- New upstream release.

- Don't disable internal crypto plugins, pluto expects to find them in
  some cases.
- Enable integrity checking.

5 files changed, 134 insertions, 41 deletions

diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am
index ea39ce0d5..bf4963f29 100644
--- a/src/charon/plugins/sql/Makefile.am
+++ b/src/charon/plugins/sql/Makefile.am
@@ -10,7 +10,7 @@ plugin_LTLIBRARIES = libstrongswan-sql.la
 libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
   sql_config.h sql_config.c sql_cred.h sql_cred.c \
   sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
-libstrongswan_sql_la_LDFLAGS = -module
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
 
 ipsec_PROGRAMS = pool
 pool_SOURCES = pool.c
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index 0848ea0dd..f6fd8e4f7 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -82,12 +82,14 @@ ETAGS = etags
 CTAGS = ctags
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AR = @AR@
 AUTOCONF = @AUTOCONF@
 AUTOHEADER = @AUTOHEADER@
 AUTOMAKE = @AUTOMAKE@
 AWK = @AWK@
+BTLIB = @BTLIB@
 CC = @CC@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
@@ -152,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
 SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
 STRIP = @STRIP@
 VERSION = @VERSION@
 YACC = @YACC@
@@ -192,7 +195,9 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libdir = @libdir@
 libexecdir = @libexecdir@
@@ -237,7 +242,7 @@ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
   sql_config.h sql_config.c sql_cred.h sql_cred.c \
   sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
 
-libstrongswan_sql_la_LDFLAGS = -module
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
 pool_SOURCES = pool.c
 pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
 all: all-am
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 7d393b6f7..ebcc9adc7 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -637,8 +637,19 @@ int main(int argc, char *argv[])
 	} operation = OP_USAGE;
 
 	dbg = dbg_stderr;
-	library_init(STRONGSWAN_CONF);
 	atexit(library_deinit);
+
+	/* initialize library */
+	if (!library_init(STRONGSWAN_CONF))
+	{
+		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+	}
+	if (lib->integrity &&
+		!lib->integrity->check_file(lib->integrity, "pool", argv[0]))
+	{
+		fprintf(stderr, "integrity check of pool failed\n");
+		exit(SS_RC_DAEMON_INTEGRITY);
+	}
 	lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
 		lib->settings->get_str(lib->settings, "pool.load", PLUGINS));
 	
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 95d0d30d4..77601e612 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -92,25 +92,18 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
 }
 
 /**
- * Lookup a lease
+ * Look up an existing lease
  */
-static host_t *get_address(private_sql_attribute_t *this, char *name,
-						   u_int pool, u_int timeout, u_int identity)
+static host_t* check_lease(private_sql_attribute_t *this, char *name,
+						   u_int pool, u_int identity)
 {
-	enumerator_t *e;
-	u_int id;
-	chunk_t address;
-	host_t *host;
-	time_t now = time(NULL);
-	
-	/* We check for leases for that identity first and for other expired
-	 * leases afterwards. We select an address as a candidate, but double
-	 * check if it is still valid in the update. This allows us to work
-	 * without locking. */
-	
-	/* check for an existing lease for that identity  */
 	while (TRUE)
 	{
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+
 		e = this->db->query(this->db,
 				"SELECT id, address FROM addresses "
 				"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
@@ -122,11 +115,14 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 		}
 		address = chunk_clonea(address);
 		e->destroy(e);
+
 		if (this->db->execute(this->db, NULL,
 				"UPDATE addresses SET acquired = ?, released = 0 "
 				"WHERE id = ? AND identity = ? AND released != 0",
 				DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
 		{
+			host_t *host;
+
 			host = host_create_from_chunk(AF_UNSPEC, address, 0);
 			if (host)
 			{
@@ -136,14 +132,43 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 			}
 		}
 	}
-	
-	/* check for an expired lease */
+	return NULL;
+}
+
+/**
+ * We check for unallocated addresses or expired leases. First we select an
+ * address as a candidate, but double check later on if it is still available
+ * during the update operation. This allows us to work without locking.
+ */
+static host_t* get_lease(private_sql_attribute_t *this, char *name,
+						 u_int pool, u_int timeout, u_int identity)
+{
 	while (TRUE)
 	{
-		e = this->db->query(this->db,
+		u_int id;
+		chunk_t address;
+		enumerator_t *e;
+		time_t now = time(NULL);
+		int hits;
+
+		if (timeout)
+		{
+			/* check for an expired lease */
+			e = this->db->query(this->db,
 				"SELECT id, address FROM addresses "
 				"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
 				DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
+		}
+		else
+		{
+			/* with static leases, check for an unallocated address */
+			e = this->db->query(this->db,
+				"SELECT id, address FROM addresses "
+				"WHERE pool = ? AND identity = 0 LIMIT 1",
+				DB_UINT, pool, DB_UINT, DB_BLOB);
+
+		}
+
 		if (!e || !e->enumerate(e, &id, &address))
 		{
 			DESTROY_IF(e);
@@ -152,13 +177,27 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 		address = chunk_clonea(address);
 		e->destroy(e);
 			
-		if (this->db->execute(this->db, NULL,
-				"UPDATE addresses SET "
-				"acquired = ?, released = 0, identity = ? "
-				"WHERE id = ? AND released != 0 AND released < ?",
-				DB_UINT, now, DB_UINT, identity,
-				DB_UINT, id, DB_UINT, now - timeout) > 0)
+		if (timeout)
+		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND released != 0 AND released < ?",
+						DB_UINT, now, DB_UINT, identity,
+						DB_UINT, id, DB_UINT, now - timeout);
+		}
+		else
 		{
+			hits = this->db->execute(this->db, NULL,
+						"UPDATE addresses SET "
+						"acquired = ?, released = 0, identity = ? "
+						"WHERE id = ? AND identity = 0",
+						DB_UINT, now, DB_UINT, identity, DB_UINT, id);
+		}
+		if (hits > 0)
+		{
+			host_t *host;
+
 			host = host_create_from_chunk(AF_UNSPEC, address, 0);
 			if (host)
 			{
@@ -169,37 +208,75 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
 		}
 	}
 	DBG1(DBG_CFG, "no available address found in pool '%s'", name);
-	return 0;
+	return NULL;
 }
 
 /**
  * Implementation of attribute_provider_t.acquire_address
  */
 static host_t* acquire_address(private_sql_attribute_t *this,
-							   char *name, identification_t *id,
+							   char *names, identification_t *id,
 							   host_t *requested)
 {
-	enumerator_t *enumerator;
-	u_int pool, timeout, identity;
 	host_t *address = NULL;
-	
+	u_int identity, pool, timeout;
+
 	identity = get_identity(this, id);
 	if (identity)
 	{
-		enumerator = enumerator_create_token(name, ",", " ");
-		while (enumerator->enumerate(enumerator, &name))
+		/* check for a single pool first (no concatenation and enumeration) */
+		if (strchr(names, ',') == NULL)
 		{
-			pool = get_pool(this, name, &timeout);
+			pool = get_pool(this, names, &timeout);
 			if (pool)
 			{
-				address = get_address(this, name, pool, timeout, identity);
-				if (address)
+				/* check for an existing lease */
+				address = check_lease(this, names, pool, identity);
+				if (address == NULL)
+				{
+					/* get an unallocated address or expired lease */
+					address = get_lease(this, names, pool, timeout, identity);
+				}
+			}
+		}
+		else
+		{
+			enumerator_t *enumerator;
+			char *name;
+
+			/* in a first step check for an existing lease over all pools */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
+				{
+					address = check_lease(this, name, pool, identity);
+					if (address)
+					{
+						enumerator->destroy(enumerator);
+						return address;
+					}
+				}
+			}
+			enumerator->destroy(enumerator);
+
+			/* in a second step get an unallocated address or expired lease */
+			enumerator = enumerator_create_token(names, ",", " ");
+			while (enumerator->enumerate(enumerator, &name))
+			{
+				pool = get_pool(this, name, &timeout);
+				if (pool)
 				{
-					break;
+					address = get_lease(this, name, pool, timeout, identity);
+					if (address)
+					{
+						break;
+					}
 				}
 			}
+			enumerator->destroy(enumerator);
 		}
-		enumerator->destroy(enumerator);
 	}
 	return address;
 }
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index 3e5efce34..e7dfe573b 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -295,10 +295,10 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 					mediation, mediated_cfg, peer_id);
 			auth = auth_cfg_create();
 			auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
-			auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id));
+			auth->add(auth, AUTH_RULE_IDENTITY, local_id);
 			peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
 			auth = auth_cfg_create();
-			auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id));
+			auth->add(auth, AUTH_RULE_IDENTITY, remote_id);
 			if (eap_type)
 			{
 				auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);