
--- a/src/libstrongswan/utils/windows.c
+++ b/src/libstrongswan/utils/compat/windows.c
@@ -13,7 +13,10 @@
* for more details.
*/
-#include "utils.h"
+/* WSAPoll() */
+#define _WIN32_WINNT 0x0600
+
+#include <utils/utils.h>
#include <errno.h>
@@ -639,3 +642,43 @@ ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags,
}
return outlen;
}
+
+/**
+ * See header
+ */
+#undef read
+ssize_t windows_read(int fd, void *buf, size_t count)
+{
+ ssize_t ret;
+
+ ret = wserr(recv(fd, buf, count, 0));
+ if (ret == -1 && errno == ENOTSOCK)
+ {
+ ret = read(fd, buf, count);
+ }
+ return ret;
+}
+
+/**
+ * See header
+ */
+#undef write
+ssize_t windows_write(int fd, void *buf, size_t count)
+{
+ ssize_t ret;
+
+ ret = wserr(send(fd, buf, count, 0));
+ if (ret == -1 && errno == ENOTSOCK)
+ {
+ ret = write(fd, buf, count);
+ }
+ return ret;
+}
+
+/**
+ * See header
+ */
+int poll(struct pollfd *fds, int nfds, int timeout)
+{
+ return wserr(WSAPoll(fds, nfds, timeout));
+}
diff --git a/src/libstrongswan/utils/windows.h b/src/libstrongswan/utils/compat/windows.h
index 3761e10ab..fd4f1f196 100644
--- a/src/libstrongswan/utils/windows.h
+++ b/src/libstrongswan/utils/compat/windows.h
@@ -15,7 +15,7 @@
/**
* @defgroup windows windows
- * @{ @ingroup utils
+ * @{ @ingroup compat
*/
#ifndef WINDOWS_H_
@@ -363,6 +363,49 @@ ssize_t windows_sendto(int sockfd, const void *buf, size_t len, int flags,
const struct sockaddr *dest_addr, socklen_t addrlen);
/**
+ * read(2) working on files and sockets, cancellable on sockets only
+ *
+ * On Windows, there does not seem to be a way how a cancellable read can
+ * be implemented on Low level I/O functions for files, _pipe()s or stdio.
+ */
+#define read windows_read
+ssize_t windows_read(int fd, void *buf, size_t count);
+
+/**
+ * write(2) working on files and sockets
+ */
+#define write windows_write
+ssize_t windows_write(int fd, void *buf, size_t count);
+
+#if _WIN32_WINNT < 0x0600
+/**
+ * Define pollfd and flags on our own if not specified
+ */
+struct pollfd {
+ SOCKET fd;
+ short events;
+ short revents;
+};
+enum {
+ POLLERR = 0x0001,
+ POLLHUP = 0x0002,
+ POLLNVAL = 0x0004,
+ POLLWRNORM = 0x0010,
+ POLLWRBAND = 0x0020,
+ POLLPRI = 0x0400,
+ POLLRDNORM = 0x0100,
+ POLLRDBAND = 0x0200,
+ POLLIN = POLLRDNORM | POLLRDBAND,
+ POLLOUT = POLLWRNORM,
+};
+#endif /* _WIN32_WINNT < 0x0600 */
+
+/**
+ * poll(2), implemented using Winsock2 WSAPoll()
+ */
+int poll(struct pollfd *fds, int nfds, int timeout);
+
+/**
* Declaration missing on older WinGW
*/
_CRTIMP errno_t strerror_s(char *buf, size_t size, int errnum);
diff --git a/src/libstrongswan/utils/enum.c b/src/libstrongswan/utils/enum.c
index f96fe2989..089bebb79 100644
--- a/src/libstrongswan/utils/enum.c
+++ b/src/libstrongswan/utils/enum.c
@@ -60,20 +60,103 @@ bool enum_from_name_as_int(enum_name_t *e, const char *name, int *val)
}
/**
+ * Get the position of a flag name using offset calculation
+ */
+static int find_flag_pos(u_int val, u_int first)
+{
+ int offset = 0;
+
+ while (val != 0x01)
+ {
+ val = val >> 1;
+ offset++;
+ }
+ return first - offset;
+}
+
+/**
* Described in header.
*/
+char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len)
+{
+ char *pos = buf, *delim = "";
+ int i, wr;
+
+ if (e->next != ENUM_FLAG_MAGIC)
+ {
+ if (snprintf(buf, len, "(%d)", (int)val) >= len)
+ {
+ return NULL;
+ }
+ return buf;
+ }
+
+ if (snprintf(buf, len, "(unset)") >= len)
+ {
+ return NULL;
+ }
+
+ for (i = 0; val; i++)
+ {
+ u_int flag = 1 << i;
+
+ if (val & flag)
+ {
+ char *name = NULL, hex[32];
+
+ if (flag >= (u_int)e->first && flag <= (u_int)e->last)
+ {
+ name = e->names[find_flag_pos(e->first, i)];
+ }
+ else
+ {
+ snprintf(hex, sizeof(hex), "(0x%X)", flag);
+ name = hex;
+ }
+ if (name)
+ {
+ wr = snprintf(pos, len, "%s%s", delim, name);
+ if (wr >= len)
+ {
+ return NULL;
+ }
+ len -= wr;
+ pos += wr;
+ delim = " | ";
+ }
+ val &= ~flag;
+ }
+ }
+ return buf;
+}
+
+/**
+ * See header.
+ */
int enum_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
const void *const *args)
{
enum_name_t *ed = *((enum_name_t**)(args[0]));
int val = *((int*)(args[1]));
- char *name, buf[32];
+ char *name, buf[512];
- name = enum_to_name(ed, val);
- if (name == NULL)
+ if (ed->next == ENUM_FLAG_MAGIC)
+ {
+ name = enum_flags_to_string(ed, val, buf, sizeof(buf));
+ if (name == NULL)
+ {
+ snprintf(buf, sizeof(buf), "(0x%X)", val);
+ name = buf;
+ }
+ }
+ else
{
- snprintf(buf, sizeof(buf), "(%d)", val);
- name = buf;
+ name = enum_to_name(ed, val);
+ if (name == NULL)
+ {
+ snprintf(buf, sizeof(buf), "(%d)", val);
+ name = buf;
+ }
}
if (spec->minus)
{
diff --git a/src/libstrongswan/utils/enum.h b/src/libstrongswan/utils/enum.h
index 3c03c2a7b..928f4079a 100644
--- a/src/libstrongswan/utils/enum.h
+++ b/src/libstrongswan/utils/enum.h
@@ -27,6 +27,11 @@
typedef struct enum_name_t enum_name_t;
/**
+ * Magic enum_name_t pointer indicating this is an enum name for flags
+ */
+#define ENUM_FLAG_MAGIC ((enum_name_t*)~(uintptr_t)0)
+
+/**
* Struct to store names for enums.
*
* To print the string representation of enumeration values, the strings
@@ -58,7 +63,7 @@ struct enum_name_t {
int first;
/** value of the last enum string */
int last;
- /** next enum_name_t in list */
+ /** next enum_name_t in list, or ENUM_FLAG_MAGIC */
enum_name_t *next;
/** array of strings containing names from first to last */
char *names[];
@@ -107,6 +112,23 @@ struct enum_name_t {
#define ENUM(name, first, last, ...) ENUM_BEGIN(name, first, last, __VA_ARGS__); ENUM_END(name, last)
/**
+ * Define a enum name with only one range for flags.
+ *
+ * Using an enum list for flags would be overkill. Hence we use a single
+ * range with all values in range. The next pointer is abused to mark
+ * that the enum name is for flags only. Use NULL if a particular flag
+ * is not meant to be printed.
+ *
+ * @param name name of the enum_name list
+ * @param first enum value of the first enum string
+ * @param last enum value of the last enum string
+ * @param ... a list of strings
+ */
+#define ENUM_FLAGS(name, first, last, ...) \
+ static enum_name_t name##last = {first, last, ENUM_FLAG_MAGIC, { __VA_ARGS__ }}; \
+ ENUM_END(name, last)
+
+/**
* Convert a enum value to its string representation.
*
* @param e enum names for this enum value
@@ -146,6 +168,17 @@ char *enum_to_name(enum_name_t *e, int val);
bool enum_from_name_as_int(enum_name_t *e, const char *name, int *val);
/**
+ * Convert a enum value containing flags to its string representation.
+ *
+ * @param e enum names for this enum value suitable for flags
+ * @param val enum value to get string for
+ * @param buf buffer to write flag string to
+ * @param len buffer size
+ * @return buf, NULL if buffer too small
+ */
+char *enum_flags_to_string(enum_name_t *e, u_int val, char *buf, size_t len);
+
+/**
* printf hook function for enum_names_t.
*
* Arguments are:
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 46ac7e890..b69adf399 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -17,6 +17,7 @@
#include <string.h>
#include <stdio.h>
+#include <errno.h>
#include "identification.h"
@@ -927,6 +928,82 @@ static private_identification_t *identification_create(id_type_t type)
return this;
}
+/**
+ * Create an identity for a specific type, determined by prefix
+ */
+static private_identification_t* create_from_string_with_prefix_type(char *str)
+{
+ struct {
+ const char *str;
+ id_type_t type;
+ } prefixes[] = {
+ { "ipv4:", ID_IPV4_ADDR },
+ { "ipv6:", ID_IPV6_ADDR },
+ { "rfc822:", ID_RFC822_ADDR },
+ { "email:", ID_RFC822_ADDR },
+ { "userfqdn:", ID_USER_FQDN },
+ { "fqdn:", ID_FQDN },
+ { "dns:", ID_FQDN },
+ { "asn1dn:", ID_DER_ASN1_DN },
+ { "asn1gn:", ID_DER_ASN1_GN },
+ { "keyid:", ID_KEY_ID },
+ };
+ private_identification_t *this;
+ int i;
+
+ for (i = 0; i < countof(prefixes); i++)
+ {
+ if (strcasepfx(str, prefixes[i].str))
+ {
+ this = identification_create(prefixes[i].type);
+ str += strlen(prefixes[i].str);
+ if (*str == '#')
+ {
+ this->encoded = chunk_from_hex(chunk_from_str(str + 1), NULL);
+ }
+ else
+ {
+ this->encoded = chunk_clone(chunk_from_str(str));
+ }
+ return this;
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Create an identity for a specific type, determined by a numerical prefix
+ *
+ * The prefix is of the form "{x}:", where x denotes the numerical identity
+ * type.
+ */
+static private_identification_t* create_from_string_with_num_type(char *str)
+{
+ private_identification_t *this;
+ u_long type;
+
+ if (*str++ != '{')
+ {
+ return NULL;
+ }
+ errno = 0;
+ type = strtoul(str, &str, 0);
+ if (errno || *str++ != '}' || *str++ != ':')
+ {
+ return NULL;
+ }
+ this = identification_create(type);
+ if (*str == '#')
+ {
+ this->encoded = chunk_from_hex(chunk_from_str(str + 1), NULL);
+ }
+ else
+ {
+ this->encoded = chunk_clone(chunk_from_str(str));
+ }
+ return this;
+}
+
/*
* Described in header.
*/
@@ -939,6 +1016,16 @@ identification_t *identification_create_from_string(char *string)
{
string = "%any";
}
+ this = create_from_string_with_prefix_type(string);
+ if (this)
+ {
+ return &this->public;
+ }
+ this = create_from_string_with_num_type(string);
+ if (this)
+ {
+ return &this->public;
+ }
if (strchr(string, '=') != NULL)
{
/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index e62446879..e6a9fe1c6 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -302,6 +302,15 @@ struct identification_t {
* N, G, I, dnQualifier, ID, EN, EmployeeNumber, E, Email, emailAddress, UN,
* unstructuredName, TCGID.
*
+ * To skip automatic type detection the following prefixes may be used to
+ * enforce a specific type: ipv4:, ipv6:, rfc822:, email:, userfqdn:, fqdn:,
+ * dns:, asn1dn:, asn1gn: and keyid:. If a # follows the :, the remaining data
+ * is interpreted as hex encoded binary data for that ID, otherwise the raw
+ * string following the prefix is used as identity data, without conversion.
+ * To specify a non-standard ID type, the numerical type may be prefixed
+ * between curly backets, building a prefix. For instance the "{1}:" prefix
+ * defines an ID_IPV4_ADDR type.
+ *
* This constructor never returns NULL. If it does not find a suitable
* conversion function, it will copy the string to an ID_KEY_ID.
*
diff --git a/src/libstrongswan/utils/utils.h b/src/libstrongswan/utils/utils.h
index da253cc35..7c48d949f 100644
--- a/src/libstrongswan/utils/utils.h
+++ b/src/libstrongswan/utils/utils.h
@@ -29,7 +29,7 @@
#include <string.h>
#ifdef WIN32
-# include "windows.h"
+# include "compat/windows.h"
#else
# define _GNU_SOURCE
# include <arpa/inet.h>
@@ -37,6 +37,7 @@
# include <netdb.h>
# include <netinet/in.h>
# include <sched.h>
+# include <poll.h>
#endif
/**
@@ -96,6 +97,9 @@
#include "enum.h"
#include "utils/strerror.h"
+#ifdef __APPLE__
+# include "compat/apple.h"
+#endif
/**
* Directory separator character in paths on this platform
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index 426d8bcb3..e6c23d970 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -278,6 +278,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -338,10 +339,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -415,6 +418,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
index 2e44fb4a5..7d5b3771c 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -223,6 +223,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -283,10 +284,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -360,6 +363,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 6a8d5030c..08a06f5ef 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -415,6 +415,12 @@ METHOD(tls_t, get_eap_msk, chunk_t,
return this->crypto->get_eap_msk(this->crypto);
}
+METHOD(tls_t, get_auth, auth_cfg_t*,
+ private_tls_t *this)
+{
+ return this->handshake->get_auth(this->handshake);
+}
+
METHOD(tls_t, destroy, void,
private_tls_t *this)
{
@@ -465,6 +471,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
.get_purpose = _get_purpose,
.is_complete = _is_complete,
.get_eap_msk = _get_eap_msk,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
.is_server = is_server,
@@ -487,7 +494,7 @@ tls_t *tls_create(bool is_server, identification_t *server,
this->alert, peer, server)->handshake;
}
this->fragmentation = tls_fragmentation_create(this->handshake, this->alert,
- this->application);
+ this->application, purpose);
this->compression = tls_compression_create(this->fragmentation, this->alert);
this->protection = tls_protection_create(this->compression, this->alert);
this->crypto->set_protection(this->crypto, this->protection);
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index fc1d9b9fd..f3dc198cf 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -252,6 +252,13 @@ struct tls_t {
chunk_t (*get_eap_msk)(tls_t *this);
/**
+ * Get the authentication details after completing the handshake.
+ *
+ * @return authentication details, internal data
+ */
+ auth_cfg_t* (*get_auth)(tls_t *this);
+
+ /**
* Destroy a tls_t.
*/
void (*destroy)(tls_t *this);
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c
index ebe5bc3a8..12d5aed53 100644
--- a/src/libtls/tls_eap.c
+++ b/src/libtls/tls_eap.c
@@ -426,6 +426,12 @@ METHOD(tls_eap_t, set_identifier, void,
this->identifier = identifier;
}
+METHOD(tls_eap_t, get_auth, auth_cfg_t*,
+ private_tls_eap_t *this)
+{
+ return this->tls->get_auth(this->tls);
+}
+
METHOD(tls_eap_t, destroy, void,
private_tls_eap_t *this)
{
@@ -453,6 +459,7 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
.get_msk = _get_msk,
.get_identifier = _get_identifier,
.set_identifier = _set_identifier,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
.type = type,
diff --git a/src/libtls/tls_eap.h b/src/libtls/tls_eap.h
index f3fbba078..df41fc4d7 100644
--- a/src/libtls/tls_eap.h
+++ b/src/libtls/tls_eap.h
@@ -77,6 +77,13 @@ struct tls_eap_t {
void (*set_identifier) (tls_eap_t *this, uint8_t identifier);
/**
+ * Get the authentication details after completing the handshake.
+ *
+ * @return authentication details, internal data
+ */
+ auth_cfg_t* (*get_auth)(tls_eap_t *this);
+
+ /**
* Destroy a tls_eap_t.
*/
void (*destroy)(tls_eap_t *this);
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index 6e4347e3c..a97ca1eaa 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -96,9 +96,32 @@ struct private_tls_fragmentation_t {
* Upper layer application data protocol
*/
tls_application_t *application;
+
+ /**
+ * Type of context this TLS instance runs in
+ */
+ tls_purpose_t purpose;
};
/**
+ * Check if we should send a close notify once the application finishes
+ */
+static bool send_close_notify(private_tls_fragmentation_t *this)
+{
+ switch (this->purpose)
+ {
+ case TLS_PURPOSE_EAP_TLS:
+ case TLS_PURPOSE_EAP_TTLS:
+ case TLS_PURPOSE_EAP_PEAP:
+ /* not for TLS-in-EAP, as we indicate completion with EAP-SUCCCESS.
+ * Windows does not like close notifies, and hangs/disconnects. */
+ return FALSE;
+ default:
+ return TRUE;
+ }
+}
+
+/**
* Process a TLS alert
*/
static status_t process_alert(private_tls_fragmentation_t *this,
@@ -223,6 +246,10 @@ static status_t process_application(private_tls_fragmentation_t *this,
continue;
case SUCCESS:
this->application_finished = TRUE;
+ if (!send_close_notify(this))
+ {
+ return SUCCESS;
+ }
/* FALL */
case FAILED:
default:
@@ -368,6 +395,10 @@ static status_t build_application(private_tls_fragmentation_t *this)
break;
case SUCCESS:
this->application_finished = TRUE;
+ if (!send_close_notify(this))
+ {
+ break;
+ }
/* FALL */
case FAILED:
default:
@@ -463,7 +494,8 @@ METHOD(tls_fragmentation_t, destroy, void,
* See header
*/
tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
- tls_alert_t *alert, tls_application_t *application)
+ tls_alert_t *alert, tls_application_t *application,
+ tls_purpose_t purpose)
{
private_tls_fragmentation_t *this;
@@ -478,6 +510,7 @@ tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
.alert = alert,
.state = ALERT_NONE,
.application = application,
+ .purpose = purpose,
);
return &this->public;
diff --git a/src/libtls/tls_fragmentation.h b/src/libtls/tls_fragmentation.h
index f650e7be8..a49f27b20 100644
--- a/src/libtls/tls_fragmentation.h
+++ b/src/libtls/tls_fragmentation.h
@@ -80,9 +80,11 @@ struct tls_fragmentation_t {
* @param handshake upper layer handshake protocol
* @param alert TLS alert handler
* @param application upper layer application data or NULL
+ * @param purpose type of context this TLS stack is running in
* @return TLS fragmentation layer
*/
tls_fragmentation_t *tls_fragmentation_create(tls_handshake_t *handshake,
- tls_alert_t *alert, tls_application_t *application);
+ tls_alert_t *alert, tls_application_t *application,
+ tls_purpose_t purpose);
#endif /** TLS_FRAGMENTATION_H_ @}*/
diff --git a/src/libtls/tls_handshake.h b/src/libtls/tls_handshake.h
index 7fa660c58..7edb49ba0 100644
--- a/src/libtls/tls_handshake.h
+++ b/src/libtls/tls_handshake.h
@@ -98,6 +98,13 @@ struct tls_handshake_t {
identification_t* (*get_server_id)(tls_handshake_t *this);
/**
+ * Get the peers authentication information after completing the handshake.
+ *
+ * @return authentication data, internal data
+ */
+ auth_cfg_t* (*get_auth)(tls_handshake_t *this);
+
+ /**
* Destroy a tls_handshake_t.
*/
void (*destroy)(tls_handshake_t *this);
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index a95b40f55..e6be36b7b 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -312,7 +312,7 @@ static status_t process_certificate(private_tls_peer_t *this,
static public_key_t *find_public_key(private_tls_peer_t *this)
{
public_key_t *public = NULL, *current;
- certificate_t *cert;
+ certificate_t *cert, *found;
enumerator_t *enumerator;
auth_cfg_t *auth;
@@ -323,8 +323,13 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
KEY_ANY, cert->get_subject(cert), this->server_auth);
while (enumerator->enumerate(enumerator, &current, &auth))
{
- public = current->get_ref(current);
- break;
+ found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (found && cert->equals(cert, found))
+ {
+ public = current->get_ref(current);
+ this->server_auth->merge(this->server_auth, auth, FALSE);
+ break;
+ }
}
enumerator->destroy(enumerator);
}
@@ -379,7 +384,12 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this,
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
return NEED_MORE;
}
- this->dh->set_other_public_value(this->dh, pub);
+ if (!this->dh->set_other_public_value(this->dh, pub))
+ {
+ DBG1(DBG_TLS, "applying DH public value failed");
+ this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+ return NEED_MORE;
+ }
this->state = STATE_KEY_EXCHANGE_RECEIVED;
return NEED_MORE;
@@ -489,7 +499,12 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this,
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
return NEED_MORE;
}
- this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1));
+ if (!this->dh->set_other_public_value(this->dh, chunk_skip(pub, 1)))
+ {
+ DBG1(DBG_TLS, "applying DH public value failed");
+ this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+ return NEED_MORE;
+ }
this->state = STATE_KEY_EXCHANGE_RECEIVED;
return NEED_MORE;
@@ -968,7 +983,7 @@ static status_t send_key_exchange_dhe(private_tls_peer_t *this,
{
chunk_t premaster, pub;
- if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+ if (!this->dh->get_shared_secret(this->dh, &premaster))
{
DBG1(DBG_TLS, "calculating premaster from DH failed");
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
@@ -985,7 +1000,11 @@ static status_t send_key_exchange_dhe(private_tls_peer_t *this,
}
chunk_clear(&premaster);
- this->dh->get_my_public_value(this->dh, &pub);
+ if (!this->dh->get_my_public_value(this->dh, &pub))
+ {
+ this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+ return NEED_MORE;
+ }
if (this->dh->get_dh_group(this->dh) == MODP_CUSTOM)
{
writer->write_data16(writer, pub);
@@ -1153,6 +1172,12 @@ METHOD(tls_handshake_t, get_server_id, identification_t*,
return this->server;
}
+METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
+ private_tls_peer_t *this)
+{
+ return this->server_auth;
+}
+
METHOD(tls_handshake_t, destroy, void,
private_tls_peer_t *this)
{
@@ -1186,6 +1211,7 @@ tls_peer_t *tls_peer_create(tls_t *tls, tls_crypto_t *crypto, tls_alert_t *alert
.finished = _finished,
.get_peer_id = _get_peer_id,
.get_server_id = _get_server_id,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
},
diff --git a/src/libtls/tls_protection.c b/src/libtls/tls_protection.c
index b016db21f..e73fedc5d 100644
--- a/src/libtls/tls_protection.c
+++ b/src/libtls/tls_protection.c
@@ -101,14 +101,13 @@ METHOD(tls_protection_t, build, status_t,
status_t status;
status = this->compression->build(this->compression, type, data);
- if (*type == TLS_CHANGE_CIPHER_SPEC)
- {
- this->seq_out = 0;
- return status;
- }
-
if (status == NEED_MORE)
{
+ if (*type == TLS_CHANGE_CIPHER_SPEC)
+ {
+ this->seq_out = 0;
+ return status;
+ }
if (this->aead_out)
{
if (!this->aead_out->encrypt(this->aead_out, this->version,
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index aeb5a714f..b1a214f7f 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -494,8 +494,13 @@ static status_t process_key_exchange_dhe(private_tls_server_t *this,
}
pub = chunk_skip(pub, 1);
}
- this->dh->set_other_public_value(this->dh, pub);
- if (this->dh->get_shared_secret(this->dh, &premaster) != SUCCESS)
+ if (!this->dh->set_other_public_value(this->dh, pub))
+ {
+ DBG1(DBG_TLS, "applying DH public value failed");
+ this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+ return NEED_MORE;
+ }
+ if (!this->dh->get_shared_secret(this->dh, &premaster))
{
DBG1(DBG_TLS, "calculating premaster from DH failed");
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
@@ -551,6 +556,7 @@ static status_t process_cert_verify(private_tls_server_t *this,
sig->destroy(sig);
if (verified)
{
+ this->peer_auth->merge(this->peer_auth, auth, FALSE);
break;
}
DBG1(DBG_TLS, "signature verification failed, trying another key");
@@ -914,7 +920,11 @@ static status_t send_server_key_exchange(private_tls_server_t *this,
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
return NEED_MORE;
}
- this->dh->get_my_public_value(this->dh, &chunk);
+ if (!this->dh->get_my_public_value(this->dh, &chunk))
+ {
+ this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
+ return NEED_MORE;
+ }
if (params)
{
writer->write_data16(writer, chunk);
@@ -1073,6 +1083,12 @@ METHOD(tls_handshake_t, get_server_id, identification_t*,
return this->server;
}
+METHOD(tls_handshake_t, get_auth, auth_cfg_t*,
+ private_tls_server_t *this)
+{
+ return this->peer_auth;
+}
+
METHOD(tls_handshake_t, destroy, void,
private_tls_server_t *this)
{
@@ -1107,6 +1123,7 @@ tls_server_t *tls_server_create(tls_t *tls,
.finished = _finished,
.get_peer_id = _get_peer_id,
.get_server_id = _get_server_id,
+ .get_auth = _get_auth,
.destroy = _destroy,
},
},
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 648771e75..2ccd97571 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -291,25 +291,24 @@ METHOD(tls_socket_t, splice, bool,
private_tls_socket_t *this, int rfd, int wfd)
{
char buf[PLAIN_BUF_SIZE], *pos;
- fd_set set;
ssize_t in, out;
bool old, plain_eof = FALSE, crypto_eof = FALSE;
+ struct pollfd pfd[] = {
+ { .fd = this->fd, .events = POLLIN, },
+ { .fd = rfd, .events = POLLIN, },
+ };
while (!plain_eof && !crypto_eof)
{
- FD_ZERO(&set);
- FD_SET(rfd, &set);
- FD_SET(this->fd, &set);
-
old = thread_cancelability(TRUE);
- in = select(max(rfd, this->fd) + 1, &set, NULL, NULL, NULL);
+ in = poll(pfd, countof(pfd), -1);
thread_cancelability(old);
if (in == -1)
{
DBG1(DBG_TLS, "TLS select error: %s", strerror(errno));
return FALSE;
}
- while (!plain_eof && FD_ISSET(this->fd, &set))
+ while (!plain_eof && pfd[0].revents & (POLLIN | POLLHUP | POLLNVAL))
{
in = read_(this, buf, sizeof(buf), FALSE);
switch (in)
@@ -342,7 +341,7 @@ METHOD(tls_socket_t, splice, bool,
}
break;
}
- if (!crypto_eof && FD_ISSET(rfd, &set))
+ if (!crypto_eof && pfd[1].revents & (POLLIN | POLLHUP | POLLNVAL))
{
in = read(rfd, buf, sizeof(buf));
switch (in)
diff --git a/src/libtnccs/Android.mk b/src/libtnccs/Android.mk
index 68f85c252..e37973202 100644
--- a/src/libtnccs/Android.mk
+++ b/src/libtnccs/Android.mk
@@ -22,7 +22,7 @@ endif
LOCAL_SRC_FILES += $(call add_plugin, tnc-tnccs)
LOCAL_SRC_FILES += $(call add_plugin, tnccs-20)
-LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages messages/ietf messages/tcg state_machine)
+LOCAL_SRC_FILES += $(call add_plugin_subdirs, tnccs-20, batch messages messages/ietf messages/ita messages/tcg state_machine)
ifneq ($(call plugin_enabled, tnccs-20),)
LOCAL_C_INCLUDES += $(LOCAL_PATH)/plugins/tnccs_20/
endif
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index b0bfdf20d..dc8c1b8cc 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -283,6 +283,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -343,10 +344,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -420,6 +423,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index 2b76aabe6..3641bdf5b 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c
index 859dded79..ce5b48133 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.c
@@ -44,6 +44,7 @@ METHOD(plugin_t, get_features, int,
PLUGIN_CALLBACK(tnc_manager_register, tnc_imc_manager_create),
PLUGIN_PROVIDE(CUSTOM, "imc-manager"),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+ PLUGIN_SDEPEND(CUSTOM, "imv-manager"),
PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
};
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h
index 8c5521cb2..8cbc70367 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc_plugin.h
@@ -15,7 +15,7 @@
/**
* @defgroup tnc_imc tnc_imc
- * @ingroup cplugins
+ * @ingroup tplugins
*
* @defgroup tnc_imc_plugin tnc_imc_plugin
* @{ @ingroup tnc_imc
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 06e7b0480..c4b1bee23 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -232,6 +232,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
index afeee2ea2..5786bbaab 100644
--- a/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
@@ -15,7 +15,7 @@
/**
* @defgroup tnc_imv tnc_imv
- * @ingroup cplugins
+ * @ingroup tplugins
*
* @defgroup tnc_imv_plugin tnc_imv_plugin
* @{ @ingroup tnc_imv
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 8910fe761..5b01e317a 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
index b8683f78c..30e505246 100644
--- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void,
METHOD(tnccs_manager_t, create_instance, tnccs_t*,
private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
- identification_t *server, identification_t *peer, tnc_ift_type_t transport,
- tnccs_cb_t cb)
+ identification_t *server_id, identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport, tnccs_cb_t cb)
{
enumerator_t *enumerator;
tnccs_entry_t *entry;
@@ -182,7 +182,8 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
{
if (type == entry->type)
{
- protocol = entry->constructor(is_server, server, peer, transport, cb);
+ protocol = entry->constructor(is_server, server_id, peer_id,
+ server_ip, peer_ip, transport, cb);
if (protocol)
{
break;
@@ -716,7 +717,8 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
case TNC_ATTRIBUTEID_AR_IDENTITIES:
{
linked_list_t *list;
- identification_t *peer;
+ identification_t *peer_id;
+ host_t *peer_ip;
tnccs_t *tnccs;
tncif_identity_t *tnc_id;
u_int32_t id_type, subject_type;
@@ -726,10 +728,11 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
list = linked_list_create();
tnccs = entry->tnccs;
- peer = tnccs->tls.get_peer_id(&tnccs->tls);
- if (peer)
+
+ peer_id = tnccs->tls.get_peer_id(&tnccs->tls);
+ if (peer_id)
{
- switch (peer->get_type(peer))
+ switch (peer_id->get_type(peer_id))
{
case ID_IPV4_ADDR:
id_type = TNC_ID_IPV4_ADDR;
@@ -756,7 +759,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
subject_type = TNC_SUBJECT_UNKNOWN;
}
if (id_type != TNC_ID_UNKNOWN &&
- asprintf(&id_str, "%Y", peer) >= 0)
+ asprintf(&id_str, "%Y", peer_id) >= 0)
{
id_value = chunk_from_str(id_str);
tnc_id = tncif_identity_create(
@@ -767,6 +770,33 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
list->insert_last(list, tnc_id);
}
}
+
+ peer_ip = tnccs->get_peer_ip(tnccs);
+ if (peer_ip)
+ {
+ switch (peer_ip->get_family(peer_ip))
+ {
+ case AF_INET:
+ id_type = TNC_ID_IPV4_ADDR;
+ break;
+ case AF_INET6:
+ id_type = TNC_ID_IPV6_ADDR;
+ break;
+ default:
+ id_type = TNC_ID_UNKNOWN;
+ }
+
+ if (id_type != TNC_ID_UNKNOWN &&
+ asprintf(&id_str, "%H", peer_ip) >= 0)
+ {
+ id_value = chunk_from_str(id_str);
+ tnc_id = tncif_identity_create(
+ pen_type_create(PEN_TCG, id_type), id_value,
+ pen_type_create(PEN_TCG, TNC_SUBJECT_MACHINE),
+ pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN));
+ list->insert_last(list, tnc_id);
+ }
+ }
result = identity_attribute(buffer_len, buffer, value_len, list);
list->destroy_offset(list, offsetof(tncif_identity_t, destroy));
return result;
diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h
index f935fa462..c99d5e7c8 100644
--- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h
+++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_plugin.h
@@ -15,7 +15,7 @@
/**
* @defgroup tnc_tnccs tnc_tnccs
- * @ingroup cplugins
+ * @ingroup tplugins
*
* @defgroup tnc_tnccs_plugin tnc_tnccs_plugin
* @{ @ingroup tnc_tnccs
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index ea6ac5546..e0c039af9 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -241,6 +241,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -301,10 +302,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -378,6 +381,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
index 28c5e52b7..0918a2bad 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -54,12 +54,22 @@ struct private_tnccs_11_t {
/**
* Server identity
*/
- identification_t *server;
+ identification_t *server_id;
/**
* Client identity
*/
- identification_t *peer;
+ identification_t *peer_id;
+
+ /**
+ * Server IP address
+ */
+ host_t *server_ip;
+
+ /**
+ * Client IP address
+ */
+ host_t *peer_ip;
/**
* Underlying TNC IF-T transport protocol
@@ -527,20 +537,20 @@ METHOD(tls_t, is_server, bool,
METHOD(tls_t, get_server_id, identification_t*,
private_tnccs_11_t *this)
{
- return this->server;
+ return this->server_id;
}
METHOD(tls_t, set_peer_id, void,
private_tnccs_11_t *this, identification_t *id)
{
- DESTROY_IF(this->peer);
- this->peer = id->clone(id);
+ DESTROY_IF(this->peer_id);
+ this->peer_id = id->clone(id);
}
METHOD(tls_t, get_peer_id, identification_t*,
private_tnccs_11_t *this)
{
- return this->peer;
+ return this->peer_id;
}
METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -578,14 +588,28 @@ METHOD(tls_t, destroy, void,
{
tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
this->is_server);
- this->server->destroy(this->server);
- this->peer->destroy(this->peer);
+ this->server_id->destroy(this->server_id);
+ this->peer_id->destroy(this->peer_id);
+ this->server_ip->destroy(this->server_ip);
+ this->peer_ip->destroy(this->peer_ip);
this->mutex->destroy(this->mutex);
DESTROY_IF(this->batch);
free(this);
}
}
+METHOD(tnccs_t, get_server_ip, host_t*,
+ private_tnccs_11_t *this)
+{
+ return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+ private_tnccs_11_t *this)
+{
+ return this->peer_ip;
+}
+
METHOD(tnccs_t, get_transport, tnc_ift_type_t,
private_tnccs_11_t *this)
{
@@ -628,9 +652,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
/**
* See header
*/
-tnccs_t* tnccs_11_create(bool is_server,
- identification_t *server, identification_t *peer,
- tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id,
+ identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport,
+ tnccs_cb_t cb)
{
private_tnccs_11_t *this;
@@ -648,6 +673,8 @@ tnccs_t* tnccs_11_create(bool is_server,
.get_eap_msk = _get_eap_msk,
.destroy = _destroy,
},
+ .get_server_ip = _get_server_ip,
+ .get_peer_ip = _get_peer_ip,
.get_transport = _get_transport,
.set_transport = _set_transport,
.get_auth_type = _get_auth_type,
@@ -656,8 +683,10 @@ tnccs_t* tnccs_11_create(bool is_server,
.get_ref = _get_ref,
},
.is_server = is_server,
- .server = server->clone(server),
- .peer = peer->clone(peer),
+ .server_id = server_id->clone(server_id),
+ .peer_id = peer_id->clone(peer_id),
+ .server_ip = server_ip->clone(server_ip),
+ .peer_ip = peer_ip->clone(peer_ip),
.transport = transport,
.callback = cb,
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.h b/src/libtnccs/plugins/tnccs_11/tnccs_11.h
index e805df8bb..60d5518bc 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.h
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -29,14 +29,17 @@
* Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
*
* @param is_server TRUE to act as TNC Server, FALSE for TNC Client
- * @param server Server identity
- * @param peer Client identity
+ * @param server_id Server identity
+ * @param peer_id Client identity
+ * @param server_ip Server IP address
+ * @param peer_ip Client IP address
* @param transport Underlying IF-T transport protocol
* @param cb Callback function if TNC Server, NULL if TNC Client
* @return TNC_IF_TNCCS 1.1 protocol stack
*/
-tnccs_t* tnccs_11_create(bool is_server,
- identification_t *server, identification_t *peer,
- tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id,
+ identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport,
+ tnccs_cb_t cb);
#endif /** TNCCS_11_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h b/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h
index 619a073ad..73ea5759b 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11_plugin.h
@@ -15,7 +15,7 @@
/**
* @defgroup tnccs_11 tnccs_11
- * @ingroup cplugins
+ * @ingroup tplugins
*
* @defgroup tnccs_11_plugin tnccs_11_plugin
* @{ @ingroup tnccs_11
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.am b/src/libtnccs/plugins/tnccs_20/Makefile.am
index 2aefecd26..7d1cdded1 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.am
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.am
@@ -18,6 +18,8 @@ endif
libstrongswan_tnccs_20_la_SOURCES = \
tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \
+ tnccs_20_handler.h \
+ tnccs_20_server.h tnccs_20_server.c tnccs_20_client.h tnccs_20_client.c \
batch/pb_tnc_batch.h batch/pb_tnc_batch.c \
messages/pb_tnc_msg.h messages/pb_tnc_msg.c \
messages/ietf/pb_experimental_msg.h messages/ietf/pb_experimental_msg.c \
@@ -28,6 +30,8 @@ libstrongswan_tnccs_20_la_SOURCES = \
messages/ietf/pb_language_preference_msg.h messages/ietf/pb_language_preference_msg.c \
messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \
messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \
+ messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \
+ messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \
messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \
state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 90c804710..17d997f76 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -132,8 +132,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
@MONOLITHIC_FALSE@ $(top_builddir)/src/libtnccs/libtnccs.la
am__dirstamp = $(am__leading_dot)dirstamp
am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \
- batch/pb_tnc_batch.lo messages/pb_tnc_msg.lo \
- messages/ietf/pb_experimental_msg.lo \
+ tnccs_20_server.lo tnccs_20_client.lo batch/pb_tnc_batch.lo \
+ messages/pb_tnc_msg.lo messages/ietf/pb_experimental_msg.lo \
messages/ietf/pb_pa_msg.lo \
messages/ietf/pb_assessment_result_msg.lo \
messages/ietf/pb_access_recommendation_msg.lo \
@@ -141,6 +141,8 @@ am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \
messages/ietf/pb_language_preference_msg.lo \
messages/ietf/pb_reason_string_msg.lo \
messages/ietf/pb_remediation_parameters_msg.lo \
+ messages/ita/pb_mutual_capability_msg.lo \
+ messages/ita/pb_noskip_test_msg.lo \
messages/tcg/pb_pdp_referral_msg.lo \
state_machine/pb_tnc_state_machine.lo
libstrongswan_tnccs_20_la_OBJECTS = \
@@ -242,6 +244,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -302,10 +305,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -379,6 +384,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -454,6 +461,8 @@ AM_CFLAGS = \
libstrongswan_tnccs_20_la_SOURCES = \
tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \
+ tnccs_20_handler.h \
+ tnccs_20_server.h tnccs_20_server.c tnccs_20_client.h tnccs_20_client.c \
batch/pb_tnc_batch.h batch/pb_tnc_batch.c \
messages/pb_tnc_msg.h messages/pb_tnc_msg.c \
messages/ietf/pb_experimental_msg.h messages/ietf/pb_experimental_msg.c \
@@ -464,6 +473,8 @@ libstrongswan_tnccs_20_la_SOURCES = \
messages/ietf/pb_language_preference_msg.h messages/ietf/pb_language_preference_msg.c \
messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \
messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \
+ messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \
+ messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \
messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \
state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
@@ -590,6 +601,17 @@ messages/ietf/pb_reason_string_msg.lo: messages/ietf/$(am__dirstamp) \
messages/ietf/pb_remediation_parameters_msg.lo: \
messages/ietf/$(am__dirstamp) \
messages/ietf/$(DEPDIR)/$(am__dirstamp)
+messages/ita/$(am__dirstamp):
+ @$(MKDIR_P) messages/ita
+ @: > messages/ita/$(am__dirstamp)
+messages/ita/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) messages/ita/$(DEPDIR)
+ @: > messages/ita/$(DEPDIR)/$(am__dirstamp)
+messages/ita/pb_mutual_capability_msg.lo: \
+ messages/ita/$(am__dirstamp) \
+ messages/ita/$(DEPDIR)/$(am__dirstamp)
+messages/ita/pb_noskip_test_msg.lo: messages/ita/$(am__dirstamp) \
+ messages/ita/$(DEPDIR)/$(am__dirstamp)
messages/tcg/$(am__dirstamp):
@$(MKDIR_P) messages/tcg
@: > messages/tcg/$(am__dirstamp)
@@ -618,6 +640,8 @@ mostlyclean-compile:
-rm -f messages/*.lo
-rm -f messages/ietf/*.$(OBJEXT)
-rm -f messages/ietf/*.lo
+ -rm -f messages/ita/*.$(OBJEXT)
+ -rm -f messages/ita/*.lo
-rm -f messages/tcg/*.$(OBJEXT)
-rm -f messages/tcg/*.lo
-rm -f state_machine/*.$(OBJEXT)
@@ -627,7 +651,9 @@ distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_client.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_server.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@batch/$(DEPDIR)/pb_tnc_batch.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@messages/$(DEPDIR)/pb_tnc_msg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_access_recommendation_msg.Plo@am__quote@
@@ -638,6 +664,8 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_pa_msg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_reason_string_msg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@messages/ietf/$(DEPDIR)/pb_remediation_parameters_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@messages/ita/$(DEPDIR)/pb_mutual_capability_msg.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@messages/ita/$(DEPDIR)/pb_noskip_test_msg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@messages/tcg/$(DEPDIR)/pb_pdp_referral_msg.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@state_machine/$(DEPDIR)/pb_tnc_state_machine.Plo@am__quote@
@@ -673,6 +701,7 @@ clean-libtool:
-rm -rf batch/.libs batch/_libs
-rm -rf messages/.libs messages/_libs
-rm -rf messages/ietf/.libs messages/ietf/_libs
+ -rm -rf messages/ita/.libs messages/ita/_libs
-rm -rf messages/tcg/.libs messages/tcg/_libs
-rm -rf state_machine/.libs state_machine/_libs
@@ -797,6 +826,8 @@ distclean-generic:
-rm -f messages/$(am__dirstamp)
-rm -f messages/ietf/$(DEPDIR)/$(am__dirstamp)
-rm -f messages/ietf/$(am__dirstamp)
+ -rm -f messages/ita/$(DEPDIR)/$(am__dirstamp)
+ -rm -f messages/ita/$(am__dirstamp)
-rm -f messages/tcg/$(DEPDIR)/$(am__dirstamp)
-rm -f messages/tcg/$(am__dirstamp)
-rm -f state_machine/$(DEPDIR)/$(am__dirstamp)
@@ -811,7 +842,7 @@ clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
clean-pluginLTLIBRARIES mostlyclean-am
distclean: distclean-am
- -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/ita/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
-rm -f Makefile
distclean-am: clean-am distclean-compile distclean-generic \
distclean-tags
@@ -857,7 +888,7 @@ install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
+ -rm -rf ./$(DEPDIR) batch/$(DEPDIR) messages/$(DEPDIR) messages/ietf/$(DEPDIR) messages/ita/$(DEPDIR) messages/tcg/$(DEPDIR) state_machine/$(DEPDIR)
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
index 228c08255..faad02b9b 100644
--- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -85,7 +85,7 @@ struct private_pb_tnc_batch_t {
pb_tnc_batch_t public;
/**
- * TNCC if TRUE, TNCS if FALSE
+ * from TNC server if TRUE, from TNC client if FALSE
*/
bool is_server;
@@ -166,6 +166,9 @@ METHOD(pb_tnc_batch_t, add_msg, bool,
case PEN_TCG:
msg_type_names = pb_tnc_tcg_msg_type_names;
break;
+ case PEN_ITA:
+ msg_type_names = pb_tnc_ita_msg_type_names;
+ break;
}
DBG2(DBG_TNC, "adding %N/%N message", pen_names, msg_type.vendor_id,
msg_type_names, msg_type.type);
@@ -176,6 +179,7 @@ METHOD(pb_tnc_batch_t, add_msg, bool,
METHOD(pb_tnc_batch_t, build, void,
private_pb_tnc_batch_t *this)
{
+ u_int8_t version;
u_int32_t msg_len;
chunk_t msg_value;
enumerator_t *enumerator;
@@ -184,9 +188,14 @@ METHOD(pb_tnc_batch_t, build, void,
pb_tnc_msg_info_t *msg_infos;
bio_writer_t *writer;
+ /* Set wrong PB-TNC version for testing purposes to force a PB-TNC error */
+ version = lib->settings->get_int(lib->settings,
+ "%s.plugins.tnccs-20.tests.pb_tnc_version",
+ PB_TNC_VERSION, lib->ns);
+
/* build PB-TNC batch header */
writer = bio_writer_create(this->batch_len);
- writer->write_uint8 (writer, PB_TNC_VERSION);
+ writer->write_uint8 (writer, version);
writer->write_uint8 (writer, this->is_server ?
PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
writer->write_uint16(writer, this->type);
@@ -211,6 +220,9 @@ METHOD(pb_tnc_batch_t, build, void,
case PEN_TCG:
msg_infos = pb_tnc_tcg_msg_infos;
break;
+ case PEN_ITA:
+ msg_infos = pb_tnc_ita_msg_infos;
+ break;
}
if (msg_infos[msg_type.type].has_noskip_flag)
{
@@ -228,15 +240,15 @@ METHOD(pb_tnc_batch_t, build, void,
writer->destroy(writer);
}
-static status_t process_batch_header(private_pb_tnc_batch_t *this,
- pb_tnc_state_machine_t *state_machine)
+METHOD(pb_tnc_batch_t, process_header, status_t,
+ private_pb_tnc_batch_t *this, bool directionality, bool is_server,
+ bool *from_server)
{
bio_reader_t *reader;
pb_tnc_msg_t *msg;
pb_error_msg_t *err_msg;
u_int8_t version, flags, reserved, type;
u_int32_t batch_len;
- bool directionality;
if (this->encoding.len < PB_TNC_BATCH_HEADER_SIZE)
{
@@ -267,13 +279,14 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
}
/* Directionality */
- directionality = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE;
- if (directionality == this->is_server)
+ *from_server = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE;
+
+ if (directionality & (*from_server == is_server))
{
DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s",
- directionality ? "server" : "client");
+ is_server ? "server" : "client");
msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
- PB_ERROR_INVALID_PARAMETER, 1);
+ PB_ERROR_INVALID_PARAMETER, 1);
goto fatal;
}
@@ -287,17 +300,6 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
goto fatal;
}
- if (!state_machine->receive_batch(state_machine, this->type))
- {
- DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N",
- pb_tnc_batch_type_names, this->type);
- msg = pb_error_msg_create(TRUE, PEN_IETF,
- PB_ERROR_UNEXPECTED_BATCH_TYPE);
- goto fatal;
- }
- DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names,
- this->type);
-
/* Batch Length */
if (this->encoding.len != batch_len)
{
@@ -310,12 +312,6 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this,
this->offset = PB_TNC_BATCH_HEADER_SIZE;
- /* Register an empty CDATA batch with the state machine */
- if (this->type == PB_BATCH_CDATA)
- {
- state_machine->set_empty_cdata(state_machine,
- this->offset == this->encoding.len);
- }
return SUCCESS;
fatal:
@@ -395,11 +391,18 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
msg_type_names = pb_tnc_msg_type_names;
msg_infos = pb_tnc_msg_infos;
}
- else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF)
+ else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF &&
+ msg_type > PB_TCG_MSG_RESERVED)
{
msg_type_names = pb_tnc_tcg_msg_type_names;
msg_infos = pb_tnc_tcg_msg_infos;
}
+ else if (vendor_id == PEN_ITA && msg_type <= PB_ITA_MSG_ROOF &&
+ msg_type > PB_ITA_MSG_NOSKIP_TEST)
+ {
+ msg_type_names = pb_tnc_ita_msg_type_names;
+ msg_infos = pb_tnc_ita_msg_infos;
+ }
else
{
if (msg_len < PB_TNC_MSG_HEADER_SIZE)
@@ -413,7 +416,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
if (noskip_flag)
{
- DBG1(DBG_TNC, "reject PB-TNC message 0x%06x/0x%08x)",
+ DBG1(DBG_TNC, "reject PB-TNC message (0x%06x/0x%08x)",
vendor_id, msg_type);
msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
@@ -421,7 +424,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
}
else
{
- DBG1(DBG_TNC, "ignore PB-TNC message 0x%06x/0x%08x)",
+ DBG1(DBG_TNC, "ignore PB-TNC message (0x%06x/0x%08x)",
vendor_id, msg_type);
this->offset += msg_len;
return SUCCESS;
@@ -502,14 +505,26 @@ fatal:
METHOD(pb_tnc_batch_t, process, status_t,
private_pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine)
{
- status_t status;
+ pb_tnc_msg_t *msg;
+ status_t status = SUCCESS;
- status = process_batch_header(this, state_machine);
- if (status != SUCCESS)
+ if (!state_machine->receive_batch(state_machine, this->type))
{
+ DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N",
+ pb_tnc_batch_type_names, this->type);
+ msg = pb_error_msg_create(TRUE, PEN_IETF,
+ PB_ERROR_UNEXPECTED_BATCH_TYPE);
+ this->errors->insert_last(this->errors, msg);
return FAILED;
}
+ /* Register an empty CDATA batch with the state machine */
+ if (this->type == PB_BATCH_CDATA)
+ {
+ state_machine->set_empty_cdata(state_machine,
+ this->offset == this->encoding.len);
+ }
+
while (this->offset < this->encoding.len)
{
switch (process_tnc_msg(this))
@@ -585,7 +600,7 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
/**
* See header
*/
-pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data)
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(chunk_t data)
{
private_pb_tnc_batch_t *this;
@@ -595,12 +610,12 @@ pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data)
.get_encoding = _get_encoding,
.add_msg = _add_msg,
.build = _build,
+ .process_header = _process_header,
.process = _process,
.create_msg_enumerator = _create_msg_enumerator,
.create_error_enumerator = _create_error_enumerator,
.destroy = _destroy,
},
- .is_server = is_server,
.messages = linked_list_create(),
.errors = linked_list_create(),
.encoding = chunk_clone(data),
diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h
index 106c5578c..6089c7d2e 100644
--- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h
+++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2012 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -84,10 +84,21 @@ struct pb_tnc_batch_t {
void (*build)(pb_tnc_batch_t *this);
/**
+ * Process the PB-TNC Batch header
+ *
+ * @param directionality TRUE if no mutual TNC measurements
+ * @param is_server TRUE if called by TNC server
+ * @param from_server TRUE if sent by TNC server
+ * @return return processing status
+ */
+ status_t (*process_header)(pb_tnc_batch_t *this, bool directionality,
+ bool is_server, bool *from_server);
+
+ /**
* Process the PB-TNC Batch
*
- * @param PB-TNC state machine
- * @return return processing status
+ * @param state_machine PB-TNC state machine
+ * @return return processing status
*/
status_t (*process)(pb_tnc_batch_t *this,
pb_tnc_state_machine_t *state_machine);
@@ -95,14 +106,14 @@ struct pb_tnc_batch_t {
/**
* Enumerates over all PB-TNC Messages
*
- * @return return message enumerator
+ * @return return message enumerator
*/
enumerator_t* (*create_msg_enumerator)(pb_tnc_batch_t *this);
/**
* Enumerates over all parsing errors
*
- * @return return error enumerator
+ * @return return error enumerator
*/
enumerator_t* (*create_error_enumerator)(pb_tnc_batch_t *this);
@@ -115,9 +126,9 @@ struct pb_tnc_batch_t {
/**
* Create an empty PB-TNC Batch of a given type
*
- * @param is_server TRUE if server, FALSE if client
- * @param type PB-TNC batch type
- * @param max_batch_len maximum size the PB-TNC batch
+ * @param is_server TRUE if server, FALSE if client
+ * @param type PB-TNC batch type
+ * @param max_batch_len maximum size the PB-TNC batch
*/
pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
size_t max_batch_len);
@@ -125,9 +136,8 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type,
/**
* Create an unprocessed PB-TNC Batch from data
*
- * @param is_server TRUE if server, FALSE if client
* @param data encoded PB-TNC batch
*/
-pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data);
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(chunk_t data);
#endif /** PB_TNC_BATCH_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c
new file mode 100644
index 000000000..1f35cae6b
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_mutual_capability_msg.h"
+
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <utils/debug.h>
+
+ENUM(pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX,
+ PB_MUTUAL_FULL_DUPLEX,
+ "half duplex",
+ "full duplex"
+);
+
+typedef struct private_pb_mutual_capability_msg_t private_pb_mutual_capability_msg_t;
+
+/**
+ * PB-Mutual-Capability message
+ *
+ * 0 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |H|F| Reserved |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+# define MUTUAL_CAPABILITY_HEADER_SIZE 4
+
+/**
+ * Private data of a pb_mutual_capability_msg_t object.
+ *
+ */
+struct private_pb_mutual_capability_msg_t {
+ /**
+ * Public pb_mutual_capability_msg_t interface.
+ */
+ pb_mutual_capability_msg_t public;
+
+ /**
+ * PB-TNC message type
+ */
+ pen_type_t type;
+
+ /**
+ * PB-TNC mutual protocols
+ */
+ uint32_t protocols;
+
+ /**
+ * Encoded message
+ */
+ chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pen_type_t,
+ private_pb_mutual_capability_msg_t *this)
+{
+ return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+ private_pb_mutual_capability_msg_t *this)
+{
+ return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+ private_pb_mutual_capability_msg_t *this)
+{
+ bio_writer_t *writer;
+
+ if (this->encoding.ptr)
+ {
+ return;
+ }
+ writer = bio_writer_create(MUTUAL_CAPABILITY_HEADER_SIZE);
+ writer->write_uint32(writer, this->protocols);
+
+ this->encoding = writer->get_buf(writer);
+ this->encoding = chunk_clone(this->encoding);
+ writer->destroy(writer);
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+ private_pb_mutual_capability_msg_t *this, u_int32_t *offset)
+{
+ bio_reader_t *reader;
+
+ *offset = 0;
+
+ /* process message */
+ reader = bio_reader_create(this->encoding);
+ reader->read_uint32(reader, &this->protocols);
+ reader->destroy(reader);
+
+ return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+ private_pb_mutual_capability_msg_t *this)
+{
+ free(this->encoding.ptr);
+ free(this);
+}
+
+METHOD(pb_mutual_capability_msg_t, get_protocols, uint32_t,
+ private_pb_mutual_capability_msg_t *this)
+{
+ return this->protocols;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t* pb_mutual_capability_msg_create(uint32_t protocols)
+{
+ private_pb_mutual_capability_msg_t *this;
+
+ INIT(this,
+ .public = {
+ .pb_interface = {
+ .get_type = _get_type,
+ .get_encoding = _get_encoding,
+ .build = _build,
+ .process = _process,
+ .destroy = _destroy,
+ },
+ .get_protocols = _get_protocols,
+ },
+ .type = { PEN_ITA, PB_ITA_MSG_MUTUAL_CAPABILITY },
+ .protocols = protocols,
+ );
+
+ return &this->public.pb_interface;
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_mutual_capability_msg_create_from_data(chunk_t data)
+{
+ private_pb_mutual_capability_msg_t *this;
+
+ INIT(this,
+ .public = {
+ .pb_interface = {
+ .get_type = _get_type,
+ .get_encoding = _get_encoding,
+ .build = _build,
+ .process = _process,
+ .destroy = _destroy,
+ },
+ .get_protocols = _get_protocols,
+ },
+ .type = { PEN_ITA, PB_ITA_MSG_MUTUAL_CAPABILITY },
+ .encoding = chunk_clone(data),
+ );
+
+ return &this->public.pb_interface;
+}
+
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h
new file mode 100644
index 000000000..db810a012
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_mutual_capability_msg.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_mutual_capability_msg pb_mutual_capability_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_MUTUAL_CAPABILITY_MSG_H_
+#define PB_MUTUAL_CAPABILITY_MSG_H_
+
+typedef enum pb_tnc_mutual_protocol_type_t pb_tnc_mutual_protocol_type_t;
+typedef struct pb_mutual_capability_msg_t pb_mutual_capability_msg_t;
+
+#include "messages/pb_tnc_msg.h"
+
+/**
+ * PB-TNC mutual protocol types
+ */
+enum pb_tnc_mutual_protocol_type_t {
+ PB_MUTUAL_HALF_DUPLEX = (1 << 31),
+ PB_MUTUAL_FULL_DUPLEX = (1 << 30)
+};
+
+/**
+ * enum name for pb_mutual_protocol_type_t.
+ */
+extern enum_name_t *pb_tnc_mutual_protocol_type_names;
+
+/**
+ * Class representing the PB-Mutual-Capabilities message type.
+ */
+struct pb_mutual_capability_msg_t {
+
+ /**
+ * PB-TNC Message interface
+ */
+ pb_tnc_msg_t pb_interface;
+
+ /**
+ * Get the PB-TNC mutual protocol types
+ *
+ * @return PB-TNC mutual protocol types
+ */
+ uint32_t(*get_protocols)(pb_mutual_capability_msg_t *this);
+
+};
+
+/**
+ * Create a PB-Mutual-Capability message
+ *
+ * @param protocols Supported PB-TNC mutual protocols
+ */
+pb_tnc_msg_t* pb_mutual_capability_msg_create(uint32_t protocols);
+
+/**
+ * Create an unprocessed PB-Mutual-Capability message from raw data
+ *
+ * @param data PB-Mutual-Capability message data
+ */
+pb_tnc_msg_t* pb_mutual_capability_msg_create_from_data(chunk_t data);
+
+#endif /** PB_MUTUAL_CAPABILITY_MSG_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
new file mode 100644
index 000000000..c95222e3a
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_noskip_test_msg.h"
+
+typedef struct private_pb_noskip_test_msg_t private_pb_noskip_test_msg_t;
+
+/**
+ * Private data of a pb_noskip_test_msg_t object.
+ *
+ */
+struct private_pb_noskip_test_msg_t {
+ /**
+ * Public pb_noskip_test_msg_t interface.
+ */
+ pb_noskip_test_msg_t public;
+
+ /**
+ * PB-TNC message type
+ */
+ pen_type_t type;
+
+ /**
+ * Encoded message
+ */
+ chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pen_type_t,
+ private_pb_noskip_test_msg_t *this)
+{
+ return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+ private_pb_noskip_test_msg_t *this)
+{
+ return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+ private_pb_noskip_test_msg_t *this)
+{
+ /* nothing to do since the message is empty */
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+ private_pb_noskip_test_msg_t *this, u_int32_t *offset)
+{
+ return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+ private_pb_noskip_test_msg_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_noskip_test_msg_create(void)
+{
+ private_pb_noskip_test_msg_t *this;
+
+ INIT(this,
+ .public = {
+ .pb_interface = {
+ .get_type = _get_type,
+ .get_encoding = _get_encoding,
+ .build = _build,
+ .process = _process,
+ .destroy = _destroy,
+ },
+ },
+ .type = { PEN_ITA, PB_ITA_MSG_NOSKIP_TEST },
+ );
+
+ return &this->public.pb_interface;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
new file mode 100644
index 000000000..6325582da
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_noskip_test_msg pb_noskip_test_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_NOSKIP_TEST_MSG_H_
+#define PB_NOSKIP_TEST_MSG_H_
+
+typedef struct pb_noskip_test_msg_t pb_noskip_test_msg_t;
+
+#include "messages/pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Noskip-Test message type.
+ */
+struct pb_noskip_test_msg_t {
+
+ /**
+ * PB-TNC Message interface
+ */
+ pb_tnc_msg_t pb_interface;
+};
+
+/**
+ * Create a PB-Noskip-Test message from parameters
+ */
+pb_tnc_msg_t* pb_noskip_test_msg_create(void);
+
+#endif /** PB_NOSKIP_TEST_MSG_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
index ec43490f4..b46c776e4 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
@@ -22,6 +22,7 @@
#include "ietf/pb_access_recommendation_msg.h"
#include "ietf/pb_remediation_parameters_msg.h"
#include "ietf/pb_reason_string_msg.h"
+#include "ita/pb_mutual_capability_msg.h"
#include "tcg/pb_pdp_referral_msg.h"
#include <library.h>
@@ -37,10 +38,17 @@ ENUM(pb_tnc_msg_type_names, PB_MSG_EXPERIMENTAL, PB_MSG_REASON_STRING,
"PB-Reason-String"
);
-ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL, PB_TCG_MSG_PDP_REFERRAL,
+ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL,
+ PB_TCG_MSG_PDP_REFERRAL,
"PB-PDP-Referral"
);
+ENUM(pb_tnc_ita_msg_type_names, PB_ITA_MSG_NOSKIP_TEST,
+ PB_ITA_MSG_MUTUAL_CAPABILITY,
+ "PB-Noskip-Test",
+ "PB-Mutual-Capability"
+);
+
pb_tnc_msg_info_t pb_tnc_msg_infos[] = {
{ 12, FALSE, FALSE, TRUE_OR_FALSE },
{ 24, FALSE, FALSE, TRUE },
@@ -57,6 +65,11 @@ pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[] = {
{ 20, FALSE, FALSE, FALSE },
};
+pb_tnc_msg_info_t pb_tnc_ita_msg_infos[] = {
+ { 12, TRUE, FALSE, TRUE },
+ { 16, FALSE, FALSE, FALSE },
+};
+
/**
* See header
*/
@@ -91,5 +104,12 @@ pb_tnc_msg_t* pb_tnc_msg_create_from_data(pen_type_t msg_type, chunk_t value)
return pb_pdp_referral_msg_create_from_data(value);
}
}
+ else if (msg_type.vendor_id == PEN_ITA)
+ {
+ if (msg_type.type == PB_ITA_MSG_MUTUAL_CAPABILITY)
+ {
+ return pb_mutual_capability_msg_create_from_data(value);
+ }
+ }
return NULL;
}
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
index 6eeed5156..35b0b7c26 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -54,6 +54,7 @@ extern enum_name_t *pb_tnc_msg_type_names;
* PB-TNC Message Type defined in the TCG namespace
*/
enum pb_tnc_tcg_msg_type_t {
+ PB_TCG_MSG_RESERVED = 0,
PB_TCG_MSG_PDP_REFERRAL = 1,
PB_TCG_MSG_ROOF = 1
};
@@ -64,6 +65,20 @@ enum pb_tnc_tcg_msg_type_t {
extern enum_name_t *pb_tnc_tcg_msg_type_names;
/**
+ * PB-TNC Message Type defined in the ITA namespace
+ */
+enum pb_tnc_ita_msg_type_t {
+ PB_ITA_MSG_NOSKIP_TEST = 0,
+ PB_ITA_MSG_MUTUAL_CAPABILITY = 1,
+ PB_ITA_MSG_ROOF = 1
+};
+
+/**
+ * enum name for pb_tnc_tcg_msg_type_t.
+ */
+extern enum_name_t *pb_tnc_ita_msg_type_names;
+
+/**
* Information entry describing a PB-TNC Message Type
*/
struct pb_tnc_msg_info_t {
@@ -86,6 +101,11 @@ extern pb_tnc_msg_info_t pb_tnc_msg_infos[];
extern pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[];
/**
+ * Information on PB-TNC ITA Message Types
+ */
+extern pb_tnc_msg_info_t pb_tnc_ita_msg_infos[];
+
+/**
* Generic interface for all PB-TNC message types.
*
* To handle all messages in a generic way, this interface
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index dc4da51c6..a1a95733f 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -15,30 +15,17 @@
*/
#include "tnccs_20.h"
+#include "tnccs_20_handler.h"
+#include "tnccs_20_server.h"
+#include "tnccs_20_client.h"
#include "batch/pb_tnc_batch.h"
#include "messages/pb_tnc_msg.h"
#include "messages/ietf/pb_pa_msg.h"
-#include "messages/ietf/pb_error_msg.h"
-#include "messages/ietf/pb_assessment_result_msg.h"
-#include "messages/ietf/pb_access_recommendation_msg.h"
-#include "messages/ietf/pb_remediation_parameters_msg.h"
-#include "messages/ietf/pb_reason_string_msg.h"
-#include "messages/ietf/pb_language_preference_msg.h"
-#include "messages/tcg/pb_pdp_referral_msg.h"
-#include "state_machine/pb_tnc_state_machine.h"
#include <tncif_names.h>
#include <tncif_pa_subtypes.h>
-#include <tnc/tnc.h>
-#include <tnc/tnccs/tnccs_manager.h>
-#include <tnc/imc/imc_manager.h>
-#include <tnc/imv/imv_manager.h>
-
-#include <threading/mutex.h>
#include <utils/debug.h>
-#include <collections/linked_list.h>
-#include <pen/pen.h>
typedef struct private_tnccs_20_t private_tnccs_20_t;
@@ -60,77 +47,72 @@ struct private_tnccs_20_t {
/**
* Server identity
*/
- identification_t *server;
+ identification_t *server_id;
/**
* Client identity
*/
- identification_t *peer;
+ identification_t *peer_id;
/**
- * Underlying TNC IF-T transport protocol
+ * Server IP address
*/
- tnc_ift_type_t transport;
+ host_t *server_ip;
/**
- * Type of TNC client authentication
+ * Client IP address
*/
- u_int32_t auth_type;
+ host_t *peer_ip;
/**
- * PB-TNC State Machine
+ * Underlying TNC IF-T transport protocol
*/
- pb_tnc_state_machine_t *state_machine;
+ tnc_ift_type_t transport;
/**
- * Connection ID assigned to this TNCCS connection
+ * TNC IF-T transport protocol for EAP methods
*/
- TNC_ConnectionID connection_id;
+ bool eap_transport;
/**
- * PB-TNC messages to be sent
+ * Type of TNC client authentication
*/
- linked_list_t *messages;
+ u_int32_t auth_type;
/**
- * Type of PB-TNC batch being constructed
+ * Mutual PB-TNC protocol enabled
*/
- pb_tnc_batch_type_t batch_type;
+ bool mutual;
/**
- * Maximum PB-TNC batch size
+ * Direction the next batch will go to
*/
- size_t max_batch_len;
+ bool to_server;
/**
- * Maximum PA-TNC message size
+ * TNC Server
*/
- size_t max_msg_len;
+ tnccs_20_handler_t *tnc_server;
/**
- * Mutex locking the batch in construction
+ * TNC Client
*/
- mutex_t *mutex;
+ tnccs_20_handler_t *tnc_client;
/**
- * Flag set while processing
+ * Active TNCSS handler
*/
- bool fatal_error;
+ tnccs_20_handler_t *tnccs_handler;
/**
- * Flag set by IMC/IMV RequestHandshakeRetry() function
+ * Maximum PB-TNC batch size
*/
- bool request_handshake_retry;
-
- /**
- * SendMessage() by IMC/IMV only allowed if flag is set
- */
- bool send_msg;
+ size_t max_batch_len;
/**
- * Set of IMV recommendations (TNC Server only)
+ * Maximum PA-TNC message size
*/
- recommendations_t *recs;
+ size_t max_msg_len;
/**
* Callback function to communicate recommendation (TNC Server only)
@@ -138,69 +120,30 @@ struct private_tnccs_20_t {
tnccs_cb_t callback;
/**
- * Data to pass to callback function (TNC Server only)
- */
- void *cb_data;
-
- /**
- * PDP server FQDN
- */
- chunk_t pdp_server;
-
- /**
- * PDP server port
- */
- u_int16_t pdp_port;
-
- /**
* reference count
*/
refcount_t ref;
};
-/**
- * If the batch type changes then delete all accumulated PB-TNC messages
- */
-void change_batch_type(private_tnccs_20_t *this, pb_tnc_batch_type_t batch_type)
-{
- pb_tnc_msg_t *msg;
-
- if (batch_type != this->batch_type)
- {
- if (this->batch_type != PB_BATCH_NONE)
- {
- DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
- pb_tnc_batch_type_names, this->batch_type);
-
- while (this->messages->remove_last(this->messages,
- (void**)&msg) == SUCCESS)
- {
- msg->destroy(msg);
- }
- }
- this->batch_type = batch_type;
- }
-}
-
METHOD(tnccs_t, send_msg, TNC_Result,
private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
- TNC_UInt32 msg_flags,
+ TNC_UInt32 msg_flags,
TNC_BufferReference msg,
TNC_UInt32 msg_len,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype)
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype)
{
pb_tnc_msg_t *pb_tnc_msg;
- pb_tnc_batch_type_t batch_type;
enum_name_t *pa_subtype_names;
bool excl;
- if (!this->send_msg)
+ if (!this->tnccs_handler->get_send_flag(this->tnccs_handler))
{
DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()",
- this->is_server ? "IMV" : "IMC",
- this->is_server ? imv_id : imc_id);
+ this->to_server ? "IMC" : "IMV",
+ this->to_server ? imc_id : imv_id);
+
return TNC_RESULT_ILLEGAL_OPERATION;
}
excl = (msg_flags & TNC_MESSAGE_FLAGS_EXCLUSIVE) != 0;
@@ -220,698 +163,169 @@ METHOD(tnccs_t, send_msg, TNC_Result,
DBG2(DBG_TNC, "creating PB-PA message type '%N' 0x%06x/0x%08x",
pen_names, msg_vid, msg_vid, msg_subtype);
}
+ this->tnccs_handler->add_msg(this->tnccs_handler, pb_tnc_msg);
- /* adding PA message to SDATA or CDATA batch only */
- batch_type = this->is_server ? PB_BATCH_SDATA : PB_BATCH_CDATA;
- this->mutex->lock(this->mutex);
- if (this->batch_type == PB_BATCH_NONE)
- {
- this->batch_type = batch_type;
- }
- if (this->batch_type == batch_type)
- {
- this->messages->insert_last(this->messages, pb_tnc_msg);
- }
- else
- {
- pb_tnc_msg->destroy(pb_tnc_msg);
- }
- this->mutex->unlock(this->mutex);
return TNC_RESULT_SUCCESS;
}
-/**
- * Handle a single PB-TNC IETF standard message according to its type
- */
-static void handle_ietf_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
-{
- pen_type_t msg_type = msg->get_type(msg);
-
- switch (msg_type.type)
- {
- case PB_MSG_EXPERIMENTAL:
- /* nothing to do */
- break;
- case PB_MSG_PA:
- {
- pb_pa_msg_t *pa_msg;
- pen_type_t msg_subtype;
- u_int16_t imc_id, imv_id;
- chunk_t msg_body;
- bool excl;
- enum_name_t *pa_subtype_names;
-
- pa_msg = (pb_pa_msg_t*)msg;
- msg_subtype = pa_msg->get_subtype(pa_msg);
- msg_body = pa_msg->get_body(pa_msg);
- imc_id = pa_msg->get_collector_id(pa_msg);
- imv_id = pa_msg->get_validator_id(pa_msg);
- excl = pa_msg->get_exclusive_flag(pa_msg);
-
- pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id);
- if (pa_subtype_names)
- {
- DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x",
- pen_names, msg_subtype.vendor_id, pa_subtype_names,
- msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type);
- }
- else
- {
- DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x",
- pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id,
- msg_subtype.type);
- }
-
- this->send_msg = TRUE;
- if (this->is_server)
- {
- tnc->imvs->receive_message(tnc->imvs, this->connection_id,
- excl, msg_body.ptr, msg_body.len,
- msg_subtype.vendor_id,
- msg_subtype.type, imc_id, imv_id);
- }
- else
- {
- tnc->imcs->receive_message(tnc->imcs, this->connection_id,
- excl, msg_body.ptr, msg_body.len,
- msg_subtype.vendor_id,
- msg_subtype.type, imv_id, imc_id);
- }
- this->send_msg = FALSE;
- break;
- }
- case PB_MSG_ASSESSMENT_RESULT:
- {
- pb_assessment_result_msg_t *assess_msg;
- u_int32_t result;
-
- assess_msg = (pb_assessment_result_msg_t*)msg;
- result = assess_msg->get_assessment_result(assess_msg);
- DBG1(DBG_TNC, "PB-TNC assessment result is '%N'",
- TNC_IMV_Evaluation_Result_names, result);
- break;
- }
- case PB_MSG_ACCESS_RECOMMENDATION:
- {
- pb_access_recommendation_msg_t *rec_msg;
- pb_access_recommendation_code_t rec;
- TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
-
- rec_msg = (pb_access_recommendation_msg_t*)msg;
- rec = rec_msg->get_access_recommendation(rec_msg);
- DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'",
- pb_access_recommendation_code_names, rec);
- switch (rec)
- {
- case PB_REC_ACCESS_ALLOWED:
- state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
- break;
- case PB_REC_ACCESS_DENIED:
- state = TNC_CONNECTION_STATE_ACCESS_NONE;
- break;
- case PB_REC_QUARANTINED:
- state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
- }
- tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
- state);
- break;
- }
- case PB_MSG_REMEDIATION_PARAMETERS:
- {
- pb_remediation_parameters_msg_t *rem_msg;
- pen_type_t parameters_type;
- chunk_t parameters, string, lang_code;
-
- rem_msg = (pb_remediation_parameters_msg_t*)msg;
- parameters_type = rem_msg->get_parameters_type(rem_msg);
- parameters = rem_msg->get_parameters(rem_msg);
-
- if (parameters_type.vendor_id == PEN_IETF)
- {
- switch (parameters_type.type)
- {
- case PB_REMEDIATION_URI:
- DBG1(DBG_TNC, "remediation uri: %.*s",
- parameters.len, parameters.ptr);
- break;
- case PB_REMEDIATION_STRING:
- string = rem_msg->get_string(rem_msg, &lang_code);
- DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s",
- lang_code.len, lang_code.ptr,
- string.len, string.ptr);
- break;
- default:
- DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
- }
- }
- else
- {
- DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
- }
- break;
- }
- case PB_MSG_ERROR:
- {
- pb_error_msg_t *err_msg;
- bool fatal;
- u_int32_t vendor_id;
- u_int16_t error_code;
-
- err_msg = (pb_error_msg_t*)msg;
- fatal = err_msg->get_fatal_flag(err_msg);
- vendor_id = err_msg->get_vendor_id(err_msg);
- error_code = err_msg->get_error_code(err_msg);
-
- if (fatal)
- {
- this->fatal_error = TRUE;
- }
-
- if (vendor_id == PEN_IETF)
- {
- switch (error_code)
- {
- case PB_ERROR_INVALID_PARAMETER:
- case PB_ERROR_UNSUPPORTED_MANDATORY_MSG:
- DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
- "(offset %u bytes)",
- fatal ? "fatal" : "non-fatal",
- pb_tnc_error_code_names, error_code,
- err_msg->get_offset(err_msg));
- break;
- case PB_ERROR_VERSION_NOT_SUPPORTED:
- DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
- "caused by bad version 0x%02x",
- fatal ? "fatal" : "non-fatal",
- pb_tnc_error_code_names, error_code,
- err_msg->get_bad_version(err_msg));
- break;
- case PB_ERROR_UNEXPECTED_BATCH_TYPE:
- case PB_ERROR_LOCAL_ERROR:
- default:
- DBG1(DBG_TNC, "received %s PB-TNC error '%N'",
- fatal ? "fatal" : "non-fatal",
- pb_tnc_error_code_names, error_code);
- break;
- }
- }
- else
- {
- DBG1(DBG_TNC, "received %s PB-TNC error (%u) "
- "with Vendor ID 0x%06x",
- fatal ? "fatal" : "non-fatal",
- error_code, vendor_id);
- }
- break;
- }
- case PB_MSG_LANGUAGE_PREFERENCE:
- {
- pb_language_preference_msg_t *lang_msg;
- chunk_t lang;
-
- lang_msg = (pb_language_preference_msg_t*)msg;
- lang = lang_msg->get_language_preference(lang_msg);
-
- if (this->recs)
- {
- DBG2(DBG_TNC, "setting language preference to '%.*s'",
- (int)lang.len, lang.ptr);
- this->recs->set_preferred_language(this->recs, lang);
- }
- break;
- }
- case PB_MSG_REASON_STRING:
- {
- pb_reason_string_msg_t *reason_msg;
- chunk_t reason_string, language_code;
-
- reason_msg = (pb_reason_string_msg_t*)msg;
- reason_string = reason_msg->get_reason_string(reason_msg);
- language_code = reason_msg->get_language_code(reason_msg);
- DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]",
- (int)reason_string.len, reason_string.ptr,
- (int)language_code.len, language_code.ptr);
- break;
- }
- default:
- break;
- }
-}
-
-/**
- * Handle a single PB-TNC TCG standard message according to its type
- */
-static void handle_tcg_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
-{
- pen_type_t msg_type = msg->get_type(msg);
-
- switch (msg_type.type)
- {
- case PB_TCG_MSG_PDP_REFERRAL:
- {
- pb_pdp_referral_msg_t *pdp_msg;
- pen_type_t pdp_id_type;
- u_int8_t pdp_protocol;
-
- pdp_msg = (pb_pdp_referral_msg_t*)msg;
- pdp_id_type = pdp_msg->get_identifier_type(pdp_msg);
-
- if (pdp_id_type.vendor_id == PEN_TCG &&
- pdp_id_type.type == PB_PDP_ID_FQDN)
- {
- this->pdp_server = chunk_clone(pdp_msg->get_fqdn(pdp_msg,
- &pdp_protocol, &this->pdp_port));
- if (pdp_protocol != 0)
- {
- DBG1(DBG_TNC, "unsupported PDP transport protocol");
- break;
- }
- DBG1(DBG_TNC, "PDP server '%.*s' is listening on port %u",
- this->pdp_server.len, this->pdp_server.ptr,
- this->pdp_port);
- }
- break;
- }
- default:
- break;
- }
-}
-
-/**
- * Handle a single PB-TNC message according to its type
- */
-static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg)
-{
- pen_type_t msg_type = msg->get_type(msg);
-
- switch (msg_type.vendor_id)
- {
- case PEN_IETF:
- handle_ietf_message(this, msg);
- break;
- case PEN_TCG:
- handle_tcg_message(this, msg);
- break;
- default:
- break;
- }
-}
-
-/**
- * Build a CRETRY or SRETRY batch
- */
-static void build_retry_batch(private_tnccs_20_t *this)
-{
- pb_tnc_batch_type_t batch_retry_type;
-
- batch_retry_type = this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY;
- if (this->batch_type == batch_retry_type)
- {
- /* retry batch has already been selected */
- return;
- }
-
- change_batch_type(this, batch_retry_type);
-
- if (this->is_server)
- {
- this->recs->clear_recommendation(this->recs);
- tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
- TNC_CONNECTION_STATE_HANDSHAKE);
- }
-}
-
METHOD(tls_t, process, status_t,
private_tnccs_20_t *this, void *buf, size_t buflen)
{
- chunk_t data;
pb_tnc_batch_t *batch;
- pb_tnc_msg_t *msg;
- enumerator_t *enumerator;
- identification_t *pdp_server;
- u_int16_t *pdp_port;
+ bool from_server, fatal_header_error = FALSE;
status_t status;
+ chunk_t data;
- if (this->is_server && !this->connection_id)
+ /* On arrival of first batch from TNC client create TNC server */
+ if (this->is_server && !this->tnc_server)
{
- this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
- TNCCS_2_0, (tnccs_t*)this, _send_msg,
- &this->request_handshake_retry,
- this->max_msg_len, &this->recs);
- if (!this->connection_id)
+ this->tnc_server = tnccs_20_server_create(&this->public, _send_msg,
+ this->max_batch_len, this->max_msg_len,
+ this->eap_transport);
+ if (!this->tnc_server)
{
return FAILED;
}
- tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
- TNC_CONNECTION_STATE_CREATE);
- tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
- TNC_CONNECTION_STATE_HANDSHAKE);
-
- /* Send a PB-TNC TCG PDP Referral message if PDP is known */
- pdp_server = (identification_t*)lib->get(lib, "pt-tls-server");
- pdp_port = (u_int16_t*)lib->get(lib, "pt-tls-port");
-
- if ((this->transport == TNC_IFT_EAP_1_1 ||
- this->transport == TNC_IFT_EAP_2_0) && pdp_server && pdp_port)
- {
- msg = pb_pdp_referral_msg_create_from_fqdn(
- pdp_server->get_encoding(pdp_server), *pdp_port);
- this->messages->insert_last(this->messages, msg);
- }
-
+ this->tnccs_handler = this->tnc_server;
+ this->tnccs_handler->begin_handshake(this->tnccs_handler, FALSE);
}
data = chunk_create(buf, buflen);
- DBG1(DBG_TNC, "received TNCCS batch (%u bytes) for Connection ID %u",
- data.len, this->connection_id);
+ DBG1(DBG_TNC, "received TNCCS batch (%u bytes)", data.len);
DBG3(DBG_TNC, "%B", &data);
- batch = pb_tnc_batch_create_from_data(this->is_server, data);
- status = batch->process(batch, this->state_machine);
- if (status != FAILED)
+ /* Parse the header of the received PB-TNC batch */
+ batch = pb_tnc_batch_create_from_data(data);
+ status = batch->process_header(batch, !this->mutual, this->is_server,
+ &from_server);
+ if (status == FAILED)
{
- enumerator_t *enumerator;
- pb_tnc_msg_t *msg;
- pb_tnc_batch_type_t batch_type;
- bool empty = TRUE;
-
- batch_type = batch->get_type(batch);
-
- if (batch_type == PB_BATCH_CRETRY)
- {
- /* Send an SRETRY batch in response */
- this->mutex->lock(this->mutex);
- build_retry_batch(this);
- this->mutex->unlock(this->mutex);
- }
- else if (batch_type == PB_BATCH_SRETRY)
- {
- /* Restart the measurements */
- tnc->imcs->notify_connection_change(tnc->imcs,
- this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
- this->send_msg = TRUE;
- tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
- this->send_msg = FALSE;
- }
-
- enumerator = batch->create_msg_enumerator(batch);
- while (enumerator->enumerate(enumerator, &msg))
- {
- handle_message(this, msg);
- empty = FALSE;
- }
- enumerator->destroy(enumerator);
+ fatal_header_error = TRUE;
+ status = VERIFY_ERROR;
+ }
+ this->to_server = this->mutual ? from_server : !this->is_server;
- /* received an empty CLOSE batch from PB-TNC client */
- if (this->is_server && batch_type == PB_BATCH_CLOSE && empty)
+ /* In the mutual case, first batch from TNC server requires a TNC client */
+ if (this->to_server && !this->tnc_client)
+ {
+ this->tnc_client = tnccs_20_client_create(&this->public, _send_msg,
+ this->max_batch_len, this->max_msg_len);
+ if (!this->tnc_client)
{
batch->destroy(batch);
- if (this->fatal_error)
- {
- DBG1(DBG_TNC, "a fatal PB-TNC error occurred, "
- "terminating connection");
- return FAILED;
- }
- else
- {
- return SUCCESS;
- }
- }
-
- this->send_msg = TRUE;
- if (this->is_server)
- {
- tnc->imvs->batch_ending(tnc->imvs, this->connection_id);
- }
- else
- {
- tnc->imcs->batch_ending(tnc->imcs, this->connection_id);
+ return FAILED;
}
- this->send_msg = FALSE;
+ this->tnccs_handler = this->tnc_client;
+ this->tnccs_handler->begin_handshake(this->tnccs_handler, this->mutual);
}
+ else
+ {
+ /* Set active TNCCS handler for processing */
+ this->tnccs_handler = this->to_server ? this->tnc_client :
+ this->tnc_server;
+ }
+ DBG2(DBG_TNC, "TNC %s is handling inbound connection",
+ this->to_server ? "client" : "server");
- switch (status)
+ if (status == SUCCESS)
{
- case FAILED:
- this->fatal_error = TRUE;
- this->mutex->lock(this->mutex);
- change_batch_type(this, PB_BATCH_CLOSE);
- this->mutex->unlock(this->mutex);
- /* fall through to add error messages to outbound batch */
- case VERIFY_ERROR:
- enumerator = batch->create_error_enumerator(batch);
- while (enumerator->enumerate(enumerator, &msg))
- {
- this->mutex->lock(this->mutex);
- this->messages->insert_last(this->messages, msg->get_ref(msg));
- this->mutex->unlock(this->mutex);
- }
- enumerator->destroy(enumerator);
- break;
- case SUCCESS:
- default:
- break;
+ status = this->tnccs_handler->process(this->tnccs_handler, batch);
+ }
+ if (status == VERIFY_ERROR)
+ {
+ this->tnccs_handler->handle_errors(this->tnccs_handler, batch,
+ fatal_header_error);
+ status = NEED_MORE;
}
batch->destroy(batch);
- return NEED_MORE;
-}
+ /* Has a mutual connection been established? */
+ this->mutual = this->is_server ?
+ this->tnc_server->get_mutual(this->tnc_server) :
+ this->tnc_client->get_mutual(this->tnc_client);
-/**
- * Build a RESULT batch if a final recommendation is available
- */
-static void check_and_build_recommendation(private_tnccs_20_t *this)
-{
- TNC_IMV_Action_Recommendation rec;
- TNC_IMV_Evaluation_Result eval;
- TNC_ConnectionState state;
- TNC_IMVID id;
- chunk_t reason, language;
- enumerator_t *enumerator;
- pb_tnc_msg_t *msg;
- pb_access_recommendation_code_t pb_rec;
-
- if (!this->recs->have_recommendation(this->recs, &rec, &eval))
- {
- tnc->imvs->solicit_recommendation(tnc->imvs, this->connection_id);
- }
- if (this->recs->have_recommendation(this->recs, &rec, &eval))
+ if (this->mutual && !this->is_server)
{
- this->batch_type = PB_BATCH_RESULT;
+ pb_tnc_state_t client_state, server_state;
- msg = pb_assessment_result_msg_create(eval);
- this->messages->insert_last(this->messages, msg);
+ client_state = !this->tnc_client ? PB_STATE_INIT :
+ this->tnc_client->get_state(this->tnc_client);
+ server_state = !this->tnc_server ? PB_STATE_INIT :
+ this->tnc_server->get_state(this->tnc_server);
- /**
- * Map IMV Action Recommendation codes to PB Access Recommendation codes
- * and communicate Access Recommendation to IMVs
- */
- switch (rec)
+ /* In half-duplex mutual mode toggle the direction on the client side */
+ if ((!this->to_server && client_state != PB_STATE_DECIDED) ||
+ ( this->to_server && server_state != PB_STATE_END))
{
- case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
- state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
- pb_rec = PB_REC_ACCESS_ALLOWED;
- break;
- case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
- state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
- pb_rec = PB_REC_QUARANTINED;
- break;
- case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
- case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
- default:
- state = TNC_CONNECTION_STATE_ACCESS_NONE;
- pb_rec = PB_REC_ACCESS_DENIED;
+ this->to_server = !this->to_server;
+ }
+ else if (client_state == PB_STATE_DECIDED &&
+ server_state == PB_STATE_END)
+ {
+ /* Cause the final CLOSE batch to be sent to the TNC server */
+ this->to_server = TRUE;
}
- tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
- state);
-
- msg = pb_access_recommendation_msg_create(pb_rec);
- this->messages->insert_last(this->messages, msg);
- enumerator = this->recs->create_reason_enumerator(this->recs);
- while (enumerator->enumerate(enumerator, &id, &reason, &language))
+ /* Suppress a successful CLOSE batch coming from the TNC server */
+ if (status == SUCCESS)
{
- msg = pb_reason_string_msg_create(reason, language);
- this->messages->insert_last(this->messages, msg);
+ status = NEED_MORE;
}
- enumerator->destroy(enumerator);
}
+
+ return status;
}
METHOD(tls_t, build, status_t,
private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen)
{
- status_t status;
- pb_tnc_state_t state;
-
- /* Initialize the connection */
- if (!this->is_server && !this->connection_id)
- {
- pb_tnc_msg_t *msg;
- char *pref_lang;
-
- this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
- TNCCS_2_0, (tnccs_t*)this, _send_msg,
- &this->request_handshake_retry,
- this->max_msg_len, NULL);
- if (!this->connection_id)
- {
- return FAILED;
- }
-
- /* Create PB-TNC Language Preference message */
- pref_lang = tnc->imcs->get_preferred_language(tnc->imcs);
- msg = pb_language_preference_msg_create(chunk_create(pref_lang,
- strlen(pref_lang)));
- this->mutex->lock(this->mutex);
- this->batch_type = PB_BATCH_CDATA;
- this->messages->insert_last(this->messages, msg);
- this->mutex->unlock(this->mutex);
-
- tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
- TNC_CONNECTION_STATE_CREATE);
- tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
- TNC_CONNECTION_STATE_HANDSHAKE);
- this->send_msg = TRUE;
- tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
- this->send_msg = FALSE;
- }
-
- state = this->state_machine->get_state(this->state_machine);
-
- if (this->fatal_error && state == PB_STATE_END)
- {
- DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
- return FAILED;
- }
-
- /* Do not allow any asynchronous IMCs or IMVs to add additional messages */
- this->mutex->lock(this->mutex);
-
- if (this->request_handshake_retry)
- {
- if (state != PB_STATE_INIT)
- {
- build_retry_batch(this);
- }
-
- /* Reset the flag for the next handshake retry request */
- this->request_handshake_retry = FALSE;
- }
-
- if (this->is_server && state == PB_STATE_SERVER_WORKING &&
- this->recs->have_recommendation(this->recs, NULL, NULL))
+ if (this->to_server)
{
- check_and_build_recommendation(this);
- }
+ DBG2(DBG_TNC, "TNC client is handling outbound connection");
- if (this->batch_type == PB_BATCH_NONE)
- {
- if (this->is_server)
+ /* Before sending the first PB-TNC batch create TNC client */
+ if (this->tnc_client)
{
- if (state == PB_STATE_SERVER_WORKING)
- {
- if (this->state_machine->get_empty_cdata(this->state_machine))
- {
- check_and_build_recommendation(this);
- }
- else
- {
- DBG2(DBG_TNC, "no recommendation available yet, "
- "sending empty PB-TNC SDATA batch");
- this->batch_type = PB_BATCH_SDATA;
- }
- }
+ this->tnccs_handler = this->tnc_client;
}
else
{
- switch (state)
+ this->tnc_client = tnccs_20_client_create(&this->public, _send_msg,
+ this->max_batch_len,
+ this->max_msg_len);
+ if (!this->tnc_client)
{
- case PB_STATE_CLIENT_WORKING:
- DBG2(DBG_TNC, "no client data to send, "
- "sending empty PB-TNC CDATA batch");
- this->batch_type = PB_BATCH_CDATA;
- break;
- case PB_STATE_DECIDED:
- /**
- * In the DECIDED state and if no CRETRY is under way,
- * a PB-TNC client replies with an empty CLOSE batch.
- */
- this->batch_type = PB_BATCH_CLOSE;
- break;
- default:
- break;
+ return FAILED;
}
+ this->tnccs_handler = this->tnc_client;
+ this->tnccs_handler->begin_handshake(this->tnccs_handler,
+ this->mutual);
}
}
-
- if (this->batch_type != PB_BATCH_NONE)
+ else
{
- pb_tnc_batch_t *batch;
- pb_tnc_msg_t *msg;
- chunk_t data;
- int msg_count;
- enumerator_t *enumerator;
+ DBG2(DBG_TNC, "TNC server is handling outbound connection");
- if (this->state_machine->send_batch(this->state_machine, this->batch_type))
+ /* Before sending the first PB-TNC batch create TNC server */
+ if (this->tnc_server)
{
- batch = pb_tnc_batch_create(this->is_server, this->batch_type,
- min(this->max_batch_len, *buflen));
-
- enumerator = this->messages->create_enumerator(this->messages);
- while (enumerator->enumerate(enumerator, &msg))
- {
- if (batch->add_msg(batch, msg))
- {
- this->messages->remove_at(this->messages, enumerator);
- }
- else
- {
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- batch->build(batch);
- data = batch->get_encoding(batch);
- DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
- pb_tnc_batch_type_names, this->batch_type, data.len,
- this->connection_id);
- DBG3(DBG_TNC, "%B", &data);
-
- *buflen = data.len;
- *msglen = 0;
- memcpy(buf, data.ptr, *buflen);
- batch->destroy(batch);
-
- msg_count = this->messages->get_count(this->messages);
- if (msg_count)
- {
- DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch",
- msg_count, (msg_count == 1) ? "" : "s",
- pb_tnc_batch_type_names, this->batch_type);
- }
- else
- {
- this->batch_type = PB_BATCH_NONE;
- }
-
- status = ALREADY_DONE;
+ this->tnccs_handler = this->tnc_server;
}
else
{
- change_batch_type(this, PB_BATCH_NONE);
- status = INVALID_STATE;
+ this->tnc_server = tnccs_20_server_create(&this->public, _send_msg,
+ this->max_batch_len, this->max_msg_len,
+ this->eap_transport);
+ if (!this->tnc_server)
+ {
+ return FAILED;
+ }
+ this->tnccs_handler = this->tnc_server;
+ this->tnccs_handler->begin_handshake(this->tnccs_handler,
+ this->mutual);
}
}
- else
- {
- DBG1(DBG_TNC, "no PB-TNC batch to send");
- status = INVALID_STATE;
- }
- this->mutex->unlock(this->mutex);
-
- return status;
+ return this->tnccs_handler->build(this->tnccs_handler, buf, buflen, msglen);
}
METHOD(tls_t, is_server, bool,
@@ -923,20 +337,20 @@ METHOD(tls_t, is_server, bool,
METHOD(tls_t, get_server_id, identification_t*,
private_tnccs_20_t *this)
{
- return this->server;
+ return this->server_id;
}
METHOD(tls_t, set_peer_id, void,
private_tnccs_20_t *this, identification_t *id)
{
- DESTROY_IF(this->peer);
- this->peer = id->clone(id);
+ DESTROY_IF(this->peer_id);
+ this->peer_id = id->clone(id);
}
METHOD(tls_t, get_peer_id, identification_t*,
private_tnccs_20_t *this)
{
- return this->peer;
+ return this->peer_id;
}
METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -951,14 +365,17 @@ METHOD(tls_t, is_complete, bool,
TNC_IMV_Action_Recommendation rec;
TNC_IMV_Evaluation_Result eval;
- if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
+ if (this->tnc_server)
{
- return this->callback ? this->callback(rec, eval) : TRUE;
- }
- else
- {
- return FALSE;
+ tnccs_20_server_t *tnc_server;
+
+ tnc_server = (tnccs_20_server_t*)this->tnc_server;
+ if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
+ {
+ return this->callback ? this->callback(rec, eval) : TRUE;
+ }
}
+ return FALSE;
}
METHOD(tls_t, get_eap_msk, chunk_t,
@@ -972,19 +389,28 @@ METHOD(tls_t, destroy, void,
{
if (ref_put(&this->ref))
{
- tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
- this->is_server);
- this->server->destroy(this->server);
- this->peer->destroy(this->peer);
- this->state_machine->destroy(this->state_machine);
- this->mutex->destroy(this->mutex);
- this->messages->destroy_offset(this->messages,
- offsetof(pb_tnc_msg_t, destroy));
- free(this->pdp_server.ptr);
+ DESTROY_IF(this->tnc_server);
+ DESTROY_IF(this->tnc_client);
+ this->server_id->destroy(this->server_id);
+ this->peer_id->destroy(this->peer_id);
+ this->server_ip->destroy(this->server_ip);
+ this->peer_ip->destroy(this->peer_ip);
free(this);
}
}
+METHOD(tnccs_t, get_server_ip, host_t*,
+ private_tnccs_20_t *this)
+{
+ return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+ private_tnccs_20_t *this)
+{
+ return this->peer_ip;
+}
+
METHOD(tnccs_t, get_transport, tnc_ift_type_t,
private_tnccs_20_t *this)
{
@@ -1012,9 +438,19 @@ METHOD(tnccs_t, set_auth_type, void,
METHOD(tnccs_t, get_pdp_server, chunk_t,
private_tnccs_20_t *this, u_int16_t *port)
{
- *port = this->pdp_port;
+ if (this->tnc_client)
+ {
+ tnccs_20_client_t *tnc_client;
+
+ tnc_client = (tnccs_20_client_t*)this->tnc_client;
- return this->pdp_server;
+ return tnc_client->get_pdp_server(tnc_client, port);
+ }
+ else
+ {
+ *port = 0;
+ return chunk_empty;
+ }
}
METHOD(tnccs_t, get_ref, tnccs_t*,
@@ -1027,9 +463,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
/**
* See header
*/
-tnccs_t* tnccs_20_create(bool is_server,
- identification_t *server, identification_t *peer,
- tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id,
+ identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport,
+ tnccs_cb_t cb)
{
private_tnccs_20_t *this;
size_t max_batch_size, default_max_batch_size;
@@ -1079,6 +516,8 @@ tnccs_t* tnccs_20_create(bool is_server,
.get_eap_msk = _get_eap_msk,
.destroy = _destroy,
},
+ .get_server_ip = _get_server_ip,
+ .get_peer_ip = _get_peer_ip,
.get_transport = _get_transport,
.set_transport = _set_transport,
.get_auth_type = _get_auth_type,
@@ -1087,13 +526,15 @@ tnccs_t* tnccs_20_create(bool is_server,
.get_ref = _get_ref,
},
.is_server = is_server,
- .server = server->clone(server),
- .peer = peer->clone(peer),
+ .to_server = !is_server,
+ .server_id = server_id->clone(server_id),
+ .peer_id = peer_id->clone(peer_id),
+ .server_ip = server_ip->clone(server_ip),
+ .peer_ip = peer_ip->clone(peer_ip),
.transport = transport,
+ .eap_transport = transport == TNC_IFT_EAP_1_1 ||
+ transport == TNC_IFT_EAP_2_0,
.callback = cb,
- .state_machine = pb_tnc_state_machine_create(is_server),
- .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .messages = linked_list_create(),
.max_batch_len = max_batch_size,
.max_msg_len = max_message_size,
.ref = 1,
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.h b/src/libtnccs/plugins/tnccs_20/tnccs_20.h
index 2857b1408..010cbecdc 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.h
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -29,14 +29,17 @@
* Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
*
* @param is_server TRUE to act as TNC Server, FALSE for TNC Client
- * @param server Server identity
- * @param peer Client identity
+ * @param server_id Server identity
+ * @param peer_id Client identity
+ * @param server_ip Server IP address
+ * @param peer_ip Client IP address
* @param transport Underlying IF-T transport protocol
* @param cb Callback function if TNC Server, NULL if TNC Client
* @return TNC_IF_TNCCS 2.0 protocol stack
*/
-tnccs_t* tnccs_20_create(bool is_server,
- identification_t *server, identification_t *peer,
- tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id,
+ identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport,
+ tnccs_cb_t cb);
#endif /** TNCCS_20_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
new file mode 100644
index 000000000..4ba8221d0
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
@@ -0,0 +1,820 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20_client.h"
+#include "messages/pb_tnc_msg.h"
+#include "messages/ietf/pb_pa_msg.h"
+#include "messages/ietf/pb_error_msg.h"
+#include "messages/ietf/pb_assessment_result_msg.h"
+#include "messages/ietf/pb_access_recommendation_msg.h"
+#include "messages/ietf/pb_remediation_parameters_msg.h"
+#include "messages/ietf/pb_reason_string_msg.h"
+#include "messages/ietf/pb_language_preference_msg.h"
+#include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
+#include "messages/tcg/pb_pdp_referral_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <tnc/tnc.h>
+#include <tnc/tnccs/tnccs_manager.h>
+#include <tnc/imc/imc_manager.h>
+
+#include <threading/mutex.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+
+typedef struct private_tnccs_20_client_t private_tnccs_20_client_t;
+
+/**
+ * Private data of a tnccs_20_client_t object.
+ */
+struct private_tnccs_20_client_t {
+
+ /**
+ * Public tnccs_20_client_t interface.
+ */
+ tnccs_20_client_t public;
+
+ /**
+ * PB-TNC State Machine
+ */
+ pb_tnc_state_machine_t *state_machine;
+
+ /**
+ * Connection ID assigned to this TNCCS connection
+ */
+ TNC_ConnectionID connection_id;
+
+ /**
+ * PB-TNC messages to be sent
+ */
+ linked_list_t *messages;
+
+ /**
+ * Type of PB-TNC batch being constructed
+ */
+ pb_tnc_batch_type_t batch_type;
+
+ /**
+ * Maximum PB-TNC batch size
+ */
+ size_t max_batch_len;
+
+ /**
+ * Mutex locking the batch in construction
+ */
+ mutex_t *mutex;
+
+ /**
+ * Flag set while processing
+ */
+ bool fatal_error;
+
+ /**
+ * Flag set by IMC RequestHandshakeRetry() function
+ */
+ bool request_handshake_retry;
+
+ /**
+ * SendMessage() by IMC only allowed if flag is set
+ */
+ bool send_msg;
+
+ /**
+ * PDP server FQDN
+ */
+ chunk_t pdp_server;
+
+ /**
+ * PDP server port
+ */
+ u_int16_t pdp_port;
+
+ /**
+ * Mutual PB-TNC protocol enabled
+ */
+ bool mutual;
+
+ /**
+ * Mutual Capability message sent
+ */
+ bool sent_mutual_capability;
+
+};
+
+/**
+ * The following two functions are shared with the tnccs_20_server class
+ */
+void tnccs_20_handle_ietf_error_msg(pb_tnc_msg_t *msg, bool *fatal_error)
+{
+ pb_error_msg_t *err_msg;
+ u_int32_t vendor_id;
+ u_int16_t error_code;
+ bool fatal;
+
+ err_msg = (pb_error_msg_t*)msg;
+ fatal = err_msg->get_fatal_flag(err_msg);
+ vendor_id = err_msg->get_vendor_id(err_msg);
+ error_code = err_msg->get_error_code(err_msg);
+
+ if (fatal)
+ {
+ *fatal_error = TRUE;
+ }
+
+ if (vendor_id == PEN_IETF)
+ {
+ switch (error_code)
+ {
+ case PB_ERROR_INVALID_PARAMETER:
+ case PB_ERROR_UNSUPPORTED_MANDATORY_MSG:
+ DBG1(DBG_TNC, "received %s PB-TNC error '%N' (offset %u bytes)",
+ fatal ? "fatal" : "non-fatal",
+ pb_tnc_error_code_names, error_code,
+ err_msg->get_offset(err_msg));
+ break;
+ case PB_ERROR_VERSION_NOT_SUPPORTED:
+ DBG1(DBG_TNC, "received %s PB-TNC error '%N' "
+ "caused by bad version 0x%02x",
+ fatal ? "fatal" : "non-fatal",
+ pb_tnc_error_code_names, error_code,
+ err_msg->get_bad_version(err_msg));
+ break;
+ case PB_ERROR_UNEXPECTED_BATCH_TYPE:
+ case PB_ERROR_LOCAL_ERROR:
+ default:
+ DBG1(DBG_TNC, "received %s PB-TNC error '%N'",
+ fatal ? "fatal" : "non-fatal",
+ pb_tnc_error_code_names, error_code);
+ break;
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "received %s PB-TNC error (%u) with Vendor ID 0x%06x",
+ fatal ? "fatal" : "non-fatal", error_code, vendor_id);
+ }
+}
+
+bool tnccs_20_handle_ita_mutual_capability_msg(pb_tnc_msg_t *msg)
+{
+ pb_mutual_capability_msg_t *mutual_msg;
+ uint32_t protocols;
+
+ if (!lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnccs-20.mutual", FALSE, lib->ns))
+ {
+ /* PB-TNC mutual capability disabled, ignore message */
+ return FALSE;
+ }
+
+ mutual_msg = (pb_mutual_capability_msg_t*)msg;
+ protocols = mutual_msg->get_protocols(mutual_msg);
+
+ if (protocols & PB_MUTUAL_HALF_DUPLEX)
+ {
+ DBG1(DBG_TNC, "activating mutual PB-TNC %N protocol",
+ pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX);
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+/**
+ * If the batch type changes then delete all accumulated PB-TNC messages
+ */
+static void change_batch_type(private_tnccs_20_client_t *this,
+ pb_tnc_batch_type_t batch_type)
+{
+ pb_tnc_msg_t *msg;
+
+ if (batch_type != this->batch_type)
+ {
+ if (this->batch_type != PB_BATCH_NONE)
+ {
+ DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+ pb_tnc_batch_type_names, this->batch_type);
+
+ while (this->messages->remove_last(this->messages,
+ (void**)&msg) == SUCCESS)
+ {
+ msg->destroy(msg);
+ }
+ }
+ this->batch_type = batch_type;
+ }
+}
+
+/**
+ * Handle a single PB-TNC IETF standard message according to its type
+ */
+static void handle_ietf_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+ pen_type_t msg_type = msg->get_type(msg);
+
+ switch (msg_type.type)
+ {
+ case PB_MSG_EXPERIMENTAL:
+ /* nothing to do */
+ break;
+ case PB_MSG_PA:
+ {
+ pb_pa_msg_t *pa_msg;
+ pen_type_t msg_subtype;
+ u_int16_t imc_id, imv_id;
+ chunk_t msg_body;
+ bool excl;
+ enum_name_t *pa_subtype_names;
+
+ pa_msg = (pb_pa_msg_t*)msg;
+ msg_subtype = pa_msg->get_subtype(pa_msg);
+ msg_body = pa_msg->get_body(pa_msg);
+ imc_id = pa_msg->get_collector_id(pa_msg);
+ imv_id = pa_msg->get_validator_id(pa_msg);
+ excl = pa_msg->get_exclusive_flag(pa_msg);
+
+ pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id);
+ if (pa_subtype_names)
+ {
+ DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x",
+ pen_names, msg_subtype.vendor_id, pa_subtype_names,
+ msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x",
+ pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id,
+ msg_subtype.type);
+ }
+ this->send_msg = TRUE;
+ tnc->imcs->receive_message(tnc->imcs, this->connection_id,
+ excl, msg_body.ptr, msg_body.len,
+ msg_subtype.vendor_id,
+ msg_subtype.type, imv_id, imc_id);
+ this->send_msg = FALSE;
+ break;
+ }
+ case PB_MSG_ASSESSMENT_RESULT:
+ {
+ pb_assessment_result_msg_t *assess_msg;
+ u_int32_t result;
+
+ assess_msg = (pb_assessment_result_msg_t*)msg;
+ result = assess_msg->get_assessment_result(assess_msg);
+ DBG1(DBG_TNC, "PB-TNC assessment result is '%N'",
+ TNC_IMV_Evaluation_Result_names, result);
+ break;
+ }
+ case PB_MSG_ACCESS_RECOMMENDATION:
+ {
+ pb_access_recommendation_msg_t *rec_msg;
+ pb_access_recommendation_code_t rec;
+ TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
+
+ rec_msg = (pb_access_recommendation_msg_t*)msg;
+ rec = rec_msg->get_access_recommendation(rec_msg);
+ DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'",
+ pb_access_recommendation_code_names, rec);
+ switch (rec)
+ {
+ case PB_REC_ACCESS_ALLOWED:
+ state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
+ break;
+ case PB_REC_ACCESS_DENIED:
+ state = TNC_CONNECTION_STATE_ACCESS_NONE;
+ break;
+ case PB_REC_QUARANTINED:
+ state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
+ }
+ tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
+ state);
+ break;
+ }
+ case PB_MSG_REMEDIATION_PARAMETERS:
+ {
+ pb_remediation_parameters_msg_t *rem_msg;
+ pen_type_t parameters_type;
+ chunk_t parameters, string, lang_code;
+
+ rem_msg = (pb_remediation_parameters_msg_t*)msg;
+ parameters_type = rem_msg->get_parameters_type(rem_msg);
+ parameters = rem_msg->get_parameters(rem_msg);
+
+ if (parameters_type.vendor_id == PEN_IETF)
+ {
+ switch (parameters_type.type)
+ {
+ case PB_REMEDIATION_URI:
+ DBG1(DBG_TNC, "remediation uri: %.*s",
+ parameters.len, parameters.ptr);
+ break;
+ case PB_REMEDIATION_STRING:
+ string = rem_msg->get_string(rem_msg, &lang_code);
+ DBG1(DBG_TNC, "remediation string: [%.*s]\n%.*s",
+ lang_code.len, lang_code.ptr,
+ string.len, string.ptr);
+ break;
+ default:
+ DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "remediation parameters: %B", &parameters);
+ }
+ break;
+ }
+ case PB_MSG_ERROR:
+ tnccs_20_handle_ietf_error_msg(msg, &this->fatal_error);
+ break;
+ case PB_MSG_REASON_STRING:
+ {
+ pb_reason_string_msg_t *reason_msg;
+ chunk_t reason_string, language_code;
+
+ reason_msg = (pb_reason_string_msg_t*)msg;
+ reason_string = reason_msg->get_reason_string(reason_msg);
+ language_code = reason_msg->get_language_code(reason_msg);
+ DBG1(DBG_TNC, "reason string is '%.*s' [%.*s]",
+ (int)reason_string.len, reason_string.ptr,
+ (int)language_code.len, language_code.ptr);
+ break;
+ }
+ default:
+ break;
+ }
+}
+
+/**
+ * Handle a single PB-TNC TCG standard message according to its type
+ */
+static void handle_tcg_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+ pen_type_t msg_type = msg->get_type(msg);
+
+ switch (msg_type.type)
+ {
+ case PB_TCG_MSG_PDP_REFERRAL:
+ {
+ pb_pdp_referral_msg_t *pdp_msg;
+ pen_type_t pdp_id_type;
+ u_int8_t pdp_protocol;
+
+ pdp_msg = (pb_pdp_referral_msg_t*)msg;
+ pdp_id_type = pdp_msg->get_identifier_type(pdp_msg);
+
+ if (pdp_id_type.vendor_id == PEN_TCG &&
+ pdp_id_type.type == PB_PDP_ID_FQDN)
+ {
+ this->pdp_server = chunk_clone(pdp_msg->get_fqdn(pdp_msg,
+ &pdp_protocol, &this->pdp_port));
+ if (pdp_protocol != 0)
+ {
+ DBG1(DBG_TNC, "unsupported PDP transport protocol");
+ break;
+ }
+ DBG1(DBG_TNC, "PDP server '%.*s' is listening on port %u",
+ this->pdp_server.len, this->pdp_server.ptr,
+ this->pdp_port);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+}
+
+/**
+ * Handle a single PB-TNC ITA standard message according to its type
+ */
+static void handle_ita_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+ pen_type_t msg_type = msg->get_type(msg);
+
+ switch (msg_type.type)
+ {
+ case PB_ITA_MSG_MUTUAL_CAPABILITY:
+ this->mutual = tnccs_20_handle_ita_mutual_capability_msg(msg);
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Handle a single PB-TNC message according to its type
+ */
+static void handle_message(private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+ pen_type_t msg_type = msg->get_type(msg);
+
+ switch (msg_type.vendor_id)
+ {
+ case PEN_IETF:
+ handle_ietf_message(this, msg);
+ break;
+ case PEN_TCG:
+ handle_tcg_message(this, msg);
+ break;
+ case PEN_ITA:
+ handle_ita_message(this, msg);
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Build a CRETRY batch
+ */
+static void build_retry_batch(private_tnccs_20_client_t *this)
+{
+ if (this->batch_type == PB_BATCH_CRETRY)
+ {
+ /* retry batch has already been selected */
+ return;
+ }
+ change_batch_type(this, PB_BATCH_CRETRY);
+}
+
+METHOD(tnccs_20_handler_t, process, status_t,
+ private_tnccs_20_client_t *this, pb_tnc_batch_t *batch)
+{
+ pb_tnc_batch_type_t batch_type;
+ status_t status;
+
+ batch_type = batch->get_type(batch);
+
+ DBG1(DBG_TNC, "processing PB-TNC %N batch for Connection ID %d",
+ pb_tnc_batch_type_names, batch_type, this->connection_id);
+
+ status = batch->process(batch, this->state_machine);
+
+ if (status != FAILED)
+ {
+ enumerator_t *enumerator;
+ pb_tnc_msg_t *msg;
+ bool empty = TRUE;
+
+ if (batch_type == PB_BATCH_SRETRY)
+ {
+ /* Restart the measurements */
+ tnc->imcs->notify_connection_change(tnc->imcs,
+ this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE);
+ this->send_msg = TRUE;
+ tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
+ this->send_msg = FALSE;
+ }
+
+ enumerator = batch->create_msg_enumerator(batch);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ handle_message(this, msg);
+ empty = FALSE;
+ }
+ enumerator->destroy(enumerator);
+
+ /* received a CLOSE batch from PB-TNC server */
+ if (batch_type == PB_BATCH_CLOSE)
+ {
+ return empty ? SUCCESS : FAILED;
+ }
+
+ this->send_msg = TRUE;
+ tnc->imcs->batch_ending(tnc->imcs, this->connection_id);
+ this->send_msg = FALSE;
+ }
+
+ switch (status)
+ {
+ case FAILED:
+ this->fatal_error = TRUE;
+ status = VERIFY_ERROR;
+ break;
+ case VERIFY_ERROR:
+ break;
+ case SUCCESS:
+ default:
+ status = NEED_MORE;
+ break;
+ }
+
+ return status;
+}
+
+METHOD(tnccs_20_handler_t, build, status_t,
+ private_tnccs_20_client_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+ status_t status;
+ pb_tnc_state_t state;
+
+ state = this->state_machine->get_state(this->state_machine);
+
+ if (this->fatal_error && state == PB_STATE_END)
+ {
+ DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
+ return FAILED;
+ }
+
+ /* Do not allow any asynchronous IMCs to add additional messages */
+ this->mutex->lock(this->mutex);
+
+ if (this->request_handshake_retry)
+ {
+ if (state != PB_STATE_INIT)
+ {
+ build_retry_batch(this);
+ }
+
+ /* Reset the flag for the next handshake retry request */
+ this->request_handshake_retry = FALSE;
+ }
+
+ if (this->batch_type == PB_BATCH_NONE)
+ {
+ switch (state)
+ {
+ case PB_STATE_CLIENT_WORKING:
+ DBG2(DBG_TNC, "no client data to send, "
+ "sending empty PB-TNC CDATA batch");
+ this->batch_type = PB_BATCH_CDATA;
+ break;
+ case PB_STATE_DECIDED:
+ /**
+ * In the DECIDED state and if no CRETRY is under way,
+ * a PB-TNC client replies with an empty CLOSE batch.
+ */
+ this->batch_type = PB_BATCH_CLOSE;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (this->batch_type != PB_BATCH_NONE)
+ {
+ pb_tnc_batch_t *batch;
+ pb_tnc_msg_t *msg;
+ chunk_t data;
+ int msg_count;
+ enumerator_t *enumerator;
+
+ if (this->state_machine->send_batch(this->state_machine, this->batch_type))
+ {
+ batch = pb_tnc_batch_create(FALSE, this->batch_type,
+ min(this->max_batch_len, *buflen));
+
+ enumerator = this->messages->create_enumerator(this->messages);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ if (batch->add_msg(batch, msg))
+ {
+ this->messages->remove_at(this->messages, enumerator);
+ }
+ else
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ batch->build(batch);
+ data = batch->get_encoding(batch);
+ DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
+ pb_tnc_batch_type_names, this->batch_type, data.len,
+ this->connection_id);
+ DBG3(DBG_TNC, "%B", &data);
+
+ *buflen = data.len;
+ *msglen = 0;
+ memcpy(buf, data.ptr, *buflen);
+ batch->destroy(batch);
+
+ msg_count = this->messages->get_count(this->messages);
+ if (msg_count)
+ {
+ DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch",
+ msg_count, (msg_count == 1) ? "" : "s",
+ pb_tnc_batch_type_names, this->batch_type);
+ }
+ else
+ {
+ this->batch_type = PB_BATCH_NONE;
+ }
+
+ status = ALREADY_DONE;
+ }
+ else
+ {
+ change_batch_type(this, PB_BATCH_NONE);
+ status = INVALID_STATE;
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "no PB-TNC batch to send");
+ status = INVALID_STATE;
+ }
+ this->mutex->unlock(this->mutex);
+
+ return status;
+}
+
+METHOD(tnccs_20_handler_t, begin_handshake, void,
+ private_tnccs_20_client_t *this, bool mutual)
+{
+ pb_tnc_msg_t *msg;
+ char *pref_lang;
+
+ tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
+ TNC_CONNECTION_STATE_HANDSHAKE);
+
+ /* Announce PB-TNC Mutual Capability if activated */
+ this->sent_mutual_capability = mutual;
+
+ if (!mutual && lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnccs-20.mutual", FALSE, lib->ns))
+ {
+ pb_tnc_mutual_protocol_type_t protocols;
+
+ protocols = PB_MUTUAL_HALF_DUPLEX;
+ DBG2(DBG_TNC, "proposing PB-TNC mutual %N protocol",
+ pb_tnc_mutual_protocol_type_names, PB_MUTUAL_HALF_DUPLEX);
+ msg = pb_mutual_capability_msg_create(protocols);
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+ this->sent_mutual_capability = TRUE;
+ }
+
+ /* Create PB-TNC Language Preference message */
+ pref_lang = tnc->imcs->get_preferred_language(tnc->imcs);
+ msg = pb_language_preference_msg_create(chunk_create(pref_lang,
+ strlen(pref_lang)));
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+
+ this->send_msg = TRUE;
+ tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
+ this->send_msg = FALSE;
+
+ /* Send a PB-Noskip-Test message for testing purposes */
+ if (lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+ {
+ msg = pb_noskip_test_msg_create();
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+ }
+}
+
+METHOD(tnccs_20_handler_t, get_send_flag, bool,
+ private_tnccs_20_client_t *this)
+{
+ return this->send_msg;
+}
+
+METHOD(tnccs_20_handler_t, get_mutual, bool,
+ private_tnccs_20_client_t *this)
+{
+ return this->mutual;
+}
+
+METHOD(tnccs_20_handler_t, get_state, pb_tnc_state_t,
+ private_tnccs_20_client_t *this)
+{
+ return this->state_machine->get_state(this->state_machine);
+}
+
+METHOD(tnccs_20_handler_t, add_msg, void,
+ private_tnccs_20_client_t *this, pb_tnc_msg_t *msg)
+{
+ /* adding PA message to CDATA batch only */
+ this->mutex->lock(this->mutex);
+ if (this->batch_type == PB_BATCH_NONE)
+ {
+ this->batch_type = PB_BATCH_CDATA;
+ }
+ if (this->batch_type == PB_BATCH_CDATA)
+ {
+ this->messages->insert_last(this->messages, msg);
+ }
+ else
+ {
+ msg->destroy(msg);
+ }
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(tnccs_20_handler_t, handle_errors, void,
+ private_tnccs_20_client_t *this, pb_tnc_batch_t *batch,
+ bool fatal_header_error)
+{
+ pb_tnc_msg_t *msg;
+ enumerator_t *enumerator;
+
+ if (fatal_header_error || this->fatal_error)
+ {
+ this->mutex->lock(this->mutex);
+ change_batch_type(this, PB_BATCH_CLOSE);
+ this->mutex->unlock(this->mutex);
+ }
+
+ enumerator = batch->create_error_enumerator(batch);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg->get_ref(msg));
+ this->mutex->unlock(this->mutex);
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(tnccs_20_handler_t, destroy, void,
+ private_tnccs_20_client_t *this)
+{
+ if (this->connection_id)
+ {
+ tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, FALSE);
+ }
+ this->state_machine->destroy(this->state_machine);
+ this->mutex->destroy(this->mutex);
+ this->messages->destroy_offset(this->messages,
+ offsetof(pb_tnc_msg_t, destroy));
+ free(this->pdp_server.ptr);
+ free(this);
+}
+
+METHOD(tnccs_20_client_t, get_pdp_server, chunk_t,
+ private_tnccs_20_client_t *this, u_int16_t *port)
+{
+ *port = this->pdp_port;
+
+ return this->pdp_server;
+}
+
+/**
+ * See header
+ */
+tnccs_20_handler_t* tnccs_20_client_create(tnccs_t *tnccs,
+ tnccs_send_message_t send_msg,
+ size_t max_batch_len,
+ size_t max_msg_len)
+{
+ private_tnccs_20_client_t *this;
+
+ INIT(this,
+ .public = {
+ .handler = {
+ .process = _process,
+ .build = _build,
+ .begin_handshake = _begin_handshake,
+ .get_send_flag = _get_send_flag,
+ .get_mutual = _get_mutual,
+ .get_state = _get_state,
+ .add_msg = _add_msg,
+ .handle_errors = _handle_errors,
+ .destroy = _destroy,
+ },
+ .get_pdp_server = _get_pdp_server,
+ },
+ .state_machine = pb_tnc_state_machine_create(FALSE),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .messages = linked_list_create(),
+ .batch_type = PB_BATCH_CDATA,
+ .max_batch_len = max_batch_len,
+ );
+
+ this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
+ TNCCS_2_0, tnccs, send_msg,
+ &this->request_handshake_retry,
+ max_msg_len, NULL);
+ if (!this->connection_id)
+ {
+ destroy(this);
+ return NULL;
+ }
+ tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
+ TNC_CONNECTION_STATE_CREATE);
+
+ return &this->public.handler;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h
new file mode 100644
index 000000000..7a5f33ebc
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_client_h tnccs_20_client
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_CLIENT_H_
+#define TNCCS_20_CLIENT_H_
+
+#include <library.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "tnccs_20_handler.h"
+
+typedef struct tnccs_20_client_t tnccs_20_client_t;
+
+/**
+ * Interface for a TNC client
+ */
+struct tnccs_20_client_t {
+
+ /**
+ * IF-TNCCS 2.0 protocol handler interface
+ */
+ tnccs_20_handler_t handler;
+
+ /**
+ * Get PDP server information if available
+ *
+ * @param port PT-TLS port of the PDP server
+ * @return FQDN of PDP server
+ */
+ chunk_t (*get_pdp_server)(tnccs_20_client_t *this, u_int16_t *port);
+
+};
+
+/**
+ * Create an instance of the TNC IF-TNCCS 2.0 client-side protocol handler.
+ *
+ * @param tnccs TNC IF-TNCCS 2.0 stack
+ * @param send_msg TNF IF-TNCCS 2.0 send message callback function
+ * @param max_batch_len Maximum PB-TNC batch size
+ * @param max_msg_len Maximum PA-TNC message size
+ */
+tnccs_20_handler_t* tnccs_20_client_create(tnccs_t *tnccs,
+ tnccs_send_message_t send_msg,
+ size_t max_batch_len,
+ size_t max_msg_len);
+
+#endif /** TNCCS_20_CLIENT_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h
new file mode 100644
index 000000000..5c4d7a7b4
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_handler.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_handler_h tnccs_20_handler
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_HANDLER_H_
+#define TNCCS_20_HANDLER_H_
+
+#include <library.h>
+
+#include "batch/pb_tnc_batch.h"
+#include "messages/pb_tnc_msg.h"
+
+typedef struct tnccs_20_handler_t tnccs_20_handler_t;
+
+/**
+ * Interface for an IF-TNCCS 2.0 protocol handler
+ */
+struct tnccs_20_handler_t {
+
+ /**
+ * Process content of received PB-TNC batch
+ *
+ * @param batch PB-TNC batch to be processed
+ * @return status
+ */
+ status_t (*process)(tnccs_20_handler_t *this, pb_tnc_batch_t *batch);
+
+ /**
+ * Build PB-TNC batch to be sent
+ *
+ * @param buf buffer to write PB-TNC batch to
+ * @param buflen size of buffer, receives bytes written
+ * @param msglen receives size of all PB-TNCH batch
+ * @return status
+ */
+ status_t (*build)(tnccs_20_handler_t *this, void *buf, size_t *buflen,
+ size_t *msglen);
+
+ /**
+ * Put the IMCs or IMVs into the handshake state
+ *
+ * @param mutual TRUE if PB-TNC mutual mode is already established
+ */
+ void (*begin_handshake)(tnccs_20_handler_t *this, bool mutual);
+
+ /**
+ * Indicates if IMCs or IMVs are allowed to send PA-TNC messages
+ *
+ * @return TRUE if allowed to send
+ */
+ bool (*get_send_flag)(tnccs_20_handler_t *this);
+
+ /**
+ * Indicates if the PB-TNC mutual protocol has been enabled
+ *
+ * @return TRUE if enabled
+ */
+ bool (*get_mutual)(tnccs_20_handler_t *this);
+
+ /**
+ * Get state of the PB-TNC protocol
+ *
+ * @return PB-TNC state
+ */
+ pb_tnc_state_t (*get_state)(tnccs_20_handler_t *this);
+
+ /**
+ * Add a PB-PA message to the handler's message queue
+ *
+ * @param msg PB-PA message to be added
+ */
+ void (*add_msg)(tnccs_20_handler_t *this, pb_tnc_msg_t *msg);
+
+ /**
+ * Handle errors that occurred during PB-TNC batch header processing
+ *
+ * @param batch batch where a fatal error occurred
+ * @param fatal_header_error TRUE if fatal error in batch header
+ */
+ void (*handle_errors)(tnccs_20_handler_t *this, pb_tnc_batch_t *batch,
+ bool fatal_header_error);
+
+ /**
+ * Destroys a tnccs_20_handler_t object.
+ */
+ void (*destroy)(tnccs_20_handler_t *this);
+};
+
+#endif /** TNCCS_20_HANDLER_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h
index 1c4ecf4c9..5073fbe7c 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_plugin.h
@@ -15,7 +15,7 @@
/**
* @defgroup tnccs_20 tnccs_20
- * @ingroup cplugins
+ * @ingroup tplugins
*
* @defgroup tnccs_20_plugin tnccs_20_plugin
* @{ @ingroup tnccs_20
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
new file mode 100644
index 000000000..038fc178b
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
@@ -0,0 +1,693 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_20_server.h"
+#include "messages/pb_tnc_msg.h"
+#include "messages/ietf/pb_pa_msg.h"
+#include "messages/ietf/pb_error_msg.h"
+#include "messages/ietf/pb_assessment_result_msg.h"
+#include "messages/ietf/pb_access_recommendation_msg.h"
+#include "messages/ietf/pb_remediation_parameters_msg.h"
+#include "messages/ietf/pb_reason_string_msg.h"
+#include "messages/ietf/pb_language_preference_msg.h"
+#include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
+#include "messages/tcg/pb_pdp_referral_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
+
+#include <tncif_names.h>
+#include <tncif_pa_subtypes.h>
+
+#include <tnc/tnc.h>
+#include <tnc/tnccs/tnccs_manager.h>
+#include <tnc/imv/imv_manager.h>
+
+#include <threading/mutex.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <pen/pen.h>
+
+typedef struct private_tnccs_20_server_t private_tnccs_20_server_t;
+
+/**
+ * Private data of a tnccs_20_server_t object.
+ */
+struct private_tnccs_20_server_t {
+
+ /**
+ * Public tnccs_20_server_t interface.
+ */
+ tnccs_20_server_t public;
+
+ /**
+ * PB-TNC State Machine
+ */
+ pb_tnc_state_machine_t *state_machine;
+
+ /**
+ * Connection ID assigned to this TNCCS connection
+ */
+ TNC_ConnectionID connection_id;
+
+ /**
+ * PB-TNC messages to be sent
+ */
+ linked_list_t *messages;
+
+ /**
+ * Type of PB-TNC batch being constructed
+ */
+ pb_tnc_batch_type_t batch_type;
+
+ /**
+ * Maximum PB-TNC batch size
+ */
+ size_t max_batch_len;
+
+ /**
+ * Mutex locking the batch in construction
+ */
+ mutex_t *mutex;
+
+ /**
+ * Flag set while processing
+ */
+ bool fatal_error;
+
+ /**
+ * Flag set by IMC/IMV RequestHandshakeRetry() function
+ */
+ bool request_handshake_retry;
+
+ /**
+ * SendMessage() by IMV only allowed if flag is set
+ */
+ bool send_msg;
+
+ /**
+ * Set of IMV recommendations
+ */
+ recommendations_t *recs;
+
+ /**
+ * TNC IF-T transport protocol for EAP methods
+ */
+ bool eap_transport;
+
+ /**
+ * Mutual PB-TNC protocol enabled
+ */
+ bool mutual;
+
+ /**
+ * Mutual Capability message sent
+ */
+ bool sent_mutual_capability;
+
+};
+
+/**
+ * The following two functions are shared with the tnccs_20_server class
+ */
+extern void tnccs_20_handle_ietf_error_msg(pb_tnc_msg_t *msg,
+ bool *fatal_error);
+extern bool tnccs_20_handle_ita_mutual_capability_msg(pb_tnc_msg_t *msg);
+
+/**
+ * If the batch type changes then delete all accumulated PB-TNC messages
+ */
+static void change_batch_type(private_tnccs_20_server_t *this,
+ pb_tnc_batch_type_t batch_type)
+{
+ pb_tnc_msg_t *msg;
+
+ if (batch_type != this->batch_type)
+ {
+ if (this->batch_type != PB_BATCH_NONE)
+ {
+ DBG1(DBG_TNC, "cancelling PB-TNC %N batch",
+ pb_tnc_batch_type_names, this->batch_type);
+
+ while (this->messages->remove_last(this->messages,
+ (void**)&msg) == SUCCESS)
+ {
+ msg->destroy(msg);
+ }
+ }
+ this->batch_type = batch_type;
+ }
+}
+
+/**
+ * Handle a single PB-TNC IETF standard message according to its type
+ */
+static void handle_ietf_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+ pen_type_t msg_type = msg->get_type(msg);
+
+ switch (msg_type.type)
+ {
+ case PB_MSG_EXPERIMENTAL:
+ /* nothing to do */
+ break;
+ case PB_MSG_PA:
+ {
+ pb_pa_msg_t *pa_msg;
+ pen_type_t msg_subtype;
+ u_int16_t imc_id, imv_id;
+ chunk_t msg_body;
+ bool excl;
+ enum_name_t *pa_subtype_names;
+
+ pa_msg = (pb_pa_msg_t*)msg;
+ msg_subtype = pa_msg->get_subtype(pa_msg);
+ msg_body = pa_msg->get_body(pa_msg);
+ imc_id = pa_msg->get_collector_id(pa_msg);
+ imv_id = pa_msg->get_validator_id(pa_msg);
+ excl = pa_msg->get_exclusive_flag(pa_msg);
+
+ pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id);
+ if (pa_subtype_names)
+ {
+ DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x",
+ pen_names, msg_subtype.vendor_id, pa_subtype_names,
+ msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x",
+ pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id,
+ msg_subtype.type);
+ }
+ this->send_msg = TRUE;
+ tnc->imvs->receive_message(tnc->imvs, this->connection_id,
+ excl, msg_body.ptr, msg_body.len,
+ msg_subtype.vendor_id,
+ msg_subtype.type, imc_id, imv_id);
+ this->send_msg = FALSE;
+ break;
+ }
+ case PB_MSG_ERROR:
+ tnccs_20_handle_ietf_error_msg(msg, &this->fatal_error);
+ break;
+ case PB_MSG_LANGUAGE_PREFERENCE:
+ {
+ pb_language_preference_msg_t *lang_msg;
+ chunk_t lang;
+
+ lang_msg = (pb_language_preference_msg_t*)msg;
+ lang = lang_msg->get_language_preference(lang_msg);
+ DBG2(DBG_TNC, "setting language preference to '%.*s'",
+ (int)lang.len, lang.ptr);
+ this->recs->set_preferred_language(this->recs, lang);
+ break;
+ }
+ default:
+ break;
+ }
+}
+
+/**
+ * Handle a single PB-TNC ITA standard message according to its type
+ */
+static void handle_ita_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+ pen_type_t msg_type = msg->get_type(msg);
+
+ switch (msg_type.type)
+ {
+ case PB_ITA_MSG_MUTUAL_CAPABILITY:
+ this->mutual = tnccs_20_handle_ita_mutual_capability_msg(msg);
+
+ /* Respond with PB-TNC Mutual Capability message if necessary */
+ if (this->mutual && !this->sent_mutual_capability)
+ {
+ msg = pb_mutual_capability_msg_create(PB_MUTUAL_HALF_DUPLEX);
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+ this->sent_mutual_capability = TRUE;
+ }
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Handle a single PB-TNC message according to its type
+ */
+static void handle_message(private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+ pen_type_t msg_type = msg->get_type(msg);
+
+ switch (msg_type.vendor_id)
+ {
+ case PEN_IETF:
+ handle_ietf_message(this, msg);
+ break;
+ case PEN_ITA:
+ handle_ita_message(this, msg);
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Build an SRETRY batch
+ */
+static void build_retry_batch(private_tnccs_20_server_t *this)
+{
+ if (this->batch_type == PB_BATCH_SRETRY)
+ {
+ /* retry batch has already been selected */
+ return;
+ }
+ change_batch_type(this, PB_BATCH_SRETRY);
+
+ this->recs->clear_recommendation(this->recs);
+ tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+ TNC_CONNECTION_STATE_HANDSHAKE);
+}
+
+METHOD(tnccs_20_handler_t, process, status_t,
+ private_tnccs_20_server_t *this, pb_tnc_batch_t *batch)
+{
+ pb_tnc_batch_type_t batch_type;
+ status_t status;
+
+ batch_type = batch->get_type(batch);
+
+ DBG1(DBG_TNC, "processing PB-TNC %N batch for Connection ID %d",
+ pb_tnc_batch_type_names, batch_type, this->connection_id);
+ status = batch->process(batch, this->state_machine);
+
+ if (status != FAILED)
+ {
+ enumerator_t *enumerator;
+ pb_tnc_msg_t *msg;
+ bool empty = TRUE;
+
+ if (batch_type == PB_BATCH_CRETRY)
+ {
+ /* Send an SRETRY batch in response */
+ this->mutex->lock(this->mutex);
+ build_retry_batch(this);
+ this->mutex->unlock(this->mutex);
+ }
+
+ enumerator = batch->create_msg_enumerator(batch);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ handle_message(this, msg);
+ empty = FALSE;
+ }
+ enumerator->destroy(enumerator);
+
+ /* received a CLOSE batch from PB-TNC client */
+ if (batch_type == PB_BATCH_CLOSE)
+ {
+ return empty ? SUCCESS : FAILED;
+ }
+
+ this->send_msg = TRUE;
+ tnc->imvs->batch_ending(tnc->imvs, this->connection_id);
+ this->send_msg = FALSE;
+ }
+
+ switch (status)
+ {
+ case FAILED:
+ this->fatal_error = TRUE;
+ status = VERIFY_ERROR;
+ break;
+ case VERIFY_ERROR:
+ break;
+ case SUCCESS:
+ default:
+ status = NEED_MORE;
+ break;
+ }
+
+ return status;
+}
+
+/**
+ * Build a RESULT batch if a final recommendation is available
+ */
+static void check_and_build_recommendation(private_tnccs_20_server_t *this)
+{
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ TNC_ConnectionState state;
+ TNC_IMVID id;
+ chunk_t reason, language;
+ enumerator_t *enumerator;
+ pb_tnc_msg_t *msg;
+ pb_access_recommendation_code_t pb_rec;
+
+ if (!this->recs->have_recommendation(this->recs, &rec, &eval))
+ {
+ tnc->imvs->solicit_recommendation(tnc->imvs, this->connection_id);
+ }
+ if (this->recs->have_recommendation(this->recs, &rec, &eval))
+ {
+ this->batch_type = PB_BATCH_RESULT;
+
+ msg = pb_assessment_result_msg_create(eval);
+ this->messages->insert_last(this->messages, msg);
+
+ /**
+ * Map IMV Action Recommendation codes to PB Access Recommendation codes
+ * and communicate Access Recommendation to IMVs
+ */
+ switch (rec)
+ {
+ case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+ state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
+ pb_rec = PB_REC_ACCESS_ALLOWED;
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+ state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
+ pb_rec = PB_REC_QUARANTINED;
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+ default:
+ state = TNC_CONNECTION_STATE_ACCESS_NONE;
+ pb_rec = PB_REC_ACCESS_DENIED;
+ }
+ tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+ state);
+
+ msg = pb_access_recommendation_msg_create(pb_rec);
+ this->messages->insert_last(this->messages, msg);
+
+ enumerator = this->recs->create_reason_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &id, &reason, &language))
+ {
+ msg = pb_reason_string_msg_create(reason, language);
+ this->messages->insert_last(this->messages, msg);
+ }
+ enumerator->destroy(enumerator);
+ }
+}
+
+METHOD(tnccs_20_handler_t, build, status_t,
+ private_tnccs_20_server_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+ status_t status;
+ pb_tnc_state_t state;
+
+ state = this->state_machine->get_state(this->state_machine);
+
+ if (this->fatal_error && state == PB_STATE_END)
+ {
+ DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection");
+ return FAILED;
+ }
+
+ /* Do not allow any asynchronous IMVs to add additional messages */
+ this->mutex->lock(this->mutex);
+
+ if (this->request_handshake_retry)
+ {
+ if (state != PB_STATE_INIT)
+ {
+ build_retry_batch(this);
+ }
+
+ /* Reset the flag for the next handshake retry request */
+ this->request_handshake_retry = FALSE;
+ }
+
+ if (state == PB_STATE_SERVER_WORKING &&
+ this->recs->have_recommendation(this->recs, NULL, NULL))
+ {
+ check_and_build_recommendation(this);
+ }
+
+ if (this->batch_type == PB_BATCH_NONE)
+ {
+ if (state == PB_STATE_SERVER_WORKING)
+ {
+ if (this->state_machine->get_empty_cdata(this->state_machine))
+ {
+ check_and_build_recommendation(this);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "no recommendation available yet, "
+ "sending empty PB-TNC SDATA batch");
+ this->batch_type = PB_BATCH_SDATA;
+ }
+ }
+ }
+
+ if (this->batch_type != PB_BATCH_NONE)
+ {
+ pb_tnc_batch_t *batch;
+ pb_tnc_msg_t *msg;
+ chunk_t data;
+ int msg_count;
+ enumerator_t *enumerator;
+
+ if (this->state_machine->send_batch(this->state_machine, this->batch_type))
+ {
+ batch = pb_tnc_batch_create(TRUE, this->batch_type,
+ min(this->max_batch_len, *buflen));
+
+ enumerator = this->messages->create_enumerator(this->messages);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ if (batch->add_msg(batch, msg))
+ {
+ this->messages->remove_at(this->messages, enumerator);
+ }
+ else
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ batch->build(batch);
+ data = batch->get_encoding(batch);
+ DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u",
+ pb_tnc_batch_type_names, this->batch_type, data.len,
+ this->connection_id);
+ DBG3(DBG_TNC, "%B", &data);
+
+ *buflen = data.len;
+ *msglen = 0;
+ memcpy(buf, data.ptr, *buflen);
+ batch->destroy(batch);
+
+ msg_count = this->messages->get_count(this->messages);
+ if (msg_count)
+ {
+ DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch",
+ msg_count, (msg_count == 1) ? "" : "s",
+ pb_tnc_batch_type_names, this->batch_type);
+ }
+ else
+ {
+ this->batch_type = PB_BATCH_NONE;
+ }
+
+ status = ALREADY_DONE;
+ }
+ else
+ {
+ change_batch_type(this, PB_BATCH_NONE);
+ status = INVALID_STATE;
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, "no PB-TNC batch to send");
+ status = INVALID_STATE;
+ }
+ this->mutex->unlock(this->mutex);
+
+ return status;
+}
+
+METHOD(tnccs_20_handler_t, begin_handshake, void,
+ private_tnccs_20_server_t *this, bool mutual)
+{
+ pb_tnc_msg_t *msg;
+ identification_t *pdp_server;
+ u_int16_t *pdp_port;
+
+ tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+ TNC_CONNECTION_STATE_HANDSHAKE);
+
+ /* Send a PB-TNC TCG PDP Referral message if PDP is known */
+ pdp_server = (identification_t*)lib->get(lib, "pt-tls-server");
+ pdp_port = (u_int16_t*)lib->get(lib, "pt-tls-port");
+
+ if (this->eap_transport && pdp_server && pdp_port)
+ {
+ msg = pb_pdp_referral_msg_create_from_fqdn(
+ pdp_server->get_encoding(pdp_server), *pdp_port);
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+ }
+
+ /* Send a PB-Noskip-Test message for testing purposes */
+ if (lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+ {
+ msg = pb_noskip_test_msg_create();
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+ }
+}
+
+METHOD(tnccs_20_handler_t, get_send_flag, bool,
+ private_tnccs_20_server_t *this)
+{
+ return this->send_msg;
+}
+
+METHOD(tnccs_20_handler_t, get_mutual, bool,
+ private_tnccs_20_server_t *this)
+{
+ return this->mutual;
+}
+
+METHOD(tnccs_20_handler_t, get_state, pb_tnc_state_t,
+ private_tnccs_20_server_t *this)
+{
+ return this->state_machine->get_state(this->state_machine);
+}
+
+METHOD(tnccs_20_handler_t, add_msg, void,
+ private_tnccs_20_server_t *this, pb_tnc_msg_t *msg)
+{
+ /* adding PA message to SDATA batch only */
+ this->mutex->lock(this->mutex);
+ if (this->batch_type == PB_BATCH_NONE)
+ {
+ this->batch_type = PB_BATCH_SDATA;
+ }
+ if (this->batch_type == PB_BATCH_SDATA)
+ {
+ this->messages->insert_last(this->messages, msg);
+ }
+ else
+ {
+ msg->destroy(msg);
+ }
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(tnccs_20_handler_t, handle_errors, void,
+ private_tnccs_20_server_t *this, pb_tnc_batch_t *batch,
+ bool fatal_header_error)
+{
+ pb_tnc_msg_t *msg;
+ enumerator_t *enumerator;
+
+ if (fatal_header_error || this->fatal_error)
+ {
+ this->mutex->lock(this->mutex);
+ change_batch_type(this, PB_BATCH_CLOSE);
+ this->mutex->unlock(this->mutex);
+ }
+
+ enumerator = batch->create_error_enumerator(batch);
+ while (enumerator->enumerate(enumerator, &msg))
+ {
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg->get_ref(msg));
+ this->mutex->unlock(this->mutex);
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(tnccs_20_handler_t, destroy, void,
+ private_tnccs_20_server_t *this)
+{
+ if (this->connection_id)
+ {
+ tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, TRUE);
+ }
+ this->state_machine->destroy(this->state_machine);
+ this->mutex->destroy(this->mutex);
+ this->messages->destroy_offset(this->messages,
+ offsetof(pb_tnc_msg_t, destroy));
+ free(this);
+}
+
+METHOD(tnccs_20_server_t, have_recommendation, bool,
+ private_tnccs_20_server_t *this, TNC_IMV_Action_Recommendation *rec,
+ TNC_IMV_Evaluation_Result *eval)
+{
+ return this->recs->have_recommendation(this->recs, rec, eval);
+}
+
+/**
+ * See header
+ */
+tnccs_20_handler_t* tnccs_20_server_create(tnccs_t *tnccs,
+ tnccs_send_message_t send_msg,
+ size_t max_batch_len,
+ size_t max_msg_len,
+ bool eap_transport)
+{
+ private_tnccs_20_server_t *this;
+
+ INIT(this,
+ .public = {
+ .handler = {
+ .process = _process,
+ .build = _build,
+ .begin_handshake = _begin_handshake,
+ .get_send_flag = _get_send_flag,
+ .get_mutual = _get_mutual,
+ .get_state = _get_state,
+ .add_msg = _add_msg,
+ .handle_errors = _handle_errors,
+ .destroy = _destroy,
+ },
+ .have_recommendation = _have_recommendation,
+ },
+ .state_machine = pb_tnc_state_machine_create(TRUE),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .messages = linked_list_create(),
+ .batch_type = PB_BATCH_SDATA,
+ .max_batch_len = max_batch_len,
+ .eap_transport = eap_transport,
+ );
+
+ this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
+ TNCCS_2_0, tnccs, send_msg,
+ &this->request_handshake_retry,
+ max_msg_len, &this->recs);
+ if (!this->connection_id)
+ {
+ destroy(this);
+ return NULL;
+ }
+ tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
+ TNC_CONNECTION_STATE_CREATE);
+
+ return &this->public.handler;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h
new file mode 100644
index 000000000..5833d1132
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_20_server_h tnccs_20_server
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef TNCCS_20_SERVER_H_
+#define TNCCS_20_SERVER_H_
+
+#include <library.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "tnccs_20_handler.h"
+
+typedef struct tnccs_20_server_t tnccs_20_server_t;
+
+/**
+ * Interface for a TNC server
+ */
+struct tnccs_20_server_t {
+
+ /**
+ * IF-TNCCS 2.0 protocol handler interface
+ */
+ tnccs_20_handler_t handler;
+
+ /**
+ * Check if an Action Recommendation is already available
+ *
+ * @param rec TNC Action Recommendation
+ * @param eval TNC Evaluation Result
+ * @return TRUE if Action Recommendation is
+ */
+ bool (*have_recommendation)(tnccs_20_server_t *this,
+ TNC_IMV_Action_Recommendation *rec,
+ TNC_IMV_Evaluation_Result *eval);
+
+};
+
+/**
+ * Create an instance of the TNC IF-TNCCS 2.0 server-side protocol handler.
+ *
+ * @param tnccs TNC IF-TNCCS 2.0 stack
+ * @param send_msg TNF IF-TNCCS 2.0 send message callback function
+ * @param max_batch_len Maximum PB-TNC batch size
+ * @param max_msg_len Maximum PA-TNC message size
+ * @param eap_transport TRUE if IF-T for EAP methods
+ */
+tnccs_20_handler_t* tnccs_20_server_create(tnccs_t *tnccs,
+ tnccs_send_message_t send_msg,
+ size_t max_batch_len,
+ size_t max_msg_len,
+ bool eap_transport);
+
+
+#endif /** TNCCS_20_SERVER_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 6a03df994..3f21a22d4 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -231,6 +231,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -291,10 +292,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -368,6 +371,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
index e08236eb7..44b804fb2 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -34,12 +34,22 @@ struct private_tnccs_dynamic_t {
/**
* Server identity
*/
- identification_t *server;
+ identification_t *server_id;
/**
* Client identity
*/
- identification_t *peer;
+ identification_t *peer_id;
+
+ /**
+ * Server IP address
+ */
+ host_t *server_ip;
+
+ /**
+ * Client IP address
+ */
+ host_t *peer_ip;
/**
* Detected TNC IF-TNCCS stack
@@ -109,8 +119,8 @@ METHOD(tls_t, process, status_t,
DBG1(DBG_TNC, "%N protocol detected dynamically",
tnccs_type_names, type);
tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
- this->server, this->peer, this->transport,
- this->callback);
+ this->server_id, this->peer_id, this->server_ip,
+ this->peer_ip, this->transport, this->callback);
if (!tnccs)
{
DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
@@ -137,14 +147,14 @@ METHOD(tls_t, is_server, bool,
METHOD(tls_t, get_server_id, identification_t*,
private_tnccs_dynamic_t *this)
{
- return this->server;
+ return this->server_id;
}
METHOD(tls_t, set_peer_id, void,
private_tnccs_dynamic_t *this, identification_t *id)
{
- DESTROY_IF(this->peer);
- this->peer = id->clone(id);
+ DESTROY_IF(this->peer_id);
+ this->peer_id = id->clone(id);
if (this->tls)
{
this->tls->set_peer_id(this->tls, id);
@@ -154,7 +164,7 @@ METHOD(tls_t, set_peer_id, void,
METHOD(tls_t, get_peer_id, identification_t*,
private_tnccs_dynamic_t *this)
{
- return this->peer;
+ return this->peer_id;
}
METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -181,12 +191,26 @@ METHOD(tls_t, destroy, void,
if (ref_put(&this->ref))
{
DESTROY_IF(this->tls);
- this->server->destroy(this->server);
- this->peer->destroy(this->peer);
+ this->server_id->destroy(this->server_id);
+ this->peer_id->destroy(this->peer_id);
+ this->server_ip->destroy(this->server_ip);
+ this->peer_ip->destroy(this->peer_ip);
free(this);
}
}
+METHOD(tnccs_t, get_server_ip, host_t*,
+ private_tnccs_dynamic_t *this)
+{
+ return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+ private_tnccs_dynamic_t *this)
+{
+ return this->peer_ip;
+}
+
METHOD(tnccs_t, get_transport, tnc_ift_type_t,
private_tnccs_dynamic_t *this)
{
@@ -229,9 +253,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
/**
* See header
*/
-tnccs_t* tnccs_dynamic_create(bool is_server,
- identification_t *server, identification_t *peer,
- tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id,
+ identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport,
+ tnccs_cb_t cb)
{
private_tnccs_dynamic_t *this;
@@ -249,6 +274,8 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
.get_eap_msk = _get_eap_msk,
.destroy = _destroy,
},
+ .get_server_ip = _get_server_ip,
+ .get_peer_ip = _get_peer_ip,
.get_transport = _get_transport,
.set_transport = _set_transport,
.get_auth_type = _get_auth_type,
@@ -256,8 +283,10 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
.get_pdp_server = _get_pdp_server,
.get_ref = _get_ref,
},
- .server = server->clone(server),
- .peer = peer->clone(peer),
+ .server_id = server_id->clone(server_id),
+ .peer_id = peer_id->clone(peer_id),
+ .server_ip = server_ip->clone(server_ip),
+ .peer_ip = peer_ip->clone(peer_ip),
.transport = transport,
.callback = cb,
.ref = 1,
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
index cbdc80b83..2e1141780 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -29,14 +29,17 @@
* Create an instance of a dynamic TNC IF-TNCCS protocol handler.
*
* @param is_server TRUE to act as TNC Server, FALSE for TNC Client
- * @param server Server identity
- * @param peer Client identity
+ * @param server_id Server identity
+ * @param peer_id Client identity
+ * @param server_ip Server IP address
+ * @param peer_ip Client IP address
* @param transport Underlying IF-T transport protocol
* @param cb Callback function if TNC Server, NULL if TNC Client
* @return dynamic TNC IF-TNCCS protocol stack
*/
-tnccs_t* tnccs_dynamic_create(bool is_server,
- identification_t *server, identification_t *peer,
- tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id,
+ identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport,
+ tnccs_cb_t cb);
#endif /** TNCCS_DYNAMIC_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
index b518e1278..97dd0df43 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h
@@ -15,7 +15,7 @@
/**
* @defgroup tnccs_dynamic tnccs_dynamic
- * @ingroup cplugins
+ * @ingroup tplugins
*
* @defgroup tnccs_dynamic_plugin tnccs_dynamic_plugin
* @{ @ingroup tnccs_dynamic
diff --git a/src/libtnccs/tnc/imc/imc.h b/src/libtnccs/tnc/imc/imc.h
index 3ff7d5194..6d13f6bc5 100644
--- a/src/libtnccs/tnc/imc/imc.h
+++ b/src/libtnccs/tnc/imc/imc.h
@@ -15,7 +15,7 @@
/**
* @defgroup imc imc
- * @ingroup tnc
+ * @ingroup libtnccs
*
* @defgroup imct imc
* @{ @ingroup imc
diff --git a/src/libtnccs/tnc/imv/imv.h b/src/libtnccs/tnc/imv/imv.h
index 3716532d6..fbc26a1e7 100644
--- a/src/libtnccs/tnc/imv/imv.h
+++ b/src/libtnccs/tnc/imv/imv.h
@@ -15,7 +15,7 @@
/**
* @defgroup imv imv
- * @ingroup tnc
+ * @ingroup libtnccs
*
* @defgroup imvt imv
* @{ @ingroup imv
diff --git a/src/libtnccs/tnc/tnc.h b/src/libtnccs/tnc/tnc.h
index e5a4a2959..7bf8c84b7 100644
--- a/src/libtnccs/tnc/tnc.h
+++ b/src/libtnccs/tnc/tnc.h
@@ -14,9 +14,12 @@
*/
/**
- * @defgroup tnc tnc
+ * @defgroup libtnccs libtnccs
*
- * @addtogroup tnc
+ * @defgroup tplugins plugins
+ * @ingroup libtnccs
+ *
+ * @addtogroup libtnccs
* @{
*/
diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h
index eefd5565d..8ff295bcc 100644
--- a/src/libtnccs/tnc/tnccs/tnccs.h
+++ b/src/libtnccs/tnc/tnccs/tnccs.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -15,7 +15,7 @@
/**
* @defgroup tnccs tnccs
- * @ingroup tnc
+ * @ingroup libtnccs
*
* @defgroup tnccst tnccs
* @{ @ingroup tnccs
@@ -87,6 +87,20 @@ struct tnccs_t {
tls_t tls;
/**
+ * Get server IP address
+ *
+ * @return Server IP address
+ */
+ host_t* (*get_server_ip)(tnccs_t *this);
+
+ /**
+ * Get peer IP address
+ *
+ * @return Peer IP address
+ */
+ host_t* (*get_peer_ip)(tnccs_t *this);
+
+ /**
* Get underlying TNC IF-T transport protocol
*
* @return TNC IF-T transport protocol
@@ -135,15 +149,19 @@ struct tnccs_t {
* Constructor definition for a pluggable TNCCS protocol implementation.
*
* @param is_server TRUE if TNC Server, FALSE if TNC Client
- * @param server Server identity
- * @param peer Client identity
+ * @param server_id Server identity
+ * @param peer_id Client identity
+ * @param server_ip Server IP address
+ * @param peer_ip Client IP address
* @param transport Underlying TNC IF-T transport protocol used
* @param cb Callback function if TNC Server, NULL if TNC Client
* @return implementation of the tnccs_t interface
*/
typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
- identification_t *server,
- identification_t *peer,
+ identification_t *server_id,
+ identification_t *peer_id,
+ host_t *server_ip,
+ host_t *peer_ip,
tnc_ift_type_t transport,
tnccs_cb_t cb);
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h
index 791336ee1..b5c85f3c0 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.h
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -56,16 +56,19 @@ struct tnccs_manager_t {
*
* @param type type of the TNCCS protocol
* @param is_server TRUE if TNC Server, FALSE if TNC Client
- * @param server Server identity
- * @param peer Client identity
+ * @param server_id Server identity
+ * @param peer_id Client identity
+ * @param server_ip Server IP address
+ * @param peer_ip Client IP address
* @param transport Underlying TNC IF-T transport protocol used
* @param cb Callback function if TNC Server, NULL if TNC Client
* @return TNCCS protocol instance, NULL if no constructor found
*/
tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
- bool is_server, identification_t *server,
- identification_t *peer,
- tnc_ift_type_t transport, tnccs_cb_t cb);
+ bool is_server, identification_t *server_id,
+ identification_t *peer_id, host_t *server_ip,
+ host_t *peer_ip, tnc_ift_type_t transport,
+ tnccs_cb_t cb);
/**
* Create a TNCCS connection and assign a unique connection ID as well a
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index efa06b927..010fadc42 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -193,6 +193,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -253,10 +254,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -330,6 +333,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/libtncif/tncif_names.c b/src/libtncif/tncif_names.c
index ac948c8ba..b348c548e 100644
--- a/src/libtncif/tncif_names.c
+++ b/src/libtncif/tncif_names.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -46,6 +46,18 @@ ENUM(TNC_IMV_Evaluation_Result_names,
"don't know"
);
+ENUM(TNC_Identity_names,
+ TNC_ID_UNKNOWN,
+ TNC_ID_X500_DN,
+ "unknown",
+ "IPv4 address",
+ "IPv6 address",
+ "FQDN",
+ "email address",
+ "username",
+ "X.500 DN"
+);
+
ENUM(TNC_Subject_names,
TNC_SUBJECT_UNKNOWN,
TNC_SUBJECT_USER,
diff --git a/src/libtncif/tncif_names.h b/src/libtncif/tncif_names.h
index 75458f960..64dd14fc2 100644
--- a/src/libtncif/tncif_names.h
+++ b/src/libtncif/tncif_names.h
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -30,6 +31,7 @@
extern enum_name_t *TNC_Connection_State_names;
extern enum_name_t *TNC_IMV_Action_Recommendation_names;
extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+extern enum_name_t *TNC_Identity_names;
extern enum_name_t *TNC_Subject_names;
extern enum_name_t *TNC_Authentication_names;
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 79ee9c7b8..500220a3a 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -245,6 +245,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -305,10 +306,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -382,6 +385,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index 3de9153cf..7265457f1 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -234,6 +234,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -294,10 +295,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -371,6 +374,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am
index 266802cf7..ab407e021 100644
--- a/src/pki/Makefile.am
+++ b/src/pki/Makefile.am
@@ -13,6 +13,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
commands/signcrl.c \
commands/acert.c \
commands/pkcs7.c \
+ commands/pkcs12.c \
commands/verify.c
pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index 5f7a1bc26..4205469fc 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -108,7 +108,7 @@ am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) \
commands/req.$(OBJEXT) commands/self.$(OBJEXT) \
commands/print.$(OBJEXT) commands/signcrl.$(OBJEXT) \
commands/acert.$(OBJEXT) commands/pkcs7.$(OBJEXT) \
- commands/verify.$(OBJEXT)
+ commands/pkcs12.$(OBJEXT) commands/verify.$(OBJEXT)
pki_OBJECTS = $(am_pki_OBJECTS)
pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la
AM_V_lt = $(am__v_lt_@AM_V@)
@@ -243,6 +243,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -303,10 +304,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -380,6 +383,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -450,6 +455,7 @@ pki_SOURCES = pki.c pki.h command.c command.h \
commands/signcrl.c \
commands/acert.c \
commands/pkcs7.c \
+ commands/pkcs12.c \
commands/verify.c
pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -566,6 +572,8 @@ commands/acert.$(OBJEXT): commands/$(am__dirstamp) \
commands/$(DEPDIR)/$(am__dirstamp)
commands/pkcs7.$(OBJEXT): commands/$(am__dirstamp) \
commands/$(DEPDIR)/$(am__dirstamp)
+commands/pkcs12.$(OBJEXT): commands/$(am__dirstamp) \
+ commands/$(DEPDIR)/$(am__dirstamp)
commands/verify.$(OBJEXT): commands/$(am__dirstamp) \
commands/$(DEPDIR)/$(am__dirstamp)
@@ -586,6 +594,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/gen.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/issue.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/keyid.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pkcs12.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pkcs7.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/print.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@commands/$(DEPDIR)/pub.Po@am__quote@
diff --git a/src/pki/command.h b/src/pki/command.h
index 9cf036bf2..d49adda09 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -24,7 +24,7 @@
/**
* Maximum number of commands (+1).
*/
-#define MAX_COMMANDS 12
+#define MAX_COMMANDS 13
/**
* Maximum number of options in a command (+3)
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 185aa40b4..7099977f2 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -31,7 +32,7 @@
static int acert()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -161,6 +162,10 @@ static int acert()
error = "loading issuer private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
if (!private->belongs_to(private, public))
{
error = "issuer private key does not match issuer certificate";
@@ -286,7 +291,7 @@ static void __attribute__ ((constructor))reg()
{"not-before", 'F', 1, "date/time the validity of the AC starts"},
{"not-after", 'T', 1, "date/time the validity of the AC ends"},
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index ce28a0971..8b11854ad 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -43,6 +44,10 @@ static int gen()
{
type = KEY_ECDSA;
}
+ else if (streq(arg, "bliss"))
+ {
+ type = KEY_BLISS;
+ }
else
{
return command_usage("invalid key type");
@@ -96,6 +101,9 @@ static int gen()
case KEY_ECDSA:
size = 384;
break;
+ case KEY_BLISS:
+ size = 1;
+ break;
default:
break;
}
@@ -151,12 +159,12 @@ static void __attribute__ ((constructor))reg()
{
command_register((command_t) {
gen, 'g', "gen", "generate a new private key",
- {" [--type rsa|ecdsa] [--size bits] [--safe-primes]",
+ {" [--type rsa|ecdsa|bliss] [--size bits] [--safe-primes]",
"[--shares n] [--threshold l] [--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"type", 't', 1, "type of key, default: rsa"},
- {"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+ {"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384, bliss 1"},
{"safe-primes", 'p', 0, "generate rsa safe primes"},
{"shares", 'n', 1, "number of private rsa key shares"},
{"threshold", 'l', 1, "minimum number of participating rsa key shares"},
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index aaa2c2ff7..6a2d09d78 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -59,7 +60,7 @@ static void destroy_cdp(x509_cdp_t *this)
static int issue()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -287,6 +288,7 @@ static int issue()
}
break;
}
+
if (!cacert)
{
error = "--cacert is required";
@@ -355,6 +357,10 @@ static int issue()
error = "loading CA private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
@@ -589,7 +595,7 @@ static void __attribute__ ((constructor))reg()
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index c3ac0c288..3bc62e74d 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -52,6 +52,11 @@ static int keyid()
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
+ else if (streq(arg, "bliss-priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_BLISS;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
@@ -164,7 +169,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ keyid, 'k', "keyid",
"calculate key identifiers of a key/certificate",
- {"[--in file] [--type rsa-priv|ecdsa-priv|pub|pkcs10|x509]"},
+ {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pkcs12.c b/src/pki/commands/pkcs12.c
new file mode 100644
index 000000000..dcd1496ba
--- /dev/null
+++ b/src/pki/commands/pkcs12.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2014 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <errno.h>
+
+#include "pki.h"
+
+#include <credentials/certificates/x509.h>
+#include <credentials/containers/pkcs12.h>
+
+/**
+ * Show info about PKCS#12 container
+ */
+static int show(pkcs12_t *pkcs12)
+{
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ private_key_t *key;
+ int index = 1;
+
+ printf("Certificates:\n");
+ enumerator = pkcs12->create_cert_enumerator(pkcs12);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (x509->get_flags(x509) & X509_CA)
+ {
+ printf("[%2d] \"%Y\" (CA)\n", index++, cert->get_subject(cert));
+ }
+ else
+ {
+ printf("[%2d] \"%Y\"\n", index++, cert->get_subject(cert));
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ printf("Private keys:\n");
+ enumerator = pkcs12->create_key_enumerator(pkcs12);
+ while (enumerator->enumerate(enumerator, &key))
+ {
+ printf("[%2d] %N %d bits\n", index++, key_type_names,
+ key->get_type(key), key->get_keysize(key));
+ }
+ enumerator->destroy(enumerator);
+ return 0;
+}
+
+static int export(pkcs12_t *pkcs12, int index, char *outform)
+{
+ cred_encoding_type_t form;
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ private_key_t *key;
+ chunk_t encoding;
+ int i = 1;
+
+ enumerator = pkcs12->create_cert_enumerator(pkcs12);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ if (i++ == index)
+ {
+ form = CERT_ASN1_DER;
+ if (outform && !get_form(outform, &form, CRED_CERTIFICATE))
+ {
+ enumerator->destroy(enumerator);
+ return command_usage("invalid output format");
+ }
+ if (cert->get_encoding(cert, form, &encoding))
+ {
+ set_file_mode(stdout, form);
+ if (fwrite(encoding.ptr, encoding.len, 1, stdout) == 1)
+ {
+ free(encoding.ptr);
+ enumerator->destroy(enumerator);
+ return 0;
+ }
+ free(encoding.ptr);
+ }
+ fprintf(stderr, "certificate export failed\n");
+ enumerator->destroy(enumerator);
+ return 1;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = pkcs12->create_key_enumerator(pkcs12);
+ while (enumerator->enumerate(enumerator, &key))
+ {
+ if (i++ == index)
+ {
+ form = PRIVKEY_ASN1_DER;
+ if (outform && !get_form(outform, &form, CRED_PRIVATE_KEY))
+ {
+ enumerator->destroy(enumerator);
+ return command_usage("invalid output format");
+ }
+ if (key->get_encoding(key, form, &encoding))
+ {
+ set_file_mode(stdout, form);
+ if (fwrite(encoding.ptr, encoding.len, 1, stdout) == 1)
+ {
+ free(encoding.ptr);
+ enumerator->destroy(enumerator);
+ return 0;
+ }
+ free(encoding.ptr);
+ }
+ fprintf(stderr, "private key export failed\n");
+ enumerator->destroy(enumerator);
+ return 0;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ fprintf(stderr, "invalid index %d\n", index);
+ return 1;
+}
+
+
+/**
+ * Handle PKCs#12 containers
+ */
+static int pkcs12()
+{
+ char *arg, *file = NULL, *outform = NULL;
+ pkcs12_t *p12 = NULL;
+ int res = 1, index = 0;
+ enum {
+ OP_NONE,
+ OP_LIST,
+ OP_EXPORT,
+ } op = OP_NONE;
+
+ while (TRUE)
+ {
+ switch (command_getopt(&arg))
+ {
+ case 'h':
+ return command_usage(NULL);
+ case 'i':
+ file = arg;
+ continue;
+ case 'l':
+ if (op != OP_NONE)
+ {
+ goto invalid;
+ }
+ op = OP_LIST;
+ continue;
+ case 'e':
+ if (op != OP_NONE)
+ {
+ goto invalid;
+ }
+ op = OP_EXPORT;
+ index = atoi(arg);
+ continue;
+ case 'f':
+ outform = arg;
+ continue;
+ case EOF:
+ break;
+ default:
+ invalid:
+ return command_usage("invalid --pkcs12 option");
+ }
+ break;
+ }
+
+ if (file)
+ {
+ p12 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12,
+ BUILD_FROM_FILE, file, BUILD_END);
+ }
+ else
+ {
+ chunk_t chunk;
+
+ set_file_mode(stdin, CERT_ASN1_DER);
+ if (!chunk_from_fd(0, &chunk))
+ {
+ fprintf(stderr, "reading input failed: %s\n", strerror(errno));
+ return 1;
+ }
+ p12 = lib->creds->create(lib->creds, CRED_CONTAINER, CONTAINER_PKCS12,
+ BUILD_BLOB, chunk, BUILD_END);
+ free(chunk.ptr);
+ }
+
+ if (!p12)
+ {
+ fprintf(stderr, "reading input failed!\n");
+ goto end;
+ }
+
+ switch (op)
+ {
+ case OP_LIST:
+ res = show(p12);
+ break;
+ case OP_EXPORT:
+ res = export(p12, index, outform);
+ break;
+ default:
+ p12->container.destroy(&p12->container);
+ return command_usage(NULL);
+ }
+
+end:
+ if (p12)
+ {
+ p12->container.destroy(&p12->container);
+ }
+ return res;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+ command_register((command_t) {
+ pkcs12, 'u', "pkcs12", "PKCS#12 functions",
+ {"--export index|--list [--in file]",
+ "[--outform der|pem]"},
+ {
+ {"help", 'h', 0, "show usage information"},
+ {"in", 'i', 1, "input file, default: stdin"},
+ {"list", 'l', 0, "list certificates and keys"},
+ {"export", 'e', 1, "export the credential with the given index"},
+ {"outform", 'f', 1, "encoding of exported credentials, default: der"},
+ }
+ });
+}
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index fb07169bf..fa69de133 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -32,9 +32,12 @@
static void print_pubkey(public_key_t *key)
{
chunk_t chunk;
+ key_type_t type;
+
+ type = key->get_type(key);
+ printf("pubkey: %N %d bits%s\n", key_type_names, type,
+ key->get_keysize(key), (type == KEY_BLISS) ? " strength" : "");
- printf("pubkey: %N %d bits\n", key_type_names, key->get_type(key),
- key->get_keysize(key));
if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk))
{
printf("keyid: %#B\n", &chunk);
@@ -66,6 +69,22 @@ static void print_key(private_key_t *key)
}
/**
+ * Get a prefix for a named constraint identity type
+ */
+static char* get_type_pfx(identification_t *id)
+{
+ switch (id->get_type(id))
+ {
+ case ID_RFC822_ADDR:
+ return "email:";
+ case ID_FQDN:
+ return "dns:";
+ default:
+ return "";
+ }
+}
+
+/**
* Print X509 specific certificate information
*/
static void print_x509(x509_t *x509)
@@ -202,7 +221,7 @@ static void print_x509(x509_t *x509)
printf("Permitted NameConstraints:\n");
first = FALSE;
}
- printf(" %Y\n", id);
+ printf(" %s%Y\n", get_type_pfx(id), id);
}
enumerator->destroy(enumerator);
first = TRUE;
@@ -214,7 +233,7 @@ static void print_x509(x509_t *x509)
printf("Excluded NameConstraints:\n");
first = FALSE;
}
- printf(" %Y\n", id);
+ printf(" %s%Y\n", get_type_pfx(id), id);
}
enumerator->destroy(enumerator);
@@ -580,6 +599,11 @@ static int print()
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
+ else if (streq(arg, "bliss-priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_BLISS;
+ }
else
{
return command_usage( "invalid input type");
@@ -652,7 +676,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ print, 'a', "print",
"print a credential in a human readable form",
- {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509|crl|ac]"},
+ {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index b8d2f701d..ccc3c4251 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -53,6 +54,11 @@ static int pub()
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
+ else if (streq(arg, "bliss"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_BLISS;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
@@ -183,7 +189,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
pub, 'p', "pub",
"extract the public key from a private key/certificate",
- {"[--in file|--keyid hex] [--type rsa|ecdsa|pub|pkcs10|x509]",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
"[--outform der|pem|dnskey|sshkey]"},
{
{"help", 'h', 0, "show usage information"},
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 023683569..da991b505 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2009 Martin Willi
- * Copyright (C) 2009 Andreas Steffen
+ * Copyright (C) 2009-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* HSR Hochschule fuer Technik Rapperswil
*
@@ -30,7 +31,7 @@ static int req()
{
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert = NULL;
private_key_t *private = NULL;
char *file = NULL, *dn = NULL, *error = NULL;
@@ -57,6 +58,10 @@ static int req()
{
type = KEY_ECDSA;
}
+ else if (streq(arg, "bliss"))
+ {
+ type = KEY_BLISS;
+ }
else
{
error = "invalid input type";
@@ -134,6 +139,10 @@ static int req()
error = "parsing private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_PKCS10_REQUEST,
BUILD_SIGNING_KEY, private,
BUILD_SUBJECT, id,
@@ -185,7 +194,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
req, 'r', "req",
"create a PKCS#10 certificate request",
- {" [--in file] [--type rsa|ecdsa] --dn distinguished-name",
+ {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
"[--san subjectAltName]+ [--password challengePassword]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"},
{
@@ -195,7 +204,7 @@ static void __attribute__ ((constructor))reg()
{"dn", 'd', 1, "subject distinguished name"},
{"san", 'a', 1, "subjectAltName to include in cert request"},
{"password",'p', 1, "challengePassword to include in cert request"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated request, default: der"},
}
});
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index daefcdc10..a785c2a0c 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -1,6 +1,7 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -49,7 +50,7 @@ static int self()
{
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert = NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -57,7 +58,8 @@ static int self()
identification_t *id = NULL;
linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
- int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
+ int inhibit_mapping = X509_NO_CONSTRAINT;
+ int require_explicit = X509_NO_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
@@ -88,6 +90,10 @@ static int self()
{
type = KEY_ECDSA;
}
+ else if (streq(arg, "bliss"))
+ {
+ type = KEY_BLISS;
+ }
else
{
error = "invalid input type";
@@ -308,6 +314,10 @@ static int self()
error = "loading private key failed";
goto end;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
public = private->get_public_key(private);
if (!public)
{
@@ -407,7 +417,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
self, 's', "self",
"create a self signed certificate",
- {" [--in file|--keyid hex] [--type rsa|ecdsa]",
+ {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -441,7 +451,7 @@ static void __attribute__ ((constructor))reg()
{"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
{"flag", 'e', 1, "include extendedKeyUsage flag"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index e5f49efe2..720dfd8a9 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -117,7 +117,7 @@ static int sign_crl()
certificate_t *ca = NULL, *crl = NULL;
crl_t *lastcrl = NULL;
x509_t *x509;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_UNKNOWN;
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
char *basecrl = NULL;
char serial[512], *keyid = NULL;
@@ -330,6 +330,10 @@ static int sign_crl()
error = "loading CA private key failed";
goto error;
}
+ if (digest == HASH_UNKNOWN)
+ {
+ digest = get_default_digest(private);
+ }
if (!private->belongs_to(private, public))
{
error = "CA private key does not match CA certificate";
@@ -465,7 +469,7 @@ static void __attribute__ ((constructor))reg()
{"serial", 's', 1, "hex encoded certificate serial number to revoke"},
{"reason", 'r', 1, "reason for certificate revocation"},
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: key-specific"},
{"outform", 'f', 1, "encoding of generated crl, default: der"},
}
});
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index c288015de..45355bacd 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -81,10 +81,11 @@ subdir = src/pki/man
DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
$(srcdir)/pki.1.in $(srcdir)/pki---gen.1.in \
$(srcdir)/pki---issue.1.in $(srcdir)/pki---keyid.1.in \
- $(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---print.1.in \
- $(srcdir)/pki---pub.1.in $(srcdir)/pki---req.1.in \
- $(srcdir)/pki---self.1.in $(srcdir)/pki---signcrl.1.in \
- $(srcdir)/pki---acert.1.in $(srcdir)/pki---verify.1.in
+ $(srcdir)/pki---pkcs7.1.in $(srcdir)/pki---pkcs12.1.in \
+ $(srcdir)/pki---print.1.in $(srcdir)/pki---pub.1.in \
+ $(srcdir)/pki---req.1.in $(srcdir)/pki---self.1.in \
+ $(srcdir)/pki---signcrl.1.in $(srcdir)/pki---acert.1.in \
+ $(srcdir)/pki---verify.1.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
$(top_srcdir)/m4/config/ltoptions.m4 \
@@ -101,8 +102,9 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES = pki.1 pki---gen.1 pki---issue.1 pki---keyid.1 \
- pki---pkcs7.1 pki---print.1 pki---pub.1 pki---req.1 \
- pki---self.1 pki---signcrl.1 pki---acert.1 pki---verify.1
+ pki---pkcs7.1 pki---pkcs12.1 pki---print.1 pki---pub.1 \
+ pki---req.1 pki---self.1 pki---signcrl.1 pki---acert.1 \
+ pki---verify.1
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
@@ -181,6 +183,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -241,10 +244,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -318,6 +323,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -434,6 +441,8 @@ pki---keyid.1: $(top_builddir)/config.status $(srcdir)/pki---keyid.1.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
pki---pkcs7.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs7.1.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
+pki---pkcs12.1: $(top_builddir)/config.status $(srcdir)/pki---pkcs12.1.in
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
pki---print.1: $(top_builddir)/config.status $(srcdir)/pki---print.1.in
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@
pki---pub.1: $(top_builddir)/config.status $(srcdir)/pki---pub.1.in
diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
index ec1d8be6e..d7460fd1f 100644
--- a/src/pki/man/pki---acert.1.in
+++ b/src/pki/man/pki---acert.1.in
@@ -99,8 +99,8 @@ Serial number in hex. It is randomly allocated by default.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 375cb2fe4..3a89059c8 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -122,8 +122,8 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
@@ -147,10 +147,22 @@ times.
Set path length constraint.
.TP
.BI "\-n, \-\-nc-permitted " name
-Add permitted NameConstraint extension to certificate.
+Add permitted NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
.TP
.BI "\-N, \-\-nc-excluded " name
-Add excluded NameConstraint extension to certificate.
+Add excluded NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
diff --git a/src/pki/man/pki---pkcs12.1.in b/src/pki/man/pki---pkcs12.1.in
new file mode 100644
index 000000000..470a66389
--- /dev/null
+++ b/src/pki/man/pki---pkcs12.1.in
@@ -0,0 +1,62 @@
+.TH "PKI \-\-PKCS12" 1 "2014-10-17" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-pkcs12 \- Provides PKCS#12 functions
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-pkcs12
+.BR \-\-list
+.OP \-\-in file
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pkcs12
+.BI \-\-export\~ index
+.OP \-\-in file
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-pkcs12
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-pkcs12"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+provides functions to work with PKCS#12 containers.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-l, \-\-list"
+List certificates and keys contained in a PKCS#12 container.
+.TP
+.BI "\-e, \-\-export " index
+Export the credential with the given \fIindex\fR. Use \fI\-\-list\fR to
+determine the index of certificates and keys.
+.TP
+.BI "\-i, \-\-in " file
+PKCS#12 input file. If not given the input is read from \fISTDIN\fR.
+.
+.SH "SEE ALSO"
+.
+.BR pki (1) \ No newline at end of file
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
index ab144ce2a..a6f6a480a 100644
--- a/src/pki/man/pki---req.1.in
+++ b/src/pki/man/pki---req.1.in
@@ -62,8 +62,8 @@ The challengePassword to include in the certificate request.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 5e6e78bd0..53f53f816 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -109,8 +109,8 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
@@ -127,10 +127,22 @@ times.
Set path length constraint.
.TP
.BI "\-n, \-\-nc-permitted " name
-Add permitted NameConstraint extension to certificate.
+Add permitted NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
.TP
.BI "\-N, \-\-nc-excluded " name
-Add excluded NameConstraint extension to certificate.
+Add excluded NameConstraint extension to certificate. For DNS or email
+constraints, the identity type is not always detectable by the given name. Use
+the
+.B dns:
+or
+.B email:
+prefix to force a constraint type.
.TP
.BI "\-M, \-\-policy-mapping " issuer-oid:subject-oid
Add policyMapping from issuer to subject OID.
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index bd6cba547..b930bfa3c 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -98,8 +98,8 @@ Freshest delta CRL URI to include in CRL. Can be used multiple times.
.TP
.BI "\-g, \-\-digest " digest
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
-\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
-\fIsha1\fR.
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. The default is
+determined based on the type and size of the signature key.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 434287de6..472704945 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2012-2014 Tobias Brunner
* Copyright (C) 2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -22,6 +23,7 @@
#include <fcntl.h>
#include <utils/debug.h>
+#include <credentials/sets/mem_cred.h>
#include <credentials/sets/callback_cred.h>
/**
@@ -235,12 +237,40 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc)
#endif
}
+/*
+ * Described in header
+ */
+hash_algorithm_t get_default_digest(private_key_t *private)
+{
+ enumerator_t *enumerator;
+ signature_scheme_t scheme;
+ hash_algorithm_t alg = HASH_UNKNOWN;
+
+ enumerator = signature_schemes_for_key(private->get_type(private),
+ private->get_keysize(private));
+ if (enumerator->enumerate(enumerator, &scheme))
+ {
+ alg = hasher_from_signature_scheme(scheme);
+ }
+ enumerator->destroy(enumerator);
+
+ /* default to SHA-256 */
+ return alg == HASH_UNKNOWN ? HASH_SHA256 : alg;
+}
+
/**
* Callback credential set pki uses
*/
static callback_cred_t *cb_set;
/**
+ * Credential set to cache entered secrets
+ */
+static mem_cred_t *cb_creds;
+
+static shared_key_type_t prompted;
+
+/**
* Callback function to receive credentials
*/
static shared_key_t* cb(void *data, shared_key_type_t type,
@@ -248,7 +278,12 @@ static shared_key_t* cb(void *data, shared_key_type_t type,
id_match_t *match_me, id_match_t *match_other)
{
char buf[64], *label, *secret = NULL;
+ shared_key_t *shared;
+ if (prompted == type)
+ {
+ return NULL;
+ }
switch (type)
{
case SHARED_PIN:
@@ -266,6 +301,7 @@ static shared_key_t* cb(void *data, shared_key_type_t type,
#endif
if (secret && strlen(secret))
{
+ prompted = type;
if (match_me)
{
*match_me = ID_MATCH_PERFECT;
@@ -274,8 +310,10 @@ static shared_key_t* cb(void *data, shared_key_type_t type,
{
*match_other = ID_MATCH_NONE;
}
- return shared_key_create(type,
- chunk_clone(chunk_create(secret, strlen(secret))));
+ shared = shared_key_create(type, chunk_clone(chunk_from_str(secret)));
+ /* cache password in case it is required more than once */
+ cb_creds->add_shared(cb_creds, shared, NULL);
+ return shared->get_ref(shared);
}
return NULL;
}
@@ -287,6 +325,8 @@ static void add_callback()
{
cb_set = callback_cred_create_shared(cb, NULL);
lib->credmgr->add_set(lib->credmgr, &cb_set->set);
+ cb_creds = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &cb_creds->set);
}
/**
@@ -294,6 +334,8 @@ static void add_callback()
*/
static void remove_callback()
{
+ lib->credmgr->remove_set(lib->credmgr, &cb_creds->set);
+ cb_creds->destroy(cb_creds);
lib->credmgr->remove_set(lib->credmgr, &cb_set->set);
cb_set->destroy(cb_set);
}
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 1f0827733..017e61df6 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -55,4 +55,12 @@ bool calculate_lifetime(char *format, char *nbstr, char *nastr, time_t span,
*/
void set_file_mode(FILE *stream, cred_encoding_type_t enc);
+/**
+ * Select default digest for signatures with the given key
+ *
+ * @param private private key
+ * @return hash algorithm
+ */
+hash_algorithm_t get_default_digest(private_key_t *private);
+
#endif /** PKI_H_ @}*/
diff --git a/src/pool/Makefile.am b/src/pool/Makefile.am
index b8d662e57..5ae624b88 100644
--- a/src/pool/Makefile.am
+++ b/src/pool/Makefile.am
@@ -11,11 +11,13 @@ pool.o : $(top_builddir)/config.status
AM_CPPFLAGS = \
-I$(top_srcdir)/src/libstrongswan \
-I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon \
-DPLUGINS=\""${pool_plugins}\""
pool_LDADD = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libhydra/libhydra.la
+ $(top_builddir)/src/libhydra/libhydra.la \
+ $(top_builddir)/src/libcharon/libcharon.la
endif USE_ATTR_SQL
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index 4f753a0bb..b9557547a 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -109,7 +109,8 @@ am__pool_SOURCES_DIST = pool.c pool_attributes.c pool_attributes.h \
@USE_ATTR_SQL_TRUE@ pool_usage.$(OBJEXT)
pool_OBJECTS = $(am_pool_OBJECTS)
@USE_ATTR_SQL_TRUE@pool_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la \
+@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libcharon/libcharon.la
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
@@ -228,6 +229,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -288,10 +290,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -365,6 +369,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -430,11 +436,13 @@ xml_LIBS = @xml_LIBS@
@USE_ATTR_SQL_TRUE@AM_CPPFLAGS = \
@USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libstrongswan \
@USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libhydra \
+@USE_ATTR_SQL_TRUE@ -I$(top_srcdir)/src/libcharon \
@USE_ATTR_SQL_TRUE@ -DPLUGINS=\""${pool_plugins}\""
@USE_ATTR_SQL_TRUE@pool_LDADD = \
@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libstrongswan/libstrongswan.la \
-@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la
+@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libhydra/libhydra.la \
+@USE_ATTR_SQL_TRUE@ $(top_builddir)/src/libcharon/libcharon.la
templatesdir = $(pkgdatadir)/templates/database/sql
dist_templates_DATA = mysql.sql sqlite.sql
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index 7ee25c007..a02db98f2 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -198,6 +198,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -258,10 +259,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -335,6 +338,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index a8d45b54f..3a179af17 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2010-2013 Martin Willi, revosec AG
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
* HSR Hochschule für Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -54,32 +54,44 @@ static int client(char *address, u_int16_t port, char *identity)
{
pt_tls_client_t *assessment;
tls_t *tnccs;
- identification_t *server, *client;
- host_t *host;
+ identification_t *server_id, *client_id;
+ host_t *server_ip, *client_ip;
status_t status;
- host = host_create_from_dns(address, AF_UNSPEC, port);
- if (!host)
+ server_ip = host_create_from_dns(address, AF_UNSPEC, port);
+ if (!server_ip)
{
return 1;
}
- server = identification_create_from_string(address);
- client = identification_create_from_string(identity);
+
+ client_ip = host_create_any(server_ip->get_family(server_ip));
+ if (!client_ip)
+ {
+ server_ip->destroy(server_ip);
+ return 1;
+ }
+ server_id = identification_create_from_string(address);
+ client_id = identification_create_from_string(identity);
+
tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
- server, client, TNC_IFT_TLS_2_0, NULL);
+ server_id, client_id, server_ip, client_ip,
+ TNC_IFT_TLS_2_0, NULL);
+ client_ip->destroy(client_ip);
+
if (!tnccs)
{
fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);
- host->destroy(host);
- server->destroy(server);
- client->destroy(client);
+ server_ip->destroy(server_ip);
+ server_id->destroy(server_id);
+ client_id->destroy(client_id);
return 1;
}
- assessment = pt_tls_client_create(host, server, client);
+ assessment = pt_tls_client_create(server_ip, server_id, client_id);
status = assessment->run_assessment(assessment, (tnccs_t*)tnccs);
assessment->destroy(assessment);
tnccs->destroy(tnccs);
- return status;
+
+ return (status != SUCCESS);
}
@@ -258,6 +270,7 @@ int main(int argc, char *argv[])
{"port", required_argument, NULL, 'p' },
{"cert", required_argument, NULL, 'x' },
{"key", required_argument, NULL, 'k' },
+ {"mutual", no_argument, NULL, 'm' },
{"quiet", no_argument, NULL, 'q' },
{"debug", required_argument, NULL, 'd' },
{"optionsfrom", required_argument, NULL, '+' },
@@ -299,6 +312,10 @@ int main(int argc, char *argv[])
case 'p': /* --port <port> */
port = atoi(optarg);
continue;
+ case 'm': /* --mutual */
+ lib->settings->set_bool(lib->settings,
+ "%s.plugins.tnccs-20.mutual", TRUE, lib->ns);
+ continue;
case 'q': /* --quiet */
log_to_stderr = FALSE;
continue;
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 6a947efa6..bcc70cb1b 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -225,6 +225,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 88d362f6c..ee68adc21 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -271,6 +271,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -331,10 +332,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -408,6 +411,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/starter/cmp.c b/src/starter/cmp.c
index cea864a4a..aee55d94c 100644
--- a/src/starter/cmp.c
+++ b/src/starter/cmp.c
@@ -45,7 +45,7 @@ bool starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2)
VARCMP(mark_in.value);
VARCMP(mark_in.mask);
VARCMP(mark_out.value);
- VARCMP(mark_in.mask);
+ VARCMP(mark_out.mask);
VARCMP(tfc);
VARCMP(sa_keying_tries);
diff --git a/src/starter/parser/lexer.c b/src/starter/parser/lexer.c
index 157b89c31..cebf5a06c 100644
--- a/src/starter/parser/lexer.c
+++ b/src/starter/parser/lexer.c
@@ -456,8 +456,8 @@ static void yy_fatal_error (yyconst char msg[] ,yyscan_t yyscanner );
yyg->yy_c_buf_p = yy_cp;
/* %% [4.0] data tables for the DFA and the user's section 1 definitions go here */
-#define YY_NUM_RULES 28
-#define YY_END_OF_BUFFER 29
+#define YY_NUM_RULES 29
+#define YY_END_OF_BUFFER 30
/* This struct is not used in this scanner,
but its presence is necessary. */
struct yy_trans_info
@@ -465,34 +465,35 @@ struct yy_trans_info
flex_int32_t yy_verify;
flex_int32_t yy_nxt;
};
-static yyconst flex_int16_t yy_accept[81] =
+static yyconst flex_int16_t yy_accept[83] =
{ 0,
- 0, 0, 0, 0, 0, 0, 29, 12, 3, 5,
+ 0, 0, 0, 0, 0, 0, 30, 12, 3, 5,
11, 4, 6, 12, 12, 2, 12, 12, 17, 13,
- 14, 15, 27, 19, 18, 20, 12, 3, 4, 4,
- 0, 12, 2, 0, 9, 12, 12, 17, 16, 27,
- 26, 24, 25, 21, 22, 23, 12, 0, 12, 12,
- 12, 0, 12, 8, 12, 12, 0, 12, 12, 12,
- 0, 12, 12, 12, 0, 0, 12, 0, 0, 0,
- 12, 0, 1, 10, 10, 0, 0, 0, 7, 0
+ 14, 15, 28, 19, 18, 20, 12, 3, 4, 4,
+ 0, 12, 2, 0, 9, 12, 12, 17, 16, 28,
+ 27, 26, 27, 24, 25, 21, 22, 23, 12, 0,
+ 12, 12, 12, 0, 12, 8, 12, 12, 0, 12,
+ 12, 12, 0, 12, 12, 12, 0, 0, 12, 0,
+ 0, 0, 12, 0, 1, 10, 10, 0, 0, 0,
+ 7, 0
} ;
static yyconst flex_int32_t yy_ec[256] =
{ 0,
1, 1, 1, 1, 1, 1, 1, 1, 2, 3,
+ 1, 1, 4, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 5, 1, 6, 7, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 4, 1, 5, 6, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 8, 1, 1, 9, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 7, 1, 1, 8, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 9, 1, 1, 1, 1, 10, 11, 12, 13,
+ 1, 10, 1, 1, 1, 1, 11, 12, 13, 14,
- 14, 15, 16, 1, 17, 1, 1, 18, 1, 19,
- 20, 21, 1, 22, 23, 24, 25, 26, 1, 1,
- 1, 1, 1, 1, 27, 1, 1, 1, 1, 1,
+ 15, 16, 17, 1, 18, 1, 1, 19, 1, 20,
+ 21, 22, 1, 23, 24, 25, 26, 27, 1, 1,
+ 1, 1, 1, 1, 28, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
@@ -509,106 +510,110 @@ static yyconst flex_int32_t yy_ec[256] =
1, 1, 1, 1, 1
} ;
-static yyconst flex_int32_t yy_meta[28] =
+static yyconst flex_int32_t yy_meta[29] =
{ 0,
- 1, 2, 3, 2, 4, 2, 5, 1, 6, 1,
+ 1, 2, 3, 1, 2, 4, 2, 5, 1, 6,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1
+ 1, 1, 1, 1, 1, 1, 1, 1
} ;
-static yyconst flex_int16_t yy_base[92] =
+static yyconst flex_int16_t yy_base[94] =
{ 0,
- 0, 16, 41, 49, 6, 7, 141, 0, 23, 172,
- 172, 0, 172, 134, 120, 30, 20, 120, 0, 172,
- 172, 33, 0, 172, 172, 50, 0, 60, 0, 0,
- 0, 118, 69, 115, 0, 109, 105, 0, 172, 0,
- 172, 172, 172, 172, 172, 172, 76, 71, 16, 69,
- 66, 67, 72, 0, 71, 74, 69, 69, 64, 69,
- 62, 77, 61, 55, 60, 54, 94, 66, 64, 49,
- 100, 46, 172, 172, 74, 24, 16, 5, 172, 172,
- 107, 113, 119, 125, 131, 137, 142, 147, 153, 159,
- 165
+ 0, 17, 43, 52, 7, 26, 102, 0, 9, 189,
+ 189, 0, 189, 93, 79, 36, 10, 83, 0, 189,
+ 189, 59, 0, 189, 189, 85, 0, 32, 0, 0,
+ 0, 83, 65, 80, 0, 74, 70, 0, 189, 0,
+ 189, 189, 88, 189, 189, 189, 189, 189, 71, 63,
+ 31, 61, 58, 59, 64, 0, 63, 66, 61, 61,
+ 56, 60, 53, 64, 41, 10, 40, 32, 109, 66,
+ 49, 27, 116, 37, 189, 189, 71, 8, 2, 5,
+ 189, 189, 124, 130, 136, 142, 148, 154, 159, 164,
+ 170, 176, 182
} ;
-static yyconst flex_int16_t yy_def[92] =
+static yyconst flex_int16_t yy_def[94] =
{ 0,
- 81, 81, 82, 82, 83, 83, 80, 84, 80, 80,
- 80, 85, 80, 84, 84, 80, 84, 84, 86, 80,
- 80, 80, 87, 80, 80, 88, 84, 80, 85, 85,
- 84, 84, 80, 80, 84, 84, 84, 86, 80, 87,
- 80, 80, 80, 80, 80, 80, 84, 80, 84, 84,
- 84, 80, 84, 84, 84, 84, 80, 84, 84, 84,
- 80, 84, 84, 84, 80, 80, 89, 90, 91, 80,
- 89, 91, 80, 80, 90, 80, 80, 80, 80, 0,
- 80, 80, 80, 80, 80, 80, 80, 80, 80, 80,
- 80
+ 83, 83, 84, 84, 85, 85, 82, 86, 82, 82,
+ 82, 87, 82, 86, 86, 82, 86, 86, 88, 82,
+ 82, 82, 89, 82, 82, 90, 86, 82, 87, 87,
+ 86, 86, 82, 82, 86, 86, 86, 88, 82, 89,
+ 82, 82, 82, 82, 82, 82, 82, 82, 86, 82,
+ 86, 86, 86, 82, 86, 86, 86, 86, 82, 86,
+ 86, 86, 82, 86, 86, 86, 82, 82, 91, 92,
+ 93, 82, 91, 93, 82, 82, 92, 82, 82, 82,
+ 82, 0, 82, 82, 82, 82, 82, 82, 82, 82,
+ 82, 82, 82
} ;
-static yyconst flex_int16_t yy_nxt[200] =
+static yyconst flex_int16_t yy_nxt[218] =
{ 0,
- 80, 9, 10, 9, 11, 12, 13, 14, 24, 24,
- 25, 25, 80, 80, 26, 26, 15, 16, 10, 16,
- 11, 12, 13, 14, 28, 79, 28, 17, 29, 35,
- 53, 33, 15, 33, 54, 29, 39, 39, 39, 36,
- 78, 18, 20, 20, 20, 21, 20, 77, 73, 22,
- 20, 20, 20, 21, 20, 34, 68, 22, 68, 39,
- 42, 28, 76, 28, 43, 29, 73, 75, 44, 75,
- 33, 45, 33, 46, 29, 75, 70, 75, 69, 67,
- 66, 65, 64, 63, 62, 61, 60, 59, 58, 57,
- 56, 55, 52, 51, 34, 72, 73, 72, 72, 72,
-
- 72, 72, 73, 72, 72, 72, 72, 8, 8, 8,
- 8, 8, 8, 19, 19, 19, 19, 19, 19, 23,
- 23, 23, 23, 23, 23, 27, 50, 49, 48, 47,
- 27, 30, 30, 37, 30, 30, 30, 38, 32, 31,
- 80, 38, 40, 40, 80, 80, 40, 41, 41, 41,
- 41, 41, 41, 71, 71, 71, 71, 71, 71, 74,
- 74, 74, 74, 80, 74, 72, 72, 72, 72, 72,
- 72, 7, 80, 80, 80, 80, 80, 80, 80, 80,
- 80, 80, 80, 80, 80, 80, 80, 80, 80, 80,
- 80, 80, 80, 80, 80, 80, 80, 80, 80
-
+ 82, 9, 10, 82, 9, 11, 12, 13, 14, 24,
+ 28, 70, 25, 28, 70, 29, 26, 15, 16, 10,
+ 35, 16, 11, 12, 13, 14, 81, 80, 24, 17,
+ 36, 25, 79, 28, 15, 26, 28, 33, 29, 75,
+ 33, 78, 29, 18, 20, 20, 55, 20, 21, 20,
+ 56, 75, 22, 20, 20, 72, 20, 21, 20, 71,
+ 69, 22, 34, 39, 39, 39, 33, 77, 68, 33,
+ 77, 29, 77, 67, 66, 77, 65, 64, 63, 62,
+ 61, 60, 59, 58, 57, 54, 39, 42, 43, 53,
+ 42, 34, 52, 51, 50, 49, 44, 37, 32, 31,
+
+ 45, 82, 82, 82, 46, 82, 82, 47, 82, 48,
+ 74, 75, 82, 74, 74, 74, 74, 74, 75, 82,
+ 74, 74, 74, 74, 8, 8, 8, 8, 8, 8,
+ 19, 19, 19, 19, 19, 19, 23, 23, 23, 23,
+ 23, 23, 27, 82, 82, 82, 82, 27, 30, 30,
+ 82, 30, 30, 30, 38, 82, 82, 82, 38, 40,
+ 40, 82, 82, 40, 41, 41, 41, 41, 41, 41,
+ 73, 73, 73, 73, 73, 73, 76, 76, 76, 76,
+ 82, 76, 74, 74, 74, 74, 74, 74, 7, 82,
+ 82, 82, 82, 82, 82, 82, 82, 82, 82, 82,
+
+ 82, 82, 82, 82, 82, 82, 82, 82, 82, 82,
+ 82, 82, 82, 82, 82, 82, 82
} ;
-static yyconst flex_int16_t yy_chk[200] =
+static yyconst flex_int16_t yy_chk[218] =
{ 0,
- 0, 1, 1, 1, 1, 1, 1, 1, 5, 6,
- 5, 6, 0, 0, 5, 6, 1, 2, 2, 2,
- 2, 2, 2, 2, 9, 78, 9, 2, 9, 17,
- 49, 16, 2, 16, 49, 16, 22, 22, 22, 17,
- 77, 2, 3, 3, 3, 3, 3, 76, 72, 3,
- 4, 4, 4, 4, 4, 16, 64, 4, 64, 22,
- 26, 28, 70, 28, 26, 28, 69, 68, 26, 68,
- 33, 26, 33, 26, 33, 75, 66, 75, 65, 63,
- 62, 61, 60, 59, 58, 57, 56, 55, 53, 52,
- 51, 50, 48, 47, 33, 67, 67, 67, 67, 67,
-
- 67, 71, 71, 71, 71, 71, 71, 81, 81, 81,
- 81, 81, 81, 82, 82, 82, 82, 82, 82, 83,
- 83, 83, 83, 83, 83, 84, 37, 36, 34, 32,
- 84, 85, 85, 18, 85, 85, 85, 86, 15, 14,
- 7, 86, 87, 87, 0, 0, 87, 88, 88, 88,
- 88, 88, 88, 89, 89, 89, 89, 89, 89, 90,
- 90, 90, 90, 0, 90, 91, 91, 91, 91, 91,
- 91, 80, 80, 80, 80, 80, 80, 80, 80, 80,
- 80, 80, 80, 80, 80, 80, 80, 80, 80, 80,
- 80, 80, 80, 80, 80, 80, 80, 80, 80
-
+ 0, 1, 1, 0, 1, 1, 1, 1, 1, 5,
+ 9, 66, 5, 9, 66, 9, 5, 1, 2, 2,
+ 17, 2, 2, 2, 2, 2, 80, 79, 6, 2,
+ 17, 6, 78, 28, 2, 6, 28, 16, 28, 74,
+ 16, 72, 16, 2, 3, 3, 51, 3, 3, 3,
+ 51, 71, 3, 4, 4, 68, 4, 4, 4, 67,
+ 65, 4, 16, 22, 22, 22, 33, 70, 64, 33,
+ 70, 33, 77, 63, 62, 77, 61, 60, 59, 58,
+ 57, 55, 54, 53, 52, 50, 22, 26, 26, 49,
+ 43, 33, 37, 36, 34, 32, 26, 18, 15, 14,
+
+ 26, 7, 0, 0, 26, 0, 0, 26, 0, 26,
+ 69, 69, 0, 69, 69, 69, 69, 73, 73, 0,
+ 73, 73, 73, 73, 83, 83, 83, 83, 83, 83,
+ 84, 84, 84, 84, 84, 84, 85, 85, 85, 85,
+ 85, 85, 86, 0, 0, 0, 0, 86, 87, 87,
+ 0, 87, 87, 87, 88, 0, 0, 0, 88, 89,
+ 89, 0, 0, 89, 90, 90, 90, 90, 90, 90,
+ 91, 91, 91, 91, 91, 91, 92, 92, 92, 92,
+ 0, 92, 93, 93, 93, 93, 93, 93, 82, 82,
+ 82, 82, 82, 82, 82, 82, 82, 82, 82, 82,
+
+ 82, 82, 82, 82, 82, 82, 82, 82, 82, 82,
+ 82, 82, 82, 82, 82, 82, 82
} ;
/* Table of booleans, true if rule could match eol. */
-static yyconst flex_int32_t yy_rule_can_match_eol[29] =
+static yyconst flex_int32_t yy_rule_can_match_eol[30] =
{ 0,
0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1,
- 1, 0, 0, 0, 0, 0, 1, 0, 0, };
+ 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, };
-static yyconst flex_int16_t yy_rule_linenum[28] =
+static yyconst flex_int16_t yy_rule_linenum[29] =
{ 0,
60, 61, 62, 63, 65, 67, 68, 69, 70, 72,
77, 82, 90, 109, 112, 115, 118, 124, 126, 127,
- 150, 151, 152, 153, 154, 155, 158
+ 150, 151, 152, 153, 154, 155, 156, 157
} ;
/* The intent behind this definition is that it'll catch
@@ -657,7 +662,7 @@ static void include_files(parser_helper_t *ctx);
/* state used to scan quoted strings */
-#line 661 "parser/lexer.c"
+#line 666 "parser/lexer.c"
#define INITIAL 0
#define inc 1
@@ -972,7 +977,7 @@ YY_DECL
#line 58 "parser/lexer.l"
-#line 976 "parser/lexer.c"
+#line 981 "parser/lexer.c"
yylval = yylval_param;
@@ -1038,13 +1043,13 @@ yy_match:
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 81 )
+ if ( yy_current_state >= 83 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
++yy_cp;
}
- while ( yy_base[yy_current_state] != 172 );
+ while ( yy_base[yy_current_state] != 189 );
yy_find_action:
/* %% [10.0] code to find the action number goes here */
@@ -1079,13 +1084,13 @@ do_action: /* This label is used only to access EOF actions. */
{
if ( yy_act == 0 )
fprintf( stderr, "--scanner backing up\n" );
- else if ( yy_act < 28 )
+ else if ( yy_act < 29 )
fprintf( stderr, "--accepting rule at line %ld (\"%s\")\n",
(long)yy_rule_linenum[yy_act], yytext );
- else if ( yy_act == 28 )
+ else if ( yy_act == 29 )
fprintf( stderr, "--accepting default rule (\"%s\")\n",
yytext );
- else if ( yy_act == 29 )
+ else if ( yy_act == 30 )
fprintf( stderr, "--(end of buffer or a NUL)\n" );
else
fprintf( stderr, "--EOF (start condition %d)\n", YY_START );
@@ -1300,20 +1305,23 @@ case 26:
/* rule 26 can match eol */
YY_RULE_SETUP
#line 155 "parser/lexer.l"
-{
- yyextra->string_add(yyextra, yytext+1);
- }
+/* merge lines that end with EOL characters */
YY_BREAK
case 27:
YY_RULE_SETUP
-#line 158 "parser/lexer.l"
+#line 156 "parser/lexer.l"
+yyextra->string_add(yyextra, yytext+1);
+ YY_BREAK
+case 28:
+YY_RULE_SETUP
+#line 157 "parser/lexer.l"
{
yyextra->string_add(yyextra, yytext);
}
YY_BREAK
case YY_STATE_EOF(INITIAL):
-#line 163 "parser/lexer.l"
+#line 162 "parser/lexer.l"
{
conf_parser_pop_buffer_state(yyscanner);
if (!conf_parser_open_next_file(yyextra) && !YY_CURRENT_BUFFER)
@@ -1322,12 +1330,12 @@ case YY_STATE_EOF(INITIAL):
}
}
YY_BREAK
-case 28:
+case 29:
YY_RULE_SETUP
-#line 171 "parser/lexer.l"
+#line 170 "parser/lexer.l"
YY_FATAL_ERROR( "flex scanner jammed" );
YY_BREAK
-#line 1331 "parser/lexer.c"
+#line 1339 "parser/lexer.c"
case YY_END_OF_BUFFER:
{
@@ -1641,7 +1649,7 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 81 )
+ if ( yy_current_state >= 83 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
@@ -1675,11 +1683,11 @@ static int yy_get_next_buffer (yyscan_t yyscanner)
while ( yy_chk[yy_base[yy_current_state] + yy_c] != yy_current_state )
{
yy_current_state = (int) yy_def[yy_current_state];
- if ( yy_current_state >= 81 )
+ if ( yy_current_state >= 83 )
yy_c = yy_meta[(unsigned int) yy_c];
}
yy_current_state = yy_nxt[yy_base[yy_current_state] + (unsigned int) yy_c];
- yy_is_jam = (yy_current_state == 80);
+ yy_is_jam = (yy_current_state == 82);
return yy_is_jam ? 0 : yy_current_state;
}
@@ -2697,7 +2705,7 @@ void conf_parser_free (void * ptr , yyscan_t yyscanner)
/* %ok-for-header */
-#line 171 "parser/lexer.l"
+#line 170 "parser/lexer.l"
diff --git a/src/starter/parser/lexer.l b/src/starter/parser/lexer.l
index a88cbe809..d967e745b 100644
--- a/src/starter/parser/lexer.l
+++ b/src/starter/parser/lexer.l
@@ -152,9 +152,8 @@ static void include_files(parser_helper_t *ctx);
\\t yyextra->string_add(yyextra, "\t");
\\b yyextra->string_add(yyextra, "\b");
\\f yyextra->string_add(yyextra, "\f");
- \\(.|\n) {
- yyextra->string_add(yyextra, yytext+1);
- }
+ \\\r?\n /* merge lines that end with EOL characters */
+ \\. yyextra->string_add(yyextra, yytext+1);
[^\\\n"]+ {
yyextra->string_add(yyextra, yytext);
}
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 1e305db8b..6e1f1605d 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -35,10 +35,16 @@ static char* push_string(stroke_msg_t *msg, char *string)
{
unsigned long string_start = msg->length;
- if (string == NULL || msg->length + strlen(string) >= sizeof(stroke_msg_t))
+ if (string == NULL)
{
return NULL;
}
+ else if ((size_t)msg->length + strlen(string) >= sizeof(stroke_msg_t))
+ {
+ /* set invalid length to fail during message send */
+ msg->length = ~0;
+ return NULL;
+ }
else
{
msg->length += strlen(string) + 1;
@@ -53,6 +59,12 @@ static int send_stroke_msg (stroke_msg_t *msg)
char *uri, buffer[64];
int count;
+ if (msg->length > sizeof(stroke_msg_t))
+ {
+ DBG1(DBG_APP, "stroke message exceeds buffer size");
+ return -1;
+ }
+
/* starter is not called from commandline, and therefore absolutely silent */
msg->output_verbosity = -1;
diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in
index d42a0d286..b26125501 100644
--- a/src/starter/tests/Makefile.in
+++ b/src/starter/tests/Makefile.in
@@ -223,6 +223,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -283,10 +284,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -360,6 +363,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 9c041dfbf..c32ebf905 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -197,6 +197,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -257,10 +258,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -334,6 +337,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 60886cf7f..c2b923f6d 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -32,7 +32,7 @@
*/
#define STROKE_SOCKET IPSEC_PIDDIR "/charon.ctl"
-#define STROKE_BUF_LEN 2048
+#define STROKE_BUF_LEN 4096
typedef enum list_flag_t list_flag_t;
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index b84d70587..f4f9fdf7e 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -65,4 +65,5 @@ install-data-local: swanctl.conf
test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
+ test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index 649e6d8ae..f981bb1f3 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -238,6 +238,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -298,10 +299,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -375,6 +378,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -991,6 +996,7 @@ install-data-local: swanctl.conf
test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
test -e "$(DESTDIR)$(swanctldir)/pkcs8" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs8" || true
+ test -e "$(DESTDIR)$(swanctldir)/pkcs12" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/pkcs12" || true
test -e "$(DESTDIR)$(swanctldir)/swanctl.conf" || $(INSTALL) -m 640 $(srcdir)/swanctl.conf $(DESTDIR)$(swanctldir)/swanctl.conf || true
# Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/src/swanctl/commands/list_conns.c b/src/swanctl/commands/list_conns.c
index 31ab9c40a..019c88888 100644
--- a/src/swanctl/commands/list_conns.c
+++ b/src/swanctl/commands/list_conns.c
@@ -103,7 +103,7 @@ CALLBACK(conn_sn, int,
{
return vici_parse_cb(res, children_sn, NULL, NULL, NULL);
}
- if (streq(name, "local") || streq(name, "remote"))
+ if (strpfx(name, "local") || strpfx(name, "remote"))
{
hashtable_t *auth;
@@ -112,7 +112,8 @@ CALLBACK(conn_sn, int,
if (ret == 0)
{
printf(" %s %s authentication:\n",
- name, auth->get(auth, "class") ?: "unspecified");
+ strpfx(name, "local") ? "local" : "remote",
+ auth->get(auth, "class") ?: "unspecified");
if (auth->get(auth, "id"))
{
printf(" id: %s\n", auth->get(auth, "id"));
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index 35e7469a9..81e1b7cca 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -86,8 +86,8 @@ CALLBACK(child_sas, int,
ret = vici_parse_cb(res, NULL, sa_values, sa_list, child);
if (ret == 0)
{
- printf(" %s: #%s, %s, %s%s, %s:",
- name, child->get(child, "reqid"),
+ printf(" %s: #%s, reqid %s, %s, %s%s, %s:",
+ name, child->get(child, "uniqueid"), child->get(child, "reqid"),
child->get(child, "state"), child->get(child, "mode"),
child->get(child, "encap") ? "-in-UDP" : "",
child->get(child, "protocol"));
@@ -122,7 +122,7 @@ CALLBACK(child_sas, int,
}
if (child->get(child, "esn"))
{
- printf("/%s", child->get(child, "esn"));
+ printf("/ESN");
}
printf("\n");
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index de30d8eb4..6ee8b8785 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -93,11 +93,12 @@ static void add_list_key(vici_req_t *req, char *key, char *value)
/**
* Add a vici list of blobs from a comma separated file list
*/
-static void add_file_list_key(vici_req_t *req, char *key, char *value)
+static bool add_file_list_key(vici_req_t *req, char *key, char *value)
{
enumerator_t *enumerator;
chunk_t *map;
char *token, buf[PATH_MAX];
+ bool ret = TRUE;
vici_begin_list(req, key);
enumerator = enumerator_create_token(value, ",", " ");
@@ -127,21 +128,26 @@ static void add_file_list_key(vici_req_t *req, char *key, char *value)
}
else
{
- fprintf(stderr, "loading certificate '%s' failed: %s\n",
- token, strerror(errno));
+ fprintf(stderr, "loading %s certificate '%s' failed: %s\n",
+ key, token, strerror(errno));
+ ret = FALSE;
+ break;
}
}
enumerator->destroy(enumerator);
vici_end_list(req);
+
+ return ret;
}
/**
* Translate setting key/values from a section into vici key-values/lists
*/
-static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
+static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
{
enumerator_t *enumerator;
char *key, *value;
+ bool ret = TRUE;
enumerator = cfg->create_key_value_enumerator(cfg, section);
while (enumerator->enumerate(enumerator, &key, &value))
@@ -152,34 +158,51 @@ static void add_key_values(vici_req_t *req, settings_t *cfg, char *section)
}
else if (is_file_list_key(key))
{
- add_file_list_key(req, key, value);
+ ret = add_file_list_key(req, key, value);
}
else
{
vici_add_key_valuef(req, key, "%s", value);
}
+ if (!ret)
+ {
+ break;
+ }
}
enumerator->destroy(enumerator);
+
+ return ret;
}
/**
* Translate a settings section to a vici section
*/
-static void add_sections(vici_req_t *req, settings_t *cfg, char *section)
+static bool add_sections(vici_req_t *req, settings_t *cfg, char *section)
{
enumerator_t *enumerator;
char *name, buf[256];
+ bool ret = TRUE;
enumerator = cfg->create_section_enumerator(cfg, section);
while (enumerator->enumerate(enumerator, &name))
{
vici_begin_section(req, name);
snprintf(buf, sizeof(buf), "%s.%s", section, name);
- add_key_values(req, cfg, buf);
- add_sections(req, cfg, buf);
+ ret = add_key_values(req, cfg, buf);
+ if (!ret)
+ {
+ break;
+ }
+ ret = add_sections(req, cfg, buf);
+ if (!ret)
+ {
+ break;
+ }
vici_end_section(req);
}
enumerator->destroy(enumerator);
+
+ return ret;
}
/**
@@ -198,8 +221,12 @@ static bool load_conn(vici_conn_t *conn, settings_t *cfg,
req = vici_begin("load-conn");
vici_begin_section(req, section);
- add_key_values(req, cfg, buf);
- add_sections(req, cfg, buf);
+ if (!add_key_values(req, cfg, buf) ||
+ !add_sections(req, cfg, buf))
+ {
+ vici_free_req(req);
+ return FALSE;
+ }
vici_end_section(req);
res = vici_submit(req, conn);
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 86ee3c179..d2ebc22eb 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -25,6 +25,7 @@
#include <credentials/sets/mem_cred.h>
#include <credentials/sets/callback_cred.h>
+#include <credentials/containers/pkcs12.h>
/**
* Load a single certificate over vici
@@ -60,7 +61,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
}
else
{
- printf("loaded %s certificate '%s'\n", type, dir);
+ printf("loaded %s certificate from '%s'\n", type, dir);
}
vici_free_res(res);
return ret;
@@ -113,7 +114,14 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
req = vici_begin("load-key");
- vici_add_key_valuef(req, "type", "%s", type);
+ if (streq(type, "pkcs8"))
+ { /* as used by vici */
+ vici_add_key_valuef(req, "type", "any");
+ }
+ else
+ {
+ vici_add_key_valuef(req, "type", "%s", type);
+ }
vici_add_key_value(req, "data", data.ptr, data.len);
res = vici_submit(req, conn);
@@ -135,20 +143,59 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
}
else
{
- printf("loaded %s key '%s'\n", type, dir);
+ printf("loaded %s key from '%s'\n", type, dir);
}
vici_free_res(res);
return ret;
}
/**
+ * Load a private key of any type to vici
+ */
+static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
+ char *path, private_key_t *private)
+{
+ bool loaded = FALSE;
+ chunk_t encoding;
+
+ if (!private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
+ {
+ fprintf(stderr, "encoding private key from '%s' failed\n", path);
+ return FALSE;
+ }
+ switch (private->get_type(private))
+ {
+ case KEY_RSA:
+ loaded = load_key(conn, format, path, "rsa", encoding);
+ break;
+ case KEY_ECDSA:
+ loaded = load_key(conn, format, path, "ecdsa", encoding);
+ break;
+ default:
+ fprintf(stderr, "unsupported key type in '%s'\n", path);
+ break;
+ }
+ chunk_clear(&encoding);
+ return loaded;
+}
+
+/**
+ * Data passed to password callback
+ */
+typedef struct {
+ char prompt[128];
+ mem_cred_t *cache;
+} cb_data_t;
+
+/**
* Callback function to prompt for private key passwords
*/
CALLBACK(password_cb, shared_key_t*,
- char *prompt, shared_key_type_t type,
+ cb_data_t *data, shared_key_type_t type,
identification_t *me, identification_t *other,
id_match_t *match_me, id_match_t *match_other)
{
+ shared_key_t *shared;
char *pwd = NULL;
if (type != SHARED_PRIVATE_KEY_PASS)
@@ -156,7 +203,7 @@ CALLBACK(password_cb, shared_key_t*,
return NULL;
}
#ifdef HAVE_GETPASS
- pwd = getpass(prompt);
+ pwd = getpass(data->prompt);
#endif
if (!pwd || strlen(pwd) == 0)
{
@@ -170,65 +217,94 @@ CALLBACK(password_cb, shared_key_t*,
{
*match_other = ID_MATCH_PERFECT;
}
- return shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
+ shared = shared_key_create(type, chunk_clone(chunk_from_str(pwd)));
+ /* cache secret if it is required more than once (PKCS#12) */
+ data->cache->add_shared(data->cache, shared, NULL);
+ return shared->get_ref(shared);
}
/**
- * Try to parse a potentially encrypted private key using password prompt
+ * Determine credential type and subtype from a type string
*/
-static private_key_t* decrypt_key(char *name, char *type, chunk_t encoding)
+static bool determine_credtype(char *type, credential_type_t *credtype,
+ int *subtype)
{
- key_type_t kt = KEY_ANY;
- private_key_t *private;
- callback_cred_t *cb;
- char buf[128];
+ struct {
+ char *type;
+ credential_type_t credtype;
+ int subtype;
+ } map[] = {
+ { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, },
+ { "rsa", CRED_PRIVATE_KEY, KEY_RSA, },
+ { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, },
+ { "pkcs12", CRED_CONTAINER, CONTAINER_PKCS12, },
+ };
+ int i;
- if (streq(type, "rsa"))
+ for (i = 0; i < countof(map); i++)
{
- kt = KEY_RSA;
+ if (streq(map[i].type, type))
+ {
+ *credtype = map[i].credtype;
+ *subtype = map[i].subtype;
+ return TRUE;
+ }
}
- else if (streq(type, "ecdsa"))
+ return FALSE;
+}
+
+/**
+ * Try to parse a potentially encrypted credential using password prompt
+ */
+static void* decrypt(char *name, char *type, chunk_t encoding)
+{
+ credential_type_t credtype;
+ int subtype;
+ void *cred;
+ callback_cred_t *cb;
+ cb_data_t data;
+
+ if (!determine_credtype(type, &credtype, &subtype))
{
- kt = KEY_ECDSA;
+ return NULL;
}
- snprintf(buf, sizeof(buf), "Password for '%s': ", name);
+ snprintf(data.prompt, sizeof(data.prompt), "Password for %s file '%s': ",
+ type, name);
- cb = callback_cred_create_shared(password_cb, buf);
+ data.cache = mem_cred_create();
+ lib->credmgr->add_set(lib->credmgr, &data.cache->set);
+ cb = callback_cred_create_shared(password_cb, &data);
lib->credmgr->add_set(lib->credmgr, &cb->set);
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
- BUILD_BLOB_PEM, encoding, BUILD_END);
+ cred = lib->creds->create(lib->creds, credtype, subtype,
+ BUILD_BLOB_PEM, encoding, BUILD_END);
+ lib->credmgr->remove_set(lib->credmgr, &data.cache->set);
+ data.cache->destroy(data.cache);
lib->credmgr->remove_set(lib->credmgr, &cb->set);
cb->destroy(cb);
- return private;
+ return cred;
}
/**
- * Try to parse a potentially encrypted private key using configured secret
+ * Try to parse a potentially encrypted credential using configured secret
*/
-static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name,
- char *type, chunk_t encoding)
-{ key_type_t kt = KEY_ANY;
+static void* decrypt_with_config(settings_t *cfg, char *name, char *type,
+ chunk_t encoding)
+{
+ credential_type_t credtype;
+ int subtype;
enumerator_t *enumerator, *secrets;
char *section, *key, *value, *file, buf[128];
shared_key_t *shared;
- private_key_t *private = NULL;
+ void *cred = NULL;
mem_cred_t *mem = NULL;
- if (streq(type, "rsa"))
- {
- kt = KEY_RSA;
- }
- else if (streq(type, "ecdsa"))
- {
- kt = KEY_ECDSA;
- }
- else
+ if (!determine_credtype(type, &credtype, &subtype))
{
- type = "pkcs8";
+ return NULL;
}
/* load all secrets for this key type */
@@ -265,12 +341,12 @@ static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name,
{
lib->credmgr->add_local_set(lib->credmgr, &mem->set, FALSE);
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, kt,
- BUILD_BLOB_PEM, encoding, BUILD_END);
+ cred = lib->creds->create(lib->creds, credtype, subtype,
+ BUILD_BLOB_PEM, encoding, BUILD_END);
lib->credmgr->remove_local_set(lib->credmgr, &mem->set);
- if (!private)
+ if (!cred)
{
fprintf(stderr, "configured decryption secret for '%s' invalid\n",
name);
@@ -279,7 +355,7 @@ static private_key_t* decrypt_key_with_config(settings_t *cfg, char *name,
mem->destroy(mem);
}
- return private;
+ return cred;
}
/**
@@ -292,30 +368,15 @@ static bool load_encrypted_key(vici_conn_t *conn,
{
private_key_t *private;
bool loaded = FALSE;
- chunk_t encoding;
- private = decrypt_key_with_config(cfg, rel, type, data);
+ private = decrypt_with_config(cfg, rel, type, data);
if (!private && !noprompt)
{
- private = decrypt_key(rel, type, data);
+ private = decrypt(rel, type, data);
}
if (private)
{
- if (private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
- {
- switch (private->get_type(private))
- {
- case KEY_RSA:
- loaded = load_key(conn, format, path, "rsa", encoding);
- break;
- case KEY_ECDSA:
- loaded = load_key(conn, format, path, "ecdsa", encoding);
- break;
- default:
- break;
- }
- chunk_clear(&encoding);
- }
+ loaded = load_key_anytype(conn, format, path, private);
private->destroy(private);
}
return loaded;
@@ -361,6 +422,114 @@ static void load_keys(vici_conn_t *conn, command_format_options_t format,
}
/**
+ * Load credentials from a PKCS#12 container over vici
+ */
+static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
+ char *path, pkcs12_t *p12)
+{
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ private_key_t *private;
+ chunk_t encoding;
+ bool loaded = TRUE;
+
+ enumerator = p12->create_cert_enumerator(p12);
+ while (loaded && enumerator->enumerate(enumerator, &cert))
+ {
+ loaded = FALSE;
+ if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
+ {
+ loaded = load_cert(conn, format, path, "x509", encoding);
+ if (loaded)
+ {
+ fprintf(stderr, " %Y\n", cert->get_subject(cert));
+ }
+ free(encoding.ptr);
+ }
+ else
+ {
+ fprintf(stderr, "encoding certificate from '%s' failed\n", path);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = p12->create_key_enumerator(p12);
+ while (loaded && enumerator->enumerate(enumerator, &private))
+ {
+ loaded = load_key_anytype(conn, format, path, private);
+ }
+ enumerator->destroy(enumerator);
+
+ return loaded;
+}
+
+/**
+ * Try to decrypt and load credentials from a container
+ */
+static bool load_encrypted_container(vici_conn_t *conn,
+ command_format_options_t format, settings_t *cfg, char *rel,
+ char *path, char *type, bool noprompt, chunk_t data)
+{
+ container_t *container;
+ bool loaded = FALSE;
+
+ container = decrypt_with_config(cfg, rel, type, data);
+ if (!container && !noprompt)
+ {
+ container = decrypt(rel, type, data);
+ }
+ if (container)
+ {
+ switch (container->get_type(container))
+ {
+ case CONTAINER_PKCS12:
+ loaded = load_pkcs12(conn, format, path, (pkcs12_t*)container);
+ break;
+ default:
+ break;
+ }
+ container->destroy(container);
+ }
+ return loaded;
+}
+
+/**
+ * Load credential containers from a directory
+ */
+static void load_containers(vici_conn_t *conn, command_format_options_t format,
+ bool noprompt, settings_t *cfg, char *type, char *dir)
+{
+ enumerator_t *enumerator;
+ struct stat st;
+ chunk_t *map;
+ char *path, *rel;
+
+ enumerator = enumerator_create_directory(dir);
+ if (enumerator)
+ {
+ while (enumerator->enumerate(enumerator, &rel, &path, &st))
+ {
+ if (S_ISREG(st.st_mode))
+ {
+ map = chunk_map(path, FALSE);
+ if (map)
+ {
+ load_encrypted_container(conn, format, cfg, rel, path,
+ type, noprompt, *map);
+ chunk_unmap(map);
+ }
+ else
+ {
+ fprintf(stderr, "mapping '%s' failed: %s, skipped\n",
+ path, strerror(errno));
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+}
+
+/**
* Load a single secret over VICI
*/
static bool load_secret(vici_conn_t *conn, settings_t *cfg,
@@ -380,6 +549,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
"rsa",
"ecdsa",
"pkcs8",
+ "pkcs12",
};
for (i = 0; i < countof(types); i++)
@@ -510,7 +680,9 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
- load_keys(conn, format, noprompt, cfg, "any", SWANCTL_PKCS8DIR);
+ load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
+
+ load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
enumerator = cfg->create_section_enumerator(cfg, "secrets");
while (enumerator->enumerate(enumerator, &section))
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index 0808cf58b..faafecc44 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -286,6 +286,18 @@
# }
+ # PKCS#12 decryption passphrase for a container in the pkcs12 folder.
+ # pkcs12<suffix> {
+
+ # File name in the pkcs12 folder for which this passphrase should be
+ # used.
+ # file =
+
+ # Value of decryption passphrase for PKCS#12 container.
+ # secret =
+
+ # }
+
# }
# Section defining named pools.
@@ -294,7 +306,7 @@
# Section defining a single pool with a unique name.
# <name> {
- # Subnet defining addresses allocated in pool.
+ # Addresses allocated in pool.
# addrs =
# Comma separated list of additional attributes from type <attr>.
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 8943b62db..a770b28b1 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -251,7 +251,12 @@ performs a reauthentication procedure instead.
With the default value IKE rekeying is scheduled every 4 hours, minus the
configured
.RB "" "rand_time" "."
-
+If a
+.RB "" "reauth_time" ""
+is configured,
+.RB "" "rekey_time" ""
+defaults to zero disabling rekeying; explicitly set both to enforce rekeying and
+reauthentication.
.TP
.BR connections.<conn>.over_time " [10% of rekey_time/reauth_time]"
@@ -363,6 +368,37 @@ IKE identity to use for authentication round. When using certificate
authentication, the IKE identity must be contained in the certificate, either as
subject or as subjectAltName.
+The identity can be an IP address, a fully\-qualified domain name, an email
+address or a Distinguished Name for which the ID type is determined
+automatically and the string is converted to the appropriate encoding. To
+enforce a specific identity type, a prefix may be used, followed by a colon (:).
+If the number sign (#) follows the colon, the remaining data is interpreted as
+hex encoding, otherwise the string is used as\-is as the identification data.
+Note that this implies that no conversion is performed for non\-string
+identities. For example,
+.RI "" "ipv4:10.0.0.1" ""
+does not create a valid ID_IPV4_ADDR
+IKE identity, as it does not get converted to binary 0x0a000001. Instead, one
+could use
+.RI "" "ipv4:#0a000001" ""
+to get a valid identity, but just using the implicit
+type with automatic conversion is usually simpler. The same applies to the ASN1
+encoded types. The following prefixes are known:
+.RI "" "ipv4" ","
+.RI "" "ipv6" ","
+.RI "" "rfc822" ","
+.RI "" "email" ","
+.RI "" "userfqdn" ","
+.RI "" "fqdn" ","
+.RI "" "dns" ","
+.RI "" "asn1dn" ","
+.RI "" "asn1gn" ""
+and
+.RI "" "keyid" "."
+Custom type
+prefixes may be specified by surrounding the numerical type value by curly
+brackets.
+
.TP
.BR connections.<conn>.local<suffix>.eap_id " [id]"
Client EAP\-Identity to use in EAP\-Identity exchange and the EAP method.
@@ -397,9 +433,10 @@ omitted.
.TP
.BR connections.<conn>.remote<suffix>.id " [%any]"
-IKE identity to expect for authentication round. When using certificate
-authentication, the IKE identity must be contained in the certificate, either as
-subject or as subjectAltName.
+IKE identity to expect for authentication round. Refer to the
+.RI "" "local" ""
+.RI "" "id" ""
+section for details.
.TP
.BR connections.<conn>.remote<suffix>.groups " []"
@@ -725,9 +762,11 @@ uses dynamic reqids, allocated incrementally.
.TP
.BR connections.<conn>.children.<child>.mark_in " [0/0x00000000]"
-Netfilter mark and mask for input traffic. On Linux Netfilter may apply marks to
-each packet coming from a tunnel having that option set. The mark may then be
-used by Netfilter to match rules.
+Netfilter mark and mask for input traffic. On Linux Netfilter may require marks
+on each packet to match an SA having that option set. This allows Netfilter
+rules to select specific tunnels for incoming traffic. The special value
+.RI "" "%unique" ""
+sets a unique mark on each CHILD_SA instance.
An additional mask may be appended to the mark, separated by _/_. The default
mask if omitted is 0xffffffff.
@@ -736,7 +775,9 @@ mask if omitted is 0xffffffff.
.BR connections.<conn>.children.<child>.mark_out " [0/0x00000000]"
Netfilter mark and mask for output traffic. On Linux Netfilter may require marks
on each packet to match a policy having that option set. This allows Netfilter
-rules to select specific tunnels for outgoing traffic.
+rules to select specific tunnels for outgoing traffic. The special value
+.RI "" "%unique" ""
+sets a unique mark on each CHILD_SA instance.
An additional mask may be appended to the mark, separated by _/_. The default
mask if omitted is 0xffffffff.
@@ -925,6 +966,23 @@ folder for which this passphrase should be used.
Value of decryption passphrase for PKCS#8 key.
.TP
+.B secrets.pkcs12<suffix>
+.br
+PKCS#12 decryption passphrase for a container in the
+.RI "" "pkcs12" ""
+folder.
+
+.TP
+.BR secrets.pkcs12<suffix>.file " []"
+File name in the
+.RI "" "pkcs12" ""
+folder for which this passphrase should be used.
+
+.TP
+.BR secrets.pkcs12<suffix>.secret " []"
+Value of decryption passphrase for PKCS#12 container.
+
+.TP
.B pools
.br
Section defining named pools. Named pools may be referenced by connections with
@@ -939,9 +997,9 @@ Section defining a single pool with a unique name.
.TP
.BR pools.<name>.addrs " []"
-Subnet defining addresses allocated in pool. Accepts a single CIDR subnet
-defining the pool to allocate addresses from. Pools must be unique and
-non\-overlapping.
+Subnet or range defining addresses allocated in pool. Accepts a single CIDR
+subnet defining the pool to allocate addresses from, or an address range
+(<from>\-<to>). Pools must be unique and non\-overlapping.
.TP
.BR pools.<name>.<attr> " []"
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index bd7e00378..cb570cd34 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -66,4 +66,9 @@
*/
#define SWANCTL_PKCS8DIR SWANCTLDIR "/pkcs8"
+/**
+ * Directory for PKCS#12 containers
+ */
+#define SWANCTL_PKCS12DIR SWANCTLDIR "/pkcs12"
+
#endif /** SWANCTL_H_ @}*/
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index f1e47a9e4..b6ef17546 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -220,7 +220,9 @@ connections.<conn>.rekey_time = 4h
IKEv1 performs a reauthentication procedure instead.
With the default value IKE rekeying is scheduled every 4 hours, minus the
- configured **rand_time**.
+ configured **rand_time**. If a **reauth_time** is configured, **rekey_time**
+ defaults to zero disabling rekeying; explicitly set both to enforce
+ rekeying and reauthentication.
connections.<conn>.over_time = 10% of rekey_time/reauth_time
Hard IKE_SA lifetime if rekey/reauth does not complete, as time.
@@ -303,6 +305,22 @@ connections.<conn>.local<suffix>.id =
authentication, the IKE identity must be contained in the certificate,
either as subject or as subjectAltName.
+ The identity can be an IP address, a fully-qualified domain name, an email
+ address or a Distinguished Name for which the ID type is determined
+ automatically and the string is converted to the appropriate encoding. To
+ enforce a specific identity type, a prefix may be used, followed by a colon
+ (:). If the number sign (#) follows the colon, the remaining data is
+ interpreted as hex encoding, otherwise the string is used as-is as the
+ identification data. Note that this implies that no conversion is performed
+ for non-string identities. For example, _ipv4:10.0.0.1_ does not create a
+ valid ID_IPV4_ADDR IKE identity, as it does not get converted to binary
+ 0x0a000001. Instead, one could use _ipv4:#0a000001_ to get a valid identity,
+ but just using the implicit type with automatic conversion is usually
+ simpler. The same applies to the ASN1 encoded types. The following prefixes
+ are known: _ipv4_, _ipv6_, _rfc822_, _email_, _userfqdn_, _fqdn_, _dns_,
+ _asn1dn_, _asn1gn_ and _keyid_. Custom type prefixes may be specified by
+ surrounding the numerical type value by curly brackets.
+
connections.<conn>.local<suffix>.eap_id = id
Client EAP-Identity to use in EAP-Identity exchange and the EAP method.
@@ -335,9 +353,8 @@ connections.<conn>.remote<suffix> {}
connections.<conn>.remote<suffix>.id = %any
IKE identity to expect for authentication round.
- IKE identity to expect for authentication round. When using certificate
- authentication, the IKE identity must be contained in the certificate,
- either as subject or as subjectAltName.
+ IKE identity to expect for authentication round. Refer to the _local_ _id_
+ section for details.
connections.<conn>.remote<suffix>.groups =
Authorization group memberships to require.
@@ -607,9 +624,10 @@ connections.<conn>.children.<child>.reqid = 0
connections.<conn>.children.<child>.mark_in = 0/0x00000000
Netfilter mark and mask for input traffic.
- Netfilter mark and mask for input traffic. On Linux Netfilter may apply
- marks to each packet coming from a tunnel having that option set. The
- mark may then be used by Netfilter to match rules.
+ Netfilter mark and mask for input traffic. On Linux Netfilter may require
+ marks on each packet to match an SA having that option set. This allows
+ Netfilter rules to select specific tunnels for incoming traffic. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance.
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
@@ -619,7 +637,8 @@ connections.<conn>.children.<child>.mark_out = 0/0x00000000
Netfilter mark and mask for output traffic. On Linux Netfilter may require
marks on each packet to match a policy having that option set. This allows
- Netfilter rules to select specific tunnels for outgoing traffic.
+ Netfilter rules to select specific tunnels for outgoing traffic. The
+ special value _%unique_ sets a unique mark on each CHILD_SA instance.
An additional mask may be appended to the mark, separated by _/_. The
default mask if omitted is 0xffffffff.
@@ -756,6 +775,15 @@ secrets.pkcs8<suffix>.file =
secrets.pkcs8<suffix>.secret
Value of decryption passphrase for PKCS#8 key.
+secrets.pkcs12<suffix> { # }
+ PKCS#12 decryption passphrase for a container in the _pkcs12_ folder.
+
+secrets.pkcs12<suffix>.file =
+ File name in the _pkcs12_ folder for which this passphrase should be used.
+
+secrets.pkcs12<suffix>.secret
+ Value of decryption passphrase for PKCS#12 container.
+
pools { # }
Section defining named pools.
@@ -767,11 +795,11 @@ pools.<name> { # }
Section defining a single pool with a unique name.
pools.<name>.addrs =
- Subnet defining addresses allocated in pool.
+ Addresses allocated in pool.
- Subnet defining addresses allocated in pool. Accepts a single CIDR subnet
- defining the pool to allocate addresses from. Pools must be unique and
- non-overlapping.
+ Subnet or range defining addresses allocated in pool. Accepts a single CIDR
+ subnet defining the pool to allocate addresses from, or an address range
+ (<from>-<to>). Pools must be unique and non-overlapping.
pools.<name>.<attr> =
Comma separated list of additional attributes from type <attr>.
diff --git a/testing/Makefile.in b/testing/Makefile.in
index c151a87d3..b66c2be76 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -142,6 +142,7 @@ DLLIB = @DLLIB@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
@@ -202,10 +203,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
RUBY = @RUBY@
@@ -279,6 +282,8 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
diff --git a/testing/config/kernel/config-3.18 b/testing/config/kernel/config-3.18
new file mode 100644
index 000000000..345d4f52f
--- /dev/null
+++ b/testing/config/kernel/config-3.18
@@ -0,0 +1,2165 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.18.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+# CONFIG_FHANDLE is not set
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_PREEMPT_RCU is not set
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUE_RWLOCK=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+# CONFIG_PM_RUNTIME is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+# CONFIG_PCI_IOAPIC is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_GENEVE is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+# CONFIG_NET_DSA_MV88E6171 is not set
+# CONFIG_NET_DSA_BCM_SF2 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_XGENE is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+# CONFIG_INT340X_THERMAL is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SOC_TI is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_DRBG_MENU is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_AVERAGE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
diff --git a/testing/config/kernel/config-3.19 b/testing/config/kernel/config-3.19
new file mode 100644
index 000000000..8520b3155
--- /dev/null
+++ b/testing/config/kernel/config-3.19
@@ -0,0 +1,2181 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 3.19.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_LATENCYTOP_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_HWEIGHT_CFLAGS="-fcall-saved-rdi -fcall-saved-rsi -fcall-saved-rdx -fcall-saved-rcx -fcall-saved-r8 -fcall-saved-r9 -fcall-saved-r10 -fcall-saved-r11"
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+# CONFIG_FHANDLE is not set
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_LEGACY_ALLOC_HWIRQ=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+# CONFIG_CGROUPS is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+CONFIG_INIT_FALLBACK=y
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+CONFIG_PRINTK=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+CONFIG_PCI_QUIRKS=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_ATTRS=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUE_RWLOCK=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_MPPARSE=y
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_LPSS is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MEMTEST is not set
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_X86_UP_APIC_MSI=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+# CONFIG_MICROCODE is not set
+# CONFIG_MICROCODE_INTEL_EARLY is not set
+# CONFIG_MICROCODE_AMD_EARLY is not set
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_PAGEFLAGS_EXTENDED=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_ZONE_DMA_FLAG=1
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_X86_INTEL_MPX is not set
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_MSI=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+
+#
+# PCI host controller drivers
+#
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_HOTPLUG_PCI is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+# CONFIG_GENEVE is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_LRO is not set
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+CONFIG_IPV6_GRE=y
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_QUEUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+CONFIG_NF_CONNTRACK_PROC_COMPAT=y
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_MMAP is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_NET_MPLS_GSO is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+CONFIG_HAVE_BPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+# CONFIG_DEVTMPFS is not set
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_I2O is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_IPVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+# CONFIG_VHOST_NET is not set
+
+#
+# Distributed Switch Architecture drivers
+#
+# CONFIG_NET_DSA_MV88E6XXX is not set
+# CONFIG_NET_DSA_MV88E6060 is not set
+# CONFIG_NET_DSA_MV88E6XXX_NEED_PPU is not set
+# CONFIG_NET_DSA_MV88E6131 is not set
+# CONFIG_NET_DSA_MV88E6123_61_65 is not set
+# CONFIG_NET_DSA_MV88E6171 is not set
+# CONFIG_NET_DSA_MV88E6352 is not set
+# CONFIG_NET_DSA_BCM_SF2 is not set
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_XGENE is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_IP1000 is not set
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+# CONFIG_PRISM54 is not set
+# CONFIG_HOSTAP is not set
+# CONFIG_WL_TI is not set
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_ISDN is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_MFD_HSU is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27x00 is not set
+# CONFIG_CHARGER_MAX8903 is not set
+# CONFIG_POWER_RESET is not set
+# CONFIG_POWER_AVS is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+# CONFIG_INT340X_THERMAL is not set
+
+#
+# Texas Instruments thermal drivers
+#
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+
+#
+# Direct Rendering Manager
+#
+# CONFIG_DRM is not set
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_UCLOGIC is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_BALLOON=y
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_ASUS_LAPTOP is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_THINKPAD_ACPI is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+# CONFIG_SOC_TI is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+# CONFIG_EXT2_FS_XIP is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_DEFAULTS_TO_ORDERED is not set
+# CONFIG_EXT3_FS_XATTR is not set
+# CONFIG_EXT4_FS is not set
+CONFIG_JBD=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_FILE_LOCKING=y
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+# CONFIG_F2FS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS=y
+# CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_FP_TEST=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA=y
+CONFIG_DEBUG_RODATA_TEST=y
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_PCOMP=y
+CONFIG_CRYPTO_PCOMP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+# CONFIG_CRYPTO_MCRYPTD is not set
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_SEQIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_ZLIB=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+# CONFIG_CRYPTO_DRBG_MENU is not set
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_HW is not set
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE=y
+CONFIG_AVERAGE=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissCert.der
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der
new file mode 100644
index 000000000..76cafc198
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/bliss/strongswan_blissKey.der
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
deleted file mode 100644
index c98775369..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/0b5362afd8838bafb66c854732b490d5d8318261
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb
new file mode 100644
index 000000000..016c4125d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/35ef6b73537e090d3b09359bfee642eafa6192eb
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
deleted file mode 100644
index 0f2a0ec8d..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/533394399c61128c957881790d70511537798da1
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a
new file mode 100644
index 000000000..1a40299f2
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6645da3911d7f86e5410b698e2a441f1e2e4491a
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
deleted file mode 100644
index 489030d9f..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/6b5aec8fe9dcb8d0f707490abc84ab0890a7d2da
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488 b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
deleted file mode 100644
index 863f65237..000000000
--- a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/b8a73c3433f4e341cc7c4ae42989f0a23a956488
+++ /dev/null
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f
new file mode 100644
index 000000000..49f4ad719
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/e2d52f0f42f61f786f1c570a4acc8fa8d72a329f
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d
new file mode 100644
index 000000000..267516b0c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/certs/rfc3779/f22389d26d00a7ddb5ff61f3b2e66022b18b2e3d
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
index bb205a0fd..2076242cc 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckCert.pem
@@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
index 5fff90708..a5b46cc6c 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/duckKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNuMfyRDsc7m1KRDVt8N4h/
-EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKaub5AgsRa2fOOR9xfyf0Q
-7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsOUHOJAPZNoGPey5UL9Zjj
-sN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKDh/pliP7uZANd0ZpPcrIc
-68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeYi9wFLnS2tgV3ID4LzEEI
-CSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQABAoIBADfb0r6cpnRsnSKF
-5RBfReyu6vo4GB0lNGSeRqFRgivU+vMoiG2S58t7AQi2FyTNYbNDFdh31LS8WLbI
-OkWv2HehijN4FO4pqmI9JtSHnbLNJEHEizDBTASLz/9irisX3HCXMVORh4oEb2Ko
-QdmulOjePSJDZbLv6H/JI0bpYsgiAw26KEoB8cnHwiApF69a4uPJA6gW98nsabyq
-9NQVW5QAmUFDnzA6upFRBUeBBpufYMvP82zfntFx72yLBmXgBnyZW23WwZfQZSzw
-FChhl40mwykOE8jpeGgxmdWyPc29roF+kuvaOUaSF2nmyl4qhLCISdr0eHXHAGDH
-2RjVJ6ECgYEA0YW38d4309J1QegK5vhPWehnxpZHpK86DENevYaS7zRcCu1BRZc0
-aBAceTYCZHYofOWmeIns0qtMfzzuemPCiOZWy9VYgJrJ0YkmNin3DM1/13pWiKqn
-EkQCFa6K5AiB0umTOwJoAHlJYlJ2k4bw7Rm/LtiHC2fnRq2KJeKmg60CgYEAyP30
-5D8sUkih9rRfZRHAPo0x1qJpJQC+cFUBMIuOXFIz37TqbZcGDkRRb+ewywNxT73t
-TfVDvR7tD3cYTi78dVz539Dwl9mt10QLGsQJ4825uY/LQqUe8F2qz+E3lWqoo+yJ
-WlTAqbHI2a4g4CjFC4/+i6lKQ+NpmJLZIPz3HAUCgYEAiduy4Ti2gPAb6OZ1re05
-wM1y4q5kq04EIqd9QbS3Hx7TZPkgllpbyBC5u2M3BcTc9PjhpLQTl7XQGnQL8YmM
-KSlteKaCmfO+0NitxLut6sWX1T6Qi1HFpfYLbRqwFkQmr5CyKAR4S7+B8miRzpXe
-FhN3wKoFiRKvkMiEelL7/u0CgYEAnh4TWsBL+MuFBxTs+xDU4SCotYZ9GwwTxUFK
-N0uCiiRtBK9JwT8PF4gtXNCzZ3Jk4Ou0VSD+0jgTHJh/eXpDR30GYkn4DC3GMdQo
-vDy+3wSH+HAj4mEODuBRMUqnNJd85cB+aZ7FFnpzXLQ8zrukEC2OfYaHkxLDjrDv
-uaDoMZUCgYEAhD89Cj849LXbJEmjX0MGUCCBO9EBR2Ux2nbuB+TQnvwz7VT0Jkds
-Db1IfljoDefqzyFfH/0Z3bNg4EpidAG3BMC4MwY7WzR1rfnXwNluaWM5gmUzFNw0
-mBGXonIf6nRMIO9eeTFI8VfFb6BYvosNxz+9QA/5rpamGN1cKdMjgPc=
+MIIEpQIBAAKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPzw6tqtEkIdftEawgc5gvl
+C80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw1duoY7NE+RZwODEsWVgn
+DRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IRIcEfZeAv7URGz7xdrzmK
+/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX7mdNHnpjcwT9/ruyOaNQ
+0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0wF0Bc9lZxnv9ppYgBPsOT
+jE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQABAoIBADxEv72xBkCinBEt
+ExPeXLnb7ADwC6MZuoFbbHtsv+YWFC84YaIHhJlY8ldvUPa4y+SuFCVAZI7d76uE
+iRrYEzqKNuzWPuRcMwjI2beOmzFrlO6UePKZ3R/7EhoA6oSmX2U4Wr0R7eEKrgi8
+w9no5NIr6Ota8mQBsDDeWoGjBZReLHcagK3P+LG7B9EfMbdedd4c+sAYypmbhjvf
+pj2AE08D/eI1j9Jd0w9J4oVNel1p7iYT5wYnZzdHcJdAWHlzFrKFQVVfJBBviskX
+dm8GUOP0ZdOc0xYAyVcFAyu1x0JBkrFM5zOs6UAsRSzP5PQ/J8VFK7BQAv9/TX1D
+eZi2DwECgYEA3mPpG0VRsZXDF63KlWnCn7cl6i+CAhMxYVCVn8RwBGc7Q8Xtw+9b
+y7VktDGTcgcZIxDh/T17FBAn2ZL28tbssRxnRD+lQG1pf86RKLU+HXQ4Ppt7CbA0
+G2oV7+qxA2At3yknHmeIyvzBp+OuCc2XboOhshN5ncgMXl9EzRsCilUCgYEA2EPT
+dXf57rG4k9mcjdohIdutBB+mOXS8K9fbg+V/l+bmGxINWKxF4w2N3pulw4380TRr
+caYI7dxjpmCopnxNEhBiyOuBOEEqdGxdm69CNSO/hFDE92pQECl+6+AIa9Kv/Z3+
+Wdxwo447xgz1wDclhEcVW9rD6sAshpLQREOvIMcCgYEAjxrDmeTVWO0CCW6v+c2A
+i74TC8teYW9wSyrL3W9OlcbIACiRg4+3BjLHhpyQQMQIjOQESC0T0ilDO2KyvjlH
+PgEFAoniEL9XMAMAra1TNyjeOItcdTOJlEqDq0redUmiuwOERLBi+hwDkcGU8IH3
+fAoANtMJY1qjeubbIxDKZbECgYEAleJkMtzFBq57m1TNkO6l2d5zShFZVibWp5hC
+Fma/iJrJzec0Asna4eMp+Sdsuly05JVtBeYp+Bivo8cH++LYU3Wx0UiPVVqsvuW/
+9r9/pm6xNFX6PPOcq6bmxTmO/JOXz7FpcAQ8uM5CFSA0TlSqFsRhRDkZYaBw+4/S
+8gzq2k8CgYEAz/0eK0YPxxh4NHwXVWEsMeTDmC37BmoXU5oOmcgFHmhWXFSvvJLn
+OB5QojTUuEsU9soHqk8F5oCt8DTz/LkJt+lygcSZ+qDOLJ0c9fGxDIp0s3HxiX4G
+BwiYDDqLzFNi6TOQsk15rWWVC9W+PaxsfkrdewvW4ZT695ZWxsKAHP8=
-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/duck/index.txt b/testing/hosts/winnetou/etc/openssl/duck/index.txt
index 759a85b80..70a88fcbb 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/duck/index.txt
@@ -1 +1 @@
-V 141103162335Z 01 unknown /C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org
+V 190225221822Z 01 unknown /C=CH/O=Linux strongSwan/OU=Duck Research/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
index 4e13b52d0..70b953e49 100644
--- a/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
+++ b/testing/hosts/winnetou/etc/openssl/duck/newcerts/01.pem
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1
+MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk
+Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv
+QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK
+sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh
+6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo
+6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7
+GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv
+K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq
+O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6
+tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW
+E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP
+ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN
+Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU
-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 839816bf5..f064bdb0b 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -44,4 +44,6 @@ cd /etc/openssl/rfc3779
openssl ca -gencrl -crldays 15 -config /etc/openssl/rfc3779/openssl.cnf -out crl.pem
openssl crl -in crl.pem -outform der -out strongswan_rfc3779.crl
cp strongswan_rfc3779.crl ${ROOT}
-
+cd /etc/openssl/bliss
+pki --signcrl --cacert strongswan_blissCert.der --cakey strongswan_blissKey.der --lifetime 30 --digest sha512 > strongswan_bliss.crl
+cp strongswan_bliss.crl ${ROOT}
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 49264a5ee..ba3349cf9 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -27,7 +27,7 @@ R 140826100818Z 140827143358Z,superseded 1A unknown /C=CH/O=Linux strongSwan/OU=
R 140826103106Z 090827103405Z,keyCompromise 1B unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
R 140826103739Z 140827143427Z,superseded 1C unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
R 140826104451Z 140827143432Z,superseded 1D unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R 141123125153Z 141128194312Z,superseded 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
@@ -47,3 +47,4 @@ V 190826145626Z 2E unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongsw
R 190826150222Z 140827150343Z,keyCompromise 2F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 190826150536Z 30 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 190826151202Z 31 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
+V 191127201436Z 32 unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index cd5ddfd6b..b3ff1c581 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -27,7 +27,7 @@ R 140826100818Z 140827143358Z,superseded 1A unknown /C=CH/O=Linux strongSwan/OU=
R 140826103106Z 090827103405Z,keyCompromise 1B unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
R 140826103739Z 140827143427Z,superseded 1C unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
R 140826104451Z 140827143432Z,superseded 1D unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
-V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
+R 141123125153Z 141128194312Z,superseded 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org
V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org
V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
@@ -46,3 +46,4 @@ V 190826145436Z 2D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswa
V 190826145626Z 2E unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org
R 190826150222Z 140827150343Z,keyCompromise 2F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 190826150536Z 30 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
+V 190826151202Z 31 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/32.pem b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem
new file mode 100644
index 000000000..f7c90d302
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/32.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
+U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br
+9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9
+7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC
+J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7
+SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F
+55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h
+AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
+DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
+d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
+b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
+MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA
+tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4
+8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8
+SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO
+bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx
+Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
index f84d1a877..f7c90d302 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspCert.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem
@@ -1,25 +1,25 @@
-----BEGIN CERTIFICATE-----
-MIIEQzCCAyugAwIBAgIBHjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEQzCCAyugAwIBAgIBMjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTA5MTEyNDEyNTE1M1oXDTE0MTEyMzEyNTE1M1owZzELMAkGA1UE
+b290IENBMB4XDTE0MTEyODIwMTQzNloXDTE5MTEyNzIwMTQzNlowZzELMAkGA1UE
BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag
U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC8BT5LvsaxM0gOw9QM74ML
-vbxXXxTv9W0L//oBnPohbVyueSl0/r2rcIeYa0g1eePgwRRBHwr356Om2mv/zXTp
-lQA4qtY6YMZkoeYCOVhO/fJ4CGO213qWeWIYOe4njTuiPUiI20PWancgaic5UOAC
-UBnyes94I5kB1OWx0THma4Sv0HdBRoWwO+ZqAA87fpV/Wagi6ElJBcjLbO5Hpy3J
-dFvrjNWZwuJw2+qHQ4QOT4McpusfIjgXaZtyEpVIcbJ7knNSq+MapdP0RBS6wzXa
-kWx9tMIAB9gKUfENTNl60ZnmqI0KgKiR3Yqia/bbsD7JcangOcOjWA2H0LKnnLdp
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcEKXgcanpPoLMCxFLx1Br
+9WYJGHxMIi6eGfHHFObA56DpDxEUfRA88wvOgcq/PxSjAJZLePO9VQLU+sdK9+u9
+7INf7AMQ7CSRfHgkjEAt2SK4iWAk01I957qdwbvTTsBvmEAiKtqpQVcKbkokx1dC
+J7prB4TjJWQlxihMAfgRQEX8EWE1c2vmzQ8fVkEc37E/kWpwDYlKtVidn+Nrt5j7
+SuE+HKZOE9zc2hRXU9IE/5hgHmPd0sIkmusTYqr+feeS3x6FfiWn/xIMlf4eTQ6F
+55EgdUsem4su0y30i369aMviOL5Rc9OAyT/eH5AU/5BBy9M/y0Sep3wgdrOLsD3h
AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU
-NJFukTK/NSVDzCh074LCV5J5E3MwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
+DPBHE7nzb272+F6creQm6ORqEkIwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg
YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT
d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT
b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E
MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u
-Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBteNdmkKbr3bUJSKTaJ/qssbyPjL7MjAmi
-QA1sSq5yIh7Ir23xEq/XQFF51N2yDNuXhLYk1fWou8BL+X9x97BlQkp9/nZ+BdJG
-uH2zOUxcsfq57jtwMzlXGrmVUTMAJRtMqrSnVa9jbW+IF2p/sJfeSRRqJ2qwQoDW
-ppvvBF4RfdWOVCCidtRmWKycEtP1ylSYyiHswVWhL2gLXQRQ0l5wJdgT2URRDopC
-CBiE5mHOWn17gTWQw9SdGbY37o9jXNrY8GRgOeubHFRmdXa1Cli5P5HhIZygUBWX
-tn5BvNDEIUz11/AT+HfpdMSKDiAXMq44wqWoYoUXsaLTIp+Vt6NM
+Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQBvnya63noZrXlKv5daWjqGTmpftPIvK5KA
+tyQlZn4eSY0GDK4M9HPtPmg1o+gYJnQr9STADh737clPb3P05xzc1LLBiQ+laLZ4
+8KpZ4od5QSMTPCzYgx2LQxqKQz9PjbeLP1wcMLxRsluiwPJu9KnfZBDvHsow/UU8
+SPg62z3p17SZxoCk/87Q3eyZkI7BFJJtyrq4yiRf7lFjaLyw1SnM7sjwOMzoQBVO
+bj21Spn1XQ/1X+DiCB3pFvsGEU0ZdfWKrURNeYgh+KX6S1q0mDusOwIunpR0z2Nx
+Oc8QA3YT5fse48k3sUlRuKY+YSQZqj/vG12cHjBGGQRwmpbaTBHT
-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
index d25396b09..13a81f29d 100644
--- a/testing/hosts/winnetou/etc/openssl/ocspKey.pem
+++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAvAU+S77GsTNIDsPUDO+DC728V18U7/VtC//6AZz6IW1crnkp
-dP69q3CHmGtINXnj4MEUQR8K9+ejptpr/8106ZUAOKrWOmDGZKHmAjlYTv3yeAhj
-ttd6lnliGDnuJ407oj1IiNtD1mp3IGonOVDgAlAZ8nrPeCOZAdTlsdEx5muEr9B3
-QUaFsDvmagAPO36Vf1moIuhJSQXIy2zuR6ctyXRb64zVmcLicNvqh0OEDk+DHKbr
-HyI4F2mbchKVSHGye5JzUqvjGqXT9EQUusM12pFsfbTCAAfYClHxDUzZetGZ5qiN
-CoCokd2Komv227A+yXGp4DnDo1gNh9Cyp5y3aQIDAQABAoIBACKheJrs9Z3XyzLl
-AN6tEt8LwG/7VFjqRH6MVFkNt8iGYybDrE4fSYIVRPRe9jrbS4yvI3LnK9cDdFIc
-Mv43sov/ZL4LQVAZWRFZ/Ip2U3yhK5LOQMeBotOqYdYCfYoNaml0jjKe6DzK+Uwg
-IT9eVRQ3+r99vU7sh5cdxnzdAirlXAGdy2QxdF1lyC/49H6jxS7qxuxHPqI0P8VR
-9xVKIXaAKaxcijg47slC386/yEbO96morZuJX+F+iaQ37T0nV3tTergbwDtit3xo
-cOdsHan9zGHE1ayKh8DkBinD+BpiLZdapRvcSm2wAKlamXfI3GIAB5r/3B1NW9yb
-rsThgc0CgYEA4CN+fNaFYQmLMK33wZfXvcadaktSWWXmnqPVLIWRddUH3SA5qEJB
-RwuuLgcfmlmZqBqSOj4pDTtAoNooqA9Ryi0Ugzpvmn5iPevfixQoLix4mn1/bvbF
-bo4CX7Vb7mUdfXpu7PwVNALNfaW6fgKM79LoqX4yZ4k/yFuYl+JTIGcCgYEA1r9k
-mTi/5royyVX0vV7uwyKrXQ8VRVhnVeT2nG1KkuQqUraUQG8WD9J9uxvbZxhsrax1
-Hg1iCAobzlEL2XoX2y+dN+81o2tm9qcy3L7+g6M/+7nQmU+fbGdBkcWq72dZC4ev
-K6grD+gl0uQmdVc7m+3lErojNAlvxTSK1BKrR68CgYA2CxjijO8YGK8BC9FjUnNo
-hM1L5eFzQMi8k5BA7evG15jPzodYdLE8qipTWtBZ7STJja6YcIiBcjoBDtkivJ7h
-+sCpa5uhSrvxZkA+Tpvpljt2NLBXVxT/tSoJXbdO4f6cVLsOVTHfmpVlqGIxI/hL
-kzUaOR16LXO9oahHZwDYHQKBgHPg60PS35p9NxJ1k47sPyKE/rtEfFHjFj+/QWO/
-hdIl1MC1TOJIDzuSdc4Vhhrnjx1YRgplZlS4P7DhAufjfiQEWW3pYqRAPFs0dbmw
-Rl56JPiMmAdic8BnJ3all0uAFQinutpv8Gyw9FgMTMRcwgmuIUIttvlJbkqXw6IU
-QOB5AoGBAJkTG5alPABxJG9ZuEE+iWCPAV1671FXT115D5wlKOY3CImuhsEW085X
-uGZz7WDZWFZJres8RiRlpK035MAg6lUG3trC9+wOluRNehT6h0Vwru8TxjLBxPcc
-yjdSVDH61FQLSKWIGLH9VVLX03NXqi3qxVGrrulUSW5h/HR2s3f7
+MIIEowIBAAKCAQEAnBCl4HGp6T6CzAsRS8dQa/VmCRh8TCIunhnxxxTmwOeg6Q8R
+FH0QPPMLzoHKvz8UowCWS3jzvVUC1PrHSvfrveyDX+wDEOwkkXx4JIxALdkiuIlg
+JNNSPee6ncG7007Ab5hAIiraqUFXCm5KJMdXQie6aweE4yVkJcYoTAH4EUBF/BFh
+NXNr5s0PH1ZBHN+xP5FqcA2JSrVYnZ/ja7eY+0rhPhymThPc3NoUV1PSBP+YYB5j
+3dLCJJrrE2Kq/n3nkt8ehX4lp/8SDJX+Hk0OheeRIHVLHpuLLtMt9It+vWjL4ji+
+UXPTgMk/3h+QFP+QQcvTP8tEnqd8IHazi7A94QIDAQABAoIBAEP6NGZY3AuOgOZj
+g7sgK/V6RGF92tZGpUuUPW3bus8XlU0ulN/5wZLqwp/GhQtcbJ67aLujCXfUiZE/
+UoNjDboCRQ8I/CTo1tzP/Hze4i2WQLtkiw4/RblVMEH62tclnEh/Zp/7TpcesM0I
+UR9H/MgCCf8InWdbKA4UDAVfbjAEws/72QSMnhhsdUfNMKKFiaaDz596MXpI3AWY
+SsenVmcqhMTP819DEem7GTSyOZbx482i7tr1Ix/HB/WlXoTZLB4IFsUOjbtQkoym
+fJHftuCsuN6xg6xUq28zaWqcZzDje7pavqmexXfxvG7a8jXFGY/sagWIHSIp32la
+0WoUO2ECgYEAy0pG09+zY5pHsHoNrSEsN3wIXOv4EIwwEuk4ZTqBPyh/lbHozHDp
+JlO+ObJVzRG/NS4RnlJUicmAUtI7CSpdvTD1OclROBF3DPwiu18zEJTqXkGDcVyt
+bmy8JQDZPYt4mE/TsuRN3uoc9+2jc1ZL6zvS3u6s0EV5j4SYxrn/oQ0CgYEAxIe5
+uBvR+wRXeWddRbIAKxQJa1PR4WDbIQWGm8TlXpcBWsyaqId3AIg9IoQH9AtFvl5F
++6QHjhl5jNK/PkzNM/xAMbS4X4S32zDVUtmJXheyze65lQvXVfUFQUCyb5DeBtvk
+XOf6k5WfM8rAzCb4PNwp+U21vQW7dfOSWp1yEyUCgYEAv3QHeljOYHqXE4wPP0Lj
+mqmUUrbk2+i7CcRdGXDc8jdY2QlBfvDDkxYBK+NZTRVup03ox9svxMhhsx5M/RfK
+SnhGKxL/C7ffD/qRVzeUJwSoKPa4LNYke7+p/YtsDLtCauebL3o2ID8J4zEJ44Cd
+ZT/lG5FabZdQoao2G8pmBi0CgYBrdG5mLMflwJz3Yz3LUqTm6OCxjzXtTeDiMDxG
+RSTIUDZMaByT0uWNI/CRQ7F5jQRILxGColADMQiVp9ErBiEYsG6E/vPkPhOsxAmP
+cCO8j6aTFFjiFoRZmkuSPwaRG5taErbM2YXXVfKjBdPei9wkophMmGGrBUxXFKNL
+6lQqBQKBgFeDuiesvRr+3KUxO6FiRXdGzkhFpfVaSxnFpvyd03vByTsuI5AugjHt
+UPHkOxnrXYg2bZwHSy5fvhUs18FdcucfJnsVl+/Clhl5jkeQzSOszoPx8lvhcck5
+uzlqo+L2XXWN3MaiBHvboA/duTiSQAvcPaEi8gpprxvLHojz/P9R
-----END RSA PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt
index 0565c768e..25f57370c 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt
@@ -2,8 +2,9 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=
R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
-V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
+V 190401220708Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
index 8a0231b05..3fc101e9e 100644
--- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old
@@ -2,7 +2,8 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=
R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
R 120323210330Z 140324140605Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
R 140323203747Z 140324142334Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
-V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
+R 151103161503Z 141128215838Z,superseded 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA
V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org
V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA
V 190323140633Z 08 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org
+V 190323142352Z 09 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem
new file mode 100644
index 000000000..2076242cc
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/0A.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial
index d9bb888f8..eb589e9da 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial
+++ b/testing/hosts/winnetou/etc/openssl/research/serial
@@ -1 +1 @@
-0A
+0B
diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old
index 86397e5c1..d9bb888f8 100644
--- a/testing/hosts/winnetou/etc/openssl/research/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/research/serial.old
@@ -1 +1 @@
-09
+0A
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
index 20107f5f6..b41b2202b 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/.rand
Binary files differ
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
index 9adf263bf..bfafdee5d 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt
@@ -1,4 +1,8 @@
-V 141222133356Z 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
-V 141222133521Z 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
-V 141222133612Z 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
-V 141222133736Z 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+R 141222133356Z 141227062317Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+R 141222133521Z 141227062321Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+R 141222133612Z 141227062326Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R 141222133736Z 141227062335Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+V 191221064542Z 05 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V 191221064900Z 06 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V 191221085130Z 07 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+V 191221085457Z 08 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
index be48eeee4..56242a38b 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/index.txt.old
@@ -1,3 +1,7 @@
-V 141222133356Z 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
-V 141222133521Z 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
-V 141222133612Z 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R 141222133356Z 141227062317Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+R 141222133521Z 141227062321Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+R 141222133612Z 141227062326Z,superseded 03 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
+R 141222133736Z 141227062335Z,superseded 04 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=dave@strongswan.org
+V 191221064542Z 05 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=moon.strongswan.org
+V 191221064900Z 06 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=sun.strongswan.org
+V 191221085130Z 07 unknown /C=CH/O=Linux strongSwan/OU=RFC3779/CN=carol@strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem
new file mode 100644
index 000000000..124e2ae46
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/05.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
+Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
+MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
+bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem
new file mode 100644
index 000000000..a93121da1
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/06.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
+IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
+RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem
new file mode 100644
index 000000000..bf8a4919d
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/07.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5
+MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ
+u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu
+a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr
+xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ
+Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj
+FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2
+g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3
+0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
+dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
+U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
+b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
+d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
+MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
+ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0
+atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl
+mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT
+FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/
+6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0
+9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0=
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem
new file mode 100644
index 000000000..88ce01ed5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/newcerts/08.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5
+MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO
+8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+
+OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz
+eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4
+WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn
+RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m
+mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
+eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
+d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
+Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
+bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
+FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
+MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4
+TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t
+U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU
+IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe
+5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2
+jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3
+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
index 9ec4b01a8..e8a0a2ee7 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/openssl.cnf
@@ -40,7 +40,7 @@ x509_extensions = host_ext # The extensions to add to the cert
crl_extensions = crl_ext # The extensions to add to the CRL
-default_days = 1825 # how long to certify for
+default_days = 1820 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # which md to use.
preserve = no # keep passed DN ordering
@@ -153,6 +153,13 @@ sbgp-ipAddrBlock = critical, @host-addr-section
[host-addr-section]
+#moon networks
+#IPv4.0 = 192.168.0.1
+#IPv4.1 = 10.1.0.0/16
+#IPv6.0 = fec0::1
+#IPv6.1 = fec1::/16
+
+#sun networks
IPv4.0 = 192.168.0.2
IPv4.1 = 10.2.0.0/16
IPv6.0 = fec0::2
@@ -176,6 +183,12 @@ sbgp-ipAddrBlock = critical, @user-addr-section
[user-addr-section]
+#carol networks
+#IPv4.0 = 192.168.0.100
+#IPv4.1 = 10.3.0.1
+#IPv6.0 = fec0::10
+
+#dave networks
IPv4.0 = 192.168.0.200
IPv4.1 = 10.3.0.2
IPv6.0 = fec0::20
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
index eeee65ec4..86397e5c1 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial
@@ -1 +1 @@
-05
+09
diff --git a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
index 64969239d..adb9de8ee 100644
--- a/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/rfc3779/serial.old
@@ -1 +1 @@
-04
+08
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index f5c89552b..bb95160cb 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-32
+33
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index e85087aff..f5c89552b 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-31
+32
diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage
index 075fd8e1e..c927934f1 100755
--- a/testing/scripts/build-baseimage
+++ b/testing/scripts/build-baseimage
@@ -21,7 +21,7 @@ INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip
INC=$INC,python,python-setuptools,python-dev,python-pip
-INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi
+INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi,iptables-dev
SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
INC=$INC,${SERVICES// /,}
diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk
index 2b7bde5a5..d58de95bf 100644
--- a/testing/scripts/recipes/013_strongswan.mk
+++ b/testing/scripts/recipes/013_strongswan.mk
@@ -70,6 +70,8 @@ CONFIG_OPTS = \
--enable-socket-dynamic \
--enable-dhcp \
--enable-farp \
+ --enable-connmark \
+ --enable-forecast \
--enable-addrblock \
--enable-ctr \
--enable-ccm \
@@ -92,7 +94,8 @@ CONFIG_OPTS = \
--enable-tkm \
--enable-ntru \
--enable-lookip \
- --enable-swanctl
+ --enable-swanctl \
+ --enable-bliss
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt
index 4c64fff97..2d04e74f2 100644
--- a/testing/tests/ha/both-active/description.txt
+++ b/testing/tests/ha/both-active/description.txt
@@ -4,5 +4,5 @@ to the virtual gateway <b>mars</b> implemented by the two real gateways
based on <b>ClusterIP</b>. Depending on the hash of the IP addresses of the peers
and the SPIs, the inbound and outbound CHILD_SAs are either assigned to
segment 1 managed by <b>alice</b> or segment 2 handled by <b>moon</b>.
-The IKEv2 protocol is managed by <b>moon</b> exclusively with passive
-IKE_SAs installed on the backup gateway <b>alice</b>.
+The IKEv2 protocol is managed by <b>alice</b> exclusively with passive
+IKE_SAs installed on the backup gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat
index 52c561964..8f5ffdb50 100644
--- a/testing/tests/ikev1/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev1/double-nat-net/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat
index 9ddad2de5..5f0622690 100644
--- a/testing/tests/ikev1/double-nat/evaltest.dat
+++ b/testing/tests/ikev1/double-nat/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat
index 387dbae23..36d9f8456 100644
--- a/testing/tests/ikev1/nat-rw/evaltest.dat
+++ b/testing/tests/ikev1/nat-rw/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: sleep 6::no output expected::NO
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
index aab1df687..b8b1fdd09 100755
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# NAT updown script
#
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
@@ -13,7 +13,6 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-# things that this script gets (from ipsec_pluto(8) man page)
#
# PLUTO_VERSION
# indicates what version of this interface is being
@@ -32,15 +31,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -54,25 +58,21 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -80,31 +80,38 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
#
# define a minimum PATH environment in case it is not set
@@ -129,22 +136,22 @@ up-client:)
# If you are doing a custom version, firewall commands go here.
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
index 842eda00b..2dd5a40dd 100644
--- a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES
-moon::cat /var/log/daemon.log::splitting IKE message with length of 1468 bytes into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message with length of 1388 bytes into 2 fragments::YES
+moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES
sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat
index 52c561964..8f5ffdb50 100644
--- a/testing/tests/ikev2/double-nat-net/evaltest.dat
+++ b/testing/tests/ikev2/double-nat-net/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat
index 9ddad2de5..5f0622690 100644
--- a/testing/tests/ikev2/double-nat/evaltest.dat
+++ b/testing/tests/ikev2/double-nat/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES
bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES
moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES
diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2/forecast/description.txt
new file mode 100644
index 000000000..db67b9c3d
--- /dev/null
+++ b/testing/tests/ikev2/forecast/description.txt
@@ -0,0 +1,8 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to
+gateway <b>moon</b> and request a <b>virtual IP</b>. <b>moon</b> negotiates
+broadcast and multicast traffic selectors with the clients, and uses
+<i>%unique</i> marks to avoid any policy conflicts. The enabled <i>forecast</i>
+plugin on <b>moon</b> installs the required Netfilter rules to make use of these
+policies, and additionally starts forwarding broadcast and multicast packets
+between the clients.<br/>
+To test forwarding, the hosts send multicast and broadcast ping messages.
diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2/forecast/evaltest.dat
new file mode 100644
index 000000000..6babe57f0
--- /dev/null
+++ b/testing/tests/ikev2/forecast/evaltest.dat
@@ -0,0 +1,20 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES
+alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null
+carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null
+dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null
+carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null
+moon::iptables -t mangle -L -n -v
+carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES
+carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES
+dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..4cd628384
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftsubnet=0.0.0.0/0
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=0.0.0.0/0
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..e2255d96b
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftsubnet=0.0.0.0/0
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=0.0.0.0/0
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..7b81476e9
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+}
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..fde2e9103
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16,224.0.0.0/4
+ right=%any
+ rightid=*@strongswan.org
+ rightsourceip=10.1.0.128/26
+ rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255
+ mark=%unique
+ auto=add
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..986ef32de
--- /dev/null
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr forecast
+ syslog {
+ daemon {
+ net = 2
+ }
+ }
+ plugins {
+ forecast {
+ interface = eth1
+ reinject = rw
+ }
+ }
+}
diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev2/forecast/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/forecast/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat
new file mode 100644
index 000000000..206bf5b64
--- /dev/null
+++ b/testing/tests/ikev2/forecast/pretest.dat
@@ -0,0 +1,7 @@
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2/forecast/test.conf
new file mode 100644
index 000000000..13b3927ae
--- /dev/null
+++ b/testing/tests/ikev2/forecast/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2/host2host-transport-connmark/description.txt
new file mode 100644
index 000000000..6660279c9
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/description.txt
@@ -0,0 +1,8 @@
+An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b>
+and gateway <b>sun</b> is successfully set up. The client <b>venus</b> behind
+the same NAT as client <b>alice</b> also establishes the same <b>transport-mode</b>
+connection. <b>sun</b> uses the connmark plugin and a <b>%unique</b> mark on
+the CHILD_SAs to select the correct return path SA using connection tracking.
+This allows <b>sun</b> to talk to both nodes for client initiated flows, even
+if the SAs are actually both over <b>moon</b>.<br/>
+To test the connection, both hosts establish an SSH connection to <b>sun</b>.
diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
new file mode 100644
index 000000000..04a35c10c
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat
@@ -0,0 +1,7 @@
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES
+venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES
+sun::iptables -t mangle -L -n -v
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..9000ebcfe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..220059c43
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ left=192.168.0.2
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+
+conn nat-t
+ right=%any
+ type=transport
+ mark=%unique
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1311e5b27
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark
+}
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..cea239abe
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,17 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn nat-t
+ leftcert=venusCert.pem
+ leftid=venus@strongswan.org
+ right=192.168.0.2
+ rightid=@sun.strongswan.org
+ type=transport
+ auto=add
diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
new file mode 100644
index 000000000..144be6c90
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat
@@ -0,0 +1,5 @@
+alice::ipsec stop
+venus::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
new file mode 100644
index 000000000..ab6408427
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat
@@ -0,0 +1,11 @@
+moon::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE
+moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
+moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2/host2host-transport-connmark/test.conf
new file mode 100644
index 000000000..8c2facefd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun alice venus moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
index 6f18a88cd..fc7186c53 100644
--- a/testing/tests/ikev2/host2host-transport-nat/description.txt
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -9,5 +9,6 @@ rules that let pass the decrypted IP packets. In order to test the host-to-host
dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter
in <em>/proc/net/xfrm_stat</em>).</li>
<li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to
-<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li>
+<b>sun</b>. Due to the conflicting IPsec policies <b>sun</b> will use the newer SA from
+<b>venus</b> to send traffic to the common transport mode address.</li>
</ol>
diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
index faa9fb265..0ec50bc92 100644
--- a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat
@@ -1,12 +1,9 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES
-alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
-venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
-venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES
-sun::cat /var/log/daemon.log::unable to install policy::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES
+alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO
+venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES
sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO
diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
index fe0f17d3d..2d2607078 100644
--- a/testing/tests/ikev2/host2host-transport-nat/pretest.dat
+++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat
@@ -10,3 +10,4 @@ sun::ipsec start
alice::expect-connection nat-t
venus::expect-connection nat-t
alice::ipsec up nat-t
+venus::ipsec up nat-t
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
index 65a003d23..8457ae0dd 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
-moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
@@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES
-dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES
+dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES
moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 4e13b52d0..70b953e49 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX
-BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz
-MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
+BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1
+MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh
bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n
-c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y
-IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2
-30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb
-jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG
-veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii
-ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5
-7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx
-jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
+c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk
+Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv
+QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK
+sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh
+6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo
+6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7
+GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv
+K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg
c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo
-IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
-DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH
-TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G
-4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6
-Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O
-3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok
-BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE
+IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3
+DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq
+O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6
+tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW
+E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP
+ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN
+Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 48727ed9d..ce60672bc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF
-Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF
-w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/
-rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8
-UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX
-aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+
-33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX
-ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA
-zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2
-DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag
-QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp
-5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP
-44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX
-Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV
-2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar
-PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX
-LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/
-Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq
-VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL
-Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty
-6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3
-Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw
-Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq
-Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS
-QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw==
+MIIEpAIBAAKCAQEAzQWx53y0ZC78YfVe8fzaErOamr6a/BedS52KSH6aYDLwQ46X
+XkpwTzjj2pD5X1ISkr1yHrBEr0CNRyTpRn7bMC/QOQdZU57B+ubKqYKoI+u4K4d/
+OlNzvWXHBYVI/A8Ok1KP6nuKSrFg8FF/yxt5ozsf6zhr1/Fsb2VOyVV14VOIPE6S
+FdyUU0PpRfNs96qEunQH0beMYeqci7jGG7ulLV+QJdIiQ76bFq/WWyiNn/A4ZK9L
+GRUR5exrOY0zdUWtRBdIwoyM6OgJJGPiEwbLL1bzBaXjf429GYby3ERVOepby5Jq
+4/yJylLJPajZvNPv8BQVMyeTexns15gSD8F3ZQIDAQABAoIBABliJR6V7/efYZv3
+NyQavB0oo3GZO7MOcWkVPjOviQl0BQ84LkF8Ud9dGcjLvjQxAx+r2N83z6krAtLW
+HROfTR/wK4WEBWk29KlNvbWy+YJJAupQwk3EW0YNvdBPKjQa4SEYTb0oQnzw7SGT
+1ZCd/DdbcJ48xA1eVKCOGG0Q6aFV702mUszjZfrnyqr+zxx8ZE+YhKSXB0eGjv2+
++kiJMf25ZpgP5Pu5AAX0/KRN9E5orbr5pdFTBgOIJ6Sdsnr/q/tJaU/bPVJEtFvd
+BqSVtz87ftTdZVH5zMBkXPVwlWczQiK5J6igrMBcrHhnKUmt54kh9bEUmt2ZrBOx
+xmEV/wECgYEA+a+LjA3lZgk5Qy4qKvXe4EHvRSK513ZxN8gBvj4wA7JmEGv76gMw
+5o1DbpNOqumeyjrtsqVzjAu3GpowX4dfHRal9CZ57dtedjWlHPnnDtSMKzmJXiJb
+HzYPngpjxfAjrZNIBlQZeAhtYCQUDM/SSitcnP1gp3DEdVyxFNafmuECgYEA0jUA
+F0hSddYBo4tG84gnHQ6L0ftqn3K0UD9EcFAG2Zxv7dqSGdmCq6wo/q1UeKDVLjCX
+OteuqzDG+ka6DmbcLwj9VRMQP9lqUbtGOzwyWxYdcMUZnMtWHpuvcsyHLrAKqTxJ
+0Be7hlXCbSrh62CBpAgv91NMghZup3Tpku8qkQUCgYEAyWNp7uEWciJmaWVG5bfC
+uKb10pGby8ngr9lGbqfCGnk+EWjHm4xPWOX/yaRPA1PDm+HD7x+7/u1EFtTex25s
+rQ2jdTXDirIxkq7aKnD2iOOu2v5haefUD2yPVC2VJAX5APuWUGRs1oAVmEIBWgQV
+3XT0EjvcRbGTBAZrXh9uRIECgYEAzBclZXWUilAj+zOoyZ4xy6Zp3pAqL3Fg3GDx
+A9LPM80NZ3RFUc+7bQ6UJuEHGK+fC1+mFT1/mzqaljjBQGZh9VDXFhiSOEvRTFV1
+lOGXSpSoNOtJONC7ZrBloiIuRggp8bJVQDMqoPz27qMqAiwK8sX4PDumFs/M081R
+UpXfUDkCgYAOa/VoXgDlFMun1qEu6LFZcLhA6SyHRT0yT9WSYkHjcQusvJAZEM67
+lfUd1J57tG6+HS7z0wBkO72HG0YZDD8dhgzsYGChUHD+yq+OZ2FHnZWRSnnHq4zD
+ZBjS8PGcVu/4Ojx6B8GI41UgmdqH+US+AA6nYceb74NeIigXjtXUdA==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
index bb205a0fd..2076242cc 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
@@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
-MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
-BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
-M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw
+OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
-MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
-ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
-UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
-h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
-i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
-o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
-KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz
+w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw
+1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR
+IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX
+7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w
+F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK
+cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
-YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
-AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
-YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
-rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
-1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
-wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
-DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF
+AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd
+i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4
+zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM
+4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE
+VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF
+5n7mN4ssNQdcD86W5lnI9pT5s1uvdw==
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
index bb8e856cc..c5390fbb6 100644
--- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat
@@ -1,7 +1,7 @@
alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
index 421335ffb..e0c15f56a 100755
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
- if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- parms2="via $PLUTO_NEXT_HOP"
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
- if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- echo "$0: doroute \`$it' failed ($oops)" >&2
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
fi
# is there an inbound mark to be set?
@@ -313,82 +212,18 @@ if [ -n "$PLUTO_MARK_IN" ]
then
if [ -n "$PLUTO_UDP_ENC" ]
then
- SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
+ SET_MARK="-p udp --sport $PLUTO_UDP_ENC"
else
- SET_MARK="-p esp"
+ SET_MARK="-p $PLUTO_PROTO"
fi
SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
fi
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -430,6 +273,13 @@ down-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -472,6 +322,15 @@ up-client:)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -518,6 +377,13 @@ down-client:)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
index 6ec29c779..86fc1975e 100644
--- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat
@@ -1,6 +1,6 @@
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES
sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat
index 387dbae23..36d9f8456 100644
--- a/testing/tests/ikev2/nat-rw/evaltest.dat
+++ b/testing/tests/ikev2/nat-rw/evaltest.dat
@@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.
venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES
sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES
-alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES
-sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES
+alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES
+sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
moon:: sleep 6::no output expected::NO
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
index aab1df687..1afd70df8 100755
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# NAT updown script
#
# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org>
@@ -13,8 +13,6 @@
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -32,15 +30,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -54,25 +57,21 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
#
# PLUTO_MY_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -80,31 +79,38 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
#
# define a minimum PATH environment in case it is not set
@@ -129,22 +135,22 @@ up-client:)
# If you are doing a custom version, firewall commands go here.
iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
-d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
down-client:)
# connection to my client subnet going down
# If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
;;
*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
exit 1
diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2/net2net-cert-sha2/description.txt
new file mode 100644
index 000000000..c659b4c47
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/description.txt
@@ -0,0 +1,7 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> using SHA-2 to create signatures
+as enabled by the IKEv2 Signature Authentication extension described in <b>RFC 7427</b>.
+Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
new file mode 100644
index 000000000..65737ba1f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
@@ -0,0 +1,9 @@
+moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..5af6d2bbc
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftauth=rsa-sha384
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..3c3d1e51d
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftauth=rsa-sha512
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..2127105da
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
new file mode 100644
index 000000000..837738fc6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
new file mode 100644
index 000000000..81a98fa41
--- /dev/null
+++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/test.conf b/testing/tests/ikev2/net2net-cert-sha2/test.conf
index 646b8b3e6..afa2accbe 100755..100644
--- a/testing/tests/swanctl/net2net-cert-ipv6/test.conf
+++ b/testing/tests/ikev2/net2net-cert-sha2/test.conf
@@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob"
# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"
-
+
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -3,4 +3,5 @@
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
multiple_authentication = no
+ signature_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index a26295090..6e5c24063 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -3,4 +3,5 @@
charon {
load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
multiple_authentication = no
+ signature_authentication = no
}
diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
index 7f227fd62..c7437c8bb 100644
--- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
+++ b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat
@@ -1,7 +1,7 @@
moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES
sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES
-moon::cat /var/log/daemon.log::splitting IKE message with length of 1804 bytes into 2 fragments::YES
-sun::cat /var/log/daemon.log::splitting IKE message with length of 1596 bytes into 2 fragments::YES
+moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
+sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES
moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES
sun::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index 9ccd47a2c..a93121da1 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
-MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
-CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
-XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
-k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
-VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
-Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
-6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
-AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
-mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
-C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
-4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
-TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
-Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
-dXN+1axy9zQ34g==
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
index 6e047af69..55f5f8037 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
-K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
-SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
-NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
-IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
-RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
-K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
-nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
-feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
-/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
-K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
-UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
-T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
-7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
-t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
-cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
-WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
-qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
-U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
-6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
-ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
-b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
-TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
-h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
-FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS
+dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV
+eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835
+dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid
+gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah
+tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn
+d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB
+J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3
+6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD
+cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0
+SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB
+BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG
+KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2
+iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg
+zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0
+7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE
+ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4
+Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0
+lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU
+7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7
+yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT
+1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX
+uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ
+dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+
+QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
index bdba3fb05..e9ab41c7f 100755
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -186,7 +169,6 @@ fi
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
up-client:)
# connection to my client subnet coming up
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
new file mode 100644
index 000000000..dfec6a3b6
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt
@@ -0,0 +1,8 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option for
+clients using an assigned virtual IP. The initiator <b>carol</b> reauthenticates
+the IKE_SA with host <b>moon</b> using <b>ikelifetime=10s</b>, but does not
+close the old IKE_SA before the replacement CHILD_SA using the same virtual IP
+is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..6447b1cca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keylife=20m
+ ikelifetime=10s
+ rekeymargin=5s
+ rekeyfuzz=0%
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftsourceip=%config
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..121ea7eab
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=30m
+ keylife=20m
+ rekeymargin=0s
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/24
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2/reauth-mbb/description.txt
new file mode 100644
index 000000000..ab92d7df8
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/description.txt
@@ -0,0 +1,7 @@
+This scenario tests <b>make-before-break reauthentication</b> using overlapping
+IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The
+initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using
+<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement
+CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b>
+hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the
+whole procedure.
diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2/reauth-mbb/evaltest.dat
new file mode 100644
index 000000000..509457418
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f46405a47
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ keylife=20m
+ ikelifetime=10s
+ rekeymargin=5s
+ rekeyfuzz=0%
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..f89437e43
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+
+ make_before_break = yes
+}
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2f4557447
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=30m
+ keylife=20m
+ rekeymargin=0s
+ keyingtries=1
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat
new file mode 100644
index 000000000..baacc1605
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf
new file mode 100644
index 000000000..4a5fc470f
--- /dev/null
+++ b/testing/tests/ikev2/reauth-mbb/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
index d59eef513..20f1f132c 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
index 0ea4e21ab..77e306bf9 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
index 6a20b8e8c..e09765fb6 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat
@@ -1,7 +1,7 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
index 1460ec8f9..10ce861b1 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswa
moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
index aa6d4291b..47a4977a2 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
@@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongsw
moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES
dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
index 42d2c319e..5853deb26 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat
@@ -1,6 +1,6 @@
carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES
carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
index 8f813395a..109407b96 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
index 881971e80..87c37f3a3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
index a8019b3e7..49045c9ef 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
index 84f41fd93..88ab87d29 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
index 010f48315..892fdd6ef 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
index 95c29b7f5..d3d97dc38 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES
dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
index f1a68bc19..0dfc89e07 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
index 21cfe429a..a514f48b7 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
index ab27b4510..f33e7bc36 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
index b4825fb82..c2efc3fcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
index 7584e14dc..75349b031 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
index a471a2cfa..f250c0cb3 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat
@@ -1,9 +1,9 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
index 421335ffb..b8b45e3b0 100755
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -1,4 +1,4 @@
-#! /bin/sh
+#!/bin/sh
# updown script setting inbound marks on ESP traffic in the mangle chain
#
# Copyright (C) 2003-2004 Nigel Meteringham
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,20 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
#
# PLUTO_ME
# is the IP address of our host.
@@ -63,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -85,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -93,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -143,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -157,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- parms1="$PLUTO_PEER_CLIENT"
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
- if [ -n "$PLUTO_NEXT_HOP" ]
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- parms2="via $PLUTO_NEXT_HOP"
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
fi
- if test " $oops" != " " -o " $st" != " 0"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ if [ -n "$ICMP_TYPE_OPTION" ]
then
- echo "$0: doroute \`$it' failed ($oops)" >&2
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
fi
# is there an inbound mark to be set?
@@ -320,75 +219,11 @@ then
SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
fi
-# are there port numbers?
-if [ "$PLUTO_MY_PORT" != 0 ]
-then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
-fi
-if [ "$PLUTO_PEER_PORT" != 0 ]
-then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
-fi
-
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -403,6 +238,14 @@ up-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -430,6 +273,13 @@ down-host:)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -472,6 +322,15 @@ up-client:)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -518,6 +377,13 @@ down-client:)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt
new file mode 100644
index 000000000..b81fdb7cf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt
@@ -0,0 +1,15 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>.
+The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and
+192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS
+algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for
+<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively.
+<p>
+Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload
+by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual
+IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously
+increasing order.
+<p>
+<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping
+the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two
+pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively.
diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
new file mode 100644
index 000000000..5a88b6641
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat
@@ -0,0 +1,26 @@
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES
+dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES
+moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES
+moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..f13e47a71
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128!
+ esp=aes128-sha256!
+ authby=pubkey
+ fragmentation=yes
+
+conn home
+ left=PH_IP_CAROL
+ leftsourceip=%config
+ leftcert=carolCert.der
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
new file mode 100644
index 000000000..491e245dd
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
new file mode 100644
index 000000000..b2831a8ed
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..c2225646d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS carolKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..5f605a43d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes192-sha384-ntru192!
+ esp=aes192-sha384!
+ authby=pubkey
+ fragmentation=yes
+
+conn home
+ left=PH_IP_DAVE
+ leftsourceip=%config
+ leftcert=daveCert.der
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=moon.strongswan.org
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
new file mode 100644
index 000000000..83a213710
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
new file mode 100644
index 000000000..0ec528ddf
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..fe2643204
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS daveKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..2a9b33aae
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128-sha256-ntru128,aes192-sha384-ntru192!
+ esp=aes128-sha256,aes192-sha384!
+ authby=pubkey
+ fragmentation=yes
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.der
+ leftauth=bliss-sha512
+ leftid=moon.strongswan.org
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/28
+ auto=add
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
new file mode 100644
index 000000000..cbc7e09c1
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 000000000..1ab7d21f7
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
new file mode 100644
index 000000000..c989f91e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der
Binary files differ
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..b4a9ee68d
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: BLISS moonKey.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..ab824c993
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown
+ send_vendor_id = yes
+ fragment_size = 1500
+}
diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
new file mode 100644
index 000000000..9ba8c5f55
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat
@@ -0,0 +1,9 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
+dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der
diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
new file mode 100644
index 000000000..24249435e
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat
@@ -0,0 +1,13 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
+carol::sleep 1
diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf
new file mode 100644
index 000000000..164b07ff9
--- /dev/null
+++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon alice"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
index ab398a3bb..55b295781 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat
@@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pr
moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES
moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
index 1648c9557..1206ea4b7 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
index ccbc769e2..b192f788f 100644
--- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
+++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES
carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
index 438e1c14c..6ebb7c356 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf
@@ -11,7 +11,6 @@ conn %default
conn home
left=PH_IP_CAROL
- leftnexthop=%direct
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt
new file mode 100644
index 000000000..569d7e054
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway
+<b>moon</b>. They authenticate themselves using <b>RSA signatures</b> but
+they use different hash algorithms. <b>moon</b> uses signature scheme constraints
+to only allow access to the <b>research</b> and <b>accounting</b> subnets if
+specific algorithms are used. <b>Note:</b> Because the client certificate's are signed
+with SHA-256 we have to accept that algorithm too because signature schemes in
+<b>rightauth</b> are also used as constraints for the whole certificate chain.
+Therefore, <b>carol</b> obtains access to the <b>research</b> subnet behind gateway
+<b>moon</b> whereas <b>dave</b> has access to the <b>accounting</b> subnet, but not
+vice-versa.
diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
new file mode 100644
index 000000000..261475f56
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES
+moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES
+carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
+carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES
+moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES
+dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES
+moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES
+dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO
+dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..b1aa2d99a
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftcert=carolCert.pem
+ leftauth=pubkey-sha384
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..eef3e2622
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightsubnet=10.1.0.10/32
+ also=home
+ auto=add
+
+conn venus
+ rightsubnet=10.1.0.20/32
+ also=home
+ auto=add
+
+conn home
+ left=%any
+ leftcert=daveCert.pem
+ leftauth=pubkey-sha512
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=pubkey
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..9f9051eeb
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,30 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn research
+ rightauth=pubkey-sha384-sha256
+ leftsubnet=10.1.0.0/28
+ also=rw
+ auto=add
+
+conn accounting
+ rightauth=pubkey-sha512-sha256
+ leftsubnet=10.1.0.16/28
+ also=rw
+ auto=add
+
+conn rw
+ left=PH_IP_MOON
+ leftid=@moon.strongswan.org
+ leftcert=moonCert.pem
+ leftauth=pubkey
+ leftfirewall=yes
+ right=%any
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..044d73ac3
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+}
diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2/rw-sig-auth/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat
new file mode 100644
index 000000000..bec31cc68
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up alice
+carol::ipsec up venus
+dave::ipsec up alice
+dave::ipsec up venus
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2/rw-sig-auth/test.conf
new file mode 100644
index 000000000..b9e97e43b
--- /dev/null
+++ b/testing/tests/ikev2/rw-sig-auth/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou moon"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=""
+
diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat
index 9418d6ee1..3522c3d79 100644
--- a/testing/tests/ikev2/rw-whitelist/evaltest.dat
+++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES
-moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES
moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
index 9ccd47a2c..a93121da1 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0
-MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5
+MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE
-CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k
-XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H
-k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC
-VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno
-Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr
-6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
-DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5
+oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf
+pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw
+ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1
+Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd
+0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd
+bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud
+DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj
Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4
IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3
YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz
d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww
RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR
-AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA
-mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j
-C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd
-4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ
-TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ
-Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E
-dXN+1axy9zQ34g==
+AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu
+7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p
+nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg
+oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx
+k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD
+yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug
+NnBR3lf2HB2lWA==
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
index 6e047af69..55f5f8037 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho
-K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ
-SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+
-NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3
-IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU
-RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1
-K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7
-nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D
-feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL
-/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2
-K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B
-UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc
-T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm
-7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb
-t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs
-cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o
-WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn
-qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP
-U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX
-6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp
-ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq
-b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF
-TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v
-h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE
-FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd
+MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS
+dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV
+eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835
+dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid
+gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah
+tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn
+d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB
+J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3
+6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD
+cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0
+SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB
+BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG
+KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2
+iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg
+zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0
+7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE
+ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4
+Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0
+lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU
+7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7
+yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT
+1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX
+uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ
+dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+
+QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
index 3243bc294..bf8a4919d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE-----
-MIIEojCCA4qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzYxMloXDTE0
-MTIyMjEzMzYxMlowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5
+MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3
-YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD8OrNy0w+T2
-cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTrz4FskqN39sFxDFDSre1bps+F7jW/
-zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeBNBk4b6VAIKPaYmO3UIoZZ4SPnnVZ
-P7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWYPDOkTS+1sbRQHkgdZvw4fYno+Rd+
-hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8T2zI0aI6L8g57j4cX1XYQwM3tkHM
-2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9A0gqmbnF9//wvSmwpDpSkDoHZ5O3
-Ur6HZ8mByQIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
-VR0OBBYEFL9rU6QFDLvUOEIFNZROVYWN5v++MIGMBgNVHSMEgYQwgYGAFCF/p+s3
+YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ
+u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu
+a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr
+xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ
+Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj
+FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2
+g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD
+VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3
0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu
dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n
U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry
b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz
d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw
MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA
-ABAwDQYJKoZIhvcNAQELBQADggEBAHhgG8qqLZX3uXDVX9uBZM8jErI78pyL9F8q
-ibTW5UPp+rbbMDY7tphBbFkg5Q0pzJhOzB6I6Oy/QWVVEC20DE7lhOpMu7auS3Gn
-z1t6DCIDR9NYXtKs6UXcMA0PSQ1r7iHQWvtZ0uD998k6UQfZCCOwBbonng2DAp/m
-FKkaCYiZmJw2YBwf+oVNLQp2fHI61uoguiiRQ4AV5Htho0z6MDqpMyrg2F7Uf2cq
-kQY/ZyvMe8VG5KuiaMJPIMdJPnRED2R4qiyHe8eDXgGYHsNhkt7VHRRgo3izqIdG
-1oCv+CHQ2XSK+4dA42U0Vw7V/ExmcLy99bZfCEZwNWG6Y/5Qwww=
+ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0
+atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl
+mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT
+FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/
+6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0
+9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0=
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
index 275162721..a75622149 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArD8OrNy0w+T2cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTr
-z4FskqN39sFxDFDSre1bps+F7jW/zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeB
-NBk4b6VAIKPaYmO3UIoZZ4SPnnVZP7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWY
-PDOkTS+1sbRQHkgdZvw4fYno+Rd+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8
-T2zI0aI6L8g57j4cX1XYQwM3tkHM2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9
-A0gqmbnF9//wvSmwpDpSkDoHZ5O3Ur6HZ8mByQIDAQABAoIBAQCSb+WlFtpjtPPF
-JUwxVzqz4Cx510gwkU+GzUemDGdvfZhsWjNEri7FGE70LQ9UPh5vGd2SmtmtZGrW
-J4wjWus6LFYuCa1sl4BlzfFLTjqF8XLUm0twJITzfhVf6o3OmiIOSepBNNT5DaE7
-4R8NgxRU8bG5cnuEWF9VklBl8tR04/VHIfTHltt1p69aQ6UoECBLd+/8RBIj+L/P
-TzXbgLJn7dT8DrOA9rv1p0G1reADwvclKfag4S/xyC54anRsmMNWQLE0D+QzKL29
-nXqU1wjIHBtgY7uM0svtyrMXiNi0XEBWqDdOMwCZ66TU6eGIzDDevG+q8PXmuW6v
-NGxoipcRAoGBANJy4uNj2SnMTdIyoe0wFjmjntKb7DX2Ie0aZr3kygQ7VJUH6w7Z
-mZXNhRf8CpaD20lnyqRjhgq1gwOrLZWpAajNPJ6uCHUVSI8+qwdMVdPSZyxRlal9
-gshsGofkiqEGa/5BW4+yDgi1C4BV+lmN8jn4ilKe4JvFGuz+F31ntDXlAoGBANGH
-WKCq4u9MCxM2R2ESKkLM+vlTxRB4meMt6iPn9e0yJ1BVXTILRp7hfUwKc4ivI/SO
-rc4UA3I5i6QR7TVPOVreqw/CDEmjQLhTSOWY3lHbNz1q53p8Yh6JdytaA4YYgm+I
-pFL+Hh/UpPEAY1ZzsSP7KhBd7ViKblz7/Act614VAoGAXTkFJqNpZGmbI3zIXBBM
-GBZR2Yu2dCTm3GgwkPfTQVKi4i2Sw45Cyagzx+8fJZOdRQQUMQPhMcc8FRjz5XLr
-SEI6EzSWjH70GHgzPNVkw6NVjr1JJb5ye6PfkMj9W91DY2rCS4IdU2AXiy8K6jbF
-0UY2x+iXKImEpuzbrPKOUr0CgYB1lHdGyj7JPKomYNpTfecbT34zdi/rG1J4Kybu
-eVgHgJKRQSYoVC2QMUen6WGGPYp2za55K7/3VJWpP6oWtVuhQ71I/YL5u9Qw3APX
-XB6+Xr80Bw7ZLH2/VzL5r+y0ToK75jkYnaP4BtN8rtQQCqJIZ8TmJF9xxVVDduCq
-grlHNQKBgF06eOplOy8W7euuhvEfoxv05ZVjcFv3bFzlYPb0fBfq4Ziw97SzidH9
-Wbq3gujut9gJCKZT6BJfZtqrPeVhWp+S2SD3bDCsjNZLRBEdzdyRB5CpmDE5OQBH
-EtzpR4nQa/2RJ7wRP/306PE1sQPtTpNvGIgBIUxWvt5gzyVhO1sG
+MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1
+XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++
+e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie
+SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP
+uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN
+8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL
+KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG
+nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo
+U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg
+qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6
+MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO
+zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU
+0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb
+/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8
+5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl
+lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58
+gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w
+ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB
+Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi
+jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4
+OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s
+zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy
+R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn
+oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv
+XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
index dffbc67e9..88ce01ed5 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -1,27 +1,27 @@
-----BEGIN CERTIFICATE-----
-MIIEoDCCA4igAwIBAgIBBDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzczNloXDTE0
-MTIyMjEzMzczNlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5
+MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPLwvUPUNIZnbX
-eyz8U0COp5RM7ZLFT2iJmSGxznZ30phUNHSy3WX9V8h2kQ2fBks2x0KYWEg8Lh2y
-ggZipePRpuHRnZlcll5/HY/YOUgdV2GE6euNiWKcDB6uE51sxZ+on5KasI9EJMdp
-hJpytYUFjx6pExsoqWMQLigrT6A4bYogkweOZHiUyHiqgtUQcHnmmKwxgeUAkZCb
-00dk7CYnXNQZ1uHj/08TDwrS37SGXfWEIcBGEx/awqlF+s2HTI6zw7NC2HhQsiSp
-Yo1nz8TBr/8XnO9KyYUg04TMkcQqBFDt/qiUswLRLapn9HSyd43BxaF+YuvJ1+ip
-M4G05K1nAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQUJ/+79KP+Ea9vdAIMkUYx++cu6R0wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO
+8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+
+OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz
+eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4
+WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn
+RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m
+mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u
Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh
bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw
FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg
-MA0GCSqGSIb3DQEBCwUAA4IBAQBlOlqceKqgr0putV9fUf2vekg5QtZGDtHFUOTH
-0gDIe2DJ60bWY5IXpjj2KtzRdoP448fpPaprrh8VEljWoVvAF8LaePKGggqwcG+D
-Z7ioDYlnV1j+/NnbZGM/hPqa841dh5jesTuTAF2giMod6P6eMiiRcnl9X3ltgSWp
-Ahk5C8CNYw+sISJcCHtFQHdKOM4QN7wAWksvpjMWkSDQgf/rnDUgW8DXAwX/9K4V
-G2etJ6/8drpjB115p6h+GYz8xFG28/MSf9BqNX03dBs5oyko2+FgSrb3ACK+pAO4
-Cpi2NKZfUH+M7Loo4baI+f5iavpDjDfar8KTiV610DAp0W2S
+MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4
+TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t
+U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU
+IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe
+5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2
+jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
index e79cbdd9f..f72970c4d 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAzy8L1D1DSGZ213ss/FNAjqeUTO2SxU9oiZkhsc52d9KYVDR0
-st1l/VfIdpENnwZLNsdCmFhIPC4dsoIGYqXj0abh0Z2ZXJZefx2P2DlIHVdhhOnr
-jYlinAwerhOdbMWfqJ+SmrCPRCTHaYSacrWFBY8eqRMbKKljEC4oK0+gOG2KIJMH
-jmR4lMh4qoLVEHB55pisMYHlAJGQm9NHZOwmJ1zUGdbh4/9PEw8K0t+0hl31hCHA
-RhMf2sKpRfrNh0yOs8OzQth4ULIkqWKNZ8/Ewa//F5zvSsmFINOEzJHEKgRQ7f6o
-lLMC0S2qZ/R0sneNwcWhfmLrydfoqTOBtOStZwIDAQABAoIBAQCW49qnnl6MMiPH
-V6wxsKhJvP6i8Dt+fBDUdbQ2fPmG1teeK/357ojC89XJlGbpNHo+0OxNa65gNe3m
-/g+MdOjw3auFMFRrPBBiX7NNdJpy1Brv5DVrhW1N3P3TJfH3MA7RjjYFdyVAKdEZ
-pjud41mX7N4VoRacjJDbTeJveLRlowB2gPcxhNZlF6gPP1ZaHwR/b1+0qOTcsxj3
-hqC7zdmMM8UGQ38S3ba7dldlCVAvJgylRX+LPTx5x32wMntaSmBy0cdRqfHtznij
-MZQnJiUuAvlQyjCbt0j7jycBZrMfgS+hESHaUG7wdJUraL40hlX2L4RfIyMtriwB
-9Xe5fVABAoGBAP3Bphf6k/QxbCrVyyw3Q13MMug63bj3mqhjwOJUoEu+3O4+5Qcw
-bIKEOxDFy82lwVHEnYU2tyxVcLBoXP0kMVkrWQIuDSPrneSQxIO1npBZTvBIvWSr
-Yh3kJa15zlF4JxljwXfjLskInRlL45gBiG8FbSuDtXTxPJBtlrIHE0lnAoGBANED
-/Ct5cocPPTYDGq7FxkGEOFoZM1OTsnL68NmcOhp69uWOAgNCIZEifYBz/SSx1ISJ
-QjDdie3BQ0zp2CZe5Fujtz0oT4VPsrJUcND6fZnG79aA2P2S4tXOdVbElB4fOWuT
-Sd1WOmgOFAn+B907PsP2BEh2BPO2/eqy3hN38PwBAoGAZzAJ9JJG+/PlAn4xwmcu
-k8Pnp5vYcdDuKS93ThIPpP2WJaOZypSca26N/kIQoC2ZMUD8tSEM15Be5L1rotzG
-3HXOGh7T5Rl4+WsNHmoKcrR+byOFMJyop3MRBzwS8/oiHCb+k1vkuIcyKwk7IaLt
-8geI3zsN3OIEOM73iqlp5F0CgYBbSWFGX4l8oVQ7lcl+kZRQIv41o5H+K6ChhSXR
-9OCPlirlAUuxvp1IdQbZJk9mSmCl7gjBrNBDzcel/O/RelpEB9HM3SE1+SPzrNuE
-+hIHKpKvXaDnxtJZTQ2EcuC58ysx56c4CyQBNDzeTFuE7Q4xqe4e86SgCMkHS02g
-tR7EAQKBgQCRoTsOFcCK2jXBhfcuwcrnrTJmf6LFxW08Mfl9qxKUjz20bx6jgv7f
-TrRUHavmVrrGkAc6eTtoa+2cC5ffSBWHeCD48omb+DZGPF54UbEYyRUb5umKbfI3
-M3WiHTTpeTOx2MmPwiAHhPuaWMV9jWkRG01+wIX4HybGYeEAVHE9lg==
+MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx
+EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR
+cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8
+74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D
+M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G
+pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq
+1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa
+7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ
+iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt
+su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ
+AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm
+B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE
+kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC
+XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1
+VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z
+/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU
+CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf
+552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG
+XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi
+o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ
+NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2
+u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d
+xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC
+dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE
+DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w==
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
index 7f5f8d703..124e2ae46 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -1,28 +1,28 @@
-----BEGIN CERTIFICATE-----
-MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
+MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG
-A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0
-MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
+A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5
+MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u
Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh
-bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm
-RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG
-aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs
-BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU
-lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO
-wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51
-vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
-HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
+bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6
+GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu
+uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA
+PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2
+jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd
+D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK
+KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV
+HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ
owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51
eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT
d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u
Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG
MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy
bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY
-AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX
-QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S
-smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1
-Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O
-vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC
-kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6
-Y0Y2hqCja6SsIjVc
+AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL
+aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo
+830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5
+lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2
+NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR
+pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu
+Mc/lk4Nl8pHRO+Xm
-----END CERTIFICATE-----
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
index 8295f97c1..11607c8cb 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q
-t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/
-rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW
-B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi
-aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi
-81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot
-teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI
-B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT
-p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd
-yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq
-+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea
-zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv
-AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/
-dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn
-UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2
-1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9
-yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu
-fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc
-3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC
-reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb
-zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV
-3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu
-uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR
-OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn
-gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA==
+MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0
+unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd
+GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb
+kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg
+z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY
+pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ
+ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB
+u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9
+ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt
+pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV
+VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/
+ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/
+intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku
+4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I
+HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd
+iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE
+caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX
+b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0
+8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04
+J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7
+3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09
+NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh
+VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU
+KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof
+50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H
-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
index aea6d8555..7c510261d 100755
--- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
index aea6d8555..7c510261d 100755
--- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
index 1a68ada0e..1b362e65c 100755
--- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
-
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -421,6 +253,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -445,6 +285,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -484,6 +331,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -527,6 +383,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -543,16 +406,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
index d59ea3c34..3a9493ba3 100644
--- a/testing/tests/libipsec/rw-suite-b/evaltest.dat
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -1,8 +1,8 @@
carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -486,6 +326,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -525,6 +372,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -568,6 +424,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -584,16 +447,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -486,6 +326,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -525,6 +372,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -568,6 +424,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -584,16 +447,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
index 15c239466..7d0c583b3 100755
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -1,5 +1,5 @@
-#! /bin/sh
-# iproute2 version, default updown script
+#!/bin/sh
+# default updown script
#
# Copyright (C) 2003-2004 Nigel Meteringham
# Copyright (C) 2003-2004 Tuomo Soini
@@ -22,8 +22,6 @@
# that, and use the (left/right)updown parameters in ipsec.conf to make
# strongSwan use yours instead of this default one.
-# things that this script gets (from ipsec_pluto(8) man page)
-#
# PLUTO_VERSION
# indicates what version of this interface is being
# used. This document describes version 1.1. This
@@ -41,15 +39,17 @@
# is the name of the connection for which we are
# routing.
#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
# PLUTO_INTERFACE
# is the name of the ipsec interface to be used.
#
# PLUTO_REQID
-# is the requid of the ESP policy
+# is the requid of the AH|ESP policy
+#
+# PLUTO_PROTO
+# is the negotiated IPsec protocol, ah|esp
+#
+# PLUTO_IPCOMP
+# is not empty if IPComp was negotiated
#
# PLUTO_UNIQUEID
# is the unique identifier of the associated IKE_SA
@@ -66,15 +66,6 @@
# host's own IP address / max (where max is 32 for
# IPv4 and 128 for IPv6).
#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. If the client is
-# just the host, this will be 255.255.255.255.
-#
# PLUTO_MY_SOURCEIP
# PLUTO_MY_SOURCEIP4_$i
# PLUTO_MY_SOURCEIP6_$i
@@ -88,7 +79,8 @@
#
# PLUTO_MY_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
+# restricted on our side. For ICMP/ICMPv6 this contains the
+# message type, and PLUTO_PEER_PORT the message code.
#
# PLUTO_PEER
# is the IP address of our peer.
@@ -96,31 +88,19 @@
# PLUTO_PEER_ID
# is the ID of our peer.
#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
# PLUTO_PEER_CLIENT
# is the IP address / count of the peer's client sub-
# net. If the client is just the peer, this will be
# the peer's own IP address / max (where max is 32
# for IPv4 and 128 for IPv6).
#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
# PLUTO_PEER_PROTOCOL
# is the IP protocol that will be transported.
#
# PLUTO_PEER_PORT
# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
+# restricted on the peer side. For ICMP/ICMPv6 this contains the
+# message code, and PLUTO_MY_PORT the message type.
#
# PLUTO_XAUTH_ID
# is an optional user ID employed by the XAUTH protocol
@@ -146,7 +126,7 @@
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
export PATH
-# uncomment to log VPN connections
+# comment to disable logging VPN connections to syslog
VPN_LOGGING=1
#
# tag put in front of each log entry:
@@ -160,21 +140,11 @@ FAC_PRIO=local0.notice
#
# local0.notice -/var/log/vpn
-# in order to use source IP routing the Linux kernel options
-# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
-# must be enabled
-#
-# special routing table for sourceip routes
-SOURCEIP_ROUTING_TABLE=220
-#
-# priority of the sourceip routing table
-SOURCEIP_ROUTING_TABLE_PRIO=220
-
# check interface version
case "$PLUTO_VERSION" in
-1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+1.[0|1]) # Older release?!? Play it safe, script may be using new features.
echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
- echo "$0: called by obsolete Pluto?" >&2
+ echo "$0: called by obsolete release?" >&2
exit 2
;;
1.*) ;;
@@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment)
;;
esac
-# utility functions for route manipulation
-# Meddling with this stuff should not be necessary and requires great care.
-uproute() {
- doroute add
- ip route flush cache
-}
-downroute() {
- doroute delete
- ip route flush cache
-}
-
-addsource() {
- st=0
- if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
- then
- it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: addsource \`$it' failed ($oops)" >&2
- fi
- fi
- return $st
-}
-
-doroute() {
- st=0
-
- if [ -z "$PLUTO_MY_SOURCEIP" ]
- then
- for dir in /etc/sysconfig /etc/conf.d; do
- if [ -f "$dir/defaultsource" ]
- then
- . "$dir/defaultsource"
- fi
- done
-
- if [ -n "$DEFAULTSOURCE" ]
- then
- PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
- fi
- fi
+IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID"
+IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # leave because no route entry is required
- return $st
- fi
-
- parms1="$PLUTO_PEER_CLIENT"
-
- if [ -n "$PLUTO_NEXT_HOP" ]
- then
- parms2="via $PLUTO_NEXT_HOP"
- else
- parms2="via $PLUTO_PEER"
- fi
- parms2="$parms2 dev $PLUTO_INTERFACE"
-
- parms3=
- if [ -n "$PLUTO_MY_SOURCEIP" ]
- then
- if test "$1" = "add"
- then
- addsource
- if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
- then
- ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
- fi
- fi
- parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
- fi
-
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # opportunistic encryption work around
- # need to provide route that eclipses default, without
- # replacing it.
- it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
- ip route $1 128.0.0.0/1 $parms2 $parms3"
- ;;
- *) it="ip route $1 $parms1 $parms2 $parms3"
- ;;
- esac
- oops="`eval $it 2>&1`"
- st=$?
- if test " $oops" = " " -a " $st" != " 0"
- then
- oops="silent error, exit status $st"
- fi
- if test " $oops" != " " -o " $st" != " 0"
- then
- echo "$0: doroute \`$it' failed ($oops)" >&2
- fi
- return $st
-}
-
-# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
-if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
-then
- KLIPS=1
- IPSEC_POLICY_IN=""
- IPSEC_POLICY_OUT=""
-else
- KLIPS=
- IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
- IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
- IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
-fi
+# use protocol specific options to set ports
+case "$PLUTO_MY_PROTOCOL" in
+1) # ICMP
+ ICMP_TYPE_OPTION="--icmp-type"
+ ;;
+58) # ICMPv6
+ ICMP_TYPE_OPTION="--icmpv6-type"
+ ;;
+*)
+ ;;
+esac
# are there port numbers?
if [ "$PLUTO_MY_PORT" != 0 ]
then
- S_MY_PORT="--sport $PLUTO_MY_PORT"
- D_MY_PORT="--dport $PLUTO_MY_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT"
+ else
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+ fi
fi
if [ "$PLUTO_PEER_PORT" != 0 ]
then
- S_PEER_PORT="--sport $PLUTO_PEER_PORT"
- D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ if [ -n "$ICMP_TYPE_OPTION" ]
+ then
+ # the syntax is --icmp[v6]-type type[/code], so add it to the existing option
+ S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT"
+ D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT"
+ else
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+ fi
fi
# resolve octal escape sequences
PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-# the big choice
case "$PLUTO_VERB:$1" in
-prepare-host:*|prepare-client:*)
- if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
- then
- # exit because no route will be added,
- # so that existing routes can stay
- exit 0
- fi
-
- # delete possibly-existing route (preliminary to adding a route)
- case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
- "0.0.0.0/0.0.0.0")
- # need to provide route that eclipses default, without
- # replacing it.
- parms1="0.0.0.0/1"
- parms2="128.0.0.0/1"
- it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
- oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
- ;;
- *)
- parms="$PLUTO_PEER_CLIENT"
- it="ip route delete $parms 2>&1"
- oops="`ip route delete $parms 2>&1`"
- ;;
- esac
- status="$?"
- if test " $oops" = " " -a " $status" != " 0"
- then
- oops="silent error, exit status $status"
- fi
- case "$oops" in
- *'RTNETLINK answers: No such process'*)
- # This is what route (currently -- not documented!) gives
- # for "could not find such a route".
- oops=
- status=0
- ;;
- esac
- if test " $oops" != " " -o " $status" != " 0"
- then
- echo "$0: \`$it' failed ($oops)" >&2
- fi
- exit $status
- ;;
-route-host:*|route-client:*)
- # connection to me or my client subnet being routed
- uproute
- ;;
-unroute-host:*|unroute-client:*)
- # connection to me or my client subnet being unrouted
- downroute
- ;;
up-host:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
@@ -395,7 +227,7 @@ down-host:)
# connection to me going down
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_ME $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
@@ -406,8 +238,8 @@ up-client:)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
PLUTO_INTERFACE=ipsec0
- if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
- then
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
@@ -444,7 +276,7 @@ down-client:)
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
- -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
-s $PLUTO_MY_CLIENT $S_MY_PORT \
@@ -462,6 +294,14 @@ up-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed)
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection setup
if [ $VPN_LOGGING ]
then
@@ -486,6 +326,13 @@ down-host:iptables)
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec host connection teardown
if [ $VPN_LOGGING ]
then
@@ -525,6 +372,15 @@ up-client:iptables)
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # allow IPIP traffic because of the implicit SA created by the kernel if
+ # IPComp is used (for small inbound packets that are not compressed).
+ # INPUT is correct here even for forwarded traffic.
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection setup
if [ $VPN_LOGGING ]
then
@@ -568,6 +424,13 @@ down-client:iptables)
$IPSEC_POLICY_OUT -j ACCEPT
fi
#
+ # IPIP exception teardown
+ if [ -n "$PLUTO_IPCOMP" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \
+ -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
# log IPsec client connection teardown
if [ $VPN_LOGGING ]
then
@@ -584,16 +447,6 @@ down-client:iptables)
#
# IPv6
#
-prepare-host-v6:*|prepare-client-v6:*)
- ;;
-route-host-v6:*|route-client-v6:*)
- # connection to me or my client subnet being routed
- #uproute_v6
- ;;
-unroute-host-v6:*|unroute-client-v6:*)
- # connection to me or my client subnet being unrouted
- #downroute_v6
- ;;
up-host-v6:)
# connection to me coming up
# If you are doing a custom version, firewall commands go here.
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..4d99866f7
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm
+MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ
+qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1
+ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR
+fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN
+2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9
+K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7
+mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc
+ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f
+XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy
+Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx
+J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj
+zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0
+8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT
+61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo
+PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug
+bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b
+eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1
+ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am
+DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt
+v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0
+fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw
+y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC
+h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2
+cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 000000000..d8fad9aad
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB
+eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+
+mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV
+sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK
+3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ
+mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl
+QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw
+HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH
+eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54
+/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/
+RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc
+Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY
+Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/
+Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h
+BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv
+NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF
+wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc
+JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78
+5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf
+mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi
+N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr
+r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX
+jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy
+gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV
+zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ==
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
index 0110bb996..55ac10935 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat
@@ -6,9 +6,9 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 4a5e52dbd..d94b17950 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -2,4 +2,5 @@
charon {
load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ signature_authentication = no
}
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
index 8a4215dcc..2d7324a9a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat
@@ -2,10 +2,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
-moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES
-carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
-dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
+carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
+dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
index 7169a091d..a0831f746 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat
@@ -1,7 +1,7 @@
dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
index 57cbee1d4..200ec3cfb 100644
--- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat
@@ -1,7 +1,7 @@
dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
-moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
index e1d33feb7..73173f06b 100644
--- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
+++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat
@@ -1,4 +1,4 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
index 1648c9557..1206ea4b7 100644
--- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
+++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat
@@ -1,6 +1,6 @@
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES
-moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/description.txt b/testing/tests/swanctl/net2net-cert-ipv6/description.txt
deleted file mode 100755
index 5952ecc2d..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/description.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up.
-It connects the two subnets hiding behind their respective gateways. The authentication is based on
-X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b>
-automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic.
-In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b>
-sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command.
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat b/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat
deleted file mode 100755
index cdbecd553..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index bd131af39..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
-
- fragment_size = 1400
-}
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100755
index 16e145cd7..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = fec0::1
- remote_addrs = fec0::2
-
- local {
- auth = pubkey
- certs = moonCert.pem
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- id = sun.strongswan.org
- }
- children {
- net-net {
- local_ts = fec1::0/16
- remote_ts = fec2::0/16
-
- start_action = none
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 10m
- esp_proposals = aes128gcm128-modp2048
- }
- }
-
- version = 2
- mobike = no
- fragmentation = yes
- reauth_time = 60m
- rekey_time = 20m
- proposals = aes128-sha256-modp2048
- }
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index bd131af39..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem pkcs1 x509 revocation constraints pubkey openssl random
-}
-
-charon {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
-
- fragment_size = 1400
-}
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
deleted file mode 100755
index 90aa137f0..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = fec0::2
- remote_addrs = fec0::1
-
- local {
- auth = pubkey
- certs = sunCert.pem
- id = sun.strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- net-net {
- local_ts = fec2::0/16
- remote_ts = fec1::0/16
-
- start_action = none
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 10m
- esp_proposals = aes128gcm128-modp2048
- }
- }
-
- version = 2
- mobike = no
- fragmentation = yes
- reauth_time = 60m
- rekey_time = 20m
- proposals = aes128-sha256-modp2048
- }
-}
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat b/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat
deleted file mode 100755
index a40a7dd2f..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat
+++ /dev/null
@@ -1,11 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::service charon stop 2> /dev/null
-sun::service charon stop 2> /dev/null
-alice::"ip route del fec2:\:/16 via fec1:\:1"
-moon::"ip route del fec2:\:/16 via fec0:\:2"
-sun::"ip route del fec1:\:/16 via fec0:\:1"
-bob::"ip route del fec1:\:/16 via fec2:\:1"
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-moon::ip6tables-restore < /etc/ip6tables.flush
-sun::ip6tables-restore < /etc/ip6tables.flush
diff --git a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat b/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat
deleted file mode 100755
index 36e8e1999..000000000
--- a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat
+++ /dev/null
@@ -1,16 +0,0 @@
-moon::iptables-restore < /etc/iptables.drop
-sun::iptables-restore < /etc/iptables.drop
-moon::ip6tables-restore < /etc/ip6tables.rules
-sun::ip6tables-restore < /etc/ip6tables.rules
-alice::"ip route add fec2:\:/16 via fec1:\:1"
-moon::"ip route add fec2:\:/16 via fec0:\:2"
-sun::"ip route add fec1:\:/16 via fec0:\:1"
-bob::"ip route add fec1:\:/16 via fec2:\:1"
-moon::service charon start 2> /dev/null
-sun::service charon start 2> /dev/null
-moon::sleep 1
-moon::swanctl --load-conns 2> /dev/null
-sun::swanctl --load-conns 2> /dev/null
-moon::swanctl --load-creds 2> /dev/null
-sun::swanctl --load-creds 2> /dev/null
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat
index d8d44dff6..de50ab32b 100644
--- a/testing/tests/tkm/host2host-initiator/evaltest.dat
+++ b/testing/tests/tkm/host2host-initiator/evaltest.dat
@@ -10,3 +10,7 @@ moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
index 7c8c6b24a..f5143f19a 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
+++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat
@@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat
index 8e0042102..1f0c88b53 100644
--- a/testing/tests/tkm/multiple-clients/evaltest.dat
+++ b/testing/tests/tkm/multiple-clients/evaltest.dat
@@ -15,8 +15,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES
sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES
sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES
-sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
-sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES
+sun::cat /tmp/tkm.log | grep "Checked CA certificate of CC context 1" | wc -l::2::YES
sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
index a38dba0ee..98eff247f 100644
--- a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
+++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat
@@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES
moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
diff --git a/testing/tests/tkm/xfrmproxy-expire/description.txt b/testing/tests/tkm/xfrmproxy-expire/description.txt
new file mode 100644
index 000000000..9578cd8f3
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/description.txt
@@ -0,0 +1,6 @@
+A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up.
+The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM
+proxy, which relays XFRM kernel messages to charon. The authentication is based
+on X.509 certificates. The connection is initiated by a ping from <b>moon</b>
+to <b>sun</b>. The test asserts that XFRM expire messages from the kernel are
+handled correctly.
diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
new file mode 100644
index 000000000..96b486a07
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat
@@ -0,0 +1,22 @@
+moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES
+sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES
+moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES
+moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES
+moon::cat /tmp/tkm.log | grep 'Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES
+moon::cat /tmp/xfrm_proxy.log::Initiating ESA expire (reqid 1, proto 50, SPI.*, hard FALSE)::YES
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cc9d6e072
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,8 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+}
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der
new file mode 100644
index 000000000..d3748930a
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der
Binary files differ
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der
new file mode 100644
index 000000000..a5a631f4b
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der
Binary files differ
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 000000000..23e958ab0
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+<tkmconfig>
+ <local_identity id="1">
+ <identity>moon.strongswan.org</identity>
+ <certificate>moonCert.pem</certificate>
+ </local_identity>
+ <policy id="1">
+ <mode>transport</mode>
+ <local>
+ <identity_id>1</identity_id>
+ <ip>192.168.0.1</ip>
+ </local>
+ <remote>
+ <identity>sun.strongswan.org</identity>
+ <ip>192.168.0.2</ip>
+ </remote>
+ <lifetime>
+ <soft>2</soft>
+ <hard>60</hard>
+ </lifetime>
+ </policy>
+</tkmconfig>
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..e52a04f42
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=sun.strongswan.org
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ ike=aes256-sha512-modp4096!
+ esp=aes256-sha512-modp4096!
+ type=transport
+ auto=add
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f585edfca
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/tkm/xfrmproxy-expire/posttest.dat b/testing/tests/tkm/xfrmproxy-expire/posttest.dat
new file mode 100644
index 000000000..99efe7b00
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/posttest.dat
@@ -0,0 +1,5 @@
+moon::DAEMON_NAME=charon-tkm ipsec stop
+moon::killall xfrm_proxy
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log
+sun::ipsec stop
diff --git a/testing/tests/tkm/xfrmproxy-expire/pretest.dat b/testing/tests/tkm/xfrmproxy-expire/pretest.dat
new file mode 100644
index 000000000..d645ddbfe
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/pretest.dat
@@ -0,0 +1,12 @@
+sun::ipsec start
+moon::rm /etc/ipsec.secrets
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/ipsec.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::DAEMON_NAME=charon-tkm ipsec start
+moon::expect-file /tmp/tkm.rpc.ees
+moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 &
+moon::DAEMON_NAME=charon-tkm expect-connection conn1
+sun::expect-connection host-host
+moon::ping -c 3 192.168.0.2
diff --git a/testing/tests/tkm/xfrmproxy-expire/test.conf b/testing/tests/tkm/xfrmproxy-expire/test.conf
new file mode 100644
index 000000000..9647dc6a2
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
index d93407434..b9eee4f57 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
index e22b767f7..224807860 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
index e22b767f7..224807860 100644
--- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat
+++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat
@@ -1,8 +1,8 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/description.txt b/testing/tests/tnc/tnccs-20-fail-init/description.txt
new file mode 100644
index 000000000..91fbbaad9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>carol</b> sends her first PB-TNC batch with a wrong version number and
+<b>dave</b> sends a PB-TNC message not supported by <b>moon</b> with the NOSKIP flag set.
+Therefore both connection setups fail due to fatal PB-TNC errors.
diff --git a/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
new file mode 100644
index 000000000..4cbf60ff7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
@@ -0,0 +1,10 @@
+moon:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+carol::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+carol::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::reject PB-TNC message (0x00902a/0x00000000)::YES
+dave:: cat /var/log/daemon.log::received fatal PB-TNC error.*Unsupported Mandatory Message::YES
+dave::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fcd224651
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnccs-20 {
+ tests {
+ pb_tnc_version = 3
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..504408488
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..76f413722
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnc-imc {
+ preferred_language = ru, pl , de
+ }
+ tnccs-20 {
+ tests {
+ pb_tnc_noskip = yes
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = isolate
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9c13fcb67
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client
+
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
new file mode 100644
index 000000000..38c651328
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf
new file mode 100644
index 000000000..3c8e3996f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/description.txt b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
new file mode 100644
index 000000000..0aa07193c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
@@ -0,0 +1,9 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the client doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>moon</b> sends his first PB-TNC batch with a wrong version number .
+Therefore the connection setup fails due to a fatal PB-TNC error.
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
new file mode 100644
index 000000000..df4bdc857
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
@@ -0,0 +1,5 @@
+carol:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+moon::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+moon::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed6d6f718
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..626731f58
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ tnccs-20 {
+ tests {
+ pb_tnc_version = 3
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client
+
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
new file mode 100644
index 000000000..80ce1a125
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
@@ -0,0 +1,4 @@
+carol::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
new file mode 100644
index 000000000..6947c4bdf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
new file mode 100644
index 000000000..e8430743e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
new file mode 100644
index 000000000..6c79b8c49
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt
@@ -0,0 +1,3 @@
+The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements over IKEv2-EAP
+using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on
+X.509 certificates.
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
new file mode 100644
index 000000000..0ef7b5d7d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
@@ -0,0 +1,11 @@
+moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
+sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
+moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..47a0283dc
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 2, imv 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=moon.strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=sun.strongswan.org
+ rightsendcert=never
+ rightauth=any
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..953e7fcea
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+ multiple_authentication = no
+ plugins {
+ eap-ttls {
+ phase2_tnc =yes
+ }
+ tnccs-20 {
+ mutual = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..c20bce930
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 2, imv 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn host-host
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=sun.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ rightauth=eap-ttls
+ rightsendcert=never
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..570126a0e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown
+
+ multiple_authentication = no
+ plugins {
+ eap-ttls {
+ request_peer_auth = yes
+ phase2_piggyback = yes
+ phase2_tnc =yes
+ }
+ tnccs-20 {
+ mutual = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
new file mode 100644
index 000000000..3bce9f6e5
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up host-host
diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
new file mode 100644
index 000000000..55d6e9fd6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
new file mode 100644
index 000000000..09ab8e9f1
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
@@ -0,0 +1,3 @@
+The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements using the
+PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on
+X.509 certificates.
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat
new file mode 100644
index 000000000..eb996192d
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::PT-TLS authentication complete::YES
+sun:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+moon::cat /var/log/auth.log::activating mutual PB-TNC half duplex protocol::YES
+sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES
+moon::cat /var/log/auth.log::PB-TNC access recommendation is.*Access Allowed::YES
+sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..98c415edb
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+/* configuration is read from /etc/pts/options */
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
new file mode 100644
index 000000000..79ae1e866
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options
@@ -0,0 +1,8 @@
+--connect sun.strongswan.org
+--client moon.strongswan.org
+--key /etc/ipsec.d/private/moonKey.pem
+--cert /etc/ipsec.d/certs/moonCert.pem
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--mutual
+--quiet
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..fafdac4aa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pt-tls-client {
+ load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..ba629a24f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 2, imc 2, imv 2"
+
+conn pdp
+ leftcert=sunCert.pem
+ leftid=sun.strongswan.org
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..05ffdb178
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20
+
+ plugins {
+ tnc-pdp {
+ server = sun.strongswan.org
+ radius {
+ enable = no
+ }
+ }
+ tnccs-20 {
+ mutual = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config
new file mode 100644
index 000000000..476e8807e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC/IMV configuration file for strongSwan endpoint
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
new file mode 100644
index 000000000..e6ccb14fe
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat
@@ -0,0 +1 @@
+sun::ipsec stop
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
new file mode 100644
index 000000000..fab55d11a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat
@@ -0,0 +1,4 @@
+sun::ipsec start
+moon::cat /etc/pts/options
+moon::sleep 1
+moon::ipsec pt-tls-client --optionsfrom /etc/pts/options
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
new file mode 100644
index 000000000..55d6e9fd6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
index a86fcff61..f744453e6 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@@ -1,10 +1,10 @@
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
dave:: cat /var/log/daemon.log::collected ... SWID tags::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES
carol::cat /var/log/daemon.log::collected 1 SWID tag::YES