summaryrefslogtreecommitdiff
path: root/src/charon/plugins/stroke
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2010-02-23 10:34:14 +0000
commited7d79f96177044949744da10f4431c1d6242241 (patch)
tree3aabaa55ed3b5291daef891cfee9befb5235e2b8 /src/charon/plugins/stroke
parent7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (diff)
downloadvyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.tar.gz
vyos-strongswan-ed7d79f96177044949744da10f4431c1d6242241.zip
[svn-upgrade] Integrating new upstream version, strongswan (4.3.6)
Diffstat (limited to 'src/charon/plugins/stroke')
-rw-r--r--src/charon/plugins/stroke/Makefile.am2
-rw-r--r--src/charon/plugins/stroke/Makefile.in145
-rw-r--r--src/charon/plugins/stroke/stroke_attribute.c68
-rw-r--r--src/charon/plugins/stroke/stroke_attribute.h14
-rw-r--r--src/charon/plugins/stroke/stroke_ca.c77
-rw-r--r--src/charon/plugins/stroke/stroke_ca.h18
-rw-r--r--src/charon/plugins/stroke/stroke_config.c142
-rw-r--r--src/charon/plugins/stroke/stroke_config.h12
-rw-r--r--src/charon/plugins/stroke/stroke_control.c52
-rw-r--r--src/charon/plugins/stroke/stroke_control.h12
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c357
-rw-r--r--src/charon/plugins/stroke/stroke_cred.h21
-rw-r--r--src/charon/plugins/stroke/stroke_list.c385
-rw-r--r--src/charon/plugins/stroke/stroke_list.h6
-rw-r--r--src/charon/plugins/stroke/stroke_plugin.c6
-rw-r--r--src/charon/plugins/stroke/stroke_plugin.h2
-rw-r--r--src/charon/plugins/stroke/stroke_shared_key.c12
-rw-r--r--src/charon/plugins/stroke/stroke_shared_key.h6
-rw-r--r--src/charon/plugins/stroke/stroke_socket.c95
-rw-r--r--src/charon/plugins/stroke/stroke_socket.h8
20 files changed, 834 insertions, 606 deletions
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
index 79a63f2c2..94d311609 100644
--- a/src/charon/plugins/stroke/Makefile.am
+++ b/src/charon/plugins/stroke/Makefile.am
@@ -3,7 +3,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_
AM_CFLAGS = \
-rdynamic \
--DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\"
plugin_LTLIBRARIES = libstrongswan-stroke.la
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index 19822ebc8..6e6b3b813 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# Makefile.in generated by automake 1.11 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -16,8 +17,9 @@
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
@@ -35,19 +37,41 @@ host_triplet = @host@
subdir = src/charon/plugins/stroke
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+ $(top_srcdir)/m4/config/ltoptions.m4 \
+ $(top_srcdir)/m4/config/ltsugar.m4 \
+ $(top_srcdir)/m4/config/ltversion.m4 \
+ $(top_srcdir)/m4/config/lt~obsolete.m4 \
+ $(top_srcdir)/m4/macros/with.m4 \
+ $(top_srcdir)/m4/macros/enable-disable.m4 \
+ $(top_srcdir)/configure.in
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(plugindir)"
-pluginLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(plugin_LTLIBRARIES)
libstrongswan_stroke_la_LIBADD =
am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \
@@ -61,6 +85,7 @@ libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
+am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -108,25 +133,22 @@ INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
-IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
-LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
-LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
-LINUX_HEADERS = @LINUX_HEADERS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
@@ -138,11 +160,14 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
+PTHREADLIB = @PTHREADLIB@
RANLIB = @RANLIB@
+RTLIB = @RTLIB@
RUBY = @RUBY@
RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
@@ -171,9 +196,9 @@ build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
-confdir = @confdir@
datadir = @datadir@
datarootdir = @datarootdir@
+default_pkcs11 = @default_pkcs11@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
@@ -196,7 +221,7 @@ ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
libstrongswan_plugins = @libstrongswan_plugins@
-linuxdir = @linuxdir@
+linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
@@ -204,6 +229,7 @@ mandir = @mandir@
mkdir_p = @mkdir_p@
nm_CFLAGS = @nm_CFLAGS@
nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
@@ -212,10 +238,12 @@ pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
+random_device = @random_device@
resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
-simreader = @simreader@
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
@@ -223,12 +251,13 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
AM_CFLAGS = \
-rdynamic \
--DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\"
plugin_LTLIBRARIES = libstrongswan-stroke.la
@@ -256,9 +285,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile'; \
- cd $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/stroke/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -276,23 +305,28 @@ $(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
- @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ list2=; for p in $$list; do \
if test -f $$p; then \
- f=$(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ list2="$$list2 $$p"; \
else :; fi; \
- done
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+ }
uninstall-pluginLTLIBRARIES:
@$(NORMAL_UNINSTALL)
- @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
- p=$(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
done
clean-pluginLTLIBRARIES:
@@ -324,21 +358,21 @@ distclean-compile:
.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c $<
.c.obj:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
@@ -361,7 +395,7 @@ tags: TAGS
TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
+ set x; \
here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
@@ -369,29 +403,34 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
- if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$tags $$unique; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
fi
ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
- test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$tags $$unique
+ $$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
- && cd $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) $$here
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
@@ -412,13 +451,17 @@ distdir: $(DISTFILES)
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
- cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@@ -449,6 +492,7 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -470,6 +514,8 @@ dvi-am:
html: html-am
+html-am:
+
info: info-am
info-am:
@@ -478,18 +524,28 @@ install-data-am: install-pluginLTLIBRARIES
install-dvi: install-dvi-am
+install-dvi-am:
+
install-exec-am:
install-html: install-html-am
+install-html-am:
+
install-info: install-info-am
+install-info-am:
+
install-man:
install-pdf: install-pdf-am
+install-pdf-am:
+
install-ps: install-ps-am
+install-ps-am:
+
installcheck-am:
maintainer-clean: maintainer-clean-am
@@ -528,6 +584,7 @@ uninstall-am: uninstall-pluginLTLIBRARIES
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index d3211fd67..7a5ce683e 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -18,7 +18,7 @@
#include <daemon.h>
#include <utils/linked_list.h>
#include <utils/hashtable.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
#define POOL_LIMIT (sizeof(uintptr_t)*8)
@@ -33,12 +33,12 @@ struct private_stroke_attribute_t {
* public functions
*/
stroke_attribute_t public;
-
+
/**
* list of pools, contains pool_t
*/
linked_list_t *pools;
-
+
/**
* mutex to lock access to pools
*/
@@ -85,7 +85,7 @@ static void pool_destroy(pool_t *this)
{
enumerator_t *enumerator;
identification_t *id;
-
+
enumerator = this->ids->create_enumerator(this->ids);
while (enumerator->enumerate(enumerator, &id, NULL))
{
@@ -107,7 +107,7 @@ static pool_t *find_pool(private_stroke_attribute_t *this, char *name)
{
enumerator_t *enumerator;
pool_t *current, *found = NULL;
-
+
enumerator = this->pools->create_enumerator(this->pools);
while (enumerator->enumerate(enumerator, &current))
{
@@ -129,13 +129,13 @@ host_t* offset2host(pool_t *pool, int offset)
chunk_t addr;
host_t *host;
u_int32_t *pos;
-
+
offset--;
if (offset > pool->size)
{
return NULL;
}
-
+
addr = chunk_clone(pool->base->get_address(pool->base));
if (pool->base->get_family(pool->base) == AF_INET6)
{
@@ -158,7 +158,7 @@ int host2offset(pool_t *pool, host_t *addr)
{
chunk_t host, base;
u_int32_t hosti, basei;
-
+
if (addr->get_family(addr) != pool->base->get_family(pool->base))
{
return -1;
@@ -195,7 +195,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
uintptr_t offset = 0;
enumerator_t *enumerator;
identification_t *old_id;
-
+
this->mutex->lock(this->mutex);
pool = find_pool(this, name);
while (pool)
@@ -206,7 +206,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
this->mutex->unlock(this->mutex);
return requested->clone(requested);
}
-
+
if (!requested->is_anyaddr(requested) &&
requested->get_family(requested) !=
pool->base->get_family(pool->base))
@@ -214,7 +214,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
DBG1(DBG_CFG, "IP pool address family mismatch");
break;
}
-
+
/* check for a valid offline lease, refresh */
offset = (uintptr_t)pool->offline->remove(pool->offline, id);
if (offset)
@@ -227,7 +227,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
break;
}
}
-
+
/* check for a valid online lease, reassign */
offset = (uintptr_t)pool->online->get(pool->online, id);
if (offset && offset == host2offset(pool, requested))
@@ -235,7 +235,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
break;
}
-
+
if (pool->unused < pool->size)
{
/* assigning offset, starting by 1. Handling 0 in hashtable
@@ -270,7 +270,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
}
}
enumerator->destroy(enumerator);
-
+
DBG1(DBG_CFG, "pool '%s' is full, unable to assign address", name);
break;
}
@@ -291,7 +291,7 @@ static bool release_address(private_stroke_attribute_t *this,
pool_t *pool;
bool found = FALSE;
uintptr_t offset;
-
+
this->mutex->lock(this->mutex);
pool = find_pool(this, name);
if (pool)
@@ -320,10 +320,10 @@ static bool release_address(private_stroke_attribute_t *this,
*/
static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
{
- if (msg->add_conn.other.sourceip_size)
+ if (msg->add_conn.other.sourceip_mask)
{
pool_t *pool;
-
+
pool = malloc_thing(pool_t);
pool->base = NULL;
pool->size = 0;
@@ -335,17 +335,17 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
(hashtable_equals_t)id_equals, 16);
pool->ids = hashtable_create((hashtable_hash_t)id_hash,
(hashtable_equals_t)id_equals, 16);
-
+
/* if %config, add an empty pool, otherwise */
if (msg->add_conn.other.sourceip)
{
u_int32_t bits;
int family;
-
- DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d",
- msg->add_conn.name, msg->add_conn.other.sourceip,
- msg->add_conn.other.sourceip_size);
-
+
+ DBG1(DBG_CFG, "adding virtual IP address pool '%s': %s/%d",
+ msg->add_conn.name, msg->add_conn.other.sourceip,
+ msg->add_conn.other.sourceip_mask);
+
pool->base = host_create_from_string(msg->add_conn.other.sourceip, 0);
if (!pool->base)
{
@@ -354,7 +354,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
return;
}
family = pool->base->get_family(pool->base);
- bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_size;
+ bits = (family == AF_INET ? 32 : 128) - msg->add_conn.other.sourceip_mask;
if (bits > POOL_LIMIT)
{
bits = POOL_LIMIT;
@@ -363,7 +363,7 @@ static void add_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
(family == AF_INET ? 32 : 128) - bits);
}
pool->size = 1 << (bits);
-
+
if (pool->size > 2)
{ /* do not use first and last addresses of a block */
pool->unused++;
@@ -383,7 +383,7 @@ static void del_pool(private_stroke_attribute_t *this, stroke_msg_t *msg)
{
enumerator_t *enumerator;
pool_t *pool;
-
+
this->mutex->lock(this->mutex);
enumerator = this->pools->create_enumerator(this->pools);
while (enumerator->enumerate(enumerator, &pool))
@@ -407,7 +407,7 @@ static bool pool_filter(void *mutex, pool_t **poolp, char **name,
void *d3, u_int *offline)
{
pool_t *pool = *poolp;
-
+
*name = pool->name;
*size = pool->size;
*online = pool->online->get_count(pool->online);
@@ -450,10 +450,10 @@ static bool lease_enumerate(lease_enumerator_t *this, identification_t **id_out,
{
identification_t *id;
uintptr_t offset;
-
+
DESTROY_IF(this->current);
this->current = NULL;
-
+
if (this->inner->enumerate(this->inner, &id, NULL))
{
offset = (uintptr_t)this->pool->online->get(this->pool->online, id);
@@ -494,7 +494,7 @@ static enumerator_t* create_lease_enumerator(private_stroke_attribute_t *this,
char *pool)
{
lease_enumerator_t *enumerator;
-
+
this->mutex->lock(this->mutex);
enumerator = malloc_thing(lease_enumerator_t);
enumerator->pool = find_pool(this, pool);
@@ -528,19 +528,19 @@ static void destroy(private_stroke_attribute_t *this)
stroke_attribute_t *stroke_attribute_create()
{
private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t);
-
+
this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address;
this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
- this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
+ this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))enumerator_create_empty;
this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool;
this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool;
this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator;
this->public.create_lease_enumerator = (enumerator_t*(*)(stroke_attribute_t*, char *pool))create_lease_enumerator;
this->public.destroy = (void(*)(stroke_attribute_t*))destroy;
-
+
this->pools = linked_list_create();
this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h
index fc273d1cb..cf6c950a6 100644
--- a/src/charon/plugins/stroke/stroke_attribute.h
+++ b/src/charon/plugins/stroke/stroke_attribute.h
@@ -22,7 +22,7 @@
#define STROKE_ATTRIBUTE_H_
#include <stroke_msg.h>
-#include <config/attributes/attribute_provider.h>
+#include <attributes/attribute_provider.h>
typedef struct stroke_attribute_t stroke_attribute_t;
@@ -30,12 +30,12 @@ typedef struct stroke_attribute_t stroke_attribute_t;
* Stroke IKEv2 cfg attribute provider
*/
struct stroke_attribute_t {
-
+
/**
* Implements attribute provider interface
*/
attribute_provider_t provider;
-
+
/**
* Add a virtual IP address.
*
@@ -43,24 +43,24 @@ struct stroke_attribute_t {
* @param end end of stroke message that contains virtual IP.
*/
void (*add_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-
+
/**
* Remove a virtual IP address.
*
* @param msg stroke message
*/
void (*del_pool)(stroke_attribute_t *this, stroke_msg_t *msg);
-
+
/**
* Create an enumerator over installed pools.
*
- * Enumerator enumerates over
+ * Enumerator enumerates over
* char *pool, u_int size, u_int offline, u_int online.
*
* @return enumerator
*/
enumerator_t* (*create_pool_enumerator)(stroke_attribute_t *this);
-
+
/**
* Create an enumerator over the leases of a pool.
*
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index c354d8cb8..49146f18b 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -17,7 +17,7 @@
#include "stroke_ca.h"
#include "stroke_cred.h"
-#include <utils/mutex.h>
+#include <threading/rwlock.h>
#include <utils/linked_list.h>
#include <crypto/hashers/hasher.h>
@@ -34,17 +34,17 @@ struct private_stroke_ca_t {
* public functions
*/
stroke_ca_t public;
-
+
/**
* read-write lock to lists
*/
rwlock_t *lock;
-
+
/**
* list of starters CA sections and its certificates (ca_section_t)
*/
linked_list_t *sections;
-
+
/**
* stroke credentials, stores our CA certificates
*/
@@ -62,27 +62,27 @@ struct ca_section_t {
* name of the CA section
*/
char *name;
-
+
/**
* reference to cert in trusted_credential_t
*/
certificate_t *cert;
-
+
/**
* CRL URIs
*/
linked_list_t *crl;
-
+
/**
* OCSP URIs
*/
linked_list_t *ocsp;
-
+
/**
* Hashes of certificates issued by this CA
*/
linked_list_t *hashes;
-
+
/**
* Base URI used for certificates from this CA
*/
@@ -90,12 +90,12 @@ struct ca_section_t {
};
/**
- * create a new CA section
+ * create a new CA section
*/
static ca_section_t *ca_section_create(char *name, certificate_t *cert)
{
ca_section_t *ca = malloc_thing(ca_section_t);
-
+
ca->name = strdup(name);
ca->crl = linked_list_create();
ca->ocsp = linked_list_create();
@@ -142,10 +142,9 @@ static void cdp_data_destroy(cdp_data_t *data)
static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
{
public_key_t *public;
- identification_t *keyid;
enumerator_t *enumerator = NULL;
linked_list_t *list;
-
+
if (data->type == CERT_X509_OCSP_RESPONSE)
{
list = section->ocsp;
@@ -164,10 +163,9 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
}
else
{
- keyid = public->get_id(public, data->id->get_type(data->id));
- if (keyid && keyid->matches(keyid, data->id))
+ if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
{
- enumerator = list->create_enumerator(list);
+ enumerator = list->create_enumerator(list);
}
}
public->destroy(public);
@@ -182,25 +180,25 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data
{
enumerator_t *enumerator = NULL, *hash_enum;
identification_t *current;
-
+
if (!data->id || !section->certuribase)
{
return NULL;
}
-
+
hash_enum = section->hashes->create_enumerator(section->hashes);
while (hash_enum->enumerate(hash_enum, &current))
- {
+ {
if (current->matches(current, data->id))
{
char *url, *hash;
-
+
url = malloc(strlen(section->certuribase) + 40 + 1);
strcpy(url, section->certuribase);
hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
strncat(url, hash, 40);
free(hash);
-
+
enumerator = enumerator_create_single(url, free);
break;
}
@@ -231,7 +229,7 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this,
data->this = this;
data->type = type;
data->id = id;
-
+
this->lock->read_lock(this->lock);
return enumerator_create_nested(this->sections->create_enumerator(this->sections),
(type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp,
@@ -244,12 +242,12 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg)
{
certificate_t *cert;
ca_section_t *ca;
-
+
if (msg->add_ca.cacert == NULL)
{
DBG1(DBG_CFG, "missing cacert parameter");
return;
- }
+ }
cert = this->cred->load_ca(this->cred, msg->add_ca.cacert);
if (cert)
{
@@ -288,7 +286,7 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg)
{
enumerator_t *enumerator;
ca_section_t *ca = NULL;
-
+
this->lock->write_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, &ca))
@@ -344,14 +342,14 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
{
ca_section_t *section;
enumerator_t *enumerator;
-
+
hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (hasher == NULL)
{
DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
return;
}
-
+
this->lock->write_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, (void**)&section))
@@ -361,7 +359,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
chunk_t hash, encoded = cert->get_encoding(cert);
hasher->allocate_hash(hasher, encoded, &hash);
section->hashes->insert_last(section->hashes,
- identification_create_from_encoding(ID_CERT_DER_SHA1, hash));
+ identification_create_from_encoding(ID_KEY_ID, hash));
chunk_free(&hash);
chunk_free(&encoded);
break;
@@ -369,7 +367,7 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer
}
enumerator->destroy(enumerator);
this->lock->unlock(this->lock);
-
+
hasher->destroy(hasher);
}
@@ -381,13 +379,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
bool first = TRUE;
ca_section_t *section;
enumerator_t *enumerator;
-
+
this->lock->read_lock(this->lock);
enumerator = this->sections->create_enumerator(this->sections);
while (enumerator->enumerate(enumerator, (void**)&section))
{
certificate_t *cert = section->cert;
public_key_t *public = cert->get_public_key(cert);
+ chunk_t chunk;
if (first)
{
@@ -401,10 +400,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
/* list authkey and keyid */
if (public)
{
- fprintf(out, " authkey: %Y\n",
- public->get_id(public, ID_PUBKEY_SHA1));
- fprintf(out, " keyid: %Y\n",
- public->get_id(public, ID_PUBKEY_INFO_SHA1));
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk))
+ {
+ fprintf(out, " authkey: %#B\n", &chunk);
+ }
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk))
+ {
+ fprintf(out, " keyid: %#B\n", &chunk);
+ }
public->destroy(public);
}
list_uris(section->crl, " crluris: ", out);
@@ -434,7 +437,7 @@ static void destroy(private_stroke_ca_t *this)
stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
{
private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t);
-
+
this->public.set.create_private_enumerator = (void*)return_null;
this->public.set.create_cert_enumerator = (void*)return_null;
this->public.set.create_shared_enumerator = (void*)return_null;
@@ -445,11 +448,11 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list;
this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url;
this->public.destroy = (void(*)(stroke_ca_t*))destroy;
-
+
this->sections = linked_list_create();
this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
this->cred = cred;
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h
index c882d7b4e..21af912ea 100644
--- a/src/charon/plugins/stroke/stroke_ca.h
+++ b/src/charon/plugins/stroke/stroke_ca.h
@@ -37,39 +37,39 @@ struct stroke_ca_t {
* Implements credential_set_t
*/
credential_set_t set;
-
+
/**
* Add a CA to the set using a stroke_msg_t.
*
* @param msg stroke message containing CA info
*/
void (*add)(stroke_ca_t *this, stroke_msg_t *msg);
-
+
/**
* Remove a CA from the set using a stroke_msg_t.
*
* @param msg stroke message containing CA info
*/
void (*del)(stroke_ca_t *this, stroke_msg_t *msg);
-
+
/**
* List CA sections to stroke console.
*
* @param msg stroke message
*/
void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Check if a certificate can be made available through hash and URL.
- *
+ *
* @param cert peer certificate
*/
void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
-
+
/**
- * Destroy a stroke_ca instance.
- */
- void (*destroy)(stroke_ca_t *this);
+ * Destroy a stroke_ca instance.
+ */
+ void (*destroy)(stroke_ca_t *this);
};
/**
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 0b6a4ac31..0752f3c93 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -16,7 +16,7 @@
#include "stroke_config.h"
#include <daemon.h>
-#include <utils/mutex.h>
+#include <threading/mutex.h>
#include <utils/lexparser.h>
typedef struct private_stroke_config_t private_stroke_config_t;
@@ -30,22 +30,22 @@ struct private_stroke_config_t {
* public functions
*/
stroke_config_t public;
-
+
/**
* list of peer_cfg_t
*/
linked_list_t *list;
-
+
/**
* mutex to lock config list
*/
mutex_t *mutex;
-
+
/**
* ca sections
*/
stroke_ca_t *ca;
-
+
/**
* credentials
*/
@@ -93,7 +93,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam
enumerator_t *e1, *e2;
peer_cfg_t *current, *found = NULL;
child_cfg_t *child;
-
+
this->mutex->lock(this->mutex);
e1 = this->list->create_enumerator(this->list);
while (e1->enumerate(e1, &current))
@@ -139,7 +139,7 @@ static void add_proposals(private_stroke_config_t *this, char *string,
char *strict;
proposal_t *proposal;
protocol_id_t proto = PROTO_ESP;
-
+
if (ike_cfg)
{
proto = PROTO_IKE;
@@ -195,7 +195,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
ike_cfg_t *ike_cfg;
char *interface;
host_t *host;
-
+
host = host_create_from_dns(msg->add_conn.other.address, 0, 0);
if (host)
{
@@ -227,7 +227,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
{
free(interface);
}
-
+
}
}
}
@@ -236,7 +236,7 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
msg->add_conn.me.address,
msg->add_conn.other.address);
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
- return ike_cfg;
+ return ike_cfg;
}
/**
@@ -275,7 +275,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
stroke_end_t *end, *other_end;
auth_cfg_t *cfg;
char eap_buf[32];
-
+
/* select strings */
if (local)
{
@@ -317,7 +317,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
ca = other_end->ca2;
}
}
-
+
if (!auth)
{
if (primary)
@@ -366,9 +366,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
return NULL;
}
}
-
+
cfg = auth_cfg_create();
-
+
/* add identity and peer certifcate */
identity = identification_create_from_string(id);
if (cert)
@@ -380,12 +380,12 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
{
this->ca->check_for_hash_and_url(this->ca, certificate);
}
- cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+ cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
if (identity->get_type(identity) == ID_ANY ||
!certificate->has_subject(certificate, identity))
{
- DBG1(DBG_CFG, " peerid %Y not confirmed by certificate, "
- "defaulting to subject DN: %Y", identity,
+ DBG1(DBG_CFG, " id '%Y' not confirmed by certificate, "
+ "defaulting to '%Y'", identity,
certificate->get_subject(certificate));
identity->destroy(identity);
identity = certificate->get_subject(certificate);
@@ -394,7 +394,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
}
cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
-
+
/* CA constraint */
if (ca)
{
@@ -412,13 +412,13 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
"constraint", ca);
}
}
-
+
/* AC groups */
if (end->groups)
{
enumerator_t *enumerator;
char *group;
-
+
enumerator = enumerator_create_token(end->groups, ",", " ");
while (enumerator->enumerate(enumerator, &group))
{
@@ -428,7 +428,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
}
enumerator->destroy(enumerator);
}
-
+
/* authentication metod (class, actually) */
if (streq(auth, "pubkey") ||
streq(auth, "rsasig") || streq(auth, "rsa") ||
@@ -446,9 +446,9 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
enumerator_t *enumerator;
char *str;
int i = 0, type = 0, vendor;
-
+
cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
-
+
/* parse EAP string, format: eap[-type[-vendor]] */
enumerator = enumerator_create_token(auth, "-", " ");
while (enumerator->enumerate(enumerator, &str))
@@ -488,7 +488,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
i++;
}
enumerator->destroy(enumerator);
-
+
if (msg->add_conn.eap_identity)
{
if (streq(msg->add_conn.eap_identity, "%identity"))
@@ -529,37 +529,36 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
u_int32_t rekey = 0, reauth = 0, over, jitter;
peer_cfg_t *peer_cfg;
auth_cfg_t *auth_cfg;
-
+
#ifdef ME
if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
{
- DBG1(DBG_CFG, "a mediation connection cannot be a"
- " mediated connection at the same time, aborting");
+ DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
+ "at the same time, aborting");
return NULL;
}
-
+
if (msg->add_conn.ikeme.mediation)
{
/* force unique connections for mediation connections */
msg->add_conn.unique = 1;
}
-
+
if (msg->add_conn.ikeme.mediated_by)
{
mediated_by = charon->backends->get_peer_cfg_by_name(charon->backends,
- msg->add_conn.ikeme.mediated_by);
+ msg->add_conn.ikeme.mediated_by);
if (!mediated_by)
{
DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
msg->add_conn.ikeme.mediated_by);
return NULL;
}
-
if (!mediated_by->is_mediation(mediated_by))
{
- DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is"
- "no mediation connection, aborting",
- msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
+ DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
+ "no mediation connection, aborting",
+ msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
mediated_by->destroy(mediated_by);
return NULL;
}
@@ -573,7 +572,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
}
}
#endif /* ME */
-
+
jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
over = msg->add_conn.rekey.margin;
if (msg->add_conn.rekey.reauth)
@@ -583,8 +582,8 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
else
{
rekey = msg->add_conn.rekey.ike_lifetime - over;
- }
- if (msg->add_conn.me.sourceip_size)
+ }
+ if (msg->add_conn.me.sourceip_mask)
{
if (msg->add_conn.me.sourceip)
{
@@ -633,19 +632,19 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
{ /* dpdaction=none disables DPD */
msg->add_conn.dpd.delay = 0;
}
-
+
/* other.sourceip is managed in stroke_attributes. If it is set, we define
* the pool name as the connection name, which the attribute provider
* uses to serve pool addresses. */
peer_cfg = peer_cfg_create(msg->add_conn.name,
msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
- msg->add_conn.me.sendcert, unique,
+ msg->add_conn.me.sendcert, unique,
msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
msg->add_conn.mobike, msg->add_conn.dpd.delay,
- vip, msg->add_conn.other.sourceip_size ?
+ vip, msg->add_conn.other.sourceip_mask ?
msg->add_conn.name : msg->add_conn.other.sourceip,
msg->add_conn.ikeme.mediation, mediated_by, peer_id);
-
+
/* build leftauth= */
auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
if (auth_cfg)
@@ -685,7 +684,7 @@ static void add_ts(private_stroke_config_t *this,
stroke_end_t *end, child_cfg_t *child_cfg, bool local)
{
traffic_selector_t *ts;
-
+
if (end->tohost)
{
ts = traffic_selector_create_dynamic(end->protocol,
@@ -695,7 +694,7 @@ static void add_ts(private_stroke_config_t *this,
else
{
host_t *net;
-
+
if (!end->subnets)
{
net = host_create_from_string(end->address, IKEV2_UDP_PORT);
@@ -709,12 +708,12 @@ static void add_ts(private_stroke_config_t *this,
else
{
char *del, *start, *bits;
-
+
start = end->subnets;
do
{
int intbits = 0;
-
+
del = strchr(start, ',');
if (del)
{
@@ -726,7 +725,7 @@ static void add_ts(private_stroke_config_t *this,
*bits = '\0';
intbits = atoi(bits + 1);
}
-
+
net = host_create_from_string(start, IKEV2_UDP_PORT);
if (net)
{
@@ -753,7 +752,24 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
{
child_cfg_t *child_cfg;
action_t dpd;
-
+ lifetime_cfg_t lifetime = {
+ .time = {
+ .life = msg->add_conn.rekey.ipsec_lifetime,
+ .rekey = msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
+ .jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100
+ },
+ .bytes = {
+ .life = msg->add_conn.rekey.life_bytes,
+ .rekey = msg->add_conn.rekey.life_bytes - msg->add_conn.rekey.margin_bytes,
+ .jitter = msg->add_conn.rekey.margin_bytes * msg->add_conn.rekey.fuzz / 100
+ },
+ .packets = {
+ .life = msg->add_conn.rekey.life_packets,
+ .rekey = msg->add_conn.rekey.life_packets - msg->add_conn.rekey.margin_packets,
+ .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100
+ }
+ };
+
switch (msg->add_conn.dpd.action)
{ /* map startes magic values to our action type */
case 2: /* =hold */
@@ -766,19 +782,19 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this,
dpd = ACTION_NONE;
break;
}
+
child_cfg = child_cfg_create(
- msg->add_conn.name, msg->add_conn.rekey.ipsec_lifetime,
- msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin,
- msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100,
+ msg->add_conn.name, &lifetime,
msg->add_conn.me.updown, msg->add_conn.me.hostaccess,
- msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp);
+ msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp,
+ msg->add_conn.inactivity);
child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode,
msg->add_conn.install_policy);
add_ts(this, &msg->add_conn.me, child_cfg, TRUE);
add_ts(this, &msg->add_conn.other, child_cfg, FALSE);
-
+
add_proposals(this, msg->add_conn.algorithms.esp, NULL, child_cfg);
-
+
return child_cfg;
}
@@ -804,7 +820,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
ike_cfg->destroy(ike_cfg);
return;
}
-
+
enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
while (enumerator->enumerate(enumerator, &existing))
{
@@ -822,7 +838,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
}
}
enumerator->destroy(enumerator);
-
+
child_cfg = build_child_cfg(this, msg);
if (!child_cfg)
{
@@ -830,7 +846,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
return;
}
peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-
+
if (use_existing)
{
peer_cfg->destroy(peer_cfg);
@@ -854,13 +870,13 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
peer_cfg_t *peer;
child_cfg_t *child;
bool deleted = FALSE;
-
+
this->mutex->lock(this->mutex);
enumerator = this->list->create_enumerator(this->list);
while (enumerator->enumerate(enumerator, (void**)&peer))
{
bool keep = FALSE;
-
+
/* remove any child with such a name */
children = peer->create_child_cfg_enumerator(peer);
while (children->enumerate(children, &child))
@@ -877,7 +893,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
}
}
children->destroy(children);
-
+
/* if peer config matches, or has no children anymore, remove it */
if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
{
@@ -888,7 +904,7 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
-
+
if (deleted)
{
DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
@@ -915,19 +931,19 @@ static void destroy(private_stroke_config_t *this)
stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
{
private_stroke_config_t *this = malloc_thing(private_stroke_config_t);
-
+
this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name;
this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add;
this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del;
this->public.destroy = (void(*)(stroke_config_t*))destroy;
-
+
this->list = linked_list_create();
this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
this->ca = ca;
this->cred = cred;
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h
index 270795e4a..05e4665ca 100644
--- a/src/charon/plugins/stroke/stroke_config.h
+++ b/src/charon/plugins/stroke/stroke_config.h
@@ -37,25 +37,25 @@ struct stroke_config_t {
* Implements the backend_t interface
*/
backend_t backend;
-
+
/**
* Add a configuration to the backend.
*
* @param msg received stroke message containing config
*/
void (*add)(stroke_config_t *this, stroke_msg_t *msg);
-
+
/**
* Remove a configuration from the backend.
*
* @param msg received stroke message containing config name
*/
void (*del)(stroke_config_t *this, stroke_msg_t *msg);
-
+
/**
- * Destroy a stroke_config instance.
- */
- void (*destroy)(stroke_config_t *this);
+ * Destroy a stroke_config instance.
+ */
+ void (*destroy)(stroke_config_t *this);
};
/**
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index c572117a2..a03aef697 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -43,7 +43,7 @@ struct stroke_log_info_t {
* level to log up to
*/
level_t level;
-
+
/**
* where to write log
*/
@@ -75,7 +75,7 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name)
{
child_cfg_t *current, *found = NULL;
enumerator_t *enumerator;
-
+
enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
while (enumerator->enumerate(enumerator, &current))
{
@@ -98,7 +98,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
stroke_log_info_t info;
-
+
peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
msg->initiate.name);
if (peer_cfg == NULL)
@@ -113,7 +113,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
peer_cfg->destroy(peer_cfg);
return;
}
-
+
child_cfg = get_child_from_peer(peer_cfg, msg->initiate.name);
if (child_cfg == NULL)
{
@@ -121,7 +121,7 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou
peer_cfg->destroy(peer_cfg);
return;
}
-
+
if (msg->output_verbosity < 0)
{
charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
@@ -150,9 +150,9 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
linked_list_t *ike_list, *child_list;
stroke_log_info_t info;
uintptr_t del;
-
+
string = msg->terminate.name;
-
+
len = strlen(string);
if (len < 1)
{
@@ -174,7 +174,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
child = FALSE;
break;
}
-
+
if (name)
{
/* is a single name */
@@ -202,10 +202,10 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
}
}
}
-
+
info.out = out;
info.level = msg->output_verbosity;
-
+
if (id)
{
if (child)
@@ -220,7 +220,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
}
return;
}
-
+
ike_list = linked_list_create();
child_list = linked_list_create();
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
@@ -228,7 +228,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
{
child_sa_t *child_sa;
iterator_t *children;
-
+
if (child)
{
children = ike_sa->create_child_sa_iterator(ike_sa);
@@ -261,7 +261,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
}
}
enumerator->destroy(enumerator);
-
+
enumerator = child_list->create_enumerator(child_list);
while (enumerator->enumerate(enumerator, &del))
{
@@ -269,7 +269,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
(controller_cb_t)stroke_log, &info);
}
enumerator->destroy(enumerator);
-
+
enumerator = ike_list->create_enumerator(ike_list);
while (enumerator->enumerate(enumerator, &del))
{
@@ -277,7 +277,7 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
(controller_cb_t)stroke_log, &info);
}
enumerator->destroy(enumerator);
-
+
if (child_list->get_count(child_list) == 0 &&
ike_list->get_count(ike_list) == 0)
{
@@ -298,7 +298,7 @@ static void terminate_srcip(private_stroke_control_t *this,
ike_sa_t *ike_sa;
host_t *start = NULL, *end = NULL, *vip;
chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
-
+
if (msg->terminate_srcip.start)
{
start = host_create_from_string(msg->terminate_srcip.start, 0);
@@ -320,7 +320,7 @@ static void terminate_srcip(private_stroke_control_t *this,
}
chunk_end = end->get_address(end);
}
-
+
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
while (enumerator->enumerate(enumerator, &ike_sa))
{
@@ -369,10 +369,10 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
linked_list_t *list;
uintptr_t del;
stroke_log_info_t info;
-
+
info.out = out;
info.level = msg->output_verbosity;
-
+
list = linked_list_create();
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
while (enumerator->enumerate(enumerator, &ike_sa))
@@ -386,7 +386,7 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
iterator->destroy(iterator);
}
enumerator->destroy(enumerator);
-
+
enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, &del))
{
@@ -404,7 +404,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
{
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
-
+
peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
msg->route.name);
if (peer_cfg == NULL)
@@ -417,7 +417,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
peer_cfg->destroy(peer_cfg);
return;
}
-
+
child_cfg = get_child_from_peer(peer_cfg, msg->route.name);
if (child_cfg == NULL)
{
@@ -425,7 +425,7 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
peer_cfg->destroy(peer_cfg);
return;
}
-
+
if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
{
fprintf(out, "configuration '%s' routed\n", msg->route.name);
@@ -446,7 +446,7 @@ static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out
child_sa_t *child_sa;
enumerator_t *enumerator;
u_int32_t id;
-
+
enumerator = charon->traps->create_enumerator(charon->traps);
while (enumerator->enumerate(enumerator, NULL, &child_sa))
{
@@ -477,7 +477,7 @@ static void destroy(private_stroke_control_t *this)
stroke_control_t *stroke_control_create()
{
private_stroke_control_t *this = malloc_thing(private_stroke_control_t);
-
+
this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
@@ -485,7 +485,7 @@ stroke_control_t *stroke_control_create()
this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
this->public.destroy = (void(*)(stroke_control_t*))destroy;
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h
index 5a61a90a4..9b49bdc31 100644
--- a/src/charon/plugins/stroke/stroke_control.h
+++ b/src/charon/plugins/stroke/stroke_control.h
@@ -38,42 +38,42 @@ struct stroke_control_t {
* @param msg stroke message
*/
void (*initiate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Terminate a connection.
*
* @param msg stroke message
*/
void (*terminate)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Terminate a connection by peers virtual IP.
*
* @param msg stroke message
*/
void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Delete IKE_SAs without a CHILD_SA.
*
* @param msg stroke message
*/
void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Route a connection.
*
* @param msg stroke message
*/
void (*route)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Unroute a connection.
*
* @param msg stroke message
*/
void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Destroy a stroke_control instance.
*/
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 31bcfe9f4..bc0b2f6fc 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -27,8 +27,7 @@
#include <credentials/certificates/ac.h>
#include <utils/linked_list.h>
#include <utils/lexparser.h>
-#include <utils/mutex.h>
-#include <asn1/pem.h>
+#include <threading/rwlock.h>
#include <daemon.h>
/* configuration directories and files */
@@ -56,7 +55,7 @@ struct private_stroke_cred_t {
* public functions
*/
stroke_cred_t public;
-
+
/**
* list of trusted peer/signer/CA certificates (certificate_t)
*/
@@ -71,12 +70,12 @@ struct private_stroke_cred_t {
* list of private keys (private_key_t)
*/
linked_list_t *private;
-
+
/**
* read-write lock to lists
*/
rwlock_t *lock;
-
+
/**
* cache CRLs to disk?
*/
@@ -89,6 +88,7 @@ struct private_stroke_cred_t {
typedef struct {
private_stroke_cred_t *this;
identification_t *id;
+ certificate_type_t type;
} id_data_t;
/**
@@ -106,25 +106,17 @@ static void id_data_destroy(id_data_t *data)
static bool private_filter(id_data_t *data,
private_key_t **in, private_key_t **out)
{
- identification_t *candidate;
- id_type_t type;
-
+ private_key_t *key;
+
+ key = *in;
if (data->id == NULL)
{
- *out = *in;
+ *out = key;
return TRUE;
}
- type = data->id->get_type(data->id);
- if (type == ID_KEY_ID)
- { /* handle ID_KEY_ID as a ID_PUBKEY_SHA1 */
- type = ID_PUBKEY_SHA1;
- }
- candidate = (*in)->get_id(*in, type);
- if (candidate &&
- chunk_equals(candidate->get_encoding(candidate),
- data->id->get_encoding(data->id)))
+ if (key->has_fingerprint(key, data->id->get_encoding(data->id)))
{
- *out = *in;
+ *out = key;
return TRUE;
}
return FALSE;
@@ -141,7 +133,7 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
data = malloc_thing(id_data_t);
data->this = this;
data->id = id;
-
+
this->lock->read_lock(this->lock);
return enumerator_create_filter(this->private->create_enumerator(this->private),
(void*)private_filter, data,
@@ -154,26 +146,22 @@ static enumerator_t* create_private_enumerator(private_stroke_cred_t *this,
static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out)
{
public_key_t *public;
- identification_t *candidate;
certificate_t *cert = *in;
- certificate_type_t type = cert->get_type(cert);
- if (type == CERT_X509_CRL || type == CERT_X509_AC)
+ if (data->type != CERT_ANY && data->type != cert->get_type(cert))
{
return FALSE;
}
-
if (data->id == NULL || cert->has_subject(cert, data->id))
{
*out = *in;
return TRUE;
}
-
- public = (cert)->get_public_key(cert);
+
+ public = cert->get_public_key(cert);
if (public)
{
- candidate = public->get_id(public, data->id->get_type(data->id));
- if (candidate && data->id->equals(data->id, candidate))
+ if (public->has_fingerprint(public, data->id->get_encoding(data->id)))
{
public->destroy(public);
*out = *in;
@@ -185,46 +173,6 @@ static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **ou
}
/**
- * filter function for crl enumerator
- */
-static bool crl_filter(id_data_t *data, certificate_t **in, certificate_t **out)
-{
- certificate_t *cert = *in;
-
- if (cert->get_type(cert) != CERT_X509_CRL)
- {
- return FALSE;
- }
-
- if (data->id == NULL || cert->has_issuer(cert, data->id))
- {
- *out = *in;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * filter function for attribute certificate enumerator
- */
-static bool ac_filter(id_data_t *data, certificate_t **in, certificate_t **out)
-{
- certificate_t *cert = *in;
-
- if (cert->get_type(cert) != CERT_X509_AC)
- {
- return FALSE;
- }
-
- if (data->id == NULL || cert->has_subject(cert, data->id))
- {
- *out = *in;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
* Implements credential_set_t.create_cert_enumerator
*/
static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
@@ -232,30 +180,16 @@ static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this,
identification_t *id, bool trusted)
{
id_data_t *data;
-
- if (cert == CERT_X509_CRL || cert == CERT_X509_AC)
+
+ if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC))
{
- if (trusted)
- {
- return NULL;
- }
- data = malloc_thing(id_data_t);
- data->this = this;
- data->id = id;
-
- this->lock->read_lock(this->lock);
- return enumerator_create_filter(this->certs->create_enumerator(this->certs),
- (cert == CERT_X509_CRL)? (void*)crl_filter : (void*)ac_filter,
- data, (void*)id_data_destroy);
- }
- if (cert != CERT_X509 && cert != CERT_ANY)
- { /* we only have X509 certificates. TODO: ACs? */
return NULL;
}
data = malloc_thing(id_data_t);
data->this = this;
data->id = id;
-
+ data->type = cert;
+
this->lock->read_lock(this->lock);
return enumerator_create_filter(this->certs->create_enumerator(this->certs),
(void*)certs_filter, data,
@@ -286,7 +220,7 @@ static bool shared_filter(shared_data_t *data,
void **unused1, id_match_t *me,
void **unused2, id_match_t *other)
{
- id_match_t my_match, other_match;
+ id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE;
stroke_shared_key_t *stroke = *in;
shared_key_t *shared = &stroke->shared;
@@ -294,10 +228,16 @@ static bool shared_filter(shared_data_t *data,
{
return FALSE;
}
-
- my_match = stroke->has_owner(stroke, data->me);
- other_match = stroke->has_owner(stroke, data->other);
- if (!my_match && !other_match)
+
+ if (data->me)
+ {
+ my_match = stroke->has_owner(stroke, data->me);
+ }
+ if (data->other)
+ {
+ other_match = stroke->has_owner(stroke, data->other);
+ }
+ if ((data->me || data->other) && (!my_match && !other_match))
{
return FALSE;
}
@@ -316,12 +256,12 @@ static bool shared_filter(shared_data_t *data,
/**
* Implements credential_set_t.create_shared_enumerator
*/
-static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
+static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this,
shared_key_type_t type, identification_t *me,
identification_t *other)
{
shared_data_t *data = malloc_thing(shared_data_t);
-
+
data->this = this;
data->me = me;
data->other = other;
@@ -339,7 +279,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
{
certificate_t *current;
enumerator_t *enumerator;
- bool new = TRUE;
+ bool new = TRUE;
this->lock->read_lock(this->lock);
enumerator = this->certs->create_enumerator(this->certs);
@@ -363,7 +303,7 @@ static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert)
this->lock->unlock(this->lock);
return cert;
}
-
+
/**
* Implementation of stroke_cred_t.load_ca.
*/
@@ -371,7 +311,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
{
certificate_t *cert;
char path[PATH_MAX];
-
+
if (*filename == '/')
{
snprintf(path, sizeof(path), "%s", filename);
@@ -380,7 +320,7 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
{
snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
}
-
+
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, path,
@@ -388,12 +328,12 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
if (cert)
{
x509_t *x509 = (x509_t*)cert;
-
+
if (!(x509->get_flags(x509) & X509_CA))
{
+ DBG1(DBG_CFG, " ca certificate \"%Y\" misses ca basic constraint, "
+ "discarded", cert->get_subject(cert));
cert->destroy(cert);
- DBG1(DBG_CFG, " ca certificate must have ca basic constraint set, "
- "discarded");
return NULL;
}
return (certificate_t*)add_cert(this, cert);
@@ -408,7 +348,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
{
certificate_t *current, *cert = &crl->certificate;
enumerator_t *enumerator;
- bool new = TRUE, found = FALSE;
+ bool new = TRUE, found = FALSE;
this->lock->write_lock(this->lock);
enumerator = this->certs->create_enumerator(this->certs);
@@ -417,12 +357,11 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl)
if (current->get_type(current) == CERT_X509_CRL)
{
crl_t *crl_c = (crl_t*)current;
- identification_t *authkey = crl->get_authKeyIdentifier(crl);
- identification_t *authkey_c = crl_c->get_authKeyIdentifier(crl_c);
+ chunk_t authkey = crl->get_authKeyIdentifier(crl);
+ chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c);
/* if compare authorityKeyIdentifiers if available */
- if (authkey != NULL && authkey_c != NULL &&
- authkey->equals(authkey, authkey_c))
+ if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c))
{
found = TRUE;
}
@@ -491,17 +430,19 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename)
{
snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename);
}
-
+
cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
+ CRED_CERTIFICATE, CERT_ANY,
BUILD_FROM_FILE, path,
- BUILD_X509_FLAG, 0,
BUILD_END);
if (cert)
{
cert = add_cert(this, cert);
+ DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), filename);
return cert->get_ref(cert);
}
+ DBG1(DBG_CFG, " loading certificate from '%s' failed", filename);
return NULL;
}
@@ -513,7 +454,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
{
struct stat st;
char *file;
-
+
enumerator_t *enumerator = enumerator_create_directory(path);
if (!enumerator)
@@ -535,22 +476,33 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
{
case CERT_X509:
if (flag & X509_CA)
- { /* for CA certificates, we strictly require CA
- * basicconstraints to be set */
+ { /* for CA certificates, we strictly require
+ * the CA basic constraint to be set */
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, file, BUILD_END);
if (cert)
{
x509_t *x509 = (x509_t*)cert;
-
+
if (!(x509->get_flags(x509) & X509_CA))
{
- DBG1(DBG_CFG, " ca certificate must have ca "
- "basic constraint set, discarded");
+ DBG1(DBG_CFG, " ca certificate \"%Y\" lacks "
+ "ca basic constraint, discarded",
+ cert->get_subject(cert));
cert->destroy(cert);
cert = NULL;
}
+ else
+ {
+ DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), file);
+ }
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading ca certificate from '%s' "
+ "failed", file);
}
}
else
@@ -559,6 +511,16 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, file,
BUILD_X509_FLAG, flag, BUILD_END);
+ if (cert)
+ {
+ DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), file);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading certificate from '%s' "
+ "failed", file);
+ }
}
if (cert)
{
@@ -573,6 +535,11 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
if (cert)
{
add_crl(this, (crl_t*)cert);
+ DBG1(DBG_CFG, " loaded crl from '%s'", file);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading crl from '%s' failed", file);
}
break;
case CERT_X509_AC:
@@ -583,10 +550,17 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
if (cert)
{
add_ac(this, (ac_t*)cert);
+ DBG1(DBG_CFG, " loaded attribute certificate from '%s'",
+ file);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading attribute certificate from '%s' "
+ "failed", file);
}
break;
default:
- break;
+ break;
}
}
enumerator->destroy(enumerator);
@@ -601,20 +575,18 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
{
/* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
crl_t *crl = (crl_t*)cert;
-
+
cert->get_ref(cert);
if (add_crl(this, crl))
{
char buf[BUF_LEN];
chunk_t chunk, hex;
- identification_t *id;
-
- id = crl->get_authKeyIdentifier(crl);
- chunk = id->get_encoding(id);
+
+ chunk = crl->get_authKeyIdentifier(crl);
hex = chunk_to_hex(chunk, NULL, FALSE);
snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex);
free(hex.ptr);
-
+
chunk = cert->get_encoding(cert);
chunk_write(chunk, buf, "crl", 022, TRUE);
free(chunk.ptr);
@@ -669,7 +641,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
}
if (quotes)
- {
+ {
/* treat as an ASCII string */
*secret = chunk_clone(raw_secret);
return NULL;
@@ -693,9 +665,54 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
}
/**
+ * Data to pass to passphrase_cb
+ */
+typedef struct {
+ /** socket we use for prompting */
+ FILE *prompt;
+ /** private key file */
+ char *file;
+ /** buffer for passphrase */
+ char buf[256];
+} passphrase_cb_data_t;
+
+/**
+ * Passphrase callback to read from whack fd
+ */
+chunk_t passphrase_cb(passphrase_cb_data_t *data, int try)
+{
+ chunk_t secret = chunk_empty;;
+
+ if (try > 5)
+ {
+ fprintf(data->prompt, "invalid passphrase, too many trials\n");
+ return chunk_empty;
+ }
+ if (try == 1)
+ {
+ fprintf(data->prompt, "Private key '%s' is encrypted\n", data->file);
+ }
+ else
+ {
+ fprintf(data->prompt, "invalid passphrase\n");
+ }
+ fprintf(data->prompt, "Passphrase:\n");
+ if (fgets(data->buf, sizeof(data->buf), data->prompt))
+ {
+ secret = chunk_create(data->buf, strlen(data->buf));
+ if (secret.len)
+ { /* trim appended \n */
+ secret.len--;
+ }
+ }
+ return secret;
+}
+
+/**
* reload ipsec.secrets
*/
-static void load_secrets(private_stroke_cred_t *this, char *file, int level)
+static void load_secrets(private_stroke_cred_t *this, char *file, int level,
+ FILE *prompt)
{
size_t bytes;
int line_nr = 0;
@@ -709,7 +726,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
fd = fopen(file, "r");
if (fd == NULL)
{
- DBG1(DBG_CFG, "opening secrets file '%s' failed");
+ DBG1(DBG_CFG, "opening secrets file '%s' failed", file);
return;
}
@@ -722,9 +739,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
fclose(fd);
src = chunk;
- this->lock->write_lock(this->lock);
if (level == 0)
{
+ this->lock->write_lock(this->lock);
+
/* flush secrets on non-recursive invocation */
while (this->shared->remove_last(this->shared,
(void**)&shared) == SUCCESS)
@@ -737,7 +755,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
private->destroy(private);
}
}
-
+
while (fetchline(&src, &line))
{
chunk_t ids, token;
@@ -755,7 +773,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
glob_t buf;
char **expanded, *dir, pattern[PATH_MAX];
u_char *pos;
-
+
if (level > MAX_SECRETS_RECURSION)
{
DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
@@ -782,7 +800,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
{ /* use directory of current file if relative */
dir = strdup(file);
dir = dirname(dir);
-
+
if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
{
DBG1(DBG_CFG, "include pattern too long, ignored");
@@ -802,13 +820,13 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
{
for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
{
- load_secrets(this, *expanded, level + 1);
+ load_secrets(this, *expanded, level + 1, prompt);
}
}
globfree(&buf);
continue;
}
-
+
if (line.len > 2 && strneq(": ", line.ptr, 2))
{
/* no ids, skip the ':' */
@@ -837,9 +855,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
char path[PATH_MAX];
chunk_t filename;
chunk_t secret = chunk_empty;
- private_key_t *key;
- bool pgp = FALSE;
- chunk_t chunk = chunk_empty;
+ private_key_t *key = NULL;
key_type_t key_type = match("RSA", &token) ? KEY_RSA : KEY_ECDSA;
err_t ugh = extract_value(&filename, &line);
@@ -862,7 +878,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
else
{
/* relative path name */
- snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
+ snprintf(path, sizeof(path), "%s/%.*s", PRIVATE_KEY_DIR,
filename.len, filename.ptr);
}
@@ -876,18 +892,36 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
goto error;
}
}
-
- if (pem_asn1_load_file(path, &secret, &chunk, &pgp))
+ if (secret.len == 7 && strneq(secret.ptr, "%prompt", 7))
{
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
- BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
- free(chunk.ptr);
- if (key)
+ if (prompt)
{
- DBG1(DBG_CFG, " loaded private key file '%s'", path);
- this->private->insert_last(this->private, key);
+ passphrase_cb_data_t data;
+
+ data.prompt = prompt;
+ data.file = path;
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ key_type, BUILD_FROM_FILE, path,
+ BUILD_PASSPHRASE_CALLBACK,
+ passphrase_cb, &data, BUILD_END);
}
}
+ else
+ {
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type,
+ BUILD_FROM_FILE, path,
+ BUILD_PASSPHRASE, secret, BUILD_END);
+ }
+ if (key)
+ {
+ DBG1(DBG_CFG, " loaded %N private key from '%s'",
+ key_type_names, key->get_type(key), path);
+ this->private->insert_last(this->private, key);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " loading private key from '%s' failed", path);
+ }
chunk_clear(&secret);
}
else if (match("PIN", &token))
@@ -896,9 +930,9 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
char smartcard[32], keyid[22], pin[32];
private_key_t *key;
u_int slot;
-
+
err_t ugh = extract_value(&sc, &line);
-
+
if (ugh != NULL)
{
DBG1(DBG_CFG, "line %d: %s", line_nr, ugh);
@@ -911,7 +945,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
}
snprintf(smartcard, sizeof(smartcard), "%.*s", sc.len, sc.ptr);
smartcard[sizeof(smartcard) - 1] = '\0';
-
+
/* parse slot and key id. only two formats are supported.
* first try %smartcard<slot>:<keyid> */
if (sscanf(smartcard, "%%smartcard%u:%s", &slot, keyid) == 2)
@@ -929,7 +963,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
" supported or invalid", line_nr);
goto error;
}
-
+
if (!eat_whitespace(&line))
{
DBG1(DBG_CFG, "line %d: expected PIN", line_nr);
@@ -943,12 +977,12 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
}
snprintf(pin, sizeof(pin), "%.*s", secret.len, secret.ptr);
pin[sizeof(pin) - 1] = '\0';
-
+
/* we assume an RSA key */
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
BUILD_SMARTCARD_KEYID, smartcard,
BUILD_SMARTCARD_PIN, pin, BUILD_END);
-
+
if (key)
{
DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr);
@@ -975,7 +1009,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type,
ids.len > 0 ? (char*)ids.ptr : "%any");
DBG4(DBG_CFG, " secret: %#B", &secret);
-
+
this->shared->insert_last(this->shared, shared_key);
while (ids.len > 0)
{
@@ -992,7 +1026,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
{
continue;
}
-
+
/* NULL terminate the ID string */
*(id.ptr + id.len) = '\0';
peer_id = identification_create_from_string(id.ptr);
@@ -1001,7 +1035,7 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
peer_id->destroy(peer_id);
continue;
}
-
+
shared_key->add_owner(shared_key, peer_id);
any = FALSE;
}
@@ -1019,7 +1053,10 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level)
}
}
error:
- this->lock->unlock(this->lock);
+ if (level == 0)
+ {
+ this->lock->unlock(this->lock);
+ }
chunk_clear(&chunk);
}
@@ -1052,12 +1089,12 @@ static void load_certs(private_stroke_cred_t *this)
/**
* Implementation of stroke_cred_t.reread.
*/
-static void reread(private_stroke_cred_t *this, stroke_msg_t *msg)
+static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt)
{
if (msg->reread.flags & REREAD_SECRETS)
{
DBG1(DBG_CFG, "rereading secrets");
- load_secrets(this, SECRETS_FILE, 0);
+ load_secrets(this, SECRETS_FILE, 0, prompt);
}
if (msg->reread.flags & REREAD_CACERTS)
{
@@ -1110,28 +1147,28 @@ static void destroy(private_stroke_cred_t *this)
stroke_cred_t *stroke_cred_create()
{
private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t);
-
+
this->public.set.create_private_enumerator = (void*)create_private_enumerator;
this->public.set.create_cert_enumerator = (void*)create_cert_enumerator;
this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
this->public.set.create_cdp_enumerator = (void*)return_null;
this->public.set.cache_cert = (void*)cache_cert;
- this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg))reread;
+ this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread;
this->public.load_ca = (certificate_t*(*)(stroke_cred_t*, char *filename))load_ca;
this->public.load_peer = (certificate_t*(*)(stroke_cred_t*, char *filename))load_peer;
this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl;
this->public.destroy = (void(*)(stroke_cred_t*))destroy;
-
+
this->certs = linked_list_create();
this->shared = linked_list_create();
this->private = linked_list_create();
this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
load_certs(this);
- load_secrets(this, SECRETS_FILE, 0);
-
+ load_secrets(this, SECRETS_FILE, 0, NULL);
+
this->cachecrl = FALSE;
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
index 8bc042f13..ccee7d87c 100644
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ b/src/charon/plugins/stroke/stroke_cred.h
@@ -21,6 +21,8 @@
#ifndef STROKE_CRED_H_
#define STROKE_CRED_H_
+#include <stdio.h>
+
#include <stroke_msg.h>
#include <credentials/credential_set.h>
#include <credentials/certificates/certificate.h>
@@ -36,14 +38,15 @@ struct stroke_cred_t {
* Implements credential_set_t
*/
credential_set_t set;
-
+
/**
* Reread secrets from config files.
*
* @param msg stroke message
+ * @param prompt I/O channel to prompt for private key passhprase
*/
- void (*reread)(stroke_cred_t *this, stroke_msg_t *msg);
-
+ void (*reread)(stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt);
+
/**
* Load a CA certificate, and serve it through the credential_set.
*
@@ -51,7 +54,7 @@ struct stroke_cred_t {
* @return reference to loaded certificate, or NULL
*/
certificate_t* (*load_ca)(stroke_cred_t *this, char *filename);
-
+
/**
* Load a peer certificate and serve it rhrough the credential_set.
*
@@ -59,18 +62,18 @@ struct stroke_cred_t {
* @return reference to loaded certificate, or NULL
*/
certificate_t* (*load_peer)(stroke_cred_t *this, char *filename);
-
+
/**
* Enable/Disable CRL caching to disk.
*
* @param enabled TRUE to enable, FALSE to disable
*/
void (*cachecrl)(stroke_cred_t *this, bool enabled);
-
+
/**
- * Destroy a stroke_cred instance.
- */
- void (*destroy)(stroke_cred_t *this);
+ * Destroy a stroke_cred instance.
+ */
+ void (*destroy)(stroke_cred_t *this);
};
/**
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 6f421bd30..c2a98da33 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -22,6 +22,8 @@
#include <credentials/certificates/x509.h>
#include <credentials/certificates/ac.h>
#include <credentials/certificates/crl.h>
+#include <credentials/certificates/pgp_certificate.h>
+#include <credentials/ietf_attributes/ietf_attributes.h>
#include <config/peer_cfg.h>
/* warning intervals for list functions */
@@ -40,12 +42,12 @@ struct private_stroke_list_t {
* public functions
*/
stroke_list_t public;
-
+
/**
* timestamp of daemon start
*/
time_t uptime;
-
+
/**
* strokes attribute provider
*/
@@ -58,45 +60,45 @@ struct private_stroke_list_t {
static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
{
ike_sa_id_t *id = ike_sa->get_id(ike_sa);
- time_t now = time(NULL);
-
+ time_t now = time_monotonic(NULL);
+
fprintf(out, "%12s[%d]: %N",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
ike_sa_state_names, ike_sa->get_state(ike_sa));
-
+
if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
{
time_t established;
-
+
established = ike_sa->get_statistic(ike_sa, STAT_ESTABLISHED);
fprintf(out, " %V ago", &now, &established);
}
-
+
fprintf(out, ", %H[%Y]...%H[%Y]\n",
ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
-
+
if (all)
{
proposal_t *ike_proposal;
-
+
ike_proposal = ike_sa->get_proposal(ike_sa);
-
+
fprintf(out, "%12s[%d]: IKE SPIs: %.16llx_i%s %.16llx_r%s",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
id->get_initiator_spi(id), id->is_initiator(id) ? "*" : "",
id->get_responder_spi(id), id->is_initiator(id) ? "" : "*");
-
-
+
+
if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
{
time_t rekey, reauth;
peer_cfg_t *peer_cfg;
-
+
rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-
+
if (rekey)
{
fprintf(out, ", rekeying in %V", &rekey, &now);
@@ -106,7 +108,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
bool first = TRUE;
enumerator_t *enumerator;
auth_cfg_t *auth;
-
+
fprintf(out, ", ");
enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
while (enumerator->enumerate(enumerator, &auth))
@@ -128,11 +130,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
}
}
fprintf(out, "\n");
-
+
if (ike_proposal)
{
char buf[BUF_LEN];
-
+
snprintf(buf, BUF_LEN, "%P", ike_proposal);
fprintf(out, "%12s[%d]: IKE proposal: %s\n",
ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa),
@@ -146,17 +148,18 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
*/
static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
- time_t use_in, use_out, rekey, now = time(NULL);
+ time_t use_in, use_out, rekey, now;
u_int64_t bytes_in, bytes_out;
proposal_t *proposal;
child_cfg_t *config = child_sa->get_config(child_sa);
-
- fprintf(out, "%12s{%d}: %N, %N%s",
+
+
+ fprintf(out, "%12s{%d}: %N, %N%s",
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
child_sa_state_names, child_sa->get_state(child_sa),
ipsec_mode_names, child_sa->get_mode(child_sa),
config->use_proxy_mode(config) ? "_PROXY" : "");
-
+
if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
{
fprintf(out, ", %N%s SPIs: %.8x_i %.8x_o",
@@ -164,30 +167,30 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
child_sa->has_encap(child_sa) ? " in UDP" : "",
ntohl(child_sa->get_spi(child_sa, TRUE)),
ntohl(child_sa->get_spi(child_sa, FALSE)));
-
+
if (child_sa->get_ipcomp(child_sa) != IPCOMP_NONE)
{
fprintf(out, ", IPCOMP CPIs: %.4x_i %.4x_o",
ntohs(child_sa->get_cpi(child_sa, TRUE)),
ntohs(child_sa->get_cpi(child_sa, FALSE)));
}
-
+
if (all)
{
- fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa),
+ fprintf(out, "\n%12s{%d}: ", child_sa->get_name(child_sa),
child_sa->get_reqid(child_sa));
-
+
proposal = child_sa->get_proposal(child_sa);
if (proposal)
{
u_int16_t encr_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED;
u_int16_t encr_size = 0, int_size = 0;
-
+
proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
&encr_alg, &encr_size);
proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
&int_alg, &int_size);
-
+
if (encr_alg != ENCR_UNDEFINED)
{
fprintf(out, "%N", encryption_algorithm_names, encr_alg);
@@ -206,6 +209,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
}
+ now = time_monotonic(NULL);
child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
fprintf(out, ", %llu bytes_i", bytes_in);
if (use_in)
@@ -220,7 +224,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
fprintf(out, " (%ds ago)", now - use_out);
}
fprintf(out, ", rekeying ");
-
+
rekey = child_sa->get_lifetime(child_sa, FALSE);
if (rekey)
{
@@ -237,10 +241,10 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
fprintf(out, "disabled");
}
-
+
}
}
-
+
fprintf(out, "\n%12s{%d}: %#R=== %#R\n",
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
child_sa->get_traffic_selectors(child_sa, TRUE),
@@ -260,9 +264,9 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
certificate_t *cert;
cert_validation_t valid;
char *name;
-
+
name = peer_cfg->get_name(peer_cfg);
-
+
enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
while (enumerator->enumerate(enumerator, &auth))
{
@@ -327,7 +331,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
fprintf(out, "%12s: ocsp: status must be GOOD%s\n", name,
(valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
}
-
+
valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
if (valid != VALIDATION_FAILED)
{
@@ -360,18 +364,21 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
ike_sa_t *ike_sa;
bool first, found = FALSE;
char *name = msg->status.name;
-
+
if (all)
{
peer_cfg_t *peer_cfg;
char *plugin, *pool;
host_t *host;
u_int32_t dpd;
- time_t now = time(NULL);
+ time_t since, now;
u_int size, online, offline;
-
+
+ now = time_monotonic(NULL);
+ since = time(NULL) - (now - this->uptime);
+
fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
- fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &this->uptime, FALSE);
+ fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE);
fprintf(out, " worker threads: %d idle of %d,",
charon->processor->get_idle_threads(charon->processor),
charon->processor->get_total_threads(charon->processor));
@@ -387,7 +394,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
}
enumerator->destroy(enumerator);
fprintf(out, "\n");
-
+
first = TRUE;
enumerator = this->attribute->create_pool_enumerator(this->attribute);
while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
@@ -404,7 +411,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
fprintf(out, " %s: %u/%u/%u\n", pool, size, online, offline);
}
enumerator->destroy(enumerator);
-
+
enumerator = charon->kernel_interface->create_address_enumerator(
charon->kernel_interface, FALSE, FALSE);
fprintf(out, "Listening IP addresses:\n");
@@ -413,7 +420,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
fprintf(out, " %H\n", host);
}
enumerator->destroy(enumerator);
-
+
fprintf(out, "Connections:\n");
enumerator = charon->backends->create_peer_cfg_enumerator(
charon->backends, NULL, NULL, NULL, NULL);
@@ -424,33 +431,33 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
{
continue;
}
-
+
ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
fprintf(out, "%12s: %s...%s", peer_cfg->get_name(peer_cfg),
ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
-
+
dpd = peer_cfg->get_dpd(peer_cfg);
if (dpd)
{
fprintf(out, ", dpddelay=%us", dpd);
}
fprintf(out, "\n");
-
+
log_auth_cfgs(out, peer_cfg, TRUE);
log_auth_cfgs(out, peer_cfg, FALSE);
-
+
children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
while (children->enumerate(children, &child_cfg))
{
linked_list_t *my_ts, *other_ts;
-
+
my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
fprintf(out, "%12s: child: %#R=== %#R", child_cfg->get_name(child_cfg),
my_ts, other_ts);
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-
+
if (dpd)
{
fprintf(out, ", dpdaction=%N", action_names,
@@ -463,7 +470,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
enumerator->destroy(enumerator);
}
- first = TRUE;
+ first = TRUE;
enumerator = charon->traps->create_enumerator(charon->traps);
while (enumerator->enumerate(enumerator, NULL, &child_sa))
{
@@ -475,14 +482,14 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
log_child_sa(out, child_sa, all);
}
enumerator->destroy(enumerator);
-
+
fprintf(out, "Security Associations:\n");
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
while (enumerator->enumerate(enumerator, &ike_sa))
{
bool ike_printed = FALSE;
iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
-
+
if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
{
log_ike_sa(out, ike_sa, all);
@@ -501,12 +508,12 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
ike_printed = TRUE;
}
log_child_sa(out, child_sa, all);
- }
+ }
}
children->destroy(children);
}
enumerator->destroy(enumerator);
-
+
if (!found)
{
if (name)
@@ -531,14 +538,14 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
charon->credentials, type, KEY_ANY,
NULL, FALSE);
certificate_t *cert;
-
+
while (enumerator->enumerate(enumerator, (void**)&cert))
{
iterator_t *iterator = list->create_iterator(list, TRUE);
identification_t *issuer = cert->get_issuer(cert);
bool previous_same, same = FALSE, last = TRUE;
certificate_t *list_cert;
-
+
while (iterator->iterate(iterator, (void**)&list_cert))
{
/* exit if we have a duplicate? */
@@ -569,6 +576,41 @@ static linked_list_t* create_unique_cert_list(certificate_type_t type)
}
/**
+ * Print a single public key.
+ */
+static void list_public_key(public_key_t *public, FILE *out)
+{
+ private_key_t *private = NULL;
+ chunk_t keyid;
+ identification_t *id;
+ auth_cfg_t *auth;
+
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+ {
+ id = identification_create_from_encoding(ID_KEY_ID, keyid);
+ auth = auth_cfg_create();
+ private = charon->credentials->get_private(charon->credentials,
+ public->get_type(public), id, auth);
+ auth->destroy(auth);
+ id->destroy(id);
+ }
+
+ fprintf(out, " pubkey: %N %d bits%s\n",
+ key_type_names, public->get_type(public),
+ public->get_keysize(public) * 8,
+ private ? ", has private key" : "");
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ fprintf(out, " keyid: %#B\n", &keyid);
+ }
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid))
+ {
+ fprintf(out, " subjkey: %#B\n", &keyid);
+ }
+ DESTROY_IF(private);
+}
+
+/**
* list all raw public keys
*/
static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
@@ -584,9 +626,6 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
if (public)
{
- private_key_t *private = NULL;
- identification_t *id, *keyid;
-
if (first)
{
fprintf(out, "\n");
@@ -595,20 +634,52 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
}
fprintf(out, "\n");
- /* list public key information */
- id = public->get_id(public, ID_PUBKEY_SHA1);
- keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-
- private = charon->credentials->get_private(
- charon->credentials,
- public->get_type(public), keyid, NULL);
- fprintf(out, " pubkey: %N %d bits%s\n",
- key_type_names, public->get_type(public),
- public->get_keysize(public) * 8,
- private ? ", has private key" : "");
- fprintf(out, " keyid: %Y\n", keyid);
- fprintf(out, " subjkey: %Y\n", id);
- DESTROY_IF(private);
+ list_public_key(public, out);
+ public->destroy(public);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * list OpenPGP certificates
+ */
+static void stroke_list_pgp(linked_list_t *list,bool utc, FILE *out)
+{
+ bool first = TRUE;
+ time_t now = time(NULL);
+ enumerator_t *enumerator = list->create_enumerator(list);
+ certificate_t *cert;
+
+ while (enumerator->enumerate(enumerator, (void**)&cert))
+ {
+ time_t created, until;
+ public_key_t *public;
+ pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert;
+ chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert);
+
+ if (first)
+ {
+
+ fprintf(out, "\n");
+ fprintf(out, "List of PGP End Entity Certificates:\n");
+ first = FALSE;
+ }
+ fprintf(out, "\n");
+ fprintf(out, " userid: '%Y'\n", cert->get_subject(cert));
+
+ fprintf(out, " digest: %#B\n", &fingerprint);
+
+ /* list validity */
+ cert->get_validity(cert, &now, &created, &until);
+ fprintf(out, " created: %T\n", &created, utc);
+ fprintf(out, " until: %T%s\n", &until, utc,
+ (until == TIME_32_BIT_SIGNED_MAX) ? " (expires never)":"");
+
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ list_public_key(public, out);
public->destroy(public);
}
}
@@ -618,29 +689,35 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
/**
* list all X.509 certificates matching the flags
*/
-static void stroke_list_certs(linked_list_t *list, char *label,
+static void stroke_list_certs(linked_list_t *list, char *label,
x509_flag_t flags, bool utc, FILE *out)
{
bool first = TRUE;
time_t now = time(NULL);
- enumerator_t *enumerator = list->create_enumerator(list);
+ enumerator_t *enumerator;
certificate_t *cert;
+ x509_flag_t flag_mask;
+
+ /* mask all auxiliary flags */
+ flag_mask = ~(X509_SERVER_AUTH | X509_CLIENT_AUTH |
+ X509_SELF_SIGNED | X509_IP_ADDR_BLOCKS );
+ enumerator = list->create_enumerator(list);
while (enumerator->enumerate(enumerator, (void**)&cert))
{
x509_t *x509 = (x509_t*)cert;
- x509_flag_t x509_flags = x509->get_flags(x509);
+ x509_flag_t x509_flags = x509->get_flags(x509) & flag_mask;
- /* list only if flag is set, or flags == 0 (ignoring self-signed) */
- if ((x509_flags & flags) || (flags == (x509_flags & ~X509_SELF_SIGNED)))
+ /* list only if flag is set or flag == 0 */
+ if ((x509_flags & flags) || (x509_flags == flags))
{
enumerator_t *enumerator;
identification_t *altName;
bool first_altName = TRUE;
- chunk_t serial = x509->get_serial(x509);
- identification_t *authkey = x509->get_authKeyIdentifier(x509);
+ int pathlen;
+ chunk_t serial, authkey;
time_t notBefore, notAfter;
- public_key_t *public = cert->get_public_key(cert);
+ public_key_t *public;
if (first)
{
@@ -673,6 +750,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert));
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
+ serial = x509->get_serial(x509);
fprintf(out, " serial: %#B\n", &serial);
/* list validity */
@@ -700,33 +778,50 @@ static void stroke_list_certs(linked_list_t *list, char *label,
}
fprintf(out, " \n");
}
-
- /* list public key information */
+
+ public = cert->get_public_key(cert);
if (public)
{
- private_key_t *private = NULL;
- identification_t *id, *keyid;
-
- id = public->get_id(public, ID_PUBKEY_SHA1);
- keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
-
- private = charon->credentials->get_private(
- charon->credentials,
- public->get_type(public), keyid, NULL);
- fprintf(out, " pubkey: %N %d bits%s\n",
- key_type_names, public->get_type(public),
- public->get_keysize(public) * 8,
- private ? ", has private key" : "");
- fprintf(out, " keyid: %Y\n", keyid);
- fprintf(out, " subjkey: %Y\n", id);
- DESTROY_IF(private);
+ list_public_key(public, out);
public->destroy(public);
}
-
+
/* list optional authorityKeyIdentifier */
- if (authkey)
+ authkey = x509->get_authKeyIdentifier(x509);
+ if (authkey.ptr)
{
- fprintf(out, " authkey: %Y\n", authkey);
+ fprintf(out, " authkey: %#B\n", &authkey);
+ }
+
+ /* list optional pathLenConstraint */
+ pathlen = x509->get_pathLenConstraint(x509);
+ if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
+ {
+ fprintf(out, " pathlen: %d\n", pathlen);
+ }
+
+ /* list optional ipAddrBlocks */
+ if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+ {
+ traffic_selector_t *ipAddrBlock;
+ bool first_ipAddrBlock = TRUE;
+
+ fprintf(out, " addresses: ");
+ enumerator = x509->create_ipAddrBlock_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &ipAddrBlock))
+ {
+ if (first_ipAddrBlock)
+ {
+ first_ipAddrBlock = FALSE;
+ }
+ else
+ {
+ fprintf(out, ", ");
+ }
+ fprintf(out, "%R", ipAddrBlock);
+ }
+ enumerator->destroy(enumerator);
+ fprintf(out, "\n");
}
}
}
@@ -746,11 +841,9 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
while (enumerator->enumerate(enumerator, (void**)&cert))
{
ac_t *ac = (ac_t*)cert;
- chunk_t serial = ac->get_serial(ac);
- chunk_t holderSerial = ac->get_holderSerial(ac);
- identification_t *holderIssuer = ac->get_holderIssuer(ac);
- identification_t *authkey = ac->get_authKeyIdentifier(ac);
- identification_t *entityName = cert->get_subject(cert);
+ identification_t *id;
+ ietf_attributes_t *groups;
+ chunk_t chunk;
if (first)
{
@@ -760,20 +853,30 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
}
fprintf(out, "\n");
- if (entityName)
+ id = cert->get_subject(cert);
+ if (id)
{
- fprintf(out, " holder: \"%Y\"\n", entityName);
+ fprintf(out, " holder: \"%Y\"\n", id);
}
- if (holderIssuer)
+ id = ac->get_holderIssuer(ac);
+ if (id)
{
- fprintf(out, " hissuer: \"%Y\"\n", holderIssuer);
+ fprintf(out, " hissuer: \"%Y\"\n", id);
}
- if (holderSerial.ptr)
+ chunk = ac->get_holderSerial(ac);
+ if (chunk.ptr)
{
- fprintf(out, " hserial: %#B\n", &holderSerial);
+ fprintf(out, " hserial: %#B\n", &chunk);
+ }
+ groups = ac->get_groups(ac);
+ if (groups)
+ {
+ fprintf(out, " groups: %s\n", groups->get_string(groups));
+ groups->destroy(groups);
}
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
- fprintf(out, " serial: %#B\n", &serial);
+ chunk = ac->get_serial(ac);
+ fprintf(out, " serial: %#B\n", &chunk);
/* list validity */
cert->get_validity(cert, &now, &thisUpdate, &nextUpdate);
@@ -794,9 +897,10 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
}
/* list optional authorityKeyIdentifier */
- if (authkey)
+ chunk = ac->get_authKeyIdentifier(ac);
+ if (chunk.ptr)
{
- fprintf(out, " authkey: %Y\n", authkey);
+ fprintf(out, " authkey: %#B\n", &chunk);
}
}
enumerator->destroy(enumerator);
@@ -811,12 +915,11 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
time_t thisUpdate, nextUpdate, now = time(NULL);
enumerator_t *enumerator = list->create_enumerator(list);
certificate_t *cert;
-
+
while (enumerator->enumerate(enumerator, (void**)&cert))
{
crl_t *crl = (crl_t*)cert;
- chunk_t serial = crl->get_serial(crl);
- identification_t *authkey = crl->get_authKeyIdentifier(crl);
+ chunk_t chunk;
if (first)
{
@@ -829,9 +932,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
/* list optional crlNumber */
- if (serial.ptr)
+ chunk = crl->get_serial(crl);
+ if (chunk.ptr)
{
- fprintf(out, " serial: %#B\n", &serial);
+ fprintf(out, " serial: %#B\n", &chunk);
}
/* count the number of revoked certificates */
@@ -867,9 +971,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
}
/* list optional authorityKeyIdentifier */
- if (authkey)
+ chunk = crl->get_authKeyIdentifier(crl);
+ if (chunk.ptr)
{
- fprintf(out, " authkey: %Y\n", authkey);
+ fprintf(out, " authkey: %#B\n", &chunk);
}
}
enumerator->destroy(enumerator);
@@ -883,7 +988,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
bool first = TRUE;
enumerator_t *enumerator = list->create_enumerator(list);
certificate_t *cert;
-
+
while (enumerator->enumerate(enumerator, (void**)&cert))
{
if (first)
@@ -910,7 +1015,7 @@ static void list_algs(FILE *out)
hash_algorithm_t hash;
pseudo_random_function_t prf;
diffie_hellman_group_t group;
-
+
fprintf(out, "\n");
fprintf(out, "List of registered IKEv2 Algorithms:\n");
fprintf(out, "\n encryption: ");
@@ -963,7 +1068,14 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
linked_list_t *pubkey_list = create_unique_cert_list(CERT_TRUSTED_PUBKEY);
stroke_list_pubkeys(pubkey_list, msg->list.utc, out);
- pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+ pubkey_list->destroy_offset(pubkey_list, offsetof(certificate_t, destroy));
+ }
+ if (msg->list.flags & LIST_CERTS)
+ {
+ linked_list_t *pgp_list = create_unique_cert_list(CERT_GPG);
+
+ stroke_list_pgp(pgp_list, msg->list.utc, out);
+ pgp_list->destroy_offset(pgp_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & (LIST_CERTS | LIST_CACERTS | LIST_OCSPCERTS | LIST_AACERTS))
{
@@ -972,7 +1084,7 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
if (msg->list.flags & LIST_CERTS)
{
stroke_list_certs(cert_list, "X.509 End Entity Certificates",
- 0, msg->list.utc, out);
+ X509_NONE, msg->list.utc, out);
}
if (msg->list.flags & LIST_CACERTS)
{
@@ -989,33 +1101,34 @@ static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
stroke_list_certs(cert_list, "X.509 AA Certificates",
X509_AA, msg->list.utc, out);
}
+ DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
+
if (msg->list.flags & LIST_ACERTS)
{
linked_list_t *ac_list = create_unique_cert_list(CERT_X509_AC);
stroke_list_acerts(ac_list, msg->list.utc, out);
- ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
+ ac_list->destroy_offset(ac_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_CRLS)
{
linked_list_t *crl_list = create_unique_cert_list(CERT_X509_CRL);
stroke_list_crls(crl_list, msg->list.utc, out);
- crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
+ crl_list->destroy_offset(crl_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_OCSP)
{
linked_list_t *ocsp_list = create_unique_cert_list(CERT_X509_OCSP_RESPONSE);
stroke_list_ocsp(ocsp_list, msg->list.utc, out);
-
- ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
+
+ ocsp_list->destroy_offset(ocsp_list, offsetof(certificate_t, destroy));
}
if (msg->list.flags & LIST_ALGS)
{
list_algs(out);
}
- DESTROY_OFFSET_IF(cert_list, offsetof(certificate_t, destroy));
}
/**
@@ -1029,7 +1142,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
host_t *lease;
bool on;
int found = 0;
-
+
fprintf(out, "Leases in pool '%s', usage: %lu/%lu, %lu online\n",
pool, online + offline, size, online);
enumerator = this->attribute->create_lease_enumerator(this->attribute, pool);
@@ -1059,12 +1172,12 @@ static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out)
host_t *address = NULL;
char *pool;
int found = 0;
-
+
if (msg->leases.address)
{
address = host_create_from_string(msg->leases.address, 0);
}
-
+
enumerator = this->attribute->create_pool_enumerator(this->attribute);
while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
{
@@ -1103,15 +1216,15 @@ static void destroy(private_stroke_list_t *this)
stroke_list_t *stroke_list_create(stroke_attribute_t *attribute)
{
private_stroke_list_t *this = malloc_thing(private_stroke_list_t);
-
+
this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list;
this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status;
this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases;
this->public.destroy = (void(*)(stroke_list_t*))destroy;
-
- this->uptime = time(NULL);
+
+ this->uptime = time_monotonic(NULL);
this->attribute = attribute;
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h
index 2430abfbb..b5bedc6c2 100644
--- a/src/charon/plugins/stroke/stroke_list.h
+++ b/src/charon/plugins/stroke/stroke_list.h
@@ -40,7 +40,7 @@ struct stroke_list_t {
* @param out stroke console stream
*/
void (*list)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Log status information to stroke console.
*
@@ -49,7 +49,7 @@ struct stroke_list_t {
* @param all TRUE for "statusall"
*/
void (*status)(stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all);
-
+
/**
* Log pool leases to stroke console.
*
@@ -57,7 +57,7 @@ struct stroke_list_t {
* @param out stroke console stream
*/
void (*leases)(stroke_list_t *this, stroke_msg_t *msg, FILE *out);
-
+
/**
* Destroy a stroke_list instance.
*/
diff --git a/src/charon/plugins/stroke/stroke_plugin.c b/src/charon/plugins/stroke/stroke_plugin.c
index 22c1125a1..61ae10953 100644
--- a/src/charon/plugins/stroke/stroke_plugin.c
+++ b/src/charon/plugins/stroke/stroke_plugin.c
@@ -29,7 +29,7 @@ struct private_stroke_plugin_t {
* public functions
*/
stroke_plugin_t public;
-
+
/**
* stroke socket, receives strokes
*/
@@ -51,9 +51,9 @@ static void destroy(private_stroke_plugin_t *this)
plugin_t *plugin_create()
{
private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t);
-
+
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+
this->socket = stroke_socket_create();
if (this->socket == NULL)
{
diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h
index 6e9d556ad..3a1e81df6 100644
--- a/src/charon/plugins/stroke/stroke_plugin.h
+++ b/src/charon/plugins/stroke/stroke_plugin.h
@@ -20,7 +20,7 @@
* @defgroup stroke_plugin stroke_plugin
* @{ @ingroup stroke
*/
-
+
#ifndef STROKE_PLUGIN_H_
#define STROKE_PLUGIN_H_
diff --git a/src/charon/plugins/stroke/stroke_shared_key.c b/src/charon/plugins/stroke/stroke_shared_key.c
index 8f53f509d..4f716e83a 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.c
+++ b/src/charon/plugins/stroke/stroke_shared_key.c
@@ -28,7 +28,7 @@ struct private_stroke_shared_key_t {
* implements shared_key_t
*/
stroke_shared_key_t public;
-
+
/**
* type of this key
*/
@@ -43,7 +43,7 @@ struct private_stroke_shared_key_t {
* list of key owners, as identification_t
*/
linked_list_t *owners;
-
+
/**
* reference counter
*/
@@ -73,8 +73,8 @@ static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this)
static chunk_t get_key(private_stroke_shared_key_t *this)
{
return this->key;
-}
-
+}
+
/**
* Implementation of stroke_shared_key_t.has_owner.
*/
@@ -83,7 +83,7 @@ static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t
enumerator_t *enumerator;
id_match_t match, best = ID_MATCH_NONE;
identification_t *current;
-
+
enumerator = this->owners->create_enumerator(this->owners);
while (enumerator->enumerate(enumerator, &current))
{
@@ -135,6 +135,6 @@ stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t ke
this->type = type;
this->key = key;
this->ref = 1;
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h
index 224062100..05ad55083 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.h
+++ b/src/charon/plugins/stroke/stroke_shared_key.h
@@ -35,21 +35,21 @@ struct stroke_shared_key_t {
* Implements the shared_key_t interface.
*/
shared_key_t shared;
-
+
/**
* Add an owner to the key.
*
* @param owner owner to add
*/
void (*add_owner)(stroke_shared_key_t *this, identification_t *owner);
-
+
/**
* Check if a key has a specific owner.
*
* @param owner owner to check
* @return best match found
*/
- id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
+ id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner);
};
/**
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 9b6a8a3a7..820e097f1 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -23,11 +23,10 @@
#include <sys/fcntl.h>
#include <unistd.h>
#include <errno.h>
-#include <pthread.h>
#include <processing/jobs/callback_job.h>
#include <daemon.h>
-#include <utils/mutex.h> /* for Mac OS X compatible accept */
+#include <threading/thread.h>
#include "stroke_config.h"
#include "stroke_control.h"
@@ -48,42 +47,42 @@ struct private_stroke_socket_t {
* public functions
*/
stroke_socket_t public;
-
+
/**
* Unix socket to listen for strokes
*/
int socket;
-
+
/**
* job accepting stroke messages
*/
callback_job_t *job;
-
+
/**
* configuration backend
*/
stroke_config_t *config;
-
+
/**
* attribute provider
*/
stroke_attribute_t *attribute;
-
+
/**
* controller to control daemon
*/
stroke_control_t *control;
-
+
/**
* credential set
*/
stroke_cred_t *cred;
-
+
/**
* CA sections
*/
stroke_ca_t *ca;
-
+
/**
* Status information logging
*/
@@ -99,7 +98,7 @@ struct stroke_job_context_t {
* file descriptor to read from
*/
int fd;
-
+
/**
* global stroke interface
*/
@@ -152,7 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
pop_string(msg, &end->ca2);
pop_string(msg, &end->groups);
pop_string(msg, &end->updown);
-
+
DBG2(DBG_CFG, " %s=%s", label, end->address);
DBG2(DBG_CFG, " %ssubnet=%s", label, end->subnets);
DBG2(DBG_CFG, " %ssourceip=%s", label, end->sourceip);
@@ -202,7 +201,7 @@ static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
{
pop_string(msg, &msg->del_conn.name);
DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
-
+
this->config->del(this->config, msg);
this->attribute->del_pool(this->attribute, msg);
}
@@ -214,7 +213,7 @@ static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FI
{
pop_string(msg, &msg->initiate.name);
DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
-
+
this->control->initiate(this->control, msg, out);
}
@@ -227,7 +226,7 @@ static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, F
DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
this->control->terminate(this->control, msg, out);
-}
+}
/**
* terminate a connection by peers virtual IP
@@ -250,7 +249,7 @@ static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE
{
pop_string(msg, &msg->route.name);
DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name);
-
+
this->control->route(this->control, msg, out);
}
@@ -261,7 +260,7 @@ static void stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FIL
{
pop_string(msg, &msg->terminate.name);
DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name);
-
+
this->control->unroute(this->control, msg, out);
}
@@ -287,7 +286,7 @@ static void stroke_add_ca(private_stroke_socket_t *this,
DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri);
DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2);
DBG2(DBG_CFG, " certuribase=%s", msg->add_ca.certuribase);
-
+
this->ca->add(this->ca, msg);
}
@@ -299,7 +298,7 @@ static void stroke_del_ca(private_stroke_socket_t *this,
{
pop_string(msg, &msg->del_ca.name);
DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
-
+
this->ca->del(this->ca, msg);
}
@@ -311,7 +310,7 @@ static void stroke_status(private_stroke_socket_t *this,
stroke_msg_t *msg, FILE *out, bool all)
{
pop_string(msg, &(msg->status.name));
-
+
this->list->status(this->list, msg, out, all);
}
@@ -333,7 +332,7 @@ static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *
static void stroke_reread(private_stroke_socket_t *this,
stroke_msg_t *msg, FILE *out)
{
- this->cred->reread(this->cred, msg);
+ this->cred->reread(this->cred, msg, out);
}
/**
@@ -361,7 +360,7 @@ static void stroke_leases(private_stroke_socket_t *this,
{
pop_string(msg, &msg->leases.pool);
pop_string(msg, &msg->leases.address);
-
+
this->list->leases(this->list, msg, out);
}
@@ -390,11 +389,11 @@ static void stroke_loglevel(private_stroke_socket_t *this,
sys_logger_t *sys_logger;
file_logger_t *file_logger;
debug_t group;
-
+
pop_string(msg, &(msg->loglevel.type));
DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
msg->loglevel.level, msg->loglevel.type);
-
+
group = get_group_from_name(msg->loglevel.type);
if (group < 0)
{
@@ -448,7 +447,7 @@ static job_requeue_t process(stroke_job_context_t *ctx)
FILE *out;
private_stroke_socket_t *this = ctx->this;
int strokefd = ctx->fd;
-
+
/* peek the length */
bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
if (bytes_read != sizeof(msg_length))
@@ -457,7 +456,7 @@ static job_requeue_t process(stroke_job_context_t *ctx)
strerror(errno));
return JOB_REQUEUE_NONE;
}
-
+
/* read message */
msg = alloca(msg_length);
bytes_read = recv(strokefd, msg, msg_length, 0);
@@ -466,16 +465,16 @@ static job_requeue_t process(stroke_job_context_t *ctx)
DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
return JOB_REQUEUE_NONE;
}
-
- out = fdopen(strokefd, "w");
+
+ out = fdopen(strokefd, "w+");
if (out == NULL)
{
DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
return JOB_REQUEUE_NONE;
}
-
+
DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
-
+
switch (msg->type)
{
case STR_INITIATE:
@@ -547,27 +546,27 @@ static job_requeue_t receive(private_stroke_socket_t *this)
struct sockaddr_un strokeaddr;
int strokeaddrlen = sizeof(strokeaddr);
int strokefd;
- int oldstate;
+ bool oldstate;
callback_job_t *job;
stroke_job_context_t *ctx;
-
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+
+ oldstate = thread_cancelability(TRUE);
strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
- pthread_setcancelstate(oldstate, NULL);
-
+ thread_cancelability(oldstate);
+
if (strokefd < 0)
{
DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
return JOB_REQUEUE_FAIR;
}
-
+
ctx = malloc_thing(stroke_job_context_t);
ctx->fd = strokefd;
ctx->this = this;
job = callback_job_create((callback_job_cb_t)process,
ctx, (void*)stroke_job_context_destroy, this->job);
charon->processor->queue_job(charon->processor, (job_t*)job);
-
+
return JOB_REQUEUE_FAIR;
}
@@ -582,7 +581,7 @@ static bool open_socket(private_stroke_socket_t *this)
socket_addr.sun_family = AF_UNIX;
strcpy(socket_addr.sun_path, STROKE_SOCKET);
-
+
/* set up unix socket */
this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
if (this->socket == -1)
@@ -590,7 +589,7 @@ static bool open_socket(private_stroke_socket_t *this)
DBG1(DBG_CFG, "could not create stroke socket");
return FALSE;
}
-
+
unlink(socket_addr.sun_path);
old = umask(~(S_IRWXU | S_IRWXG));
if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
@@ -605,7 +604,7 @@ static bool open_socket(private_stroke_socket_t *this)
DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
strerror(errno));
}
-
+
if (listen(this->socket, 10) < 0)
{
DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
@@ -625,7 +624,7 @@ static void destroy(private_stroke_socket_t *this)
charon->credentials->remove_set(charon->credentials, &this->ca->set);
charon->credentials->remove_set(charon->credentials, &this->cred->set);
charon->backends->remove_backend(charon->backends, &this->config->backend);
- charon->attributes->remove_provider(charon->attributes, &this->attribute->provider);
+ lib->attributes->remove_provider(lib->attributes, &this->attribute->provider);
this->cred->destroy(this->cred);
this->ca->destroy(this->ca);
this->config->destroy(this->config);
@@ -641,31 +640,31 @@ static void destroy(private_stroke_socket_t *this)
stroke_socket_t *stroke_socket_create()
{
private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t);
-
+
this->public.destroy = (void(*)(stroke_socket_t*))destroy;
-
+
if (!open_socket(this))
{
free(this);
return NULL;
}
-
+
this->cred = stroke_cred_create();
this->attribute = stroke_attribute_create();
this->ca = stroke_ca_create(this->cred);
this->config = stroke_config_create(this->ca, this->cred);
this->control = stroke_control_create();
this->list = stroke_list_create(this->attribute);
-
+
charon->credentials->add_set(charon->credentials, &this->ca->set);
charon->credentials->add_set(charon->credentials, &this->cred->set);
charon->backends->add_backend(charon->backends, &this->config->backend);
- charon->attributes->add_provider(charon->attributes, &this->attribute->provider);
-
+ lib->attributes->add_provider(lib->attributes, &this->attribute->provider);
+
this->job = callback_job_create((callback_job_cb_t)receive,
this, NULL, NULL);
charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
+
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h
index 6073f5133..2aac8be9b 100644
--- a/src/charon/plugins/stroke/stroke_socket.h
+++ b/src/charon/plugins/stroke/stroke_socket.h
@@ -27,11 +27,11 @@ typedef struct stroke_socket_t stroke_socket_t;
* Stroke socket, opens UNIX communication socket, reads and dispatches.
*/
struct stroke_socket_t {
-
+
/**
- * Destroy a stroke_socket instance.
- */
- void (*destroy)(stroke_socket_t *this);
+ * Destroy a stroke_socket instance.
+ */
+ void (*destroy)(stroke_socket_t *this);
};
/**