diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:18:20 +0000 |
commit | a9b7f8d4a4a4202facd9690580b38542e7933f00 (patch) | |
tree | d82a9d506c62cff257e5292845b68df3ca5c60dc /src/charon/plugins | |
parent | 12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff) | |
download | vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.tar.gz vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.zip |
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in
some cases.
- Enable integrity checking.
Diffstat (limited to 'src/charon/plugins')
74 files changed, 1000 insertions, 237 deletions
diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am index d5eb99d9f..b4b3b7da6 100644 --- a/src/charon/plugins/attr/Makefile.am +++ b/src/charon/plugins/attr/Makefile.am @@ -6,4 +6,4 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-attr.la libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \ attr_provider.h attr_provider.c -libstrongswan_attr_la_LDFLAGS = -module +libstrongswan_attr_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in index c0467054e..5c94771e1 100644 --- a/src/charon/plugins/attr/Makefile.in +++ b/src/charon/plugins/attr/Makefile.in @@ -73,12 +73,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -183,7 +186,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-attr.la libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \ attr_provider.h attr_provider.c -libstrongswan_attr_la_LDFLAGS = -module +libstrongswan_attr_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_aka/Makefile.am b/src/charon/plugins/eap_aka/Makefile.am index e1ad1eaf9..1a3ea1857 100644 --- a/src/charon/plugins/eap_aka/Makefile.am +++ b/src/charon/plugins/eap_aka/Makefile.am @@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapaka.la libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c -libstrongswan_eapaka_la_LDFLAGS = -module +libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version libstrongswan_eapaka_la_LIBADD = -lgmp diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in index 74d49ac73..2d2405379 100644 --- a/src/charon/plugins/eap_aka/Makefile.in +++ b/src/charon/plugins/eap_aka/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapaka.la libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c -libstrongswan_eapaka_la_LDFLAGS = -module +libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version libstrongswan_eapaka_la_LIBADD = -lgmp all: all-am diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am index 1057bd506..547a8dfc5 100644 --- a/src/charon/plugins/eap_gtc/Makefile.am +++ b/src/charon/plugins/eap_gtc/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapgtc.la libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c -libstrongswan_eapgtc_la_LDFLAGS = -module -lpam +libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in index 19d648bbd..46d438a97 100644 --- a/src/charon/plugins/eap_gtc/Makefile.in +++ b/src/charon/plugins/eap_gtc/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapgtc.la libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c -libstrongswan_eapgtc_la_LDFLAGS = -module -lpam +libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_identity/Makefile.am b/src/charon/plugins/eap_identity/Makefile.am index dbf66e74b..79ddee3e8 100644 --- a/src/charon/plugins/eap_identity/Makefile.am +++ b/src/charon/plugins/eap_identity/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapidentity.la libstrongswan_eapidentity_la_SOURCES = \ eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c -libstrongswan_eapidentity_la_LDFLAGS = -module +libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in index f275cd770..0adb9ce10 100644 --- a/src/charon/plugins/eap_identity/Makefile.in +++ b/src/charon/plugins/eap_identity/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-eapidentity.la libstrongswan_eapidentity_la_SOURCES = \ eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c -libstrongswan_eapidentity_la_LDFLAGS = -module +libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_md5/Makefile.am b/src/charon/plugins/eap_md5/Makefile.am index d7964fee9..8bad64368 100644 --- a/src/charon/plugins/eap_md5/Makefile.am +++ b/src/charon/plugins/eap_md5/Makefile.am @@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapmd5.la libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c -libstrongswan_eapmd5_la_LDFLAGS = -module +libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in index 372b80b3e..c11837b91 100644 --- a/src/charon/plugins/eap_md5/Makefile.in +++ b/src/charon/plugins/eap_md5/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon AM_CFLAGS = -rdynamic plugin_LTLIBRARIES = libstrongswan-eapmd5.la libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c -libstrongswan_eapmd5_la_LDFLAGS = -module +libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am index 6ab931905..179da70fc 100644 --- a/src/charon/plugins/eap_mschapv2/Makefile.am +++ b/src/charon/plugins/eap_mschapv2/Makefile.am @@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la libstrongswan_eapmschapv2_la_SOURCES = \ eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ eap_mschapv2.h eap_mschapv2.c -libstrongswan_eapmschapv2_la_LDFLAGS = -module +libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in index 5ae41d896..d6dd74b88 100644 --- a/src/charon/plugins/eap_mschapv2/Makefile.in +++ b/src/charon/plugins/eap_mschapv2/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_eapmschapv2_la_SOURCES = \ eap_mschapv2_plugin.h eap_mschapv2_plugin.c \ eap_mschapv2.h eap_mschapv2.c -libstrongswan_eapmschapv2_la_LDFLAGS = -module +libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am index f7de2f14f..df5c94656 100644 --- a/src/charon/plugins/eap_radius/Makefile.am +++ b/src/charon/plugins/eap_radius/Makefile.am @@ -10,5 +10,5 @@ libstrongswan_eapradius_la_SOURCES = \ eap_radius.h eap_radius.c \ radius_client.h radius_client.c \ radius_message.h radius_message.c -libstrongswan_eapradius_la_LDFLAGS = -module +libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in index e7a4cd0f8..c30111fad 100644 --- a/src/charon/plugins/eap_radius/Makefile.in +++ b/src/charon/plugins/eap_radius/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -229,7 +234,7 @@ libstrongswan_eapradius_la_SOURCES = \ radius_client.h radius_client.c \ radius_message.h radius_message.c -libstrongswan_eapradius_la_LDFLAGS = -module +libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c index ee2477440..deb3b648b 100644 --- a/src/charon/plugins/eap_radius/eap_radius.c +++ b/src/charon/plugins/eap_radius/eap_radius.c @@ -66,6 +66,11 @@ struct private_eap_radius_t { * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly */ bool eap_start; + + /** + * Prefix to prepend to EAP identity + */ + char *id_prefix; }; /** @@ -86,18 +91,20 @@ static void add_eap_identity(private_eap_radius_t *this, /** identity data */ u_int8_t data[]; } __attribute__((__packed__)) *hdr; - chunk_t id; + chunk_t id, prefix; size_t len; id = this->peer->get_encoding(this->peer); - len = sizeof(*hdr) + id.len; + prefix = chunk_create(this->id_prefix, strlen(this->id_prefix)); + len = sizeof(*hdr) + prefix.len + id.len; hdr = alloca(len); hdr->code = EAP_RESPONSE; hdr->identifier = 0; hdr->length = htons(len); hdr->type = EAP_IDENTITY; - memcpy(hdr->data, id.ptr, id.len); + memcpy(hdr->data, prefix.ptr, prefix.len); + memcpy(hdr->data + prefix.len, id.ptr, id.len); request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len)); } @@ -136,9 +143,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; + chunk_t username; request = radius_message_create_request(); - request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer)); + username = chunk_create(this->id_prefix, strlen(this->id_prefix)); + username = chunk_cata("cc", username, this->peer->get_encoding(this->peer)); + request->add(request, RAT_USER_NAME, username); if (this->eap_start) { @@ -283,7 +293,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer this->msk = chunk_empty; this->eap_start = lib->settings->get_bool(lib->settings, "charon.plugins.eap_radius.eap_start", FALSE); - + this->id_prefix = lib->settings->get_str(lib->settings, + "charon.plugins.eap_radius.id_prefix", ""); return &this->public; } diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c index 57d3f8f21..de1bafc6d 100644 --- a/src/charon/plugins/eap_radius/radius_client.c +++ b/src/charon/plugins/eap_radius/radius_client.c @@ -161,8 +161,8 @@ bool radius_client_init() "charon.plugins.eap_radius.sockets", 1); sockets = linked_list_create(); - mutex = mutex_create(MUTEX_DEFAULT); - condvar = condvar_create(CONDVAR_DEFAULT); + mutex = mutex_create(MUTEX_TYPE_DEFAULT); + condvar = condvar_create(CONDVAR_TYPE_DEFAULT); for (i = 0; i < count; i++) { fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP); @@ -353,6 +353,7 @@ static radius_message_t* request(private_radius_client_t *this, } DBG1(DBG_CFG, "RADIUS server is not responding"); put_socket(socket); + charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); return NULL; } diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am index 6cb53ebb5..e503bddab 100644 --- a/src/charon/plugins/eap_sim/Makefile.am +++ b/src/charon/plugins/eap_sim/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \ eap_sim_plugin.h eap_sim_plugin.c -libstrongswan_eapsim_la_LDFLAGS = -module +libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in index 2374567bc..8f6daacad 100644 --- a/src/charon/plugins/eap_sim/Makefile.in +++ b/src/charon/plugins/eap_sim/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \ eap_sim_plugin.h eap_sim_plugin.c -libstrongswan_eapsim_la_LDFLAGS = -module +libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am index fc3a0fa14..1cd1dd9e2 100644 --- a/src/charon/plugins/eap_sim_file/Makefile.am +++ b/src/charon/plugins/eap_sim_file/Makefile.am @@ -10,5 +10,5 @@ libstrongswan_eapsim_file_la_SOURCES = \ eap_sim_file_card.h eap_sim_file_card.c \ eap_sim_file_provider.h eap_sim_file_provider.c \ eap_sim_file_triplets.h eap_sim_file_triplets.c -libstrongswan_eapsim_file_la_LDFLAGS = -module +libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in index 554b3a7bc..b19cc839f 100644 --- a/src/charon/plugins/eap_sim_file/Makefile.in +++ b/src/charon/plugins/eap_sim_file/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -230,7 +235,7 @@ libstrongswan_eapsim_file_la_SOURCES = \ eap_sim_file_provider.h eap_sim_file_provider.c \ eap_sim_file_triplets.h eap_sim_file_triplets.c -libstrongswan_eapsim_file_la_LDFLAGS = -module +libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c index d093851c2..e27ed6860 100644 --- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c +++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c @@ -251,7 +251,7 @@ eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file) this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy; this->triplets = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); read_triplets(this, file); diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am index dc0234775..0c0987cca 100644 --- a/src/charon/plugins/kernel_klips/Makefile.am +++ b/src/charon/plugins/kernel_klips/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h -libstrongswan_kernel_klips_la_LDFLAGS = -module +libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in index a1efe9d5a..4b1c27352 100644 --- a/src/charon/plugins/kernel_klips/Makefile.in +++ b/src/charon/plugins/kernel_klips/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \ kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h -libstrongswan_kernel_klips_la_LDFLAGS = -module +libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c index c69ce4c9a..9a903d027 100644 --- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1934,6 +1934,16 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_klips_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + return NOT_SUPPORTED; /* TODO */ +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src, @@ -2609,6 +2619,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -2621,8 +2632,8 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create() this->allocated_spis = linked_list_create(); this->installed_sas = linked_list_create(); this->ipsec_devices = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfkey = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); this->seq = 0; diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am index e0efe5779..6351280d6 100644 --- a/src/charon/plugins/kernel_netlink/Makefile.am +++ b/src/charon/plugins/kernel_netlink/Makefile.am @@ -8,4 +8,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \ kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c -libstrongswan_kernel_netlink_la_LDFLAGS = -module +libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in index b97738bff..46d2a1c65 100644 --- a/src/charon/plugins/kernel_netlink/Makefile.in +++ b/src/charon/plugins/kernel_netlink/Makefile.in @@ -77,12 +77,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -187,7 +190,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -228,7 +233,7 @@ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \ kernel_netlink_shared.h kernel_netlink_shared.c -libstrongswan_kernel_netlink_la_LDFLAGS = -module +libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 9322d8dfe..2051316f6 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -984,16 +984,20 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, break; case ENCR_AES_CCM_ICV16: case ENCR_AES_GCM_ICV16: + case ENCR_CAMELLIA_CCM_ICV16: icv_size += 32; /* FALL */ case ENCR_AES_CCM_ICV12: case ENCR_AES_GCM_ICV12: + case ENCR_CAMELLIA_CCM_ICV12: icv_size += 32; /* FALL */ case ENCR_AES_CCM_ICV8: case ENCR_AES_GCM_ICV8: + case ENCR_CAMELLIA_CCM_ICV8: { - rthdr->rta_type = XFRMA_ALG_AEAD; + struct xfrm_algo_aead *algo; + alg_name = lookup_algorithm(encryption_algs, enc_alg); if (alg_name == NULL) { @@ -1004,6 +1008,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); + rthdr->rta_type = XFRMA_ALG_AEAD; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) @@ -1011,7 +1016,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, return FAILED; } - struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); + algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; algo->alg_icv_len = icv_size; strcpy(algo->alg_name, alg_name); @@ -1022,7 +1027,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, } default: { - rthdr->rta_type = XFRMA_ALG_CRYPT; + struct xfrm_algo *algo; + alg_name = lookup_algorithm(encryption_algs, enc_alg); if (alg_name == NULL) { @@ -1033,6 +1039,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); + rthdr->rta_type = XFRMA_ALG_CRYPT; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len); hdr->nlmsg_len += rthdr->rta_len; if (hdr->nlmsg_len > sizeof(request)) @@ -1040,13 +1047,12 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this, return FAILED; } - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); + algo = (struct xfrm_algo*)RTA_DATA(rthdr); algo->alg_key_len = enc_key.len * 8; strcpy(algo->alg_name, alg_name); memcpy(algo->alg_key, enc_key.ptr, enc_key.len); rthdr = XFRM_RTA_NEXT(rthdr); - break; } } @@ -1230,6 +1236,74 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + netlink_buf_t request; + struct nlmsghdr *out = NULL, *hdr; + struct xfrm_usersa_id *sa_id; + struct xfrm_usersa_info *sa = NULL; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST; + hdr->nlmsg_type = XFRM_MSG_GETSA; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); + + sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); + host2xfrm(dst, &sa_id->daddr); + sa_id->spi = spi; + sa_id->proto = proto_ike2kernel(protocol); + sa_id->family = dst->get_family(dst); + + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) + { + hdr = out; + while (NLMSG_OK(hdr, len)) + { + switch (hdr->nlmsg_type) + { + case XFRM_MSG_NEWSA: + { + sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); + break; + } + case NLMSG_ERROR: + { + struct nlmsgerr *err = NLMSG_DATA(hdr); + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)", + ntohl(spi), strerror(-err->error), -err->error); + break; + } + default: + hdr = NLMSG_NEXT(hdr, len); + continue; + case NLMSG_DONE: + break; + } + break; + } + } + + if (sa == NULL) + { + DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + free(out); + return FAILED; + } + *bytes = sa->curlft.bytes; + + free(out); + return SUCCESS; +} +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src, @@ -1888,6 +1962,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -1897,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() /* private members */ this->policies = hashtable_create((hashtable_hash_t)policy_hash, (hashtable_equals_t)policy_equals, 32); - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c index 32154a7ea..e5c0b5da7 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c @@ -1370,8 +1370,8 @@ kernel_netlink_net_t *kernel_netlink_net_create() /* private members */ this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); timerclear(&this->last_roam); this->routing_table = lib->settings->get_int(lib->settings, "charon.routing_table", IPSEC_ROUTING_TABLE); diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c index 7ef7cc56e..ec1187083 100644 --- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c +++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c @@ -255,7 +255,7 @@ netlink_socket_t *netlink_socket_create(int protocol) { /* private members */ this->seq = 200; - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am index c9d66b5de..e03a0ca02 100644 --- a/src/charon/plugins/kernel_pfkey/Makefile.am +++ b/src/charon/plugins/kernel_pfkey/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c -libstrongswan_kernel_pfkey_la_LDFLAGS = -module +libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in index df2492ef7..e01510127 100644 --- a/src/charon/plugins/kernel_pfkey/Makefile.in +++ b/src/charon/plugins/kernel_pfkey/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \ kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c -libstrongswan_kernel_pfkey_la_LDFLAGS = -module +libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 56f0320dc..1f83e8f39 100644 --- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -17,6 +17,10 @@ #include <sys/types.h> #include <sys/socket.h> +#ifdef __FreeBSD__ +#include <limits.h> /* for LONG_MAX */ +#endif + #ifdef HAVE_NET_PFKEYV2_H #include <net/pfkeyv2.h> #else @@ -37,11 +41,11 @@ #endif #ifdef HAVE_NATT -#ifdef HAVE_NETINET_UDP_H -#include <netinet/udp.h> -#else +#ifdef HAVE_LINUX_UDP_H #include <linux/udp.h> -#endif /*HAVE_NETINET_UDP_H*/ +#else +#include <netinet/udp.h> +#endif /*HAVE_LINUX_UDP_H*/ #endif /*HAVE_NATT*/ #include <unistd.h> @@ -89,7 +93,7 @@ #define IP_IPSEC_POLICY 16 #endif -/* missing on uclibc */ +/** missing on uclibc */ #ifndef IPV6_IPSEC_POLICY #define IPV6_IPSEC_POLICY 34 #endif @@ -98,6 +102,17 @@ #define PRIO_LOW 3000 #define PRIO_HIGH 2000 +#ifdef __APPLE__ +/** from xnu/bsd/net/pfkeyv2.h */ +#define SADB_X_EXT_NATT 0x002 + struct sadb_sa_2 { + struct sadb_sa sa; + u_int16_t sadb_sa_natt_port; + u_int16_t sadb_reserved0; + u_int32_t sadb_reserved1; + }; +#endif + /** buffer size for PF_KEY messages */ #define PFKEY_BUFFER_SIZE 4096 @@ -467,7 +482,7 @@ static u_int8_t dir2kernel(policy_dir_t dir) return IPSEC_DIR_FWD; #endif default: - return dir; + return IPSEC_DIR_INVALID; } } @@ -693,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out) while (len >= PFKEY_LEN(sizeof(struct sadb_ext))) { - DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); + DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type); if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) || ext->sadb_ext_len > len) { @@ -740,6 +755,8 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket this->mutex_pfkey->lock(this->mutex_pfkey); + /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367, + * in particular the behavior in response to an SADB_ACQUIRE. */ in->sadb_msg_seq = ++this->seq; in->sadb_msg_pid = getpid(); @@ -801,14 +818,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket } if (msg->sadb_msg_seq != this->seq) { - DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, " - "was %d expected %d", msg->sadb_msg_seq, this->seq); - if (msg->sadb_msg_seq < this->seq) + DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence " + "number, was %d expected %d", msg->sadb_msg_seq, this->seq); + if (msg->sadb_msg_seq == 0) + { + /* FreeBSD and Mac OS X do this for the response to + * SADB_X_SPDGET (but not for the response to SADB_GET). + * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */ + } + else if (msg->sadb_msg_seq < this->seq) { continue; } - this->mutex_pfkey->unlock(this->mutex_pfkey); - return FAILED; + else + { + this->mutex_pfkey->unlock(this->mutex_pfkey); + return FAILED; + } } if (msg->sadb_msg_type != in->sadb_msg_type) { @@ -1223,10 +1249,25 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this, msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD; msg->sadb_msg_satype = proto_ike2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); - - sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + +#ifdef __APPLE__ + if (encap) + { + struct sadb_sa_2 *sa_2; + sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); + sa_2->sadb_sa_natt_port = dst->get_port(dst); + sa = &sa_2->sa; + sa->sadb_sa_flags |= SADB_X_EXT_NATT; + len = sizeof(struct sadb_sa_2); + } + else +#endif + { + sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + len = sizeof(struct sadb_sa); + } sa->sadb_sa_exttype = SADB_EXT_SA; - sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); + sa->sadb_sa_len = PFKEY_LEN(len); sa->sadb_sa_spi = spi; sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32; sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg); @@ -1403,7 +1444,21 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, msg->sadb_msg_satype = proto_ike2satype(protocol); msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); +#ifdef __APPLE__ + { + struct sadb_sa_2 *sa_2; + sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg); + sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2)); + memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa)); + if (encap) + { + sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst); + sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT; + } + } +#else PFKEY_EXT_COPY(msg, response.sa); +#endif PFKEY_EXT_COPY(msg, response.x_sa2); PFKEY_EXT_COPY(msg, response.src); @@ -1421,7 +1476,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, { PFKEY_EXT_COPY(msg, response.key_auth); } - + #ifdef HAVE_NATT if (new_encap) { @@ -1449,6 +1504,65 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + unsigned char request[PFKEY_BUFFER_SIZE]; + struct sadb_msg *msg, *out; + struct sadb_sa *sa; + pfkey_msg_t response; + size_t len; + + memset(&request, 0, sizeof(request)); + + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + + msg = (struct sadb_msg*)request; + msg->sadb_msg_version = PF_KEY_V2; + msg->sadb_msg_type = SADB_GET; + msg->sadb_msg_satype = proto_ike2satype(protocol); + msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg)); + + sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg); + sa->sadb_sa_exttype = SADB_EXT_SA; + sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa)); + sa->sadb_sa_spi = spi; + PFKEY_EXT_ADD(msg, sa); + + /* the Linux Kernel doesn't care for the src address, but other systems do + * (e.g. FreeBSD) + */ + add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); + add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); + + if (pfkey_send(this, msg, &out, &len) != SUCCESS) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + return FAILED; + } + else if (out->sadb_msg_errno) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)", + ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno); + free(out); + return FAILED; + } + else if (parse_pfkey_message(out, &response) != SUCCESS) + { + DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); + free(out); + return FAILED; + } + *bytes = response.lft_current->sadb_lifetime_bytes; + + free(out); + return SUCCESS; +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, @@ -1476,7 +1590,9 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src, sa->sadb_sa_spi = spi; PFKEY_EXT_ADD(msg, sa); - /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */ + /* the Linux Kernel doesn't care for the src address, but other systems do + * (e.g. FreeBSD) + */ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0); add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0); @@ -1518,6 +1634,12 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, pfkey_msg_t response; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return SUCCESS; + } + /* create a policy */ policy = create_policy_entry(src_ts, dst_ts, direction, reqid); @@ -1594,6 +1716,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this, add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto, policy->dst.mask); +#ifdef __FreeBSD__ + { /* on FreeBSD a lifetime has to be defined to be able to later query + * the current use time. */ + struct sadb_lifetime *lft; + lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg); + lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; + lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime)); + lft->sadb_lifetime_addtime = LONG_MAX; + PFKEY_EXT_ADD(msg, lft); + } +#endif + this->mutex->unlock(this->mutex); if (pfkey_send(this, msg, &out, &len) != SUCCESS) @@ -1700,6 +1834,12 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, pfkey_msg_t response; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return NOT_FOUND; + } + DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); @@ -1764,6 +1904,13 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this, free(out); return FAILED; } + else if (response.lft_current == NULL) + { + DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no " + "use time", src_ts, dst_ts, policy_dir_names, direction); + free(out); + return FAILED; + } *use_time = response.lft_current->sadb_lifetime_usetime; @@ -1787,6 +1934,12 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this, route_entry_t *route; size_t len; + if (dir2kernel(direction) == IPSEC_DIR_INVALID) + { + /* FWD policies are not supported on all platforms */ + return SUCCESS; + } + DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts, policy_dir_names, direction); @@ -1995,6 +2148,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; @@ -2004,8 +2158,8 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create() /* private members */ this->policies = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfkey = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT); this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE); this->seq = 0; diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am index 3ad445c09..b6e6587a7 100644 --- a/src/charon/plugins/kernel_pfroute/Makefile.am +++ b/src/charon/plugins/kernel_pfroute/Makefile.am @@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ kernel_pfroute_net.h kernel_pfroute_net.c -libstrongswan_kernel_pfroute_la_LDFLAGS = -module +libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in index e585a7db2..05da8e271 100644 --- a/src/charon/plugins/kernel_pfroute/Makefile.in +++ b/src/charon/plugins/kernel_pfroute/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \ kernel_pfroute_net.h kernel_pfroute_net.c -libstrongswan_kernel_pfroute_la_LDFLAGS = -module +libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c index c2b35a5ce..d5a864b1c 100644 --- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -681,8 +681,8 @@ kernel_pfroute_net_t *kernel_pfroute_net_create() /* private members */ this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_DEFAULT); - this->mutex_pfroute = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT); this->seq = 0; diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am index 121f0b080..e6e04229a 100644 --- a/src/charon/plugins/load_tester/Makefile.am +++ b/src/charon/plugins/load_tester/Makefile.am @@ -13,5 +13,5 @@ libstrongswan_load_tester_la_SOURCES = \ load_tester_listener.c load_tester_listener.h \ load_tester_diffie_hellman.c load_tester_diffie_hellman.h -libstrongswan_load_tester_la_LDFLAGS = -module +libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in index 056ac16d3..3b494cea2 100644 --- a/src/charon/plugins/load_tester/Makefile.in +++ b/src/charon/plugins/load_tester/Makefile.in @@ -78,12 +78,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -188,7 +191,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -233,7 +238,7 @@ libstrongswan_load_tester_la_SOURCES = \ load_tester_listener.c load_tester_listener.h \ load_tester_diffie_hellman.c load_tester_diffie_hellman.h -libstrongswan_load_tester_la_LDFLAGS = -module +libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c index d37f7a7bd..e463d2adc 100644 --- a/src/charon/plugins/load_tester/load_tester_ipsec.c +++ b/src/charon/plugins/load_tester/load_tester_ipsec.c @@ -84,6 +84,16 @@ static status_t update_sa(private_load_tester_ipsec_t *this, } /** + * Implementation of kernel_interface_t.query_sa. + */ +static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src, + host_t *dst, u_int32_t spi, protocol_id_t protocol, + u_int64_t *bytes) +{ + return NOT_SUPPORTED; +} + +/** * Implementation of kernel_interface_t.del_sa. */ static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src, @@ -151,6 +161,7 @@ load_tester_ipsec_t *load_tester_ipsec_create() this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi; this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa; this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa; + this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa; this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa; this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy; this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c index 12ac7b090..93ed2e3c5 100644 --- a/src/charon/plugins/load_tester/load_tester_plugin.c +++ b/src/charon/plugins/load_tester/load_tester_plugin.c @@ -202,8 +202,8 @@ plugin_t *plugin_create() shutdown_on = this->iterations * this->initiators; } - this->mutex = mutex_create(MUTEX_DEFAULT); - this->condvar = condvar_create(CONDVAR_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); + this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); this->config = load_tester_config_create(); this->creds = load_tester_creds_create(); this->listener = load_tester_listener_create(shutdown_on); diff --git a/src/charon/plugins/medcli/Makefile.am b/src/charon/plugins/medcli/Makefile.am index f15950af9..a5f018f82 100644 --- a/src/charon/plugins/medcli/Makefile.am +++ b/src/charon/plugins/medcli/Makefile.am @@ -8,5 +8,5 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \ medcli_creds.h medcli_creds.c \ medcli_config.h medcli_config.c \ medcli_listener.h medcli_listener.c -libstrongswan_medcli_la_LDFLAGS = -module +libstrongswan_medcli_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in index cef486411..9a2b3f889 100644 --- a/src/charon/plugins/medcli/Makefile.in +++ b/src/charon/plugins/medcli/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -227,7 +232,7 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \ medcli_config.h medcli_config.c \ medcli_listener.h medcli_listener.c -libstrongswan_medcli_la_LDFLAGS = -module +libstrongswan_medcli_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/medsrv/Makefile.am b/src/charon/plugins/medsrv/Makefile.am index 476da1878..f3611a79e 100644 --- a/src/charon/plugins/medsrv/Makefile.am +++ b/src/charon/plugins/medsrv/Makefile.am @@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-medsrv.la libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \ medsrv_creds.h medsrv_creds.c \ medsrv_config.h medsrv_config.c -libstrongswan_medsrv_la_LDFLAGS = -module +libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in index ec537e505..ba599499b 100644 --- a/src/charon/plugins/medsrv/Makefile.in +++ b/src/charon/plugins/medsrv/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \ medsrv_creds.h medsrv_creds.c \ medsrv_config.h medsrv_config.c -libstrongswan_medsrv_la_LDFLAGS = -module +libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am index 9a0b48cd2..b74a4e46f 100644 --- a/src/charon/plugins/nm/Makefile.am +++ b/src/charon/plugins/nm/Makefile.am @@ -9,5 +9,5 @@ libstrongswan_nm_la_SOURCES = \ nm_service.h nm_service.c \ nm_creds.h nm_creds.c \ nm_handler.h nm_handler.c -libstrongswan_nm_la_LDFLAGS = -module +libstrongswan_nm_la_LDFLAGS = -module -avoid-version libstrongswan_nm_la_LIBADD = ${nm_LIBS} diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in index a75af8a0f..c7c428c2a 100644 --- a/src/charon/plugins/nm/Makefile.in +++ b/src/charon/plugins/nm/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -228,7 +233,7 @@ libstrongswan_nm_la_SOURCES = \ nm_creds.h nm_creds.c \ nm_handler.h nm_handler.c -libstrongswan_nm_la_LDFLAGS = -module +libstrongswan_nm_la_LDFLAGS = -module -avoid-version libstrongswan_nm_la_LIBADD = ${nm_LIBS} all: all-am diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c index d93b81c9a..4ea2c36dd 100644 --- a/src/charon/plugins/nm/nm_creds.c +++ b/src/charon/plugins/nm/nm_creds.c @@ -322,7 +322,7 @@ nm_creds_t *nm_creds_create() this->public.clear = (void(*)(nm_creds_t*))clear; this->public.destroy = (void(*)(nm_creds_t*))destroy; - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->cert = NULL; this->user = NULL; diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c index bca4d9e09..88a3cc95e 100644 --- a/src/charon/plugins/nm/nm_service.c +++ b/src/charon/plugins/nm/nm_service.c @@ -14,6 +14,7 @@ */ #include <nm-setting-vpn.h> +#include <nm-setting-connection.h> #include "nm_service.h" #include <daemon.h> @@ -25,8 +26,6 @@ #include <stdio.h> -#define CONFIG_NAME "NetworkManager" - G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN) /** @@ -43,6 +42,8 @@ typedef struct { nm_creds_t *creds; /* attribute handler for DNS/NBNS server information */ nm_handler_t *handler; + /* name of the connection */ + char *name; } NMStrongswanPluginPrivate; #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \ @@ -121,14 +122,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin, /** * signal failure to NM, connecting failed */ -static void signal_failure(NMVPNPlugin *plugin) +static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure) { nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler; handler->reset(handler); /* TODO: NM does not handle this failure!? */ - nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); + nm_vpn_plugin_failure(plugin, failure); nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED); } @@ -140,16 +141,10 @@ static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa, { NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; - if (private->ike_sa == ike_sa) + if (private->ike_sa == ike_sa && state == IKE_DESTROYING) { - switch (state) - { - case IKE_DESTROYING: - signal_failure(private->plugin); - return FALSE; - default: - break; - } + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED); + return FALSE; } return TRUE; } @@ -161,32 +156,63 @@ static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state) { NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + + if (private->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED); + return FALSE; + } + return TRUE; +} +/** + * Implementation of listener_t.child_updown + */ +static bool child_updown(listener_t *listener, ike_sa_t *ike_sa, + child_sa_t *child_sa, bool up) +{ + NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + if (private->ike_sa == ike_sa) { - switch (state) + if (up) + { /* disable initiate-failure-detection hooks */ + private->listener.ike_state_change = NULL; + private->listener.child_state_change = NULL; + signal_ipv4_config(private->plugin, ike_sa, child_sa); + } + else { - case CHILD_INSTALLED: - signal_ipv4_config(private->plugin, ike_sa, child_sa); - return FALSE; - case CHILD_DESTROYING: - signal_failure(private->plugin); - return FALSE; - default: - break; + signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED); + return FALSE; } } return TRUE; } /** + * Implementation of listener_t.ike_rekey + */ +static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new) +{ + NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener; + + if (private->ike_sa == old) + { /* follow a rekeyed IKE_SA */ + private->ike_sa = new; + } + return TRUE; +} + +/** * Connect function called from NM via DBUS */ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, GError **err) { - nm_creds_t *creds; - NMSettingVPN *settings; + NMStrongswanPluginPrivate *priv; + NMSettingConnection *conn; + NMSettingVPN *vpn; identification_t *user = NULL, *gateway; const char *address, *str; bool virtual, encap, ipcomp; @@ -204,25 +230,34 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * Read parameters */ - settings = NM_SETTING_VPN(nm_connection_get_setting(connection, - NM_TYPE_SETTING_VPN)); - - DBG4(DBG_CFG, "received NetworkManager connection: %s", - nm_setting_to_string(NM_SETTING(settings))); - address = nm_setting_vpn_get_data_item(settings, "address"); + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection, + NM_TYPE_SETTING_CONNECTION)); + vpn = NM_SETTING_VPN(nm_connection_get_setting(connection, + NM_TYPE_SETTING_VPN)); + if (priv->name) + { + free(priv->name); + } + priv->name = strdup(nm_setting_connection_get_id(conn)); + DBG1(DBG_CFG, "received initiate for NetworkManager connection %s", + priv->name); + DBG4(DBG_CFG, "%s", + nm_setting_to_string(NM_SETTING(vpn))); + address = nm_setting_vpn_get_data_item(vpn, "address"); if (!address || !*address) { g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, "Gateway address missing."); return FALSE; } - str = nm_setting_vpn_get_data_item(settings, "virtual"); + str = nm_setting_vpn_get_data_item(vpn, "virtual"); virtual = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "encap"); + str = nm_setting_vpn_get_data_item(vpn, "encap"); encap = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "ipcomp"); + str = nm_setting_vpn_get_data_item(vpn, "ipcomp"); ipcomp = str && streq(str, "yes"); - str = nm_setting_vpn_get_data_item(settings, "method"); + str = nm_setting_vpn_get_data_item(vpn, "method"); if (str) { if (streq(str, "psk")) @@ -243,16 +278,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, /** * Register credentials */ - creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds; - creds->clear(creds); + priv->creds->clear(priv->creds); /* gateway/CA cert */ - str = nm_setting_vpn_get_data_item(settings, "certificate"); + str = nm_setting_vpn_get_data_item(vpn, "certificate"); if (str) { cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, str, BUILD_END); - creds->set_certificate(creds, cert); + priv->creds->set_certificate(priv->creds, cert); } if (!cert) { @@ -279,19 +313,19 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, if (auth_class == AUTH_CLASS_EAP) { /* username/password authentication ... */ - str = nm_setting_vpn_get_data_item(settings, "user"); + str = nm_setting_vpn_get_data_item(vpn, "user"); if (str) { user = identification_create_from_string((char*)str); - str = nm_setting_vpn_get_secret(settings, "password"); - creds->set_username_password(creds, user, (char*)str); + str = nm_setting_vpn_get_secret(vpn, "password"); + priv->creds->set_username_password(priv->creds, user, (char*)str); } } if (auth_class == AUTH_CLASS_PUBKEY) { /* ... or certificate/private key authenitcation */ - str = nm_setting_vpn_get_data_item(settings, "usercert"); + str = nm_setting_vpn_get_data_item(vpn, "usercert"); if (str) { public_key_t *public; @@ -308,7 +342,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, return FALSE; } /* try agent */ - str = nm_setting_vpn_get_secret(settings, "agent"); + str = nm_setting_vpn_get_secret(vpn, "agent"); if (agent && str) { public = cert->get_public_key(cert); @@ -329,14 +363,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, } } /* ... or key file */ - str = nm_setting_vpn_get_data_item(settings, "userkey"); + str = nm_setting_vpn_get_data_item(vpn, "userkey"); if (!agent && str) { chunk_t secret, chunk; bool pgp = FALSE; - secret.ptr = (char*)nm_setting_vpn_get_secret(settings, - "password"); + secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password"); if (secret.ptr) { secret.len = strlen(secret.ptr); @@ -358,7 +391,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { user = cert->get_subject(cert); user = user->clone(user); - creds->set_cert_and_key(creds, cert, private); + priv->creds->set_cert_and_key(priv->creds, cert, private); } else { @@ -382,7 +415,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, */ ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address); ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); - peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg, + peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */ 36000, 0, /* rekey 10h, reauth none */ 600, 600, /* jitter, over 10min */ @@ -398,11 +431,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, auth->add(auth, AUTH_RULE_IDENTITY, gateway); peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); - child_cfg = child_cfg_create(CONFIG_NAME, + child_cfg = child_cfg_create(priv->name, 10800, 10200, /* lifetime 3h, rekey 2h50min */ 300, /* jitter 5min */ NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ - ACTION_NONE, ACTION_RESTART, ipcomp); + ACTION_NONE, ACTION_NONE, ipcomp); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); @@ -413,7 +446,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, peer_cfg->add_child_cfg(peer_cfg, child_cfg); /** - * Start to initiate + * Prepare IKE_SA */ ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, peer_cfg); @@ -425,21 +458,27 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, { peer_cfg->destroy(peer_cfg); } + + /** + * Register listener, enable initiate-failure-detection hooks + */ + priv->ike_sa = ike_sa; + priv->listener.ike_state_change = ike_state_change; + priv->listener.child_state_change = child_state_change; + charon->bus->add_listener(charon->bus, &priv->listener); + + /** + * Initiate + */ if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) { + charon->bus->remove_listener(charon->bus, &priv->listener); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa); g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, "Initiating failed."); return FALSE; } - - /** - * Register listener - */ - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->ike_sa = ike_sa; - charon->bus->add_listener(charon->bus, - &NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); return TRUE; } @@ -501,14 +540,16 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection, */ static gboolean disconnect(NMVPNPlugin *plugin, GError **err) { + NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); enumerator_t *enumerator; ike_sa_t *ike_sa; u_int id; + /* our ike_sa pointer might be invalid, lookup sa */ enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); while (enumerator->enumerate(enumerator, &ike_sa)) { - if (streq(CONFIG_NAME, ike_sa->get_name(ike_sa))) + if (priv->ike_sa == ike_sa) { id = ike_sa->get_unique_id(ike_sa); enumerator->destroy(enumerator); @@ -529,13 +570,13 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err) */ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin) { - NMStrongswanPluginPrivate *private; + NMStrongswanPluginPrivate *priv; - private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); - private->plugin = NM_VPN_PLUGIN(plugin); - memset(&private->listener.log, 0, sizeof(listener_t)); - private->listener.ike_state_change = ike_state_change; - private->listener.child_state_change = child_state_change; + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + priv->plugin = NM_VPN_PLUGIN(plugin); + memset(&priv->listener.log, 0, sizeof(listener_t)); + priv->listener.child_updown = child_updown; + priv->listener.ike_rekey = ike_rekey; } /** @@ -565,8 +606,12 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds, NULL); if (plugin) { - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds; - NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler; + NMStrongswanPluginPrivate *priv; + + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + priv->creds = creds; + priv->handler = handler; + priv->name = NULL; } return plugin; } diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am index 917964f93..be7f862f2 100644 --- a/src/charon/plugins/resolv_conf/Makefile.am +++ b/src/charon/plugins/resolv_conf/Makefile.am @@ -8,6 +8,6 @@ plugin_LTLIBRARIES = libstrongswan-resolv-conf.la libstrongswan_resolv_conf_la_SOURCES = \ resolv_conf_plugin.h resolv_conf_plugin.c \ resolv_conf_handler.h resolv_conf_handler.c -libstrongswan_resolv_conf_la_LDFLAGS = -module +libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in index 91ddae582..19c20467a 100644 --- a/src/charon/plugins/resolv_conf/Makefile.in +++ b/src/charon/plugins/resolv_conf/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -229,7 +234,7 @@ libstrongswan_resolv_conf_la_SOURCES = \ resolv_conf_plugin.h resolv_conf_plugin.c \ resolv_conf_handler.h resolv_conf_handler.c -libstrongswan_resolv_conf_la_LDFLAGS = -module +libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c index 19e3b3275..749cfbc5b 100644 --- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c +++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c @@ -183,7 +183,7 @@ resolv_conf_handler_t *resolv_conf_handler_create() this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release; this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy; - this->mutex = mutex_create(MUTEX_DEFAULT); + this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); this->file = lib->settings->get_str(lib->settings, "charon.plugins.resolv-conf.file", RESOLV_CONF); diff --git a/src/charon/plugins/smp/Makefile.am b/src/charon/plugins/smp/Makefile.am index 1679f1c68..a434b388b 100644 --- a/src/charon/plugins/smp/Makefile.am +++ b/src/charon/plugins/smp/Makefile.am @@ -5,6 +5,6 @@ AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-smp.la libstrongswan_smp_la_SOURCES = smp.h smp.c -libstrongswan_smp_la_LDFLAGS = -module +libstrongswan_smp_la_LDFLAGS = -module -avoid-version libstrongswan_smp_la_LIBADD = ${xml_LIBS} diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in index f06321ba7..d23d2d001 100644 --- a/src/charon/plugins/smp/Makefile.in +++ b/src/charon/plugins/smp/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CF AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\" plugin_LTLIBRARIES = libstrongswan-smp.la libstrongswan_smp_la_SOURCES = smp.h smp.c -libstrongswan_smp_la_LDFLAGS = -module +libstrongswan_smp_la_LDFLAGS = -module -avoid-version libstrongswan_smp_la_LIBADD = ${xml_LIBS} all: all-am diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am index ea39ce0d5..bf4963f29 100644 --- a/src/charon/plugins/sql/Makefile.am +++ b/src/charon/plugins/sql/Makefile.am @@ -10,7 +10,7 @@ plugin_LTLIBRARIES = libstrongswan-sql.la libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \ sql_config.h sql_config.c sql_cred.h sql_cred.c \ sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c -libstrongswan_sql_la_LDFLAGS = -module +libstrongswan_sql_la_LDFLAGS = -module -avoid-version ipsec_PROGRAMS = pool pool_SOURCES = pool.c diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in index 0848ea0dd..f6fd8e4f7 100644 --- a/src/charon/plugins/sql/Makefile.in +++ b/src/charon/plugins/sql/Makefile.in @@ -82,12 +82,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -152,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -192,7 +195,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -237,7 +242,7 @@ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \ sql_config.h sql_config.c sql_cred.h sql_cred.c \ sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c -libstrongswan_sql_la_LDFLAGS = -module +libstrongswan_sql_la_LDFLAGS = -module -avoid-version pool_SOURCES = pool.c pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c index 7d393b6f7..ebcc9adc7 100644 --- a/src/charon/plugins/sql/pool.c +++ b/src/charon/plugins/sql/pool.c @@ -637,8 +637,19 @@ int main(int argc, char *argv[]) } operation = OP_USAGE; dbg = dbg_stderr; - library_init(STRONGSWAN_CONF); atexit(library_deinit); + + /* initialize library */ + if (!library_init(STRONGSWAN_CONF)) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (lib->integrity && + !lib->integrity->check_file(lib->integrity, "pool", argv[0])) + { + fprintf(stderr, "integrity check of pool failed\n"); + exit(SS_RC_DAEMON_INTEGRITY); + } lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR, lib->settings->get_str(lib->settings, "pool.load", PLUGINS)); diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c index 95d0d30d4..77601e612 100644 --- a/src/charon/plugins/sql/sql_attribute.c +++ b/src/charon/plugins/sql/sql_attribute.c @@ -92,25 +92,18 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout) } /** - * Lookup a lease + * Look up an existing lease */ -static host_t *get_address(private_sql_attribute_t *this, char *name, - u_int pool, u_int timeout, u_int identity) +static host_t* check_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int identity) { - enumerator_t *e; - u_int id; - chunk_t address; - host_t *host; - time_t now = time(NULL); - - /* We check for leases for that identity first and for other expired - * leases afterwards. We select an address as a candidate, but double - * check if it is still valid in the update. This allows us to work - * without locking. */ - - /* check for an existing lease for that identity */ while (TRUE) { + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + e = this->db->query(this->db, "SELECT id, address FROM addresses " "WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1", @@ -122,11 +115,14 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } address = chunk_clonea(address); e->destroy(e); + if (this->db->execute(this->db, NULL, "UPDATE addresses SET acquired = ?, released = 0 " "WHERE id = ? AND identity = ? AND released != 0", DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0) { + host_t *host; + host = host_create_from_chunk(AF_UNSPEC, address, 0); if (host) { @@ -136,14 +132,43 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } } } - - /* check for an expired lease */ + return NULL; +} + +/** + * We check for unallocated addresses or expired leases. First we select an + * address as a candidate, but double check later on if it is still available + * during the update operation. This allows us to work without locking. + */ +static host_t* get_lease(private_sql_attribute_t *this, char *name, + u_int pool, u_int timeout, u_int identity) +{ while (TRUE) { - e = this->db->query(this->db, + u_int id; + chunk_t address; + enumerator_t *e; + time_t now = time(NULL); + int hits; + + if (timeout) + { + /* check for an expired lease */ + e = this->db->query(this->db, "SELECT id, address FROM addresses " "WHERE pool = ? AND released != 0 AND released < ? LIMIT 1", DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB); + } + else + { + /* with static leases, check for an unallocated address */ + e = this->db->query(this->db, + "SELECT id, address FROM addresses " + "WHERE pool = ? AND identity = 0 LIMIT 1", + DB_UINT, pool, DB_UINT, DB_BLOB); + + } + if (!e || !e->enumerate(e, &id, &address)) { DESTROY_IF(e); @@ -152,13 +177,27 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, address = chunk_clonea(address); e->destroy(e); - if (this->db->execute(this->db, NULL, - "UPDATE addresses SET " - "acquired = ?, released = 0, identity = ? " - "WHERE id = ? AND released != 0 AND released < ?", - DB_UINT, now, DB_UINT, identity, - DB_UINT, id, DB_UINT, now - timeout) > 0) + if (timeout) + { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND released != 0 AND released < ?", + DB_UINT, now, DB_UINT, identity, + DB_UINT, id, DB_UINT, now - timeout); + } + else { + hits = this->db->execute(this->db, NULL, + "UPDATE addresses SET " + "acquired = ?, released = 0, identity = ? " + "WHERE id = ? AND identity = 0", + DB_UINT, now, DB_UINT, identity, DB_UINT, id); + } + if (hits > 0) + { + host_t *host; + host = host_create_from_chunk(AF_UNSPEC, address, 0); if (host) { @@ -169,37 +208,75 @@ static host_t *get_address(private_sql_attribute_t *this, char *name, } } DBG1(DBG_CFG, "no available address found in pool '%s'", name); - return 0; + return NULL; } /** * Implementation of attribute_provider_t.acquire_address */ static host_t* acquire_address(private_sql_attribute_t *this, - char *name, identification_t *id, + char *names, identification_t *id, host_t *requested) { - enumerator_t *enumerator; - u_int pool, timeout, identity; host_t *address = NULL; - + u_int identity, pool, timeout; + identity = get_identity(this, id); if (identity) { - enumerator = enumerator_create_token(name, ",", " "); - while (enumerator->enumerate(enumerator, &name)) + /* check for a single pool first (no concatenation and enumeration) */ + if (strchr(names, ',') == NULL) { - pool = get_pool(this, name, &timeout); + pool = get_pool(this, names, &timeout); if (pool) { - address = get_address(this, name, pool, timeout, identity); - if (address) + /* check for an existing lease */ + address = check_lease(this, names, pool, identity); + if (address == NULL) + { + /* get an unallocated address or expired lease */ + address = get_lease(this, names, pool, timeout, identity); + } + } + } + else + { + enumerator_t *enumerator; + char *name; + + /* in a first step check for an existing lease over all pools */ + enumerator = enumerator_create_token(names, ",", " "); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, &timeout); + if (pool) + { + address = check_lease(this, name, pool, identity); + if (address) + { + enumerator->destroy(enumerator); + return address; + } + } + } + enumerator->destroy(enumerator); + + /* in a second step get an unallocated address or expired lease */ + enumerator = enumerator_create_token(names, ",", " "); + while (enumerator->enumerate(enumerator, &name)) + { + pool = get_pool(this, name, &timeout); + if (pool) { - break; + address = get_lease(this, name, pool, timeout, identity); + if (address) + { + break; + } } } + enumerator->destroy(enumerator); } - enumerator->destroy(enumerator); } return address; } diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c index 3e5efce34..e7dfe573b 100644 --- a/src/charon/plugins/sql/sql_config.c +++ b/src/charon/plugins/sql/sql_config.c @@ -295,10 +295,10 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, mediation, mediated_cfg, peer_id); auth = auth_cfg_create(); auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method); - auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id)); + auth->add(auth, AUTH_RULE_IDENTITY, local_id); peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); auth = auth_cfg_create(); - auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id)); + auth->add(auth, AUTH_RULE_IDENTITY, remote_id); if (eap_type) { auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am index fb58ba62b..79a63f2c2 100644 --- a/src/charon/plugins/stroke/Makefile.am +++ b/src/charon/plugins/stroke/Makefile.am @@ -18,5 +18,5 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \ stroke_list.h stroke_list.c \ stroke_shared_key.h stroke_shared_key.c -libstrongswan_stroke_la_LDFLAGS = -module +libstrongswan_stroke_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in index f246286a0..19822ebc8 100644 --- a/src/charon/plugins/stroke/Makefile.in +++ b/src/charon/plugins/stroke/Makefile.in @@ -76,12 +76,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -186,7 +189,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -237,7 +242,7 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \ stroke_list.h stroke_list.c \ stroke_shared_key.h stroke_shared_key.c -libstrongswan_stroke_la_LDFLAGS = -module +libstrongswan_stroke_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c index a7925ce3e..d3211fd67 100644 --- a/src/charon/plugins/stroke/stroke_attribute.c +++ b/src/charon/plugins/stroke/stroke_attribute.c @@ -539,7 +539,7 @@ stroke_attribute_t *stroke_attribute_create() this->public.destroy = (void(*)(stroke_attribute_t*))destroy; this->pools = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); return &this->public; } diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c index fab06e6c5..c354d8cb8 100644 --- a/src/charon/plugins/stroke/stroke_ca.c +++ b/src/charon/plugins/stroke/stroke_ca.c @@ -447,7 +447,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) this->public.destroy = (void(*)(stroke_ca_t*))destroy; this->sections = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->cred = cred; return &this->public; diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index 028e71e71..0b6a4ac31 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -924,7 +924,7 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) this->public.destroy = (void(*)(stroke_config_t*))destroy; this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_RECURSIVE); + this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->ca = ca; this->cred = cred; diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c index dc73299b8..31bcfe9f4 100644 --- a/src/charon/plugins/stroke/stroke_cred.c +++ b/src/charon/plugins/stroke/stroke_cred.c @@ -16,6 +16,8 @@ #include <sys/stat.h> #include <limits.h> +#include <glob.h> +#include <libgen.h> #include "stroke_cred.h" #include "stroke_shared_key.h" @@ -41,6 +43,8 @@ #define CRL_DIR IPSEC_D_DIR "/crls" #define SECRETS_FILE CONFIG_DIR "/ipsec.secrets" +#define MAX_SECRETS_RECURSION 10 + typedef struct private_stroke_cred_t private_stroke_cred_t; /** @@ -691,7 +695,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line) /** * reload ipsec.secrets */ -static void load_secrets(private_stroke_cred_t *this) +static void load_secrets(private_stroke_cred_t *this, char *file, int level) { size_t bytes; int line_nr = 0; @@ -700,9 +704,9 @@ static void load_secrets(private_stroke_cred_t *this) private_key_t *private; shared_key_t *shared; - DBG1(DBG_CFG, "loading secrets from '%s'", SECRETS_FILE); + DBG1(DBG_CFG, "loading secrets from '%s'", file); - fd = fopen(SECRETS_FILE, "r"); + fd = fopen(file, "r"); if (fd == NULL) { DBG1(DBG_CFG, "opening secrets file '%s' failed"); @@ -719,15 +723,19 @@ static void load_secrets(private_stroke_cred_t *this) src = chunk; this->lock->write_lock(this->lock); - while (this->shared->remove_last(this->shared, - (void**)&shared) == SUCCESS) - { - shared->destroy(shared); - } - while (this->private->remove_last(this->private, - (void**)&private) == SUCCESS) + if (level == 0) { - private->destroy(private); + /* flush secrets on non-recursive invocation */ + while (this->shared->remove_last(this->shared, + (void**)&shared) == SUCCESS) + { + shared->destroy(shared); + } + while (this->private->remove_last(this->private, + (void**)&private) == SUCCESS) + { + private->destroy(private); + } } while (fetchline(&src, &line)) @@ -741,6 +749,66 @@ static void load_secrets(private_stroke_cred_t *this) { continue; } + if (line.len > strlen("include ") && + strneq(line.ptr, "include ", strlen("include "))) + { + glob_t buf; + char **expanded, *dir, pattern[PATH_MAX]; + u_char *pos; + + if (level > MAX_SECRETS_RECURSION) + { + DBG1(DBG_CFG, "maximum level of %d includes reached, ignored", + MAX_SECRETS_RECURSION); + continue; + } + /* terminate filename by space */ + line = chunk_skip(line, strlen("include ")); + pos = memchr(line.ptr, ' ', line.len); + if (pos) + { + line.len = pos - line.ptr; + } + if (line.len && line.ptr[0] == '/') + { + if (line.len + 1 > sizeof(pattern)) + { + DBG1(DBG_CFG, "include pattern too long, ignored"); + continue; + } + snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr); + } + else + { /* use directory of current file if relative */ + dir = strdup(file); + dir = dirname(dir); + + if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern)) + { + DBG1(DBG_CFG, "include pattern too long, ignored"); + free(dir); + continue; + } + snprintf(pattern, sizeof(pattern), "%s/%.*s", + dir, line.len, line.ptr); + free(dir); + } + if (glob(pattern, GLOB_ERR, NULL, &buf) != 0) + { + DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern); + globfree(&buf); + } + else + { + for (expanded = buf.gl_pathv; *expanded != NULL; expanded++) + { + load_secrets(this, *expanded, level + 1); + } + } + globfree(&buf); + continue; + } + if (line.len > 2 && strneq(": ", line.ptr, 2)) { /* no ids, skip the ':' */ @@ -989,7 +1057,7 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg) if (msg->reread.flags & REREAD_SECRETS) { DBG1(DBG_CFG, "rereading secrets"); - load_secrets(this); + load_secrets(this, SECRETS_FILE, 0); } if (msg->reread.flags & REREAD_CACERTS) { @@ -1057,10 +1125,10 @@ stroke_cred_t *stroke_cred_create() this->certs = linked_list_create(); this->shared = linked_list_create(); this->private = linked_list_create(); - this->lock = rwlock_create(RWLOCK_DEFAULT); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); load_certs(this); - load_secrets(this); + load_secrets(this, SECRETS_FILE, 0); this->cachecrl = FALSE; diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 564a511a1..6f421bd30 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c @@ -146,8 +146,8 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) */ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) { - u_int32_t rekey, now = time(NULL); - u_int32_t use_in, use_out; + time_t use_in, use_out, rekey, now = time(NULL); + u_int64_t bytes_in, bytes_out; proposal_t *proposal; child_cfg_t *config = child_sa->get_config(child_sa); @@ -205,6 +205,20 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) } } } + + child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in); + fprintf(out, ", %llu bytes_i", bytes_in); + if (use_in) + { + fprintf(out, " (%ds ago)", now - use_in); + } + + child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out); + fprintf(out, ", %llu bytes_o", bytes_out); + if (use_out) + { + fprintf(out, " (%ds ago)", now - use_out); + } fprintf(out, ", rekeying "); rekey = child_sa->get_lifetime(child_sa, FALSE); @@ -224,25 +238,6 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all) fprintf(out, "disabled"); } - fprintf(out, ", last use: "); - use_in = child_sa->get_usetime(child_sa, TRUE); - if (use_in) - { - fprintf(out, "%ds_i ", now - use_in); - } - else - { - fprintf(out, "no_i "); - } - use_out = child_sa->get_usetime(child_sa, FALSE); - if (use_out) - { - fprintf(out, "%ds_o ", now - use_out); - } - else - { - fprintf(out, "no_o "); - } } } diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c index f61171e22..9b6a8a3a7 100644 --- a/src/charon/plugins/stroke/stroke_socket.c +++ b/src/charon/plugins/stroke/stroke_socket.c @@ -27,6 +27,7 @@ #include <processing/jobs/callback_job.h> #include <daemon.h> +#include <utils/mutex.h> /* for Mac OS X compatible accept */ #include "stroke_config.h" #include "stroke_control.h" diff --git a/src/charon/plugins/uci/Makefile.am b/src/charon/plugins/uci/Makefile.am index 0136bf5e9..9fdbfb709 100644 --- a/src/charon/plugins/uci/Makefile.am +++ b/src/charon/plugins/uci/Makefile.am @@ -8,7 +8,7 @@ libstrongswan_uci_la_SOURCES = \ uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \ uci_config.h uci_config.c uci_creds.h uci_creds.c \ uci_control.h uci_control.c -libstrongswan_uci_la_LDFLAGS = -module +libstrongswan_uci_la_LDFLAGS = -module -avoid-version libstrongswan_uci_la_LIBADD = -luci diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in index e599135cb..c4fb335d7 100644 --- a/src/charon/plugins/uci/Makefile.in +++ b/src/charon/plugins/uci/Makefile.in @@ -74,12 +74,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -184,7 +187,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_uci_la_SOURCES = \ uci_config.h uci_config.c uci_creds.h uci_creds.c \ uci_control.h uci_control.c -libstrongswan_uci_la_LDFLAGS = -module +libstrongswan_uci_la_LDFLAGS = -module -avoid-version libstrongswan_uci_la_LIBADD = -luci all: all-am diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am index 50c5e0362..64846f995 100644 --- a/src/charon/plugins/unit_tester/Makefile.am +++ b/src/charon/plugins/unit_tester/Makefile.am @@ -20,5 +20,5 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \ tests/test_agent.c \ tests/test_id.c -libstrongswan_unit_tester_la_LDFLAGS = -module +libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in index 2ee5e48d8..0bf0cf301 100644 --- a/src/charon/plugins/unit_tester/Makefile.in +++ b/src/charon/plugins/unit_tester/Makefile.in @@ -79,12 +79,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -189,7 +192,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -241,7 +246,7 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \ tests/test_agent.c \ tests/test_id.c -libstrongswan_unit_tester_la_LDFLAGS = -module +libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h index dcf2a5d18..b99940c1a 100644 --- a/src/charon/plugins/unit_tester/tests.h +++ b/src/charon/plugins/unit_tester/tests.h @@ -36,5 +36,8 @@ DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE) DEFINE_TEST("IP pool", test_pool, FALSE) DEFINE_TEST("SSH agent", test_agent, FALSE) DEFINE_TEST("ID parts", test_id_parts, FALSE) +DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE) +DEFINE_TEST("ID equals", test_id_equals, FALSE) +DEFINE_TEST("ID matches", test_id_matches, FALSE) /** @}*/ diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c index 56dab2421..a1ef76be8 100644 --- a/src/charon/plugins/unit_tester/tests/test_id.c +++ b/src/charon/plugins/unit_tester/tests/test_id.c @@ -67,3 +67,183 @@ bool test_id_parts() return TRUE; } +/******************************************************************************* + * identification contains_wildcards() test + ******************************************************************************/ + +static bool test_id_wildcards_has(char *string) +{ + identification_t *id; + bool contains; + + id = identification_create_from_string(string); + contains = id->contains_wildcards(id); + id->destroy(id); + return contains; +} + +bool test_id_wildcards() +{ + if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw")) + { + return FALSE; + } + if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*")) + { + return FALSE; + } + if (test_id_wildcards_has("C=**, O=a*, CN=*a")) + { + return FALSE; + } + if (!test_id_wildcards_has("*@strongswan.org")) + { + return FALSE; + } + if (!test_id_wildcards_has("*.strongswan.org")) + { + return FALSE; + } + return TRUE; +} + +/******************************************************************************* + * identification equals test + ******************************************************************************/ + +static bool test_id_equals_one(identification_t *a, char *b_str) +{ + identification_t *b; + bool equals; + + b = identification_create_from_string(b_str); + equals = a->equals(a, b); + b->destroy(b); + return equals; +} + +bool test_id_equals() +{ + identification_t *a; + chunk_t encoding, fuzzed; + int i; + + a = identification_create_from_string( + "C=CH, E=martin@strongswan.org, CN=martin"); + + if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin")) + { + return FALSE; + } + if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin")) + { + return FALSE; + } + encoding = chunk_clone(a->get_encoding(a)); + a->destroy(a); + + /* simple fuzzing, increment each byte of encoding */ + for (i = 0; i < encoding.len; i++) + { + if (i == 11 || i == 30 || i == 62) + { /* skip ASN.1 type fields, as equals() handles them graceful */ + continue; + } + fuzzed = chunk_clone(encoding); + fuzzed.ptr[i]++; + a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed); + if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + a->destroy(a); + free(fuzzed.ptr); + } + + /* and decrement each byte of encoding */ + for (i = 0; i < encoding.len; i++) + { + if (i == 11 || i == 30 || i == 62) + { + continue; + } + fuzzed = chunk_clone(encoding); + fuzzed.ptr[i]--; + a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed); + if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin")) + { + return FALSE; + } + a->destroy(a); + free(fuzzed.ptr); + } + free(encoding.ptr); + return TRUE; +} + +/******************************************************************************* + * identification matches test + ******************************************************************************/ + +static id_match_t test_id_matches_one(identification_t *a, char *b_str) +{ + identification_t *b; + id_match_t match; + + b = identification_create_from_string(b_str); + match = a->matches(a, b); + b->destroy(b); + return match; +} + +bool test_id_matches() +{ + identification_t *a; + + a = identification_create_from_string( + "C=CH, E=martin@strongswan.org, CN=martin"); + + if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin") + != ID_MATCH_PERFECT) + { + return FALSE; + } + if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD) + { + return FALSE; + } + if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE) + { + return FALSE; + } + if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE) + { + return FALSE; + } + a->destroy(a); + return TRUE; +} diff --git a/src/charon/plugins/unit_tester/tests/test_mutex.c b/src/charon/plugins/unit_tester/tests/test_mutex.c index a305d5082..cb315276b 100644 --- a/src/charon/plugins/unit_tester/tests/test_mutex.c +++ b/src/charon/plugins/unit_tester/tests/test_mutex.c @@ -65,7 +65,7 @@ bool test_mutex() int i; pthread_t threads[THREADS]; - mutex = mutex_create(MUTEX_RECURSIVE); + mutex = mutex_create(MUTEX_TYPE_RECURSIVE); for (i = 0; i < 10; i++) { diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am index de60d9fbf..fe6e0bb52 100644 --- a/src/charon/plugins/updown/Makefile.am +++ b/src/charon/plugins/updown/Makefile.am @@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-updown.la libstrongswan_updown_la_SOURCES = \ updown_plugin.h updown_plugin.c \ updown_listener.h updown_listener.c -libstrongswan_updown_la_LDFLAGS = -module +libstrongswan_updown_la_LDFLAGS = -module -avoid-version diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in index d0aac79f9..b1b6fb497 100644 --- a/src/charon/plugins/updown/Makefile.in +++ b/src/charon/plugins/updown/Makefile.in @@ -75,12 +75,14 @@ ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ @@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ VERSION = @VERSION@ YACC = @YACC@ @@ -185,7 +188,9 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libdir = @libdir@ libexecdir = @libexecdir@ @@ -226,7 +231,7 @@ libstrongswan_updown_la_SOURCES = \ updown_plugin.h updown_plugin.c \ updown_listener.h updown_listener.c -libstrongswan_updown_la_LDFLAGS = -module +libstrongswan_updown_la_LDFLAGS = -module -avoid-version all: all-am .SUFFIXES: |