summaryrefslogtreecommitdiff
path: root/src/charon
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2009-06-23 11:35:38 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2009-06-23 11:35:38 +0000
commit7c52c3f35cdbdff58443b994f2f33d13b4d81f57 (patch)
treee54a27979ea72ec41702bec2984c2eadac3b8862 /src/charon
parent4ef45ba0404dac3773e83af995a5ec584b23d633 (diff)
downloadvyos-strongswan-7c52c3f35cdbdff58443b994f2f33d13b4d81f57.tar.gz
vyos-strongswan-7c52c3f35cdbdff58443b994f2f33d13b4d81f57.zip
Updated to new upstream version.
Diffstat (limited to 'src/charon')
-rw-r--r--src/charon/Makefile.am30
-rw-r--r--src/charon/Makefile.in286
-rw-r--r--src/charon/bus/bus.c42
-rw-r--r--src/charon/bus/bus.h28
-rw-r--r--src/charon/bus/listeners/file_logger.c2
-rw-r--r--src/charon/bus/listeners/file_logger.h2
-rw-r--r--src/charon/bus/listeners/sys_logger.c2
-rw-r--r--src/charon/bus/listeners/sys_logger.h2
-rw-r--r--src/charon/config/attributes/attribute_handler.h58
-rw-r--r--src/charon/config/attributes/attribute_manager.c120
-rw-r--r--src/charon/config/attributes/attribute_manager.h74
-rw-r--r--src/charon/config/attributes/attribute_provider.h16
-rw-r--r--src/charon/config/auth_cfg.c768
-rw-r--r--src/charon/config/auth_cfg.h201
-rw-r--r--src/charon/config/backend.h18
-rw-r--r--src/charon/config/backend_manager.c314
-rw-r--r--src/charon/config/backend_manager.h32
-rw-r--r--src/charon/config/child_cfg.c2
-rw-r--r--src/charon/config/child_cfg.h2
-rw-r--r--src/charon/config/ike_cfg.c2
-rw-r--r--src/charon/config/ike_cfg.h2
-rw-r--r--src/charon/config/peer_cfg.c194
-rw-r--r--src/charon/config/peer_cfg.h78
-rw-r--r--src/charon/config/proposal.c251
-rw-r--r--src/charon/config/proposal.h23
-rw-r--r--src/charon/config/traffic_selector.c2
-rw-r--r--src/charon/config/traffic_selector.h2
-rw-r--r--src/charon/control/controller.c128
-rw-r--r--src/charon/control/controller.h34
-rw-r--r--src/charon/credentials/auth_info.c607
-rw-r--r--src/charon/credentials/auth_info.h198
-rw-r--r--src/charon/credentials/credential_manager.c176
-rw-r--r--src/charon/credentials/credential_manager.h18
-rw-r--r--src/charon/credentials/credential_set.h2
-rw-r--r--src/charon/credentials/sets/auth_cfg_wrapper.c (renamed from src/charon/credentials/sets/auth_info_wrapper.c)89
-rw-r--r--src/charon/credentials/sets/auth_cfg_wrapper.h (renamed from src/charon/credentials/sets/auth_info_wrapper.h)28
-rw-r--r--src/charon/credentials/sets/cert_cache.c2
-rw-r--r--src/charon/credentials/sets/cert_cache.h2
-rw-r--r--src/charon/credentials/sets/ocsp_response_wrapper.c2
-rw-r--r--src/charon/credentials/sets/ocsp_response_wrapper.h2
-rw-r--r--src/charon/daemon.c74
-rw-r--r--src/charon/daemon.h12
-rw-r--r--src/charon/encoding/generator.c444
-rw-r--r--src/charon/encoding/generator.h8
-rw-r--r--src/charon/encoding/message.c132
-rw-r--r--src/charon/encoding/message.h21
-rw-r--r--src/charon/encoding/parser.c479
-rw-r--r--src/charon/encoding/parser.h2
-rw-r--r--src/charon/encoding/payloads/auth_payload.c2
-rw-r--r--src/charon/encoding/payloads/auth_payload.h2
-rw-r--r--src/charon/encoding/payloads/cert_payload.c2
-rw-r--r--src/charon/encoding/payloads/cert_payload.h2
-rw-r--r--src/charon/encoding/payloads/certreq_payload.c2
-rw-r--r--src/charon/encoding/payloads/certreq_payload.h2
-rw-r--r--src/charon/encoding/payloads/configuration_attribute.c2
-rw-r--r--src/charon/encoding/payloads/configuration_attribute.h2
-rw-r--r--src/charon/encoding/payloads/cp_payload.c2
-rw-r--r--src/charon/encoding/payloads/cp_payload.h2
-rw-r--r--src/charon/encoding/payloads/delete_payload.c2
-rw-r--r--src/charon/encoding/payloads/delete_payload.h2
-rw-r--r--src/charon/encoding/payloads/eap_payload.c2
-rw-r--r--src/charon/encoding/payloads/eap_payload.h2
-rw-r--r--src/charon/encoding/payloads/encodings.c3
-rw-r--r--src/charon/encoding/payloads/encodings.h15
-rw-r--r--src/charon/encoding/payloads/encryption_payload.c2
-rw-r--r--src/charon/encoding/payloads/encryption_payload.h2
-rw-r--r--src/charon/encoding/payloads/endpoint_notify.c2
-rw-r--r--src/charon/encoding/payloads/endpoint_notify.h2
-rw-r--r--src/charon/encoding/payloads/id_payload.c2
-rw-r--r--src/charon/encoding/payloads/id_payload.h2
-rw-r--r--src/charon/encoding/payloads/ike_header.c2
-rw-r--r--src/charon/encoding/payloads/ike_header.h2
-rw-r--r--src/charon/encoding/payloads/ke_payload.c2
-rw-r--r--src/charon/encoding/payloads/ke_payload.h2
-rw-r--r--src/charon/encoding/payloads/nonce_payload.c2
-rw-r--r--src/charon/encoding/payloads/nonce_payload.h2
-rw-r--r--src/charon/encoding/payloads/notify_payload.c2
-rw-r--r--src/charon/encoding/payloads/notify_payload.h2
-rw-r--r--src/charon/encoding/payloads/payload.c2
-rw-r--r--src/charon/encoding/payloads/payload.h2
-rw-r--r--src/charon/encoding/payloads/proposal_substructure.c2
-rw-r--r--src/charon/encoding/payloads/proposal_substructure.h2
-rw-r--r--src/charon/encoding/payloads/sa_payload.c2
-rw-r--r--src/charon/encoding/payloads/sa_payload.h2
-rw-r--r--src/charon/encoding/payloads/traffic_selector_substructure.c2
-rw-r--r--src/charon/encoding/payloads/traffic_selector_substructure.h2
-rw-r--r--src/charon/encoding/payloads/transform_attribute.c6
-rw-r--r--src/charon/encoding/payloads/transform_attribute.h2
-rw-r--r--src/charon/encoding/payloads/transform_substructure.c36
-rw-r--r--src/charon/encoding/payloads/transform_substructure.h2
-rw-r--r--src/charon/encoding/payloads/ts_payload.c2
-rw-r--r--src/charon/encoding/payloads/ts_payload.h2
-rw-r--r--src/charon/encoding/payloads/unknown_payload.c2
-rw-r--r--src/charon/encoding/payloads/unknown_payload.h2
-rw-r--r--src/charon/encoding/payloads/vendor_id_payload.c2
-rw-r--r--src/charon/encoding/payloads/vendor_id_payload.h2
-rw-r--r--src/charon/kernel/kernel_interface.c154
-rw-r--r--src/charon/kernel/kernel_interface.h12
-rw-r--r--src/charon/kernel/kernel_ipsec.c2
-rw-r--r--src/charon/kernel/kernel_ipsec.h17
-rw-r--r--src/charon/kernel/kernel_net.h2
-rw-r--r--src/charon/network/packet.c2
-rw-r--r--src/charon/network/packet.h2
-rw-r--r--src/charon/network/receiver.c100
-rw-r--r--src/charon/network/receiver.h2
-rw-r--r--src/charon/network/sender.c2
-rw-r--r--src/charon/network/sender.h2
-rw-r--r--src/charon/network/socket-raw.c4
-rw-r--r--src/charon/network/socket.c151
-rw-r--r--src/charon/network/socket.h2
-rw-r--r--src/charon/plugins/attr/Makefile.am9
-rw-r--r--src/charon/plugins/attr/Makefile.in507
-rw-r--r--src/charon/plugins/attr/attr_plugin.c63
-rw-r--r--src/charon/plugins/attr/attr_plugin.h47
-rw-r--r--src/charon/plugins/attr/attr_provider.c154
-rw-r--r--src/charon/plugins/attr/attr_provider.h49
-rw-r--r--src/charon/plugins/eap_aka/Makefile.in17
-rw-r--r--src/charon/plugins/eap_aka/eap_aka.c6
-rw-r--r--src/charon/plugins/eap_aka/eap_aka.h2
-rw-r--r--src/charon/plugins/eap_aka/eap_aka_plugin.c2
-rw-r--r--src/charon/plugins/eap_aka/eap_aka_plugin.h2
-rw-r--r--src/charon/plugins/eap_gtc/Makefile.in17
-rw-r--r--src/charon/plugins/eap_gtc/eap_gtc.c4
-rw-r--r--src/charon/plugins/eap_gtc/eap_gtc.h2
-rw-r--r--src/charon/plugins/eap_gtc/eap_gtc_plugin.c2
-rw-r--r--src/charon/plugins/eap_gtc/eap_gtc_plugin.h2
-rw-r--r--src/charon/plugins/eap_identity/Makefile.in17
-rw-r--r--src/charon/plugins/eap_identity/eap_identity.c2
-rw-r--r--src/charon/plugins/eap_identity/eap_identity.h2
-rw-r--r--src/charon/plugins/eap_identity/eap_identity_plugin.c2
-rw-r--r--src/charon/plugins/eap_identity/eap_identity_plugin.h2
-rw-r--r--src/charon/plugins/eap_md5/Makefile.in17
-rw-r--r--src/charon/plugins/eap_md5/eap_md5.c4
-rw-r--r--src/charon/plugins/eap_md5/eap_md5.h2
-rw-r--r--src/charon/plugins/eap_md5/eap_md5_plugin.c2
-rw-r--r--src/charon/plugins/eap_md5/eap_md5_plugin.h2
-rw-r--r--src/charon/plugins/eap_mschapv2/Makefile.in17
-rw-r--r--src/charon/plugins/eap_mschapv2/eap_mschapv2.c98
-rw-r--r--src/charon/plugins/eap_mschapv2/eap_mschapv2.h2
-rw-r--r--src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c2
-rw-r--r--src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h2
-rw-r--r--src/charon/plugins/eap_radius/Makefile.in17
-rw-r--r--src/charon/plugins/eap_radius/eap_radius.c21
-rw-r--r--src/charon/plugins/eap_radius/eap_radius.h2
-rw-r--r--src/charon/plugins/eap_radius/eap_radius_plugin.c2
-rw-r--r--src/charon/plugins/eap_radius/eap_radius_plugin.h2
-rw-r--r--src/charon/plugins/eap_radius/radius_client.c2
-rw-r--r--src/charon/plugins/eap_radius/radius_client.h2
-rw-r--r--src/charon/plugins/eap_radius/radius_message.c2
-rw-r--r--src/charon/plugins/eap_radius/radius_message.h2
-rw-r--r--src/charon/plugins/eap_sim/Makefile.in17
-rw-r--r--src/charon/plugins/eap_sim/eap_sim.c6
-rw-r--r--src/charon/plugins/eap_sim/eap_sim_plugin.c2
-rw-r--r--src/charon/plugins/eap_sim/eap_sim_plugin.h2
-rw-r--r--src/charon/plugins/eap_sim_file/Makefile.in17
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_card.c8
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_card.h2
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c2
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h2
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_provider.c2
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_provider.h2
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c107
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h10
-rw-r--r--src/charon/plugins/kernel_klips/Makefile.in17
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_ipsec.c11
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_ipsec.h2
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_plugin.c2
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_plugin.h2
-rw-r--r--src/charon/plugins/kernel_netlink/Makefile.in17
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c53
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h2
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_net.c30
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_net.h2
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c2
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h2
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_shared.c2
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_shared.h2
-rw-r--r--src/charon/plugins/kernel_pfkey/Makefile.in17
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c209
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h2
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c2
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h2
-rw-r--r--src/charon/plugins/kernel_pfroute/Makefile.am10
-rw-r--r--src/charon/plugins/kernel_pfroute/Makefile.in510
-rw-r--r--src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c713
-rw-r--r--src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h46
-rw-r--r--src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c58
-rw-r--r--src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h47
-rw-r--r--src/charon/plugins/load_tester/Makefile.in17
-rw-r--r--src/charon/plugins/load_tester/load_tester_config.c169
-rw-r--r--src/charon/plugins/load_tester/load_tester_config.h2
-rw-r--r--src/charon/plugins/load_tester/load_tester_creds.c2
-rw-r--r--src/charon/plugins/load_tester/load_tester_creds.h2
-rw-r--r--src/charon/plugins/load_tester/load_tester_diffie_hellman.c2
-rw-r--r--src/charon/plugins/load_tester/load_tester_diffie_hellman.h2
-rw-r--r--src/charon/plugins/load_tester/load_tester_ipsec.c9
-rw-r--r--src/charon/plugins/load_tester/load_tester_ipsec.h2
-rw-r--r--src/charon/plugins/load_tester/load_tester_listener.c2
-rw-r--r--src/charon/plugins/load_tester/load_tester_listener.h2
-rw-r--r--src/charon/plugins/load_tester/load_tester_plugin.c2
-rw-r--r--src/charon/plugins/load_tester/load_tester_plugin.h2
-rw-r--r--src/charon/plugins/medcli/Makefile.in17
-rw-r--r--src/charon/plugins/medcli/medcli_config.c46
-rw-r--r--src/charon/plugins/medcli/medcli_config.h2
-rw-r--r--src/charon/plugins/medcli/medcli_creds.c4
-rw-r--r--src/charon/plugins/medcli/medcli_creds.h2
-rw-r--r--src/charon/plugins/medcli/medcli_listener.c2
-rw-r--r--src/charon/plugins/medcli/medcli_listener.h2
-rw-r--r--src/charon/plugins/medcli/medcli_plugin.c2
-rw-r--r--src/charon/plugins/medcli/medcli_plugin.h2
-rw-r--r--src/charon/plugins/medsrv/Makefile.in17
-rw-r--r--src/charon/plugins/medsrv/medsrv_config.c14
-rw-r--r--src/charon/plugins/medsrv/medsrv_config.h2
-rw-r--r--src/charon/plugins/medsrv/medsrv_creds.c2
-rw-r--r--src/charon/plugins/medsrv/medsrv_creds.h2
-rw-r--r--src/charon/plugins/medsrv/medsrv_plugin.c2
-rw-r--r--src/charon/plugins/medsrv/medsrv_plugin.h2
-rw-r--r--src/charon/plugins/nm/Makefile.am5
-rw-r--r--src/charon/plugins/nm/Makefile.in25
-rw-r--r--src/charon/plugins/nm/nm_creds.c6
-rw-r--r--src/charon/plugins/nm/nm_creds.h3
-rw-r--r--src/charon/plugins/nm/nm_handler.c148
-rw-r--r--src/charon/plugins/nm/nm_handler.h62
-rw-r--r--src/charon/plugins/nm/nm_plugin.c24
-rw-r--r--src/charon/plugins/nm/nm_plugin.h2
-rw-r--r--src/charon/plugins/nm/nm_service.c97
-rw-r--r--src/charon/plugins/nm/nm_service.h8
-rw-r--r--src/charon/plugins/resolv_conf/Makefile.am13
-rw-r--r--src/charon/plugins/resolv_conf/Makefile.in513
-rw-r--r--src/charon/plugins/resolv_conf/resolv_conf_handler.c192
-rw-r--r--src/charon/plugins/resolv_conf/resolv_conf_handler.h49
-rw-r--r--src/charon/plugins/resolv_conf/resolv_conf_plugin.c64
-rw-r--r--src/charon/plugins/resolv_conf/resolv_conf_plugin.h47
-rw-r--r--src/charon/plugins/smp/Makefile.in17
-rw-r--r--src/charon/plugins/smp/smp.c13
-rw-r--r--src/charon/plugins/smp/smp.h2
-rw-r--r--src/charon/plugins/sql/Makefile.in17
-rw-r--r--src/charon/plugins/sql/pool.c10
-rw-r--r--src/charon/plugins/sql/sql_attribute.c7
-rw-r--r--src/charon/plugins/sql/sql_attribute.h2
-rw-r--r--src/charon/plugins/sql/sql_config.c20
-rw-r--r--src/charon/plugins/sql/sql_config.h2
-rw-r--r--src/charon/plugins/sql/sql_cred.c2
-rw-r--r--src/charon/plugins/sql/sql_cred.h2
-rw-r--r--src/charon/plugins/sql/sql_logger.c2
-rw-r--r--src/charon/plugins/sql/sql_logger.h2
-rw-r--r--src/charon/plugins/sql/sql_plugin.c2
-rw-r--r--src/charon/plugins/sql/sql_plugin.h2
-rw-r--r--src/charon/plugins/stroke/Makefile.am5
-rw-r--r--src/charon/plugins/stroke/Makefile.in23
-rw-r--r--src/charon/plugins/stroke/stroke_attribute.c22
-rw-r--r--src/charon/plugins/stroke/stroke_attribute.h2
-rw-r--r--src/charon/plugins/stroke/stroke_ca.c8
-rw-r--r--src/charon/plugins/stroke/stroke_ca.h2
-rw-r--r--src/charon/plugins/stroke/stroke_config.c732
-rw-r--r--src/charon/plugins/stroke/stroke_config.h2
-rw-r--r--src/charon/plugins/stroke/stroke_control.c203
-rw-r--r--src/charon/plugins/stroke/stroke_control.h15
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c81
-rw-r--r--src/charon/plugins/stroke/stroke_cred.h2
-rw-r--r--src/charon/plugins/stroke/stroke_list.c335
-rw-r--r--src/charon/plugins/stroke/stroke_list.h2
-rw-r--r--src/charon/plugins/stroke/stroke_plugin.c2
-rw-r--r--src/charon/plugins/stroke/stroke_plugin.h2
-rw-r--r--src/charon/plugins/stroke/stroke_shared_key.c2
-rw-r--r--src/charon/plugins/stroke/stroke_shared_key.h2
-rw-r--r--src/charon/plugins/stroke/stroke_socket.c48
-rw-r--r--src/charon/plugins/stroke/stroke_socket.h2
-rw-r--r--src/charon/plugins/uci/Makefile.in17
-rw-r--r--src/charon/plugins/uci/uci_config.c43
-rw-r--r--src/charon/plugins/uci/uci_config.h2
-rw-r--r--src/charon/plugins/uci/uci_control.c47
-rw-r--r--src/charon/plugins/uci/uci_control.h2
-rw-r--r--src/charon/plugins/uci/uci_creds.c10
-rw-r--r--src/charon/plugins/uci/uci_creds.h2
-rw-r--r--src/charon/plugins/uci/uci_parser.c2
-rw-r--r--src/charon/plugins/uci/uci_parser.h2
-rw-r--r--src/charon/plugins/uci/uci_plugin.c2
-rw-r--r--src/charon/plugins/uci/uci_plugin.h2
-rw-r--r--src/charon/plugins/unit_tester/Makefile.am4
-rw-r--r--src/charon/plugins/unit_tester/Makefile.in57
-rw-r--r--src/charon/plugins/unit_tester/tests.h9
-rw-r--r--src/charon/plugins/unit_tester/tests/test_aes.c467
-rw-r--r--src/charon/plugins/unit_tester/tests/test_auth_info.c29
-rw-r--r--src/charon/plugins/unit_tester/tests/test_fips_prf.c64
-rw-r--r--src/charon/plugins/unit_tester/tests/test_id.c69
-rw-r--r--src/charon/plugins/unit_tester/tests/test_med_db.c2
-rw-r--r--src/charon/plugins/unit_tester/tests/test_pool.c17
-rw-r--r--src/charon/plugins/unit_tester/tests/test_rng.c221
-rw-r--r--src/charon/plugins/unit_tester/tests/test_rsa_gen.c20
-rw-r--r--src/charon/plugins/unit_tester/unit_tester.c2
-rw-r--r--src/charon/plugins/unit_tester/unit_tester.h2
-rw-r--r--src/charon/plugins/updown/Makefile.in17
-rw-r--r--src/charon/plugins/updown/updown_listener.c6
-rw-r--r--src/charon/plugins/updown/updown_listener.h2
-rw-r--r--src/charon/plugins/updown/updown_plugin.c2
-rw-r--r--src/charon/plugins/updown/updown_plugin.h2
-rw-r--r--src/charon/processing/jobs/acquire_job.c31
-rw-r--r--src/charon/processing/jobs/acquire_job.h6
-rw-r--r--src/charon/processing/jobs/callback_job.c2
-rw-r--r--src/charon/processing/jobs/callback_job.h2
-rw-r--r--src/charon/processing/jobs/delete_child_sa_job.c2
-rw-r--r--src/charon/processing/jobs/delete_child_sa_job.h2
-rw-r--r--src/charon/processing/jobs/delete_ike_sa_job.c2
-rw-r--r--src/charon/processing/jobs/delete_ike_sa_job.h2
-rw-r--r--src/charon/processing/jobs/initiate_mediation_job.c18
-rw-r--r--src/charon/processing/jobs/initiate_mediation_job.h2
-rw-r--r--src/charon/processing/jobs/job.h2
-rw-r--r--src/charon/processing/jobs/mediation_job.c10
-rw-r--r--src/charon/processing/jobs/mediation_job.h2
-rw-r--r--src/charon/processing/jobs/migrate_job.c2
-rw-r--r--src/charon/processing/jobs/migrate_job.h2
-rw-r--r--src/charon/processing/jobs/process_message_job.c2
-rw-r--r--src/charon/processing/jobs/process_message_job.h2
-rw-r--r--src/charon/processing/jobs/rekey_child_sa_job.c2
-rw-r--r--src/charon/processing/jobs/rekey_child_sa_job.h2
-rw-r--r--src/charon/processing/jobs/rekey_ike_sa_job.c2
-rw-r--r--src/charon/processing/jobs/rekey_ike_sa_job.h2
-rw-r--r--src/charon/processing/jobs/retransmit_job.c2
-rw-r--r--src/charon/processing/jobs/retransmit_job.h2
-rw-r--r--src/charon/processing/jobs/roam_job.c2
-rw-r--r--src/charon/processing/jobs/roam_job.h2
-rw-r--r--src/charon/processing/jobs/send_dpd_job.c2
-rw-r--r--src/charon/processing/jobs/send_dpd_job.h2
-rw-r--r--src/charon/processing/jobs/send_keepalive_job.c2
-rw-r--r--src/charon/processing/jobs/send_keepalive_job.h2
-rw-r--r--src/charon/processing/jobs/update_sa_job.c2
-rw-r--r--src/charon/processing/jobs/update_sa_job.h2
-rw-r--r--src/charon/processing/processor.c2
-rw-r--r--src/charon/processing/processor.h2
-rw-r--r--src/charon/processing/scheduler.c122
-rw-r--r--src/charon/processing/scheduler.h84
-rw-r--r--src/charon/sa/authenticators/authenticator.c49
-rw-r--r--src/charon/sa/authenticators/authenticator.h89
-rw-r--r--src/charon/sa/authenticators/eap/eap_manager.c22
-rw-r--r--src/charon/sa/authenticators/eap/eap_manager.h2
-rw-r--r--src/charon/sa/authenticators/eap/eap_method.c35
-rw-r--r--src/charon/sa/authenticators/eap/eap_method.h11
-rw-r--r--src/charon/sa/authenticators/eap/sim_manager.c2
-rw-r--r--src/charon/sa/authenticators/eap/sim_manager.h4
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.c786
-rw-r--r--src/charon/sa/authenticators/eap_authenticator.h113
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.c147
-rw-r--r--src/charon/sa/authenticators/psk_authenticator.h30
-rw-r--r--src/charon/sa/authenticators/pubkey_authenticator.c229
-rw-r--r--src/charon/sa/authenticators/pubkey_authenticator.h30
-rw-r--r--src/charon/sa/child_sa.c45
-rw-r--r--src/charon/sa/child_sa.h2
-rw-r--r--src/charon/sa/connect_manager.c24
-rw-r--r--src/charon/sa/connect_manager.h2
-rw-r--r--src/charon/sa/ike_sa.c559
-rw-r--r--src/charon/sa/ike_sa.h96
-rw-r--r--src/charon/sa/ike_sa_id.c2
-rw-r--r--src/charon/sa/ike_sa_id.h2
-rw-r--r--src/charon/sa/ike_sa_manager.c127
-rw-r--r--src/charon/sa/ike_sa_manager.h5
-rw-r--r--src/charon/sa/keymat.c17
-rw-r--r--src/charon/sa/keymat.h2
-rw-r--r--src/charon/sa/mediation_manager.c10
-rw-r--r--src/charon/sa/mediation_manager.h2
-rw-r--r--src/charon/sa/task_manager.c265
-rw-r--r--src/charon/sa/task_manager.h2
-rw-r--r--src/charon/sa/tasks/child_create.c132
-rw-r--r--src/charon/sa/tasks/child_create.h9
-rw-r--r--src/charon/sa/tasks/child_delete.c17
-rw-r--r--src/charon/sa/tasks/child_delete.h2
-rw-r--r--src/charon/sa/tasks/child_rekey.c26
-rw-r--r--src/charon/sa/tasks/child_rekey.h2
-rw-r--r--src/charon/sa/tasks/ike_auth.c1107
-rw-r--r--src/charon/sa/tasks/ike_auth.h2
-rw-r--r--src/charon/sa/tasks/ike_auth_lifetime.c10
-rw-r--r--src/charon/sa/tasks/ike_auth_lifetime.h2
-rw-r--r--src/charon/sa/tasks/ike_cert_post.c122
-rw-r--r--src/charon/sa/tasks/ike_cert_post.h2
-rw-r--r--src/charon/sa/tasks/ike_cert_pre.c302
-rw-r--r--src/charon/sa/tasks/ike_cert_pre.h2
-rw-r--r--src/charon/sa/tasks/ike_config.c310
-rw-r--r--src/charon/sa/tasks/ike_config.h2
-rw-r--r--src/charon/sa/tasks/ike_delete.c6
-rw-r--r--src/charon/sa/tasks/ike_delete.h2
-rw-r--r--src/charon/sa/tasks/ike_dpd.c2
-rw-r--r--src/charon/sa/tasks/ike_dpd.h2
-rw-r--r--src/charon/sa/tasks/ike_init.c43
-rw-r--r--src/charon/sa/tasks/ike_init.h2
-rw-r--r--src/charon/sa/tasks/ike_me.c16
-rw-r--r--src/charon/sa/tasks/ike_me.h2
-rw-r--r--src/charon/sa/tasks/ike_mobike.c20
-rw-r--r--src/charon/sa/tasks/ike_mobike.h2
-rw-r--r--src/charon/sa/tasks/ike_natd.c10
-rw-r--r--src/charon/sa/tasks/ike_natd.h2
-rw-r--r--src/charon/sa/tasks/ike_reauth.c6
-rw-r--r--src/charon/sa/tasks/ike_reauth.h2
-rw-r--r--src/charon/sa/tasks/ike_rekey.c45
-rw-r--r--src/charon/sa/tasks/ike_rekey.h2
-rw-r--r--src/charon/sa/tasks/task.c2
-rw-r--r--src/charon/sa/tasks/task.h2
-rw-r--r--src/charon/sa/trap_manager.c371
-rw-r--r--src/charon/sa/trap_manager.h81
398 files changed, 11101 insertions, 7584 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 9da2b238a..3b5b9c068 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -9,8 +9,10 @@ config/child_cfg.c config/child_cfg.h \
config/ike_cfg.c config/ike_cfg.h \
config/peer_cfg.c config/peer_cfg.h \
config/proposal.c config/proposal.h \
+config/auth_cfg.c config/auth_cfg.h \
config/traffic_selector.c config/traffic_selector.h \
config/attributes/attribute_provider.h \
+config/attributes/attribute_handler.h \
config/attributes/attribute_manager.c config/attributes/attribute_manager.h \
control/controller.c control/controller.h \
daemon.c daemon.h \
@@ -76,6 +78,7 @@ sa/ike_sa_id.c sa/ike_sa_id.h \
sa/ike_sa_manager.c sa/ike_sa_manager.h \
sa/task_manager.c sa/task_manager.h \
sa/keymat.c sa/keymat.h \
+sa/trap_manager.c sa/trap_manager.h \
sa/tasks/child_create.c sa/tasks/child_create.h \
sa/tasks/child_delete.c sa/tasks/child_delete.h \
sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
@@ -93,8 +96,7 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
sa/tasks/task.c sa/tasks/task.h \
credentials/credential_manager.c credentials/credential_manager.h \
-credentials/auth_info.c credentials/auth_info.h \
-credentials/sets/auth_info_wrapper.c credentials/sets/auth_info_wrapper.h \
+credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \
credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
credentials/credential_set.h
@@ -104,9 +106,8 @@ AM_CFLAGS = -rdynamic \
-DIPSEC_DIR=\"${ipsecdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\" \
-DIPSEC_PLUGINDIR=\"${plugindir}\" \
- -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
- -DRESOLV_CONF=\"${resolv_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm -ldl
+ -DSTRONGSWAN_CONF=\"${strongswan_conf}\"
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB)
# compile options
#################
@@ -131,10 +132,6 @@ if USE_INTEGRITY_TEST
AM_CFLAGS += -DINTEGRITY_TEST
endif
-if USE_SELF_TEST
- AM_CFLAGS += -DSELF_TEST
-endif
-
if USE_CAPABILITIES
charon_LDADD += -lcap
endif
@@ -156,6 +153,11 @@ if USE_KERNEL_PFKEY
PLUGINS += kernel-pfkey
endif
+if USE_KERNEL_PFROUTE
+ SUBDIRS += plugins/kernel_pfroute
+ PLUGINS += kernel-pfroute
+endif
+
if USE_KERNEL_KLIPS
SUBDIRS += plugins/kernel_klips
PLUGINS += kernel-klips
@@ -186,6 +188,11 @@ if USE_UPDOWN
PLUGINS += updown
endif
+if USE_ATTR
+ SUBDIRS += plugins/attr
+ PLUGINS += attr
+endif
+
if USE_EAP_IDENTITY
SUBDIRS += plugins/eap_identity
PLUGINS += eapidentity
@@ -241,6 +248,11 @@ if USE_NM
PLUGINS += nm
endif
+if USE_RESOLV_CONF
+ SUBDIRS += plugins/resolv_conf
+ PLUGINS += resolv-conf
+endif
+
if USE_UCI
SUBDIRS += plugins/uci
PLUGINS += uci
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index f74577c8c..77884d50e 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -48,50 +48,55 @@ ipsec_PROGRAMS = charon$(EXEEXT)
@USE_ME_TRUE@ sa/tasks/ike_me.c sa/tasks/ike_me.h
@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
-@USE_SELF_TEST_TRUE@am__append_5 = -DSELF_TEST
-@USE_CAPABILITIES_TRUE@am__append_6 = -lcap
-@USE_LOAD_TESTS_TRUE@am__append_7 = plugins/load_tester
-@USE_LOAD_TESTS_TRUE@am__append_8 = load-tester
-@USE_KERNEL_PFKEY_TRUE@am__append_9 = plugins/kernel_pfkey
-@USE_KERNEL_PFKEY_TRUE@am__append_10 = kernel-pfkey
-@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips
-@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips
-@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink
-@USE_STROKE_TRUE@am__append_15 = plugins/stroke
-@USE_STROKE_TRUE@am__append_16 = stroke
-@USE_SMP_TRUE@am__append_17 = plugins/smp
-@USE_SMP_TRUE@am__append_18 = smp
-@USE_SQL_TRUE@am__append_19 = plugins/sql
-@USE_SQL_TRUE@am__append_20 = sql
-@USE_UPDOWN_TRUE@am__append_21 = plugins/updown
-@USE_UPDOWN_TRUE@am__append_22 = updown
-@USE_EAP_IDENTITY_TRUE@am__append_23 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_24 = eapidentity
-@USE_EAP_SIM_TRUE@am__append_25 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_26 = eapsim
-@USE_EAP_SIM_FILE_TRUE@am__append_27 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_28 = eapsim-file
-@USE_EAP_MD5_TRUE@am__append_29 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_30 = eapmd5
-@USE_EAP_GTC_TRUE@am__append_31 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_32 = eapgtc
-@USE_EAP_AKA_TRUE@am__append_33 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_34 = eapaka
-@USE_EAP_MSCHAPV2_TRUE@am__append_35 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_36 = eapmschapv2
-@USE_EAP_RADIUS_TRUE@am__append_37 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_38 = eapradius
-@USE_MEDSRV_TRUE@am__append_39 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_40 = medsrv
-@USE_MEDCLI_TRUE@am__append_41 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_42 = medcli
-@USE_NM_TRUE@am__append_43 = plugins/nm
-@USE_NM_TRUE@am__append_44 = nm
-@USE_UCI_TRUE@am__append_45 = plugins/uci
-@USE_UCI_TRUE@am__append_46 = uci
-@USE_UNIT_TESTS_TRUE@am__append_47 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_48 = unit-tester
+@USE_CAPABILITIES_TRUE@am__append_5 = -lcap
+@USE_LOAD_TESTS_TRUE@am__append_6 = plugins/load_tester
+@USE_LOAD_TESTS_TRUE@am__append_7 = load-tester
+@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey
+@USE_KERNEL_PFKEY_TRUE@am__append_9 = kernel-pfkey
+@USE_KERNEL_PFROUTE_TRUE@am__append_10 = plugins/kernel_pfroute
+@USE_KERNEL_PFROUTE_TRUE@am__append_11 = kernel-pfroute
+@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips
+@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips
+@USE_KERNEL_NETLINK_TRUE@am__append_14 = plugins/kernel_netlink
+@USE_KERNEL_NETLINK_TRUE@am__append_15 = kernel-netlink
+@USE_STROKE_TRUE@am__append_16 = plugins/stroke
+@USE_STROKE_TRUE@am__append_17 = stroke
+@USE_SMP_TRUE@am__append_18 = plugins/smp
+@USE_SMP_TRUE@am__append_19 = smp
+@USE_SQL_TRUE@am__append_20 = plugins/sql
+@USE_SQL_TRUE@am__append_21 = sql
+@USE_UPDOWN_TRUE@am__append_22 = plugins/updown
+@USE_UPDOWN_TRUE@am__append_23 = updown
+@USE_ATTR_TRUE@am__append_24 = plugins/attr
+@USE_ATTR_TRUE@am__append_25 = attr
+@USE_EAP_IDENTITY_TRUE@am__append_26 = plugins/eap_identity
+@USE_EAP_IDENTITY_TRUE@am__append_27 = eapidentity
+@USE_EAP_SIM_TRUE@am__append_28 = plugins/eap_sim
+@USE_EAP_SIM_TRUE@am__append_29 = eapsim
+@USE_EAP_SIM_FILE_TRUE@am__append_30 = plugins/eap_sim_file
+@USE_EAP_SIM_FILE_TRUE@am__append_31 = eapsim-file
+@USE_EAP_MD5_TRUE@am__append_32 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_33 = eapmd5
+@USE_EAP_GTC_TRUE@am__append_34 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_35 = eapgtc
+@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_37 = eapaka
+@USE_EAP_MSCHAPV2_TRUE@am__append_38 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_39 = eapmschapv2
+@USE_EAP_RADIUS_TRUE@am__append_40 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_41 = eapradius
+@USE_MEDSRV_TRUE@am__append_42 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_43 = medsrv
+@USE_MEDCLI_TRUE@am__append_44 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_45 = medcli
+@USE_NM_TRUE@am__append_46 = plugins/nm
+@USE_NM_TRUE@am__append_47 = nm
+@USE_RESOLV_CONF_TRUE@am__append_48 = plugins/resolv_conf
+@USE_RESOLV_CONF_TRUE@am__append_49 = resolv-conf
+@USE_UCI_TRUE@am__append_50 = plugins/uci
+@USE_UCI_TRUE@am__append_51 = uci
+@USE_UNIT_TESTS_TRUE@am__append_52 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_53 = unit-tester
subdir = src/charon
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -110,8 +115,10 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
config/backend.h config/child_cfg.c config/child_cfg.h \
config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
config/peer_cfg.h config/proposal.c config/proposal.h \
- config/traffic_selector.c config/traffic_selector.h \
+ config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \
+ config/traffic_selector.h \
config/attributes/attribute_provider.h \
+ config/attributes/attribute_handler.h \
config/attributes/attribute_manager.c \
config/attributes/attribute_manager.h control/controller.c \
control/controller.h daemon.c daemon.h encoding/generator.c \
@@ -199,10 +206,10 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
- sa/tasks/child_create.c sa/tasks/child_create.h \
- sa/tasks/child_delete.c sa/tasks/child_delete.h \
- sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
- sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+ sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
+ sa/tasks/child_create.h sa/tasks/child_delete.c \
+ sa/tasks/child_delete.h sa/tasks/child_rekey.c \
+ sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
sa/tasks/ike_config.c sa/tasks/ike_config.h \
@@ -214,9 +221,9 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
sa/tasks/ike_auth_lifetime.h sa/tasks/task.c sa/tasks/task.h \
credentials/credential_manager.c \
- credentials/credential_manager.h credentials/auth_info.c \
- credentials/auth_info.h credentials/sets/auth_info_wrapper.c \
- credentials/sets/auth_info_wrapper.h \
+ credentials/credential_manager.h \
+ credentials/sets/auth_cfg_wrapper.c \
+ credentials/sets/auth_cfg_wrapper.h \
credentials/sets/ocsp_response_wrapper.c \
credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
@@ -238,15 +245,15 @@ am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
sys_logger.$(OBJEXT) backend_manager.$(OBJEXT) \
child_cfg.$(OBJEXT) ike_cfg.$(OBJEXT) peer_cfg.$(OBJEXT) \
- proposal.$(OBJEXT) traffic_selector.$(OBJEXT) \
- attribute_manager.$(OBJEXT) controller.$(OBJEXT) \
- daemon.$(OBJEXT) generator.$(OBJEXT) message.$(OBJEXT) \
- parser.$(OBJEXT) auth_payload.$(OBJEXT) cert_payload.$(OBJEXT) \
- certreq_payload.$(OBJEXT) configuration_attribute.$(OBJEXT) \
- cp_payload.$(OBJEXT) delete_payload.$(OBJEXT) \
- eap_payload.$(OBJEXT) encodings.$(OBJEXT) \
- encryption_payload.$(OBJEXT) id_payload.$(OBJEXT) \
- ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
+ proposal.$(OBJEXT) auth_cfg.$(OBJEXT) \
+ traffic_selector.$(OBJEXT) attribute_manager.$(OBJEXT) \
+ controller.$(OBJEXT) daemon.$(OBJEXT) generator.$(OBJEXT) \
+ message.$(OBJEXT) parser.$(OBJEXT) auth_payload.$(OBJEXT) \
+ cert_payload.$(OBJEXT) certreq_payload.$(OBJEXT) \
+ configuration_attribute.$(OBJEXT) cp_payload.$(OBJEXT) \
+ delete_payload.$(OBJEXT) eap_payload.$(OBJEXT) \
+ encodings.$(OBJEXT) encryption_payload.$(OBJEXT) \
+ id_payload.$(OBJEXT) ike_header.$(OBJEXT) ke_payload.$(OBJEXT) \
nonce_payload.$(OBJEXT) notify_payload.$(OBJEXT) \
payload.$(OBJEXT) proposal_substructure.$(OBJEXT) \
sa_payload.$(OBJEXT) traffic_selector_substructure.$(OBJEXT) \
@@ -267,22 +274,22 @@ am_charon_OBJECTS = bus.$(OBJEXT) file_logger.$(OBJEXT) \
psk_authenticator.$(OBJEXT) pubkey_authenticator.$(OBJEXT) \
child_sa.$(OBJEXT) ike_sa.$(OBJEXT) ike_sa_id.$(OBJEXT) \
ike_sa_manager.$(OBJEXT) task_manager.$(OBJEXT) \
- keymat.$(OBJEXT) child_create.$(OBJEXT) child_delete.$(OBJEXT) \
- child_rekey.$(OBJEXT) ike_auth.$(OBJEXT) \
- ike_cert_pre.$(OBJEXT) ike_cert_post.$(OBJEXT) \
- ike_config.$(OBJEXT) ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) \
- ike_init.$(OBJEXT) ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) \
- ike_rekey.$(OBJEXT) ike_reauth.$(OBJEXT) \
- ike_auth_lifetime.$(OBJEXT) task.$(OBJEXT) \
- credential_manager.$(OBJEXT) auth_info.$(OBJEXT) \
- auth_info_wrapper.$(OBJEXT) ocsp_response_wrapper.$(OBJEXT) \
+ keymat.$(OBJEXT) trap_manager.$(OBJEXT) child_create.$(OBJEXT) \
+ child_delete.$(OBJEXT) child_rekey.$(OBJEXT) \
+ ike_auth.$(OBJEXT) ike_cert_pre.$(OBJEXT) \
+ ike_cert_post.$(OBJEXT) ike_config.$(OBJEXT) \
+ ike_delete.$(OBJEXT) ike_dpd.$(OBJEXT) ike_init.$(OBJEXT) \
+ ike_natd.$(OBJEXT) ike_mobike.$(OBJEXT) ike_rekey.$(OBJEXT) \
+ ike_reauth.$(OBJEXT) ike_auth_lifetime.$(OBJEXT) \
+ task.$(OBJEXT) credential_manager.$(OBJEXT) \
+ auth_cfg_wrapper.$(OBJEXT) ocsp_response_wrapper.$(OBJEXT) \
cert_cache.$(OBJEXT) $(am__objects_1) $(am__objects_2) \
$(am__objects_3)
charon_OBJECTS = $(am_charon_OBJECTS)
am__DEPENDENCIES_1 =
charon_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(am__DEPENDENCIES_1)
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -309,12 +316,13 @@ RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
- plugins/kernel_klips plugins/kernel_netlink plugins/stroke \
- plugins/smp plugins/sql plugins/updown plugins/eap_identity \
+ plugins/kernel_pfroute plugins/kernel_klips \
+ plugins/kernel_netlink plugins/stroke plugins/smp plugins/sql \
+ plugins/updown plugins/attr plugins/eap_identity \
plugins/eap_sim plugins/eap_sim_file plugins/eap_md5 \
plugins/eap_gtc plugins/eap_aka plugins/eap_mschapv2 \
plugins/eap_radius plugins/medsrv plugins/medcli plugins/nm \
- plugins/uci plugins/unit_tester
+ plugins/resolv_conf plugins/uci plugins/unit_tester
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -331,6 +339,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -353,6 +362,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -364,6 +376,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -377,6 +390,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -437,6 +452,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -448,6 +464,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -458,9 +475,10 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
config/backend_manager.h config/backend.h config/child_cfg.c \
config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
config/peer_cfg.c config/peer_cfg.h config/proposal.c \
- config/proposal.h config/traffic_selector.c \
- config/traffic_selector.h \
+ config/proposal.h config/auth_cfg.c config/auth_cfg.h \
+ config/traffic_selector.c config/traffic_selector.h \
config/attributes/attribute_provider.h \
+ config/attributes/attribute_handler.h \
config/attributes/attribute_manager.c \
config/attributes/attribute_manager.h control/controller.c \
control/controller.h daemon.c daemon.h encoding/generator.c \
@@ -548,10 +566,10 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_id.c \
sa/ike_sa_id.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
sa/task_manager.c sa/task_manager.h sa/keymat.c sa/keymat.h \
- sa/tasks/child_create.c sa/tasks/child_create.h \
- sa/tasks/child_delete.c sa/tasks/child_delete.h \
- sa/tasks/child_rekey.c sa/tasks/child_rekey.h \
- sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
+ sa/trap_manager.c sa/trap_manager.h sa/tasks/child_create.c \
+ sa/tasks/child_create.h sa/tasks/child_delete.c \
+ sa/tasks/child_delete.h sa/tasks/child_rekey.c \
+ sa/tasks/child_rekey.h sa/tasks/ike_auth.c sa/tasks/ike_auth.h \
sa/tasks/ike_cert_pre.c sa/tasks/ike_cert_pre.h \
sa/tasks/ike_cert_post.c sa/tasks/ike_cert_post.h \
sa/tasks/ike_config.c sa/tasks/ike_config.h \
@@ -563,9 +581,9 @@ charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \
sa/tasks/ike_auth_lifetime.h sa/tasks/task.c sa/tasks/task.h \
credentials/credential_manager.c \
- credentials/credential_manager.h credentials/auth_info.c \
- credentials/auth_info.h credentials/sets/auth_info_wrapper.c \
- credentials/sets/auth_info_wrapper.h \
+ credentials/credential_manager.h \
+ credentials/sets/auth_cfg_wrapper.c \
+ credentials/sets/auth_cfg_wrapper.h \
credentials/sets/ocsp_response_wrapper.c \
credentials/sets/ocsp_response_wrapper.h \
credentials/sets/cert_cache.c credentials/sets/cert_cache.h \
@@ -575,29 +593,30 @@ INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/c
AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\" \
-DIPSEC_PLUGINDIR=\"${plugindir}\" \
- -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
- -DRESOLV_CONF=\"${resolv_conf}\" $(am__append_4) \
- $(am__append_5) -DPLUGINS=\""${PLUGINS}\""
+ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_4) \
+ -DPLUGINS=\""${PLUGINS}\""
charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
- -lpthread -lm -ldl $(am__append_6)
+ -lpthread -lm $(DLLIB) $(am__append_5)
# build optional plugins
########################
-SUBDIRS = . $(am__append_7) $(am__append_9) $(am__append_11) \
- $(am__append_13) $(am__append_15) $(am__append_17) \
- $(am__append_19) $(am__append_21) $(am__append_23) \
- $(am__append_25) $(am__append_27) $(am__append_29) \
- $(am__append_31) $(am__append_33) $(am__append_35) \
- $(am__append_37) $(am__append_39) $(am__append_41) \
- $(am__append_43) $(am__append_45) $(am__append_47)
-PLUGINS = ${libstrongswan_plugins} $(am__append_8) $(am__append_10) \
+SUBDIRS = . $(am__append_6) $(am__append_8) $(am__append_10) \
$(am__append_12) $(am__append_14) $(am__append_16) \
$(am__append_18) $(am__append_20) $(am__append_22) \
$(am__append_24) $(am__append_26) $(am__append_28) \
$(am__append_30) $(am__append_32) $(am__append_34) \
$(am__append_36) $(am__append_38) $(am__append_40) \
$(am__append_42) $(am__append_44) $(am__append_46) \
- $(am__append_48)
+ $(am__append_48) $(am__append_50) $(am__append_52)
+PLUGINS = ${libstrongswan_plugins} $(am__append_7) $(am__append_9) \
+ $(am__append_11) $(am__append_13) $(am__append_15) \
+ $(am__append_17) $(am__append_19) $(am__append_21) \
+ $(am__append_23) $(am__append_25) $(am__append_27) \
+ $(am__append_29) $(am__append_31) $(am__append_33) \
+ $(am__append_35) $(am__append_37) $(am__append_39) \
+ $(am__append_41) $(am__append_43) $(am__append_45) \
+ $(am__append_47) $(am__append_49) $(am__append_51) \
+ $(am__append_53)
all: all-recursive
.SUFFIXES:
@@ -606,8 +625,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -671,8 +690,8 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attribute_manager.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_info.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_info_wrapper.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Po@am__quote@
@@ -765,6 +784,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/trap_manager.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ts_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unknown_payload.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/update_sa_job.Po@am__quote@
@@ -903,6 +923,20 @@ proposal.obj: config/proposal.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.obj `if test -f 'config/proposal.c'; then $(CYGPATH_W) 'config/proposal.c'; else $(CYGPATH_W) '$(srcdir)/config/proposal.c'; fi`
+auth_cfg.o: config/auth_cfg.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.o -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/auth_cfg.c' object='auth_cfg.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.o `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c
+
+auth_cfg.obj: config/auth_cfg.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.obj -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/auth_cfg.c' object='auth_cfg.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.obj `if test -f 'config/auth_cfg.c'; then $(CYGPATH_W) 'config/auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/config/auth_cfg.c'; fi`
+
traffic_selector.o: config/traffic_selector.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT traffic_selector.o -MD -MP -MF $(DEPDIR)/traffic_selector.Tpo -c -o traffic_selector.o `test -f 'config/traffic_selector.c' || echo '$(srcdir)/'`config/traffic_selector.c
@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/traffic_selector.Tpo $(DEPDIR)/traffic_selector.Po
@@ -1771,6 +1805,20 @@ keymat.obj: sa/keymat.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o keymat.obj `if test -f 'sa/keymat.c'; then $(CYGPATH_W) 'sa/keymat.c'; else $(CYGPATH_W) '$(srcdir)/sa/keymat.c'; fi`
+trap_manager.o: sa/trap_manager.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.o -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/trap_manager.c' object='trap_manager.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.o `test -f 'sa/trap_manager.c' || echo '$(srcdir)/'`sa/trap_manager.c
+
+trap_manager.obj: sa/trap_manager.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT trap_manager.obj -MD -MP -MF $(DEPDIR)/trap_manager.Tpo -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/trap_manager.Tpo $(DEPDIR)/trap_manager.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sa/trap_manager.c' object='trap_manager.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o trap_manager.obj `if test -f 'sa/trap_manager.c'; then $(CYGPATH_W) 'sa/trap_manager.c'; else $(CYGPATH_W) '$(srcdir)/sa/trap_manager.c'; fi`
+
child_create.o: sa/tasks/child_create.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT child_create.o -MD -MP -MF $(DEPDIR)/child_create.Tpo -c -o child_create.o `test -f 'sa/tasks/child_create.c' || echo '$(srcdir)/'`sa/tasks/child_create.c
@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/child_create.Tpo $(DEPDIR)/child_create.Po
@@ -2009,33 +2057,19 @@ credential_manager.obj: credentials/credential_manager.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.obj `if test -f 'credentials/credential_manager.c'; then $(CYGPATH_W) 'credentials/credential_manager.c'; else $(CYGPATH_W) '$(srcdir)/credentials/credential_manager.c'; fi`
-auth_info.o: credentials/auth_info.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info.o -MD -MP -MF $(DEPDIR)/auth_info.Tpo -c -o auth_info.o `test -f 'credentials/auth_info.c' || echo '$(srcdir)/'`credentials/auth_info.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_info.Tpo $(DEPDIR)/auth_info.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/auth_info.c' object='auth_info.o' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info.o `test -f 'credentials/auth_info.c' || echo '$(srcdir)/'`credentials/auth_info.c
-
-auth_info.obj: credentials/auth_info.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info.obj -MD -MP -MF $(DEPDIR)/auth_info.Tpo -c -o auth_info.obj `if test -f 'credentials/auth_info.c'; then $(CYGPATH_W) 'credentials/auth_info.c'; else $(CYGPATH_W) '$(srcdir)/credentials/auth_info.c'; fi`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_info.Tpo $(DEPDIR)/auth_info.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/auth_info.c' object='auth_info.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info.obj `if test -f 'credentials/auth_info.c'; then $(CYGPATH_W) 'credentials/auth_info.c'; else $(CYGPATH_W) '$(srcdir)/credentials/auth_info.c'; fi`
-
-auth_info_wrapper.o: credentials/sets/auth_info_wrapper.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info_wrapper.o -MD -MP -MF $(DEPDIR)/auth_info_wrapper.Tpo -c -o auth_info_wrapper.o `test -f 'credentials/sets/auth_info_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_info_wrapper.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_info_wrapper.Tpo $(DEPDIR)/auth_info_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_info_wrapper.c' object='auth_info_wrapper.o' libtool=no @AMDEPBACKSLASH@
+auth_cfg_wrapper.o: credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.o -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info_wrapper.o `test -f 'credentials/sets/auth_info_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_info_wrapper.c
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.o `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c
-auth_info_wrapper.obj: credentials/sets/auth_info_wrapper.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_info_wrapper.obj -MD -MP -MF $(DEPDIR)/auth_info_wrapper.Tpo -c -o auth_info_wrapper.obj `if test -f 'credentials/sets/auth_info_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_info_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_info_wrapper.c'; fi`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_info_wrapper.Tpo $(DEPDIR)/auth_info_wrapper.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_info_wrapper.c' object='auth_info_wrapper.obj' libtool=no @AMDEPBACKSLASH@
+auth_cfg_wrapper.obj: credentials/sets/auth_cfg_wrapper.c
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.obj -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_info_wrapper.obj `if test -f 'credentials/sets/auth_info_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_info_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_info_wrapper.c'; fi`
+@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.obj `if test -f 'credentials/sets/auth_cfg_wrapper.c'; then $(CYGPATH_W) 'credentials/sets/auth_cfg_wrapper.c'; else $(CYGPATH_W) '$(srcdir)/credentials/sets/auth_cfg_wrapper.c'; fi`
ocsp_response_wrapper.o: credentials/sets/ocsp_response_wrapper.c
@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.o -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.o `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c
@@ -2258,7 +2292,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index 504947465..bb7014b0b 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: bus.c 4622 2008-11-11 10:52:37Z martin $
*/
#include "bus.h"
@@ -521,6 +519,45 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
}
/**
+ * Implementation of bus_t.authorize
+ */
+static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
+{
+ enumerator_t *enumerator;
+ ike_sa_t *ike_sa;
+ entry_t *entry;
+ bool keep, success = TRUE;
+
+ ike_sa = pthread_getspecific(this->thread_sa);
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->authorize)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->authorize(entry->listener, ike_sa,
+ auth, final, &success);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ break;
+ }
+ if (!success)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+ return success;
+}
+
+/**
* Implementation of bus_t.destroy.
*/
static void destroy(private_bus_t *this)
@@ -548,6 +585,7 @@ bus_t *bus_create()
this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
+ this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
this->public.destroy = (void(*)(bus_t*)) destroy;
this->listeners = linked_list_create();
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index fe7d1e53d..5faea088f 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: bus.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -210,6 +208,23 @@ struct listener_t {
*/
bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
+
+ /**
+ * Hook called to invoke additional authorization rules.
+ *
+ * An authorization hook gets invoked several times: After each
+ * authentication round, the hook gets invoked with with final = FALSE.
+ * After authentication is complete and the peer configuration is selected,
+ * it is invoked again, but with final = TRUE.
+ *
+ * @param ike_sa IKE_SA to authorize
+ * @param auth list of auth_cfg_t, done in peers authentication rounds
+ * @param final TRUE if this is the final hook invocation
+ * @param success set to TRUE to complete IKE_SA, FALSE abort
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
+ bool final, bool *success);
};
/**
@@ -317,6 +332,15 @@ struct bus_t {
void (*message)(bus_t *this, message_t *message, bool incoming);
/**
+ * IKE_SA authorization hook.
+ *
+ * @param auth list of auth_cfg_t, containing peers authentication info
+ * @param final TRUE if this is the final invocation
+ * @return TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
+ */
+ bool (*authorize)(bus_t *this, linked_list_t *auth, bool final);
+
+ /**
* IKE_SA keymat hook.
*
* @param ike_sa IKE_SA this keymat belongs to
diff --git a/src/charon/bus/listeners/file_logger.c b/src/charon/bus/listeners/file_logger.c
index 4259630ec..c3213f5f8 100644
--- a/src/charon/bus/listeners/file_logger.c
+++ b/src/charon/bus/listeners/file_logger.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: file_logger.c 4622 2008-11-11 10:52:37Z martin $
*/
#include <stdio.h>
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 5cd37adc0..7282224a5 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: file_logger.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 37dbce926..5bcf28f24 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sys_logger.c 4434 2008-10-14 08:52:13Z martin $
*/
#include <stdio.h>
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 50301924e..6eda096a9 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sys_logger.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/config/attributes/attribute_handler.h b/src/charon/config/attributes/attribute_handler.h
new file mode 100644
index 000000000..de1c4414d
--- /dev/null
+++ b/src/charon/config/attributes/attribute_handler.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attribute_handler attribute_handler
+ * @{ @ingroup attributes
+ */
+
+#ifndef ATTRIBUTE_HANDLER_H_
+#define ATTRIBUTE_HANDLER_H_
+
+#include <sa/ike_sa.h>
+#include <encoding/payloads/configuration_attribute.h>
+
+typedef struct attribute_handler_t attribute_handler_t;
+
+/**
+ * Interface to handle configuration payload attributes.
+ */
+struct attribute_handler_t {
+
+ /**
+ * Handle a configuration attribute.
+ *
+ * After receiving a configuration attriubte, it is passed to each
+ * attribute handler until it is handled.
+ *
+ * @param type type of configuration attribute to handle
+ * @param data associated attribute data
+ * @return TRUE if attribute handled
+ */
+ bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa,
+ configuration_attribute_type_t type, chunk_t data);
+
+ /**
+ * Release an attribute handled during handle().
+ *
+ * A handler that handle()d an attribute gets a call to release() when the
+ * IKE_SA gets closed. Depending on the implementation, this is required
+ * to remove the attribute.
+ */
+ void (*release)(attribute_handler_t *this, ike_sa_t *ike_sa,
+ configuration_attribute_type_t type, chunk_t data);
+};
+
+#endif /* ATTRIBUTE_HANDLER_ @}*/
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
index a069c954a..83e431c43 100644
--- a/src/charon/config/attributes/attribute_manager.c
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "attribute_manager.h"
@@ -39,6 +37,11 @@ struct private_attribute_manager_t {
linked_list_t *providers;
/**
+ * list of registered handlers
+ */
+ linked_list_t *handlers;
+
+ /**
* rwlock provider list
*/
rwlock_t *lock;
@@ -49,7 +52,7 @@ struct private_attribute_manager_t {
*/
static host_t* acquire_address(private_attribute_manager_t *this,
char *pool, identification_t *id,
- auth_info_t *auth, host_t *requested)
+ host_t *requested)
{
enumerator_t *enumerator;
attribute_provider_t *current;
@@ -59,7 +62,7 @@ static host_t* acquire_address(private_attribute_manager_t *this,
enumerator = this->providers->create_enumerator(this->providers);
while (enumerator->enumerate(enumerator, &current))
{
- host = current->acquire_address(current, pool, id, auth, requested);
+ host = current->acquire_address(current, pool, id, requested);
if (host)
{
break;
@@ -105,6 +108,29 @@ static void release_address(private_attribute_manager_t *this,
}
/**
+ * inner enumerator constructor for attributes
+ */
+static enumerator_t *attrib_enum_create(attribute_provider_t *provider,
+ identification_t *id)
+{
+ return provider->create_attribute_enumerator(provider, id);
+}
+
+/**
+ * Implementation of attribute_manager_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(
+ private_attribute_manager_t *this, identification_t *id)
+{
+ this->lock->read_lock(this->lock);
+ return enumerator_create_cleaner(
+ enumerator_create_nested(
+ this->providers->create_enumerator(this->providers),
+ (void*)attrib_enum_create, id, NULL),
+ (void*)this->lock->unlock, this->lock);
+}
+
+/**
* Implementation of attribute_manager_t.add_provider.
*/
static void add_provider(private_attribute_manager_t *this,
@@ -127,11 +153,89 @@ static void remove_provider(private_attribute_manager_t *this,
}
/**
+ * Implementation of attribute_manager_t.handle
+ */
+static attribute_handler_t* handle(private_attribute_manager_t *this,
+ ike_sa_t *ike_sa, configuration_attribute_type_t type,
+ chunk_t data)
+{
+ enumerator_t *enumerator;
+ attribute_handler_t *current, *handled = NULL;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->handlers->create_enumerator(this->handlers);
+ while (enumerator->enumerate(enumerator, &current))
+ {
+ if (current->handle(current, ike_sa, type, data))
+ {
+ handled = current;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ if (!handled)
+ {
+ DBG1(DBG_CFG, "handling %N attribute failed",
+ configuration_attribute_type_names, type);
+ }
+ return handled;
+}
+
+/**
+ * Implementation of attribute_manager_t.release
+ */
+static void release(private_attribute_manager_t *this,
+ attribute_handler_t *handler, ike_sa_t *ike_sa,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ enumerator_t *enumerator;
+ attribute_handler_t *current;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->handlers->create_enumerator(this->handlers);
+ while (enumerator->enumerate(enumerator, &current))
+ {
+ if (current == handler)
+ {
+ current->release(current, ike_sa, type, data);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.add_handler
+ */
+static void add_handler(private_attribute_manager_t *this,
+ attribute_handler_t *handler)
+{
+ this->lock->write_lock(this->lock);
+ this->handlers->insert_last(this->handlers, handler);
+ this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of attribute_manager_t.remove_handler
+ */
+static void remove_handler(private_attribute_manager_t *this,
+ attribute_handler_t *handler)
+{
+ this->lock->write_lock(this->lock);
+ this->handlers->remove(this->handlers, handler, NULL);
+ this->lock->unlock(this->lock);
+}
+
+/**
* Implementation of attribute_manager_t.destroy
*/
static void destroy(private_attribute_manager_t *this)
{
this->providers->destroy(this->providers);
+ this->handlers->destroy(this->handlers);
this->lock->destroy(this->lock);
free(this);
}
@@ -143,13 +247,19 @@ attribute_manager_t *attribute_manager_create()
{
private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t);
- this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address;
+ this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address;
this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address;
+ this->public.create_attribute_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t *id))create_attribute_enumerator;
this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider;
this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider;
+ this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))handle;
+ this->public.release = (void(*)(attribute_manager_t*, attribute_handler_t *handler, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))release;
+ this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))add_handler;
+ this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))remove_handler;
this->public.destroy = (void(*)(attribute_manager_t*))destroy;
this->providers = linked_list_create();
+ this->handlers = linked_list_create();
this->lock = rwlock_create(RWLOCK_DEFAULT);
return &this->public;
diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h
index aef6e7b6e..ceea06581 100644
--- a/src/charon/config/attributes/attribute_manager.h
+++ b/src/charon/config/attributes/attribute_manager.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
@@ -24,26 +22,31 @@
#define ATTRIBUTE_MANAGER_H_
#include <config/attributes/attribute_provider.h>
+#include <config/attributes/attribute_handler.h>
typedef struct attribute_manager_t attribute_manager_t;
/**
- * Provide configuration attributes to include in CFG Payloads.
+ * The attribute manager hands out attributes or handles them.
+ *
+ * The attribute manager manages both, attribute providers and attribute
+ * handlers. Attribute providers are responsible to hand out attributes if
+ * a connecting peer requests them. Handlers handle such attributes if they
+ * are received on the requesting peer.
*/
struct attribute_manager_t {
-
+
/**
* Acquire a virtual IP address to assign to a peer.
*
* @param pool pool name to acquire address from
- * @param id peer identity to get address for
- * @param auth authorization infos of peer
+ * @param id peer identity to get address forua
* @param requested IP in configuration request
* @return allocated address, NULL to serve none
*/
host_t* (*acquire_address)(attribute_manager_t *this,
char *pool, identification_t *id,
- auth_info_t *auth, host_t *requested);
+ host_t *requested);
/**
* Release a previously acquired address.
@@ -56,6 +59,15 @@ struct attribute_manager_t {
char *pool, host_t *address, identification_t *id);
/**
+ * Create an enumerator over attributes to hand out to a peer.
+ *
+ * @param id peer identity to hand out attributes to
+ * @return enumerator (configuration_attribute_type_t, chunk_t)
+ */
+ enumerator_t* (*create_attribute_enumerator)(attribute_manager_t *this,
+ identification_t *id);
+
+ /**
* Register an attribute provider to the manager.
*
* @param provider attribute provider to register
@@ -69,10 +81,50 @@ struct attribute_manager_t {
*/
void (*remove_provider)(attribute_manager_t *this,
attribute_provider_t *provider);
+
+ /**
+ * Handle a configuration attribute by passing them to the handlers.
+ *
+ * @param ike_sa IKE_SA where attribute was received
+ * @param type type of configuration attribute
+ * @param data associated attribute data
+ * @return handler which handled this attribute, NULL if none
+ */
+ attribute_handler_t* (*handle)(attribute_manager_t *this, ike_sa_t *ike_sa,
+ configuration_attribute_type_t type, chunk_t data);
+
/**
- * Destroy a attribute_manager instance.
- */
- void (*destroy)(attribute_manager_t *this);
+ * Release an attribute previously handle()d by a handler.
+ *
+ * @param handler handler returned by handle() for this attribute
+ * @param ike_sa IKE_SA owning the attribute
+ * @param type type of attribute to release
+ * @param data associated attribute data
+ */
+ void (*release)(attribute_manager_t *this, attribute_handler_t *handler,
+ ike_sa_t *ike_sa, configuration_attribute_type_t type,
+ chunk_t data);
+
+ /**
+ * Register an attribute handler to the manager.
+ *
+ * @param handler attribute handler to register
+ */
+ void (*add_handler)(attribute_manager_t *this,
+ attribute_handler_t *handler);
+
+ /**
+ * Unregister an attribute handler from the manager.
+ *
+ * @param handler attribute handler to unregister
+ */
+ void (*remove_handler)(attribute_manager_t *this,
+ attribute_handler_t *handler);
+
+ /**
+ * Destroy a attribute_manager instance.
+ */
+ void (*destroy)(attribute_manager_t *this);
};
/**
diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h
index 5d563e86b..0f1057af4 100644
--- a/src/charon/config/attributes/attribute_provider.h
+++ b/src/charon/config/attributes/attribute_provider.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
@@ -25,7 +23,7 @@
#include <library.h>
#include <utils/host.h>
-#include <credentials/auth_info.h>
+#include <utils/identification.h>
typedef struct attribute_provider_t attribute_provider_t;
@@ -39,13 +37,12 @@ struct attribute_provider_t {
*
* @param pool name of the pool to acquire address from
* @param id peer ID
- * @param auth authorization infos
* @param requested IP in configuration request
* @return allocated address, NULL to serve none
*/
host_t* (*acquire_address)(attribute_provider_t *this,
char *pool, identification_t *id,
- auth_info_t *auth, host_t *requested);
+ host_t *requested);
/**
* Release a previously acquired address.
*
@@ -56,6 +53,15 @@ struct attribute_provider_t {
*/
bool (*release_address)(attribute_provider_t *this,
char *pool, host_t *address, identification_t *id);
+
+ /**
+ * Create an enumerator over attributes to hand out to a peer.
+ *
+ * @param id peer ID
+ * @return enumerator (configuration_attribute_type_t, chunk_t)
+ */
+ enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this,
+ identification_t *id);
};
#endif /** ATTRIBUTE_PROVIDER_H_ @}*/
diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c
new file mode 100644
index 000000000..e4501bc93
--- /dev/null
+++ b/src/charon/config/auth_cfg.c
@@ -0,0 +1,768 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "auth_cfg.h"
+
+#include <daemon.h>
+#include <utils/linked_list.h>
+#include <utils/identification.h>
+#include <credentials/certificates/certificate.h>
+
+ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL,
+ "RULE_IDENTITY",
+ "RULE_AUTH_CLASS",
+ "RULE_EAP_IDENTITY",
+ "RULE_EAP_TYPE",
+ "RULE_EAP_VENDOR",
+ "RULE_CA_CERT",
+ "RULE_IM_CERT",
+ "RULE_SUBJECT_CERT",
+ "RULE_CRL_VALIDATION",
+ "RULE_OCSP_VALIDATION",
+ "RULE_AC_GROUP",
+ "HELPER_IM_CERT",
+ "HELPER_SUBJECT_CERT",
+ "HELPER_IM_HASH_URL",
+ "HELPER_SUBJECT_HASH_URL",
+);
+
+typedef struct private_auth_cfg_t private_auth_cfg_t;
+
+/**
+ * private data of item_set
+ */
+struct private_auth_cfg_t {
+
+ /**
+ * public functions
+ */
+ auth_cfg_t public;
+
+ /**
+ * list of entry_t
+ */
+ linked_list_t *entries;
+};
+
+typedef struct entry_t entry_t;
+
+struct entry_t {
+ /** rule type */
+ auth_rule_t type;
+ /** associated value */
+ void *value;
+};
+
+/**
+ * enumerator for auth_cfg_t.create_enumerator()
+ */
+typedef struct {
+ /** implements enumerator_t */
+ enumerator_t public;
+ /** inner enumerator from linked_list_t */
+ enumerator_t *inner;
+ /** current entry */
+ entry_t *current;
+} entry_enumerator_t;
+
+/**
+ * enumerate function for item_enumerator_t
+ */
+static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value)
+{
+ entry_t *entry;
+
+ if (this->inner->enumerate(this->inner, &entry))
+ {
+ this->current = entry;
+ *type = entry->type;
+ *value = entry->value;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * destroy function for item_enumerator_t
+ */
+static void entry_enumerator_destroy(entry_enumerator_t *this)
+{
+ this->inner->destroy(this->inner);
+ free(this);
+}
+
+/**
+ * Implementation of auth_cfg_t.create_enumerator.
+ */
+static enumerator_t* create_enumerator(private_auth_cfg_t *this)
+{
+ entry_enumerator_t *enumerator;
+
+ enumerator = malloc_thing(entry_enumerator_t);
+ enumerator->inner = this->entries->create_enumerator(this->entries);
+ enumerator->public.enumerate = (void*)enumerate;
+ enumerator->public.destroy = (void*)entry_enumerator_destroy;
+ enumerator->current = NULL;
+ return &enumerator->public;
+}
+
+/**
+ * Destroy the value associated with an entry
+ */
+static void destroy_entry_value(entry_t *entry)
+{
+ switch (entry->type)
+ {
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AC_GROUP:
+ {
+ identification_t *id = (identification_t*)entry->value;
+ id->destroy(id);
+ break;
+ }
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ {
+ certificate_t *cert = (certificate_t*)entry->value;
+ cert->destroy(cert);
+ break;
+ }
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ {
+ free(entry->value);
+ break;
+ }
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ break;
+ }
+}
+
+/**
+ * Implementation of auth_cfg_t.replace.
+ */
+static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
+ auth_rule_t type, ...)
+{
+ if (enumerator->current)
+ {
+ va_list args;
+
+ va_start(args, type);
+
+ destroy_entry_value(enumerator->current);
+ enumerator->current->type = type;
+ switch (type)
+ {
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ /* integer type */
+ enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
+ break;
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ /* pointer type */
+ enumerator->current->value = va_arg(args, void*);
+ break;
+ }
+ va_end(args);
+ }
+}
+
+/**
+ * Implementation of auth_cfg_t.get.
+ */
+static void* get(private_auth_cfg_t *this, auth_rule_t type)
+{
+ enumerator_t *enumerator;
+ void *current_value, *best_value = NULL;
+ auth_rule_t current_type;
+ bool found = FALSE;
+
+ enumerator = create_enumerator(this);
+ while (enumerator->enumerate(enumerator, &current_type, &current_value))
+ {
+ if (type == current_type)
+ {
+ if (type == AUTH_RULE_CRL_VALIDATION ||
+ type == AUTH_RULE_OCSP_VALIDATION)
+ { /* for CRL/OCSP validation, always get() the highest value */
+ if (!found || current_value > best_value)
+ {
+ best_value = current_value;
+ }
+ found = TRUE;
+ continue;
+ }
+ best_value = current_value;
+ found = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (found)
+ {
+ return best_value;
+ }
+ switch (type)
+ {
+ /* use some sane defaults if we don't find an entry */
+ case AUTH_RULE_AUTH_CLASS:
+ return (void*)AUTH_CLASS_ANY;
+ case AUTH_RULE_EAP_TYPE:
+ return (void*)EAP_NAK;
+ case AUTH_RULE_EAP_VENDOR:
+ return (void*)0;
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ return (void*)VALIDATION_FAILED;
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ default:
+ return NULL;
+ }
+}
+
+/**
+ * Implementation of auth_cfg_t.add.
+ */
+static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
+{
+ entry_t *entry = malloc_thing(entry_t);
+ va_list args;
+
+ va_start(args, type);
+ entry->type = type;
+ switch (type)
+ {
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ /* integer type */
+ entry->value = (void*)(uintptr_t)va_arg(args, u_int);
+ break;
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ /* pointer type */
+ entry->value = va_arg(args, void*);
+ break;
+ }
+ va_end(args);
+ this->entries->insert_last(this->entries, entry);
+}
+
+/**
+ * Implementation of auth_cfg_t.complies.
+ */
+static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
+ bool log_error)
+{
+ enumerator_t *e1, *e2;
+ bool success = TRUE;
+ auth_rule_t t1, t2;
+ void *value;
+
+ e1 = constraints->create_enumerator(constraints);
+ while (e1->enumerate(e1, &t1, &value))
+ {
+ switch (t1)
+ {
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ {
+ certificate_t *c1, *c2;
+
+ c1 = (certificate_t*)value;
+
+ success = FALSE;
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &c2))
+ {
+ if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) &&
+ c1->equals(c1, c2))
+ {
+ success = TRUE;
+ }
+ }
+ e2->destroy(e2);
+ if (!success && log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: peer not "
+ "authenticated by CA '%Y'.", c1->get_subject(c1));
+ }
+ break;
+ }
+ case AUTH_RULE_SUBJECT_CERT:
+ {
+ certificate_t *c1, *c2;
+
+ c1 = (certificate_t*)value;
+ c2 = get(this, AUTH_RULE_SUBJECT_CERT);
+ if (!c2 || !c1->equals(c1, c2))
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: peer not "
+ "authenticated with peer cert '%Y'.",
+ c1->get_subject(c1));
+ }
+ }
+ break;
+ }
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ {
+ cert_validation_t validated, required;
+
+ required = (uintptr_t)value;
+ validated = (uintptr_t)get(this, t1);
+ switch (required)
+ {
+ case VALIDATION_FAILED:
+ /* no constraint */
+ break;
+ case VALIDATION_SKIPPED:
+ if (validated == VALIDATION_SKIPPED)
+ {
+ break;
+ }
+ /* FALL */
+ case VALIDATION_GOOD:
+ if (validated == VALIDATION_GOOD)
+ {
+ break;
+ }
+ /* FALL */
+ default:
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: %N is %N, "
+ "but requires at least %N", auth_rule_names,
+ t1, cert_validation_names, validated,
+ cert_validation_names, required);
+ }
+ break;
+ }
+ break;
+ }
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ {
+ identification_t *id1, *id2;
+
+ id1 = (identification_t*)value;
+ id2 = get(this, t1);
+ if (!id2 || !id2->matches(id2, id1))
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'"
+ " required ", t1 == AUTH_RULE_IDENTITY ? "" :
+ "EAP ", id1);
+ }
+ }
+ break;
+ }
+ case AUTH_RULE_AUTH_CLASS:
+ {
+ if ((uintptr_t)value != AUTH_CLASS_ANY &&
+ (uintptr_t)value != (uintptr_t)get(this, t1))
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %N authentication, "
+ "but %N was used", auth_class_names, (uintptr_t)value,
+ auth_class_names, (uintptr_t)get(this, t1));
+ }
+ }
+ break;
+ }
+ case AUTH_RULE_EAP_TYPE:
+ {
+ if ((uintptr_t)value != (uintptr_t)get(this, t1))
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires %N, "
+ "but %N was used", eap_type_names, (uintptr_t)value,
+ eap_type_names, (uintptr_t)get(this, t1));
+ }
+ }
+ break;
+ }
+ case AUTH_RULE_EAP_VENDOR:
+ {
+ if ((uintptr_t)value != (uintptr_t)get(this, t1))
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint requires EAP vendor %d, "
+ "but %d was used", (uintptr_t)value,
+ (uintptr_t)get(this, t1));
+ }
+ }
+ break;
+ }
+ case AUTH_RULE_AC_GROUP:
+ {
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check %N not implemented!",
+ auth_rule_names, t1);
+ }
+ break;
+ }
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ /* skip helpers */
+ continue;
+ }
+ if (!success)
+ {
+ break;
+ }
+ }
+ e1->destroy(e1);
+ return success;
+}
+
+/**
+ * Implementation of auth_cfg_t.merge.
+ */
+static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy)
+{
+ if (!other)
+ { /* nothing to merge */
+ return;
+ }
+ if (copy)
+ {
+ enumerator_t *enumerator;
+ auth_rule_t type;
+ void *value;
+
+ enumerator = create_enumerator(other);
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ switch (type)
+ {
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ {
+ certificate_t *cert = (certificate_t*)value;
+
+ add(this, type, cert->get_ref(cert));
+ break;
+ }
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ {
+ add(this, type, (uintptr_t)value);
+ break;
+ }
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AC_GROUP:
+ {
+ identification_t *id = (identification_t*)value;
+
+ add(this, type, id->clone(id));
+ break;
+ }
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ {
+ add(this, type, strdup((char*)value));
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ entry_t *entry;
+
+ while (other->entries->remove_first(other->entries,
+ (void**)&entry) == SUCCESS)
+ {
+ this->entries->insert_last(this->entries, entry);
+ }
+ }
+}
+
+/**
+ * Implementation of auth_cfg_t.equals.
+ */
+static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
+{
+ enumerator_t *e1, *e2;
+ entry_t *i1, *i2;
+ bool equal = TRUE, found;
+
+ if (this->entries->get_count(this->entries) !=
+ other->entries->get_count(other->entries))
+ {
+ return FALSE;
+ }
+ e1 = this->entries->create_enumerator(this->entries);
+ while (e1->enumerate(e1, &i1))
+ {
+ found = FALSE;
+ e2 = other->entries->create_enumerator(other->entries);
+ while (e2->enumerate(e2, &i2))
+ {
+ if (i1->type == i2->type)
+ {
+ switch (i1->type)
+ {
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ {
+ if (i1->value == i2->value)
+ {
+ found = TRUE;
+ break;
+ }
+ continue;
+ }
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ {
+ certificate_t *c1, *c2;
+
+ c1 = (certificate_t*)i1->value;
+ c2 = (certificate_t*)i2->value;
+
+ if (c1->equals(c1, c2))
+ {
+ found = TRUE;
+ break;
+ }
+ continue;
+ }
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AC_GROUP:
+ {
+ identification_t *id1, *id2;
+
+ id1 = (identification_t*)i1->value;
+ id2 = (identification_t*)i2->value;
+
+ if (id1->equals(id1, id2))
+ {
+ found = TRUE;
+ break;
+ }
+ continue;
+ }
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ {
+ if (streq(i1->value, i2->value))
+ {
+ found = TRUE;
+ break;
+ }
+ continue;
+ }
+ }
+ break;
+ }
+ }
+ e2->destroy(e2);
+ if (!found)
+ {
+ equal = FALSE;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ return equal;
+}
+
+/**
+ * Implementation of auth_cfg_t.purge
+ */
+static void purge(private_auth_cfg_t *this, bool keep_ca)
+{
+ entry_t *entry;
+ linked_list_t *cas;
+
+ cas = linked_list_create();
+ while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS)
+ {
+ if (keep_ca && entry->type == AUTH_RULE_CA_CERT)
+ {
+ cas->insert_first(cas, entry);
+ }
+ else
+ {
+ destroy_entry_value(entry);
+ free(entry);
+ }
+ }
+ while (cas->remove_last(cas, (void**)&entry) == SUCCESS)
+ {
+ this->entries->insert_first(this->entries, entry);
+ }
+ cas->destroy(cas);
+}
+
+/**
+ * Implementation of auth_cfg_t.clone
+ */
+static auth_cfg_t* clone_(private_auth_cfg_t *this)
+{
+ enumerator_t *enumerator;
+ auth_cfg_t *clone;
+ entry_t *entry;
+
+ clone = auth_cfg_create();
+ enumerator = this->entries->create_enumerator(this->entries);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ switch (entry->type)
+ {
+ case AUTH_RULE_IDENTITY:
+ case AUTH_RULE_EAP_IDENTITY:
+ case AUTH_RULE_AC_GROUP:
+ {
+ identification_t *id = (identification_t*)entry->value;
+ clone->add(clone, entry->type, id->clone(id));
+ break;
+ }
+ case AUTH_RULE_CA_CERT:
+ case AUTH_RULE_IM_CERT:
+ case AUTH_RULE_SUBJECT_CERT:
+ case AUTH_HELPER_IM_CERT:
+ case AUTH_HELPER_SUBJECT_CERT:
+ {
+ certificate_t *cert = (certificate_t*)entry->value;
+ clone->add(clone, entry->type, cert->get_ref(cert));
+ break;
+ }
+ case AUTH_HELPER_IM_HASH_URL:
+ case AUTH_HELPER_SUBJECT_HASH_URL:
+ {
+ clone->add(clone, entry->type, strdup(entry->value));
+ break;
+ }
+ case AUTH_RULE_AUTH_CLASS:
+ case AUTH_RULE_EAP_TYPE:
+ case AUTH_RULE_EAP_VENDOR:
+ case AUTH_RULE_CRL_VALIDATION:
+ case AUTH_RULE_OCSP_VALIDATION:
+ clone->add(clone, entry->type, (uintptr_t)entry->value);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return clone;
+}
+
+/**
+ * Implementation of auth_cfg_t.destroy
+ */
+static void destroy(private_auth_cfg_t *this)
+{
+ purge(this, FALSE);
+ this->entries->destroy(this->entries);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+auth_cfg_t *auth_cfg_create()
+{
+ private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t);
+
+ this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add;
+ this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get;
+ this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator;
+ this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace;
+ this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies;
+ this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge;
+ this->public.purge = (void(*)(auth_cfg_t*,bool))purge;
+ this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals;
+ this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_;
+ this->public.destroy = (void(*)(auth_cfg_t*))destroy;
+
+ this->entries = linked_list_create();
+
+ return &this->public;
+}
+
diff --git a/src/charon/config/auth_cfg.h b/src/charon/config/auth_cfg.h
new file mode 100644
index 000000000..c6bc1959b
--- /dev/null
+++ b/src/charon/config/auth_cfg.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup auth_cfg auth_cfg
+ * @{ @ingroup config
+ */
+
+#ifndef AUTH_CFG_H_
+#define AUTH_CFG_H_
+
+#include <utils/enumerator.h>
+
+typedef struct auth_cfg_t auth_cfg_t;
+typedef enum auth_rule_t auth_rule_t;
+
+/**
+ * Authentication config to use during authentication process.
+ *
+ * Each authentication config contains a set of rules. These rule-sets are used
+ * in two ways:
+ * - For configs specifying local authentication behavior, the rules define
+ * which authentication method in which way.
+ * - For configs specifying remote peer authentication, the rules define
+ * constraints the peer has to fullfill.
+ *
+ * Additionally to the rules, there is a set of helper items. These are used
+ * to transport credentials during the authentication process.
+ */
+enum auth_rule_t {
+
+ /** identity to use for IKEv2 authentication exchange, identification_t* */
+ AUTH_RULE_IDENTITY,
+ /** authentication class, auth_class_t */
+ AUTH_RULE_AUTH_CLASS,
+ /** EAP identity to use within EAP-Identity exchange, identification_t* */
+ AUTH_RULE_EAP_IDENTITY,
+ /** EAP type to propose for peer authentication, eap_type_t */
+ AUTH_RULE_EAP_TYPE,
+ /** EAP vendor for vendor specific type, u_int32_t */
+ AUTH_RULE_EAP_VENDOR,
+ /** certificate authority, certificate_t* */
+ AUTH_RULE_CA_CERT,
+ /** intermediate certificate in trustchain, certificate_t* */
+ AUTH_RULE_IM_CERT,
+ /** subject certificate, certificate_t* */
+ AUTH_RULE_SUBJECT_CERT,
+ /** result of a CRL validation, cert_validation_t */
+ AUTH_RULE_CRL_VALIDATION,
+ /** result of a OCSP validation, cert_validation_t */
+ AUTH_RULE_OCSP_VALIDATION,
+ /** subject is in attribute certificate group, identification_t* */
+ AUTH_RULE_AC_GROUP,
+
+ /** intermediate certificate, certificate_t* */
+ AUTH_HELPER_IM_CERT,
+ /** subject certificate, certificate_t* */
+ AUTH_HELPER_SUBJECT_CERT,
+ /** Hash and URL of a intermediate certificate, char* */
+ AUTH_HELPER_IM_HASH_URL,
+ /** Hash and URL of a end-entity certificate, char* */
+ AUTH_HELPER_SUBJECT_HASH_URL,
+};
+
+/**
+ * enum name for auth_rule_t.
+ */
+extern enum_name_t *auth_rule_names;
+
+/**
+ * Authentication/Authorization round.
+ *
+ * RFC4739 defines multiple authentication rounds. This class defines such
+ * a round from a configuration perspective, either for the local or the remote
+ * peer. Local config are called "rulesets", as they define how we authenticate.
+ * Remote peer configs are called "constraits", they define what is needed to
+ * complete the authentication round successfully.
+ *
+ * @verbatim
+
+ [Repeat for each configuration]
+ +--------------------------------------------------+
+ | |
+ | |
+ | +----------+ IKE_AUTH +--------- + |
+ | | config | -----------> | | |
+ | | ruleset | | | |
+ | +----------+ [ <----------- ] | | |
+ | [ optional EAP ] | Peer | |
+ | +----------+ [ -----------> ] | | |
+ | | config | | | |
+ | | constr. | <----------- | | |
+ | +----------+ IKE_AUTH +--------- + |
+ | |
+ | |
+ +--------------------------------------------------+
+
+ @endverbatim
+ *
+ * Values for each items are either pointers (casted to void*) or short
+ * integers (use uintptr_t cast).
+ */
+struct auth_cfg_t {
+
+ /**
+ * Add an rule to the set.
+ *
+ * @param rule rule type
+ * @param ... associated value to rule
+ */
+ void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
+
+ /**
+ * Get an rule value.
+ *
+ * @param rule rule type
+ * @return bool if item has been found
+ */
+ void* (*get)(auth_cfg_t *this, auth_rule_t rule);
+
+ /**
+ * Create an enumerator over added rules.
+ *
+ * @return enumerator over (auth_rule_t, union{void*,uintpr_t})
+ */
+ enumerator_t* (*create_enumerator)(auth_cfg_t *this);
+
+ /**
+ * Replace an rule at enumerator position.
+ *
+ * @param pos enumerator position position
+ * @param rule rule type
+ * @param ... associated value to rule
+ */
+ void (*replace)(auth_cfg_t *this, enumerator_t *pos,
+ auth_rule_t rule, ...);
+
+ /**
+ * Check if a used config fulfills a set of configured constraints.
+ *
+ * @param constraints required authorization rules
+ * @param log_error wheter to log compliance errors
+ * @return TRUE if this complies with constraints
+ */
+ bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
+
+ /**
+ * Merge items from other into this.
+ *
+ * @param other items to read for merge
+ * @param copy TRUE to copy items, FALSE to move them
+ */
+ void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
+
+ /**
+ * Purge all rules in a config.
+ *
+ * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries
+ */
+ void (*purge)(auth_cfg_t *this, bool keep_ca);
+
+ /**
+ * Check two configs for equality.
+ *
+ * @param other other config to compaire against this
+ * @return TRUE if auth infos identical
+ */
+ bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
+
+ /**
+ * Clone a authentication config, including all rules.
+ *
+ * @return cloned configuration
+ */
+ auth_cfg_t* (*clone)(auth_cfg_t *this);
+
+ /**
+ * Destroy a config with all associated rules/values.
+ */
+ void (*destroy)(auth_cfg_t *this);
+};
+
+/**
+ * Create a authentication config.
+ */
+auth_cfg_t *auth_cfg_create();
+
+#endif /** AUTH_CFG_H_ @}*/
diff --git a/src/charon/config/backend.h b/src/charon/config/backend.h
index 3a22f61ac..458abc37f 100644
--- a/src/charon/config/backend.h
+++ b/src/charon/config/backend.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: backend.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -28,7 +26,6 @@ typedef struct backend_t backend_t;
#include <library.h>
#include <config/ike_cfg.h>
#include <config/peer_cfg.h>
-#include <credentials/auth_info.h>
#include <utils/linked_list.h>
/**
@@ -45,6 +42,10 @@ struct backend_t {
*
* Hosts may be NULL to get all.
*
+ * There is no requirement for the backend to filter the configurations
+ * using the supplied hosts; but it may do so if it increases lookup times
+ * (e.g. include hosts in SQL query).
+ *
* @param me address of local host
* @param other address of remote host
* @return enumerator over ike_cfg_t's
@@ -52,10 +53,17 @@ struct backend_t {
enumerator_t* (*create_ike_cfg_enumerator)(backend_t *this,
host_t *me, host_t *other);
/**
- * Create an enumerator over all Peer configs matching two IDs.
+ * Create an enumerator over all peer configs matching two identities.
*
* IDs may be NULL to get all.
*
+ * As configurations are looked up in the first authentication round (when
+ * multiple authentication), the backend implementation should compare
+ * the identities to the first auth_cfgs only.
+ * There is no requirement for the backend to filter the configurations
+ * using the supplied identities; but it may do so if it increases lookup
+ * times (e.g. include hosts in SQL query).
+ *
* @param me identity of ourself
* @param other identity of remote host
* @return enumerator over peer_cfg_t
@@ -64,7 +72,7 @@ struct backend_t {
identification_t *me,
identification_t *other);
/**
- * Get a peer_cfg identified by it's name, or a name of its child.
+ * Get a peer_cfg identified by it's name, or a name of its children.
*
* @param name name of peer/child cfg
* @return matching peer_config, or NULL if none found
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index a9fe974af..3a3a78466 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2007-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: backend_manager.c 4758 2008-12-04 23:16:10Z andreas $
*/
#include "backend_manager.h"
@@ -68,15 +66,6 @@ typedef struct {
} ike_data_t;
/**
- * data to pass nested peer enumerator
- */
-typedef struct {
- private_backend_manager_t *this;
- identification_t *me;
- identification_t *other;
-} peer_data_t;
-
-/**
* inner enumerator constructor for IKE cfgs
*/
static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
@@ -85,59 +74,58 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data)
}
/**
- * inner enumerator constructor for Peer cfgs
- */
-static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
-{
- return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
-}
-/**
- * inner enumerator constructor for all Peer cfgs
- */
-static enumerator_t *peer_enum_create_all(backend_t *backend)
-{
- return backend->create_peer_cfg_enumerator(backend, NULL, NULL);
-}
-
-/**
* get a match of a candidate ike_cfg for two hosts
*/
-static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other)
+static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
{
host_t *me_cand, *other_cand;
ike_cfg_match_t match = MATCH_NONE;
- me_cand = host_create_from_dns(cand->get_my_addr(cand),
- me->get_family(me), 0);
- if (!me_cand)
+ if (me)
{
- return MATCH_NONE;
- }
- if (me_cand->ip_equals(me_cand, me))
- {
- match += MATCH_ME;
+ me_cand = host_create_from_dns(cand->get_my_addr(cand),
+ me->get_family(me), 0);
+ if (!me_cand)
+ {
+ return MATCH_NONE;
+ }
+ if (me_cand->ip_equals(me_cand, me))
+ {
+ match += MATCH_ME;
+ }
+ else if (me_cand->is_anyaddr(me_cand))
+ {
+ match += MATCH_ANY;
+ }
+ me_cand->destroy(me_cand);
}
- else if (me_cand->is_anyaddr(me_cand))
+ else
{
match += MATCH_ANY;
}
- me_cand->destroy(me_cand);
- other_cand = host_create_from_dns(cand->get_other_addr(cand),
- other->get_family(other), 0);
- if (!other_cand)
+ if (other)
{
- return MATCH_NONE;
- }
- if (other_cand->ip_equals(other_cand, other))
- {
- match += MATCH_OTHER;
+ other_cand = host_create_from_dns(cand->get_other_addr(cand),
+ other->get_family(other), 0);
+ if (!other_cand)
+ {
+ return MATCH_NONE;
+ }
+ if (other_cand->ip_equals(other_cand, other))
+ {
+ match += MATCH_OTHER;
+ }
+ else if (other_cand->is_anyaddr(other_cand))
+ {
+ match += MATCH_ANY;
+ }
+ other_cand->destroy(other_cand);
}
- else if (other_cand->is_anyaddr(other_cand))
+ else
{
match += MATCH_ANY;
}
- other_cand->destroy(other_cand);
return match;
}
@@ -165,7 +153,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
(void*)ike_enum_create, data, (void*)free);
while (enumerator->enumerate(enumerator, (void**)&current))
{
- match = get_match(current, me, other);
+ match = get_ike_match(current, me, other);
if (match)
{
@@ -191,87 +179,198 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
return found;
}
+/**
+ * Get the best ID match in one of the configs auth_cfg
+ */
+static id_match_t get_peer_match(identification_t *id,
+ peer_cfg_t *cfg, bool local)
+{
+ enumerator_t *enumerator;
+ auth_cfg_t *auth;
+ identification_t *candidate;
+ id_match_t match = ID_MATCH_NONE;
+
+ if (!id)
+ {
+ return ID_MATCH_ANY;
+ }
+
+ /* compare first auth config only */
+ enumerator = cfg->create_auth_cfg_enumerator(cfg, local);
+ if (enumerator->enumerate(enumerator, &auth))
+ {
+ candidate = auth->get(auth, AUTH_RULE_IDENTITY);
+ if (candidate)
+ {
+ match = id->matches(id, candidate);
+ /* match vice-versa, as the proposed IDr might be ANY */
+ if (!match)
+ {
+ match = candidate->matches(candidate, id);
+ }
+ }
+ else
+ {
+ match = ID_MATCH_ANY;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return match;
+}
+
+/**
+ * data to pass nested peer enumerator
+ */
+typedef struct {
+ rwlock_t *lock;
+ identification_t *me;
+ identification_t *other;
+} peer_data_t;
+
+/**
+ * list element to help sorting
+ */
+typedef struct {
+ id_match_t match_peer;
+ ike_cfg_match_t match_ike;
+ peer_cfg_t *cfg;
+} match_entry_t;
+
+/**
+ * inner enumerator constructor for peer cfgs
+ */
+static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data)
+{
+ return backend->create_peer_cfg_enumerator(backend, data->me, data->other);
+}
+
+/**
+ * unlock/cleanup peer enumerator
+ */
+static void peer_enum_destroy(peer_data_t *data)
+{
+ data->lock->unlock(data->lock);
+ free(data);
+}
-static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this)
+/**
+ * convert enumerator value from match_entry to config
+ */
+static bool peer_enum_filter(linked_list_t *configs,
+ match_entry_t **in, peer_cfg_t **out)
{
- this->lock->read_lock(this->lock);
- return enumerator_create_nested(
- this->backends->create_enumerator(this->backends),
- (void*)peer_enum_create_all, this->lock,
- (void*)this->lock->unlock);
+ *out = (*in)->cfg;
+ return TRUE;
+}
+
+/**
+ * Clean up temporary config list
+ */
+static void peer_enum_filter_destroy(linked_list_t *configs)
+{
+ match_entry_t *entry;
+
+ while (configs->remove_last(configs, (void**)&entry) == SUCCESS)
+ {
+ entry->cfg->destroy(entry->cfg);
+ free(entry);
+ }
+ configs->destroy(configs);
}
/**
- * implements backend_manager_t.get_peer_cfg.
+ * Insert entry into match-sorted list, using helper
+ */
+static void insert_sorted(match_entry_t *entry, linked_list_t *list,
+ linked_list_t *helper)
+{
+ match_entry_t *current;
+
+ while (list->remove_first(list, (void**)&current) == SUCCESS)
+ {
+ helper->insert_last(helper, current);
+ }
+ while (helper->remove_first(helper, (void**)&current) == SUCCESS)
+ {
+ if (entry && (
+ (entry->match_ike > current->match_ike &&
+ entry->match_peer >= current->match_peer) ||
+ (entry->match_ike >= current->match_ike &&
+ entry->match_peer > current->match_peer)))
+ {
+ list->insert_last(list, entry);
+ entry = NULL;
+ }
+ list->insert_last(list, current);
+ }
+ if (entry)
+ {
+ list->insert_last(list, entry);
+ }
+}
+
+/**
+ * Implements backend_manager_t.create_peer_cfg_enumerator.
*/
-static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me,
- host_t *other, identification_t *my_id,
- identification_t *other_id, auth_info_t *auth)
+static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this,
+ host_t *me, host_t *other, identification_t *my_id,
+ identification_t *other_id)
{
- peer_cfg_t *current, *found = NULL;
enumerator_t *enumerator;
- id_match_t best_peer = ID_MATCH_NONE;
- ike_cfg_match_t best_ike = MATCH_NONE;
peer_data_t *data;
-
- DBG2(DBG_CFG, "looking for a peer config for %H[%D]...%H[%D]",
- me, my_id, other, other_id);
+ peer_cfg_t *cfg;
+ linked_list_t *configs, *helper;
data = malloc_thing(peer_data_t);
- data->this = this;
+ data->lock = this->lock;
data->me = my_id;
data->other = other_id;
+ /* create a sorted list with all matches */
this->lock->read_lock(this->lock);
enumerator = enumerator_create_nested(
- this->backends->create_enumerator(this->backends),
- (void*)peer_enum_create, data, (void*)free);
- while (enumerator->enumerate(enumerator, &current))
+ this->backends->create_enumerator(this->backends),
+ (void*)peer_enum_create, data, (void*)peer_enum_destroy);
+
+ if (!me && !other && !my_id && !other_id)
+ { /* shortcut if we are doing a "listall" */
+ return enumerator;
+ }
+
+ DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
+ me, my_id, other, other_id);
+
+ configs = linked_list_create();
+ /* only once allocated helper list for sorting */
+ helper = linked_list_create();
+ while (enumerator->enumerate(enumerator, &cfg))
{
- identification_t *my_cand, *other_cand;
- id_match_t m1, m2, match_peer;
+ id_match_t match_peer_me, match_peer_other;
ike_cfg_match_t match_ike;
+ match_entry_t *entry;
- my_cand = current->get_my_id(current);
- other_cand = current->get_other_id(current);
-
- /* own ID may have wildcards in both, config and request (missing IDr) */
- m1 = my_cand->matches(my_cand, my_id);
- if (!m1)
- {
- m1 = my_id->matches(my_id, my_cand);
- }
- m2 = other_id->matches(other_id, other_cand);
-
- match_peer = m1 + m2;
- match_ike = get_match(current->get_ike_cfg(current), me, other);
+ match_peer_me = get_peer_match(my_id, cfg, TRUE);
+ match_peer_other = get_peer_match(other_id, cfg, FALSE);
+ match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other);
- if (m1 && m2 && match_ike &&
- auth->complies(auth, current->get_auth(current)))
+ if (match_peer_me && match_peer_other && match_ike)
{
- DBG2(DBG_CFG, " candidate \"%s\": %D...%D with prio %d.%d",
- current->get_name(current), my_cand, other_cand,
- match_peer, match_ike);
- if ((match_peer > best_peer && match_ike >= best_ike) ||
- (match_peer >= best_peer && match_ike > best_ike))
- {
- DESTROY_IF(found);
- found = current;
- found->get_ref(found);
- best_peer = match_peer;
- best_ike = match_ike;
- }
+ DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)",
+ cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike);
+
+ entry = malloc_thing(match_entry_t);
+ entry->match_peer = match_peer_me + match_peer_other;
+ entry->match_ike = match_ike;
+ entry->cfg = cfg->get_ref(cfg);
+ insert_sorted(entry, configs, helper);
}
}
- if (found)
- {
- DBG1(DBG_CFG, "found matching peer config \"%s\": %D...%D with prio %d.%d",
- found->get_name(found), found->get_my_id(found),
- found->get_other_id(found), best_peer, best_ike);
- }
enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
- return found;
+ helper->destroy(helper);
+
+ return enumerator_create_filter(configs->create_enumerator(configs),
+ (void*)peer_enum_filter, configs,
+ (void*)peer_enum_filter_destroy);
}
/**
@@ -332,9 +431,8 @@ backend_manager_t *backend_manager_create()
private_backend_manager_t *this = malloc_thing(private_backend_manager_t);
this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg;
- this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg;
this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name;
- this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator;
+ this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator;
this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend;
this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend;
this->public.destroy = (void (*)(backend_manager_t*))destroy;
diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h
index 657e5af94..0b7d7d0f8 100644
--- a/src/charon/config/backend_manager.h
+++ b/src/charon/config/backend_manager.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: backend_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -64,20 +62,6 @@ struct backend_manager_t {
host_t *my_host, host_t *other_host);
/**
- * Get a peer_config identified by two IDs and authorization info.
- *
- * @param me own address
- * @param other peer address
- * @param my_id own ID
- * @param other_id peer ID
- * @param auth_info authorization info
- * @return matching peer_config, or NULL if none found
- */
- peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me,
- host_t *other, identification_t *my_id,
- identification_t *other_id, auth_info_t *auth);
-
- /**
* Get a peer_config identified by it's name.
*
* @param name name of the peer_config
@@ -86,12 +70,20 @@ struct backend_manager_t {
peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name);
/**
- * Create an enumerator over all peer configs.
+ * Create an enumerator over all matching peer configs.
*
- * @return enumerator over peer configs
+ * Pass NULL as parameters to match any. The enumerator enumerates over
+ * peer_cfgs, ordered by priority (best match first).
+ *
+ * @param me local address
+ * @param other remote address
+ * @param my_id IDr in first authentication round
+ * @param other_id IDi in first authentication round
+ * @return enumerator over peer_cfg_t
*/
- enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this);
-
+ enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this,
+ host_t *me, host_t *other, identification_t *my_id,
+ identification_t *other_id);
/**
* Register a backend on the manager.
*
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 737a38e89..43e41671a 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_cfg.c 4862 2009-02-11 16:41:37Z andreas $
*/
#include "child_cfg.h"
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 6e3b0ba00..185fee3da 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_cfg.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c
index 8beccdc29..e80ab577e 100644
--- a/src/charon/config/ike_cfg.c
+++ b/src/charon/config/ike_cfg.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_cfg.c 4062 2008-06-12 11:42:19Z martin $
*/
#include "ike_cfg.h"
diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h
index c2f1f2867..064906423 100644
--- a/src/charon/config/ike_cfg.h
+++ b/src/charon/config/ike_cfg.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_cfg.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index 9cbca040d..da796d6a2 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: peer_cfg.c 4612 2008-11-11 06:37:37Z andreas $
*/
#include <string.h>
@@ -82,16 +80,6 @@ struct private_peer_cfg_t {
mutex_t *mutex;
/**
- * id to use to identify us
- */
- identification_t *my_id;
-
- /**
- * allowed id for other
- */
- identification_t *other_id;
-
- /**
* should we send a certificate
*/
cert_policy_t cert_policy;
@@ -147,10 +135,15 @@ struct private_peer_cfg_t {
char *pool;
/**
- * required authorization constraints
+ * local authentication configs (rulesets)
*/
- auth_info_t *auth;
-
+ linked_list_t *local_auth;
+
+ /**
+ * remote authentication configs (constraints)
+ */
+ linked_list_t *remote_auth;
+
#ifdef ME
/**
* Is this a mediation connection?
@@ -205,13 +198,39 @@ static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg)
}
/**
+ * child_cfg enumerator
+ */
+typedef struct {
+ enumerator_t public;
+ enumerator_t *wrapped;
+ mutex_t *mutex;
+} child_cfg_enumerator_t;
+
+/**
* Implementation of peer_cfg_t.remove_child_cfg.
*/
-static void remove_child_cfg(private_peer_cfg_t *this, enumerator_t *enumerator)
+static void remove_child_cfg(private_peer_cfg_t *this,
+ child_cfg_enumerator_t *enumerator)
+{
+ this->child_cfgs->remove_at(this->child_cfgs, enumerator->wrapped);
+}
+
+/**
+ * Implementation of child_cfg_enumerator_t.destroy
+ */
+static void child_cfg_enumerator_destroy(child_cfg_enumerator_t *this)
{
- this->mutex->lock(this->mutex);
- this->child_cfgs->remove_at(this->child_cfgs, enumerator);
this->mutex->unlock(this->mutex);
+ this->wrapped->destroy(this->wrapped);
+ free(this);
+}
+
+/**
+ * Implementation of child_cfg_enumerator_t.enumerate
+ */
+static bool child_cfg_enumerate(child_cfg_enumerator_t *this, child_cfg_t **chd)
+{
+ return this->wrapped->enumerate(this->wrapped, chd);
}
/**
@@ -219,12 +238,15 @@ static void remove_child_cfg(private_peer_cfg_t *this, enumerator_t *enumerator)
*/
static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
{
- enumerator_t *enumerator;
-
+ child_cfg_enumerator_t *enumerator = malloc_thing(child_cfg_enumerator_t);
+
+ enumerator->public.enumerate = (void*)child_cfg_enumerate;
+ enumerator->public.destroy = (void*)child_cfg_enumerator_destroy;
+ enumerator->mutex = this->mutex;
+ enumerator->wrapped = this->child_cfgs->create_enumerator(this->child_cfgs);
+
this->mutex->lock(this->mutex);
- enumerator = this->child_cfgs->create_enumerator(this->child_cfgs);
- return enumerator_create_cleaner(enumerator,
- (void*)this->mutex->unlock, this->mutex);
+ return &enumerator->public;
}
/**
@@ -287,22 +309,6 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
}
/**
- * Implementation of peer_cfg_t.get_my_id
- */
-static identification_t *get_my_id(private_peer_cfg_t *this)
-{
- return this->my_id;
-}
-
-/**
- * Implementation of peer_cfg_t.get_other_id
- */
-static identification_t *get_other_id(private_peer_cfg_t *this)
-{
- return this->other_id;
-}
-
-/**
* Implementation of peer_cfg_t.get_cert_policy.
*/
static cert_policy_t get_cert_policy(private_peer_cfg_t *this)
@@ -397,13 +403,34 @@ static char* get_pool(private_peer_cfg_t *this)
{
return this->pool;
}
-
+
+/**
+ * Implementation of peer_cfg_t.add_auth_cfg
+ */
+static void add_auth_cfg(private_peer_cfg_t *this,
+ auth_cfg_t *cfg, bool local)
+{
+ if (local)
+ {
+ this->local_auth->insert_last(this->local_auth, cfg);
+ }
+ else
+ {
+ this->remote_auth->insert_last(this->remote_auth, cfg);
+ }
+}
+
/**
- * Implementation of peer_cfg_t.get_auth.
+ * Implementation of peer_cfg_t.create_auth_cfg_enumerator
*/
-static auth_info_t* get_auth(private_peer_cfg_t *this)
+static enumerator_t* create_auth_cfg_enumerator(private_peer_cfg_t *this,
+ bool local)
{
- return this->auth;
+ if (local)
+ {
+ return this->local_auth->create_enumerator(this->local_auth);
+ }
+ return this->remote_auth->create_enumerator(this->remote_auth);
}
#ifdef ME
@@ -433,6 +460,60 @@ static identification_t* get_peer_id(private_peer_cfg_t *this)
#endif /* ME */
/**
+ * check auth configs for equality
+ */
+static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other)
+{
+ enumerator_t *e1, *e2;
+ auth_cfg_t *cfg1, *cfg2;
+ bool equal = TRUE;
+
+ if (this->local_auth->get_count(this->local_auth) !=
+ other->local_auth->get_count(other->local_auth))
+ {
+ return FALSE;
+ }
+ if (this->remote_auth->get_count(this->remote_auth) !=
+ other->remote_auth->get_count(other->remote_auth))
+ {
+ return FALSE;
+ }
+
+ e1 = this->local_auth->create_enumerator(this->local_auth);
+ e2 = other->local_auth->create_enumerator(other->local_auth);
+ while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
+ {
+ if (!cfg1->equals(cfg1, cfg2))
+ {
+ equal = FALSE;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ e2->destroy(e2);
+
+ if (!equal)
+ {
+ return FALSE;
+ }
+
+ e1 = this->remote_auth->create_enumerator(this->remote_auth);
+ e2 = other->remote_auth->create_enumerator(other->remote_auth);
+ while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2))
+ {
+ if (!cfg1->equals(cfg1, cfg2))
+ {
+ equal = FALSE;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ e2->destroy(e2);
+
+ return equal;
+}
+
+/**
* Implementation of peer_cfg_t.equals.
*/
static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
@@ -448,8 +529,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
return (
this->ike_version == other->ike_version &&
- this->my_id->equals(this->my_id, other->my_id) &&
- this->other_id->equals(this->other_id, other->other_id) &&
this->cert_policy == other->cert_policy &&
this->unique == other->unique &&
this->keyingtries == other->keyingtries &&
@@ -464,7 +543,7 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other)
this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) &&
(this->pool == other->pool ||
(this->pool && other->pool && streq(this->pool, other->pool))) &&
- this->auth->equals(this->auth, other->auth)
+ auth_cfg_equal(this, other)
#ifdef ME
&& this->mediation == other->mediation &&
this->mediated_by == other->mediated_by &&
@@ -492,11 +571,13 @@ static void destroy(private_peer_cfg_t *this)
if (ref_put(&this->refcount))
{
this->ike_cfg->destroy(this->ike_cfg);
- this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy));
- this->my_id->destroy(this->my_id);
- this->other_id->destroy(this->other_id);
+ this->child_cfgs->destroy_offset(this->child_cfgs,
+ offsetof(child_cfg_t, destroy));
DESTROY_IF(this->virtual_ip);
- this->auth->destroy(this->auth);
+ this->local_auth->destroy_offset(this->local_auth,
+ offsetof(auth_cfg_t, destroy));
+ this->remote_auth->destroy_offset(this->remote_auth,
+ offsetof(auth_cfg_t, destroy));
#ifdef ME
DESTROY_IF(this->mediated_by);
DESTROY_IF(this->peer_id);
@@ -512,7 +593,6 @@ static void destroy(private_peer_cfg_t *this)
* Described in header-file
*/
peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
- identification_t *my_id, identification_t *other_id,
cert_policy_t cert_policy, unique_policy_t unique,
u_int32_t keyingtries, u_int32_t rekey_time,
u_int32_t reauth_time, u_int32_t jitter_time,
@@ -531,8 +611,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg;
this->public.create_child_cfg_enumerator = (enumerator_t* (*) (peer_cfg_t *))create_child_cfg_enumerator;
this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg;
- this->public.get_my_id = (identification_t* (*)(peer_cfg_t*))get_my_id;
- this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id;
this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy;
this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy;
this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries;
@@ -543,7 +621,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->public.get_dpd = (u_int32_t (*) (peer_cfg_t *))get_dpd;
this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip;
this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool;
- this->public.get_auth = (auth_info_t*(*)(peer_cfg_t*))get_auth;
+ this->public.add_auth_cfg = (void(*)(peer_cfg_t*, auth_cfg_t *cfg, bool local))add_auth_cfg;
+ this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(peer_cfg_t*, bool local))create_auth_cfg_enumerator;
this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals;
this->public.get_ref = (peer_cfg_t*(*)(peer_cfg_t *))get_ref;
this->public.destroy = (void(*)(peer_cfg_t *))destroy;
@@ -559,8 +638,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->ike_cfg = ike_cfg;
this->child_cfgs = linked_list_create();
this->mutex = mutex_create(MUTEX_DEFAULT);
- this->my_id = my_id;
- this->other_id = other_id;
this->cert_policy = cert_policy;
this->unique = unique;
this->keyingtries = keyingtries;
@@ -580,7 +657,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->dpd = dpd;
this->virtual_ip = virtual_ip;
this->pool = pool ? strdup(pool) : NULL;
- this->auth = auth_info_create();
+ this->local_auth = linked_list_create();
+ this->remote_auth = linked_list_create();
this->refcount = 1;
#ifdef ME
this->mediation = mediation;
diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h
index 93bc7d495..3c095eff0 100644
--- a/src/charon/config/peer_cfg.h
+++ b/src/charon/config/peer_cfg.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2007-2008 Tobias Brunner
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: peer_cfg.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -38,7 +36,7 @@ typedef struct peer_cfg_t peer_cfg_t;
#include <config/child_cfg.h>
#include <sa/authenticators/authenticator.h>
#include <sa/authenticators/eap/eap_method.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
/**
* Certificate sending policy. This is also used for certificate
@@ -87,27 +85,33 @@ extern enum_name_t *unique_policy_names;
* exactly one ike_cfg_t, which is use for initiation. Additionally, it contains
* multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
* @verbatim
-
- +-------------------+ +---------------+
- +---------------+ | peer_cfg | +---------------+ |
- | ike_cfg | +-------------------+ | child_cfg | |
- +---------------+ | - ids | +---------------+ |
- | - hosts | 1 1 | - cas | 1 n | - proposals | |
- | - proposals |<------| - auth info |-------->| - traffic sel | |
- | - ... | | - dpd config | | - ... |-+
- +---------------+ | - ... | +---------------+
- +-------------------+
- ^
- |
- +-------------------+
- | auth_info |
- +-------------------+
- | auth_items |
- +-------------------+
+ +-------------------+ +---------------+
+ +---------------+ | peer_cfg | +---------------+ |
+ | ike_cfg | +-------------------+ | child_cfg | |
+ +---------------+ | - ids | +---------------+ |
+ | - hosts | 1 1 | - cas | 1 n | - proposals | |
+ | - proposals |<-----| - auth info |----->| - traffic sel | |
+ | - ... | | - dpd config | | - ... |-+
+ +---------------+ | - ... | +---------------+
+ +-------------------+
+ | 1 0 |
+ | |
+ v n n V
+ +-------------------+ +-------------------+
+ +-------------------+ | +-------------------+ |
+ | auth_cfg | | | auth_cfg | |
+ +-------------------+ | +-------------------+ |
+ | - local rules |-+ | - remote constr. |-+
+ +-------------------+ +-------------------+
@endverbatim
- * The auth_info_t object associated to the peer_cfg holds additional
- * authorization constraints. A peer who wants to use a config needs to fullfil
- * the requirements defined in auth_info.
+ *
+ * Each peer_cfg has two lists of authentication config attached. Local
+ * authentication configs define how to authenticate ourself against the remote
+ * peer. Each config is enforced using the multiple authentication extension
+ * (RFC4739).
+ * The remote authentication configs are handled as constraints. The peer has
+ * to fullfill each of these rules (using multiple authentication, in any order)
+ * to gain access to the configuration.
*/
struct peer_cfg_t {
@@ -169,25 +173,20 @@ struct peer_cfg_t {
host_t *other_host);
/**
- * Get the authentication constraint items.
+ * Add an authentication config to the peer configuration.
*
- * @return auth_info object to manipulate requirements
- */
- auth_info_t* (*get_auth)(peer_cfg_t *this);
-
- /**
- * Get own ID.
- *
- * @return own id
+ * @param config config to add
+ * @param local TRUE for local rules, FALSE for remote constraints
*/
- identification_t* (*get_my_id)(peer_cfg_t *this);
+ void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
/**
- * Get peers ID.
- *
- * @return other id
+ * Create an enumerator over registered authentication configs.
+ *
+ * @param local TRUE for local rules, FALSE for remote constraints
+ * @return enumerator over auth_cfg_t*
*/
- identification_t* (*get_other_id)(peer_cfg_t *this);
+ enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
/**
* Should be sent a certificate for this connection?
@@ -331,8 +330,6 @@ struct peer_cfg_t {
* @param name name of the peer_cfg
* @param ike_version which IKE version we sould use for this peer
* @param ike_cfg IKE config to use when acting as initiator
- * @param my_id identification_t for ourselves
- * @param other_id identification_t for the remote guy
* @param cert_policy should we send a certificate payload?
* @param unique uniqueness of an IKE_SA
* @param keyingtries how many keying tries should be done before giving up
@@ -350,7 +347,6 @@ struct peer_cfg_t {
* @return peer_cfg_t object
*/
peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
- identification_t *my_id, identification_t *other_id,
cert_policy_t cert_policy, unique_policy_t unique,
u_int32_t keyingtries, u_int32_t rekey_time,
u_int32_t reauth_time, u_int32_t jitter_time,
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index 92ef34b75..e2dfcca4f 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: proposal.c 4936 2009-03-12 18:07:32Z tobias $
*/
#include <string.h>
@@ -24,10 +22,11 @@
#include <utils/linked_list.h>
#include <utils/identification.h>
#include <utils/lexparser.h>
+#include <crypto/transform.h>
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
-
+#include <crypto/proposal/proposal_keywords.h>
ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
"PROTO_NONE",
@@ -36,16 +35,6 @@ ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP,
"ESP",
);
-ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, UNDEFINED_TRANSFORM_TYPE,
- "UNDEFINED_TRANSFORM_TYPE");
-ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, UNDEFINED_TRANSFORM_TYPE,
- "ENCRYPTION_ALGORITHM",
- "PSEUDO_RANDOM_FUNCTION",
- "INTEGRITY_ALGORITHM",
- "DIFFIE_HELLMAN_GROUP",
- "EXTENDED_SEQUENCE_NUMBERS");
-ENUM_END(transform_type_names, EXTENDED_SEQUENCE_NUMBERS);
-
ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS,
"NO_EXT_SEQ",
"EXT_SEQ",
@@ -585,227 +574,57 @@ static void check_proposal(private_proposal_t *this)
/**
* add a algorithm identified by a string to the proposal.
- * TODO: we could use gperf here.
*/
static status_t add_string_algo(private_proposal_t *this, chunk_t alg)
{
- if (strncmp(alg.ptr, "null", alg.len) == 0)
- {
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_NULL, 0);
- }
- else if (strncmp(alg.ptr, "aes128", alg.len) == 0)
- {
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128);
- }
- else if (strncmp(alg.ptr, "aes192", alg.len) == 0)
- {
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192);
- }
- else if (strncmp(alg.ptr, "aes256", alg.len) == 0)
+ const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len);
+
+ if (token == NULL)
{
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256);
+ return FAILED;
}
- else if (strstr(alg.ptr, "ccm"))
- {
- u_int16_t key_size, icv_size;
- if (sscanf(alg.ptr, "aes%huccm%hu", &key_size, &icv_size) == 2)
- {
- if (key_size == 128 || key_size == 192 || key_size == 256)
- {
- switch (icv_size)
- {
- case 8: /* octets */
- case 64: /* bits */
- add_algorithm(this, ENCRYPTION_ALGORITHM,
- ENCR_AES_CCM_ICV8, key_size);
- break;
- case 12: /* octets */
- case 96: /* bits */
- add_algorithm(this, ENCRYPTION_ALGORITHM,
- ENCR_AES_CCM_ICV12, key_size);
- break;
- case 16: /* octets */
- case 128: /* bits */
- add_algorithm(this, ENCRYPTION_ALGORITHM,
- ENCR_AES_CCM_ICV16, key_size);
- break;
- default:
- /* invalid ICV size */
- break;
- }
- }
- }
- }
- else if (strstr(alg.ptr, "gcm"))
- {
- u_int16_t key_size, icv_size;
+ add_algorithm(this, token->type, token->algorithm, token->keysize);
- if (sscanf(alg.ptr, "aes%hugcm%hu", &key_size, &icv_size) == 2)
- {
- if (key_size == 128 || key_size == 192 || key_size == 256)
- {
- switch (icv_size)
- {
- case 8: /* octets */
- case 64: /* bits */
- add_algorithm(this, ENCRYPTION_ALGORITHM,
- ENCR_AES_GCM_ICV8, key_size);
- break;
- case 12: /* octets */
- case 96: /* bits */
- add_algorithm(this, ENCRYPTION_ALGORITHM,
- ENCR_AES_GCM_ICV12, key_size);
- break;
- case 16: /* octets */
- case 128: /* bits */
- add_algorithm(this, ENCRYPTION_ALGORITHM,
- ENCR_AES_GCM_ICV16, key_size);
- break;
- default:
- /* invalid ICV size */
- break;
- }
- }
- }
- }
- else if (strncmp(alg.ptr, "3des", alg.len) == 0)
+ if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM)
{
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0);
- }
- /* blowfish only uses some predefined key sizes yet */
- else if (strncmp(alg.ptr, "blowfish128", alg.len) == 0)
- {
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128);
- }
- else if (strncmp(alg.ptr, "blowfish192", alg.len) == 0)
- {
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192);
- }
- else if (strncmp(alg.ptr, "blowfish256", alg.len) == 0)
- {
- add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256);
- }
- else if (strncmp(alg.ptr, "sha", alg.len) == 0 ||
- strncmp(alg.ptr, "sha1", alg.len) == 0)
- {
- /* sha means we use SHA for both, PRF and AUTH */
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0);
- if (this->protocol == PROTO_IKE)
- {
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0);
- }
- }
- else if (strncmp(alg.ptr, "sha256", alg.len) == 0 ||
- strncmp(alg.ptr, "sha2_256", alg.len) == 0)
- {
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0);
- if (this->protocol == PROTO_IKE)
- {
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0);
- }
- }
- else if (strncmp(alg.ptr, "sha384", alg.len) == 0 ||
- strncmp(alg.ptr, "sha2_384", alg.len) == 0)
- {
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0);
- if (this->protocol == PROTO_IKE)
- {
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0);
- }
- }
- else if (strncmp(alg.ptr, "sha512", alg.len) == 0 ||
- strncmp(alg.ptr, "sha2_512", alg.len) == 0)
- {
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0);
- if (this->protocol == PROTO_IKE)
- {
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0);
- }
- }
- else if (strncmp(alg.ptr, "md5", alg.len) == 0)
- {
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0);
- if (this->protocol == PROTO_IKE)
+ pseudo_random_function_t prf;
+
+ switch (token->algorithm)
{
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0);
+ case AUTH_HMAC_SHA1_96:
+ prf = PRF_HMAC_SHA1;
+ break;
+ case AUTH_HMAC_SHA2_256_128:
+ prf = PRF_HMAC_SHA2_256;
+ break;
+ case AUTH_HMAC_SHA2_384_192:
+ prf = PRF_HMAC_SHA2_384;
+ break;
+ case AUTH_HMAC_SHA2_512_256:
+ prf = PRF_HMAC_SHA2_512;
+ break;
+ case AUTH_HMAC_MD5_96:
+ prf = PRF_HMAC_MD5;
+ break;
+ case AUTH_AES_XCBC_96:
+ prf = PRF_AES128_XCBC;
+ break;
+ default:
+ prf = PRF_UNDEFINED;
}
- }
- else if (strncmp(alg.ptr, "aesxcbc", alg.len) == 0)
- {
- add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0);
- if (this->protocol == PROTO_IKE)
+ if (prf != PRF_UNDEFINED)
{
- add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0);
+ add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0);
}
}
- else if (strncmp(alg.ptr, "modpnull", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0);
- }
- else if (strncmp(alg.ptr, "modp768", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0);
- }
- else if (strncmp(alg.ptr, "modp1024", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0);
- }
- else if (strncmp(alg.ptr, "modp1536", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0);
- }
- else if (strncmp(alg.ptr, "modp2048", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0);
- }
- else if (strncmp(alg.ptr, "modp3072", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0);
- }
- else if (strncmp(alg.ptr, "modp4096", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0);
- }
- else if (strncmp(alg.ptr, "modp6144", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0);
- }
- else if (strncmp(alg.ptr, "modp8192", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0);
- }
- else if (strncmp(alg.ptr, "ecp192", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0);
- }
- else if (strncmp(alg.ptr, "ecp224", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0);
- }
- else if (strncmp(alg.ptr, "ecp256", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0);
- }
- else if (strncmp(alg.ptr, "ecp384", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0);
- }
- else if (strncmp(alg.ptr, "ecp521", alg.len) == 0)
- {
- add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0);
- }
- else
- {
- return FAILED;
- }
return SUCCESS;
}
/**
* print all algorithms of a kind to buffer
*/
-static int print_alg(private_proposal_t *this, char **dst, int *len,
+static int print_alg(private_proposal_t *this, char **dst, size_t *len,
u_int kind, void *names, bool *first)
{
enumerator_t *enumerator;
@@ -826,7 +645,7 @@ static int print_alg(private_proposal_t *this, char **dst, int *len,
}
if (size)
{
- written += print_in_hook(*dst, *len, "-%d", size);
+ written += print_in_hook(*dst, *len, "_%u", size);
}
}
enumerator->destroy(enumerator);
diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h
index 6096158e6..bc7a8c5e7 100644
--- a/src/charon/config/proposal.h
+++ b/src/charon/config/proposal.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: proposal.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -24,7 +22,6 @@
#define PROPOSAL_H_
typedef enum protocol_id_t protocol_id_t;
-typedef enum transform_type_t transform_type_t;
typedef enum extended_sequence_numbers_t extended_sequence_numbers_t;
typedef struct proposal_t proposal_t;
@@ -32,6 +29,7 @@ typedef struct proposal_t proposal_t;
#include <utils/identification.h>
#include <utils/linked_list.h>
#include <utils/host.h>
+#include <crypto/transform.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
#include <crypto/diffie_hellman.h>
@@ -52,25 +50,6 @@ enum protocol_id_t {
*/
extern enum_name_t *protocol_id_names;
-
-/**
- * Type of a transform, as in IKEv2 RFC 3.3.2.
- */
-enum transform_type_t {
- UNDEFINED_TRANSFORM_TYPE = 241,
- ENCRYPTION_ALGORITHM = 1,
- PSEUDO_RANDOM_FUNCTION = 2,
- INTEGRITY_ALGORITHM = 3,
- DIFFIE_HELLMAN_GROUP = 4,
- EXTENDED_SEQUENCE_NUMBERS = 5
-};
-
-/**
- * enum names for transform_type_t.
- */
-extern enum_name_t *transform_type_names;
-
-
/**
* Extended sequence numbers, as in IKEv2 RFC 3.3.2.
*/
diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c
index b3bab900d..a8ea10008 100644
--- a/src/charon/config/traffic_selector.c
+++ b/src/charon/config/traffic_selector.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: traffic_selector.c 4936 2009-03-12 18:07:32Z tobias $
*/
#include <arpa/inet.h>
diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h
index 2721f8993..a57da43a8 100644
--- a/src/charon/config/traffic_selector.h
+++ b/src/charon/config/traffic_selector.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: traffic_selector.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/control/controller.c b/src/charon/control/controller.c
index 989167a53..021cb4fdd 100644
--- a/src/charon/control/controller.c
+++ b/src/charon/control/controller.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: controller.c 4704 2008-11-26 14:32:55Z martin $
*/
#include "controller.h"
@@ -172,15 +170,12 @@ static bool listener_child_state(interface_listener_t *this, ike_sa_t *ike_sa,
{
switch (state)
{
- case CHILD_ROUTED:
case CHILD_INSTALLED:
this->status = SUCCESS;
return FALSE;
case CHILD_DESTROYING:
switch (child_sa->get_state(child_sa))
{
- case CHILD_ROUTED:
- /* has been unrouted */
case CHILD_DELETING:
/* proper delete */
this->status = SUCCESS;
@@ -235,7 +230,7 @@ static status_t initiate_execute(interface_job_t *job)
}
peer_cfg->destroy(peer_cfg);
- if (ike_sa->initiate(ike_sa, listener->child_cfg) == SUCCESS)
+ if (ike_sa->initiate(ike_sa, listener->child_cfg, 0, NULL, NULL) == SUCCESS)
{
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
return SUCCESS;
@@ -426,125 +421,6 @@ static status_t terminate_child(controller_t *this, u_int32_t reqid,
}
/**
- * execute function for route
- */
-static status_t route_execute(interface_job_t *job)
-{
- interface_listener_t *listener = &job->listener;
- ike_sa_t *ike_sa = listener->ike_sa;
-
- charon->bus->set_sa(charon->bus, ike_sa);
- if (ike_sa->route(ike_sa, listener->child_cfg) != DESTROY_ME)
- {
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return SUCCESS;
- }
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
- return FAILED;
-}
-
-/**
- * Implementation of controller_t.route.
- */
-static status_t route(controller_t *this,
- peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
- controller_cb_t callback, void *param)
-{
- ike_sa_t *ike_sa;
- interface_job_t job = {
- .listener = {
- .public = {
- .log = (void*)listener_log,
- .ike_state_change = (void*)listener_ike_state,
- .child_state_change = (void*)listener_child_state,
- },
- .callback = callback,
- .param = param,
- .status = FAILED,
- .peer_cfg = peer_cfg,
- .child_cfg = child_cfg,
- },
- .public = {
- .execute = (void*)route_execute,
- .destroy = (void*)recheckin,
- },
- };
-
- ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
- peer_cfg);
- if (ike_sa->get_peer_cfg(ike_sa) == NULL)
- {
- ike_sa->set_peer_cfg(ike_sa, peer_cfg);
- }
- job.listener.ike_sa = ike_sa;
- if (callback == NULL)
- {
- return route_execute(&job);
- }
- charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
- return job.listener.status;
-}
-
-/**
- * execute function for unroute
- */
-static status_t unroute_execute(interface_job_t *job)
-{
- interface_listener_t *listener = &job->listener;
- ike_sa_t *ike_sa = listener->ike_sa;
-
- if (ike_sa->unroute(ike_sa, listener->id) != DESTROY_ME)
- {
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return SUCCESS;
- }
- charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
- return SUCCESS;
-}
-
-/**
- * Implementation of controller_t.unroute.
- */
-static status_t unroute(controller_t *this, u_int32_t reqid,
- controller_cb_t callback, void *param)
-{
- ike_sa_t *ike_sa;
- interface_job_t job = {
- .listener = {
- .public = {
- .log = (void*)listener_log,
- .ike_state_change = (void*)listener_ike_state,
- .child_state_change = (void*)listener_child_state,
- },
- .callback = callback,
- .param = param,
- .status = FAILED,
- .id = reqid,
- },
- .public = {
- .execute = (void*)unroute_execute,
- .destroy = (void*)recheckin,
- },
- };
-
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- reqid, TRUE);
- if (ike_sa == NULL)
- {
- DBG1(DBG_IKE, "unable to unroute, CHILD_SA with ID %d not found", reqid);
- return NOT_FOUND;
- }
- job.listener.ike_sa = ike_sa;
-
- if (callback == NULL)
- {
- return unroute_execute(&job);
- }
- charon->bus->listen(charon->bus, &job.listener.public, (job_t*)&job);
- return job.listener.status;
-}
-
-/**
* See header
*/
bool controller_cb_empty(void *param, debug_t group, level_t level,
@@ -572,8 +448,6 @@ controller_t *controller_create(void)
this->public.initiate = (status_t(*)(controller_t*,peer_cfg_t*,child_cfg_t*,controller_cb_t,void*))initiate;
this->public.terminate_ike = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void*))terminate_ike;
this->public.terminate_child = (status_t(*)(controller_t*,u_int32_t,controller_cb_t, void *param))terminate_child;
- this->public.route = (status_t(*)(controller_t*,peer_cfg_t*, child_cfg_t*,controller_cb_t,void*))route;
- this->public.unroute = (status_t(*)(controller_t*,u_int32_t,controller_cb_t,void*))unroute;
this->public.destroy = (void (*)(controller_t*))destroy;
return &this->public;
diff --git a/src/charon/control/controller.h b/src/charon/control/controller.h
index b2eaf480b..3c928d2ea 100644
--- a/src/charon/control/controller.h
+++ b/src/charon/control/controller.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: controller.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -126,38 +124,6 @@ struct controller_t {
controller_cb_t callback, void *param);
/**
- * Route a CHILD_SA (install triggering policies).
- *
- * @param peer_cfg peer_cfg to use for IKE_SA setup, if triggered
- * @param child_cfg child_cfg to route
- * @param cb logging callback
- * @param param parameter to include in each call of cb
- * @return
- * - SUCCESS, if CHILD_SA routed
- * - FAILED, if routing failed
- * - NEED_MORE, if callback returned FALSE
- */
- status_t (*route)(controller_t *this,
- peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
- controller_cb_t callback, void *param);
-
- /**
- * Unroute a routed CHILD_SA (uninstall triggering policies).
- *
- * Only the route is removed, not the CHILD_SAs the route triggered.
- *
- * @param reqid reqid of the CHILD_SA to unroute
- * @param cb logging callback
- * @param param parameter to include in each call of cb
- * @return
- * - SUCCESS, if CHILD_SA terminated
- * - NOT_FOUND, if no such CHILD_SA routed
- * - NEED_MORE, if callback returned FALSE
- */
- status_t (*unroute)(controller_t *this, u_int32_t reqid,
- controller_cb_t callback, void *param);
-
- /**
* Destroy a controller_t instance.
*/
void (*destroy) (controller_t *this);
diff --git a/src/charon/credentials/auth_info.c b/src/charon/credentials/auth_info.c
deleted file mode 100644
index ed725b889..000000000
--- a/src/charon/credentials/auth_info.c
+++ /dev/null
@@ -1,607 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- *
- * $Id: auth_info.c 4774 2008-12-09 14:34:15Z martin $
- */
-
-
-#include "auth_info.h"
-
-#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/identification.h>
-#include <credentials/certificates/certificate.h>
-
-ENUM(auth_item_names, AUTHN_CA_CERT, AUTHZ_AC_GROUP,
- "AUTHN_AUTH_CLASS",
- "AUTHN_EAP_TYPE",
- "AUTHN_EAP_VENDOR",
- "AUTHN_EAP_IDENTITY",
- "AUTHN_CA_CERT",
- "AUTHN_CA_CERT_KEYID",
- "AUTHN_CA_CERT_NAME",
- "AUTHN_IM_CERT",
- "AUTHN_SUBJECT_CERT",
- "AUTHN_IM_HASH_URL",
- "AUTHN_SUBJECT_HASH_URL",
- "AUTHZ_PUBKEY",
- "AUTHZ_PSK",
- "AUTHZ_EAP",
- "AUTHZ_CA_CERT",
- "AUTHZ_CA_CERT_NAME",
- "AUTHZ_IM_CERT",
- "AUTHZ_SUBJECT_CERT",
- "AUTHZ_CRL_VALIDATION",
- "AUTHZ_OCSP_VALIDATION",
- "AUTHZ_AC_GROUP",
-);
-
-typedef struct private_auth_info_t private_auth_info_t;
-
-/**
- * private data of item_set
- */
-struct private_auth_info_t {
-
- /**
- * public functions
- */
- auth_info_t public;
-
- /**
- * list of item_t's
- */
- linked_list_t *items;
-};
-
-typedef struct item_t item_t;
-
-struct item_t {
- /** type of this item */
- auth_item_t type;
- /** associated privlege value, if any */
- void *value;
-};
-
-/**
- * enumerator for auth_info_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
- /** implements enumerator_t */
- enumerator_t public;
- /** inner enumerator from linked_list_t */
- enumerator_t *inner;
- /** the current item */
- item_t *item;
-} item_enumerator_t;
-
-/**
- * enumerate function for item_enumerator_t
- */
-static bool enumerate(item_enumerator_t *this, auth_item_t *type, void **value)
-{
- if (this->inner->enumerate(this->inner, &this->item))
- {
- *type = this->item->type;
- *value = this->item->value;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * destroy function for item_enumerator_t
- */
-static void item_enumerator_destroy(item_enumerator_t *this)
-{
- this->inner->destroy(this->inner);
- free(this);
-}
-
-/**
- * Implementation of auth_info_t.create_item_enumerator.
- */
-static enumerator_t* create_item_enumerator(private_auth_info_t *this)
-{
- item_enumerator_t *enumerator;
-
- enumerator = malloc_thing(item_enumerator_t);
- enumerator->item = NULL;
- enumerator->inner = this->items->create_enumerator(this->items);
- enumerator->public.enumerate = (void*)enumerate;
- enumerator->public.destroy = (void*)item_enumerator_destroy;
- return &enumerator->public;
-}
-
-static void destroy_item_value(item_t *item);
-
-/**
- * Implementation of auth_info_t.replace_item.
- */
-static void replace_item(item_enumerator_t *enumerator, auth_item_t type, void *value)
-{
- destroy_item_value(enumerator->item);
- enumerator->item->type = type;
- enumerator->item->value = value;
-}
-
-/**
- * Implementation of auth_info_t.get_item.
- */
-static bool get_item(private_auth_info_t *this, auth_item_t type, void** value)
-{
- enumerator_t *enumerator;
- void *current_value;
- auth_item_t current_type;
- bool found = FALSE;
-
- enumerator = create_item_enumerator(this);
- while (enumerator->enumerate(enumerator, &current_type, &current_value))
- {
- if (type == current_type)
- {
- *value = current_value;
- found = TRUE;
- break;
- }
- }
- enumerator->destroy(enumerator);
- return found;
-}
-
-/**
- * Implementation of auth_info_t.add_item.
- */
-static void add_item(private_auth_info_t *this, auth_item_t type, void *value)
-{
- item_t *item = malloc_thing(item_t);
-
- item->type = type;
- switch (type)
- {
- case AUTHZ_PUBKEY:
- {
- public_key_t *key = (public_key_t*)value;
-
- item->value = key->get_ref(key);
- break;
- }
- case AUTHZ_PSK:
- {
- shared_key_t *key = (shared_key_t*)value;
-
- item->value = key->get_ref(key);
- break;
- }
- case AUTHN_IM_HASH_URL:
- case AUTHN_SUBJECT_HASH_URL:
- {
- item->value = strdup(value);
- break;
- }
- case AUTHN_CA_CERT:
- case AUTHN_IM_CERT:
- case AUTHN_SUBJECT_CERT:
- case AUTHZ_CA_CERT:
- case AUTHZ_IM_CERT:
- case AUTHZ_SUBJECT_CERT:
- {
- certificate_t *cert = (certificate_t*)value;
-
- item->value = cert->get_ref(cert);
- break;
- }
- case AUTHZ_CRL_VALIDATION:
- case AUTHZ_OCSP_VALIDATION:
- {
- cert_validation_t *validation = malloc_thing(cert_validation_t);
-
- *validation = *(cert_validation_t*)value;
- item->value = validation;
- break;
- }
- case AUTHN_AUTH_CLASS:
- case AUTHN_EAP_TYPE:
- case AUTHN_EAP_VENDOR:
- case AUTHZ_EAP:
- {
- u_int *intval = malloc_thing(u_int);
-
- *intval = *(u_int*)value;
- item->value = intval;
- break;
- }
- case AUTHN_EAP_IDENTITY:
- case AUTHN_CA_CERT_KEYID:
- case AUTHN_CA_CERT_NAME:
- case AUTHZ_CA_CERT_NAME:
- case AUTHZ_AC_GROUP:
- {
- identification_t *id = (identification_t*)value;
-
- item->value = id->clone(id);
- break;
- }
- }
- this->items->insert_last(this->items, item);
-}
-
-
-/**
- * Implementation of auth_info_t.complies.
- */
-static bool complies(private_auth_info_t *this, auth_info_t *constraints)
-{
- enumerator_t *enumerator;
- bool success = TRUE;
- auth_item_t t1, t2;
- void *value;
-
- enumerator = constraints->create_item_enumerator(constraints);
- while (enumerator->enumerate(enumerator, &t1, &value))
- {
- switch (t1)
- {
- case AUTHN_AUTH_CLASS:
- case AUTHN_EAP_TYPE:
- case AUTHN_EAP_VENDOR:
- case AUTHN_EAP_IDENTITY:
- case AUTHN_CA_CERT_KEYID:
- case AUTHN_CA_CERT:
- case AUTHN_CA_CERT_NAME:
- case AUTHN_IM_CERT:
- case AUTHN_SUBJECT_CERT:
- case AUTHN_IM_HASH_URL:
- case AUTHN_SUBJECT_HASH_URL:
- { /* skip non-authorization tokens */
- continue;
- }
- case AUTHZ_CRL_VALIDATION:
- case AUTHZ_OCSP_VALIDATION:
- {
- cert_validation_t *valid;
-
- /* OCSP validation is also sufficient for CRL constraint, but
- * not vice-versa */
- if (!get_item(this, t1, (void**)&valid) &&
- t1 == AUTHZ_CRL_VALIDATION &&
- !get_item(this, AUTHZ_OCSP_VALIDATION, (void**)&valid))
- {
- DBG1(DBG_CFG, "constraint check failed: %N requires at "
- "least %N, but no check done", auth_item_names, t1,
- cert_validation_names, *(cert_validation_t*)value);
- success = FALSE;
- break;
- }
- switch (*(cert_validation_t*)value)
- {
- case VALIDATION_SKIPPED:
- if (*valid == VALIDATION_SKIPPED)
- {
- break;
- } /* FALL */
- case VALIDATION_GOOD:
- if (*valid == VALIDATION_GOOD)
- {
- break;
- } /* FALL */
- default:
- DBG1(DBG_CFG, "constraint check failed: %N is %N, but "
- "requires at least %N", auth_item_names, t1,
- cert_validation_names, *valid,
- cert_validation_names, *(cert_validation_t*)value);
- success = FALSE;
- break;
- }
- break;
- }
- case AUTHZ_CA_CERT:
- {
- enumerator_t *enumerator;
- certificate_t *c1, *c2;
-
- c1 = (certificate_t*)value;
-
- success = FALSE;
- enumerator = create_item_enumerator(this);
- while (enumerator->enumerate(enumerator, &t2, &c2))
- {
- if ((t2 == AUTHZ_CA_CERT || t2 == AUTHZ_IM_CERT) &&
- c1->equals(c1, c2))
- {
- success = TRUE;
- }
- }
- enumerator->destroy(enumerator);
- if (!success)
- {
- DBG1(DBG_CFG, "constraint check failed: peer not "
- "authenticated by CA '%D'.", c1->get_subject(c1));
- }
- break;
- }
- case AUTHZ_CA_CERT_NAME:
- {
- enumerator_t *enumerator;
- certificate_t *cert;
- identification_t *id;
-
- id = (identification_t*)value;
- success = FALSE;
- enumerator = create_item_enumerator(this);
- while (enumerator->enumerate(enumerator, &t2, &cert))
- {
- if ((t2 == AUTHZ_CA_CERT || t2 == AUTHZ_IM_CERT) &&
- cert->has_subject(cert, id))
- {
- success = TRUE;
- }
- }
- enumerator->destroy(enumerator);
- if (!success)
- {
- DBG1(DBG_CFG, "constraint check failed: peer not "
- "authenticated by CA '%D'.", id);
- }
- break;
- }
- case AUTHZ_PUBKEY:
- case AUTHZ_PSK:
- case AUTHZ_IM_CERT:
- case AUTHZ_SUBJECT_CERT:
- case AUTHZ_EAP:
- case AUTHZ_AC_GROUP:
- {
- DBG1(DBG_CFG, "constraint check %N not implemented!",
- auth_item_names, t1);
- success = FALSE;
- break;
- }
- }
- if (!success)
- {
- break;
- }
- }
- enumerator->destroy(enumerator);
- return success;
-}
-
-/**
- * Implementation of auth_info_t.merge.
- */
-static void merge(private_auth_info_t *this, private_auth_info_t *other)
-{
- item_t *item;
-
- while (other->items->remove_first(other->items, (void**)&item) == SUCCESS)
- {
- this->items->insert_last(this->items, item);
- }
-}
-
-/**
- * Implementation of auth_info_t.equals.
- */
-static bool equals(private_auth_info_t *this, private_auth_info_t *other)
-{
- enumerator_t *e1, *e2;
- item_t *i1, *i2;
- bool equal = TRUE, found;
-
- e1 = this->items->create_enumerator(this->items);
- while (e1->enumerate(e1, &i1))
- {
- found = FALSE;
- e2 = other->items->create_enumerator(other->items);
- while (e2->enumerate(e2, &i2))
- {
- if (i1->type == i2->type)
- {
- switch (i1->type)
- {
- case AUTHZ_CRL_VALIDATION:
- case AUTHZ_OCSP_VALIDATION:
- {
- cert_validation_t c1, c2;
-
- c1 = *(cert_validation_t*)i1->value;
- c2 = *(cert_validation_t*)i2->value;
-
- if (c1 == c2)
- {
- found = TRUE;
- break;
- }
- continue;
- }
- case AUTHN_IM_HASH_URL:
- case AUTHN_SUBJECT_HASH_URL:
- {
- if (streq(i1->value, i2->value))
- {
- found = TRUE;
- break;
- }
- continue;
- }
- case AUTHN_CA_CERT:
- case AUTHN_IM_CERT:
- case AUTHN_SUBJECT_CERT:
- case AUTHZ_CA_CERT:
- case AUTHZ_IM_CERT:
- case AUTHZ_SUBJECT_CERT:
- {
- certificate_t *c1, *c2;
-
- c1 = (certificate_t*)i1->value;
- c2 = (certificate_t*)i2->value;
-
- if (c1->equals(c1, c2))
- {
- found = TRUE;
- break;
- }
- continue;
- }
- case AUTHN_EAP_IDENTITY:
- case AUTHN_CA_CERT_KEYID:
- case AUTHN_CA_CERT_NAME:
- case AUTHZ_CA_CERT_NAME:
- {
- identification_t *c1, *c2;
-
- c1 = (identification_t*)i1->value;
- c2 = (identification_t*)i2->value;
-
- if (c1->equals(c1, c2))
- {
- found = TRUE;
- break;
- }
- continue;
- }
- case AUTHN_AUTH_CLASS:
- case AUTHN_EAP_TYPE:
- case AUTHN_EAP_VENDOR:
- {
- if (*(u_int*)i1->value == *(u_int*)i2->value)
- {
- found = TRUE;
- break;
- }
- }
- case AUTHZ_PUBKEY:
- case AUTHZ_PSK:
- case AUTHZ_EAP:
- case AUTHZ_AC_GROUP:
- /* TODO: implement value comparison */
- break;
- }
- break;
- }
- }
- e2->destroy(e2);
- if (!found)
- {
- equal = FALSE;
- break;
- }
- }
- e1->destroy(e1);
- return equal;
-}
-
-/**
- * Destroy the value associated with an item
- */
-static void destroy_item_value(item_t *item)
-{
- switch (item->type)
- {
- case AUTHZ_PUBKEY:
- {
- public_key_t *key = (public_key_t*)item->value;
- key->destroy(key);
- break;
- }
- case AUTHZ_PSK:
- {
- shared_key_t *key = (shared_key_t*)item->value;
- key->destroy(key);
- break;
- }
- case AUTHN_CA_CERT:
- case AUTHN_IM_CERT:
- case AUTHN_SUBJECT_CERT:
- case AUTHZ_CA_CERT:
- case AUTHZ_IM_CERT:
- case AUTHZ_SUBJECT_CERT:
- {
- certificate_t *cert = (certificate_t*)item->value;
- cert->destroy(cert);
- break;
- }
- case AUTHN_AUTH_CLASS:
- case AUTHN_EAP_TYPE:
- case AUTHN_EAP_VENDOR:
- case AUTHN_IM_HASH_URL:
- case AUTHN_SUBJECT_HASH_URL:
- case AUTHZ_CRL_VALIDATION:
- case AUTHZ_OCSP_VALIDATION:
- case AUTHZ_EAP:
- {
- free(item->value);
- break;
- }
- case AUTHN_EAP_IDENTITY:
- case AUTHN_CA_CERT_KEYID:
- case AUTHN_CA_CERT_NAME:
- case AUTHZ_CA_CERT_NAME:
- case AUTHZ_AC_GROUP:
- {
- identification_t *id = (identification_t*)item->value;
- id->destroy(id);
- break;
- }
- }
-}
-
-/**
- * Implementation of auth_info_t.purge
- */
-static void purge(private_auth_info_t *this)
-{
- item_t *item;
-
- while (this->items->remove_last(this->items, (void**)&item) == SUCCESS)
- {
- destroy_item_value(item);
- free(item);
- }
-}
-
-/**
- * Implementation of auth_info_t.destroy
- */
-static void destroy(private_auth_info_t *this)
-{
- purge(this);
- this->items->destroy(this->items);
- free(this);
-}
-
-/*
- * see header file
- */
-auth_info_t *auth_info_create()
-{
- private_auth_info_t *this = malloc_thing(private_auth_info_t);
-
- this->public.add_item = (void(*)(auth_info_t*, auth_item_t type, void *value))add_item;
- this->public.get_item = (bool(*)(auth_info_t*, auth_item_t type, void **value))get_item;
- this->public.replace_item = (void(*)(enumerator_t*,auth_item_t,void*))replace_item;
- this->public.create_item_enumerator = (enumerator_t*(*)(auth_info_t*))create_item_enumerator;
- this->public.complies = (bool(*)(auth_info_t*, auth_info_t *))complies;
- this->public.merge = (void(*)(auth_info_t*, auth_info_t *other))merge;
- this->public.purge = (void(*)(auth_info_t*))purge;
- this->public.equals = (bool(*)(auth_info_t*, auth_info_t *other))equals;
- this->public.destroy = (void(*)(auth_info_t*))destroy;
-
- this->items = linked_list_create();
-
- return &this->public;
-}
-
diff --git a/src/charon/credentials/auth_info.h b/src/charon/credentials/auth_info.h
deleted file mode 100644
index f480a6e08..000000000
--- a/src/charon/credentials/auth_info.h
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_info auth_info
- * @{ @ingroup ccredentials
- */
-
-#ifndef AUTH_INFO_H_
-#define AUTH_INFO_H_
-
-#include <utils/enumerator.h>
-
-typedef struct auth_info_t auth_info_t;
-typedef enum auth_item_t auth_item_t;
-
-/**
- * Authentication/Authorization process helper item.
- *
- * For the authentication process, further information may be needed. These
- * items are defined as auth_item_t and have a AUTHN prefix.
- * The authentication process returns important data for the authorization
- * process, these items are defined with a AUTHZ prefix.
- * Authentication uses AUTHN items and creates AUTHZ items during authentication,
- * authorization reads AUTHZ values to give out privileges.
- *
- * +---+ +---------------------+
- * | A | | A |
- * | u | | u +-----------+ |
- * | t | | t | Required | |
- * | h | | h | auth_info | |
- * | e | | o +-----------+ |
- * | n | | r | |
- * +-----------+ | t | | i | |
- * | Provided | | i | | z V |
- * | auth_info |--| c |-------------| a ----> match? ----|------->
- * +-----------+ | a | | t |
- * | t | | i |
- * | i | | o |
- * | o | | n |
- * | n | | |
- * +---+ +---------------------+
- */
-enum auth_item_t {
-
- /*
- * items provided to authentication process
- */
-
- /** authentication class to use, value is auth_class_t* */
- AUTHN_AUTH_CLASS,
- /** EAP method to request from peer, value is eap_type_t* */
- AUTHN_EAP_TYPE,
- /** EAP vendor to used in conjunction with EAP method, value is u_int32_t* */
- AUTHN_EAP_VENDOR,
- /** EAP identity to use within EAP-Identity exchange */
- AUTHN_EAP_IDENTITY,
- /** CA certificate to use for authentication, value is certificate_t* */
- AUTHN_CA_CERT,
- /** Keyid of a CA certificate to use, value is identification_t* */
- AUTHN_CA_CERT_KEYID,
- /** subject DN of a CA certificate to use, value is identification_t* */
- AUTHN_CA_CERT_NAME,
- /** intermediate certificate, value is certificate_t* */
- AUTHN_IM_CERT,
- /** certificate for trustchain verification, value is certificate_t* */
- AUTHN_SUBJECT_CERT,
- /** intermediate certificate supplied as hash and url */
- AUTHN_IM_HASH_URL,
- /** end-entity certificate supplied as hash and url */
- AUTHN_SUBJECT_HASH_URL,
-
- /*
- * item provided to authorization process
- */
-
- /** subject has been authenticated by public key, value is public_key_t* */
- AUTHZ_PUBKEY,
- /** subject has ben authenticated using preshared secrets, value is shared_key_t* */
- AUTHZ_PSK,
- /** subject has been authenticated using EAP, value is eap_type_t* */
- AUTHZ_EAP,
- /** certificate authority, value is certificate_t* */
- AUTHZ_CA_CERT,
- /** subject DN of a certificate authority, value is identification_t* */
- AUTHZ_CA_CERT_NAME,
- /** intermediate certificate in trustchain, value is certificate_t* */
- AUTHZ_IM_CERT,
- /** subject certificate, value is certificate_t* */
- AUTHZ_SUBJECT_CERT,
- /** result of a CRL validation, value is cert_validation_t */
- AUTHZ_CRL_VALIDATION,
- /** result of a OCSP validation, value is cert_validation_t */
- AUTHZ_OCSP_VALIDATION,
- /** subject is in attribute certificate group, value is identification_t* */
- AUTHZ_AC_GROUP,
-};
-
-
-/**
- * enum name for auth_item_t.
- */
-extern enum_name_t *auth_item_names;
-
-/**
- * The auth_info class contains auth_item_t's used for AA.
- *
- * A auth_info allows the separation of authentication and authorization.
- */
-struct auth_info_t {
-
- /**
- * Add an item to the set.
- *
- * @param type auth_info type
- * @param value associated value to auth_info type, if any
- */
- void (*add_item)(auth_info_t *this, auth_item_t type, void *value);
-
- /**
- * Get an item.
- *
- * @param type auth_info type to get
- * @param value pointer to a pointer receiving item
- * @return bool if item has been found
- */
- bool (*get_item)(auth_info_t *this, auth_item_t type, void **value);
-
- /**
- * Replace an item.
- *
- * @param type new auth_info type
- * @param value pointer to the new value
- */
- void (*replace_item)(enumerator_t *this, auth_item_t type, void *value);
-
- /**
- * Create an enumerator over all items.
- *
- * @return enumerator over (auth_item_t type, void *value)
- */
- enumerator_t* (*create_item_enumerator)(auth_info_t *this);
-
- /**
- * Check if this fulfills a set of required constraints.
- *
- * @param constraints required authorization infos
- * @return TRUE if this complies with constraints
- */
- bool (*complies)(auth_info_t *this, auth_info_t *constraints);
-
- /**
- * Merge items from other into this.
- *
- * Items do not get cloned, but moved from other to this.
- *
- * @param other items to read for merge
- */
- void (*merge)(auth_info_t *this, auth_info_t *other);
-
- /**
- * Purge all items in auth_info.
- */
- void (*purge)(auth_info_t *this);
-
- /**
- * Check two auth_infos for equality.
- *
- * @param other other item to compaire against this
- * @return TRUE if auth infos identical
- */
- bool (*equals)(auth_info_t *this, auth_info_t *other);
-
- /**
- * Destroy a auth_info instance with all associated values.
- */
- void (*destroy)(auth_info_t *this);
-};
-
-/**
- * Create a auth_info instance.
- */
-auth_info_t *auth_info_create();
-
-#endif /** AUTH_INFO_H_ @}*/
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 2841086b2..776dbe599 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: credential_manager.c 4936 2009-03-12 18:07:32Z tobias $
*/
#include <pthread.h>
@@ -23,7 +21,7 @@
#include <utils/mutex.h>
#include <utils/linked_list.h>
#include <credentials/sets/cert_cache.h>
-#include <credentials/sets/auth_info_wrapper.h>
+#include <credentials/sets/auth_cfg_wrapper.h>
#include <credentials/sets/ocsp_response_wrapper.h>
#include <credentials/certificates/x509.h>
#include <credentials/certificates/crl.h>
@@ -530,7 +528,7 @@ static bool verify_ocsp(private_credential_manager_t *this,
{
if (this->cache->issued_by(this->cache, subject, issuer))
{
- DBG1(DBG_CFG, " ocsp response correctly signed by \"%D\"",
+ DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"",
issuer->get_subject(issuer));
verified = TRUE;
break;
@@ -625,7 +623,7 @@ static certificate_t *get_better_ocsp(private_credential_manager_t *this,
*/
static cert_validation_t check_ocsp(private_credential_manager_t *this,
x509_t *subject, x509_t *issuer,
- auth_info_t *auth)
+ auth_cfg_t *auth)
{
enumerator_t *enumerator;
cert_validation_t valid = VALIDATION_SKIPPED;
@@ -706,7 +704,11 @@ static cert_validation_t check_ocsp(private_credential_manager_t *this,
}
if (auth)
{
- auth->add_item(auth, AUTHZ_OCSP_VALIDATION, &valid);
+ auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid);
+ if (valid == VALIDATION_GOOD)
+ { /* successful OCSP check fulfills also CRL constraint */
+ auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+ }
}
DESTROY_IF(best);
return valid;
@@ -728,6 +730,7 @@ static certificate_t* fetch_crl(private_credential_manager_t *this, char *url)
}
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
+ chunk_free(&chunk);
if (!crl)
{
DBG1(DBG_CFG, "crl fetched successfully but parsing failed");
@@ -751,7 +754,7 @@ static bool verify_crl(private_credential_manager_t *this, certificate_t *crl)
{
if (this->cache->issued_by(this->cache, crl, issuer))
{
- DBG1(DBG_CFG, " crl correctly signed by \"%D\"",
+ DBG1(DBG_CFG, " crl correctly signed by \"%Y\"",
issuer->get_subject(issuer));
verified = TRUE;
break;
@@ -833,7 +836,7 @@ static certificate_t *get_better_crl(private_credential_manager_t *this,
*/
static cert_validation_t check_crl(private_credential_manager_t *this,
x509_t *subject, x509_t *issuer,
- auth_info_t *auth)
+ auth_cfg_t *auth)
{
cert_validation_t valid = VALIDATION_SKIPPED;
identification_t *keyid = NULL;
@@ -841,7 +844,7 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
certificate_t *current;
public_key_t *public;
enumerator_t *enumerator;
- char *uri;
+ char *uri = NULL;
/* derive the authorityKeyIdentifier from the issuer's public key */
current = &issuer->interface;
@@ -920,7 +923,16 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
}
if (auth)
{
- auth->add_item(auth, AUTHZ_CRL_VALIDATION, &valid);
+ if (valid == VALIDATION_SKIPPED)
+ { /* if we skipped CRL validation, we use the result of OCSP for
+ * constraint checking */
+ auth->add(auth, AUTH_RULE_CRL_VALIDATION,
+ auth->get(auth, AUTH_RULE_OCSP_VALIDATION));
+ }
+ else
+ {
+ auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid);
+ }
}
DESTROY_IF(best);
return valid;
@@ -931,7 +943,7 @@ static cert_validation_t check_crl(private_credential_manager_t *this,
*/
static bool check_certificate(private_credential_manager_t *this,
certificate_t *subject, certificate_t *issuer,
- bool crl, bool ocsp, auth_info_t *auth)
+ bool crl, bool ocsp, auth_cfg_t *auth)
{
time_t not_before, not_after;
@@ -952,7 +964,7 @@ static bool check_certificate(private_credential_manager_t *this,
{
if (ocsp || crl)
{
- DBG1(DBG_CFG, "checking certificate status of \"%D\"",
+ DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
}
if (ocsp)
@@ -963,7 +975,7 @@ static bool check_certificate(private_credential_manager_t *this,
DBG1(DBG_CFG, "certificate status is good");
return TRUE;
case VALIDATION_REVOKED:
- /* has already been logged */
+ /* has already been logged */
return FALSE;
case VALIDATION_SKIPPED:
DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
@@ -983,8 +995,8 @@ static bool check_certificate(private_credential_manager_t *this,
case VALIDATION_GOOD:
DBG1(DBG_CFG, "certificate status is good");
return TRUE;
- case VALIDATION_REVOKED:
- /* has already been logged */
+ case VALIDATION_REVOKED:
+ /* has already been logged */
return FALSE;
case VALIDATION_FAILED:
case VALIDATION_SKIPPED:
@@ -1050,14 +1062,14 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this,
* try to verify the trust chain of subject, return TRUE if trusted
*/
static bool verify_trust_chain(private_credential_manager_t *this,
- certificate_t *subject, auth_info_t *result,
+ certificate_t *subject, auth_cfg_t *result,
bool trusted, bool crl, bool ocsp)
{
certificate_t *current, *issuer;
- auth_info_t *auth;
+ auth_cfg_t *auth;
u_int level = 0;
- auth = auth_info_create();
+ auth = auth_cfg_create();
current = subject->get_ref(subject);
while (level++ < MAX_CA_LEVELS)
{
@@ -1067,16 +1079,16 @@ static bool verify_trust_chain(private_credential_manager_t *this,
/* accept only self-signed CAs as trust anchor */
if (this->cache->issued_by(this->cache, issuer, issuer))
{
- auth->add_item(auth, AUTHZ_CA_CERT, issuer);
- DBG1(DBG_CFG, " using trusted ca certificate \"%D\"",
+ auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+ DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
issuer->get_subject(issuer));
trusted = TRUE;
}
else
{
- auth->add_item(auth, AUTHZ_IM_CERT, issuer);
+ auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
DBG1(DBG_CFG, " using trusted intermediate ca certificate "
- "\"%D\"", issuer->get_subject(issuer));
+ "\"%Y\"", issuer->get_subject(issuer));
}
}
else
@@ -1086,18 +1098,18 @@ static bool verify_trust_chain(private_credential_manager_t *this,
{
if (current->equals(current, issuer))
{
- DBG1(DBG_CFG, " self-signed certificate \"%D\" is not trusted",
+ DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted",
current->get_subject(current));
issuer->destroy(issuer);
break;
}
- auth->add_item(auth, AUTHZ_IM_CERT, issuer);
+ auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
DBG1(DBG_CFG, " using untrusted intermediate certificate "
- "\"%D\"", issuer->get_subject(issuer));
+ "\"%Y\"", issuer->get_subject(issuer));
}
else
{
- DBG1(DBG_CFG, "no issuer certificate found for \"%D\"",
+ DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
current->get_subject(current));
break;
}
@@ -1123,7 +1135,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
}
if (trusted)
{
- result->merge(result, auth);
+ result->merge(result, auth, FALSE);
}
auth->destroy(auth);
return trusted;
@@ -1149,20 +1161,20 @@ typedef struct {
bool ocsp;
/** pretrusted certificate we have served at first invocation */
certificate_t *pretrusted;
- /** currently enumerating auth info */
- auth_info_t *auth;
+ /** currently enumerating auth config */
+ auth_cfg_t *auth;
} trusted_enumerator_t;
/**
* Implements trusted_enumerator_t.enumerate
*/
static bool trusted_enumerate(trusted_enumerator_t *this,
- certificate_t **cert, auth_info_t **auth)
+ certificate_t **cert, auth_cfg_t **auth)
{
certificate_t *current;
DESTROY_IF(this->auth);
- this->auth = auth_info_create();
+ this->auth = auth_cfg_create();
if (!this->candidates)
{
@@ -1181,8 +1193,9 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
verify_trust_chain(this->this, this->pretrusted, this->auth,
TRUE, this->crl, this->ocsp))
{
- this->auth->add_item(this->auth, AUTHZ_CA_CERT, this->pretrusted);
- DBG1(DBG_CFG, " using trusted certificate \"%D\"",
+ this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+ this->pretrusted->get_ref(this->pretrusted));
+ DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
this->pretrusted->get_subject(this->pretrusted));
*cert = this->pretrusted;
if (auth)
@@ -1202,7 +1215,7 @@ static bool trusted_enumerate(trusted_enumerator_t *this,
continue;
}
- DBG1(DBG_CFG, " using certificate \"%D\"",
+ DBG1(DBG_CFG, " using certificate \"%Y\"",
current->get_subject(current));
if (verify_trust_chain(this->this, current, this->auth, FALSE,
this->crl, this->ocsp))
@@ -1264,15 +1277,15 @@ typedef struct {
private_credential_manager_t *this;
/** currently enumerating key */
public_key_t *current;
- /** credset wrapper around auth */
- auth_info_wrapper_t *wrapper;
+ /** credset wrapper around auth config */
+ auth_cfg_wrapper_t *wrapper;
} public_enumerator_t;
/**
* Implements public_enumerator_t.enumerate
*/
static bool public_enumerate(public_enumerator_t *this,
- public_key_t **key, auth_info_t **auth)
+ public_key_t **key, auth_cfg_t **auth)
{
certificate_t *cert;
@@ -1312,7 +1325,7 @@ static void public_destroy(public_enumerator_t *this)
* Implementation of credential_manager_t.create_public_enumerator.
*/
static enumerator_t* create_public_enumerator(private_credential_manager_t *this,
- key_type_t type, identification_t *id, auth_info_t *auth)
+ key_type_t type, identification_t *id, auth_cfg_t *auth)
{
public_enumerator_t *enumerator = malloc_thing(public_enumerator_t);
@@ -1324,7 +1337,7 @@ static enumerator_t* create_public_enumerator(private_credential_manager_t *this
enumerator->wrapper = NULL;
if (auth)
{
- enumerator->wrapper = auth_info_wrapper_create(auth);
+ enumerator->wrapper = auth_cfg_wrapper_create(auth);
add_local_set(this, &enumerator->wrapper->set);
}
this->lock->read_lock(this->lock);
@@ -1334,40 +1347,22 @@ static enumerator_t* create_public_enumerator(private_credential_manager_t *this
/**
* Check if a certificate's keyid is contained in the auth helper
*/
-static bool auth_contains_cacert(auth_info_t *auth, certificate_t *cert)
+static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
{
enumerator_t *enumerator;
identification_t *value;
- auth_item_t type;
+ auth_rule_t type;
bool found = FALSE;
- enumerator = auth->create_item_enumerator(auth);
+ enumerator = auth->create_enumerator(auth);
while (enumerator->enumerate(enumerator, &type, &value))
{
- if (type == AUTHN_CA_CERT && cert->equals(cert, (certificate_t*)value))
+ if (type == AUTH_RULE_CA_CERT &&
+ cert->equals(cert, (certificate_t*)value))
{
found = TRUE;
break;
}
- if (type == AUTHN_CA_CERT_KEYID)
- {
- public_key_t *public;
- identification_t *certid, *keyid;
-
- public = cert->get_public_key(cert);
- if (public)
- {
- keyid = (identification_t*)value;
- certid = public->get_id(public, keyid->get_type(keyid));
- if (certid && certid->equals(certid, keyid))
- {
- public->destroy(public);
- found = TRUE;
- break;
- }
- public->destroy(public);
- }
- }
}
enumerator->destroy(enumerator);
return found;
@@ -1376,19 +1371,21 @@ static bool auth_contains_cacert(auth_info_t *auth, certificate_t *cert)
/**
* build a trustchain from subject up to a trust anchor in trusted
*/
-static auth_info_t *build_trustchain(private_credential_manager_t *this,
- certificate_t *subject, auth_info_t *auth)
+static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
+ certificate_t *subject, auth_cfg_t *auth)
{
certificate_t *issuer, *current;
- auth_info_t *trustchain;
+ auth_cfg_t *trustchain;
u_int level = 0;
- trustchain = auth_info_create();
+ trustchain = auth_cfg_create();
- if (!auth->get_item(auth, AUTHN_CA_CERT, (void**)&current))
+ current = auth->get(auth, AUTH_RULE_CA_CERT);
+ if (!current)
{
/* no trust anchor specified, return this cert only */
- trustchain->add_item(trustchain, AUTHZ_SUBJECT_CERT, subject);
+ trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
+ subject->get_ref(subject));
return trustchain;
}
current = subject->get_ref(subject);
@@ -1396,26 +1393,23 @@ static auth_info_t *build_trustchain(private_credential_manager_t *this,
{
if (auth_contains_cacert(auth, current))
{
- trustchain->add_item(trustchain, AUTHZ_CA_CERT, current);
- current->destroy(current);
+ trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
return trustchain;
}
if (subject == current)
{
- trustchain->add_item(trustchain, AUTHZ_SUBJECT_CERT, current);
+ trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current);
}
else
{
- trustchain->add_item(trustchain, AUTHZ_IM_CERT, current);
+ trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
}
issuer = get_issuer_cert(this, current, FALSE);
if (!issuer || issuer->equals(issuer, current) || level > MAX_CA_LEVELS)
{
DESTROY_IF(issuer);
- current->destroy(current);
break;
}
- current->destroy(current);
current = issuer;
level++;
}
@@ -1451,12 +1445,12 @@ static private_key_t *get_private_by_cert(private_credential_manager_t *this,
*/
static private_key_t *get_private(private_credential_manager_t *this,
key_type_t type, identification_t *id,
- auth_info_t *auth)
+ auth_cfg_t *auth)
{
enumerator_t *enumerator;
certificate_t *cert;
private_key_t *private = NULL;
- auth_info_t *trustchain;
+ auth_cfg_t *trustchain;
/* check if this is a lookup by key ID, and do it if so */
if (id)
@@ -1471,8 +1465,25 @@ static private_key_t *get_private(private_credential_manager_t *this,
break;
}
}
-
- /* try to build a trustchain for each certificate found */
+
+ /* if a specific certificate is preferred, check for a matching key */
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (cert)
+ {
+ private = get_private_by_cert(this, cert, type);
+ if (private)
+ {
+ trustchain = build_trustchain(this, cert, auth);
+ if (trustchain)
+ {
+ auth->merge(auth, trustchain, FALSE);
+ trustchain->destroy(trustchain);
+ }
+ return private;
+ }
+ }
+
+ /* try to build a trust chain for each certificate found */
enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
while (enumerator->enumerate(enumerator, &cert))
{
@@ -1482,7 +1493,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
trustchain = build_trustchain(this, cert, auth);
if (trustchain)
{
- auth->merge(auth, trustchain);
+ auth->merge(auth, trustchain, FALSE);
trustchain->destroy(trustchain);
break;
}
@@ -1491,6 +1502,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
}
}
enumerator->destroy(enumerator);
+
/* if no valid trustchain was found, fall back to the first usable cert */
if (!private)
{
@@ -1500,7 +1512,7 @@ static private_key_t *get_private(private_credential_manager_t *this,
private = get_private_by_cert(this, cert, type);
if (private)
{
- auth->add_item(auth, AUTHZ_SUBJECT_CERT, cert);
+ auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
break;
}
}
@@ -1566,8 +1578,8 @@ credential_manager_t *credential_manager_create()
this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator;
this->public.get_cert = (certificate_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *, bool))get_cert;
this->public.get_shared = (shared_key_t *(*)(credential_manager_t *this,shared_key_type_t type,identification_t *me, identification_t *other))get_shared;
- this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_info_t*))get_private;
- this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_info_t *aut))create_public_enumerator;
+ this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_cfg_t*))get_private;
+ this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_cfg_t *aut))create_public_enumerator;
this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache;
this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert;
this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set;
diff --git a/src/charon/credentials/credential_manager.h b/src/charon/credentials/credential_manager.h
index ff2dc3645..0af54c0b1 100644
--- a/src/charon/credentials/credential_manager.h
+++ b/src/charon/credentials/credential_manager.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2008 Martin Willi
+ * Copyright (C) 2007-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: credential_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -25,7 +23,7 @@
#include <utils/identification.h>
#include <utils/enumerator.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
#include <credentials/credential_set.h>
#include <credentials/keys/private_key.h>
#include <credentials/keys/shared_key.h>
@@ -122,7 +120,6 @@ struct credential_manager_t {
* @param type kind of requested shared key
* @param me own identity
* @param other peers identity
- * @param auth auth_info helper
* @return shared_key_t, NULL if none found
*/
shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
@@ -138,11 +135,11 @@ struct credential_manager_t {
*
* @param type type of the key to get
* @param id identification the key belongs to
- * @param auth auth_info helper, including trusted CA certificates
+ * @param auth auth config, including trusted CA certificates
* @return private_key_t, NULL if none found
*/
private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
- identification_t *id, auth_info_t *auth);
+ identification_t *id, auth_cfg_t *auth);
/**
* Create an enumerator over trusted public keys.
@@ -150,9 +147,8 @@ struct credential_manager_t {
* This method gets a an enumerator over trusted public keys to verify a
* signature created by id. The auth parameter contains additional
* authentication infos, e.g. peer and intermediate certificates.
- * The resulting enumerator enumerates over public_key_t *, auth_info_t *,
- * where the auth info contains gained privileges for the authorization
- * process.
+ * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
+ * where the auth config helper contains rules for constraint checks.
*
* @param type type of the key to get
* @param id owner of the key, signer of the signature
@@ -160,7 +156,7 @@ struct credential_manager_t {
* @return enumerator
*/
enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
- key_type_t type, identification_t *id, auth_info_t *auth);
+ key_type_t type, identification_t *id, auth_cfg_t *auth);
/**
* Cache a certificate by invoking cache_cert() on all registerd sets.
diff --git a/src/charon/credentials/credential_set.h b/src/charon/credentials/credential_set.h
index 14b2a8ebd..e9ad99bfd 100644
--- a/src/charon/credentials/credential_set.h
+++ b/src/charon/credentials/credential_set.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: credential_set.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/credentials/sets/auth_info_wrapper.c b/src/charon/credentials/sets/auth_cfg_wrapper.c
index 7ec75be15..b2cf5d960 100644
--- a/src/charon/credentials/sets/auth_info_wrapper.c
+++ b/src/charon/credentials/sets/auth_cfg_wrapper.c
@@ -1,6 +1,6 @@
/*
+ * Copyright (C) 2008-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,42 +12,40 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include <daemon.h>
-#include "auth_info_wrapper.h"
+#include "auth_cfg_wrapper.h"
-typedef struct private_auth_info_wrapper_t private_auth_info_wrapper_t;
+typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t;
/**
- * private data of auth_info_wrapper
+ * private data of auth_cfg_wrapper
*/
-struct private_auth_info_wrapper_t {
+struct private_auth_cfg_wrapper_t {
/**
* public functions
*/
- auth_info_wrapper_t public;
+ auth_cfg_wrapper_t public;
/**
* wrapped auth info
*/
- auth_info_t *auth;
+ auth_cfg_t *auth;
};
/**
- * enumerator for auth_info_wrapper_t.create_cert_enumerator()
+ * enumerator for auth_cfg_wrapper_t.create_cert_enumerator()
*/
typedef struct {
/** implements enumerator_t */
enumerator_t public;
- /** inner enumerator from auth_info */
+ /** inner enumerator from auth_cfg */
enumerator_t *inner;
- /** wrapped auth info */
- auth_info_t *auth;
+ /** wrapped auth round */
+ auth_cfg_t *auth;
/** enumerated cert type */
certificate_type_t cert;
/** enumerated key type */
@@ -57,10 +55,11 @@ typedef struct {
} wrapper_enumerator_t;
/**
- * Tries to fetch a certificate that was supplied as "Hash and URL" (replaces the
- * item's type and value in place).
+ * Tries to fetch a certificate that was supplied as "Hash and URL"
+ * (replaces rule type and value in place).
*/
-static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void **value)
+static bool fetch_cert(wrapper_enumerator_t *enumerator,
+ auth_rule_t *rule, void **value)
{
char *url = (char*)*value;
if (!url)
@@ -77,29 +76,38 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
{
DBG1(DBG_CFG, " fetching certificate failed");
/* we set the item to NULL, so we can skip it */
- enumerator->auth->replace_item(enumerator->inner, *type, NULL);
+ enumerator->auth->replace(enumerator->auth, enumerator->inner,
+ *rule, NULL);
return FALSE;
}
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, data, BUILD_END);
+ BUILD_BLOB_ASN1_DER, data, BUILD_END);
free(data.ptr);
if (!cert)
{
DBG1(DBG_CFG, " parsing fetched certificate failed");
/* we set the item to NULL, so we can skip it */
- enumerator->auth->replace_item(enumerator->inner, *type, NULL);
+ enumerator->auth->replace(enumerator->auth, enumerator->inner,
+ *rule, NULL);
return FALSE;
}
- DBG1(DBG_CFG, " fetched certificate \"%D\"", cert->get_subject(cert));
+ DBG1(DBG_CFG, " fetched certificate \"%Y\"", cert->get_subject(cert));
charon->credentials->cache_cert(charon->credentials, cert);
- *type = (*type == AUTHN_IM_HASH_URL) ? AUTHN_IM_CERT : AUTHN_SUBJECT_CERT;
+ if (*rule == AUTH_HELPER_IM_HASH_URL)
+ {
+ *rule = AUTH_HELPER_IM_CERT;
+ }
+ else
+ {
+ *rule = AUTH_HELPER_SUBJECT_CERT;
+ }
*value = cert;
- enumerator->auth->replace_item(enumerator->inner, *type, cert);
-
+ enumerator->auth->replace(enumerator->auth, enumerator->inner,
+ *rule, cert->get_ref(cert));
return TRUE;
}
@@ -108,26 +116,25 @@ static bool fetch_cert(wrapper_enumerator_t *enumerator, auth_item_t *type, void
*/
static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
{
- auth_item_t type;
+ auth_rule_t rule;
certificate_t *current;
public_key_t *public;
- while (this->inner->enumerate(this->inner, &type, &current))
+ while (this->inner->enumerate(this->inner, &rule, &current))
{
- if (type == AUTHN_IM_HASH_URL ||
- type == AUTHN_SUBJECT_HASH_URL)
- {
- if (!fetch_cert(this, &type, (void**)&current))
+ if (rule == AUTH_HELPER_IM_HASH_URL ||
+ rule == AUTH_HELPER_SUBJECT_HASH_URL)
+ { /* on-demand fetching of hash and url certificates */
+ if (!fetch_cert(this, &rule, (void**)&current))
{
continue;
}
}
- else if (type != AUTHN_SUBJECT_CERT &&
- type != AUTHN_IM_CERT)
- {
+ else if (rule != AUTH_HELPER_SUBJECT_CERT &&
+ rule != AUTH_HELPER_IM_CERT)
+ { /* handle only HELPER certificates */
continue;
}
-
if (this->cert != CERT_ANY && this->cert != current->get_type(current))
{ /* CERT type requested, but does not match */
continue;
@@ -164,9 +171,9 @@ static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
}
/**
- * implementation of auth_info_wrapper_t.set.create_cert_enumerator
+ * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
*/
-static enumerator_t *create_enumerator(private_auth_info_wrapper_t *this,
+static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
certificate_type_t cert, key_type_t key,
identification_t *id, bool trusted)
{
@@ -181,16 +188,16 @@ static enumerator_t *create_enumerator(private_auth_info_wrapper_t *this,
enumerator->cert = cert;
enumerator->key = key;
enumerator->id = id;
- enumerator->inner = this->auth->create_item_enumerator(this->auth);
+ enumerator->inner = this->auth->create_enumerator(this->auth);
enumerator->public.enumerate = (void*)enumerate;
enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
return &enumerator->public;
}
/**
- * Implementation of auth_info_wrapper_t.destroy
+ * Implementation of auth_cfg_wrapper_t.destroy
*/
-static void destroy(private_auth_info_wrapper_t *this)
+static void destroy(private_auth_cfg_wrapper_t *this)
{
free(this);
}
@@ -198,16 +205,16 @@ static void destroy(private_auth_info_wrapper_t *this)
/*
* see header file
*/
-auth_info_wrapper_t *auth_info_wrapper_create(auth_info_t *auth)
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
{
- private_auth_info_wrapper_t *this = malloc_thing(private_auth_info_wrapper_t);
+ private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
this->public.set.create_private_enumerator = (void*)return_null;
this->public.set.create_cert_enumerator = (void*)create_enumerator;
this->public.set.create_shared_enumerator = (void*)return_null;
this->public.set.create_cdp_enumerator = (void*)return_null;
this->public.set.cache_cert = (void*)nop;
- this->public.destroy = (void(*)(auth_info_wrapper_t*))destroy;
+ this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
this->auth = auth;
diff --git a/src/charon/credentials/sets/auth_info_wrapper.h b/src/charon/credentials/sets/auth_cfg_wrapper.h
index 9186715f0..dd5e0fff6 100644
--- a/src/charon/credentials/sets/auth_info_wrapper.h
+++ b/src/charon/credentials/sets/auth_cfg_wrapper.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,27 +11,25 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
- * @defgroup auth_info_wrapper auth_info_wrapper
+ * @defgroup auth_cfg_wrapper auth_cfg_wrapper
* @{ @ingroup sets
*/
-#ifndef AUTH_INFO_WRAPPER_H_
-#define AUTH_INFO_WRAPPER_H_
+#ifndef AUTH_CFG_WRAPPER_H_
+#define AUTH_CFG_WRAPPER_H_
+#include <config/auth_cfg.h>
#include <credentials/credential_set.h>
-#include <credentials/auth_info.h>
-typedef struct auth_info_wrapper_t auth_info_wrapper_t;
+typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t;
/**
- * A wrapper around auth_info_t to handle it like a credential set.
+ * A wrapper around auth_cfg_t to handle it as a credential set.
*/
-struct auth_info_wrapper_t {
+struct auth_cfg_wrapper_t {
/**
* implements credential_set_t
@@ -39,17 +37,17 @@ struct auth_info_wrapper_t {
credential_set_t set;
/**
- * Destroy a auth_info_wrapper instance.
+ * Destroy a auth_cfg_wrapper instance.
*/
- void (*destroy)(auth_info_wrapper_t *this);
+ void (*destroy)(auth_cfg_wrapper_t *this);
};
/**
- * Create a auth_info_wrapper instance.
+ * Create a auth_cfg_wrapper instance.
*
* @param auth the wrapped auth info
* @return wrapper around auth
*/
-auth_info_wrapper_t *auth_info_wrapper_create(auth_info_t *auth);
+auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth);
-#endif /** AUTH_INFO_WRAPPER_H_ @}*/
+#endif /** AUTH_CFG_WRAPPER_H_ @}*/
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 83ba8263d..907f5072f 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "cert_cache.h"
diff --git a/src/charon/credentials/sets/cert_cache.h b/src/charon/credentials/sets/cert_cache.h
index 40e38e913..a2cae367c 100644
--- a/src/charon/credentials/sets/cert_cache.h
+++ b/src/charon/credentials/sets/cert_cache.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.c b/src/charon/credentials/sets/ocsp_response_wrapper.c
index c4d3a5b0f..e9faec472 100644
--- a/src/charon/credentials/sets/ocsp_response_wrapper.c
+++ b/src/charon/credentials/sets/ocsp_response_wrapper.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "ocsp_response_wrapper.h"
diff --git a/src/charon/credentials/sets/ocsp_response_wrapper.h b/src/charon/credentials/sets/ocsp_response_wrapper.h
index 068035884..8f141f7a1 100644
--- a/src/charon/credentials/sets/ocsp_response_wrapper.h
+++ b/src/charon/credentials/sets/ocsp_response_wrapper.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index 6dcb39a89..c646ef9b4 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2009 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -17,7 +17,9 @@
*/
#include <stdio.h>
+#ifdef HAVE_PRCTL
#include <sys/prctl.h>
+#endif
#include <signal.h>
#include <pthread.h>
#include <sys/stat.h>
@@ -178,6 +180,7 @@ static void destroy(private_daemon_t *this)
#ifdef CAPABILITIES
cap_free(this->caps);
#endif /* CAPABILITIES */
+ DESTROY_IF(this->public.traps);
DESTROY_IF(this->public.ike_sa_manager);
DESTROY_IF(this->public.kernel_interface);
DESTROY_IF(this->public.scheduler);
@@ -240,8 +243,10 @@ static void kill_daemon(private_daemon_t *this, char *reason)
* drop daemon capabilities
*/
static void drop_capabilities(private_daemon_t *this)
-{
+{
+#ifdef HAVE_PRCTL
prctl(PR_SET_KEEPCAPS, 1);
+#endif
if (setgid(charon->gid) != 0)
{
@@ -314,6 +319,7 @@ static void print_plugins()
int len = 0;
enumerator_t *enumerator;
+ buf[0] = '\0';
enumerator = lib->plugins->create_plugin_enumerator(lib->plugins);
while (len < sizeof(buf) && enumerator->enumerate(enumerator, &plugin))
{
@@ -461,7 +467,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
initialize_loggers(this, !syslog, levels);
- DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION);
+ DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
/* load secrets, ca certificates and crls */
this->public.processor = processor_create();
@@ -474,6 +480,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
this->public.attributes = attribute_manager_create();
this->public.kernel_interface = kernel_interface_create();
this->public.socket = socket_create();
+ this->public.traps = trap_manager_create();
/* load plugins, further infrastructure may need it */
lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
@@ -481,9 +488,6 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
print_plugins();
- /* create the kernel interfaces */
- this->public.kernel_interface->create_interfaces(this->public.kernel_interface);
-
#ifdef INTEGRITY_TEST
DBG1(DBG_DMN, "integrity test of libstrongswan code");
if (fips_verify_hmac_signature(hmac_key, hmac_signature))
@@ -552,6 +556,7 @@ private_daemon_t *daemon_create(void)
/* NULL members for clean destruction */
this->public.socket = NULL;
this->public.ike_sa_manager = NULL;
+ this->public.traps = NULL;
this->public.credentials = NULL;
this->public.backends = NULL;
this->public.attributes = NULL;
@@ -604,6 +609,48 @@ private_daemon_t *daemon_create(void)
}
/**
+ * Check/create PID file, return TRUE if already running
+ */
+static bool check_pidfile()
+{
+ struct stat stb;
+ FILE *file;
+
+ if (stat(PID_FILE, &stb) == 0)
+ {
+ file = fopen(PID_FILE, "r");
+ if (file)
+ {
+ char buf[64];
+ pid_t pid = 0;
+
+ memset(buf, 0, sizeof(buf));
+ if (fread(buf, 1, sizeof(buf), file))
+ {
+ pid = atoi(buf);
+ }
+ fclose(file);
+ if (pid && kill(pid, 0) == 0)
+ { /* such a process is running */
+ return TRUE;
+ }
+ }
+ DBG1(DBG_DMN, "removing pidfile '"PID_FILE"', process not running");
+ unlink(PID_FILE);
+ }
+
+ /* create new pidfile */
+ file = fopen(PID_FILE, "w");
+ if (file)
+ {
+ fprintf(file, "%d\n", getpid());
+ ignore_result(fchown(fileno(file), charon->uid, charon->gid));
+ fclose(file);
+ }
+ return FALSE;
+}
+
+/**
* print command line usage and exit
*/
static void usage(const char *msg)
@@ -631,10 +678,7 @@ static void usage(const char *msg)
int main(int argc, char *argv[])
{
bool use_syslog = FALSE;
-
private_daemon_t *private_charon;
- FILE *pid_file;
- struct stat stb;
level_t levels[DBG_MAX];
int group;
@@ -715,21 +759,13 @@ int main(int argc, char *argv[])
destroy(private_charon);
exit(-1);
}
-
- /* check/setup PID file */
- if (stat(PID_FILE, &stb) == 0)
+
+ if (check_pidfile())
{
DBG1(DBG_DMN, "charon already running (\""PID_FILE"\" exists)");
destroy(private_charon);
exit(-1);
}
- pid_file = fopen(PID_FILE, "w");
- if (pid_file)
- {
- fprintf(pid_file, "%d\n", getpid());
- ignore_result(fchown(fileno(pid_file), charon->uid, charon->gid));
- fclose(pid_file);
- }
/* drop the capabilities we won't need */
drop_capabilities(private_charon);
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index d70a88010..023bae447 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: daemon.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -159,6 +157,7 @@ typedef struct daemon_t daemon_t;
#include <bus/listeners/file_logger.h>
#include <bus/listeners/sys_logger.h>
#include <sa/ike_sa_manager.h>
+#include <sa/trap_manager.h>
#include <config/backend_manager.h>
#include <config/attributes/attribute_manager.h>
#include <credentials/credential_manager.h>
@@ -205,13 +204,18 @@ struct daemon_t {
* A socket_t instance.
*/
socket_t *socket;
-
+
/**
* A ike_sa_manager_t instance.
*/
ike_sa_manager_t *ike_sa_manager;
/**
+ * Manager for triggering policies, called traps
+ */
+ trap_manager_t *traps;
+
+ /**
* Manager for the different configuration backends.
*/
backend_manager_t *backends;
diff --git a/src/charon/encoding/generator.c b/src/charon/encoding/generator.c
index dea4f0e21..406cfc688 100644
--- a/src/charon/encoding/generator.c
+++ b/src/charon/encoding/generator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: generator.c 4702 2008-11-26 10:42:54Z martin $
*/
#include <stdlib.h>
@@ -21,7 +19,6 @@
#include <arpa/inet.h>
#include <stdio.h>
-
#include "generator.h"
#include <library.h>
@@ -61,26 +58,26 @@ struct private_generator_t {
* Buffer used to generate the data into.
*/
u_int8_t *buffer;
-
+
/**
* Current write position in buffer (one byte aligned).
*/
u_int8_t *out_position;
-
+
/**
* Position of last byte in buffer.
*/
u_int8_t *roof_position;
-
+
/**
* Current bit writing to in current byte (between 0 and 7).
*/
- size_t current_bit;
-
+ u_int8_t current_bit;
+
/**
* Associated data struct to read informations from.
*/
- void * data_struct;
+ void *data_struct;
/*
* Last payload length position offset in the buffer.
@@ -115,7 +112,7 @@ struct private_generator_t {
/**
* Get size of current buffer in bytes.
*/
-static size_t get_current_buffer_size(private_generator_t *this)
+static int get_size(private_generator_t *this)
{
return this->roof_position - this->buffer;
}
@@ -123,7 +120,7 @@ static size_t get_current_buffer_size(private_generator_t *this)
/**
* Get free space of current buffer in bytes.
*/
-static size_t get_current_buffer_space(private_generator_t *this)
+static int get_space(private_generator_t *this)
{
return this->roof_position - this->out_position;
}
@@ -131,7 +128,7 @@ static size_t get_current_buffer_space(private_generator_t *this)
/**
* Get length of data in buffer (in bytes).
*/
-static size_t get_current_data_length(private_generator_t *this)
+static int get_length(private_generator_t *this)
{
return this->out_position - this->buffer;
}
@@ -139,7 +136,7 @@ static size_t get_current_data_length(private_generator_t *this)
/**
* Get current offset in buffer (in bytes).
*/
-static u_int32_t get_current_buffer_offset(private_generator_t *this)
+static u_int32_t get_offset(private_generator_t *this)
{
return this->out_position - this->buffer;
}
@@ -147,21 +144,20 @@ static u_int32_t get_current_buffer_offset(private_generator_t *this)
/**
* Makes sure enough space is available in buffer to store amount of bits.
*/
-static void make_space_available (private_generator_t *this, size_t bits)
+static void make_space_available(private_generator_t *this, int bits)
{
- while ((get_current_buffer_space(this) * 8 - this->current_bit) < bits)
+ while ((get_space(this) * 8 - this->current_bit) < bits)
{
- /* must increase buffer */
- size_t old_buffer_size = get_current_buffer_size(this);
- size_t new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
- size_t out_position_offset = ((this->out_position) - (this->buffer));
-
- DBG2(DBG_ENC, "increased gen buffer from %d to %d byte",
+ int old_buffer_size, new_buffer_size, out_position_offset;
+
+ old_buffer_size = get_size(this);
+ new_buffer_size = old_buffer_size + GENERATOR_DATA_BUFFER_INCREASE_VALUE;
+ out_position_offset = this->out_position - this->buffer;
+
+ DBG2(DBG_ENC, "increasing gen buffer from %d to %d byte",
old_buffer_size, new_buffer_size);
- /* Reallocate space for new buffer */
this->buffer = realloc(this->buffer,new_buffer_size);
-
this->out_position = (this->buffer + out_position_offset);
this->roof_position = (this->buffer + new_buffer_size);
}
@@ -170,11 +166,11 @@ static void make_space_available (private_generator_t *this, size_t bits)
/**
* Writes a specific amount of byte into the buffer.
*/
-static void write_bytes_to_buffer(private_generator_t *this, void * bytes,
- size_t number_of_bytes)
+static void write_bytes_to_buffer(private_generator_t *this, void *bytes,
+ int number_of_bytes)
{
int i;
- u_int8_t *read_position = (u_int8_t *) bytes;
+ u_int8_t *read_position = (u_int8_t *)bytes;
make_space_available(this, number_of_bytes * 8);
@@ -189,18 +185,19 @@ static void write_bytes_to_buffer(private_generator_t *this, void * bytes,
/**
* Writes a specific amount of byte into the buffer at a specific offset.
*/
-static void write_bytes_to_buffer_at_offset (private_generator_t *this,
- void *bytes, size_t number_of_bytes, u_int32_t offset)
+static void write_bytes_to_buffer_at_offset(private_generator_t *this,
+ void *bytes, int number_of_bytes, u_int32_t offset)
{
int i;
- u_int8_t *read_position = (u_int8_t *) bytes;
+ u_int8_t *read_position = (u_int8_t *)bytes;
u_int8_t *write_position;
- u_int32_t free_space_after_offset = get_current_buffer_size(this) - offset;
-
+ u_int32_t free_space_after_offset = get_size(this) - offset;
+
/* check first if enough space for new data is available */
if (number_of_bytes > free_space_after_offset)
{
- make_space_available(this, (number_of_bytes - free_space_after_offset) * 8);
+ make_space_available(this,
+ (number_of_bytes - free_space_after_offset) * 8);
}
write_position = this->buffer + offset;
@@ -214,98 +211,83 @@ static void write_bytes_to_buffer_at_offset (private_generator_t *this,
/**
* Generates a U_INT-Field type and writes it to buffer.
- *
- * @param this private_generator_t object
- * @param int_type type of U_INT field (U_INT_4, U_INT_8, etc.)
- * ATTRIBUTE_TYPE is also generated in this function
- * @param offset offset of value in data struct
- * @param generator_contexts generator_contexts_t object where the context is written or read from
*/
static void generate_u_int_type(private_generator_t *this,
encoding_type_t int_type,u_int32_t offset)
{
- size_t number_of_bits = 0;
-
- /* find out number of bits of each U_INT type to check for enough space
- in buffer */
+ int number_of_bits = 0;
+
+ /* find out number of bits of each U_INT type to check for enough space */
switch (int_type)
{
- case U_INT_4:
- number_of_bits = 4;
- break;
- case TS_TYPE:
- case U_INT_8:
- number_of_bits = 8;
- break;
- case U_INT_16:
- case CONFIGURATION_ATTRIBUTE_LENGTH:
- number_of_bits = 16;
- break;
- case U_INT_32:
- number_of_bits = 32;
- break;
- case U_INT_64:
- number_of_bits = 64;
- break;
- case ATTRIBUTE_TYPE:
- number_of_bits = 15;
- break;
- case IKE_SPI:
- number_of_bits = 64;
- break;
-
- default:
+ case U_INT_4:
+ number_of_bits = 4;
+ break;
+ case TS_TYPE:
+ case U_INT_8:
+ number_of_bits = 8;
+ break;
+ case U_INT_16:
+ case CONFIGURATION_ATTRIBUTE_LENGTH:
+ number_of_bits = 16;
+ break;
+ case U_INT_32:
+ number_of_bits = 32;
+ break;
+ case ATTRIBUTE_TYPE:
+ number_of_bits = 15;
+ break;
+ case IKE_SPI:
+ number_of_bits = 64;
+ break;
+ default:
DBG1(DBG_ENC, "U_INT Type %N is not supported",
encoding_type_names, int_type);
-
return;
}
- /* U_INT Types of multiple then 8 bits must be aligned */
- if (((number_of_bits % 8) == 0) && (this->current_bit != 0))
+ if ((number_of_bits % 8) == 0 && this->current_bit != 0)
{
DBG1(DBG_ENC, "U_INT Type %N is not 8 Bit aligned",
encoding_type_names, int_type);
- /* current bit has to be zero for values multiple of 8 bits */
return;
}
- /* make sure enough space is available in buffer */
make_space_available(this, number_of_bits);
- /* now handle each u int type differently */
switch (int_type)
{
case U_INT_4:
{
+ u_int8_t high, low;
+
if (this->current_bit == 0)
{
- /* highval of current byte in buffer has to be set to the new value*/
- u_int8_t high_val = *((u_int8_t *)(this->data_struct + offset)) << 4;
- /* lowval in buffer is not changed */
- u_int8_t low_val = *(this->out_position) & 0x0F;
- /* highval is set, low_val is not changed */
- *(this->out_position) = high_val | low_val;
+ /* high of current byte in buffer has to be set to the new value*/
+ high = *((u_int8_t *)(this->data_struct + offset)) << 4;
+ /* low in buffer is not changed */
+ low = *(this->out_position) & 0x0F;
+ /* high is set, low_val is not changed */
+ *(this->out_position) = high | low;
DBG3(DBG_ENC, " => %d", *(this->out_position));
/* write position is not changed, just bit position is moved */
this->current_bit = 4;
}
else if (this->current_bit == 4)
{
- /* highval in buffer is not changed */
- u_int high_val = *(this->out_position) & 0xF0;
- /* lowval of current byte in buffer has to be set to the new value*/
- u_int low_val = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
- *(this->out_position) = high_val | low_val;
+ /* high in buffer is not changed */
+ high = *(this->out_position) & 0xF0;
+ /* low of current byte in buffer has to be set to the new value*/
+ low = *((u_int8_t *)(this->data_struct + offset)) & 0x0F;
+ *(this->out_position) = high | low;
DBG3(DBG_ENC, " => %d", *(this->out_position));
this->out_position++;
this->current_bit = 0;
-
}
else
{
DBG1(DBG_ENC, "U_INT_4 Type is not 4 Bit aligned");
/* 4 Bit integers must have a 4 bit alignment */
return;
- };
+ }
break;
}
case TS_TYPE:
@@ -316,31 +298,31 @@ static void generate_u_int_type(private_generator_t *this,
DBG3(DBG_ENC, " => %d", *(this->out_position));
this->out_position++;
break;
-
}
case ATTRIBUTE_TYPE:
{
- /* attribute type must not change first bit uf current byte ! */
+ u_int8_t attribute_format_flag;
+ u_int16_t val;
+
+ /* attribute type must not change first bit of current byte */
if (this->current_bit != 1)
{
DBG1(DBG_ENC, "ATTRIBUTE FORMAT flag is not set");
- /* first bit has to be set! */
return;
}
- /* get value of attribute format flag */
- u_int8_t attribute_format_flag = *(this->out_position) & 0x80;
+ attribute_format_flag = *(this->out_position) & 0x80;
/* get attribute type value as 16 bit integer*/
- u_int16_t int16_val = *((u_int16_t*)(this->data_struct + offset));
+ val = *((u_int16_t*)(this->data_struct + offset));
/* unset most significant bit */
- int16_val &= 0x7FFF;
+ val &= 0x7FFF;
if (attribute_format_flag)
{
- int16_val |= 0x8000;
+ val |= 0x8000;
}
- int16_val = htons(int16_val);
- DBG3(DBG_ENC, " => %d", int16_val);
- /* write bytes to buffer (set bit is overwritten)*/
- write_bytes_to_buffer(this, &int16_val, sizeof(u_int16_t));
+ val = htons(val);
+ DBG3(DBG_ENC, " => %d", val);
+ /* write bytes to buffer (set bit is overwritten) */
+ write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
this->current_bit = 0;
break;
@@ -348,37 +330,25 @@ static void generate_u_int_type(private_generator_t *this,
case U_INT_16:
case CONFIGURATION_ATTRIBUTE_LENGTH:
{
- u_int16_t int16_val = htons(*((u_int16_t*)(this->data_struct + offset)));
- DBG3(DBG_ENC, " => %b", (void*)&int16_val, sizeof(int16_val));
- write_bytes_to_buffer(this, &int16_val, sizeof(u_int16_t));
+ u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset)));
+ DBG3(DBG_ENC, " => %b", &val, sizeof(u_int16_t));
+ write_bytes_to_buffer(this, &val, sizeof(u_int16_t));
break;
}
case U_INT_32:
{
- u_int32_t int32_val = htonl(*((u_int32_t*)(this->data_struct + offset)));
- DBG3(DBG_ENC, " => %b", (void*)&int32_val, sizeof(int32_val));
- write_bytes_to_buffer(this, &int32_val, sizeof(u_int32_t));
+ u_int32_t val = htonl(*((u_int32_t*)(this->data_struct + offset)));
+ DBG3(DBG_ENC, " => %b", &val, sizeof(u_int32_t));
+ write_bytes_to_buffer(this, &val, sizeof(u_int32_t));
break;
}
- case U_INT_64:
- {
- /* 64 bit integers are written as two 32 bit integers */
- u_int32_t int32_val_low = htonl(*((u_int32_t*)(this->data_struct + offset)));
- u_int32_t int32_val_high = htonl(*((u_int32_t*)(this->data_struct + offset) + 1));
- DBG3(DBG_ENC, " => %b %b",
- (void*)&int32_val_low, sizeof(int32_val_low),
- (void*)&int32_val_high, sizeof(int32_val_high));
- /* TODO add support for big endian machines */
- write_bytes_to_buffer(this, &int32_val_high, sizeof(u_int32_t));
- write_bytes_to_buffer(this, &int32_val_low, sizeof(u_int32_t));
- break;
- }
-
case IKE_SPI:
{
- /* 64 bit are written as they come :-) */
- write_bytes_to_buffer(this, this->data_struct + offset, sizeof(u_int64_t));
- DBG3(DBG_ENC, " => %b", (void*)(this->data_struct + offset), sizeof(u_int64_t));
+ /* 64 bit are written as-is, no host order conversion */
+ write_bytes_to_buffer(this, this->data_struct + offset,
+ sizeof(u_int64_t));
+ DBG3(DBG_ENC, " => %b", this->data_struct + offset,
+ sizeof(u_int64_t));
break;
}
default:
@@ -396,18 +366,17 @@ static void generate_u_int_type(private_generator_t *this,
static void generate_reserved_field(private_generator_t *this, int bits)
{
/* only one bit or 8 bit fields are supported */
- if ((bits != 1) && (bits != 8))
+ if (bits != 1 && bits != 8)
{
DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits);
return ;
}
- /* make sure enough space is available in buffer */
make_space_available(this, bits);
if (bits == 1)
- {
- /* one bit processing */
+ {
u_int8_t reserved_bit = ~(1 << (7 - this->current_bit));
+
*(this->out_position) = *(this->out_position) & reserved_bit;
if (this->current_bit == 0)
{
@@ -423,7 +392,6 @@ static void generate_reserved_field(private_generator_t *this, int bits)
}
else
{
- /* one byte processing*/
if (this->current_bit > 0)
{
DBG1(DBG_ENC, "reserved field cannot be written cause "
@@ -440,12 +408,9 @@ static void generate_reserved_field(private_generator_t *this, int bits)
*/
static void generate_flag(private_generator_t *this, u_int32_t offset)
{
- /* value of current flag */
u_int8_t flag_value;
- /* position of flag in current byte */
u_int8_t flag;
- /* if the value in the data_struct is TRUE, flag_value is set to 1, 0 otherwise */
flag_value = (*((bool *) (this->data_struct + offset))) ? 1 : 0;
/* get flag position */
flag = (flag_value << (7 - this->current_bit));
@@ -457,12 +422,10 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
/* memory must be zero */
*(this->out_position) = 0x00;
}
-
- *(this->out_position) = *(this->out_position) | flag;
+ *(this->out_position) = *(this->out_position) | flag;
+ DBG3(DBG_ENC, " => %d", *this->out_position);
- DBG3(DBG_ENC, " => %d", *(this->out_position));
-
this->current_bit++;
if (this->current_bit >= 8)
{
@@ -476,42 +439,42 @@ static void generate_flag(private_generator_t *this, u_int32_t offset)
*/
static void generate_from_chunk(private_generator_t *this, u_int32_t offset)
{
+ chunk_t *value;
+
if (this->current_bit != 0)
{
DBG1(DBG_ENC, "can not generate a chunk at Bitpos %d", this->current_bit);
return ;
}
- /* position in buffer */
- chunk_t *attribute_value = (chunk_t *)(this->data_struct + offset);
-
- DBG3(DBG_ENC, " => %B", attribute_value);
+ value = (chunk_t *)(this->data_struct + offset);
+ DBG3(DBG_ENC, " => %B", value);
- /* use write_bytes_to_buffer function to do the job */
- write_bytes_to_buffer(this, attribute_value->ptr, attribute_value->len);
+ write_bytes_to_buffer(this, value->ptr, value->len);
}
/**
* Implementation of private_generator_t.write_to_chunk.
*/
-static void write_to_chunk (private_generator_t *this,chunk_t *data)
+static void write_to_chunk(private_generator_t *this,chunk_t *data)
{
- size_t data_length = get_current_data_length(this);
+ int data_length = get_length(this);
u_int32_t header_length_field = data_length;
/* write length into header length field */
if (this->header_length_position_offset > 0)
{
- u_int32_t int32_val = htonl(header_length_field);
- write_bytes_to_buffer_at_offset(this, &int32_val, sizeof(u_int32_t),
+ u_int32_t val = htonl(header_length_field);
+ write_bytes_to_buffer_at_offset(this, &val, sizeof(u_int32_t),
this->header_length_position_offset);
}
-
+
if (this->current_bit > 0)
- data_length++;
- data->ptr = malloc(data_length);
- memcpy(data->ptr,this->buffer,data_length);
- data->len = data_length;
+ {
+ data_length++;
+ }
+ *data = chunk_alloc(data_length);
+ memcpy(data->ptr, this->buffer, data_length);
DBG3(DBG_ENC, "generated data of this generator %B", data);
}
@@ -521,26 +484,24 @@ static void write_to_chunk (private_generator_t *this,chunk_t *data)
*/
static void generate_payload (private_generator_t *this,payload_t *payload)
{
- int i;
- this->data_struct = payload;
+ int i, offset_start;
size_t rule_count;
encoding_rule_t *rules;
payload_type_t payload_type;
- u_int8_t *payload_start;
- /* get payload type */
+ this->data_struct = payload;
payload_type = payload->get_type(payload);
/* spi size has to get reseted */
this->last_spi_size = 0;
- payload_start = this->out_position;
+ offset_start = this->out_position - this->buffer;
DBG2(DBG_ENC, "generating payload of type %N",
payload_type_names, payload_type);
/* each payload has its own encoding rules */
- payload->get_encoding_rules(payload,&rules,&rule_count);
-
+ payload->get_encoding_rules(payload, &rules, &rule_count);
+
for (i = 0; i < rule_count;i++)
{
DBG2(DBG_ENC, " generating rule %d %N",
@@ -551,13 +512,12 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
case U_INT_8:
case U_INT_16:
case U_INT_32:
- case U_INT_64:
case IKE_SPI:
case TS_TYPE:
case ATTRIBUTE_TYPE:
case CONFIGURATION_ATTRIBUTE_LENGTH:
{
- generate_u_int_type(this, rules[i].type,rules[i].offset);
+ generate_u_int_type(this, rules[i].type, rules[i].offset);
break;
}
case RESERVED_BIT:
@@ -577,35 +537,28 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
}
case PAYLOAD_LENGTH:
{
- /* position of payload lenght field is temporary stored */
- this->last_payload_length_position_offset = get_current_buffer_offset(this);
- /* payload length is generated like an U_INT_16 */
+ this->last_payload_length_position_offset = get_offset(this);
generate_u_int_type(this, U_INT_16,rules[i].offset);
break;
}
case HEADER_LENGTH:
{
- /* position of header length field is temporary stored */
- this->header_length_position_offset = get_current_buffer_offset(this);
- /* header length is generated like an U_INT_32 */
+ this->header_length_position_offset = get_offset(this);
generate_u_int_type(this ,U_INT_32, rules[i].offset);
break;
}
case SPI_SIZE:
- /* spi size is handled as 8 bit unsigned integer */
generate_u_int_type(this, U_INT_8, rules[i].offset);
- /* last spi size is temporary stored */
- this->last_spi_size = *((u_int8_t *)(this->data_struct + rules[i].offset));
+ this->last_spi_size = *((u_int8_t *)(this->data_struct +
+ rules[i].offset));
break;
case ADDRESS:
{
- /* the Address value is generated from chunk */
generate_from_chunk(this, rules[i].offset);
break;
}
case SPI:
{
- /* the SPI value is generated from chunk */
generate_from_chunk(this, rules[i].offset);
break;
}
@@ -625,14 +578,15 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
u_int16_t length_of_payload;
u_int16_t header_length = 0;
u_int16_t length_in_network_order;
-
+
switch(rules[i].type)
{
case KEY_EXCHANGE_DATA:
header_length = KE_PAYLOAD_HEADER_LENGTH;
break;
case NOTIFICATION_DATA:
- header_length = NOTIFY_PAYLOAD_HEADER_LENGTH + this->last_spi_size ;
+ header_length = NOTIFY_PAYLOAD_HEADER_LENGTH +
+ this->last_spi_size;
break;
case NONCE_DATA:
header_length = NONCE_PAYLOAD_HEADER_LENGTH;
@@ -664,47 +618,42 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
default:
break;
}
-
- /* the data value is generated from chunk */
generate_from_chunk(this, rules[i].offset);
- payload_length_position_offset = this->last_payload_length_position_offset;
+ payload_length_position_offset =
+ this->last_payload_length_position_offset;
+ length_of_payload = header_length +
+ ((chunk_t *)(this->data_struct + rules[i].offset))->len;
- /* Length of payload is calculated */
- length_of_payload = header_length + ((chunk_t *)(this->data_struct + rules[i].offset))->len;
-
- length_in_network_order = htons(length_of_payload);
+ length_in_network_order = htons(length_of_payload);
write_bytes_to_buffer_at_offset(this, &length_in_network_order,
- sizeof(u_int16_t),payload_length_position_offset);
+ sizeof(u_int16_t), payload_length_position_offset);
break;
}
case PROPOSALS:
{
- /* before iterative generate the transforms, store the current payload length position */
- u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
+ u_int32_t payload_length_position_offset =
+ this->last_payload_length_position_offset;
/* Length of SA_PAYLOAD is calculated */
u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH;
u_int16_t int16_val;
- /* proposals are stored in a linked list and so accessed */
- linked_list_t *proposals = *((linked_list_t **)(this->data_struct + rules[i].offset));
+ linked_list_t *proposals = *((linked_list_t **)
+ (this->data_struct + rules[i].offset));
iterator_t *iterator;
payload_t *current_proposal;
- /* create forward iterator */
iterator = proposals->create_iterator(proposals,TRUE);
- /* every proposal is processed (iterative call )*/
while (iterator->iterate(iterator, (void**)&current_proposal))
{
u_int32_t before_generate_position_offset;
u_int32_t after_generate_position_offset;
- before_generate_position_offset = get_current_buffer_offset(this);
- this->public.generate_payload(&(this->public),current_proposal);
- after_generate_position_offset = get_current_buffer_offset(this);
-
- /* increase size of transform */
- length_of_sa_payload += (after_generate_position_offset - before_generate_position_offset);
+ before_generate_position_offset = get_offset(this);
+ generate_payload(this, current_proposal);
+ after_generate_position_offset = get_offset(this);
+ length_of_sa_payload += (after_generate_position_offset -
+ before_generate_position_offset);
}
iterator->destroy(iterator);
@@ -715,60 +664,61 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
}
case TRANSFORMS:
{
- /* before iterative generate the transforms, store the current length position */
- u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
- u_int16_t length_of_proposal = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
+ u_int32_t payload_length_position_offset =
+ this->last_payload_length_position_offset;
+ u_int16_t length_of_proposal =
+ PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size;
u_int16_t int16_val;
- linked_list_t *transforms = *((linked_list_t **)(this->data_struct + rules[i].offset));
+ linked_list_t *transforms = *((linked_list_t **)
+ (this->data_struct + rules[i].offset));
iterator_t *iterator;
payload_t *current_transform;
- /* create forward iterator */
iterator = transforms->create_iterator(transforms,TRUE);
while (iterator->iterate(iterator, (void**)&current_transform))
{
u_int32_t before_generate_position_offset;
u_int32_t after_generate_position_offset;
- before_generate_position_offset = get_current_buffer_offset(this);
- this->public.generate_payload(&(this->public),current_transform);
- after_generate_position_offset = get_current_buffer_offset(this);
+ before_generate_position_offset = get_offset(this);
+ generate_payload(this, current_transform);
+ after_generate_position_offset = get_offset(this);
- /* increase size of transform */
- length_of_proposal += (after_generate_position_offset - before_generate_position_offset);
+ length_of_proposal += (after_generate_position_offset -
+ before_generate_position_offset);
}
-
iterator->destroy(iterator);
int16_val = htons(length_of_proposal);
write_bytes_to_buffer_at_offset(this, &int16_val,
sizeof(u_int16_t), payload_length_position_offset);
-
break;
}
case TRANSFORM_ATTRIBUTES:
{
- /* before iterative generate the transform attributes, store the current length position */
- u_int32_t transform_length_position_offset = this->last_payload_length_position_offset;
- u_int16_t length_of_transform = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
+ u_int32_t transform_length_position_offset =
+ this->last_payload_length_position_offset;
+ u_int16_t length_of_transform =
+ TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH;
u_int16_t int16_val;
- linked_list_t *transform_attributes =*((linked_list_t **)(this->data_struct + rules[i].offset));
+ linked_list_t *transform_attributes =*((linked_list_t **)
+ (this->data_struct + rules[i].offset));
iterator_t *iterator;
payload_t *current_attribute;
- /* create forward iterator */
- iterator = transform_attributes->create_iterator(transform_attributes,TRUE);
+ iterator = transform_attributes->create_iterator(
+ transform_attributes, TRUE);
while (iterator->iterate(iterator, (void**)&current_attribute))
{
u_int32_t before_generate_position_offset;
u_int32_t after_generate_position_offset;
- before_generate_position_offset = get_current_buffer_offset(this);
- this->public.generate_payload(&(this->public),current_attribute);
- after_generate_position_offset = get_current_buffer_offset(this);
+ before_generate_position_offset = get_offset(this);
+ generate_payload(this, current_attribute);
+ after_generate_position_offset = get_offset(this);
- /* increase size of transform */
- length_of_transform += (after_generate_position_offset - before_generate_position_offset);
+ length_of_transform += (after_generate_position_offset -
+ before_generate_position_offset);
}
iterator->destroy(iterator);
@@ -776,32 +726,32 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
int16_val = htons(length_of_transform);
write_bytes_to_buffer_at_offset(this, &int16_val,
sizeof(u_int16_t),transform_length_position_offset);
-
break;
}
case CONFIGURATION_ATTRIBUTES:
{
- /* before iterative generate the configuration attributes, store the current length position */
- u_int32_t configurations_length_position_offset = this->last_payload_length_position_offset;
+ u_int32_t configurations_length_position_offset =
+ this->last_payload_length_position_offset;
u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH;
u_int16_t int16_val;
- linked_list_t *configuration_attributes =*((linked_list_t **)(this->data_struct + rules[i].offset));
+ linked_list_t *configuration_attributes = *((linked_list_t **)
+ (this->data_struct + rules[i].offset));
iterator_t *iterator;
payload_t *current_attribute;
- /* create forward iterator */
- iterator = configuration_attributes->create_iterator(configuration_attributes,TRUE);
+ iterator = configuration_attributes->create_iterator(
+ configuration_attributes,TRUE);
while (iterator->iterate(iterator, (void**)&current_attribute))
{
u_int32_t before_generate_position_offset;
u_int32_t after_generate_position_offset;
- before_generate_position_offset = get_current_buffer_offset(this);
- this->public.generate_payload(&(this->public),current_attribute);
- after_generate_position_offset = get_current_buffer_offset(this);
+ before_generate_position_offset = get_offset(this);
+ generate_payload(this, current_attribute);
+ after_generate_position_offset = get_offset(this);
- /* increase size of transform */
- length_of_configurations += (after_generate_position_offset - before_generate_position_offset);
+ length_of_configurations += after_generate_position_offset -
+ before_generate_position_offset;
}
iterator->destroy(iterator);
@@ -809,14 +759,14 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
int16_val = htons(length_of_configurations);
write_bytes_to_buffer_at_offset(this, &int16_val,
sizeof(u_int16_t),configurations_length_position_offset);
-
break;
}
case ATTRIBUTE_FORMAT:
{
generate_flag(this, rules[i].offset);
/* Attribute format is a flag which is stored in context*/
- this->attribute_format = *((bool *) (this->data_struct + rules[i].offset));
+ this->attribute_format =
+ *((bool *)(this->data_struct + rules[i].offset));
break;
}
@@ -826,7 +776,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
{
generate_u_int_type(this, U_INT_16, rules[i].offset);
/* this field hold the length of the attribute */
- this->attribute_length = *((u_int16_t *)(this->data_struct + rules[i].offset));
+ this->attribute_length =
+ *((u_int16_t *)(this->data_struct + rules[i].offset));
}
else
{
@@ -846,30 +797,28 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
}
case TRAFFIC_SELECTORS:
{
- /* before iterative generate the traffic_selectors, store the current payload length position */
- u_int32_t payload_length_position_offset = this->last_payload_length_position_offset;
- /* Length of SA_PAYLOAD is calculated */
+ u_int32_t payload_length_position_offset =
+ this->last_payload_length_position_offset;
u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH;
u_int16_t int16_val;
- /* traffic selectors are stored in a linked list and so accessed */
- linked_list_t *traffic_selectors = *((linked_list_t **)(this->data_struct + rules[i].offset));
+ linked_list_t *traffic_selectors = *((linked_list_t **)
+ (this->data_struct + rules[i].offset));
iterator_t *iterator;
- payload_t *current_traffic_selector_substructure;
+ payload_t *current_tss;
- /* create forward iterator */
- iterator = traffic_selectors->create_iterator(traffic_selectors,TRUE);
- /* every proposal is processed (iterative call )*/
- while (iterator->iterate(iterator, (void **)&current_traffic_selector_substructure))
+ iterator = traffic_selectors->create_iterator(
+ traffic_selectors,TRUE);
+ while (iterator->iterate(iterator, (void **)&current_tss))
{
u_int32_t before_generate_position_offset;
u_int32_t after_generate_position_offset;
-
- before_generate_position_offset = get_current_buffer_offset(this);
- this->public.generate_payload(&(this->public),current_traffic_selector_substructure);
- after_generate_position_offset = get_current_buffer_offset(this);
- /* increase size of transform */
- length_of_ts_payload += (after_generate_position_offset - before_generate_position_offset);
+ before_generate_position_offset = get_offset(this);
+ generate_payload(this, current_tss);
+ after_generate_position_offset = get_offset(this);
+
+ length_of_ts_payload += (after_generate_position_offset -
+ before_generate_position_offset);
}
iterator->destroy(iterator);
@@ -893,7 +842,8 @@ static void generate_payload (private_generator_t *this,payload_t *payload)
DBG2(DBG_ENC, "generating %N payload finished",
payload_type_names, payload_type);
DBG3(DBG_ENC, "generated data for this payload %b",
- payload_start, this->out_position-payload_start);
+ this->buffer + offset_start,
+ this->out_position - this->buffer - offset_start);
}
/**
@@ -916,9 +866,9 @@ generator_t *generator_create()
this = malloc_thing(private_generator_t);
/* initiate public functions */
- this->public.generate_payload = (void(*)(generator_t*, payload_t *)) generate_payload;
+ this->public.generate_payload = (void(*)(generator_t*, payload_t *))generate_payload;
this->public.destroy = (void(*)(generator_t*)) destroy;
- this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *)) write_to_chunk;
+ this->public.write_to_chunk = (void (*) (generator_t *,chunk_t *))write_to_chunk;
/* allocate memory for buffer */
this->buffer = malloc(GENERATOR_DATA_BUFFER_SIZE);
diff --git a/src/charon/encoding/generator.h b/src/charon/encoding/generator.h
index 5c8755d04..f6fb8981c 100644
--- a/src/charon/encoding/generator.h
+++ b/src/charon/encoding/generator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: generator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -67,10 +65,10 @@ struct generator_t {
/**
* Writes all generated data of the generator to a chunk.
*
- * @param data chunk to write the data to
+ * @param data chunk to write the data to
*/
void (*write_to_chunk) (generator_t *this,chunk_t *data);
-
+
/**
* Destroys a generator_t object.
*/
diff --git a/src/charon/encoding/message.c b/src/charon/encoding/message.c
index 600fe97d9..7c6fdb499 100644
--- a/src/charon/encoding/message.c
+++ b/src/charon/encoding/message.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: message.c 4339 2008-09-11 11:14:09Z martin $
*/
#include <stdlib.h>
@@ -208,7 +206,7 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
{NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, FALSE},
{EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
{AUTHENTICATION, 0, 1, TRUE, TRUE},
- {ID_INITIATOR, 1, 1, TRUE, FALSE},
+ {ID_INITIATOR, 0, 1, TRUE, FALSE},
{CERTIFICATE, 0, 4, TRUE, FALSE},
{CERTIFICATE_REQUEST, 0, 1, TRUE, FALSE},
{ID_RESPONDER, 0, 1, TRUE, FALSE},
@@ -217,9 +215,9 @@ static payload_rule_t ike_auth_i_payload_rules[] = {
{TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
{TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
#else
- {SECURITY_ASSOCIATION, 1, 1, TRUE, FALSE},
- {TRAFFIC_SELECTOR_INITIATOR, 1, 1, TRUE, FALSE},
- {TRAFFIC_SELECTOR_RESPONDER, 1, 1, TRUE, FALSE},
+ {SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
+ {TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
+ {TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
#endif /* ME */
{CONFIGURATION, 0, 1, TRUE, FALSE},
{VENDOR_ID, 0, 10, TRUE, FALSE},
@@ -261,9 +259,9 @@ static payload_rule_t ike_auth_r_payload_rules[] = {
/* payload type min max encr suff */
{NOTIFY, 0, MAX_NOTIFY_PAYLOADS, TRUE, TRUE},
{EXTENSIBLE_AUTHENTICATION, 0, 1, TRUE, TRUE},
+ {AUTHENTICATION, 0, 1, TRUE, TRUE},
{CERTIFICATE, 0, 4, TRUE, FALSE},
{ID_RESPONDER, 0, 1, TRUE, FALSE},
- {AUTHENTICATION, 0, 1, TRUE, FALSE},
{SECURITY_ASSOCIATION, 0, 1, TRUE, FALSE},
{TRAFFIC_SELECTOR_INITIATOR, 0, 1, TRUE, FALSE},
{TRAFFIC_SELECTOR_RESPONDER, 0, 1, TRUE, FALSE},
@@ -846,11 +844,11 @@ static host_t * get_destination(private_message_t *this)
}
/**
- * Implementation of message_t.get_payload_iterator.
+ * Implementation of message_t.create_payload_enumerator.
*/
-static iterator_t *get_payload_iterator(private_message_t *this)
+static enumerator_t *create_payload_enumerator(private_message_t *this)
{
- return this->payloads->create_iterator(this->payloads, TRUE);
+ return this->payloads->create_enumerator(this->payloads);
}
/**
@@ -859,10 +857,10 @@ static iterator_t *get_payload_iterator(private_message_t *this)
static payload_t *get_payload(private_message_t *this, payload_type_t type)
{
payload_t *current, *found = NULL;
- iterator_t *iterator;
+ enumerator_t *enumerator;
- iterator = this->payloads->create_iterator(this->payloads, TRUE);
- while (iterator->iterate(iterator, (void**)&current))
+ enumerator = create_payload_enumerator(this);
+ while (enumerator->enumerate(enumerator, &current))
{
if (current->get_type(current) == type)
{
@@ -870,16 +868,42 @@ static payload_t *get_payload(private_message_t *this, payload_type_t type)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return found;
}
/**
+ * Implementation of message_t.get_notify
+ */
+static notify_payload_t* get_notify(private_message_t *this, notify_type_t type)
+{
+ enumerator_t *enumerator;
+ notify_payload_t *notify = NULL;
+ payload_t *payload;
+
+ enumerator = create_payload_enumerator(this);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify = (notify_payload_t*)payload;
+ if (notify->get_notify_type(notify) == type)
+ {
+ break;
+ }
+ notify = NULL;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return notify;
+}
+
+/**
* get a string representation of the message
*/
static char* get_string(private_message_t *this, char *buf, int len)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
int written;
char *pos = buf;
@@ -898,8 +922,8 @@ static char* get_string(private_message_t *this, char *buf, int len)
pos += written;
len -= written;
- iterator = this->payloads->create_iterator(this->payloads, TRUE);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = create_payload_enumerator(this);
+ while (enumerator->enumerate(enumerator, &payload))
{
written = snprintf(pos, len, " %N", payload_type_short_names,
payload->get_type(payload));
@@ -922,7 +946,7 @@ static char* get_string(private_message_t *this, char *buf, int len)
len -= written;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
/* remove last space */
snprintf(pos, len, " ]");
@@ -1076,7 +1100,7 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
generator_t *generator;
ike_header_t *ike_header;
payload_t *payload, *next_payload;
- iterator_t *iterator;
+ enumerator_t *enumerator;
status_t status;
chunk_t packet_data;
char str[256];
@@ -1131,21 +1155,20 @@ static status_t generate(private_message_t *this, crypter_t *crypter,
ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id));
ike_header->set_initiator_spi(ike_header, this->ike_sa_id->get_initiator_spi(this->ike_sa_id));
ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id));
-
+
generator = generator_create();
payload = (payload_t*)ike_header;
-
/* generate every payload expect last one, this is done later*/
- iterator = this->payloads->create_iterator(this->payloads, TRUE);
- while(iterator->iterate(iterator, (void**)&next_payload))
+ enumerator = create_payload_enumerator(this);
+ while (enumerator->enumerate(enumerator, &next_payload))
{
payload->set_next_type(payload, next_payload->get_type(next_payload));
generator->generate_payload(generator, payload);
payload = next_payload;
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
/* last payload has no next payload*/
payload->set_next_type(payload, NO_PAYLOAD);
@@ -1411,72 +1434,78 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
static status_t verify(private_message_t *this)
{
int i;
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *current_payload;
size_t total_found_payloads = 0;
DBG2(DBG_ENC, "verifying message structure");
- iterator = this->payloads->create_iterator(this->payloads,TRUE);
/* check for payloads with wrong count*/
- for (i = 0; i < this->message_rule->payload_rule_count;i++)
+ for (i = 0; i < this->message_rule->payload_rule_count; i++)
{
size_t found_payloads = 0;
-
- /* check all payloads for specific rule */
- iterator->reset(iterator);
+ payload_rule_t *rule;
- while(iterator->iterate(iterator,(void **)&current_payload))
+ rule = &this->message_rule->payload_rules[i];
+ enumerator = create_payload_enumerator(this);
+
+ /* check all payloads for specific rule */
+ while (enumerator->enumerate(enumerator, &current_payload))
{
payload_type_t current_payload_type;
+ unknown_payload_t *unknown_payload;
current_payload_type = current_payload->get_type(current_payload);
if (current_payload_type == UNKNOWN_PAYLOAD)
{
/* unknown payloads are ignored, IF they are not critical */
- unknown_payload_t *unknown_payload = (unknown_payload_t*)current_payload;
+ unknown_payload = (unknown_payload_t*)current_payload;
if (unknown_payload->is_critical(unknown_payload))
{
DBG1(DBG_ENC, "%N is not supported, but its critical!",
payload_type_names, current_payload_type);
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return NOT_SUPPORTED;
}
}
- else if (current_payload_type == this->message_rule->payload_rules[i].payload_type)
+ else if (current_payload_type == rule->payload_type)
{
found_payloads++;
total_found_payloads++;
- DBG2(DBG_ENC, "found payload of type %N",
- payload_type_names, this->message_rule->payload_rules[i].payload_type);
+ DBG2(DBG_ENC, "found payload of type %N", payload_type_names,
+ rule->payload_type);
- /* as soon as ohe payload occures more then specified, the verification fails */
- if (found_payloads > this->message_rule->payload_rules[i].max_occurence)
+ /* as soon as ohe payload occures more then specified,
+ * the verification fails */
+ if (found_payloads >
+ rule->max_occurence)
{
- DBG1(DBG_ENC, "payload of type %N more than %d times (%d) occured in current message",
- payload_type_names, current_payload_type,
- this->message_rule->payload_rules[i].max_occurence, found_payloads);
- iterator->destroy(iterator);
+ DBG1(DBG_ENC, "payload of type %N more than %d times (%d) "
+ "occured in current message", payload_type_names,
+ current_payload_type, rule->max_occurence,
+ found_payloads);
+ enumerator->destroy(enumerator);
return VERIFY_ERROR;
}
}
}
- if (found_payloads < this->message_rule->payload_rules[i].min_occurence)
+ if (found_payloads < rule->min_occurence)
{
DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)",
- payload_type_names, this->message_rule->payload_rules[i].payload_type,
- this->message_rule->payload_rules[i].min_occurence, found_payloads);
- iterator->destroy(iterator);
+ payload_type_names, rule->payload_type, rule->min_occurence,
+ found_payloads);
+ enumerator->destroy(enumerator);
return VERIFY_ERROR;
}
- if ((this->message_rule->payload_rules[i].sufficient) && (this->payloads->get_count(this->payloads) == total_found_payloads))
+ if (rule->sufficient &&
+ this->payloads->get_count(this->payloads) == total_found_payloads)
{
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return SUCCESS;
}
+ enumerator->destroy(enumerator);
}
- iterator->destroy(iterator);
return SUCCESS;
}
@@ -1604,8 +1633,9 @@ message_t *message_create_from_packet(packet_t *packet)
this->public.get_source = (host_t * (*) (message_t*)) get_source;
this->public.set_destination = (void (*) (message_t*,host_t*)) set_destination;
this->public.get_destination = (host_t * (*) (message_t*)) get_destination;
- this->public.get_payload_iterator = (iterator_t * (*) (message_t *)) get_payload_iterator;
+ this->public.create_payload_enumerator = (enumerator_t * (*) (message_t *)) create_payload_enumerator;
this->public.get_payload = (payload_t * (*) (message_t *, payload_type_t)) get_payload;
+ this->public.get_notify = (notify_payload_t*(*)(message_t*, notify_type_t type))get_notify;
this->public.parse_header = (status_t (*) (message_t *)) parse_header;
this->public.parse_body = (status_t (*) (message_t *,crypter_t*,signer_t*)) parse_body;
this->public.get_packet = (packet_t * (*) (message_t*)) get_packet;
diff --git a/src/charon/encoding/message.h b/src/charon/encoding/message.h
index 40941c2c9..1db3ea0cc 100644
--- a/src/charon/encoding/message.h
+++ b/src/charon/encoding/message.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2007 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: message.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -286,14 +284,11 @@ struct message_t {
void (*set_destination) (message_t *this, host_t *host);
/**
- * Returns an iterator on all stored payloads.
- *
- * @warning Don't insert payloads over this iterator.
- * Use add_payload() instead.
+ * Create an enumerator over all payloads.
*
- * @return iterator_t object which has to get destroyd by the caller
+ * @return enumerator over payload_t
*/
- iterator_t * (*get_payload_iterator) (message_t *this);
+ enumerator_t * (*create_payload_enumerator) (message_t *this);
/**
* Find a payload of a specific type.
@@ -306,6 +301,14 @@ struct message_t {
payload_t* (*get_payload) (message_t *this, payload_type_t type);
/**
+ * Get the first notify payload of a specific type.
+ *
+ * @param type type of notification payload
+ * @return notify payload, NULL if no such notify found
+ */
+ notify_payload_t* (*get_notify)(message_t *this, notify_type_t type);
+
+ /**
* Returns a clone of the internal stored packet_t object.
*
* @return packet_t object as clone of internal one
diff --git a/src/charon/encoding/parser.c b/src/charon/encoding/parser.c
index 396054810..ac2b78c28 100644
--- a/src/charon/encoding/parser.c
+++ b/src/charon/encoding/parser.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: parser.c 4703 2008-11-26 10:54:08Z martin $
*/
#include <stdlib.h>
@@ -88,29 +86,52 @@ struct private_parser_t {
};
/**
+ * Forward declaration
+ */
+static status_t parse_payload(private_parser_t *this,
+ payload_type_t payload_type, payload_t **payload);
+
+/**
+ * Log invalid length error
+ */
+static bool short_input(private_parser_t *this, int number)
+{
+ DBG1(DBG_ENC, " not enough input to parse rule %d %N",
+ number, encoding_type_names, this->rules[number].type);
+ return FALSE;
+}
+
+/**
+ * Log unaligned rules
+ */
+static bool bad_bitpos(private_parser_t *this, int number)
+{
+ DBG1(DBG_ENC, " found rule %d %N on bitpos %d",
+ number, encoding_type_names, this->rules[number].type, this->bit_pos);
+ return FALSE;
+}
+
+/**
* Parse a 4-Bit unsigned integer from the current parsing position.
*/
-static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *output_pos)
+static bool parse_uint4(private_parser_t *this, int rule_number,
+ u_int8_t *output_pos)
{
- if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+ if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
switch (this->bit_pos)
{
case 0:
- /* caller interested in result ? */
- if (output_pos != NULL)
+ if (output_pos)
{
*output_pos = *(this->byte_pos) >> 4;
}
this->bit_pos = 4;
break;
- case 4:
- /* caller interested in result ? */
- if (output_pos != NULL)
+ case 4:
+ if (output_pos)
{
*output_pos = *(this->byte_pos) & 0x0F;
}
@@ -118,311 +139,240 @@ static status_t parse_uint4(private_parser_t *this, int rule_number, u_int8_t *o
this->byte_pos++;
break;
default:
- DBG2(DBG_ENC, " found rule %d %N on bitpos %d",
- rule_number, encoding_type_names,
- this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
-
- if (output_pos != NULL)
+ if (output_pos)
{
DBG3(DBG_ENC, " => %d", *output_pos);
}
-
- return SUCCESS;
+ return TRUE;
}
/**
* Parse a 8-Bit unsigned integer from the current parsing position.
*/
-static status_t parse_uint8(private_parser_t *this, int rule_number, u_int8_t *output_pos)
+static bool parse_uint8(private_parser_t *this, int rule_number,
+ u_int8_t *output_pos)
{
- if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
+ if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
if (this->bit_pos)
{
- DBG1(DBG_ENC, " found rule %d %N on bitpos %d",
- rule_number, encoding_type_names,
- this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
-
- /* caller interested in result ? */
- if (output_pos != NULL)
+ if (output_pos)
{
*output_pos = *(this->byte_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
this->byte_pos++;
-
- return SUCCESS;
+ return TRUE;
}
/**
* Parse a 15-Bit unsigned integer from the current parsing position.
*/
-static status_t parse_uint15(private_parser_t *this, int rule_number, u_int16_t *output_pos)
+static bool parse_uint15(private_parser_t *this, int rule_number,
+ u_int16_t *output_pos)
{
if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
if (this->bit_pos != 1)
{
- DBG2(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
- encoding_type_names, this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
- /* caller interested in result ? */
- if (output_pos != NULL)
+ if (output_pos)
{
- *output_pos = ntohs(*((u_int16_t*)this->byte_pos)) & ~0x8000;
+ memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
+ *output_pos = ntohs(*output_pos) & ~0x8000;
DBG3(DBG_ENC, " => %d", *output_pos);
}
- this->byte_pos += 2;
+ this->byte_pos += sizeof(u_int16_t);
this->bit_pos = 0;
-
- return SUCCESS;
+ return TRUE;
}
/**
* Parse a 16-Bit unsigned integer from the current parsing position.
*/
-static status_t parse_uint16(private_parser_t *this, int rule_number, u_int16_t *output_pos)
+static bool parse_uint16(private_parser_t *this, int rule_number,
+ u_int16_t *output_pos)
{
if (this->byte_pos + sizeof(u_int16_t) > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
if (this->bit_pos)
{
- DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
- encoding_type_names, this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
- /* caller interested in result ? */
- if (output_pos != NULL)
+ if (output_pos)
{
- *output_pos = ntohs(*((u_int16_t*)this->byte_pos));
-
+ memcpy(output_pos, this->byte_pos, sizeof(u_int16_t));
+ *output_pos = ntohs(*output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
- this->byte_pos += 2;
-
- return SUCCESS;
+ this->byte_pos += sizeof(u_int16_t);
+ return TRUE;
}
/**
* Parse a 32-Bit unsigned integer from the current parsing position.
*/
-static status_t parse_uint32(private_parser_t *this, int rule_number, u_int32_t *output_pos)
+static bool parse_uint32(private_parser_t *this, int rule_number,
+ u_int32_t *output_pos)
{
if (this->byte_pos + sizeof(u_int32_t) > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
if (this->bit_pos)
{
- DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
- encoding_type_names, this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
- /* caller interested in result ? */
- if (output_pos != NULL)
+ if (output_pos)
{
- *output_pos = ntohl(*((u_int32_t*)this->byte_pos));
-
+ memcpy(output_pos, this->byte_pos, sizeof(u_int32_t));
+ *output_pos = ntohl(*output_pos);
DBG3(DBG_ENC, " => %d", *output_pos);
}
- this->byte_pos += 4;
-
- return SUCCESS;
-}
-
-/**
- * Parse a 64-Bit unsigned integer from the current parsing position.
- */
-static status_t parse_uint64(private_parser_t *this, int rule_number, u_int64_t *output_pos)
-{
- if (this->byte_pos + sizeof(u_int64_t) > this->input_roof)
- {
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
- }
- if (this->bit_pos)
- {
- DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
- encoding_type_names, this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
- }
- /* caller interested in result ? */
- if (output_pos != NULL)
- {
- /* assuming little endian host order */
- *(output_pos + 1) = ntohl(*((u_int32_t*)this->byte_pos));
- *output_pos = ntohl(*(((u_int32_t*)this->byte_pos) + 1));
-
- DBG3(DBG_ENC, " => %b", (void*)output_pos, sizeof(u_int64_t));
- }
- this->byte_pos += 8;
-
- return SUCCESS;
+ this->byte_pos += sizeof(u_int32_t);
+ return TRUE;
}
/**
* Parse a given amount of bytes and writes them to a specific location
*/
-static status_t parse_bytes (private_parser_t *this, int rule_number, u_int8_t *output_pos,size_t bytes)
+static bool parse_bytes(private_parser_t *this, int rule_number,
+ u_int8_t *output_pos, int bytes)
{
if (this->byte_pos + bytes > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
if (this->bit_pos)
{
- DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
- encoding_type_names, this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
-
- /* caller interested in result ? */
- if (output_pos != NULL)
+ if (output_pos)
{
- memcpy(output_pos,this->byte_pos,bytes);
-
- DBG3(DBG_ENC, " => %b", (void*)output_pos, bytes);
+ memcpy(output_pos, this->byte_pos, bytes);
+ DBG3(DBG_ENC, " => %b", output_pos, bytes);
}
this->byte_pos += bytes;
-
- return SUCCESS;
+ return TRUE;
}
/**
* Parse a single Bit from the current parsing position
*/
-static status_t parse_bit(private_parser_t *this, int rule_number, bool *output_pos)
+static bool parse_bit(private_parser_t *this, int rule_number,
+ bool *output_pos)
{
if (this->byte_pos + sizeof(u_int8_t) > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input to parse rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
- /* caller interested in result ? */
- if (output_pos != NULL)
+ if (output_pos)
{
u_int8_t mask;
mask = 0x01 << (7 - this->bit_pos);
*output_pos = *this->byte_pos & mask;
-
+
if (*output_pos)
- {
- /* set to a "clean", comparable true */
+ { /* set to a "clean", comparable true */
*output_pos = TRUE;
}
-
DBG3(DBG_ENC, " => %d", *output_pos);
}
this->bit_pos = (this->bit_pos + 1) % 8;
- if (this->bit_pos == 0)
+ if (this->bit_pos == 0)
{
- this->byte_pos++;
+ this->byte_pos++;
}
-
- return SUCCESS;
+ return TRUE;
}
/**
* Parse substructures in a list.
*/
-static status_t parse_list(private_parser_t *this, int rule_number, linked_list_t **output_pos, payload_type_t payload_type, size_t length)
+static bool parse_list(private_parser_t *this, int rule_number,
+ linked_list_t **output_pos, payload_type_t payload_type, int length)
{
- linked_list_t * list = *output_pos;
+ linked_list_t *list = *output_pos;
if (length < 0)
{
- DBG1(DBG_ENC, " invalid length for rule %d %N",
- rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
-
if (this->bit_pos)
{
- DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
- encoding_type_names, this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
-
while (length > 0)
{
u_int8_t *pos_before = this->byte_pos;
payload_t *payload;
- status_t status;
+
DBG2(DBG_ENC, " %d bytes left, parsing recursively %N",
length, payload_type_names, payload_type);
- status = this->public.parse_payload((parser_t*)this, payload_type, &payload);
- if (status != SUCCESS)
+
+ if (parse_payload(this, payload_type, &payload) != SUCCESS)
{
DBG1(DBG_ENC, " parsing of a %N substructure failed",
payload_type_names, payload_type);
- return status;
+ return FALSE;
}
list->insert_last(list, payload);
length -= this->byte_pos - pos_before;
}
+ if (length != 0)
+ { /* must yield exactly to zero */
+ DBG1(DBG_ENC, " length of %N substructure list invalid",
+ payload_type_names, payload_type);
+ return FALSE;
+ }
*output_pos = list;
- return SUCCESS;
+ return TRUE;
}
/**
* Parse data from current parsing position in a chunk.
*/
-static status_t parse_chunk(private_parser_t *this, int rule_number, chunk_t *output_pos, size_t length)
+static bool parse_chunk(private_parser_t *this, int rule_number,
+ chunk_t *output_pos, int length)
{
if (this->byte_pos + length > this->input_roof)
{
- DBG1(DBG_ENC, " not enough input (%d bytes) to parse rule %d %N",
- length, rule_number, encoding_type_names, this->rules[rule_number].type);
- return PARSE_ERROR;
+ return short_input(this, rule_number);
}
if (this->bit_pos)
{
- DBG1(DBG_ENC, " found rule %d %N on bitpos %d", rule_number,
- encoding_type_names, this->rules[rule_number].type, this->bit_pos);
- return PARSE_ERROR;
+ return bad_bitpos(this, rule_number);
}
- if (output_pos != NULL)
+ if (output_pos)
{
- output_pos->len = length;
- output_pos->ptr = malloc(length);
+ *output_pos = chunk_alloc(length);
memcpy(output_pos->ptr, this->byte_pos, length);
+ DBG3(DBG_ENC, " => %b", output_pos->ptr, length);
}
this->byte_pos += length;
- DBG3(DBG_ENC, " => %b", (void*)output_pos->ptr, length);
-
- return SUCCESS;
+ return TRUE;
}
/**
* Implementation of parser_t.parse_payload.
*/
-static status_t parse_payload(private_parser_t *this, payload_type_t payload_type, payload_t **payload)
+static status_t parse_payload(private_parser_t *this,
+ payload_type_t payload_type, payload_t **payload)
{
payload_t *pld;
void *output;
- size_t rule_count, payload_length = 0, spi_size = 0, attribute_length = 0;
+ size_t rule_count;
+ int payload_length = 0, spi_size = 0, attribute_length = 0;
u_int16_t ts_type = 0;
bool attribute_format = FALSE;
int rule_number;
@@ -435,7 +385,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
payload_type_names, payload_type, this->input_roof - this->byte_pos);
DBG3(DBG_ENC, "parsing payload from %b",
- this->byte_pos, this->input_roof-this->byte_pos);
+ this->byte_pos, this->input_roof - this->byte_pos);
if (pld->get_type(pld) == UNKNOWN_PAYLOAD)
{
@@ -447,7 +397,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
output = pld;
/* parse the payload with its own rulse */
- pld->get_encoding_rules(pld, &(this->rules), &rule_count);
+ pld->get_encoding_rules(pld, &this->rules, &rule_count);
for (rule_number = 0; rule_number < rule_count; rule_number++)
{
rule = &(this->rules[rule_number]);
@@ -457,7 +407,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
{
case U_INT_4:
{
- if (parse_uint4(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint4(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -466,7 +416,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case U_INT_8:
{
- if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint8(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -475,7 +425,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case U_INT_16:
{
- if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint16(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -484,16 +434,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case U_INT_32:
{
- if (parse_uint32(this, rule_number, output + rule->offset) != SUCCESS)
- {
- pld->destroy(pld);
- return PARSE_ERROR;
- }
- break;
- }
- case U_INT_64:
- {
- if (parse_uint64(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint32(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -502,7 +443,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case IKE_SPI:
{
- if (parse_bytes(this, rule_number, output + rule->offset,8) != SUCCESS)
+ if (!parse_bytes(this, rule_number, output + rule->offset, 8))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -511,7 +452,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case RESERVED_BIT:
{
- if (parse_bit(this, rule_number, NULL) != SUCCESS)
+ if (!parse_bit(this, rule_number, NULL))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -520,7 +461,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case RESERVED_BYTE:
{
- if (parse_uint8(this, rule_number, NULL) != SUCCESS)
+ if (!parse_uint8(this, rule_number, NULL))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -529,7 +470,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case FLAG:
{
- if (parse_bit(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_bit(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -538,11 +479,12 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case PAYLOAD_LENGTH:
{
- if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint16(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
}
+ /* parsed u_int16 should be aligned */
payload_length = *(u_int16_t*)(output + rule->offset);
if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH)
{
@@ -553,7 +495,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case HEADER_LENGTH:
{
- if (parse_uint32(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint32(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -562,7 +504,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case SPI_SIZE:
{
- if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint8(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -572,7 +514,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case SPI:
{
- if (parse_chunk(this, rule_number, output + rule->offset, spi_size) != SUCCESS)
+ if (!parse_chunk(this, rule_number, output + rule->offset,
+ spi_size))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -582,8 +525,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
case PROPOSALS:
{
if (payload_length < SA_PAYLOAD_HEADER_LENGTH ||
- parse_list(this, rule_number, output + rule->offset, PROPOSAL_SUBSTRUCTURE,
- payload_length - SA_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_list(this, rule_number, output + rule->offset,
+ PROPOSAL_SUBSTRUCTURE,
+ payload_length - SA_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -592,9 +536,11 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case TRANSFORMS:
{
- if (payload_length < spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
- parse_list(this, rule_number, output + rule->offset, TRANSFORM_SUBSTRUCTURE,
- payload_length - spi_size - PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH) != SUCCESS)
+ if (payload_length <
+ spi_size + PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH ||
+ !parse_list(this, rule_number, output + rule->offset,
+ TRANSFORM_SUBSTRUCTURE, payload_length - spi_size -
+ PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -604,8 +550,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
case TRANSFORM_ATTRIBUTES:
{
if (payload_length < TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH ||
- parse_list(this, rule_number, output + rule->offset, TRANSFORM_ATTRIBUTE,
- payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH) != SUCCESS)
+ !parse_list(this, rule_number, output + rule->offset,
+ TRANSFORM_ATTRIBUTE,
+ payload_length - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -615,8 +562,9 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
case CONFIGURATION_ATTRIBUTES:
{
if (payload_length < CP_PAYLOAD_HEADER_LENGTH ||
- parse_list(this, rule_number, output + rule->offset, CONFIGURATION_ATTRIBUTE,
- payload_length - CP_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_list(this, rule_number, output + rule->offset,
+ CONFIGURATION_ATTRIBUTE,
+ payload_length - CP_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -625,7 +573,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case ATTRIBUTE_FORMAT:
{
- if (parse_bit(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_bit(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -635,17 +583,16 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case ATTRIBUTE_TYPE:
{
- if (parse_uint15(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint15(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
}
- attribute_format = *(bool*)(output + rule->offset);
break;
}
case CONFIGURATION_ATTRIBUTE_LENGTH:
{
- if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint16(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -654,8 +601,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
break;
}
case ATTRIBUTE_LENGTH_OR_VALUE:
- {
- if (parse_uint16(this, rule_number, output + rule->offset) != SUCCESS)
+ {
+ if (!parse_uint16(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -665,43 +612,42 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
}
case ATTRIBUTE_VALUE:
{
- if (attribute_format == FALSE)
+ if (attribute_format == FALSE &&
+ !parse_chunk(this, rule_number, output + rule->offset,
+ attribute_length))
{
- if (parse_chunk(this, rule_number, output + rule->offset, attribute_length) != SUCCESS)
- {
- pld->destroy(pld);
- return PARSE_ERROR;
- }
+ pld->destroy(pld);
+ return PARSE_ERROR;
}
break;
}
case NONCE_DATA:
{
if (payload_length < NONCE_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - NONCE_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - NONCE_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
+ }
break;
}
case ID_DATA:
{
if (payload_length < ID_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - ID_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - ID_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
+ }
break;
}
case AUTH_DATA:
{
if (payload_length < AUTH_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - AUTH_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - AUTH_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -711,8 +657,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
case CERT_DATA:
{
if (payload_length < CERT_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - CERT_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - CERT_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -722,8 +668,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
case CERTREQ_DATA:
{
if (payload_length < CERTREQ_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - CERTREQ_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -733,8 +679,8 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
case EAP_DATA:
{
if (payload_length < EAP_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - EAP_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - EAP_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
@@ -744,109 +690,112 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
case SPIS:
{
if (payload_length < DELETE_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - DELETE_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - DELETE_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
- break;
+ }
+ break;
}
case VID_DATA:
{
if (payload_length < VENDOR_ID_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - VENDOR_ID_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
- break;
+ }
+ break;
}
case CONFIGURATION_ATTRIBUTE_VALUE:
{
- size_t data_length = attribute_length;
- if (parse_chunk(this, rule_number, output + rule->offset, data_length) != SUCCESS)
+ if (!parse_chunk(this, rule_number, output + rule->offset,
+ attribute_length))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
- break;
+ }
+ break;
}
case KEY_EXCHANGE_DATA:
{
if (payload_length < KE_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - KE_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - KE_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
- break;
+ }
+ break;
}
case NOTIFICATION_DATA:
{
if (payload_length < NOTIFY_PAYLOAD_HEADER_LENGTH + spi_size ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - NOTIFY_PAYLOAD_HEADER_LENGTH - spi_size))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
- break;
+ }
+ break;
}
case ENCRYPTED_DATA:
- {
+ {
if (payload_length < ENCRYPTION_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - ENCRYPTION_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
- }
- break;
+ }
+ break;
}
case TS_TYPE:
{
- if (parse_uint8(this, rule_number, output + rule->offset) != SUCCESS)
+ if (!parse_uint8(this, rule_number, output + rule->offset))
{
pld->destroy(pld);
return PARSE_ERROR;
}
ts_type = *(u_int8_t*)(output + rule->offset);
- break;
+ break;
}
case ADDRESS:
{
- size_t address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
- if (parse_chunk(this, rule_number, output + rule->offset,address_length) != SUCCESS)
+ int address_length = (ts_type == TS_IPV4_ADDR_RANGE) ? 4 : 16;
+
+ if (!parse_chunk(this, rule_number, output + rule->offset,
+ address_length))
{
pld->destroy(pld);
return PARSE_ERROR;
}
- break;
+ break;
}
case TRAFFIC_SELECTORS:
{
if (payload_length < TS_PAYLOAD_HEADER_LENGTH ||
- parse_list(this, rule_number, output + rule->offset, TRAFFIC_SELECTOR_SUBSTRUCTURE,
- payload_length - TS_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_list(this, rule_number, output + rule->offset,
+ TRAFFIC_SELECTOR_SUBSTRUCTURE,
+ payload_length - TS_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
}
- break;
+ break;
}
case UNKNOWN_DATA:
{
if (payload_length < UNKNOWN_PAYLOAD_HEADER_LENGTH ||
- parse_chunk(this, rule_number, output + rule->offset,
- payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH) != SUCCESS)
+ !parse_chunk(this, rule_number, output + rule->offset,
+ payload_length - UNKNOWN_PAYLOAD_HEADER_LENGTH))
{
pld->destroy(pld);
return PARSE_ERROR;
}
- break;
+ break;
}
default:
{
@@ -871,8 +820,7 @@ static status_t parse_payload(private_parser_t *this, payload_type_t payload_typ
*/
static int get_remaining_byte_count (private_parser_t *this)
{
- int count = (this->input_roof - this->byte_pos);
- return count;
+ return this->input_roof - this->byte_pos;
}
/**
@@ -889,7 +837,7 @@ static void reset_context (private_parser_t *this)
*/
static void destroy(private_parser_t *this)
{
- free(this);
+ free(this);
}
/*
@@ -899,7 +847,7 @@ parser_t *parser_create(chunk_t data)
{
private_parser_t *this = malloc_thing(private_parser_t);
- this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**)) parse_payload;
+ this->public.parse_payload = (status_t(*)(parser_t*,payload_type_t,payload_t**))parse_payload;
this->public.reset_context = (void(*)(parser_t*)) reset_context;
this->public.get_remaining_byte_count = (int (*) (parser_t *))get_remaining_byte_count;
this->public.destroy = (void(*)(parser_t*)) destroy;
@@ -909,5 +857,6 @@ parser_t *parser_create(chunk_t data)
this->bit_pos = 0;
this->input_roof = data.ptr + data.len;
- return (parser_t*)this;
+ return &this->public;
}
+
diff --git a/src/charon/encoding/parser.h b/src/charon/encoding/parser.h
index 222e328d1..230492438 100644
--- a/src/charon/encoding/parser.h
+++ b/src/charon/encoding/parser.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: parser.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/auth_payload.c b/src/charon/encoding/payloads/auth_payload.c
index f9ca23236..53406f564 100644
--- a/src/charon/encoding/payloads/auth_payload.c
+++ b/src/charon/encoding/payloads/auth_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: auth_payload.c 4051 2008-06-10 09:08:27Z tobias $
*/
#include "auth_payload.h"
diff --git a/src/charon/encoding/payloads/auth_payload.h b/src/charon/encoding/payloads/auth_payload.h
index 26375a398..4287f14d9 100644
--- a/src/charon/encoding/payloads/auth_payload.h
+++ b/src/charon/encoding/payloads/auth_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: auth_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/cert_payload.c b/src/charon/encoding/payloads/cert_payload.c
index 7ff334006..54a8c1392 100644
--- a/src/charon/encoding/payloads/cert_payload.c
+++ b/src/charon/encoding/payloads/cert_payload.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: cert_payload.c 4317 2008-09-02 11:00:13Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/cert_payload.h b/src/charon/encoding/payloads/cert_payload.h
index d6e328850..fba404ee2 100644
--- a/src/charon/encoding/payloads/cert_payload.h
+++ b/src/charon/encoding/payloads/cert_payload.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: cert_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/certreq_payload.c b/src/charon/encoding/payloads/certreq_payload.c
index 1b499e9e8..50adedb28 100644
--- a/src/charon/encoding/payloads/certreq_payload.c
+++ b/src/charon/encoding/payloads/certreq_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: certreq_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/certreq_payload.h b/src/charon/encoding/payloads/certreq_payload.h
index a246f0e93..ff9814f8a 100644
--- a/src/charon/encoding/payloads/certreq_payload.h
+++ b/src/charon/encoding/payloads/certreq_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: certreq_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/configuration_attribute.c b/src/charon/encoding/payloads/configuration_attribute.c
index ad8177e1f..674feeddd 100644
--- a/src/charon/encoding/payloads/configuration_attribute.c
+++ b/src/charon/encoding/payloads/configuration_attribute.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: configuration_attribute.c 4844 2009-01-20 22:55:13Z andreas $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/configuration_attribute.h b/src/charon/encoding/payloads/configuration_attribute.h
index 13aaa0e90..404130114 100644
--- a/src/charon/encoding/payloads/configuration_attribute.h
+++ b/src/charon/encoding/payloads/configuration_attribute.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: configuration_attribute.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/cp_payload.c b/src/charon/encoding/payloads/cp_payload.c
index d39dc2a47..b5f1b35c7 100644
--- a/src/charon/encoding/payloads/cp_payload.c
+++ b/src/charon/encoding/payloads/cp_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: cp_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/cp_payload.h b/src/charon/encoding/payloads/cp_payload.h
index c31b1667d..6ffcca708 100644
--- a/src/charon/encoding/payloads/cp_payload.h
+++ b/src/charon/encoding/payloads/cp_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: cp_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/delete_payload.c b/src/charon/encoding/payloads/delete_payload.c
index 01ee7f027..c2be1e8b5 100644
--- a/src/charon/encoding/payloads/delete_payload.c
+++ b/src/charon/encoding/payloads/delete_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: delete_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/delete_payload.h b/src/charon/encoding/payloads/delete_payload.h
index 862deb9dc..58840741a 100644
--- a/src/charon/encoding/payloads/delete_payload.h
+++ b/src/charon/encoding/payloads/delete_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: delete_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/eap_payload.c b/src/charon/encoding/payloads/eap_payload.c
index d9a6fe6dd..1199bac45 100644
--- a/src/charon/encoding/payloads/eap_payload.c
+++ b/src/charon/encoding/payloads/eap_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/eap_payload.h b/src/charon/encoding/payloads/eap_payload.h
index 337f82e12..a4d8a38c6 100644
--- a/src/charon/encoding/payloads/eap_payload.h
+++ b/src/charon/encoding/payloads/eap_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/encodings.c b/src/charon/encoding/payloads/encodings.c
index 66c1fd999..85caeda82 100644
--- a/src/charon/encoding/payloads/encodings.c
+++ b/src/charon/encoding/payloads/encodings.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: encodings.c 3589 2008-03-13 14:14:44Z martin $
*/
@@ -24,7 +22,6 @@ ENUM(encoding_type_names, U_INT_4, ENCRYPTED_DATA,
"U_INT_8",
"U_INT_16",
"U_INT_32",
- "U_INT_64",
"RESERVED_BIT",
"RESERVED_BYTE",
"FLAG",
diff --git a/src/charon/encoding/payloads/encodings.h b/src/charon/encoding/payloads/encodings.h
index ad98874a2..03554f0af 100644
--- a/src/charon/encoding/payloads/encodings.h
+++ b/src/charon/encoding/payloads/encodings.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: encodings.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -99,19 +97,6 @@ enum encoding_type_t {
U_INT_32,
/**
- * Representing a 64 Bit unsigned int value.
- *
- * When generating it must be changed from host to network order.
- * The value is read from the associated data struct.
- * The current write position is moved 64 bit forward afterwards.
- *
- * When parsing it must be changed from network to host order.
- * The value is written to the associated data struct.
- * The current read pointer is moved 64 bit forward afterwards.
- */
- U_INT_64,
-
- /**
* represents a RESERVED_BIT used in FLAG-Bytes.
*
* When generating, the next bit is set to zero and the current write
diff --git a/src/charon/encoding/payloads/encryption_payload.c b/src/charon/encoding/payloads/encryption_payload.c
index 7237c69c5..55a37bb25 100644
--- a/src/charon/encoding/payloads/encryption_payload.c
+++ b/src/charon/encoding/payloads/encryption_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: encryption_payload.c 3862 2008-04-22 07:14:24Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/encryption_payload.h b/src/charon/encoding/payloads/encryption_payload.h
index 1d3eeb793..3b94587ec 100644
--- a/src/charon/encoding/payloads/encryption_payload.h
+++ b/src/charon/encoding/payloads/encryption_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: encryption_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/endpoint_notify.c b/src/charon/encoding/payloads/endpoint_notify.c
index c9ef47afb..c30d29942 100644
--- a/src/charon/encoding/payloads/endpoint_notify.c
+++ b/src/charon/encoding/payloads/endpoint_notify.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: endpoint_notify.c 3735 2008-04-02 18:21:03Z tobias $
*/
#include "endpoint_notify.h"
diff --git a/src/charon/encoding/payloads/endpoint_notify.h b/src/charon/encoding/payloads/endpoint_notify.h
index 36f483c67..66aabc683 100644
--- a/src/charon/encoding/payloads/endpoint_notify.h
+++ b/src/charon/encoding/payloads/endpoint_notify.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: endpoint_notify.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/id_payload.c b/src/charon/encoding/payloads/id_payload.c
index 347ad7563..4a527cb24 100644
--- a/src/charon/encoding/payloads/id_payload.c
+++ b/src/charon/encoding/payloads/id_payload.c
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: id_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/id_payload.h b/src/charon/encoding/payloads/id_payload.h
index 9de21cc6a..555b1324b 100644
--- a/src/charon/encoding/payloads/id_payload.h
+++ b/src/charon/encoding/payloads/id_payload.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: id_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/ike_header.c b/src/charon/encoding/payloads/ike_header.c
index 1db64f0e3..d27bfb82c 100644
--- a/src/charon/encoding/payloads/ike_header.c
+++ b/src/charon/encoding/payloads/ike_header.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_header.c 3666 2008-03-26 18:40:19Z tobias $
*/
/* offsetof macro */
diff --git a/src/charon/encoding/payloads/ike_header.h b/src/charon/encoding/payloads/ike_header.h
index 7292c2c9c..8de316d19 100644
--- a/src/charon/encoding/payloads/ike_header.h
+++ b/src/charon/encoding/payloads/ike_header.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_header.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/ke_payload.c b/src/charon/encoding/payloads/ke_payload.c
index 2f718e49c..aa3e075ca 100644
--- a/src/charon/encoding/payloads/ke_payload.c
+++ b/src/charon/encoding/payloads/ke_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ke_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/ke_payload.h b/src/charon/encoding/payloads/ke_payload.h
index bc5c9224a..7e182d970 100644
--- a/src/charon/encoding/payloads/ke_payload.h
+++ b/src/charon/encoding/payloads/ke_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ke_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/nonce_payload.c b/src/charon/encoding/payloads/nonce_payload.c
index da68ce4ab..f9e075380 100644
--- a/src/charon/encoding/payloads/nonce_payload.c
+++ b/src/charon/encoding/payloads/nonce_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: nonce_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
/* offsetof macro */
diff --git a/src/charon/encoding/payloads/nonce_payload.h b/src/charon/encoding/payloads/nonce_payload.h
index b433c7023..4adaba481 100644
--- a/src/charon/encoding/payloads/nonce_payload.h
+++ b/src/charon/encoding/payloads/nonce_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: nonce_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/notify_payload.c b/src/charon/encoding/payloads/notify_payload.c
index a4377c275..d2a995ace 100644
--- a/src/charon/encoding/payloads/notify_payload.c
+++ b/src/charon/encoding/payloads/notify_payload.c
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: notify_payload.c 4842 2009-01-19 12:32:42Z andreas $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/notify_payload.h b/src/charon/encoding/payloads/notify_payload.h
index 9f7577c26..a5f501dca 100644
--- a/src/charon/encoding/payloads/notify_payload.h
+++ b/src/charon/encoding/payloads/notify_payload.h
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: notify_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/payload.c b/src/charon/encoding/payloads/payload.c
index 71350458f..1cee6d2aa 100644
--- a/src/charon/encoding/payloads/payload.c
+++ b/src/charon/encoding/payloads/payload.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: payload.c 4618 2008-11-11 09:22:00Z tobias $
*/
diff --git a/src/charon/encoding/payloads/payload.h b/src/charon/encoding/payloads/payload.h
index 7cb1b7735..78f5b7b97 100644
--- a/src/charon/encoding/payloads/payload.h
+++ b/src/charon/encoding/payloads/payload.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c
index daa015d3e..a8166023c 100644
--- a/src/charon/encoding/payloads/proposal_substructure.c
+++ b/src/charon/encoding/payloads/proposal_substructure.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: proposal_substructure.c 3658 2008-03-26 10:06:45Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h
index 212366d77..8ccb917d6 100644
--- a/src/charon/encoding/payloads/proposal_substructure.h
+++ b/src/charon/encoding/payloads/proposal_substructure.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: proposal_substructure.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/sa_payload.c b/src/charon/encoding/payloads/sa_payload.c
index ecc3b0f60..3ca2f08c8 100644
--- a/src/charon/encoding/payloads/sa_payload.c
+++ b/src/charon/encoding/payloads/sa_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sa_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/sa_payload.h b/src/charon/encoding/payloads/sa_payload.h
index 237432422..58ae72544 100644
--- a/src/charon/encoding/payloads/sa_payload.h
+++ b/src/charon/encoding/payloads/sa_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sa_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.c b/src/charon/encoding/payloads/traffic_selector_substructure.c
index eb5bbc626..7dcdce6aa 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.c
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: traffic_selector_substructure.c 4639 2008-11-12 15:09:24Z martin $
*/
#include "traffic_selector_substructure.h"
diff --git a/src/charon/encoding/payloads/traffic_selector_substructure.h b/src/charon/encoding/payloads/traffic_selector_substructure.h
index 9179d1478..ee3e204a0 100644
--- a/src/charon/encoding/payloads/traffic_selector_substructure.h
+++ b/src/charon/encoding/payloads/traffic_selector_substructure.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: traffic_selector_substructure.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/transform_attribute.c b/src/charon/encoding/payloads/transform_attribute.c
index b9b5ff879..507d04a34 100644
--- a/src/charon/encoding/payloads/transform_attribute.c
+++ b/src/charon/encoding/payloads/transform_attribute.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: transform_attribute.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <string.h>
@@ -248,7 +246,7 @@ static u_int16_t get_attribute_type (private_transform_attribute_t *this)
/**
* Implementation of transform_attribute_t.clone.
*/
-static transform_attribute_t * clone(private_transform_attribute_t *this)
+static transform_attribute_t * _clone(private_transform_attribute_t *this)
{
private_transform_attribute_t *new_clone;
@@ -302,7 +300,7 @@ transform_attribute_t *transform_attribute_create()
this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value;
this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type;
this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type;
- this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) clone;
+ this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone;
this->public.destroy = (void (*) (transform_attribute_t *)) destroy;
/* set default values of the fields */
diff --git a/src/charon/encoding/payloads/transform_attribute.h b/src/charon/encoding/payloads/transform_attribute.h
index 6755ff74c..f7d71a9df 100644
--- a/src/charon/encoding/payloads/transform_attribute.h
+++ b/src/charon/encoding/payloads/transform_attribute.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: transform_attribute.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/transform_substructure.c b/src/charon/encoding/payloads/transform_substructure.c
index 7c3d6421a..497bd53b2 100644
--- a/src/charon/encoding/payloads/transform_substructure.c
+++ b/src/charon/encoding/payloads/transform_substructure.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: transform_substructure.c 3971 2008-05-16 13:27:21Z tobias $
*/
#include <stddef.h>
@@ -382,37 +380,23 @@ transform_substructure_t *transform_substructure_create()
/*
* Described in header
*/
-transform_substructure_t *transform_substructure_create_type(transform_type_t transform_type, u_int16_t transform_id, u_int16_t key_length)
+transform_substructure_t *transform_substructure_create_type(
+ transform_type_t transform_type,
+ u_int16_t transform_id, u_int16_t key_length)
{
transform_substructure_t *transform = transform_substructure_create();
transform->set_transform_type(transform,transform_type);
transform->set_transform_id(transform,transform_id);
- /* a keylength attribute is only created for variable length algos */
- if (transform_type == ENCRYPTION_ALGORITHM)
+ if (key_length)
{
- switch(transform_id)
- {
- case ENCR_AES_CBC:
- case ENCR_IDEA:
- case ENCR_CAST:
- case ENCR_BLOWFISH:
- case ENCR_AES_CCM_ICV8:
- case ENCR_AES_CCM_ICV12:
- case ENCR_AES_CCM_ICV16:
- case ENCR_AES_GCM_ICV8:
- case ENCR_AES_GCM_ICV12:
- case ENCR_AES_GCM_ICV16:
- {
- transform_attribute_t *attribute = transform_attribute_create_key_length(key_length);
- transform->add_transform_attribute(transform,attribute);
- break;
- }
- default:
- break;
- }
+ transform_attribute_t *attribute;
+
+ attribute = transform_attribute_create_key_length(key_length);
+ transform->add_transform_attribute(transform, attribute);
+
}
-
return transform;
}
+
diff --git a/src/charon/encoding/payloads/transform_substructure.h b/src/charon/encoding/payloads/transform_substructure.h
index cc8adc38a..b02a94a6c 100644
--- a/src/charon/encoding/payloads/transform_substructure.h
+++ b/src/charon/encoding/payloads/transform_substructure.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: transform_substructure.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/ts_payload.c b/src/charon/encoding/payloads/ts_payload.c
index 5d53793b1..92ddc380f 100644
--- a/src/charon/encoding/payloads/ts_payload.c
+++ b/src/charon/encoding/payloads/ts_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ts_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/ts_payload.h b/src/charon/encoding/payloads/ts_payload.h
index 91f26f55d..3c8a6d595 100644
--- a/src/charon/encoding/payloads/ts_payload.h
+++ b/src/charon/encoding/payloads/ts_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ts_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/unknown_payload.c b/src/charon/encoding/payloads/unknown_payload.c
index 8a8db308d..309663233 100644
--- a/src/charon/encoding/payloads/unknown_payload.c
+++ b/src/charon/encoding/payloads/unknown_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: unknown_payload.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/unknown_payload.h b/src/charon/encoding/payloads/unknown_payload.h
index 03894c619..44b6e1a71 100644
--- a/src/charon/encoding/payloads/unknown_payload.h
+++ b/src/charon/encoding/payloads/unknown_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: unknown_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/encoding/payloads/vendor_id_payload.c b/src/charon/encoding/payloads/vendor_id_payload.c
index 3e47b9348..52d9e12a5 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.c
+++ b/src/charon/encoding/payloads/vendor_id_payload.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: vendor_id_payload.c 4120 2008-06-27 15:22:27Z andreas $
*/
#include <stddef.h>
diff --git a/src/charon/encoding/payloads/vendor_id_payload.h b/src/charon/encoding/payloads/vendor_id_payload.h
index b8798f24e..9ee9ea1d4 100644
--- a/src/charon/encoding/payloads/vendor_id_payload.h
+++ b/src/charon/encoding/payloads/vendor_id_payload.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: vendor_id_payload.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index f099a94ac..5188b79fe 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_interface.c 4997 2009-03-24 10:24:58Z martin $
*/
#include "kernel_interface.h"
@@ -20,8 +18,6 @@
#include <pthread.h>
#include <daemon.h>
-#include <utils/linked_list.h>
-#include <utils/mutex.h>
typedef struct private_kernel_interface_t private_kernel_interface_t;
@@ -36,16 +32,6 @@ struct private_kernel_interface_t {
kernel_interface_t public;
/**
- * list of registered ipsec kernel interfaces
- */
- linked_list_t *ipsec_interfaces;
-
- /**
- * list of registered network kernel interfaces
- */
- linked_list_t *net_interfaces;
-
- /**
* ipsec interface
*/
kernel_ipsec_t *ipsec;
@@ -54,11 +40,6 @@ struct private_kernel_interface_t {
* network interface
*/
kernel_net_t *net;
-
- /**
- * locking mutex
- */
- mutex_t *mutex;
};
/**
@@ -67,6 +48,10 @@ struct private_kernel_interface_t {
static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *dst,
protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
return this->ipsec->get_spi(this->ipsec, src, dst, protocol, reqid, spi);
}
@@ -76,6 +61,10 @@ static status_t get_spi(private_kernel_interface_t *this, host_t *src, host_t *d
static status_t get_cpi(private_kernel_interface_t *this, host_t *src, host_t *dst,
u_int32_t reqid, u_int16_t *cpi)
{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
return this->ipsec->get_cpi(this->ipsec, src, dst, reqid, cpi);
}
@@ -90,6 +79,10 @@ static status_t add_sa(private_kernel_interface_t *this, host_t *src, host_t *ds
ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
bool inbound)
{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
expire_soft, expire_hard, enc_alg, enc_key, int_alg, int_key,
mode, ipcomp, cpi, encap, inbound);
@@ -102,6 +95,10 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst,
host_t *new_src, host_t *new_dst, bool encap, bool new_encap)
{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst,
new_src, new_dst, encap, new_encap);
}
@@ -109,10 +106,14 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
/**
* Implementation of kernel_interface_t.del_sa
*/
-static status_t del_sa(private_kernel_interface_t *this, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
{
- return this->ipsec->del_sa(this->ipsec, dst, spi, protocol, cpi);
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
+ return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi);
}
/**
@@ -124,6 +125,10 @@ static status_t add_policy(private_kernel_interface_t *this, host_t *src, host_t
u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
bool routed)
{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts,
direction, spi, protocol, reqid, mode, ipcomp, cpi, routed);
}
@@ -135,6 +140,10 @@ static status_t query_policy(private_kernel_interface_t *this,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t *use_time)
{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, direction, use_time);
}
@@ -145,6 +154,10 @@ static status_t del_policy(private_kernel_interface_t *this,
traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
policy_dir_t direction, bool unrouted)
{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, direction, unrouted);
}
@@ -154,6 +167,10 @@ static status_t del_policy(private_kernel_interface_t *this,
static host_t *get_source_addr(private_kernel_interface_t *this,
host_t *dest, host_t *src)
{
+ if (!this->net)
+ {
+ return NULL;
+ }
return this->net->get_source_addr(this->net, dest, src);
}
@@ -162,6 +179,10 @@ static host_t *get_source_addr(private_kernel_interface_t *this,
*/
static host_t *get_nexthop(private_kernel_interface_t *this, host_t *dest)
{
+ if (!this->net)
+ {
+ return NULL;
+ }
return this->net->get_nexthop(this->net, dest);
}
@@ -170,6 +191,10 @@ static host_t *get_nexthop(private_kernel_interface_t *this, host_t *dest)
*/
static char* get_interface(private_kernel_interface_t *this, host_t *host)
{
+ if (!this->net)
+ {
+ return NULL;
+ }
return this->net->get_interface(this->net, host);
}
@@ -179,6 +204,10 @@ static char* get_interface(private_kernel_interface_t *this, host_t *host)
static enumerator_t *create_address_enumerator(private_kernel_interface_t *this,
bool include_down_ifaces, bool include_virtual_ips)
{
+ if (!this->net)
+ {
+ return enumerator_create_empty();
+ }
return this->net->create_address_enumerator(this->net, include_down_ifaces,
include_virtual_ips);
}
@@ -189,6 +218,10 @@ static enumerator_t *create_address_enumerator(private_kernel_interface_t *this,
static status_t add_ip(private_kernel_interface_t *this, host_t *virtual_ip,
host_t *iface_ip)
{
+ if (!this->net)
+ {
+ return NOT_SUPPORTED;
+ }
return this->net->add_ip(this->net, virtual_ip, iface_ip);
}
@@ -197,6 +230,10 @@ static status_t add_ip(private_kernel_interface_t *this, host_t *virtual_ip,
*/
static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
{
+ if (!this->net)
+ {
+ return NOT_SUPPORTED;
+ }
return this->net->del_ip(this->net, virtual_ip);
}
@@ -206,6 +243,10 @@ static status_t del_ip(private_kernel_interface_t *this, host_t *virtual_ip)
static status_t add_route(private_kernel_interface_t *this, chunk_t dst_net,
u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
{
+ if (!this->net)
+ {
+ return NOT_SUPPORTED;
+ }
return this->net->add_route(this->net, dst_net, prefixlen, gateway, src_ip,
if_name);
}
@@ -216,6 +257,10 @@ static status_t add_route(private_kernel_interface_t *this, chunk_t dst_net,
static status_t del_route(private_kernel_interface_t *this, chunk_t dst_net,
u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
{
+ if (!this->net)
+ {
+ return NOT_SUPPORTED;
+ }
return this->net->del_route(this->net, dst_net, prefixlen, gateway, src_ip,
if_name);
}
@@ -283,70 +328,42 @@ static status_t get_address_by_ts(private_kernel_interface_t *this,
* Implementation of kernel_interface_t.add_ipsec_interface.
*/
static void add_ipsec_interface(private_kernel_interface_t *this,
- kernel_ipsec_constructor_t *create)
+ kernel_ipsec_constructor_t constructor)
{
- this->mutex->lock(this->mutex);
- this->ipsec_interfaces->insert_last(this->ipsec_interfaces, create);
- this->mutex->unlock(this->mutex);
+ if (!this->ipsec)
+ {
+ this->ipsec = constructor();
+ }
}
/**
* Implementation of kernel_interface_t.remove_ipsec_interface.
*/
static void remove_ipsec_interface(private_kernel_interface_t *this,
- kernel_ipsec_constructor_t *create)
+ kernel_ipsec_constructor_t constructor)
{
- this->mutex->lock(this->mutex);
- this->ipsec_interfaces->remove(this->ipsec_interfaces, create, NULL);
- this->mutex->unlock(this->mutex);
+ /* TODO: replace if interface currently in use */
}
/**
* Implementation of kernel_interface_t.add_net_interface.
*/
static void add_net_interface(private_kernel_interface_t *this,
- kernel_net_constructor_t *create)
+ kernel_net_constructor_t constructor)
{
- this->mutex->lock(this->mutex);
- this->net_interfaces->insert_last(this->net_interfaces, create);
- this->mutex->unlock(this->mutex);
+ if (!this->net)
+ {
+ this->net = constructor();
+ }
}
/**
* Implementation of kernel_interface_t.remove_net_interface.
*/
static void remove_net_interface(private_kernel_interface_t *this,
- kernel_net_constructor_t *create)
-{
- this->mutex->lock(this->mutex);
- this->net_interfaces->remove(this->net_interfaces, create, NULL);
- this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of kernel_interface_t.create_interfaces.
- */
-static void create_interfaces(private_kernel_interface_t *this)
+ kernel_net_constructor_t constructor)
{
- kernel_ipsec_constructor_t create_ipsec;
- kernel_net_constructor_t create_net;
-
- this->mutex->lock(this->mutex);
- if (this->ipsec_interfaces->get_first(this->ipsec_interfaces, (void**)&create_ipsec) != SUCCESS)
- {
- this->mutex->unlock(this->mutex);
- charon->kill(charon, "no ipsec kernel interface loaded");
- }
-
- if (this->net_interfaces->get_first(this->net_interfaces, (void**)&create_net) != SUCCESS)
- {
- this->mutex->unlock(this->mutex);
- charon->kill(charon, "no network kernel interface loaded");
- }
- this->mutex->unlock(this->mutex);
-
- this->ipsec = create_ipsec();
- this->net = create_net();
+ /* TODO: replace if interface currently in use */
}
/**
@@ -356,9 +373,6 @@ static void destroy(private_kernel_interface_t *this)
{
DESTROY_IF(this->ipsec);
DESTROY_IF(this->net);
- this->ipsec_interfaces->destroy(this->ipsec_interfaces);
- this->net_interfaces->destroy(this->net_interfaces);
- this->mutex->destroy(this->mutex);
free(this);
}
@@ -373,7 +387,7 @@ kernel_interface_t *kernel_interface_create()
this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
- this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
@@ -394,12 +408,8 @@ kernel_interface_t *kernel_interface_create()
this->public.add_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))add_net_interface;
this->public.remove_net_interface = (void(*)(kernel_interface_t*, kernel_net_constructor_t))remove_net_interface;
- this->public.create_interfaces = (void (*)(kernel_interface_t*))create_interfaces;
this->public.destroy = (void (*)(kernel_interface_t*))destroy;
- this->ipsec_interfaces = linked_list_create();
- this->net_interfaces = linked_list_create();
- this->mutex = mutex_create(MUTEX_RECURSIVE);
this->ipsec = NULL;
this->net = NULL;
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 29a07f74f..8c58c959a 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_interface.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -145,14 +143,15 @@ struct kernel_interface_t {
/**
* Delete a previously installed SA from the SAD.
*
+ * @param src source address for this SA
* @param dst destination address for this SA
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
* @param cpi CPI for IPComp or 0
* @return SUCCESS if operation completed
*/
- status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int16_t cpi);
+ status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
/**
* Add a policy to the SPD.
@@ -364,11 +363,6 @@ struct kernel_interface_t {
void (*remove_net_interface)(kernel_interface_t *this, kernel_net_constructor_t create);
/**
- * Create the kernel interfaces classes.
- */
- void (*create_interfaces)(kernel_interface_t *this);
-
- /**
* Destroys a kernel_interface_manager_t object.
*/
void (*destroy) (kernel_interface_t *this);
diff --git a/src/charon/kernel/kernel_ipsec.c b/src/charon/kernel/kernel_ipsec.c
index 1fef2acca..45eef4907 100644
--- a/src/charon/kernel/kernel_ipsec.c
+++ b/src/charon/kernel/kernel_ipsec.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_ipsec.c 4430 2008-10-14 08:46:31Z tobias $
*/
#include "kernel_ipsec.h"
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index 24834c4b1..6e8c5bc63 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_ipsec.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -35,17 +33,15 @@ typedef struct kernel_ipsec_t kernel_ipsec_t;
#include <encoding/payloads/proposal_substructure.h>
/**
- * Mode of an CHILD_SA.
- *
- * These are equal to those defined in XFRM, so don't change.
+ * Mode of a CHILD_SA.
*/
enum ipsec_mode_t {
/** transport mode, no inner address */
- MODE_TRANSPORT = 0,
+ MODE_TRANSPORT = 1,
/** tunnel mode, inner and outer addresses */
- MODE_TUNNEL = 1,
+ MODE_TUNNEL,
/** BEET mode, tunnel mode but fixed, bound inner addresses */
- MODE_BEET = 4,
+ MODE_BEET,
};
/**
@@ -177,14 +173,15 @@ struct kernel_ipsec_t {
/**
* Delete a previusly installed SA from the SAD.
*
+ * @param src source address for this SA
* @param dst destination address for this SA
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
* @param cpi CPI for IPComp or 0
* @return SUCCESS if operation completed
*/
- status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int16_t cpi);
+ status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi);
/**
* Add a policy to the SPD.
diff --git a/src/charon/kernel/kernel_net.h b/src/charon/kernel/kernel_net.h
index df73bc1f9..02242f3a8 100644
--- a/src/charon/kernel/kernel_net.h
+++ b/src/charon/kernel/kernel_net.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_net.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/network/packet.c b/src/charon/network/packet.c
index b47e6322f..fd3a274bd 100644
--- a/src/charon/network/packet.c
+++ b/src/charon/network/packet.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: packet.c 3589 2008-03-13 14:14:44Z martin $
*/
#include "packet.h"
diff --git a/src/charon/network/packet.h b/src/charon/network/packet.h
index 8c1a07ab5..aacb203e9 100644
--- a/src/charon/network/packet.h
+++ b/src/charon/network/packet.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: packet.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/network/receiver.c b/src/charon/network/receiver.c
index 7f55df4d2..ab4d6d592 100644
--- a/src/charon/network/receiver.c
+++ b/src/charon/network/receiver.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: receiver.c 4699 2008-11-26 09:22:19Z tobias $
*/
#include <stdlib.h>
@@ -57,56 +55,56 @@ struct private_receiver_t {
* Threads job receiving packets
*/
callback_job_t *job;
-
+
/**
* Assigned thread.
*/
pthread_t assigned_thread;
- /**
- * current secret to use for cookie calculation
- */
- char secret[SECRET_LENGTH];
-
- /**
- * previous secret used to verify older cookies
- */
- char secret_old[SECRET_LENGTH];
-
- /**
- * how many times we have used "secret" so far
- */
- u_int32_t secret_used;
-
- /**
- * time we did the cookie switch
- */
- u_int32_t secret_switch;
-
- /**
- * time offset to use, hides our system time
- */
- u_int32_t secret_offset;
-
- /**
- * the RNG to use for secret generation
- */
- rng_t *rng;
-
- /**
- * hasher to use for cookie calculation
- */
- hasher_t *hasher;
-
- /**
- * require cookies after this many half open IKE_SAs
- */
- u_int32_t cookie_threshold;
-
- /**
- * how many half open IKE_SAs per peer before blocking
- */
- u_int32_t block_threshold;
+ /**
+ * current secret to use for cookie calculation
+ */
+ char secret[SECRET_LENGTH];
+
+ /**
+ * previous secret used to verify older cookies
+ */
+ char secret_old[SECRET_LENGTH];
+
+ /**
+ * how many times we have used "secret" so far
+ */
+ u_int32_t secret_used;
+
+ /**
+ * time we did the cookie switch
+ */
+ u_int32_t secret_switch;
+
+ /**
+ * time offset to use, hides our system time
+ */
+ u_int32_t secret_offset;
+
+ /**
+ * the RNG to use for secret generation
+ */
+ rng_t *rng;
+
+ /**
+ * hasher to use for cookie calculation
+ */
+ hasher_t *hasher;
+
+ /**
+ * require cookies after this many half open IKE_SAs
+ */
+ u_int32_t cookie_threshold;
+
+ /**
+ * how many half open IKE_SAs per peer before blocking
+ */
+ u_int32_t block_threshold;
};
/**
@@ -169,10 +167,10 @@ static bool cookie_verify(private_receiver_t *this, message_t *message,
u_int32_t t, now;
chunk_t reference;
chunk_t secret;
-
+
now = time(NULL);
t = *(u_int32_t*)cookie.ptr;
-
+
if (cookie.len != sizeof(u_int32_t) +
this->hasher->get_hash_size(this->hasher) ||
t < now - this->secret_offset - COOKIE_LIFETIME)
@@ -355,7 +353,7 @@ receiver_t *receiver_create()
{
private_receiver_t *this = malloc_thing(private_receiver_t);
u_int32_t now = time(NULL);
-
+
this->public.destroy = (void(*)(receiver_t*)) destroy;
this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
@@ -387,7 +385,7 @@ receiver_t *receiver_create()
this->cookie_threshold = 0;
this->block_threshold = 0;
}
-
+
this->job = callback_job_create((callback_job_cb_t)receive_packets,
this, NULL, NULL);
charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h
index 36a57df79..87797634e 100644
--- a/src/charon/network/receiver.h
+++ b/src/charon/network/receiver.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: receiver.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 3295ec2df..4910fe2e8 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sender.c 4582 2008-11-05 12:24:36Z martin $
*/
#include <stdlib.h>
diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h
index 0c92017e4..55f67af70 100644
--- a/src/charon/network/sender.h
+++ b/src/charon/network/sender.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sender.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/network/socket-raw.c b/src/charon/network/socket-raw.c
index 40218f67d..148be486c 100644
--- a/src/charon/network/socket-raw.c
+++ b/src/charon/network/socket-raw.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: socket-raw.c 4646 2008-11-13 07:15:45Z martin $
*/
/* for struct in6_pktinfo */
@@ -374,7 +372,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
msg.msg_iovlen = 1;
msg.msg_flags = 0;
- if (!dst->is_anyaddr(dst))
+ if (!src->is_anyaddr(src))
{
if (family == AF_INET)
{
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 8c516a9da..8627ca76d 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: socket.c 4688 2008-11-24 08:22:05Z martin $
*/
/* for struct in6_pktinfo */
@@ -30,12 +28,11 @@
#include <stdlib.h>
#include <fcntl.h>
#include <sys/ioctl.h>
+#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/udp.h>
-#include <linux/types.h>
-#include <linux/filter.h>
#include <net/if.h>
#include "socket.h"
@@ -54,10 +51,23 @@
#define UDP_ENCAP_ESPINUDP 2
#endif /*UDP_ENCAP_ESPINUDP*/
-/* needed for older kernel headers */
-#ifndef IPV6_2292PKTINFO
-#define IPV6_2292PKTINFO 2
-#endif /*IPV6_2292PKTINFO*/
+/* these are not defined on some platforms */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#endif
+#ifndef SOL_IPV6
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+#ifndef SOL_UDP
+#define SOL_UDP IPPROTO_UDP
+#endif
+
+/* IPV6_RECVPKTINFO is defined in RFC 3542 which obsoletes RFC 2292 that
+ * previously defined IPV6_PKTINFO */
+#ifndef IPV6_RECVPKTINFO
+#define IPV6_RECVPKTINFO IPV6_PKTINFO;
+#endif
+
typedef struct private_socket_t private_socket_t;
@@ -68,27 +78,27 @@ struct private_socket_t {
/**
* public functions
*/
- socket_t public;
-
- /**
- * IPv4 socket (500)
- */
- int ipv4;
-
- /**
- * IPv4 socket for NATT (4500)
- */
- int ipv4_natt;
-
- /**
- * IPv6 socket (500)
- */
- int ipv6;
+ socket_t public;
+
+ /**
+ * IPv4 socket (500)
+ */
+ int ipv4;
- /**
- * IPv6 socket for NATT (4500)
- */
- int ipv6_natt;
+ /**
+ * IPv4 socket for NATT (4500)
+ */
+ int ipv4_natt;
+
+ /**
+ * IPv6 socket (500)
+ */
+ int ipv6;
+
+ /**
+ * IPv6 socket for NATT (4500)
+ */
+ int ipv6_natt;
};
/**
@@ -104,8 +114,8 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
int data_offset, oldstate;
fd_set rfds;
int max_fd = 0, selected = 0;
- u_int16_t port;
-
+ u_int16_t port = 0;
+
FD_ZERO(&rfds);
if (this->ipv4)
@@ -201,7 +211,7 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
}
if (cmsgptr->cmsg_level == SOL_IPV6 &&
- cmsgptr->cmsg_type == IPV6_2292PKTINFO)
+ cmsgptr->cmsg_type == IPV6_PKTINFO)
{
struct in6_pktinfo *pktinfo;
pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsgptr);
@@ -214,14 +224,28 @@ static status_t receiver(private_socket_t *this, packet_t **packet)
dest = host_create_from_sockaddr((sockaddr_t*)&dst);
}
if (cmsgptr->cmsg_level == SOL_IP &&
- cmsgptr->cmsg_type == IP_PKTINFO)
- {
+#ifdef IP_PKTINFO
+ cmsgptr->cmsg_type == IP_PKTINFO
+#elif defined(IP_RECVDSTADDR)
+ cmsgptr->cmsg_type == IP_RECVDSTADDR
+#else
+ FALSE
+#endif
+ )
+ {
+ struct in_addr *addr;
+ struct sockaddr_in dst;
+
+#ifdef IP_PKTINFO
struct in_pktinfo *pktinfo;
pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsgptr);
- struct sockaddr_in dst;
-
+ addr = &pktinfo->ipi_addr;
+#elif defined(IP_RECVDSTADDR)
+ addr = (struct in_addr*)CMSG_DATA(cmsgptr);
+#endif
memset(&dst, 0, sizeof(dst));
- memcpy(&dst.sin_addr, &pktinfo->ipi_addr, sizeof(dst.sin_addr));
+ memcpy(&dst.sin_addr, addr, sizeof(dst.sin_addr));
+
dst.sin_family = AF_INET;
dst.sin_port = htons(port);
dest = host_create_from_sockaddr((sockaddr_t*)&dst);
@@ -340,24 +364,37 @@ status_t sender(private_socket_t *this, packet_t *packet)
msg.msg_iovlen = 1;
msg.msg_flags = 0;
- if (!dst->is_anyaddr(dst))
+ if (!src->is_anyaddr(src))
{
if (family == AF_INET)
{
+#if defined(IP_PKTINFO) || defined(IP_SENDSRCADDR)
+ struct in_addr *addr;
+ struct sockaddr_in *sin;
+#ifdef IP_PKTINFO
char buf[CMSG_SPACE(sizeof(struct in_pktinfo))];
struct in_pktinfo *pktinfo;
- struct sockaddr_in *sin;
-
+#elif defined(IP_SENDSRCADDR)
+ char buf[CMSG_SPACE(sizeof(struct in_addr))];
+#endif
msg.msg_control = buf;
msg.msg_controllen = sizeof(buf);
cmsg = CMSG_FIRSTHDR(&msg);
cmsg->cmsg_level = SOL_IP;
+#ifdef IP_PKTINFO
cmsg->cmsg_type = IP_PKTINFO;
cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
pktinfo = (struct in_pktinfo*)CMSG_DATA(cmsg);
memset(pktinfo, 0, sizeof(struct in_pktinfo));
+ addr = &pktinfo->ipi_spec_dst;
+#elif defined(IP_SENDSRCADDR)
+ cmsg->cmsg_type = IP_SENDSRCADDR;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
+ addr = (struct in_addr*)CMSG_DATA(cmsg);
+#endif
sin = (struct sockaddr_in*)src->get_sockaddr(src);
- memcpy(&pktinfo->ipi_spec_dst, &sin->sin_addr, sizeof(struct in_addr));
+ memcpy(addr, &sin->sin_addr, sizeof(struct in_addr));
+#endif /* IP_PKTINFO || IP_SENDSRCADDR */
}
else
{
@@ -369,7 +406,7 @@ status_t sender(private_socket_t *this, packet_t *packet)
msg.msg_controllen = sizeof(buf);
cmsg = CMSG_FIRSTHDR(&msg);
cmsg->cmsg_level = SOL_IPV6;
- cmsg->cmsg_type = IPV6_2292PKTINFO;
+ cmsg->cmsg_type = IPV6_PKTINFO;
cmsg->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
pktinfo = (struct in6_pktinfo*)CMSG_DATA(cmsg);
memset(pktinfo, 0, sizeof(struct in6_pktinfo));
@@ -389,14 +426,15 @@ status_t sender(private_socket_t *this, packet_t *packet)
}
/**
- * open a socket to send packets
+ * open a socket to send and receive packets
*/
static int open_socket(private_socket_t *this, int family, u_int16_t port)
{
int on = TRUE;
int type = UDP_ENCAP_ESPINUDP;
struct sockaddr_storage addr;
- u_int sol, pktinfo;
+ socklen_t addrlen;
+ u_int sol, pktinfo = 0;
int skt;
memset(&addr, 0, sizeof(addr));
@@ -409,8 +447,13 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
sin->sin_family = AF_INET;
sin->sin_addr.s_addr = INADDR_ANY;
sin->sin_port = htons(port);
+ addrlen = sizeof(struct sockaddr_in);
sol = SOL_IP;
+#ifdef IP_PKTINFO
pktinfo = IP_PKTINFO;
+#elif defined(IP_RECVDSTADDR)
+ pktinfo = IP_RECVDSTADDR;
+#endif
break;
}
case AF_INET6:
@@ -419,8 +462,9 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
sin6->sin6_family = AF_INET6;
memcpy(&sin6->sin6_addr, &in6addr_any, sizeof(in6addr_any));
sin6->sin6_port = htons(port);
+ addrlen = sizeof(struct sockaddr_in6);
sol = SOL_IPV6;
- pktinfo = IPV6_2292PKTINFO;
+ pktinfo = IPV6_RECVPKTINFO;
break;
}
default:
@@ -440,8 +484,8 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
return 0;
}
- /* bind the send socket */
- if (bind(skt, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+ /* bind the socket */
+ if (bind(skt, (struct sockaddr *)&addr, addrlen) < 0)
{
DBG1(DBG_NET, "unable to bind socket: %s", strerror(errno));
close(skt);
@@ -449,11 +493,14 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
}
/* get additional packet info on receive */
- if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
+ if (pktinfo > 0)
{
- DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
- close(skt);
- return 0;
+ if (setsockopt(skt, sol, pktinfo, &on, sizeof(on)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set IP_PKTINFO on socket: %s", strerror(errno));
+ close(skt);
+ return 0;
+ }
}
/* enable UDP decapsulation globally, only for one socket needed */
@@ -578,7 +625,7 @@ socket_t *socket_create()
DBG1(DBG_NET, "could not open IPv4 NAT-T socket");
}
}
-
+
this->ipv6 = open_socket(this, AF_INET6, IKEV2_UDP_PORT);
if (this->ipv6 == 0)
{
diff --git a/src/charon/network/socket.h b/src/charon/network/socket.h
index af5d64edf..81f2ec5fe 100644
--- a/src/charon/network/socket.h
+++ b/src/charon/network/socket.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: socket.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am
new file mode 100644
index 000000000..d5eb99d9f
--- /dev/null
+++ b/src/charon/plugins/attr/Makefile.am
@@ -0,0 +1,9 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-attr.la
+libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
+ attr_provider.h attr_provider.c
+libstrongswan_attr_la_LDFLAGS = -module
diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in
new file mode 100644
index 000000000..c0467054e
--- /dev/null
+++ b/src/charon/plugins/attr/Makefile.in
@@ -0,0 +1,507 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/attr
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_attr_la_LIBADD =
+am_libstrongswan_attr_la_OBJECTS = attr_plugin.lo attr_provider.lo
+libstrongswan_attr_la_OBJECTS = $(am_libstrongswan_attr_la_OBJECTS)
+libstrongswan_attr_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_attr_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_attr_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_attr_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-attr.la
+libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
+ attr_provider.h attr_provider.c
+
+libstrongswan_attr_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/attr/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/attr/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-attr.la: $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_DEPENDENCIES)
+ $(libstrongswan_attr_la_LINK) -rpath $(plugindir) $(libstrongswan_attr_la_OBJECTS) $(libstrongswan_attr_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_plugin.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_provider.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/attr/attr_plugin.c b/src/charon/plugins/attr/attr_plugin.c
new file mode 100644
index 000000000..9d5532310
--- /dev/null
+++ b/src/charon/plugins/attr/attr_plugin.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "attr_plugin.h"
+#include "attr_provider.h"
+
+#include <daemon.h>
+
+typedef struct private_attr_plugin_t private_attr_plugin_t;
+
+/**
+ * private data of attr plugin
+ */
+struct private_attr_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ attr_plugin_t public;
+
+ /**
+ * CFG attributes provider
+ */
+ attr_provider_t *provider;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_attr_plugin_t *this)
+{
+ charon->attributes->remove_provider(charon->attributes, &this->provider->provider);
+ this->provider->destroy(this->provider);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t);
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ this->provider = attr_provider_create();
+ charon->attributes->add_provider(charon->attributes, &this->provider->provider);
+
+ return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/attr/attr_plugin.h b/src/charon/plugins/attr/attr_plugin.h
new file mode 100644
index 000000000..9cbbd8bf5
--- /dev/null
+++ b/src/charon/plugins/attr/attr_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr attr
+ * @ingroup cplugins
+ *
+ * @defgroup attr_plugin attr_plugin
+ * @{ @ingroup attr
+ */
+
+#ifndef ATTR_PLUGIN_H_
+#define ATTR_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct attr_plugin_t attr_plugin_t;
+
+/**
+ * Plugin providing configuration attribute through strongswan.conf.
+ */
+struct attr_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a attr_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** ATTR_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/attr/attr_provider.c b/src/charon/plugins/attr/attr_provider.c
new file mode 100644
index 000000000..02fa11327
--- /dev/null
+++ b/src/charon/plugins/attr/attr_provider.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "attr_provider.h"
+
+#include <time.h>
+
+#include <daemon.h>
+
+#define SERVER_MAX 2
+
+typedef struct private_attr_provider_t private_attr_provider_t;
+typedef struct attribute_entry_t attribute_entry_t;
+
+/**
+ * private data of attr_provider
+ */
+struct private_attr_provider_t {
+
+ /**
+ * public functions
+ */
+ attr_provider_t public;
+
+ /**
+ * List of attributes, attribute_entry_t
+ */
+ linked_list_t *attributes;
+};
+
+struct attribute_entry_t {
+ /** type of attribute */
+ configuration_attribute_type_t type;
+ /** attribute value */
+ chunk_t value;
+};
+
+/**
+ * convert enumerator value from attribute_entry
+ */
+static bool attr_enum_filter(void *null, attribute_entry_t **in,
+ configuration_attribute_type_t *type, void* none, chunk_t *value)
+{
+ *type = (*in)->type;
+ *value = (*in)->value;
+ return TRUE;
+}
+
+/**
+ * Implementation of attribute_provider_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(
+ private_attr_provider_t *this, identification_t *id)
+{
+ return enumerator_create_filter(
+ this->attributes->create_enumerator(this->attributes),
+ (void*)attr_enum_filter, NULL, NULL);
+}
+
+/**
+ * Implementation of attr_provider_t.destroy
+ */
+static void destroy(private_attr_provider_t *this)
+{
+ attribute_entry_t *entry;
+
+ while (this->attributes->remove_last(this->attributes,
+ (void**)&entry) == SUCCESS)
+ {
+ free(entry->value.ptr);
+ free(entry);
+ }
+ this->attributes->destroy(this->attributes);
+ free(this);
+}
+
+/**
+ * Add an attribute entry to the list
+ */
+static void add_entry(private_attr_provider_t *this, char *key, int nr,
+ configuration_attribute_type_t type)
+{
+ attribute_entry_t *entry;
+ host_t *host;
+ char *str;
+
+ str = lib->settings->get_str(lib->settings, "charon.%s%d", NULL, key, nr);
+ if (str)
+ {
+ host = host_create_from_string(str, 0);
+ if (host)
+ {
+ entry = malloc_thing(attribute_entry_t);
+
+ if (host->get_family(host) == AF_INET6)
+ {
+ switch (type)
+ {
+ case INTERNAL_IP4_DNS:
+ type = INTERNAL_IP6_DNS;
+ break;
+ case INTERNAL_IP4_NBNS:
+ type = INTERNAL_IP6_NBNS;
+ break;
+ default:
+ break;
+ }
+ }
+ entry->type = type;
+ entry->value = chunk_clone(host->get_address(host));
+ host->destroy(host);
+ this->attributes->insert_last(this->attributes, entry);
+ }
+ }
+}
+
+/*
+ * see header file
+ */
+attr_provider_t *attr_provider_create(database_t *db)
+{
+ private_attr_provider_t *this;
+ int i;
+
+ this = malloc_thing(private_attr_provider_t);
+
+ this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
+ this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
+ this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))create_attribute_enumerator;
+ this->public.destroy = (void(*)(attr_provider_t*))destroy;
+
+ this->attributes = linked_list_create();
+
+ for (i = 1; i <= SERVER_MAX; i++)
+ {
+ add_entry(this, "dns", i, INTERNAL_IP4_DNS);
+ add_entry(this, "nbns", i, INTERNAL_IP4_NBNS);
+ }
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/attr/attr_provider.h b/src/charon/plugins/attr/attr_provider.h
new file mode 100644
index 000000000..03cbadb4e
--- /dev/null
+++ b/src/charon/plugins/attr/attr_provider.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup attr_provider attr_provider
+ * @{ @ingroup attr
+ */
+
+#ifndef ATTR_PROVIDER_H_
+#define ATTR_PROVIDER_H_
+
+#include <config/attributes/attribute_provider.h>
+
+typedef struct attr_provider_t attr_provider_t;
+
+/**
+ * Provide configuration attributes through static strongswan.conf definition.
+ */
+struct attr_provider_t {
+
+ /**
+ * Implements attribute provider interface
+ */
+ attribute_provider_t provider;
+
+ /**
+ * Destroy a attr_provider instance.
+ */
+ void (*destroy)(attr_provider_t *this);
+};
+
+/**
+ * Create a attr_provider instance.
+ */
+attr_provider_t *attr_provider_create();
+
+#endif /** ATTR_PROVIDER @}*/
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
index 47eece7ab..74d49ac73 100644
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ b/src/charon/plugins/eap_aka/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -223,8 +232,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -319,7 +328,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_aka/eap_aka.c b/src/charon/plugins/eap_aka/eap_aka.c
index bb3825d3d..82ee6c3f0 100644
--- a/src/charon/plugins/eap_aka/eap_aka.c
+++ b/src/charon/plugins/eap_aka/eap_aka.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_aka.c 4628 2008-11-11 15:19:13Z martin $
*/
@@ -880,7 +878,7 @@ static status_t server_initiate_challenge(private_eap_aka_t *this, chunk_t sqn,
/* Get the shared key K: */
if (load_key(this->server, this->peer, &this->k) != SUCCESS)
{
- DBG1(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+ DBG1(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
"with EAP-AKA", this->server, this->peer);
return FAILED;
}
@@ -1202,7 +1200,7 @@ static status_t peer_process_challenge(private_eap_aka_t *this,
{
*out = build_aka_payload(this, EAP_RESPONSE, identifier,
AKA_AUTHENTICATION_REJECT, AT_END);
- DBG3(DBG_IKE, "no shared key found for IDs '%D' - '%D' to authenticate "
+ DBG3(DBG_IKE, "no shared key found for IDs '%Y' - '%Y' to authenticate "
"with EAP-AKA, sending %N", this->peer, this->server,
aka_subtype_names, AKA_AUTHENTICATION_REJECT);
return NEED_MORE;
diff --git a/src/charon/plugins/eap_aka/eap_aka.h b/src/charon/plugins/eap_aka/eap_aka.h
index 196eaf429..7686802cf 100644
--- a/src/charon/plugins/eap_aka/eap_aka.h
+++ b/src/charon/plugins/eap_aka/eap_aka.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_aka.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.c b/src/charon/plugins/eap_aka/eap_aka_plugin.c
index 5c15b6d7e..e4a5326fe 100644
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.c
+++ b/src/charon/plugins/eap_aka/eap_aka_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_aka_plugin.c 3491 2008-02-22 14:04:00Z martin $
*/
#include "eap_aka_plugin.h"
diff --git a/src/charon/plugins/eap_aka/eap_aka_plugin.h b/src/charon/plugins/eap_aka/eap_aka_plugin.h
index 5fdc5c768..2c086ca80 100644
--- a/src/charon/plugins/eap_aka/eap_aka_plugin.h
+++ b/src/charon/plugins/eap_aka/eap_aka_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_aka_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
index 0e8245804..19d648bbd 100644
--- a/src/charon/plugins/eap_gtc/Makefile.in
+++ b/src/charon/plugins/eap_gtc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -222,8 +231,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.c b/src/charon/plugins/eap_gtc/eap_gtc.c
index 0a93a90f6..cb4ab2e59 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_gtc.c 3806 2008-04-15 05:56:35Z martin $
*/
#include "eap_gtc.h"
@@ -174,7 +172,7 @@ static status_t process_peer(private_eap_gtc_t *this,
this->peer, this->server);
if (shared == NULL)
{
- DBG1(DBG_IKE, "no EAP key found for '%D' - '%D'",
+ DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'",
this->peer, this->server);
return FAILED;
}
diff --git a/src/charon/plugins/eap_gtc/eap_gtc.h b/src/charon/plugins/eap_gtc/eap_gtc.h
index 722881249..2eb8482f8 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc.h
+++ b/src/charon/plugins/eap_gtc/eap_gtc.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_gtc.h 3589 2008-03-13 14:14:44Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
index cea88ef9f..fda6c744a 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "eap_gtc_plugin.h"
diff --git a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
index f858f0d15..abb6bdcb6 100644
--- a/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
+++ b/src/charon/plugins/eap_gtc/eap_gtc_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
index 212df3a94..f275cd770 100644
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ b/src/charon/plugins/eap_identity/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_identity/eap_identity.c b/src/charon/plugins/eap_identity/eap_identity.c
index deaa183f4..e43c50c50 100644
--- a/src/charon/plugins/eap_identity/eap_identity.c
+++ b/src/charon/plugins/eap_identity/eap_identity.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_identity.c 4276 2008-08-22 10:44:51Z martin $
*/
#include "eap_identity.h"
diff --git a/src/charon/plugins/eap_identity/eap_identity.h b/src/charon/plugins/eap_identity/eap_identity.h
index 60f62e17c..7364a8bda 100644
--- a/src/charon/plugins/eap_identity/eap_identity.h
+++ b/src/charon/plugins/eap_identity/eap_identity.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_identity.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.c b/src/charon/plugins/eap_identity/eap_identity_plugin.c
index 1393a21a0..809254ccb 100644
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.c
+++ b/src/charon/plugins/eap_identity/eap_identity_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_identity_plugin.c 4276 2008-08-22 10:44:51Z martin $
*/
#include "eap_identity_plugin.h"
diff --git a/src/charon/plugins/eap_identity/eap_identity_plugin.h b/src/charon/plugins/eap_identity/eap_identity_plugin.h
index ddb3ed457..0a7fb8228 100644
--- a/src/charon/plugins/eap_identity/eap_identity_plugin.h
+++ b/src/charon/plugins/eap_identity/eap_identity_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_identity_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
index 7009f6488..372b80b3e 100644
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ b/src/charon/plugins/eap_md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -222,8 +231,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_md5/eap_md5.c b/src/charon/plugins/eap_md5/eap_md5.c
index 0781e024b..36d726947 100644
--- a/src/charon/plugins/eap_md5/eap_md5.c
+++ b/src/charon/plugins/eap_md5/eap_md5.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_md5.c 4276 2008-08-22 10:44:51Z martin $
*/
#include "eap_md5.h"
@@ -90,7 +88,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response)
this->server, this->peer);
if (shared == NULL)
{
- DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+ DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
this->server, this->peer);
return NOT_FOUND;
}
diff --git a/src/charon/plugins/eap_md5/eap_md5.h b/src/charon/plugins/eap_md5/eap_md5.h
index 2617b9aea..3cff0dd79 100644
--- a/src/charon/plugins/eap_md5/eap_md5.h
+++ b/src/charon/plugins/eap_md5/eap_md5.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_md5.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.c b/src/charon/plugins/eap_md5/eap_md5_plugin.c
index cb6a9bd7c..e30152fc5 100644
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.c
+++ b/src/charon/plugins/eap_md5/eap_md5_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_md5_plugin.c 3491 2008-02-22 14:04:00Z martin $
*/
#include "eap_md5_plugin.h"
diff --git a/src/charon/plugins/eap_md5/eap_md5_plugin.h b/src/charon/plugins/eap_md5/eap_md5_plugin.h
index 3adbcfe27..eb5b38e94 100644
--- a/src/charon/plugins/eap_md5/eap_md5_plugin.h
+++ b/src/charon/plugins/eap_md5/eap_md5_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_md5_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in
index e9dcae03e..5ae41d896 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.in
+++ b/src/charon/plugins/eap_mschapv2/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -323,7 +332,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
index 07ca48e6f..0e3fac780 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.c
@@ -11,12 +11,13 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_mschapv2.c 4896 2009-02-24 13:39:50Z martin $
*/
#include "eap_mschapv2.h"
+#include <ctype.h>
+#include <unistd.h>
+
#include <daemon.h>
#include <library.h>
#include <utils/enumerator.h>
@@ -141,7 +142,7 @@ ENUM_END(mschapv2_error_names, ERROR_CHANGING_PASSWORD);
/* Name we send as authenticator */
#define MSCHAPV2_HOST_NAME "strongSwan"
/* Message sent on success */
-#define SUCCESS_MESSAGE " M=Welcome to strongSwan"
+#define SUCCESS_MESSAGE " M=Welcome2strongSwan"
/* Message sent on failure */
#define FAILURE_MESSAGE "E=691 R=1 C="
/* Length of the complete failure message */
@@ -366,7 +367,6 @@ static status_t AuthenticatorResponse(chunk_t password_hash_hash,
static const chunk_t magic1 = chunk_from_buf(magic1_data);
static const chunk_t magic2 = chunk_from_buf(magic2_data);
- status_t status = FAILED;
chunk_t digest = chunk_empty, concat;
hasher_t *hasher;
@@ -456,7 +456,7 @@ static status_t GenerateMSK(chunk_t password_hash_hash,
hasher->allocate_hash(hasher, concat, &master_send_key);
master_send_key.len = 16;
- *msk = chunk_cat("cccc", master_receive_key, keypad, master_send_key, keypad);
+ *msk = chunk_cat("cccc", master_receive_key, master_send_key, keypad, keypad);
hasher->destroy(hasher);
chunk_free(&master_key);
@@ -527,6 +527,24 @@ static chunk_t ascii_to_unicode(chunk_t ascii)
}
/**
+ * sanitize a string for printing
+ */
+static char* sanitize(char *str)
+{
+ char *pos = str;
+
+ while (pos && *pos)
+ {
+ if (!isprint(*pos))
+ {
+ *pos = '?';
+ }
+ pos++;
+ }
+ return str;
+}
+
+/**
* Returns a chunk of just the username part of the given user identity.
* Note: the chunk points to internal data of the identification.
*/
@@ -535,7 +553,7 @@ static chunk_t extract_username(identification_t* identification)
char *has_domain;
chunk_t id;
id = identification->get_encoding(identification);
- has_domain = (char*)memrchr(id.ptr, '\\', id.len);
+ has_domain = (char*)memchr(id.ptr, '\\', id.len);
if (has_domain)
{
int len;
@@ -546,6 +564,14 @@ static chunk_t extract_username(identification_t* identification)
return id;
}
+/**
+ * Set the ms_length field using aligned write
+ */
+static void set_ms_length(eap_mschapv2_header_t *eap, u_int16_t len)
+{
+ len = htons(len - 5);
+ memcpy(&eap->ms_length, &len, sizeof(u_int16_t));
+}
/**
* Implementation of eap_method_t.initiate for the peer
@@ -567,8 +593,6 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
const char *name = MSCHAPV2_HOST_NAME;
u_int16_t len = CHALLENGE_PAYLOAD_LEN + sizeof(MSCHAPV2_HOST_NAME) - 1;
- DBG1(DBG_IKE, "initiating EAP-MS-CHAPv2");
-
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
if (!rng)
{
@@ -585,7 +609,7 @@ static status_t initiate_server(private_eap_mschapv2_t *this, eap_payload_t **ou
eap->type = EAP_MSCHAPV2;
eap->opcode = MSCHAPV2_CHALLENGE;
eap->ms_chapv2_id = this->mschapv2id;
- eap->ms_length = htons(len - 5);
+ set_ms_length(eap, len);
cha = (eap_mschapv2_challenge_t*)eap->data;
cha->value_size = CHALLENGE_LEN;
@@ -625,7 +649,8 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
if (cha->value_size != CHALLENGE_LEN)
{
- DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid challenge size");
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+ "invalid challenge size");
return FAILED;
}
@@ -643,11 +668,11 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
rng->destroy(rng);
shared = charon->credentials->get_shared(charon->credentials,
- SHARED_EAP, this->peer, this->server);
+ SHARED_EAP, this->peer, this->server);
if (shared == NULL)
{
- DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
- this->server, this->peer);
+ DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
+ this->server, this->peer);
return NOT_FOUND;
}
@@ -672,7 +697,7 @@ static status_t process_peer_challenge(private_eap_mschapv2_t *this,
eap->type = EAP_MSCHAPV2;
eap->opcode = MSCHAPV2_RESPONSE;
eap->ms_chapv2_id = this->mschapv2id;
- eap->ms_length = htons(len - 5);
+ set_ms_length(eap, len);
res = (eap_mschapv2_response_t*)eap->data;
res->value_size = RESPONSE_LEN;
@@ -725,7 +750,8 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
token += 2;
if (strlen(token) != AUTH_RESPONSE_LEN - 2)
{
- DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid auth string");
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+ "invalid auth string");
goto error;
}
hex = chunk_create(token, AUTH_RESPONSE_LEN - 2);
@@ -741,7 +767,8 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
if (auth_string.ptr == NULL)
{
- DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: auth string missing");
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+ "auth string missing");
goto error;
}
@@ -751,7 +778,7 @@ static status_t process_peer_success(private_eap_mschapv2_t *this,
goto error;
}
- DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", msg);
+ DBG1(DBG_IKE, "EAP-MS-CHAPv2 succeeded: '%s'", sanitize(msg));
eap = alloca(len);
eap->code = EAP_RESPONSE;
@@ -780,7 +807,6 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
char *message, *token, *msg = NULL;
int message_len, error, retryable;
chunk_t challenge = chunk_empty;
- u_int16_t len = SHORT_HEADER_LEN;
data = in->get_data(in);
eap = (eap_mschapv2_header_t*)data.ptr;
@@ -816,7 +842,8 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
token += 2;
if (strlen(token) != 2 * CHALLENGE_LEN)
{
- DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: invalid challenge");
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message:"
+ "invalid challenge");
goto error;
}
hex = chunk_create(token, 2 * CHALLENGE_LEN);
@@ -836,7 +863,8 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this,
}
enumerator->destroy(enumerator);
- DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'", mschapv2_error_names, error, msg);
+ DBG1(DBG_IKE, "EAP-MS-CHAPv2 failed with error %N: '%s'",
+ mschapv2_error_names, error, sanitize(msg));
/**
* at this point, if the error is retryable, we MAY retry the authentication
@@ -898,8 +926,8 @@ static status_t process_peer(private_eap_mschapv2_t *this, eap_payload_t *in,
}
default:
{
- DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported OpCode (%N)!",
- mschapv2_opcode_names, eap->opcode);
+ DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
+ "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
break;
}
}
@@ -925,7 +953,8 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
* so, to clean up our state we just fail with an EAP-Failure.
* this gives an unknown error on the windows side, but is also fine
* with the standard. */
- DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: maximum number of retries reached");
+ DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed: "
+ "maximum number of retries reached");
return FAILED;
}
@@ -951,7 +980,7 @@ static status_t process_server_retry(private_eap_mschapv2_t *this,
eap->type = EAP_MSCHAPV2;
eap->opcode = MSCHAPV2_FAILURE;
eap->ms_chapv2_id = this->mschapv2id++; /* increase for each retry */
- eap->ms_length = htons(len - 5);
+ set_ms_length(eap, len);
hex = chunk_to_hex(this->challenge, NULL, TRUE);
snprintf(msg, FAILURE_MESSAGE_LEN, "%s%s", FAILURE_MESSAGE, hex.ptr);
@@ -977,6 +1006,7 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
identification_t *userid;
shared_key_t *shared;
int name_len;
+ char buf[256];
data = in->get_data(in);
eap = (eap_mschapv2_header_t*)data.ptr;
@@ -991,16 +1021,16 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
peer_challenge = chunk_create(res->response.peer_challenge, CHALLENGE_LEN);
name_len = min(data.len - RESPONSE_PAYLOAD_LEN, 255);
- userid = identification_create_from_encoding(ID_EAP,
- chunk_create(res->name, name_len));
+ snprintf(buf, sizeof(buf), "%.*s", name_len, res->name);
+ userid = identification_create_from_string(buf);
+ DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%Y'", userid);
username = extract_username(userid);
- DBG2(DBG_IKE, "EAP-MS-CHAPv2 username: '%.*s'", name_len, res->name);
shared = charon->credentials->get_shared(charon->credentials,
SHARED_EAP, this->server, userid);
if (shared == NULL)
{
- DBG1(DBG_IKE, "no EAP key found for hosts '%D' - '%D'",
+ DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'",
this->server, userid);
/* FIXME: windows 7 always sends the username that is first entered in
* the username box, even, if the user changes it during retries (probably
@@ -1015,7 +1045,8 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
password = ascii_to_unicode(shared->get_key(shared));
shared->destroy(shared);
- if (GenerateStuff(this, this->challenge, peer_challenge, username, password) != SUCCESS)
+ if (GenerateStuff(this, this->challenge, peer_challenge,
+ username, password) != SUCCESS)
{
DBG1(DBG_IKE, "EAP-MS-CHAPv2 verification failed");
userid->destroy(userid);
@@ -1038,7 +1069,7 @@ static status_t process_server_response(private_eap_mschapv2_t *this,
eap->type = EAP_MSCHAPV2;
eap->opcode = MSCHAPV2_SUCCESS;
eap->ms_chapv2_id = this->mschapv2id;
- eap->ms_length = htons(len - 5);
+ set_ms_length(eap, len);
hex = chunk_to_hex(this->auth_response, NULL, TRUE);
snprintf(msg, AUTH_RESPONSE_LEN + sizeof(SUCCESS_MESSAGE),
@@ -1063,7 +1094,8 @@ static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
if (this->identifier != in->get_identifier(in))
{
- DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: unexpected identifier");
+ DBG1(DBG_IKE, "received invalid EAP-MS-CHAPv2 message: "
+ "unexpected identifier");
return FAILED;
}
@@ -1092,8 +1124,8 @@ static status_t process_server(private_eap_mschapv2_t *this, eap_payload_t *in,
}
default:
{
- DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported OpCode (%N)!",
- mschapv2_opcode_names, eap->opcode);
+ DBG1(DBG_IKE, "EAP-MS-CHAPv2 received packet with unsupported "
+ "OpCode (%N)!", mschapv2_opcode_names, eap->opcode);
break;
}
}
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
index d5638db00..34cc1141e 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_mschapv2.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
index 4303a3a7a..d0995c477 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_mschapv2_plugin.c 4882 2009-02-18 19:57:15Z tobias $
*/
#include "eap_mschapv2_plugin.h"
diff --git a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
index 0e671c3d6..9048fc64e 100644
--- a/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
+++ b/src/charon/plugins/eap_mschapv2/eap_mschapv2_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_mschapv2_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in
index 329ff981b..e7a4cd0f8 100644
--- a/src/charon/plugins/eap_radius/Makefile.in
+++ b/src/charon/plugins/eap_radius/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -229,8 +238,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -327,7 +336,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
index 1a02c5acf..ee2477440 100644
--- a/src/charon/plugins/eap_radius/eap_radius.c
+++ b/src/charon/plugins/eap_radius/eap_radius.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "eap_radius.h"
@@ -22,7 +20,6 @@
#include <daemon.h>
-
typedef struct private_eap_radius_t private_eap_radius_t;
/**
@@ -64,6 +61,11 @@ struct private_eap_radius_t {
* RADIUS client instance
*/
radius_client_t *client;
+
+ /**
+ * TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
+ */
+ bool eap_start;
};
/**
@@ -137,7 +139,16 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
request = radius_message_create_request();
request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
- add_eap_identity(this, request);
+
+ if (this->eap_start)
+ {
+ request->add(request, RAT_EAP_MESSAGE, chunk_empty);
+ }
+ else
+ {
+ add_eap_identity(this, request);
+ }
+
response = this->client->request(this->client, request);
if (response)
{
@@ -270,6 +281,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
this->type = EAP_RADIUS;
this->vendor = 0;
this->msk = chunk_empty;
+ this->eap_start = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap_radius.eap_start", FALSE);
return &this->public;
}
diff --git a/src/charon/plugins/eap_radius/eap_radius.h b/src/charon/plugins/eap_radius/eap_radius.h
index 7cb0a8615..8eb9e8c2d 100644
--- a/src/charon/plugins/eap_radius/eap_radius.h
+++ b/src/charon/plugins/eap_radius/eap_radius.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.c b/src/charon/plugins/eap_radius/eap_radius_plugin.c
index a429859a7..7c6a3c9ff 100644
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.c
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "eap_radius_plugin.h"
diff --git a/src/charon/plugins/eap_radius/eap_radius_plugin.h b/src/charon/plugins/eap_radius/eap_radius_plugin.h
index 3ed194619..a79640796 100644
--- a/src/charon/plugins/eap_radius/eap_radius_plugin.h
+++ b/src/charon/plugins/eap_radius/eap_radius_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
index a3ab1dd78..57d3f8f21 100644
--- a/src/charon/plugins/eap_radius/radius_client.c
+++ b/src/charon/plugins/eap_radius/radius_client.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "radius_client.h"
diff --git a/src/charon/plugins/eap_radius/radius_client.h b/src/charon/plugins/eap_radius/radius_client.h
index 2207b8713..889861a16 100644
--- a/src/charon/plugins/eap_radius/radius_client.h
+++ b/src/charon/plugins/eap_radius/radius_client.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_radius/radius_message.c b/src/charon/plugins/eap_radius/radius_message.c
index a95d2bb93..59a639f31 100644
--- a/src/charon/plugins/eap_radius/radius_message.c
+++ b/src/charon/plugins/eap_radius/radius_message.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "radius_message.h"
diff --git a/src/charon/plugins/eap_radius/radius_message.h b/src/charon/plugins/eap_radius/radius_message.h
index d195bbe23..d4eec8590 100644
--- a/src/charon/plugins/eap_radius/radius_message.h
+++ b/src/charon/plugins/eap_radius/radius_message.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
index be84728a4..2374567bc 100644
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ b/src/charon/plugins/eap_sim/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -224,8 +233,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -320,7 +329,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_sim/eap_sim.c b/src/charon/plugins/eap_sim/eap_sim.c
index 6110e823c..2dd6e534b 100644
--- a/src/charon/plugins/eap_sim/eap_sim.c
+++ b/src/charon/plugins/eap_sim/eap_sim.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_sim.c 4755 2008-12-04 10:10:37Z martin $
*/
#include "eap_sim.h"
@@ -571,7 +569,7 @@ static bool get_card_triplet(private_eap_sim_t *this,
enumerator->destroy(enumerator);
if (!card)
{
- DBG1(DBG_IKE, "no SIM card found matching '%D'", this->peer);
+ DBG1(DBG_IKE, "no SIM card found matching '%Y'", this->peer);
}
return success;
}
@@ -775,7 +773,7 @@ static bool get_provider_triplet(private_eap_sim_t *this,
tried++;
}
enumerator->destroy(enumerator);
- DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%D'",
+ DBG1(DBG_IKE, "tried %d SIM providers, but none had a triplet for '%Y'",
tried, this->peer);
return FALSE;
}
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.c b/src/charon/plugins/eap_sim/eap_sim_plugin.c
index d937c57b4..cf18007c0 100644
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.c
+++ b/src/charon/plugins/eap_sim/eap_sim_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_sim_plugin.c 3491 2008-02-22 14:04:00Z martin $
*/
#include "eap_sim_plugin.h"
diff --git a/src/charon/plugins/eap_sim/eap_sim_plugin.h b/src/charon/plugins/eap_sim/eap_sim_plugin.h
index d90a72092..767eb65a5 100644
--- a/src/charon/plugins/eap_sim/eap_sim_plugin.h
+++ b/src/charon/plugins/eap_sim/eap_sim_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_sim_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
index 9396b98cf..554b3a7bc 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.in
+++ b/src/charon/plugins/eap_sim_file/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -91,6 +91,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -113,6 +114,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -124,6 +128,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -137,6 +142,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -197,6 +204,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -208,6 +216,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -230,8 +239,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -328,7 +337,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
index 7969007d0..7d441ffb2 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "eap_sim_file_card.h"
@@ -52,13 +50,13 @@ static bool get_triplet(private_eap_sim_file_card_t *this,
identification_t *id;
char *c_rand, *c_sres, *c_kc;
-
- DBG1(DBG_CFG, "looking for rand: %b", rand, RAND_LEN);
+ DBG2(DBG_CFG, "looking for rand: %b", rand, RAND_LEN);
enumerator = this->triplets->create_enumerator(this->triplets);
while (enumerator->enumerate(enumerator, &id, &c_rand, &c_sres, &c_kc))
{
- DBG1(DBG_CFG, "found triplet: %b %b %b", c_rand, RAND_LEN, c_sres, SRES_LEN, c_kc, KC_LEN);
+ DBG2(DBG_CFG, "found triplet: rand %b\nsres %b\n kc %b",
+ c_rand, RAND_LEN, c_sres, SRES_LEN, c_kc, KC_LEN);
if (memeq(c_rand, rand, RAND_LEN))
{
memcpy(sres, c_sres, SRES_LEN);
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
index 9f28aa8fc..e7160a33b 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_card.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
index 6129ebb72..eb6fb4c9c 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "eap_sim_file_plugin.h"
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
index 8e603258f..24857d0b0 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
index ffb4b2901..89866ade6 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "eap_sim_file_provider.h"
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
index efd73802a..ec3bfb469 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_provider.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
index 409e9cbd5..d093851c2 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "eap_sim_file_triplets.h"
@@ -45,16 +43,16 @@ struct private_eap_sim_file_triplets_t {
* mutex to lock triplets list
*/
mutex_t *mutex;
-};
+};
/**
* A single triplet
- */
-typedef struct {
- identification_t *imsi;
- char rand[RAND_LEN];
- char sres[SRES_LEN];
- char kc[KC_LEN];
+ */
+typedef struct {
+ identification_t *imsi;
+ char rand[RAND_LEN];
+ char sres[SRES_LEN];
+ char kc[KC_LEN];
} triplet_t;
/**
@@ -105,7 +103,7 @@ static bool enumerator_enumerate(triplet_enumerator_t *e, identification_t **ims
char **rand, char **sres, char **kc)
{
triplet_t *triplet;
-
+
if (e->inner->enumerate(e->inner, &triplet))
{
e->current = triplet;
@@ -148,45 +146,45 @@ static void parse_token(char *to, char *from, size_t len)
memset(to, 0, len);
memcpy(to + len - chunk.len, chunk.ptr, chunk.len);
free(chunk.ptr);
-}
-
-/**
- * Read the triplets from the file
- */
-static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
-{
- char line[512];
- FILE *file;
- int i, nr = 0;
-
- file = fopen(path, "r");
- if (file == NULL)
- {
+}
+
+/**
+ * Read the triplets from the file
+ */
+static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
+{
+ char line[512];
+ FILE *file;
+ int i, nr = 0;
+
+ file = fopen(path, "r");
+ if (file == NULL)
+ {
DBG1(DBG_CFG, "opening triplet file %s failed: %s",
- path, strerror(errno));
- return;
- }
-
- /* read line by line */
- while (fgets(line, sizeof(line), file))
- {
+ path, strerror(errno));
+ return;
+ }
+
+ /* read line by line */
+ while (fgets(line, sizeof(line), file))
+ {
triplet_t *triplet;
enumerator_t *enumerator;
char *token;
-
- nr++;
- /* skip comments, empty lines */
- switch (line[0])
- {
- case '\n':
- case '\r':
- case '#':
- case '\0':
- continue;
- default:
- break;
+
+ nr++;
+ /* skip comments, empty lines */
+ switch (line[0])
+ {
+ case '\n':
+ case '\r':
+ case '#':
+ case '\0':
+ continue;
+ default:
+ break;
}
- triplet = malloc_thing(triplet_t);
+ triplet = malloc_thing(triplet_t);
memset(triplet, 0, sizeof(triplet_t));
i = 0;
@@ -196,8 +194,7 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
switch (i++)
{
case 0: /* IMSI */
- triplet->imsi = identification_create_from_encoding(ID_EAP,
- chunk_create(token, strlen(token)));
+ triplet->imsi = identification_create_from_string(token);
continue;
case 1: /* rand */
parse_token(triplet->rand, token, RAND_LEN);
@@ -215,22 +212,22 @@ static void read_triplets(private_eap_sim_file_triplets_t *this, char *path)
}
enumerator->destroy(enumerator);
if (i < 4)
- {
+ {
DBG1(DBG_CFG, "error in triplet file, line %d", nr);
triplet_destroy(triplet);
continue;
- }
-
- DBG1(DBG_CFG, "triplet: imsi %D\nrand %b\nsres %b\nkc %b",
- triplet->imsi, triplet->rand, RAND_LEN,
+ }
+
+ DBG2(DBG_CFG, "triplet: imsi %Y\nrand %b\nsres %b\nkc %b",
+ triplet->imsi, triplet->rand, RAND_LEN,
triplet->sres, SRES_LEN, triplet->kc, KC_LEN);
- this->triplets->insert_last(this->triplets, triplet);
- }
+ this->triplets->insert_last(this->triplets, triplet);
+ }
fclose(file);
-
+
DBG1(DBG_CFG, "read %d triplets from %s",
- this->triplets->get_count(this->triplets), path);
+ this->triplets->get_count(this->triplets), path);
}
/**
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
index a6e9188a5..d4ff2a781 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
@@ -28,17 +26,17 @@
/**
* size of RAND value
- */
+ */
#define RAND_LEN 16
/**
* size of SRES value
- */
+ */
#define SRES_LEN 4
/**
* size of KC value
- */
+ */
#define KC_LEN 8
typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
@@ -46,7 +44,7 @@ typedef struct eap_sim_file_triplets_t eap_sim_file_triplets_t;
/**
* Reads triplets from a triplets.dat file.
*
- * The file is in freeradius triplet file syntax:
+ * The file is in freeradius triplet file syntax:
* http://www.freeradius.org/radiusd/doc/rlm_sim_triplets
*/
struct eap_sim_file_triplets_t {
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
index 4e3312f2b..a1efe9d5a 100644
--- a/src/charon/plugins/kernel_klips/Makefile.in
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index b2811aa9d..c69ce4c9a 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_klips_ipsec.c 4793 2008-12-11 13:39:30Z tobias $
*/
#include <sys/types.h>
@@ -1530,7 +1528,7 @@ static void schedule_expire(private_kernel_klips_ipsec_t *this,
expire->reqid = reqid;
expire->type = type;
job = callback_job_create((callback_job_cb_t)sa_expires, expire, free, NULL);
- charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time * 1000);
+ charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, time);
}
/**
@@ -1938,8 +1936,9 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
/**
* Implementation of kernel_interface_t.del_sa.
*/
-static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int16_t cpi)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
@@ -2610,7 +2609,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
- this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
index 4d4e33813..306ec0ada 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_klips_ipsec.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
index 42d7307ec..d153ea8af 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_klips_plugin.c 4617 2008-11-11 08:45:19Z tobias $
*/
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
index 8dd2f1895..123550bf5 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
+++ b/src/charon/plugins/kernel_klips/kernel_klips_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_klips_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
index b3b161315..b97738bff 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -91,6 +91,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -113,6 +114,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -124,6 +128,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -137,6 +142,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -197,6 +204,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -208,6 +216,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -228,8 +237,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -326,7 +335,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index ee47914d3..9322d8dfe 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -16,8 +16,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_ipsec.c 4997 2009-03-24 10:24:58Z martin $
*/
#include <sys/types.h>
@@ -170,14 +168,20 @@ static kernel_algorithm_t encryption_algs[] = {
/* {ENCR_DES_IV32, "***" }, */
{ENCR_NULL, "cipher_null" },
{ENCR_AES_CBC, "aes" },
-/* {ENCR_AES_CTR, "***" }, */
+ {ENCR_AES_CTR, "rfc3686(ctr(aes))" },
{ENCR_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
{ENCR_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
{ENCR_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
{ENCR_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
{ENCR_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
- {END_OF_LIST, NULL },
+/* {ENCR_NULL_AUTH_AES_GMAC, "***" }, */
+ {ENCR_CAMELLIA_CBC, "cbc(camellia)" },
+/* {ENCR_CAMELLIA_CTR, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV8, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV12, "***" }, */
+/* {ENCR_CAMELLIA_CCM_ICV16, "***" }, */
+ {END_OF_LIST, NULL }
};
/**
@@ -192,7 +196,7 @@ static kernel_algorithm_t integrity_algs[] = {
/* {AUTH_DES_MAC, "***" }, */
/* {AUTH_KPDK_MD5, "***" }, */
{AUTH_AES_XCBC_96, "xcbc(aes)" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
};
/**
@@ -203,7 +207,7 @@ static kernel_algorithm_t compression_algs[] = {
{IPCOMP_DEFLATE, "deflate" },
{IPCOMP_LZS, "lzs" },
{IPCOMP_LZJH, "lzjh" },
- {END_OF_LIST, NULL },
+ {END_OF_LIST, NULL }
};
/**
@@ -369,6 +373,24 @@ static protocol_id_t proto_kernel2ike(u_int8_t proto)
}
/**
+ * convert the general ipsec mode to the one defined in xfrm.h
+ */
+static u_int8_t mode2kernel(ipsec_mode_t mode)
+{
+ switch (mode)
+ {
+ case MODE_TRANSPORT:
+ return XFRM_MODE_TRANSPORT;
+ case MODE_TUNNEL:
+ return XFRM_MODE_TUNNEL;
+ case MODE_BEET:
+ return XFRM_MODE_BEET;
+ default:
+ return mode;
+ }
+}
+
+/**
* convert a host_t to a struct xfrm_address
*/
static void host2xfrm(host_t *host, xfrm_address_t *xfrm)
@@ -797,7 +819,7 @@ static status_t get_spi_internal(private_kernel_netlink_ipsec_t *this,
host2xfrm(src, &userspi->info.saddr);
host2xfrm(dst, &userspi->info.id.daddr);
userspi->info.id.proto = proto;
- userspi->info.mode = TRUE; /* tunnel mode */
+ userspi->info.mode = XFRM_MODE_TUNNEL;
userspi->info.reqid = reqid;
userspi->info.family = src->get_family(src);
userspi->min = min;
@@ -935,7 +957,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
sa->id.spi = spi;
sa->id.proto = proto_ike2kernel(protocol);
sa->family = src->get_family(src);
- sa->mode = mode;
+ sa->mode = mode2kernel(mode);
if (mode == MODE_TUNNEL)
{
sa->flags |= XFRM_STATE_AF_UNSPEC;
@@ -1210,8 +1232,9 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
/**
* Implementation of kernel_interface_t.del_sa.
*/
-static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int16_t cpi)
{
netlink_buf_t request;
struct nlmsghdr *hdr;
@@ -1220,7 +1243,7 @@ static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *dst,
/* if IPComp was used, we first delete the additional IPComp SA */
if (cpi)
{
- del_sa(this, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
+ del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0);
}
memset(&request, 0, sizeof(request));
@@ -1333,7 +1356,7 @@ static status_t update_sa(private_kernel_netlink_ipsec_t *this,
}
/* delete the old SA (without affecting the IPComp SA) */
- if (del_sa(this, dst, spi, protocol, 0) != SUCCESS)
+ if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
{
DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
free(out);
@@ -1520,7 +1543,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
tmpl->reqid = reqid;
tmpl->id.proto = IPPROTO_COMP;
tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
- tmpl->mode = mode;
+ tmpl->mode = mode2kernel(mode);
tmpl->optional = direction != POLICY_OUT;
tmpl->family = src->get_family(src);
@@ -1541,7 +1564,7 @@ static status_t add_policy(private_kernel_netlink_ipsec_t *this,
tmpl->reqid = reqid;
tmpl->id.proto = proto_ike2kernel(protocol);
tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
- tmpl->mode = mode;
+ tmpl->mode = mode2kernel(mode);
tmpl->family = src->get_family(src);
host2xfrm(src, &tmpl->saddr);
@@ -1865,7 +1888,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
- this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
index 0b65c5213..3a45cce06 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_ipsec.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index 6e4ddffe5..32154a7ea 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_net.c 4671 2008-11-18 09:52:28Z martin $
*/
#include <sys/socket.h>
@@ -163,7 +161,11 @@ struct private_kernel_netlink_net_t {
* whether to react to RTM_NEWROUTE or RTM_DELROUTE events
*/
bool process_route;
-
+
+ /**
+ * whether to actually install virtual IPs
+ */
+ bool install_virtual_ip;
};
/**
@@ -219,7 +221,7 @@ static void fire_roam_job(private_kernel_netlink_net_t *this, bool address)
now.tv_usec -= 1000000;
}
this->last_roam = now;
- charon->scheduler->schedule_job(charon->scheduler,
+ charon->scheduler->schedule_job_ms(charon->scheduler,
(job_t*)roam_job_create(address), ROAM_DELAY);
}
}
@@ -985,7 +987,12 @@ static status_t add_ip(private_kernel_netlink_net_t *this,
addr_entry_t *addr;
enumerator_t *addrs, *ifaces;
int ifindex;
-
+
+ if (!this->install_virtual_ip)
+ { /* disabled by config */
+ return SUCCESS;
+ }
+
DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip);
this->mutex->lock(this->mutex);
@@ -1059,7 +1066,12 @@ static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip)
enumerator_t *addrs, *ifaces;
status_t status;
int ifindex;
-
+
+ if (!this->install_virtual_ip)
+ { /* disabled by config */
+ return SUCCESS;
+ }
+
DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip);
this->mutex->lock(this->mutex);
@@ -1175,7 +1187,7 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty
/**
* Implementation of kernel_net_t.add_route.
*/
-status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
{
return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL,
@@ -1185,7 +1197,7 @@ status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
/**
* Implementation of kernel_net_t.del_route.
*/
-status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
+static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net,
u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
{
return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen,
@@ -1367,6 +1379,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
"charon.routing_table_prio", IPSEC_ROUTING_TABLE_PRIO);
this->process_route = lib->settings->get_bool(lib->settings,
"charon.process_route", TRUE);
+ this->install_virtual_ip = lib->settings->get_bool(lib->settings,
+ "charon.install_virtual_ip", TRUE);
this->socket = netlink_socket_create(NETLINK_ROUTE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
index 39b96837b..ff9831d3c 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_net.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
index adc3d585f..77005e871 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_plugin.c 4350 2008-09-18 15:16:43Z tobias $
*/
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
index f08dbc023..ec6036b98 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 05bd4e397..7ef7cc56e 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_shared.c 4831 2009-01-09 09:37:13Z andreas $
*/
#include <sys/socket.h>
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
index 90e464796..5a70e4d9b 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_netlink_shared.h 4660 2008-11-14 14:23:11Z martin $
*/
#ifndef KERNEL_NETLINK_SHARED_H_
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
index d606f4a23..df2492ef7 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.in
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -207,6 +215,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 656c83083..56f0320dc 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
* Copyright (C) 2008 Andreas Steffen
* Hochschule fuer Technik Rapperswil
*
@@ -12,16 +12,38 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_pfkey_ipsec.c 4793 2008-12-11 13:39:30Z tobias $
*/
#include <sys/types.h>
#include <sys/socket.h>
+
+#ifdef HAVE_NET_PFKEYV2_H
+#include <net/pfkeyv2.h>
+#else
#include <stdint.h>
-#include <linux/ipsec.h>
#include <linux/pfkeyv2.h>
+#endif
+
+#ifdef SADB_X_EXT_NAT_T_TYPE
+#define HAVE_NATT
+#endif
+
+#ifdef HAVE_NETIPSEC_IPSEC_H
+#include <netipsec/ipsec.h>
+#elif defined(HAVE_NETINET6_IPSEC_H)
+#include <netinet6/ipsec.h>
+#else
+#include <linux/ipsec.h>
+#endif
+
+#ifdef HAVE_NATT
+#ifdef HAVE_NETINET_UDP_H
+#include <netinet/udp.h>
+#else
#include <linux/udp.h>
+#endif /*HAVE_NETINET_UDP_H*/
+#endif /*HAVE_NATT*/
+
#include <unistd.h>
#include <pthread.h>
#include <errno.h>
@@ -38,6 +60,30 @@
#include <processing/jobs/delete_child_sa_job.h>
#include <processing/jobs/update_sa_job.h>
+/** non linux specific */
+#ifndef IPPROTO_COMP
+#define IPPROTO_COMP IPPROTO_IPCOMP
+#endif
+
+#ifndef SADB_X_AALG_SHA2_256HMAC
+#define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
+#define SADB_X_AALG_SHA2_384HMAC SADB_X_AALG_SHA2_384
+#define SADB_X_AALG_SHA2_512HMAC SADB_X_AALG_SHA2_512
+#endif
+
+#ifndef SADB_X_EALG_AESCBC
+#define SADB_X_EALG_AESCBC SADB_X_EALG_AES
+#endif
+
+#ifndef SADB_X_EALG_CASTCBC
+#define SADB_X_EALG_CASTCBC SADB_X_EALG_CAST128CBC
+#endif
+
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#define SOL_IPV6 IPPROTO_IPV6
+#endif
+
/** from linux/in.h */
#ifndef IP_IPSEC_POLICY
#define IP_IPSEC_POLICY 16
@@ -46,7 +92,7 @@
/* missing on uclibc */
#ifndef IPV6_IPSEC_POLICY
#define IPV6_IPSEC_POLICY 34
-#endif /*IPV6_IPSEC_POLICY*/
+#endif
/** default priority of installed policies */
#define PRIO_LOW 3000
@@ -160,8 +206,8 @@ struct route_entry_t {
static void route_entry_destroy(route_entry_t *this)
{
free(this->if_name);
- this->src_ip->destroy(this->src_ip);
- this->gateway->destroy(this->gateway);
+ DESTROY_IF(this->src_ip);
+ DESTROY_IF(this->gateway);
chunk_free(&this->dst_net);
free(this);
}
@@ -217,7 +263,7 @@ static policy_entry_t *create_policy_entry(traffic_selector_t *src_ts,
/* src or dest proto may be "any" (0), use more restrictive one */
policy->src.proto = max(src_ts->get_protocol(src_ts), dst_ts->get_protocol(dst_ts));
- policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
+ policy->src.proto = policy->src.proto ? policy->src.proto : IPSEC_PROTO_ANY;
policy->dst.proto = policy->src.proto;
return policy;
@@ -268,7 +314,6 @@ struct pfkey_msg_t
*/
struct sadb_msg *msg;
-
/**
* PF_KEY message extensions
*/
@@ -305,7 +350,7 @@ struct pfkey_msg_t
};
};
-ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
+ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_EXT_MAX,
"SADB_EXT_RESERVED",
"SADB_EXT_SA",
"SADB_EXT_LIFETIME_CURRENT",
@@ -333,6 +378,7 @@ ENUM(sadb_ext_type_names, SADB_EXT_RESERVED, SADB_X_EXT_KMADDRESS,
"SADB_X_EXT_SEC_CTX",
"SADB_X_EXT_KMADDRESS"
);
+
/**
* convert a IKEv2 specific protocol identifier to the PF_KEY sa type
*/
@@ -396,8 +442,10 @@ static u_int8_t mode2kernel(ipsec_mode_t mode)
return IPSEC_MODE_TRANSPORT;
case MODE_TUNNEL:
return IPSEC_MODE_TUNNEL;
+#ifdef HAVE_IPSEC_MODE_BEET
case MODE_BEET:
return IPSEC_MODE_BEET;
+#endif
default:
return mode;
}
@@ -414,13 +462,16 @@ static u_int8_t dir2kernel(policy_dir_t dir)
return IPSEC_DIR_INBOUND;
case POLICY_OUT:
return IPSEC_DIR_OUTBOUND;
+#ifdef HAVE_IPSEC_DIR_FWD
case POLICY_FWD:
return IPSEC_DIR_FWD;
+#endif
default:
return dir;
}
}
+#ifdef SADB_X_MIGRATE
/**
* convert the policy direction in ipsec.h to the general one.
*/
@@ -432,12 +483,16 @@ static policy_dir_t kernel2dir(u_int8_t dir)
return POLICY_IN;
case IPSEC_DIR_OUTBOUND:
return POLICY_OUT;
+#ifdef HAVE_IPSEC_DIR_FWD
case IPSEC_DIR_FWD:
return POLICY_FWD;
+#endif
default:
return dir;
}
}
+#endif /*SADB_X_MIGRATE*/
+
typedef struct kernel_algorithm_t kernel_algorithm_t;
/**
@@ -461,40 +516,42 @@ struct kernel_algorithm_t {
* Algorithms for encryption
*/
static kernel_algorithm_t encryption_algs[] = {
-/* {ENCR_DES_IV64, 0 }, */
- {ENCR_DES, SADB_EALG_DESCBC },
- {ENCR_3DES, SADB_EALG_3DESCBC },
-/* {ENCR_RC5, 0 }, */
-/* {ENCR_IDEA, 0 }, */
- {ENCR_CAST, SADB_X_EALG_CASTCBC },
- {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
-/* {ENCR_3IDEA, 0 }, */
-/* {ENCR_DES_IV32, 0 }, */
- {ENCR_NULL, SADB_EALG_NULL },
- {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
-/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
+/* {ENCR_DES_IV64, 0 }, */
+ {ENCR_DES, SADB_EALG_DESCBC },
+ {ENCR_3DES, SADB_EALG_3DESCBC },
+/* {ENCR_RC5, 0 }, */
+/* {ENCR_IDEA, 0 }, */
+ {ENCR_CAST, SADB_X_EALG_CASTCBC },
+ {ENCR_BLOWFISH, SADB_X_EALG_BLOWFISHCBC },
+/* {ENCR_3IDEA, 0 }, */
+/* {ENCR_DES_IV32, 0 }, */
+ {ENCR_NULL, SADB_EALG_NULL },
+ {ENCR_AES_CBC, SADB_X_EALG_AESCBC },
+/* {ENCR_AES_CTR, SADB_X_EALG_AESCTR }, */
/* {ENCR_AES_CCM_ICV8, SADB_X_EALG_AES_CCM_ICV8 }, */
/* {ENCR_AES_CCM_ICV12, SADB_X_EALG_AES_CCM_ICV12 }, */
/* {ENCR_AES_CCM_ICV16, SADB_X_EALG_AES_CCM_ICV16 }, */
/* {ENCR_AES_GCM_ICV8, SADB_X_EALG_AES_GCM_ICV8 }, */
/* {ENCR_AES_GCM_ICV12, SADB_X_EALG_AES_GCM_ICV12 }, */
/* {ENCR_AES_GCM_ICV16, SADB_X_EALG_AES_GCM_ICV16 }, */
- {END_OF_LIST, 0 },
+ {END_OF_LIST, 0 },
};
/**
* Algorithms for integrity protection
*/
static kernel_algorithm_t integrity_algs[] = {
- {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
+ {AUTH_HMAC_MD5_96, SADB_AALG_MD5HMAC },
{AUTH_HMAC_SHA1_96, SADB_AALG_SHA1HMAC },
{AUTH_HMAC_SHA2_256_128, SADB_X_AALG_SHA2_256HMAC },
{AUTH_HMAC_SHA2_384_192, SADB_X_AALG_SHA2_384HMAC },
{AUTH_HMAC_SHA2_512_256, SADB_X_AALG_SHA2_512HMAC },
/* {AUTH_DES_MAC, 0, }, */
/* {AUTH_KPDK_MD5, 0, }, */
+#ifdef SADB_X_AALG_AES_XCBC_MAC
{AUTH_AES_XCBC_96, SADB_X_AALG_AES_XCBC_MAC, },
- {END_OF_LIST, 0, },
+#endif
+ {END_OF_LIST, 0, },
};
#if 0
@@ -502,11 +559,11 @@ static kernel_algorithm_t integrity_algs[] = {
* Algorithms for IPComp, unused yet
*/
static kernel_algorithm_t compression_algs[] = {
-/* {IPCOMP_OUI, 0 }, */
+/* {IPCOMP_OUI, 0 }, */
{IPCOMP_DEFLATE, SADB_X_CALG_DEFLATE },
{IPCOMP_LZS, SADB_X_CALG_LZS },
{IPCOMP_LZJH, SADB_X_CALG_LZJH },
- {END_OF_LIST, 0 },
+ {END_OF_LIST, 0 },
};
#endif
@@ -533,8 +590,11 @@ static void host2ext(host_t *host, struct sadb_address *ext)
{
sockaddr_t *host_addr = host->get_sockaddr(host);
socklen_t *len = host->get_sockaddr_len(host);
- memcpy((char*)(ext + 1), host_addr, *len);
- ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ host_addr->sa_len = *len;
+#endif
+ memcpy((char*)(ext + 1), host_addr, *len);
+ ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
}
/**
@@ -562,10 +622,14 @@ static void add_anyaddr_ext(struct sadb_msg *msg, int family, u_int8_t type)
addr->sadb_address_exttype = type;
sockaddr_t *saddr = (sockaddr_t*)(addr + 1);
saddr->sa_family = family;
- addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
+#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
+ saddr->sa_len = len;
+#endif
+ addr->sadb_address_len = PFKEY_LEN(sizeof(*addr) + len);
PFKEY_EXT_ADD(msg, addr);
}
+#ifdef HAVE_NATT
/**
* add udp encap extensions to a sadb_msg
*/
@@ -592,6 +656,7 @@ static void add_encap_ext(struct sadb_msg *msg, host_t *src, host_t *dst)
nat_port->sadb_x_nat_t_port_port = htons(dst->get_port(dst));
PFKEY_EXT_ADD(msg, nat_port);
}
+#endif /*HAVE_NATT*/
/**
* Convert a sadb_address to a traffic_selector
@@ -606,7 +671,7 @@ static traffic_selector_t* sadb_address2ts(struct sadb_address *address)
*/
host = host_create_from_sockaddr((sockaddr_t*)&address[1]) ;
ts = traffic_selector_create_from_subnet(host, address->sadb_address_prefixlen,
- address->sadb_address_proto, host->get_port(host));
+ address->sadb_address_proto, host->get_port(host));
return ts;
}
@@ -645,7 +710,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
if (out->ext[ext->sadb_ext_type])
{
- DBG1(DBG_KNL, "duplicate %N extension",
+ DBG1(DBG_KNL, "duplicate %N extension",
sadb_ext_type_names, ext->sadb_ext_type);
break;
}
@@ -699,7 +764,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
}
while (TRUE)
- {
+ {
msg = (struct sadb_msg*)buf;
len = recv(socket, buf, sizeof(buf), 0);
@@ -757,7 +822,7 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
*out_len = len;
*out = (struct sadb_msg*)malloc(len);
memcpy(*out, buf, len);
-
+
this->mutex_pfkey->unlock(this->mutex_pfkey);
return SUCCESS;
@@ -868,8 +933,9 @@ static void process_expire(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
charon->processor->queue_job(charon->processor, job);
}
+#ifdef SADB_X_MIGRATE
/**
- * Process a SADB_MIGRATE message from the kernel
+ * Process a SADB_X_MIGRATE message from the kernel
*/
static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg* msg)
{
@@ -893,7 +959,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
DBG2(DBG_KNL, " policy %R === %R %N, id %u", src_ts, dst_ts,
policy_dir_names, dir);
- /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
+ /* SADB_X_EXT_KMADDRESS is not present in unpatched kernels < 2.6.28 */
if (response.x_kmaddress)
{
sockaddr_t *local_addr, *remote_addr;
@@ -924,7 +990,9 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
DESTROY_IF(remote);
}
}
+#endif /*SADB_X_MIGRATE*/
+#ifdef HAVE_NATT
/**
* Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
*/
@@ -980,6 +1048,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
}
}
}
+#endif /*HAVE_NATT*/
/**
* Receives events from kernel
@@ -991,7 +1060,7 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
int len, oldstate;
pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
- len = recv(this->socket_events, buf, sizeof(buf), 0);
+ len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
pthread_setcancelstate(oldstate, NULL);
if (len < 0)
@@ -1035,12 +1104,16 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
case SADB_EXPIRE:
process_expire(this, msg);
break;
+#ifdef SADB_X_MIGRATE
case SADB_X_MIGRATE:
process_migrate(this, msg);
break;
+#endif /*SADB_X_MIGRATE*/
+#ifdef HAVE_NATT
case SADB_X_NAT_T_NEW_MAPPING:
process_mapping(this, msg);
break;
+#endif /*HAVE_NATT*/
default:
break;
}
@@ -1051,8 +1124,8 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
/**
* Implementation of kernel_interface_t.get_spi.
*/
-static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
- host_t *src, host_t *dst,
+static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst,
protocol_id_t protocol, u_int32_t reqid,
u_int32_t *spi)
{
@@ -1099,7 +1172,7 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
{
received_spi = response.sa->sadb_sa_spi;
}
- free(out);
+ free(out);
}
if (received_spi == 0)
@@ -1114,8 +1187,8 @@ static status_t get_spi(private_kernel_pfkey_ipsec_t *this,
/**
* Implementation of kernel_interface_t.get_cpi.
*/
-static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
- host_t *src, host_t *dst,
+static status_t get_cpi(private_kernel_pfkey_ipsec_t *this,
+ host_t *src, host_t *dst,
u_int32_t reqid, u_int16_t *cpi)
{
return FAILED;
@@ -1226,11 +1299,13 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
{
/*TODO*/
}
-
+
+#ifdef HAVE_NATT
if (encap)
{
add_encap_ext(msg, src, dst);
}
+#endif /*HAVE_NATT*/
if (pfkey_send(this, msg, &out, &len) != SUCCESS)
{
@@ -1346,11 +1421,13 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
{
PFKEY_EXT_COPY(msg, response.key_auth);
}
-
+
+#ifdef HAVE_NATT
if (new_encap)
{
add_encap_ext(msg, new_src, new_dst);
}
+#endif /*HAVE_NATT*/
free(out);
@@ -1374,8 +1451,9 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
/**
* Implementation of kernel_interface_t.del_sa.
*/
-static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int16_t cpi)
{
unsigned char request[PFKEY_BUFFER_SIZE];
struct sadb_msg *msg, *out;
@@ -1398,9 +1476,8 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
sa->sadb_sa_spi = spi;
PFKEY_EXT_ADD(msg, sa);
- /* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
- * it is not used for anything. */
- add_anyaddr_ext(msg, dst->get_family(dst), SADB_EXT_ADDRESS_SRC);
+ /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
if (pfkey_send(this, msg, &out, &len) != SUCCESS)
@@ -1424,7 +1501,7 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *dst,
/**
* Implementation of kernel_interface_t.add_policy.
*/
-static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
+static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
host_t *src, host_t *dst,
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
@@ -1463,7 +1540,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
this->policies->insert_last(this->policies, policy);
policy->refcount = 1;
}
-
+
memset(&request, 0, sizeof(request));
DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
@@ -1480,12 +1557,14 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
pol->sadb_x_policy_len = PFKEY_LEN(sizeof(struct sadb_x_policy));
pol->sadb_x_policy_id = 0;
pol->sadb_x_policy_dir = dir2kernel(direction);
+ pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
/* calculate priority based on source selector size, small size = high prio */
pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
pol->sadb_x_policy_priority -= policy->src.mask * 10;
pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
- pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
+#endif
/* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
req = (struct sadb_x_ipsecrequest*)(pol + 1);
@@ -1599,9 +1678,9 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
{
free(route);
}
- }
+ }
- this->mutex->unlock(this->mutex);
+ this->mutex->unlock(this->mutex);
return SUCCESS;
}
@@ -1610,7 +1689,7 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
* Implementation of kernel_interface_t.query_policy.
*/
static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
- traffic_selector_t *src_ts,
+ traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, u_int32_t *use_time)
{
@@ -1689,7 +1768,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
*use_time = response.lft_current->sadb_lifetime_usetime;
free(out);
-
+
return SUCCESS;
}
@@ -1697,7 +1776,7 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
* Implementation of kernel_interface_t.del_policy.
*/
static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
- traffic_selector_t *src_ts,
+ traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, bool unrouted)
{
@@ -1722,7 +1801,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
if (--found->refcount > 0)
{
/* is used by more SAs, keep in kernel */
- DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
+ DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed");
policy_entry_destroy(policy);
this->mutex->unlock(this->mutex);
return SUCCESS;
@@ -1741,7 +1820,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
return NOT_FOUND;
}
this->mutex->unlock(this->mutex);
-
+
memset(&request, 0, sizeof(request));
msg = (struct sadb_msg*)request;
@@ -1791,7 +1870,7 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
DBG1(DBG_KNL, "error uninstalling route installed with "
"policy %R === %R %N", src_ts, dst_ts,
policy_dir_names, direction);
- }
+ }
route_entry_destroy(route);
}
@@ -1863,22 +1942,26 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
switch (family)
{
case AF_INET:
+ {
sol = SOL_IP;
ipsec_policy = IP_IPSEC_POLICY;
break;
+ }
case AF_INET6:
{
sol = SOL_IPV6;
ipsec_policy = IPV6_IPSEC_POLICY;
break;
}
+ default:
+ continue;
}
memset(&policy, 0, sizeof(policy));
policy.sadb_x_policy_len = sizeof(policy) / sizeof(u_int64_t);
policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-
+
policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
@@ -1890,7 +1973,7 @@ static bool add_bypass_policies(private_kernel_pfkey_ipsec_t *this)
policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
if (setsockopt(fd, sol, ipsec_policy, &policy, sizeof(policy)) < 0)
{
- DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
+ DBG1(DBG_KNL, "unable to set IPSEC_POLICY on socket: %s",
strerror(errno));
status = FALSE;
break;
@@ -1912,7 +1995,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
- this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
index db05462f4..649f93733 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_pfkey_ipsec.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
index 93015d75a..09dc4780d 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_pfkey_plugin.c 4361 2008-10-01 16:47:51Z tobias $
*/
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
index f091c6d81..2f168aa9c 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: kernel_pfkey_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
new file mode 100644
index 000000000..3ad445c09
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/Makefile.am
@@ -0,0 +1,10 @@
+
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+
+libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+ kernel_pfroute_net.h kernel_pfroute_net.c
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in
new file mode 100644
index 000000000..e585a7db2
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/Makefile.in
@@ -0,0 +1,510 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/kernel_pfroute
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_kernel_pfroute_la_LIBADD =
+am_libstrongswan_kernel_pfroute_la_OBJECTS = kernel_pfroute_plugin.lo \
+ kernel_pfroute_net.lo
+libstrongswan_kernel_pfroute_la_OBJECTS = \
+ $(am_libstrongswan_kernel_pfroute_la_OBJECTS)
+libstrongswan_kernel_pfroute_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) \
+ $(libstrongswan_kernel_pfroute_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_kernel_pfroute_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic
+plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
+libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
+ kernel_pfroute_net.h kernel_pfroute_net.c
+
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfroute/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/kernel_pfroute/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-kernel-pfroute.la: $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_DEPENDENCIES)
+ $(libstrongswan_kernel_pfroute_la_LINK) -rpath $(plugindir) $(libstrongswan_kernel_pfroute_la_OBJECTS) $(libstrongswan_kernel_pfroute_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_net.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kernel_pfroute_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
new file mode 100644
index 000000000..c2b35a5ce
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -0,0 +1,713 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+#include <ifaddrs.h>
+#include <net/route.h>
+#include <unistd.h>
+#include <pthread.h>
+#include <errno.h>
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+#include <utils/host.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+#include <processing/jobs/callback_job.h>
+#include <processing/jobs/roam_job.h>
+
+#ifndef HAVE_STRUCT_SOCKADDR_SA_LEN
+#error Cannot compile this plugin on systems where 'struct sockaddr' has no sa_len member.
+#endif
+
+/** delay before firing roam jobs (ms) */
+#define ROAM_DELAY 100
+
+/** buffer size for PF_ROUTE messages */
+#define PFROUTE_BUFFER_SIZE 4096
+
+typedef struct addr_entry_t addr_entry_t;
+
+/**
+ * IP address in an inface_entry_t
+ */
+struct addr_entry_t {
+
+ /** The ip address */
+ host_t *ip;
+
+ /** virtual IP managed by us */
+ bool virtual;
+
+ /** Number of times this IP is used, if virtual */
+ u_int refcount;
+};
+
+/**
+ * destroy a addr_entry_t object
+ */
+static void addr_entry_destroy(addr_entry_t *this)
+{
+ this->ip->destroy(this->ip);
+ free(this);
+}
+
+typedef struct iface_entry_t iface_entry_t;
+
+/**
+ * A network interface on this system, containing addr_entry_t's
+ */
+struct iface_entry_t {
+
+ /** interface index */
+ int ifindex;
+
+ /** name of the interface */
+ char ifname[IFNAMSIZ];
+
+ /** interface flags, as in netdevice(7) SIOCGIFFLAGS */
+ u_int flags;
+
+ /** list of addresses as host_t */
+ linked_list_t *addrs;
+};
+
+/**
+ * destroy an interface entry
+ */
+static void iface_entry_destroy(iface_entry_t *this)
+{
+ this->addrs->destroy_function(this->addrs, (void*)addr_entry_destroy);
+ free(this);
+}
+
+
+typedef struct private_kernel_pfroute_net_t private_kernel_pfroute_net_t;
+
+/**
+ * Private variables and functions of kernel_pfroute class.
+ */
+struct private_kernel_pfroute_net_t
+{
+ /**
+ * Public part of the kernel_pfroute_t object.
+ */
+ kernel_pfroute_net_t public;
+
+ /**
+ * mutex to lock access to various lists
+ */
+ mutex_t *mutex;
+
+ /**
+ * Cached list of interfaces and their addresses (iface_entry_t)
+ */
+ linked_list_t *ifaces;
+
+ /**
+ * job receiving PF_ROUTE events
+ */
+ callback_job_t *job;
+
+ /**
+ * mutex to lock access to the PF_ROUTE socket
+ */
+ mutex_t *mutex_pfroute;
+
+ /**
+ * PF_ROUTE socket to communicate with the kernel
+ */
+ int socket;
+
+ /**
+ * PF_ROUTE socket to receive events
+ */
+ int socket_events;
+
+ /**
+ * sequence number for messages sent to the kernel
+ */
+ int seq;
+
+ /**
+ * time of last roam job
+ */
+ struct timeval last_roam;
+};
+
+/**
+ * Start a roaming job. We delay it a bit and fire only one job
+ * for multiple events. Otherwise we would create too many jobs.
+ */
+static void fire_roam_job(private_kernel_pfroute_net_t *this, bool address)
+{
+ struct timeval now;
+
+ if (gettimeofday(&now, NULL) == 0)
+ {
+ if (timercmp(&now, &this->last_roam, >))
+ {
+ now.tv_usec += ROAM_DELAY * 1000;
+ while (now.tv_usec > 1000000)
+ {
+ now.tv_sec++;
+ now.tv_usec -= 1000000;
+ }
+ this->last_roam = now;
+ charon->scheduler->schedule_job_ms(charon->scheduler,
+ (job_t*)roam_job_create(address), ROAM_DELAY);
+ }
+ }
+}
+
+/**
+ * Process an RTM_*ADDR message from the kernel
+ */
+static void process_addr(private_kernel_pfroute_net_t *this,
+ struct rt_msghdr *msg)
+{
+ struct ifa_msghdr *ifa = (struct ifa_msghdr*)msg;
+ sockaddr_t *sockaddr = (sockaddr_t*)(ifa + 1);
+ host_t *host = NULL;
+ enumerator_t *ifaces, *addrs;
+ iface_entry_t *iface;
+ addr_entry_t *addr;
+ bool found = FALSE, changed = FALSE, roam = FALSE;
+ int i;
+
+ for (i = 1; i < (1 << RTAX_MAX); i <<= 1)
+ {
+ if (ifa->ifam_addrs & i)
+ {
+ if (RTA_IFA & i)
+ {
+ host = host_create_from_sockaddr(sockaddr);
+ break;
+ }
+ sockaddr = (sockaddr_t*)((char*)sockaddr + sockaddr->sa_len);
+ }
+ }
+
+ if (!host)
+ {
+ return;
+ }
+
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
+ {
+ if (iface->ifindex == ifa->ifam_index)
+ {
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, &addr))
+ {
+ if (host->ip_equals(host, addr->ip))
+ {
+ found = TRUE;
+ if (ifa->ifam_type == RTM_DELADDR)
+ {
+ iface->addrs->remove_at(iface->addrs, addrs);
+ if (!addr->virtual)
+ {
+ changed = TRUE;
+ DBG1(DBG_KNL, "%H disappeared from %s",
+ host, iface->ifname);
+ }
+ addr_entry_destroy(addr);
+ }
+ else if (ifa->ifam_type == RTM_NEWADDR && addr->virtual)
+ {
+ addr->refcount = 1;
+ }
+ }
+ }
+ addrs->destroy(addrs);
+
+ if (!found && ifa->ifam_type == RTM_NEWADDR)
+ {
+ changed = TRUE;
+ addr = malloc_thing(addr_entry_t);
+ addr->ip = host->clone(host);
+ addr->virtual = FALSE;
+ addr->refcount = 1;
+ iface->addrs->insert_last(iface->addrs, addr);
+ DBG1(DBG_KNL, "%H appeared on %s", host, iface->ifname);
+ }
+
+ if (changed && (iface->flags & IFF_UP))
+ {
+ roam = TRUE;
+ }
+ break;
+ }
+ }
+ ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
+ host->destroy(host);
+
+ if (roam)
+ {
+ fire_roam_job(this, TRUE);
+ }
+}
+
+/**
+ * Process an RTM_IFINFO message from the kernel
+ */
+static void process_link(private_kernel_pfroute_net_t *this,
+ struct rt_msghdr *hdr)
+{
+ struct if_msghdr *msg = (struct if_msghdr*)hdr;
+ enumerator_t *enumerator;
+ iface_entry_t *iface;
+ bool roam = FALSE;
+
+ if (msg->ifm_flags & IFF_LOOPBACK)
+ { /* ignore loopback interfaces */
+ return;
+ }
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->ifaces->create_enumerator(this->ifaces);
+ while (enumerator->enumerate(enumerator, &iface))
+ {
+ if (iface->ifindex == msg->ifm_index)
+ {
+ if (!(iface->flags & IFF_UP) && (msg->ifm_flags & IFF_UP))
+ {
+ roam = TRUE;
+ DBG1(DBG_KNL, "interface %s activated", iface->ifname);
+ }
+ else if ((iface->flags & IFF_UP) && !(msg->ifm_flags & IFF_UP))
+ {
+ roam = TRUE;
+ DBG1(DBG_KNL, "interface %s deactivated", iface->ifname);
+ }
+ iface->flags = msg->ifm_flags;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+
+ if (roam)
+ {
+ fire_roam_job(this, TRUE);
+ }
+}
+
+/**
+ * Process an RTM_*ROUTE message from the kernel
+ */
+static void process_route(private_kernel_pfroute_net_t *this,
+ struct rt_msghdr *msg)
+{
+
+}
+
+/**
+ * Receives events from kernel
+ */
+static job_requeue_t receive_events(private_kernel_pfroute_net_t *this)
+{
+ unsigned char buf[PFROUTE_BUFFER_SIZE];
+ struct rt_msghdr *msg = (struct rt_msghdr*)buf;
+ int len, oldstate;
+
+ pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
+ len = recvfrom(this->socket_events, buf, sizeof(buf), 0, NULL, 0);
+ pthread_setcancelstate(oldstate, NULL);
+
+ if (len < 0)
+ {
+ switch (errno)
+ {
+ case EINTR:
+ /* interrupted, try again */
+ return JOB_REQUEUE_DIRECT;
+ case EAGAIN:
+ /* no data ready, select again */
+ return JOB_REQUEUE_DIRECT;
+ default:
+ DBG1(DBG_KNL, "unable to receive from PF_ROUTE event socket");
+ sleep(1);
+ return JOB_REQUEUE_FAIR;
+ }
+ }
+
+ if (len < sizeof(msg->rtm_msglen) || len < msg->rtm_msglen ||
+ msg->rtm_version != RTM_VERSION)
+ {
+ DBG2(DBG_KNL, "received corrupted PF_ROUTE message");
+ return JOB_REQUEUE_DIRECT;
+ }
+
+ switch (msg->rtm_type)
+ {
+ case RTM_NEWADDR:
+ case RTM_DELADDR:
+ process_addr(this, msg);
+ break;
+ case RTM_IFINFO:
+ /*case RTM_IFANNOUNCE <- what about this*/
+ process_link(this, msg);
+ break;
+ case RTM_ADD:
+ case RTM_DELETE:
+ process_route(this, msg);
+ default:
+ break;
+ }
+
+ return JOB_REQUEUE_DIRECT;
+}
+
+
+/** enumerator over addresses */
+typedef struct {
+ private_kernel_pfroute_net_t* this;
+ /** whether to enumerate down interfaces */
+ bool include_down_ifaces;
+ /** whether to enumerate virtual ip addresses */
+ bool include_virtual_ips;
+} address_enumerator_t;
+
+/**
+ * cleanup function for address enumerator
+ */
+static void address_enumerator_destroy(address_enumerator_t *data)
+{
+ data->this->mutex->unlock(data->this->mutex);
+ free(data);
+}
+
+/**
+ * filter for addresses
+ */
+static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out)
+{
+ host_t *ip;
+ if (!data->include_virtual_ips && (*in)->virtual)
+ { /* skip virtual interfaces added by us */
+ return FALSE;
+ }
+ ip = (*in)->ip;
+ if (ip->get_family(ip) == AF_INET6)
+ {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ip->get_sockaddr(ip);
+ if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+ { /* skip addresses with a unusable scope */
+ return FALSE;
+ }
+ }
+ *out = ip;
+ return TRUE;
+}
+
+/**
+ * enumerator constructor for interfaces
+ */
+static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data)
+{
+ return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs),
+ (void*)filter_addresses, data, NULL);
+}
+
+/**
+ * filter for interfaces
+ */
+static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out)
+{
+ if (!data->include_down_ifaces && !((*in)->flags & IFF_UP))
+ { /* skip interfaces not up */
+ return FALSE;
+ }
+ *out = *in;
+ return TRUE;
+}
+
+/**
+ * implementation of kernel_net_t.create_address_enumerator
+ */
+static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this,
+ bool include_down_ifaces, bool include_virtual_ips)
+{
+ address_enumerator_t *data = malloc_thing(address_enumerator_t);
+ data->this = this;
+ data->include_down_ifaces = include_down_ifaces;
+ data->include_virtual_ips = include_virtual_ips;
+
+ this->mutex->lock(this->mutex);
+ return enumerator_create_nested(
+ enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces),
+ (void*)filter_interfaces, data, NULL),
+ (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy);
+}
+
+/**
+ * implementation of kernel_net_t.get_interface_name
+ */
+static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip)
+{
+ enumerator_t *ifaces, *addrs;
+ iface_entry_t *iface;
+ addr_entry_t *addr;
+ char *name = NULL;
+
+ DBG2(DBG_KNL, "getting interface name for %H", ip);
+
+ this->mutex->lock(this->mutex);
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
+ {
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, &addr))
+ {
+ if (ip->ip_equals(ip, addr->ip))
+ {
+ name = strdup(iface->ifname);
+ break;
+ }
+ }
+ addrs->destroy(addrs);
+ if (name)
+ {
+ break;
+ }
+ }
+ ifaces->destroy(ifaces);
+ this->mutex->unlock(this->mutex);
+
+ if (name)
+ {
+ DBG2(DBG_KNL, "%H is on interface %s", ip, name);
+ }
+ else
+ {
+ DBG2(DBG_KNL, "%H is not a local address", ip);
+ }
+ return name;
+}
+
+/**
+ * Implementation of kernel_net_t.get_source_addr.
+ */
+static host_t* get_source_addr(private_kernel_pfroute_net_t *this,
+ host_t *dest, host_t *src)
+{
+ return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.get_nexthop.
+ */
+static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest)
+{
+ return NULL;
+}
+
+/**
+ * Implementation of kernel_net_t.add_ip.
+ */
+static status_t add_ip(private_kernel_pfroute_net_t *this,
+ host_t *virtual_ip, host_t *iface_ip)
+{
+ return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_ip.
+ */
+static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip)
+{
+ return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.add_route.
+ */
+static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+ u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+ return FAILED;
+}
+
+/**
+ * Implementation of kernel_net_t.del_route.
+ */
+static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net,
+ u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name)
+{
+ return FAILED;
+}
+
+/**
+ * Initialize a list of local addresses.
+ */
+static status_t init_address_list(private_kernel_pfroute_net_t *this)
+{
+ struct ifaddrs *ifap, *ifa;
+ iface_entry_t *iface, *current;
+ addr_entry_t *addr;
+ enumerator_t *ifaces, *addrs;
+
+ DBG1(DBG_KNL, "listening on interfaces:");
+
+ if (getifaddrs(&ifap) < 0)
+ {
+ DBG1(DBG_KNL, " failed to get interfaces!");
+ return FAILED;
+ }
+
+ for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
+ {
+ if (ifa->ifa_addr == NULL)
+ {
+ continue;
+ }
+ switch(ifa->ifa_addr->sa_family)
+ {
+ case AF_LINK:
+ case AF_INET:
+ case AF_INET6:
+ {
+ if (ifa->ifa_flags & IFF_LOOPBACK)
+ { /* ignore loopback interfaces */
+ continue;
+ }
+
+ iface = NULL;
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &current))
+ {
+ if (streq(current->ifname, ifa->ifa_name))
+ {
+ iface = current;
+ break;
+ }
+ }
+ ifaces->destroy(ifaces);
+
+ if (!iface)
+ {
+ iface = malloc_thing(iface_entry_t);
+ memcpy(iface->ifname, ifa->ifa_name, IFNAMSIZ);
+ iface->ifindex = if_nametoindex(ifa->ifa_name);
+ iface->flags = ifa->ifa_flags;
+ iface->addrs = linked_list_create();
+ this->ifaces->insert_last(this->ifaces, iface);
+ }
+
+ if (ifa->ifa_addr->sa_family != AF_LINK)
+ {
+ addr = malloc_thing(addr_entry_t);
+ addr->ip = host_create_from_sockaddr(ifa->ifa_addr);
+ addr->virtual = FALSE;
+ addr->refcount = 1;
+ iface->addrs->insert_last(iface->addrs, addr);
+ }
+ }
+ }
+ }
+ freeifaddrs(ifap);
+
+ ifaces = this->ifaces->create_enumerator(this->ifaces);
+ while (ifaces->enumerate(ifaces, &iface))
+ {
+ if (iface->flags & IFF_UP)
+ {
+ DBG1(DBG_KNL, " %s", iface->ifname);
+ addrs = iface->addrs->create_enumerator(iface->addrs);
+ while (addrs->enumerate(addrs, (void**)&addr))
+ {
+ DBG1(DBG_KNL, " %H", addr->ip);
+ }
+ addrs->destroy(addrs);
+ }
+ }
+ ifaces->destroy(ifaces);
+
+ return SUCCESS;
+}
+
+/**
+ * Implementation of kernel_netlink_net_t.destroy.
+ */
+static void destroy(private_kernel_pfroute_net_t *this)
+{
+ this->job->cancel(this->job);
+ close(this->socket);
+ close(this->socket_events);
+ this->ifaces->destroy_function(this->ifaces, (void*)iface_entry_destroy);
+ this->mutex->destroy(this->mutex);
+ this->mutex_pfroute->destroy(this->mutex_pfroute);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create()
+{
+ private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
+
+ /* public functions */
+ this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
+ this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
+ this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
+ this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
+ this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
+ this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
+ this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
+ this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
+
+ this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
+
+ /* private members */
+ this->ifaces = linked_list_create();
+ this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex_pfroute = mutex_create(MUTEX_DEFAULT);
+
+ this->seq = 0;
+
+ /* create a PF_ROUTE socket to communicate with the kernel */
+ this->socket = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+ if (this->socket <= 0)
+ {
+ charon->kill(charon, "unable to create PF_ROUTE socket");
+ }
+
+ /* create a PF_ROUTE socket to receive events */
+ this->socket_events = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
+ if (this->socket_events <= 0)
+ {
+ charon->kill(charon, "unable to create PF_ROUTE event socket");
+ }
+
+ this->job = callback_job_create((callback_job_cb_t)receive_events,
+ this, NULL, NULL);
+ charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+ if (init_address_list(this) != SUCCESS)
+ {
+ charon->kill(charon, "unable to get interface list");
+ }
+
+ return &this->public;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
new file mode 100644
index 000000000..10c3c9eb7
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute_net_i kernel_pfroute_net
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_NET_H_
+#define KERNEL_PFROUTE_NET_H_
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_pfroute_net_t kernel_pfroute_net_t;
+
+/**
+ * Implementation of the kernel net interface using PF_ROUTE.
+ */
+struct kernel_pfroute_net_t {
+
+ /**
+ * Implements kernel_net_t interface
+ */
+ kernel_net_t interface;
+};
+
+/**
+ * Create a PF_ROUTE kernel net interface instance.
+ *
+ * @return kernel_pfroute_net_t instance
+ */
+kernel_pfroute_net_t *kernel_pfroute_net_create();
+
+#endif /** KERNEL_PFROUTE_NET_H_ @}*/
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
new file mode 100644
index 000000000..767049bb0
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "kernel_pfroute_plugin.h"
+
+#include "kernel_pfroute_net.h"
+
+#include <daemon.h>
+
+typedef struct private_kernel_pfroute_plugin_t private_kernel_pfroute_plugin_t;
+
+/**
+ * private data of kernel PF_ROUTE plugin
+ */
+struct private_kernel_pfroute_plugin_t {
+ /**
+ * implements plugin interface
+ */
+ kernel_pfroute_plugin_t public;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_kernel_pfroute_plugin_t *this)
+{
+ charon->kernel_interface->remove_net_interface(charon->kernel_interface,
+ (kernel_net_constructor_t)kernel_pfroute_net_create);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ charon->kernel_interface->add_net_interface(charon->kernel_interface,
+ (kernel_net_constructor_t)kernel_pfroute_net_create);
+
+ return &this->public.plugin;
+}
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
new file mode 100644
index 000000000..6caf097c6
--- /dev/null
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup kernel_pfroute kernel_pfroute
+ * @ingroup cplugins
+ *
+ * @defgroup kernel_pfroute_plugin kernel_pfroute_plugin
+ * @{ @ingroup kernel_pfroute
+ */
+
+#ifndef KERNEL_PFROUTE_PLUGIN_H_
+#define KERNEL_PFROUTE_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_pfroute_plugin_t kernel_pfroute_plugin_t;
+
+/**
+ * PF_ROUTE kernel interface plugin
+ */
+struct kernel_pfroute_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a kernel_pfroute_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** KERNEL_PFROUTE_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
index 5a24e83e9..056ac16d3 100644
--- a/src/charon/plugins/load_tester/Makefile.in
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -92,6 +92,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -114,6 +115,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -125,6 +129,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -138,6 +143,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -198,6 +205,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -209,6 +217,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -233,8 +242,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -333,7 +342,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/load_tester/load_tester_config.c b/src/charon/plugins/load_tester/load_tester_config.c
index f3cd33b61..963f7cc01 100644
--- a/src/charon/plugins/load_tester/load_tester_config.c
+++ b/src/charon/plugins/load_tester/load_tester_config.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "load_tester_config.h"
@@ -57,9 +55,24 @@ struct private_load_tester_config_t {
proposal_t *proposal;
/**
- * Authentication method to use
+ * Authentication method(s) to use/expect from initiator
*/
- auth_class_t class;
+ char *initiator_auth;
+
+ /**
+ * Authentication method(s) use/expected from responder
+ */
+ char *responder_auth;
+
+ /**
+ * IKE_SA rekeying delay
+ */
+ u_int ike_rekey;
+
+ /**
+ * CHILD_SA rekeying delay
+ */
+ u_int child_rekey;
/**
* incremental numbering of generated configs
@@ -68,6 +81,97 @@ struct private_load_tester_config_t {
};
/**
+ * Generate auth config from string
+ */
+static void generate_auth_cfg(private_load_tester_config_t *this, char *str,
+ peer_cfg_t *peer_cfg, bool local, int num)
+{
+ enumerator_t *enumerator;
+ auth_cfg_t *auth;
+ identification_t *id;
+ auth_class_t class;
+ eap_type_t type;
+ char buf[128];
+ int rnd = 0;
+
+ enumerator = enumerator_create_token(str, "|", " ");
+ while (enumerator->enumerate(enumerator, &str))
+ {
+ auth = auth_cfg_create();
+ rnd++;
+
+ if (streq(str, "psk"))
+ { /* PSK authentication, use FQDNs */
+ class = AUTH_CLASS_PSK;
+ if ((local && !num) || (!local && num))
+ {
+ id = identification_create_from_string("srv.strongswan.org");
+ }
+ else if (local)
+ {
+ snprintf(buf, sizeof(buf), "c%d-r%d.strongswan.org", num, rnd);
+ id = identification_create_from_string(buf);
+ }
+ else
+ {
+ id = identification_create_from_string("*.strongswan.org");
+ }
+ }
+ else if (strneq(str, "eap", strlen("eap")))
+ { /* EAP authentication, use a NAI */
+ class = AUTH_CLASS_EAP;
+ if (*(str + strlen("eap")) == '-')
+ {
+ type = eap_type_from_string(str + strlen("eap-"));
+ if (type)
+ {
+ auth->add(auth, AUTH_RULE_EAP_TYPE, type);
+ }
+ }
+ if (local && num)
+ {
+ snprintf(buf, sizeof(buf), "1%.10d%.4d@strongswan.org", num, rnd);
+ id = identification_create_from_string(buf);
+ }
+ else
+ {
+ id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ }
+ }
+ else
+ {
+ if (!streq(str, "pubkey"))
+ {
+ DBG1(DBG_CFG, "invalid authentication: '%s', fallback to pubkey",
+ str);
+ }
+ /* certificate authentication, use distinguished names */
+ class = AUTH_CLASS_PUBKEY;
+ if ((local && !num) || (!local && num))
+ {
+ id = identification_create_from_string(
+ "CN=srv, OU=load-test, O=strongSwan");
+ }
+ else if (local)
+ {
+ snprintf(buf, sizeof(buf),
+ "CN=c%d-r%d, OU=load-test, O=strongSwan", num, rnd);
+ id = identification_create_from_string(buf);
+ }
+ else
+ {
+ id = identification_create_from_string(
+ "CN=*, OU=load-test, O=strongSwan");
+ }
+ }
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
+ auth->add(auth, AUTH_RULE_IDENTITY, id);
+ peer_cfg->add_auth_cfg(peer_cfg, auth, local);
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
* Generate a new initiator config, num = 0 for responder config
*/
static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
@@ -76,36 +180,29 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
child_cfg_t *child_cfg;
peer_cfg_t *peer_cfg;
traffic_selector_t *ts;
- auth_info_t *auth;
- identification_t *local, *remote;
proposal_t *proposal;
- char buf[128];
+ ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
+ ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
+ peer_cfg = peer_cfg_create("load-test", 2, ike_cfg,
+ CERT_SEND_IF_ASKED, UNIQUE_NO, 1, /* keytries */
+ this->ike_rekey, 0, /* rekey, reauth */
+ 0, this->ike_rekey, /* jitter, overtime */
+ FALSE, 0, /* mobike, dpddelay */
+ this->vip ? this->vip->clone(this->vip) : NULL,
+ this->pool, FALSE, NULL, NULL);
if (num)
{ /* initiator */
- snprintf(buf, sizeof(buf), "CN=cli-%d, OU=load-test, O=strongSwan", num);
- local = identification_create_from_string(buf);
- snprintf(buf, sizeof(buf), "CN=srv, OU=load-test, O=strongSwan", num);
- remote = identification_create_from_string(buf);
+ generate_auth_cfg(this, this->initiator_auth, peer_cfg, TRUE, num);
+ generate_auth_cfg(this, this->responder_auth, peer_cfg, FALSE, num);
}
else
{ /* responder */
- local = identification_create_from_string(
- "CN=srv, OU=load-test, O=strongSwan");
- remote = identification_create_from_string(
- "CN=*, OU=load-test, O=strongSwan");
+ generate_auth_cfg(this, this->responder_auth, peer_cfg, TRUE, num);
+ generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
}
-
- ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", this->remote);
- ike_cfg->add_proposal(ike_cfg, this->proposal->clone(this->proposal));
- peer_cfg = peer_cfg_create("load-test", 2, ike_cfg, local, remote,
- CERT_SEND_IF_ASKED, UNIQUE_NO, 1, 0, 0, /* keytries, rekey, reauth */
- 0, 0, FALSE, 0, /* jitter, overtime, mobike, dpddelay */
- this->vip ? this->vip->clone(this->vip) : NULL,
- this->pool, FALSE, NULL, NULL);
- auth = peer_cfg->get_auth(peer_cfg);
- auth->add_item(auth, AUTHN_AUTH_CLASS, &this->class);
- child_cfg = child_cfg_create("load-test", 600, 400, 100, NULL, TRUE,
+ child_cfg = child_cfg_create("load-test", this->child_rekey * 2,
+ this->child_rekey, 0, NULL, TRUE,
MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
child_cfg->add_proposal(child_cfg, proposal);
@@ -169,7 +266,6 @@ static void destroy(private_load_tester_config_t *this)
load_tester_config_t *load_tester_config_create()
{
private_load_tester_config_t *this = malloc_thing(private_load_tester_config_t);
- char *authstr;
this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator;
this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator;
@@ -195,16 +291,15 @@ load_tester_config_t *load_tester_config_create()
this->proposal = proposal_create_from_string(PROTO_IKE,
"aes128-sha1-modp768");
}
- authstr = lib->settings->get_str(lib->settings,
- "charon.plugins.load_tester.auth", "pubkey");
- if (streq(authstr, "psk"))
- {
- this->class = AUTH_CLASS_PSK;
- }
- else
- {
- this->class = AUTH_CLASS_PUBKEY;
- }
+ this->ike_rekey = lib->settings->get_int(lib->settings,
+ "charon.plugins.load_tester.ike_rekey", 0);
+ this->child_rekey = lib->settings->get_int(lib->settings,
+ "charon.plugins.load_tester.child_rekey", 600);
+
+ this->initiator_auth = lib->settings->get_str(lib->settings,
+ "charon.plugins.load_tester.initiator_auth", "pubkey");
+ this->responder_auth = lib->settings->get_str(lib->settings,
+ "charon.plugins.load_tester.responder_auth", "pubkey");
this->num = 1;
this->peer_cfg = generate_config(this, 0);
diff --git a/src/charon/plugins/load_tester/load_tester_config.h b/src/charon/plugins/load_tester/load_tester_config.h
index 92a0ff95b..f09a3f832 100644
--- a/src/charon/plugins/load_tester/load_tester_config.h
+++ b/src/charon/plugins/load_tester/load_tester_config.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/load_tester/load_tester_creds.c b/src/charon/plugins/load_tester/load_tester_creds.c
index 476a90b9f..fdb5fa370 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.c
+++ b/src/charon/plugins/load_tester/load_tester_creds.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "load_tester_creds.h"
diff --git a/src/charon/plugins/load_tester/load_tester_creds.h b/src/charon/plugins/load_tester/load_tester_creds.h
index ed73f14c3..60cf67795 100644
--- a/src/charon/plugins/load_tester/load_tester_creds.h
+++ b/src/charon/plugins/load_tester/load_tester_creds.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
index 4cc9dbc48..87d9ef42b 100644
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "load_tester_diffie_hellman.h"
diff --git a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
index 422428a54..045c4bb4a 100644
--- a/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
+++ b/src/charon/plugins/load_tester/load_tester_diffie_hellman.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
index 9abd65195..d37f7a7bd 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "load_tester_ipsec.h"
@@ -88,8 +86,9 @@ static status_t update_sa(private_load_tester_ipsec_t *this,
/**
* Implementation of kernel_interface_t.del_sa.
*/
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int16_t cpi)
{
return SUCCESS;
}
@@ -152,7 +151,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
- this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
+ this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.h b/src/charon/plugins/load_tester/load_tester_ipsec.h
index 4f374032f..1e1bff84a 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.h
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/load_tester/load_tester_listener.c b/src/charon/plugins/load_tester/load_tester_listener.c
index fe9e16fe7..fe9a90aed 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.c
+++ b/src/charon/plugins/load_tester/load_tester_listener.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "load_tester_listener.h"
diff --git a/src/charon/plugins/load_tester/load_tester_listener.h b/src/charon/plugins/load_tester/load_tester_listener.h
index b61da0cb3..6842b3532 100644
--- a/src/charon/plugins/load_tester/load_tester_listener.h
+++ b/src/charon/plugins/load_tester/load_tester_listener.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
index 444a92e2b..12ac7b090 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.c
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "load_tester_plugin.h"
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.h b/src/charon/plugins/load_tester/load_tester_plugin.h
index e0b64cfef..87e8914e0 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.h
+++ b/src/charon/plugins/load_tester/load_tester_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
index 33c08eea8..cef486411 100644
--- a/src/charon/plugins/medcli/Makefile.in
+++ b/src/charon/plugins/medcli/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -325,7 +334,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/medcli/medcli_config.c b/src/charon/plugins/medcli/medcli_config.c
index d1e6c0c9e..3b3332549 100644
--- a/src/charon/plugins/medcli/medcli_config.c
+++ b/src/charon/plugins/medcli/medcli_config.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#define _GNU_SOURCE
@@ -97,6 +95,7 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
{
enumerator_t *e;
peer_cfg_t *peer_cfg, *med_cfg;
+ auth_cfg_t *auth;
ike_cfg_t *ike_cfg;
child_cfg_t *child_cfg;
chunk_t me, other;
@@ -118,8 +117,6 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
med_cfg = peer_cfg_create(
"mediation", 2, ike_cfg,
- identification_create_from_encoding(ID_KEY_ID, me),
- identification_create_from_encoding(ID_KEY_ID, other),
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
@@ -128,6 +125,17 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_encoding(ID_KEY_ID, me));
+ med_cfg->add_auth_cfg(med_cfg, auth, TRUE);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_encoding(ID_KEY_ID, other));
+ med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
+
/* query mediated config:
* - use any-any ike_cfg
* - build peer_cfg on-the-fly using med_cfg
@@ -146,8 +154,6 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
}
peer_cfg = peer_cfg_create(
name, 2, this->ike->get_ref(this->ike),
- identification_create_from_encoding(ID_KEY_ID, me),
- identification_create_from_encoding(ID_KEY_ID, other),
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
@@ -156,6 +162,17 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
FALSE, med_cfg, /* mediation, med by */
identification_create_from_encoding(ID_KEY_ID, other));
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_encoding(ID_KEY_ID, me));
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_encoding(ID_KEY_ID, other));
+ peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
child_cfg = child_cfg_create(name, this->rekey*60 + this->rekey,
this->rekey*60, this->rekey, NULL, TRUE,
MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
@@ -199,7 +216,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
char *name, *local_net, *remote_net;
chunk_t me, other;
child_cfg_t *child_cfg;
-
+ auth_cfg_t *auth;
+
DESTROY_IF(this->current);
if (!this->inner->enumerate(this->inner, &name, &me, &other,
&local_net, &remote_net))
@@ -209,14 +227,24 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
}
this->current = peer_cfg_create(
name, 2, this->ike->get_ref(this->ike),
- identification_create_from_encoding(ID_KEY_ID, me),
- identification_create_from_encoding(ID_KEY_ID, other),
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
TRUE, this->dpd, /* mobike, dpddelay */
NULL, NULL, /* vip, pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
+
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_encoding(ID_KEY_ID, me));
+ this->current->add_auth_cfg(this->current, auth, TRUE);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_encoding(ID_KEY_ID, other));
+ this->current->add_auth_cfg(this->current, auth, FALSE);
+
child_cfg = child_cfg_create(
name, this->rekey*60 + this->rekey,
this->rekey*60, this->rekey, NULL, TRUE,
diff --git a/src/charon/plugins/medcli/medcli_config.h b/src/charon/plugins/medcli/medcli_config.h
index 9c0357a26..a37280bd0 100644
--- a/src/charon/plugins/medcli/medcli_config.h
+++ b/src/charon/plugins/medcli/medcli_config.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/medcli/medcli_creds.c b/src/charon/plugins/medcli/medcli_creds.c
index 1e99f6990..d3c66ae35 100644
--- a/src/charon/plugins/medcli/medcli_creds.c
+++ b/src/charon/plugins/medcli/medcli_creds.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "medcli_creds.h"
@@ -96,7 +94,7 @@ static enumerator_t* create_private_enumerator(private_medcli_creds_t *this,
if ((type != KEY_RSA && type != KEY_ANY) ||
id == NULL || id->get_type(id) != ID_KEY_ID)
{
- DBG1(DBG_CFG, "%N - %D", key_type_names, type, id);
+ DBG1(DBG_CFG, "%N - %Y", key_type_names, type, id);
return NULL;
}
diff --git a/src/charon/plugins/medcli/medcli_creds.h b/src/charon/plugins/medcli/medcli_creds.h
index 4e563b4ac..97bf1c226 100644
--- a/src/charon/plugins/medcli/medcli_creds.h
+++ b/src/charon/plugins/medcli/medcli_creds.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/medcli/medcli_listener.c b/src/charon/plugins/medcli/medcli_listener.c
index c057ea2b5..4d058c0cd 100644
--- a/src/charon/plugins/medcli/medcli_listener.c
+++ b/src/charon/plugins/medcli/medcli_listener.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "medcli_listener.h"
diff --git a/src/charon/plugins/medcli/medcli_listener.h b/src/charon/plugins/medcli/medcli_listener.h
index 291e66097..c6881f88a 100644
--- a/src/charon/plugins/medcli/medcli_listener.h
+++ b/src/charon/plugins/medcli/medcli_listener.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/medcli/medcli_plugin.c b/src/charon/plugins/medcli/medcli_plugin.c
index 1642ed2fe..908b144f0 100644
--- a/src/charon/plugins/medcli/medcli_plugin.c
+++ b/src/charon/plugins/medcli/medcli_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "medcli_plugin.h"
diff --git a/src/charon/plugins/medcli/medcli_plugin.h b/src/charon/plugins/medcli/medcli_plugin.h
index 791a5cea5..06f674b37 100644
--- a/src/charon/plugins/medcli/medcli_plugin.h
+++ b/src/charon/plugins/medcli/medcli_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
index 2e97ca503..ec537e505 100644
--- a/src/charon/plugins/medsrv/Makefile.in
+++ b/src/charon/plugins/medsrv/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -323,7 +332,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/medsrv/medsrv_config.c b/src/charon/plugins/medsrv/medsrv_config.c
index bec6837c0..1ab7f3864 100644
--- a/src/charon/plugins/medsrv/medsrv_config.c
+++ b/src/charon/plugins/medsrv/medsrv_config.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include <string.h>
@@ -92,13 +90,13 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
if (e)
{
peer_cfg_t *peer_cfg;
+ auth_cfg_t *auth;
char *name;
if (e->enumerate(e, &name))
{
peer_cfg = peer_cfg_create(
name, 2, this->ike->get_ref(this->ike),
- me->clone(me), other->clone(other),
CERT_NEVER_SEND, UNIQUE_REPLACE,
1, this->rekey*60, 0, /* keytries, rekey, reauth */
this->rekey*5, this->rekey*3, /* jitter, overtime */
@@ -106,6 +104,16 @@ static enumerator_t* create_peer_cfg_enumerator(private_medsrv_config_t *this,
NULL, NULL, /* vip, pool */
TRUE, NULL, NULL); /* mediation, med by, peer id */
e->destroy(e);
+
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY, me->clone(me));
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY, other->clone(other));
+ peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
return enumerator_create_single(peer_cfg, (void*)peer_cfg->destroy);
}
e->destroy(e);
diff --git a/src/charon/plugins/medsrv/medsrv_config.h b/src/charon/plugins/medsrv/medsrv_config.h
index a92780144..2ed63bca7 100644
--- a/src/charon/plugins/medsrv/medsrv_config.h
+++ b/src/charon/plugins/medsrv/medsrv_config.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/medsrv/medsrv_creds.c b/src/charon/plugins/medsrv/medsrv_creds.c
index 5d2d46e53..7dac37f1f 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.c
+++ b/src/charon/plugins/medsrv/medsrv_creds.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: medsrv_creds.c 4317 2008-09-02 11:00:13Z martin $
*/
#include "medsrv_creds.h"
diff --git a/src/charon/plugins/medsrv/medsrv_creds.h b/src/charon/plugins/medsrv/medsrv_creds.h
index 0ce77167c..da23220c2 100644
--- a/src/charon/plugins/medsrv/medsrv_creds.h
+++ b/src/charon/plugins/medsrv/medsrv_creds.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: medsrv_creds.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.c b/src/charon/plugins/medsrv/medsrv_plugin.c
index e34a1d4de..4340d7991 100644
--- a/src/charon/plugins/medsrv/medsrv_plugin.c
+++ b/src/charon/plugins/medsrv/medsrv_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: medsrv_plugin.c 4137 2008-07-01 13:57:47Z martin $
*/
#include "medsrv_plugin.h"
diff --git a/src/charon/plugins/medsrv/medsrv_plugin.h b/src/charon/plugins/medsrv/medsrv_plugin.h
index fbe04021f..4b183994f 100644
--- a/src/charon/plugins/medsrv/medsrv_plugin.h
+++ b/src/charon/plugins/medsrv/medsrv_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: medsrv_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index 9c8c64fe1..9a0b48cd2 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -5,6 +5,9 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-nm.la
libstrongswan_nm_la_SOURCES = \
- nm_plugin.h nm_plugin.c nm_service.h nm_service.c nm_creds.h nm_creds.c
+ nm_plugin.h nm_plugin.c \
+ nm_service.h nm_service.c \
+ nm_creds.h nm_creds.c \
+ nm_handler.h nm_handler.c
libstrongswan_nm_la_LDFLAGS = -module
libstrongswan_nm_la_LIBADD = ${nm_LIBS}
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index b3990fab1..a75af8a0f 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -52,7 +52,7 @@ LTLIBRARIES = $(plugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
libstrongswan_nm_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
am_libstrongswan_nm_la_OBJECTS = nm_plugin.lo nm_service.lo \
- nm_creds.lo
+ nm_creds.lo nm_handler.lo
libstrongswan_nm_la_OBJECTS = $(am_libstrongswan_nm_la_OBJECTS)
libstrongswan_nm_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -214,7 +223,10 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFL
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-nm.la
libstrongswan_nm_la_SOURCES = \
- nm_plugin.h nm_plugin.c nm_service.h nm_service.c nm_creds.h nm_creds.c
+ nm_plugin.h nm_plugin.c \
+ nm_service.h nm_service.c \
+ nm_creds.h nm_creds.c \
+ nm_handler.h nm_handler.c
libstrongswan_nm_la_LDFLAGS = -module
libstrongswan_nm_la_LIBADD = ${nm_LIBS}
@@ -226,8 +238,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -288,6 +300,7 @@ distclean-compile:
-rm -f *.tab.c
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_creds.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_handler.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_plugin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nm_service.Plo@am__quote@
@@ -323,7 +336,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index e7cd640a7..d93b81c9a 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "nm_creds.h"
@@ -259,9 +257,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id
{
this->lock->write_lock(this->lock);
DESTROY_IF(this->user);
- /* for EAP authentication, we use always use ID_EAP type */
- this->user = identification_create_from_encoding(ID_EAP,
- id->get_encoding(id));
+ this->user = id->clone(id);
free(this->pass);
this->pass = password ? strdup(password) : NULL;
this->lock->unlock(this->lock);
diff --git a/src/charon/plugins/nm/nm_creds.h b/src/charon/plugins/nm/nm_creds.h
index b0cc7a098..421442c81 100644
--- a/src/charon/plugins/nm/nm_creds.h
+++ b/src/charon/plugins/nm/nm_creds.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
@@ -23,6 +21,7 @@
#ifndef NM_CREDS_H_
#define NM_CREDS_H_
+#include <credentials/keys/private_key.h>
#include <credentials/credential_set.h>
typedef struct nm_creds_t nm_creds_t;
diff --git a/src/charon/plugins/nm/nm_handler.c b/src/charon/plugins/nm/nm_handler.c
new file mode 100644
index 000000000..026c47af2
--- /dev/null
+++ b/src/charon/plugins/nm/nm_handler.c
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "nm_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_nm_handler_t private_nm_handler_t;
+
+/**
+ * Private data of an nm_handler_t object.
+ */
+struct private_nm_handler_t {
+
+ /**
+ * Public nm_handler_t interface.
+ */
+ nm_handler_t public;
+
+ /**
+ * list of received DNS server attributes, pointer to 4 byte data
+ */
+ linked_list_t *dns;
+
+ /**
+ * list of received NBNS server attributes, pointer to 4 byte data
+ */
+ linked_list_t *nbns;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_nm_handler_t *this, ike_sa_t *ike_sa,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ linked_list_t *list;
+
+ switch (type)
+ {
+ case INTERNAL_IP4_DNS:
+ list = this->dns;
+ break;
+ case INTERNAL_IP4_NBNS:
+ list = this->nbns;
+ break;
+ default:
+ return FALSE;
+ }
+ if (data.len != 4)
+ {
+ return FALSE;
+ }
+ list->insert_last(list, chunk_clone(data).ptr);
+ return TRUE;
+}
+
+/**
+ * convert plain byte ptrs to handy chunk during enumeration
+ */
+static bool filter_chunks(void* null, char **in, chunk_t *out)
+{
+ *out = chunk_create(*in, 4);
+ return TRUE;
+}
+
+/**
+ * Implementation of nm_handler_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_nm_handler_t *this,
+ configuration_attribute_type_t type)
+{
+ linked_list_t *list;
+
+ switch (type)
+ {
+ case INTERNAL_IP4_DNS:
+ list = this->dns;
+ break;
+ case INTERNAL_IP4_NBNS:
+ list = this->nbns;
+ break;
+ default:
+ return enumerator_create_empty();
+ }
+ return enumerator_create_filter(list->create_enumerator(list),
+ (void*)filter_chunks, NULL, NULL);
+}
+
+/**
+ * Implementation of nm_handler_t.reset
+ */
+static void reset(private_nm_handler_t *this)
+{
+ void *data;
+
+ while (this->dns->remove_last(this->dns, (void**)&data) == SUCCESS)
+ {
+ free(data);
+ }
+ while (this->nbns->remove_last(this->nbns, (void**)&data) == SUCCESS)
+ {
+ free(data);
+ }
+}
+
+/**
+ * Implementation of nm_handler_t.destroy.
+ */
+static void destroy(private_nm_handler_t *this)
+{
+ reset(this);
+ this->dns->destroy(this->dns);
+ this->nbns->destroy(this->nbns);
+ free(this);
+}
+
+/**
+ * See header
+ */
+nm_handler_t *nm_handler_create()
+{
+ private_nm_handler_t *this = malloc_thing(private_nm_handler_t);
+
+ this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
+ this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))nop;
+ this->public.create_enumerator = (enumerator_t*(*)(nm_handler_t*, configuration_attribute_type_t type))create_enumerator;
+ this->public.reset = (void(*)(nm_handler_t*))reset;
+ this->public.destroy = (void(*)(nm_handler_t*))destroy;
+
+ this->dns = linked_list_create();
+ this->nbns = linked_list_create();
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/nm/nm_handler.h b/src/charon/plugins/nm/nm_handler.h
new file mode 100644
index 000000000..d537bb8de
--- /dev/null
+++ b/src/charon/plugins/nm/nm_handler.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup nm_handler nm_handler
+ * @{ @ingroup nm
+ */
+
+#ifndef NM_HANDLER_H_
+#define NM_HANDLER_H_
+
+#include <config/attributes/attribute_handler.h>
+
+typedef struct nm_handler_t nm_handler_t;
+
+/**
+ * Handles DNS/NBNS attributes to pass to NM.
+ */
+struct nm_handler_t {
+
+ /**
+ * Implements attribute handler interface
+ */
+ attribute_handler_t handler;
+
+ /**
+ * Create an enumerator over received attributes of a given kind.
+ *
+ * @param type type of attributes to enumerate
+ * @return enumerator over attribute data (chunk_t)
+ */
+ enumerator_t* (*create_enumerator)(nm_handler_t *this,
+ configuration_attribute_type_t type);
+ /**
+ * Reset state, flush all received attributes.
+ */
+ void (*reset)(nm_handler_t *this);
+
+ /**
+ * Destroy a nm_handler_t.
+ */
+ void (*destroy)(nm_handler_t *this);
+};
+
+/**
+ * Create a nm_handler instance.
+ */
+nm_handler_t *nm_handler_create();
+
+#endif /* NM_HANDLER_ @}*/
diff --git a/src/charon/plugins/nm/nm_plugin.c b/src/charon/plugins/nm/nm_plugin.c
index 1336293f4..1fb46f814 100644
--- a/src/charon/plugins/nm/nm_plugin.c
+++ b/src/charon/plugins/nm/nm_plugin.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,13 +11,12 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "nm_plugin.h"
#include "nm_service.h"
#include "nm_creds.h"
+#include "nm_handler.h"
#include <daemon.h>
#include <processing/jobs/callback_job.h>
@@ -50,6 +49,11 @@ struct private_nm_plugin_t {
* credential set registered at the daemon
*/
nm_creds_t *creds;
+
+ /**
+ * attribute handler regeisterd at the daemon
+ */
+ nm_handler_t *handler;
};
/**
@@ -59,8 +63,6 @@ static job_requeue_t run(private_nm_plugin_t *this)
{
this->loop = g_main_loop_new(NULL, FALSE);
g_main_loop_run(this->loop);
- g_main_loop_unref(this->loop);
-
return JOB_REQUEUE_NONE;
}
@@ -71,7 +73,11 @@ static void destroy(private_nm_plugin_t *this)
{
if (this->loop)
{
- g_main_loop_quit(this->loop);
+ if (g_main_loop_is_running(this->loop))
+ {
+ g_main_loop_quit(this->loop);
+ }
+ g_main_loop_unref(this->loop);
}
if (this->plugin)
{
@@ -79,6 +85,8 @@ static void destroy(private_nm_plugin_t *this)
}
charon->credentials->remove_set(charon->credentials, &this->creds->set);
this->creds->destroy(this->creds);
+ charon->attributes->remove_handler(charon->attributes, &this->handler->handler);
+ this->handler->destroy(this->handler);
free(this);
}
@@ -99,8 +107,10 @@ plugin_t *plugin_create()
}
this->creds = nm_creds_create();
+ this->handler = nm_handler_create();
charon->credentials->add_set(charon->credentials, &this->creds->set);
- this->plugin = nm_strongswan_plugin_new(this->creds);
+ charon->attributes->add_handler(charon->attributes, &this->handler->handler);
+ this->plugin = nm_strongswan_plugin_new(this->creds, this->handler);
if (!this->plugin)
{
DBG1(DBG_CFG, "DBUS binding failed");
diff --git a/src/charon/plugins/nm/nm_plugin.h b/src/charon/plugins/nm/nm_plugin.h
index fadcbfb96..18d053e11 100644
--- a/src/charon/plugins/nm/nm_plugin.h
+++ b/src/charon/plugins/nm/nm_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index 72744b784..bca4d9e09 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include <nm-setting-vpn.h>
@@ -23,6 +21,7 @@
#include <utils/host.h>
#include <utils/identification.h>
#include <config/peer_cfg.h>
+#include <credentials/certificates/x509.h>
#include <stdio.h>
@@ -34,10 +33,16 @@ G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
* Private data of NMStrongswanPlugin
*/
typedef struct {
+ /* implements bus listener interface */
listener_t listener;
+ /* IKE_SA we are listening on */
ike_sa_t *ike_sa;
+ /* backref to public plugin */
NMVPNPlugin *plugin;
+ /* credentials to use for authentication */
nm_creds_t *creds;
+ /* attribute handler for DNS/NBNS server information */
+ nm_handler_t *handler;
} NMStrongswanPluginPrivate;
#define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
@@ -45,6 +50,31 @@ typedef struct {
NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
/**
+ * convert enumerated handler chunks to a UINT_ARRAY GValue
+ */
+static GValue* handler_to_val(nm_handler_t *handler,
+ configuration_attribute_type_t type)
+{
+ GValue *val;
+ GArray *array;
+ enumerator_t *enumerator;
+ chunk_t chunk;
+
+ enumerator = handler->create_enumerator(handler, type);
+ array = g_array_new (FALSE, TRUE, sizeof (guint32));
+ while (enumerator->enumerate(enumerator, &chunk))
+ {
+ g_array_append_val (array, *(u_int32_t*)chunk.ptr);
+ }
+ enumerator->destroy(enumerator);
+ val = g_slice_new0 (GValue);
+ g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
+ g_value_set_boxed (val, array);
+
+ return val;
+}
+
+/**
* signal IPv4 config to NM, set connection as established
*/
static void signal_ipv4_config(NMVPNPlugin *plugin,
@@ -53,10 +83,12 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
GValue *val;
GHashTable *config;
host_t *me, *other;
+ nm_handler_t *handler;
config = g_hash_table_new(g_str_hash, g_str_equal);
me = ike_sa->get_my_host(ike_sa);
other = ike_sa->get_other_host(ike_sa);
+ handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
/* NM requires a tundev, but netkey does not use one. Passing an invalid
* iface makes NM complain, but it accepts it without fiddling on eth0. */
@@ -75,6 +107,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
g_value_set_uint(val, me->get_address(me).len * 8);
g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
+ val = handler_to_val(handler, INTERNAL_IP4_DNS);
+ g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
+
+ val = handler_to_val(handler, INTERNAL_IP4_NBNS);
+ g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
+
+ handler->reset(handler);
+
nm_vpn_plugin_set_ip4_config(plugin, config);
}
@@ -83,6 +123,10 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
*/
static void signal_failure(NMVPNPlugin *plugin)
{
+ nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+
+ handler->reset(handler);
+
/* TODO: NM does not handle this failure!? */
nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
@@ -151,9 +195,10 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
child_cfg_t *child_cfg;
traffic_selector_t *ts;
ike_sa_t *ike_sa;
- auth_info_t *auth;
+ auth_cfg_t *auth;
auth_class_t auth_class = AUTH_CLASS_EAP;
certificate_t *cert = NULL;
+ x509_t *x509;
bool agent = FALSE;
/**
@@ -201,7 +246,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds;
creds->clear(creds);
- /* gateway cert */
+ /* gateway/CA cert */
str = nm_setting_vpn_get_data_item(settings, "certificate");
if (str)
{
@@ -215,7 +260,21 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
"Loading gateway certificate failed.");
return FALSE;
}
- gateway = cert->get_subject(cert);
+ x509 = (x509_t*)cert;
+ if (x509->get_flags(x509) & X509_CA)
+ { /* If the user configured a CA certificate, we use the IP/DNS
+ * of the gateway as its identity. This identity will be used for
+ * certificate lookup and requires the configured IP/DNS to be
+ * included in the gateway certificate. */
+ gateway = identification_create_from_string((char*)address);
+ DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
+ }
+ else
+ { /* For a gateway certificate, we use the cert subject as identity. */
+ gateway = cert->get_subject(cert);
+ gateway = gateway->clone(gateway);
+ DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
+ }
if (auth_class == AUTH_CLASS_EAP)
{
@@ -223,8 +282,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
str = nm_setting_vpn_get_data_item(settings, "user");
if (str)
{
- user = identification_create_from_encoding(ID_KEY_ID,
- chunk_create(str, strlen(str)));
+ user = identification_create_from_string((char*)str);
str = nm_setting_vpn_get_secret(settings, "password");
creds->set_username_password(creds, user, (char*)str);
}
@@ -240,12 +298,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
private_key_t *private = NULL;
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, str, BUILD_END);
+ BUILD_FROM_FILE, str, BUILD_END);
if (!cert)
{
g_set_error(err, NM_VPN_PLUGIN_ERROR,
NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
"Loading peer certificate failed.");
+ gateway->destroy(gateway);
return FALSE;
}
/* try agent */
@@ -304,6 +363,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
else
{
DESTROY_IF(cert);
+ gateway->destroy(gateway);
return FALSE;
}
}
@@ -313,6 +373,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
{
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
"Configuration parameters missing.");
+ gateway->destroy(gateway);
return FALSE;
}
@@ -322,15 +383,21 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
- user, gateway->clone(gateway),
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
TRUE, 0, /* mobike, DPD */
virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
NULL, FALSE, NULL, NULL); /* pool, mediation */
- auth = peer_cfg->get_auth(peer_cfg);
- auth->add_item(auth, AUTHN_AUTH_CLASS, &auth_class);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
+ auth->add(auth, AUTH_RULE_IDENTITY, user);
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+ peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+
child_cfg = child_cfg_create(CONFIG_NAME,
10800, 10200, /* lifetime 3h, rekey 2h50min */
300, /* jitter 5min */
@@ -358,7 +425,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
{
peer_cfg->destroy(peer_cfg);
}
- if (ike_sa->initiate(ike_sa, child_cfg) != SUCCESS)
+ if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
{
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
@@ -489,7 +556,8 @@ static void nm_strongswan_plugin_class_init(
/**
* Object constructor
*/
-NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds)
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
+ nm_handler_t *handler)
{
NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
NM_TYPE_STRONGSWAN_PLUGIN,
@@ -498,6 +566,7 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds)
if (plugin)
{
NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds;
+ NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler;
}
return plugin;
}
diff --git a/src/charon/plugins/nm/nm_service.h b/src/charon/plugins/nm/nm_service.h
index bc6ebcf99..b00000b6f 100644
--- a/src/charon/plugins/nm/nm_service.h
+++ b/src/charon/plugins/nm/nm_service.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2008-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
@@ -28,6 +26,7 @@
#include <nm-vpn-plugin.h>
#include "nm_creds.h"
+#include "nm_handler.h"
#define NM_TYPE_STRONGSWAN_PLUGIN (nm_strongswan_plugin_get_type ())
#define NM_STRONGSWAN_PLUGIN(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), NM_TYPE_STRONGSWAN_PLUGIN, NMSTRONGSWANPlugin))
@@ -50,6 +49,7 @@ typedef struct {
GType nm_strongswan_plugin_get_type(void);
-NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds);
+NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
+ nm_handler_t *handler);
#endif /** NM_SERVICE_H_ @}*/
diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am
new file mode 100644
index 000000000..917964f93
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/Makefile.am
@@ -0,0 +1,13 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+
+AM_CFLAGS = -rdynamic \
+ -DRESOLV_CONF=\"${resolv_conf}\"
+
+plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
+libstrongswan_resolv_conf_la_SOURCES = \
+ resolv_conf_plugin.h resolv_conf_plugin.c \
+ resolv_conf_handler.h resolv_conf_handler.c
+libstrongswan_resolv_conf_la_LDFLAGS = -module
+
+
diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in
new file mode 100644
index 000000000..91ddae582
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/Makefile.in
@@ -0,0 +1,513 @@
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/charon/plugins/resolv_conf
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(plugindir)"
+pluginLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(plugin_LTLIBRARIES)
+libstrongswan_resolv_conf_la_LIBADD =
+am_libstrongswan_resolv_conf_la_OBJECTS = resolv_conf_plugin.lo \
+ resolv_conf_handler.lo
+libstrongswan_resolv_conf_la_OBJECTS = \
+ $(am_libstrongswan_resolv_conf_la_OBJECTS)
+libstrongswan_resolv_conf_la_LINK = $(LIBTOOL) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_resolv_conf_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = $(libstrongswan_resolv_conf_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_resolv_conf_la_SOURCES)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPSEC_ROUTING_TABLE = @IPSEC_ROUTING_TABLE@
+IPSEC_ROUTING_TABLE_PRIO = @IPSEC_ROUTING_TABLE_PRIO@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LINUX_HEADERS = @LINUX_HEADERS@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+confdir = @confdir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libstrongswan_plugins = @libstrongswan_plugins@
+linuxdir = @linuxdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+piddir = @piddir@
+plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+resolv_conf = @resolv_conf@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+simreader = @simreader@
+srcdir = @srcdir@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
+AM_CFLAGS = -rdynamic \
+ -DRESOLV_CONF=\"${resolv_conf}\"
+
+plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
+libstrongswan_resolv_conf_la_SOURCES = \
+ resolv_conf_plugin.h resolv_conf_plugin.c \
+ resolv_conf_handler.h resolv_conf_handler.c
+
+libstrongswan_resolv_conf_la_LDFLAGS = -module
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/charon/plugins/resolv_conf/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu src/charon/plugins/resolv_conf/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)"
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(plugindir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(pluginLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(plugindir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-pluginLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$p"; \
+ done
+
+clean-pluginLTLIBRARIES:
+ -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+ @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libstrongswan-resolv-conf.la: $(libstrongswan_resolv_conf_la_OBJECTS) $(libstrongswan_resolv_conf_la_DEPENDENCIES)
+ $(libstrongswan_resolv_conf_la_LINK) -rpath $(plugindir) $(libstrongswan_resolv_conf_la_OBJECTS) $(libstrongswan_resolv_conf_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolv_conf_handler.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolv_conf_plugin.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+ for dir in "$(DESTDIR)$(plugindir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool clean-pluginLTLIBRARIES ctags distclean \
+ distclean-compile distclean-generic distclean-libtool \
+ distclean-tags distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-pdf install-pdf-am install-pluginLTLIBRARIES \
+ install-ps install-ps-am install-strip installcheck \
+ installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+ tags uninstall uninstall-am uninstall-pluginLTLIBRARIES
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
new file mode 100644
index 000000000..19e3b3275
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolv_conf_handler.h"
+
+#include <unistd.h>
+
+#include <daemon.h>
+#include <utils/mutex.h>
+
+typedef struct private_resolv_conf_handler_t private_resolv_conf_handler_t;
+
+/**
+ * Private data of an resolv_conf_handler_t object.
+ */
+struct private_resolv_conf_handler_t {
+
+ /**
+ * Public resolv_conf_handler_t interface.
+ */
+ resolv_conf_handler_t public;
+
+ /**
+ * resolv.conf file to use
+ */
+ char *file;
+
+ /**
+ * Mutex to access file exclusively
+ */
+ mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ FILE *in, *out;
+ char buf[1024];
+ host_t *addr;
+ int family;
+ size_t len;
+ bool handled = FALSE;
+
+ switch (type)
+ {
+ case INTERNAL_IP4_DNS:
+ family = AF_INET;
+ break;
+ case INTERNAL_IP6_DNS:
+ family = AF_INET6;
+ break;
+ default:
+ return FALSE;
+ }
+
+ this->mutex->lock(this->mutex);
+
+ in = fopen(this->file, "r");
+ /* allows us to stream from in to out */
+ unlink(this->file);
+ out = fopen(this->file, "w");
+ if (out)
+ {
+ addr = host_create_from_chunk(family, data, 0);
+ fprintf(out, "nameserver %H # by strongSwan, from %Y\n",
+ addr, ike_sa->get_other_id(ike_sa));
+ DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
+ addr->destroy(addr);
+ handled = TRUE;
+
+ /* copy rest of the file */
+ if (in)
+ {
+ while ((len = fread(buf, 1, sizeof(buf), in)))
+ {
+ ignore_result(fwrite(buf, 1, len, out));
+ }
+ fclose(in);
+ }
+ fclose(out);
+ }
+
+ if (!handled)
+ {
+ DBG1(DBG_IKE, "adding DNS server failed", this->file);
+ }
+ this->mutex->unlock(this->mutex);
+ return handled;
+}
+
+/**
+ * Implementation of attribute_handler_t.release
+ */
+static void release(private_resolv_conf_handler_t *this, ike_sa_t *ike_sa,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ FILE *in, *out;
+ char line[1024], matcher[512], *pos;
+ host_t *addr;
+ int family;
+
+ switch (type)
+ {
+ case INTERNAL_IP4_DNS:
+ family = AF_INET;
+ break;
+ case INTERNAL_IP6_DNS:
+ family = AF_INET6;
+ break;
+ default:
+ return;
+ }
+
+ this->mutex->lock(this->mutex);
+
+ in = fopen(this->file, "r");
+ if (in)
+ {
+ /* allows us to stream from in to out */
+ unlink(this->file);
+ out = fopen(this->file, "w");
+ if (out)
+ {
+ addr = host_create_from_chunk(family, data, 0);
+ snprintf(matcher, sizeof(matcher),
+ "nameserver %H # by strongSwan, from %Y\n",
+ addr, ike_sa->get_other_id(ike_sa));
+
+ /* copy all, but matching line */
+ while ((pos = fgets(line, sizeof(line), in)))
+ {
+ if (strneq(line, matcher, strlen(matcher)))
+ {
+ DBG1(DBG_IKE, "removing DNS server %H from %s",
+ addr, this->file);
+ }
+ else
+ {
+ fputs(line, out);
+ }
+ }
+ addr->destroy(addr);
+ fclose(out);
+ }
+ fclose(in);
+ }
+
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of resolv_conf_handler_t.destroy.
+ */
+static void destroy(private_resolv_conf_handler_t *this)
+{
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/**
+ * See header
+ */
+resolv_conf_handler_t *resolv_conf_handler_create()
+{
+ private_resolv_conf_handler_t *this = malloc_thing(private_resolv_conf_handler_t);
+
+ this->public.handler.handle = (bool(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))handle;
+ this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release;
+ this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy;
+
+ this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->file = lib->settings->get_str(lib->settings,
+ "charon.plugins.resolv-conf.file", RESOLV_CONF);
+
+ return &this->public;
+}
+
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.h b/src/charon/plugins/resolv_conf/resolv_conf_handler.h
new file mode 100644
index 000000000..2635bb802
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolv_conf_handler resolv_conf_handler
+ * @{ @ingroup resolv_conf
+ */
+
+#ifndef RESOLV_CONF_HANDLER_H_
+#define RESOLV_CONF_HANDLER_H_
+
+#include <config/attributes/attribute_handler.h>
+
+typedef struct resolv_conf_handler_t resolv_conf_handler_t;
+
+/**
+ * Handle DNS configuration attributes by mangling a resolv.conf file.
+ */
+struct resolv_conf_handler_t {
+
+ /**
+ * Implements the attribute_handler_t interface
+ */
+ attribute_handler_t handler;
+
+ /**
+ * Destroy a resolv_conf_handler_t.
+ */
+ void (*destroy)(resolv_conf_handler_t *this);
+};
+
+/**
+ * Create a resolv_conf_handler instance.
+ */
+resolv_conf_handler_t *resolv_conf_handler_create();
+
+#endif /* RESOLV_CONF_HANDLER_ @}*/
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_plugin.c b/src/charon/plugins/resolv_conf/resolv_conf_plugin.c
new file mode 100644
index 000000000..ff9d96eb3
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_plugin.c
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolv_conf_plugin.h"
+#include "resolv_conf_handler.h"
+
+#include <daemon.h>
+
+typedef struct private_resolv_conf_plugin_t private_resolv_conf_plugin_t;
+
+/**
+ * private data of resolv_conf plugin
+ */
+struct private_resolv_conf_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ resolv_conf_plugin_t public;
+
+ /**
+ * The registerd DNS attribute handler
+ */
+ resolv_conf_handler_t *handler;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_resolv_conf_plugin_t *this)
+{
+ charon->attributes->remove_handler(charon->attributes,
+ &this->handler->handler);
+ this->handler->destroy(this->handler);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *plugin_create()
+{
+ private_resolv_conf_plugin_t *this = malloc_thing(private_resolv_conf_plugin_t);
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ this->handler = resolv_conf_handler_create();
+ charon->attributes->add_handler(charon->attributes, &this->handler->handler);
+
+ return &this->public.plugin;
+}
+
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_plugin.h b/src/charon/plugins/resolv_conf/resolv_conf_plugin.h
new file mode 100644
index 000000000..f5943d9a3
--- /dev/null
+++ b/src/charon/plugins/resolv_conf/resolv_conf_plugin.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolv_conf resolv_conf
+ * @ingroup cplugins
+ *
+ * @defgroup resolv_conf_plugin resolv_conf_plugin
+ * @{ @ingroup resolv_conf
+ */
+
+#ifndef RESOLV_CONF_PLUGIN_H_
+#define RESOLV_CONF_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct resolv_conf_plugin_t resolv_conf_plugin_t;
+
+/**
+ * Plugin that writes received DNS servers in a resolv.conf file.
+ */
+struct resolv_conf_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+/**
+ * Create a resolv_conf_plugin instance.
+ */
+plugin_t *plugin_create();
+
+#endif /** RESOLV_CONF_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
index 428da0ec9..f06321ba7 100644
--- a/src/charon/plugins/smp/Makefile.in
+++ b/src/charon/plugins/smp/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -223,8 +232,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -318,7 +327,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/smp/smp.c b/src/charon/plugins/smp/smp.c
index 237e9d86a..562add06d 100644
--- a/src/charon/plugins/smp/smp.c
+++ b/src/charon/plugins/smp/smp.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: smp.c 4446 2008-10-15 12:24:44Z martin $
*/
#include <stdlib.h>
@@ -109,7 +107,7 @@ static void write_id(xmlTextWriterPtr writer, char *element, identification_t *i
break;
}
xmlTextWriterWriteAttribute(writer, "type", type);
- xmlTextWriterWriteFormatString(writer, "%D", id);
+ xmlTextWriterWriteFormatString(writer, "%Y", id);
break;
}
default:
@@ -294,8 +292,9 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
/* <configlist> */
xmlTextWriterStartElement(writer, "configlist");
- enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends);
- while (enumerator->enumerate(enumerator, (void**)&peer_cfg))
+ enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+ NULL, NULL, NULL, NULL);
+ while (enumerator->enumerate(enumerator, &peer_cfg))
{
enumerator_t *children;
child_cfg_t *child_cfg;
@@ -310,8 +309,8 @@ static void request_query_config(xmlTextReaderPtr reader, xmlTextWriterPtr write
/* <peerconfig> */
xmlTextWriterStartElement(writer, "peerconfig");
xmlTextWriterWriteElement(writer, "name", peer_cfg->get_name(peer_cfg));
- write_id(writer, "local", peer_cfg->get_my_id(peer_cfg));
- write_id(writer, "remote", peer_cfg->get_other_id(peer_cfg));
+
+ /* TODO: write auth_cfgs */
/* <ikeconfig> */
ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
diff --git a/src/charon/plugins/smp/smp.h b/src/charon/plugins/smp/smp.h
index 1f45befa6..5ec9f3bf8 100644
--- a/src/charon/plugins/smp/smp.h
+++ b/src/charon/plugins/smp/smp.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: smp.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index 3673af659..0848ea0dd 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -96,6 +96,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -118,6 +119,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -129,6 +133,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -142,6 +147,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -202,6 +209,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -213,6 +221,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -239,8 +248,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -370,7 +379,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 9761e88e9..7d393b6f7 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#define _GNU_SOURCE
@@ -24,6 +22,7 @@
#include <debug.h>
#include <library.h>
#include <utils/host.h>
+#include <utils/identification.h>
/**
* global database handle
@@ -401,11 +400,6 @@ static enumerator_t *create_lease_query(char *filter)
{
id = identification_create_from_string(value);
}
- if (!id)
- {
- fprintf(stderr, "invalid 'id' in filter string.\n");
- exit(-1);
- }
break;
case FIL_ADDR:
if (value)
@@ -567,7 +561,7 @@ static void leases(char *filter, bool utc)
printf(" ");
}
}
- printf("%D\n", identity);
+ printf("%Y\n", identity);
DESTROY_IF(address);
identity->destroy(identity);
}
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 826aa8318..95d0d30d4 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "sql_attribute.h"
@@ -179,7 +177,7 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
*/
static host_t* acquire_address(private_sql_attribute_t *this,
char *name, identification_t *id,
- auth_info_t *auth, host_t *requested)
+ host_t *requested)
{
enumerator_t *enumerator;
u_int pool, timeout, identity;
@@ -263,8 +261,9 @@ sql_attribute_t *sql_attribute_create(database_t *db)
private_sql_attribute_t *this = malloc_thing(private_sql_attribute_t);
time_t now = time(NULL);
- this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,auth_info_t *, host_t *))acquire_address;
+ this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address;
this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
+ this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
this->public.destroy = (void(*)(sql_attribute_t*))destroy;
this->db = db;
diff --git a/src/charon/plugins/sql/sql_attribute.h b/src/charon/plugins/sql/sql_attribute.h
index 57db4617e..23700dea9 100644
--- a/src/charon/plugins/sql/sql_attribute.h
+++ b/src/charon/plugins/sql/sql_attribute.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index d530f9fde..3e5efce34 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_config.c 4860 2009-02-11 13:09:52Z martin $
*/
#include <string.h>
@@ -267,7 +265,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
peer_cfg_t *peer_cfg, *mediated_cfg;
ike_cfg_t *ike;
host_t *vip = NULL;
- auth_info_t *auth;
+ auth_cfg_t *auth;
local_id = identification_create_from_encoding(l_type, l_data);
remote_id = identification_create_from_encoding(r_type, r_data);
@@ -291,20 +289,26 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
if (ike)
{
peer_cfg = peer_cfg_create(
- name, 2, ike, local_id, remote_id, cert_policy, uniqueid,
+ name, 2, ike, cert_policy, uniqueid,
keyingtries, rekeytime, reauthtime, jitter, overtime,
mobike, dpd_delay, vip, pool,
mediation, mediated_cfg, peer_id);
- auth = peer_cfg->get_auth(peer_cfg);
- auth->add_item(auth, AUTHN_AUTH_CLASS, &auth_method);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
+ auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id));
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id));
if (eap_type)
{
- auth->add_item(auth, AUTHN_EAP_TYPE, &eap_type);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+ auth->add(auth, AUTH_RULE_EAP_TYPE, eap_type);
if (eap_vendor)
{
- auth->add_item(auth, AUTHN_EAP_VENDOR, &eap_vendor);
+ auth->add(auth, AUTH_RULE_EAP_VENDOR, eap_vendor);
}
}
+ peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
add_child_cfgs(this, peer_cfg, id);
return peer_cfg;
}
diff --git a/src/charon/plugins/sql/sql_config.h b/src/charon/plugins/sql/sql_config.h
index bfcd7a7c1..abc6ef382 100644
--- a/src/charon/plugins/sql/sql_config.h
+++ b/src/charon/plugins/sql/sql_config.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_config.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/sql/sql_cred.c b/src/charon/plugins/sql/sql_cred.c
index 7313b7eb8..f8b7a35c1 100644
--- a/src/charon/plugins/sql/sql_cred.c
+++ b/src/charon/plugins/sql/sql_cred.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_cred.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <string.h>
diff --git a/src/charon/plugins/sql/sql_cred.h b/src/charon/plugins/sql/sql_cred.h
index a614f0cba..2a9a96df1 100644
--- a/src/charon/plugins/sql/sql_cred.h
+++ b/src/charon/plugins/sql/sql_cred.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_cred.h 3594 2008-03-13 14:53:57Z martin $
*/
/**
diff --git a/src/charon/plugins/sql/sql_logger.c b/src/charon/plugins/sql/sql_logger.c
index 4cbaaa3e6..20d42662b 100644
--- a/src/charon/plugins/sql/sql_logger.c
+++ b/src/charon/plugins/sql/sql_logger.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_logger.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <string.h>
diff --git a/src/charon/plugins/sql/sql_logger.h b/src/charon/plugins/sql/sql_logger.h
index 3346430a1..3636c2293 100644
--- a/src/charon/plugins/sql/sql_logger.h
+++ b/src/charon/plugins/sql/sql_logger.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_logger.h 3594 2008-03-13 14:53:57Z martin $
*/
/**
diff --git a/src/charon/plugins/sql/sql_plugin.c b/src/charon/plugins/sql/sql_plugin.c
index 24680ba5e..e5a4afd1d 100644
--- a/src/charon/plugins/sql/sql_plugin.c
+++ b/src/charon/plugins/sql/sql_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_plugin.c 4711 2008-11-27 14:33:41Z martin $
*/
#include "sql_plugin.h"
diff --git a/src/charon/plugins/sql/sql_plugin.h b/src/charon/plugins/sql/sql_plugin.h
index d4f2d29f2..8de04a891 100644
--- a/src/charon/plugins/sql/sql_plugin.h
+++ b/src/charon/plugins/sql/sql_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: sql_plugin.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
index 7a341102b..fb58ba62b 100644
--- a/src/charon/plugins/stroke/Makefile.am
+++ b/src/charon/plugins/stroke/Makefile.am
@@ -1,7 +1,10 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+-rdynamic \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\"
plugin_LTLIBRARIES = libstrongswan-stroke.la
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index 645ae2a48..f246286a0 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -90,6 +90,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -112,6 +113,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -123,6 +127,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -136,6 +141,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -196,6 +203,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -207,12 +215,17 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon -I$(top_srcdir)/src/stroke
-AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\"
+AM_CFLAGS = \
+-rdynamic \
+-DIPSEC_CONFDIR=\"${confdir}\" \
+-DIPSEC_PIDDIR=\"${piddir}\"
+
plugin_LTLIBRARIES = libstrongswan-stroke.la
libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
stroke_socket.h stroke_socket.c \
@@ -233,8 +246,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -336,7 +349,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index f850b5320..a7925ce3e 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_attribute.h"
@@ -191,7 +189,7 @@ int host2offset(pool_t *pool, host_t *addr)
*/
static host_t* acquire_address(private_stroke_attribute_t *this,
char *name, identification_t *id,
- auth_info_t *auth, host_t *requested)
+ host_t *requested)
{
pool_t *pool;
uintptr_t offset = 0;
@@ -208,8 +206,9 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
this->mutex->unlock(this->mutex);
return requested->clone(requested);
}
-
- if (requested->get_family(requested) !=
+
+ if (!requested->is_anyaddr(requested) &&
+ requested->get_family(requested) !=
pool->base->get_family(pool->base))
{
DBG1(DBG_CFG, "IP pool address family mismatch");
@@ -223,7 +222,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
id = pool->ids->get(pool->ids, id);
if (id)
{
- DBG1(DBG_CFG, "reassigning offline lease to %D", id);
+ DBG1(DBG_CFG, "reassigning offline lease to '%Y'", id);
pool->online->put(pool->online, id, (void*)offset);
break;
}
@@ -233,7 +232,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
offset = (uintptr_t)pool->online->get(pool->online, id);
if (offset && offset == host2offset(pool, requested))
{
- DBG1(DBG_CFG, "reassigning online lease to %D", id);
+ DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
break;
}
@@ -245,7 +244,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
id = id->clone(id);
pool->ids->put(pool->ids, id, id);
pool->online->put(pool->online, id, (void*)offset);
- DBG1(DBG_CFG, "assigning new lease to %D", id);
+ DBG1(DBG_CFG, "assigning new lease to '%Y'", id);
break;
}
/* no more addresses, replace the first found offline lease */
@@ -257,7 +256,7 @@ static host_t* acquire_address(private_stroke_attribute_t *this,
{
/* destroy reference to old ID */
old_id = pool->ids->remove(pool->ids, old_id);
- DBG1(DBG_CFG, "reassigning existing offline lease of %D to %D",
+ DBG1(DBG_CFG, "reassigning existing offline lease by '%Y' to '%Y'",
old_id, id);
if (old_id)
{
@@ -305,7 +304,7 @@ static bool release_address(private_stroke_attribute_t *this,
id = pool->ids->get(pool->ids, id);
if (id)
{
- DBG1(DBG_CFG, "lease %H of %D went offline", address, id);
+ DBG1(DBG_CFG, "lease %H by '%Y' went offline", address, id);
pool->offline->put(pool->offline, id, (void*)offset);
found = TRUE;
}
@@ -530,8 +529,9 @@ stroke_attribute_t *stroke_attribute_create()
{
private_stroke_attribute_t *this = malloc_thing(private_stroke_attribute_t);
- this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,auth_info_t *, host_t *))acquire_address;
+ this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *,host_t *))acquire_address;
this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address;
+ this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id))enumerator_create_empty;
this->public.add_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))add_pool;
this->public.del_pool = (void(*)(stroke_attribute_t*, stroke_msg_t *msg))del_pool;
this->public.create_pool_enumerator = (enumerator_t*(*)(stroke_attribute_t*))create_pool_enumerator;
diff --git a/src/charon/plugins/stroke/stroke_attribute.h b/src/charon/plugins/stroke/stroke_attribute.h
index 41ab6299b..fc273d1cb 100644
--- a/src/charon/plugins/stroke/stroke_attribute.h
+++ b/src/charon/plugins/stroke/stroke_attribute.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index 54356436f..fab06e6c5 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_ca.h"
@@ -398,14 +396,14 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
first = FALSE;
}
fprintf(out, "\n");
- fprintf(out, " authname: \"%D\"\n", cert->get_subject(cert));
+ fprintf(out, " authname: \"%Y\"\n", cert->get_subject(cert));
/* list authkey and keyid */
if (public)
{
- fprintf(out, " authkey: %D\n",
+ fprintf(out, " authkey: %Y\n",
public->get_id(public, ID_PUBKEY_SHA1));
- fprintf(out, " keyid: %D\n",
+ fprintf(out, " keyid: %Y\n",
public->get_id(public, ID_PUBKEY_INFO_SHA1));
public->destroy(public);
}
diff --git a/src/charon/plugins/stroke/stroke_ca.h b/src/charon/plugins/stroke/stroke_ca.h
index ee759ff4e..c882d7b4e 100644
--- a/src/charon/plugins/stroke/stroke_ca.h
+++ b/src/charon/plugins/stroke/stroke_ca.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 59c58ca0d..028e71e71 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_config.h"
@@ -55,90 +53,21 @@ struct private_stroke_config_t {
};
/**
- * data to pass peer_filter
- */
-typedef struct {
- private_stroke_config_t *this;
- identification_t *me;
- identification_t *other;
-} peer_data_t;
-
-/**
- * destroy id enumerator data and unlock list
- */
-static void peer_data_destroy(peer_data_t *data)
-{
- data->this->mutex->unlock(data->this->mutex);
- free(data);
-}
-
-/**
- * filter function for peer configs
- */
-static bool peer_filter(peer_data_t *data, peer_cfg_t **in, peer_cfg_t **out)
-{
- bool match_me = FALSE, match_other = FALSE;
- identification_t *me, *other;
-
- me = (*in)->get_my_id(*in);
- other = (*in)->get_other_id(*in);
-
- /* own ID may have wildcards in data (no IDr payload) or in config */
- match_me = (!data->me || data->me->matches(data->me, me) ||
- me->matches(me, data->me));
- /* others ID has wildcards in config only */
- match_other = (!data->other || data->other->matches(data->other, other));
-
- if (match_me && match_other)
- {
- *out = *in;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
* Implementation of backend_t.create_peer_cfg_enumerator.
*/
static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this,
identification_t *me,
identification_t *other)
{
- peer_data_t *data;
-
- data = malloc_thing(peer_data_t);
- data->this = this;
- data->me = me;
- data->other = other;
-
this->mutex->lock(this->mutex);
- return enumerator_create_filter(this->list->create_enumerator(this->list),
- (void*)peer_filter, data,
- (void*)peer_data_destroy);
-}
-
-/**
- * data to pass ike_filter
- */
-typedef struct {
- private_stroke_config_t *this;
- host_t *me;
- host_t *other;
-} ike_data_t;
-
-/**
- * destroy id enumerator data and unlock list
- */
-static void ike_data_destroy(ike_data_t *data)
-{
- data->this->mutex->unlock(data->this->mutex);
- free(data);
+ return enumerator_create_cleaner(this->list->create_enumerator(this->list),
+ (void*)this->mutex->unlock, this->mutex);
}
/**
* filter function for ike configs
*/
-static bool ike_filter(ike_data_t *data, peer_cfg_t **in, ike_cfg_t **out)
+static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out)
{
*out = (*in)->get_ike_cfg(*in);
return TRUE;
@@ -150,17 +79,10 @@ static bool ike_filter(ike_data_t *data, peer_cfg_t **in, ike_cfg_t **out)
static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this,
host_t *me, host_t *other)
{
- ike_data_t *data;
-
- data = malloc_thing(ike_data_t);
- data->this = this;
- data->me = me;
- data->other = other;
-
this->mutex->lock(this->mutex);
return enumerator_create_filter(this->list->create_enumerator(this->list),
- (void*)ike_filter, data,
- (void*)ike_data_destroy);
+ (void*)ike_filter, this->mutex,
+ (void*)this->mutex->unlock);
}
/**
@@ -171,34 +93,34 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam
enumerator_t *e1, *e2;
peer_cfg_t *current, *found = NULL;
child_cfg_t *child;
-
+
this->mutex->lock(this->mutex);
e1 = this->list->create_enumerator(this->list);
while (e1->enumerate(e1, &current))
{
- /* compare peer_cfgs name first */
- if (streq(current->get_name(current), name))
- {
- found = current;
- found->get_ref(found);
- break;
- }
- /* compare all child_cfg names otherwise */
- e2 = current->create_child_cfg_enumerator(current);
- while (e2->enumerate(e2, &child))
- {
- if (streq(child->get_name(child), name))
- {
- found = current;
- found->get_ref(found);
- break;
- }
- }
- e2->destroy(e2);
- if (found)
- {
- break;
- }
+ /* compare peer_cfgs name first */
+ if (streq(current->get_name(current), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ /* compare all child_cfg names otherwise */
+ e2 = current->create_child_cfg_enumerator(current);
+ while (e2->enumerate(e2, &child))
+ {
+ if (streq(child->get_name(child), name))
+ {
+ found = current;
+ found->get_ref(found);
+ break;
+ }
+ }
+ e2->destroy(e2);
+ if (found)
+ {
+ break;
+ }
}
e1->destroy(e1);
this->mutex->unlock(this->mutex);
@@ -206,22 +128,6 @@ static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *nam
}
/**
- * check if a certificate has an ID
- */
-static identification_t *update_peerid(certificate_t *cert, identification_t *id)
-{
- if (id->get_type(id) == ID_ANY || !cert->has_subject(cert, id))
- {
- DBG1(DBG_CFG, " peerid %D not confirmed by certificate, "
- "defaulting to subject DN", id);
- id->destroy(id);
- id = cert->get_subject(cert);
- return id->clone(id);
- }
- return id;
-}
-
-/**
* parse a proposal string, either into ike_cfg or child_cfg
*/
static void add_proposals(private_stroke_config_t *this, char *string,
@@ -332,45 +238,303 @@ static ike_cfg_t *build_ike_cfg(private_stroke_config_t *this, stroke_msg_t *msg
add_proposals(this, msg->add_conn.algorithms.ike, ike_cfg, NULL);
return ike_cfg;
}
+
/**
- * build a peer_cfg from a stroke msg
+ * Add CRL constraint to config
*/
-static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
- stroke_msg_t *msg, ike_cfg_t *ike_cfg,
- identification_t **my_issuer,
- identification_t **other_issuer)
+static void build_crl_policy(auth_cfg_t *cfg, bool local, int policy)
{
- identification_t *me, *other, *peer_id = NULL;
- peer_cfg_t *mediated_by = NULL;
- host_t *vip = NULL;
- certificate_t *cert;
- unique_policy_t unique;
- u_int32_t rekey = 0, reauth = 0, over, jitter;
+ /* CRL/OCSP policy, for remote config only */
+ if (!local)
+ {
+ switch (policy)
+ {
+ case CRL_STRICT_YES:
+ /* if yes, we require a GOOD validation */
+ cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+ break;
+ case CRL_STRICT_IFURI:
+ /* for ifuri, a SKIPPED validation is sufficient */
+ cfg->add(cfg, AUTH_RULE_CRL_VALIDATION, VALIDATION_SKIPPED);
+ break;
+ default:
+ break;
+ }
+ }
+}
+
+/**
+ * build authentication config
+ */
+static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
+ stroke_msg_t *msg, bool local, bool primary)
+{
+ identification_t *identity;
+ certificate_t *certificate;
+ char *auth, *id, *cert, *ca;
+ stroke_end_t *end, *other_end;
+ auth_cfg_t *cfg;
+ char eap_buf[32];
- me = identification_create_from_string(msg->add_conn.me.id ?
- msg->add_conn.me.id : msg->add_conn.me.address);
- if (!me)
+ /* select strings */
+ if (local)
{
- DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id);
- return NULL;
+ end = &msg->add_conn.me;
+ other_end = &msg->add_conn.other;
}
- other = identification_create_from_string(msg->add_conn.other.id ?
- msg->add_conn.other.id : msg->add_conn.other.address);
- if (!other)
+ else
{
- DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id);
- me->destroy(me);
- return NULL;
+ end = &msg->add_conn.other;
+ other_end = &msg->add_conn.me;
+ }
+ if (primary)
+ {
+ auth = end->auth;
+ id = end->id;
+ if (!id)
+ { /* leftid/rightid fallback to address */
+ id = end->address;
+ }
+ cert = end->cert;
+ ca = end->ca;
+ if (ca && streq(ca, "%same"))
+ {
+ ca = other_end->ca;
+ }
+ }
+ else
+ {
+ auth = end->auth2;
+ id = end->id2;
+ if (local && !id)
+ { /* leftid2 falls back to leftid */
+ id = end->id;
+ }
+ cert = end->cert2;
+ ca = end->ca2;
+ if (ca && streq(ca, "%same"))
+ {
+ ca = other_end->ca2;
+ }
+ }
+
+ if (!auth)
+ {
+ if (primary)
+ {
+ if (local)
+ { /* "leftauth" not defined, fall back to deprecated "authby" */
+ switch (msg->add_conn.auth_method)
+ {
+ default:
+ case AUTH_CLASS_PUBKEY:
+ auth = "pubkey";
+ break;
+ case AUTH_CLASS_PSK:
+ auth = "psk";
+ break;
+ case AUTH_CLASS_EAP:
+ auth = "eap";
+ break;
+ }
+ }
+ else
+ { /* "rightauth" not defined, fall back to deprecated "eap" */
+ if (msg->add_conn.eap_type)
+ {
+ if (msg->add_conn.eap_vendor)
+ {
+ snprintf(eap_buf, sizeof(eap_buf), "eap-%d-%d",
+ msg->add_conn.eap_type,
+ msg->add_conn.eap_vendor);
+ }
+ else
+ {
+ snprintf(eap_buf, sizeof(eap_buf), "eap-%d",
+ msg->add_conn.eap_type);
+ }
+ auth = eap_buf;
+ }
+ else
+ { /* not EAP => no constraints for this peer */
+ auth = "any";
+ }
+ }
+ }
+ else
+ { /* no second authentication round, fine */
+ return NULL;
+ }
}
+ cfg = auth_cfg_create();
+
+ /* add identity and peer certifcate */
+ identity = identification_create_from_string(id);
+ if (cert)
+ {
+ certificate = this->cred->load_peer(this->cred, cert);
+ if (certificate)
+ {
+ if (local)
+ {
+ this->ca->check_for_hash_and_url(this->ca, certificate);
+ }
+ cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+ if (identity->get_type(identity) == ID_ANY ||
+ !certificate->has_subject(certificate, identity))
+ {
+ DBG1(DBG_CFG, " peerid %Y not confirmed by certificate, "
+ "defaulting to subject DN: %Y", identity,
+ certificate->get_subject(certificate));
+ identity->destroy(identity);
+ identity = certificate->get_subject(certificate);
+ identity = identity->clone(identity);
+ }
+ }
+ }
+ cfg->add(cfg, AUTH_RULE_IDENTITY, identity);
+
+ /* CA constraint */
+ if (ca)
+ {
+ identity = identification_create_from_string(ca);
+ certificate = charon->credentials->get_cert(charon->credentials,
+ CERT_X509, KEY_ANY, identity, TRUE);
+ identity->destroy(identity);
+ if (certificate)
+ {
+ cfg->add(cfg, AUTH_RULE_CA_CERT, certificate);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "CA certificate %s not found, discarding CA "
+ "constraint", ca);
+ }
+ }
+
+ /* AC groups */
+ if (end->groups)
+ {
+ enumerator_t *enumerator;
+ char *group;
+
+ enumerator = enumerator_create_token(end->groups, ",", " ");
+ while (enumerator->enumerate(enumerator, &group))
+ {
+ identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
+ chunk_create(group, strlen(group)));
+ cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ /* authentication metod (class, actually) */
+ if (streq(auth, "pubkey") ||
+ streq(auth, "rsasig") || streq(auth, "rsa") ||
+ streq(auth, "ecdsasig") || streq(auth, "ecdsa"))
+ {
+ cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+ }
+ else if (streq(auth, "psk") || streq(auth, "secret"))
+ {
+ cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+ }
+ else if (strneq(auth, "eap", 3))
+ {
+ enumerator_t *enumerator;
+ char *str;
+ int i = 0, type = 0, vendor;
+
+ cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+
+ /* parse EAP string, format: eap[-type[-vendor]] */
+ enumerator = enumerator_create_token(auth, "-", " ");
+ while (enumerator->enumerate(enumerator, &str))
+ {
+ switch (i)
+ {
+ case 1:
+ type = eap_type_from_string(str);
+ if (!type)
+ {
+ type = atoi(str);
+ if (!type)
+ {
+ DBG1(DBG_CFG, "unknown EAP method: %s", str);
+ break;
+ }
+ }
+ cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+ break;
+ case 2:
+ if (type)
+ {
+ vendor = atoi(str);
+ if (vendor)
+ {
+ cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "unknown EAP vendor: %s", str);
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ i++;
+ }
+ enumerator->destroy(enumerator);
+
+ if (msg->add_conn.eap_identity)
+ {
+ if (streq(msg->add_conn.eap_identity, "%identity"))
+ {
+ identity = identification_create_from_encoding(ID_ANY,
+ chunk_empty);
+ }
+ else
+ {
+ identity = identification_create_from_string(
+ msg->add_conn.eap_identity);
+ }
+ cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, identity);
+ }
+ }
+ else
+ {
+ if (!streq(auth, "any"))
+ {
+ DBG1(DBG_CFG, "authentication method %s unknown, fallback to any",
+ auth);
+ }
+ build_crl_policy(cfg, local, msg->add_conn.crl_policy);
+ }
+ return cfg;
+}
+
+/**
+ * build a peer_cfg from a stroke msg
+ */
+static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
+ stroke_msg_t *msg, ike_cfg_t *ike_cfg)
+{
+ identification_t *peer_id = NULL;
+ peer_cfg_t *mediated_by = NULL;
+ host_t *vip = NULL;
+ unique_policy_t unique;
+ u_int32_t rekey = 0, reauth = 0, over, jitter;
+ peer_cfg_t *peer_cfg;
+ auth_cfg_t *auth_cfg;
#ifdef ME
if (msg->add_conn.ikeme.mediation && msg->add_conn.ikeme.mediated_by)
{
DBG1(DBG_CFG, "a mediation connection cannot be a"
" mediated connection at the same time, aborting");
- me->destroy(me);
- other->destroy(other);
return NULL;
}
@@ -388,8 +552,6 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
{
DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
msg->add_conn.ikeme.mediated_by);
- me->destroy(me);
- other->destroy(other);
return NULL;
}
@@ -399,56 +561,19 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
"no mediation connection, aborting",
msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
mediated_by->destroy(mediated_by);
- me->destroy(me);
- other->destroy(other);
return NULL;
}
- }
-
- if (msg->add_conn.ikeme.peerid)
- {
- peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
- if (!peer_id)
- {
- DBG1(DBG_CFG, "invalid peer ID: %s\n", msg->add_conn.ikeme.peerid);
- mediated_by->destroy(mediated_by);
- me->destroy(me);
- other->destroy(other);
- return NULL;
- }
- }
- else
- {
- /* no peer ID supplied, assume right ID */
- peer_id = other->clone(other);
- }
-#endif /* ME */
-
- if (msg->add_conn.me.cert)
- {
- cert = this->cred->load_peer(this->cred, msg->add_conn.me.cert);
- if (cert)
+ if (msg->add_conn.ikeme.peerid)
{
- identification_t *issuer = cert->get_issuer(cert);
-
- *my_issuer = issuer->clone(issuer);
- this->ca->check_for_hash_and_url(this->ca, cert);
- me = update_peerid(cert, me);
- cert->destroy(cert);
+ peer_id = identification_create_from_string(msg->add_conn.ikeme.peerid);
}
- }
- if (msg->add_conn.other.cert)
- {
- cert = this->cred->load_peer(this->cred, msg->add_conn.other.cert);
- if (cert)
+ else if (msg->add_conn.other.id)
{
- identification_t *issuer = cert->get_issuer(cert);
-
- *other_issuer = issuer->clone(issuer);
- other = update_peerid(cert, other);
- cert->destroy(cert);
+ peer_id = identification_create_from_string(msg->add_conn.other.id);
}
}
+#endif /* ME */
+
jitter = msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100;
over = msg->add_conn.rekey.margin;
if (msg->add_conn.rekey.reauth)
@@ -512,179 +637,45 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
/* other.sourceip is managed in stroke_attributes. If it is set, we define
* the pool name as the connection name, which the attribute provider
* uses to serve pool addresses. */
- return peer_cfg_create(msg->add_conn.name,
- msg->add_conn.ikev2 ? 2 : 1, ike_cfg, me, other,
+ peer_cfg = peer_cfg_create(msg->add_conn.name,
+ msg->add_conn.ikev2 ? 2 : 1, ike_cfg,
msg->add_conn.me.sendcert, unique,
msg->add_conn.rekey.tries, rekey, reauth, jitter, over,
msg->add_conn.mobike, msg->add_conn.dpd.delay,
vip, msg->add_conn.other.sourceip_size ?
msg->add_conn.name : msg->add_conn.other.sourceip,
msg->add_conn.ikeme.mediation, mediated_by, peer_id);
-}
-
-/**
- * fill in auth_info from stroke message
- */
-static void build_auth_info(private_stroke_config_t *this,
- stroke_msg_t *msg, auth_info_t *auth,
- identification_t *my_ca,
- identification_t *other_ca)
-{
- identification_t *id;
- bool my_ca_same = FALSE;
- bool other_ca_same = FALSE;
- cert_validation_t valid;
-
- switch (msg->add_conn.crl_policy)
- {
- case CRL_STRICT_YES:
- valid = VALIDATION_GOOD;
- auth->add_item(auth, AUTHZ_CRL_VALIDATION, &valid);
- break;
- case CRL_STRICT_IFURI:
- valid = VALIDATION_SKIPPED;
- auth->add_item(auth, AUTHZ_CRL_VALIDATION, &valid);
- break;
- default:
- break;
- }
- if (msg->add_conn.me.ca)
+ /* build leftauth= */
+ auth_cfg = build_auth_cfg(this, msg, TRUE, TRUE);
+ if (auth_cfg)
{
- if (my_ca)
- {
- my_ca->destroy(my_ca);
- my_ca = NULL;
- }
- if (streq(msg->add_conn.me.ca, "%same"))
- {
- my_ca_same = TRUE;
- }
- else
- {
- my_ca = identification_create_from_string(msg->add_conn.me.ca);
- }
+ peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
}
-
- if (msg->add_conn.other.ca)
- {
- if (other_ca)
- {
- other_ca->destroy(other_ca);
- other_ca = NULL;
- }
- if (streq(msg->add_conn.other.ca, "%same"))
- {
- other_ca_same = TRUE;
- }
- else
- {
- other_ca = identification_create_from_string(msg->add_conn.other.ca);
- }
- }
-
- if (other_ca_same && my_ca)
- {
- other_ca = my_ca->clone(my_ca);
- }
- else if (my_ca_same && other_ca)
- {
- my_ca = other_ca->clone(other_ca);
- }
-
- if (other_ca)
- {
- DBG2(DBG_CFG, " other ca: %D", other_ca);
- certificate_t *cert = charon->credentials->get_cert(charon->credentials,
- CERT_X509, KEY_ANY, other_ca, TRUE);
- if (cert)
- {
- auth->add_item(auth, AUTHZ_CA_CERT, cert);
- cert->destroy(cert);
- }
- else
- {
- auth->add_item(auth, AUTHZ_CA_CERT_NAME, other_ca);
- }
- other_ca->destroy(other_ca);
+ else
+ { /* we require at least one config on our side */
+ peer_cfg->destroy(peer_cfg);
+ return NULL;
}
-
- if (my_ca)
+ /* build leftauth2= */
+ auth_cfg = build_auth_cfg(this, msg, TRUE, FALSE);
+ if (auth_cfg)
{
- DBG2(DBG_CFG, " my ca: %D", my_ca);
- certificate_t *cert = charon->credentials->get_cert(charon->credentials,
- CERT_X509, KEY_ANY, my_ca, TRUE);
- if (cert)
- {
- auth->add_item(auth, AUTHN_CA_CERT, cert);
- cert->destroy(cert);
- }
- else
- {
- auth->add_item(auth, AUTHN_CA_CERT_NAME, my_ca);
- }
- my_ca->destroy(my_ca);
+ peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
}
- auth->add_item(auth, AUTHN_AUTH_CLASS, &msg->add_conn.auth_method);
- if (msg->add_conn.eap_type)
+ /* build rightauth= */
+ auth_cfg = build_auth_cfg(this, msg, FALSE, TRUE);
+ if (auth_cfg)
{
- auth->add_item(auth, AUTHN_EAP_TYPE, &msg->add_conn.eap_type);
- if (msg->add_conn.eap_vendor)
- {
- auth->add_item(auth, AUTHN_EAP_VENDOR, &msg->add_conn.eap_vendor);
- }
+ peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
}
-
- if (msg->add_conn.eap_identity)
+ /* build rightauth2= */
+ auth_cfg = build_auth_cfg(this, msg, FALSE, FALSE);
+ if (auth_cfg)
{
- if (streq(msg->add_conn.eap_identity, "%identity"))
- {
- id = identification_create_from_encoding(ID_ANY, chunk_empty);
- }
- else
- {
- id = identification_create_from_encoding(ID_EAP, chunk_create(
- msg->add_conn.eap_identity,
- strlen(msg->add_conn.eap_identity)));
- }
- auth->add_item(auth, AUTHN_EAP_IDENTITY, id);
- id->destroy(id);
- }
-
- if (msg->add_conn.other.groups)
- {
- chunk_t line = { msg->add_conn.other.groups,
- strlen(msg->add_conn.other.groups) };
-
- while (eat_whitespace(&line))
- {
- chunk_t group;
-
- /* extract the next comma-separated group attribute */
- if (!extract_token(&group, ',', &line))
- {
- group = line;
- line.len = 0;
- }
-
- /* remove any trailing spaces */
- while (group.len > 0 && *(group.ptr + group.len - 1) == ' ')
- {
- group.len--;
- }
-
- /* add the group attribute to the list */
- if (group.len > 0)
- {
- identification_t *ac_group;
-
- ac_group = identification_create_from_encoding(
- ID_IETF_ATTR_STRING, group);
- auth->add_item(auth, AUTHZ_AC_GROUP, ac_group);
- ac_group->destroy(ac_group);
- }
- }
+ peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
}
+ return peer_cfg;
}
/**
@@ -799,7 +790,6 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
ike_cfg_t *ike_cfg, *existing_ike;
peer_cfg_t *peer_cfg, *existing;
child_cfg_t *child_cfg;
- identification_t *my_issuer = NULL, *other_issuer = NULL;
enumerator_t *enumerator;
bool use_existing = FALSE;
@@ -808,15 +798,13 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
{
return;
}
- peer_cfg = build_peer_cfg(this, msg, ike_cfg, &my_issuer, &other_issuer);
+ peer_cfg = build_peer_cfg(this, msg, ike_cfg);
if (!peer_cfg)
{
ike_cfg->destroy(ike_cfg);
return;
}
- build_auth_info(this, msg, peer_cfg->get_auth(peer_cfg),
- my_issuer, other_issuer);
enumerator = create_peer_cfg_enumerator(this, NULL, NULL);
while (enumerator->enumerate(enumerator, &existing))
{
@@ -850,9 +838,7 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg)
else
{
/* add config to backend */
- DBG1(DBG_CFG, "added configuration '%s': %s[%D]...%s[%D]", msg->add_conn.name,
- ike_cfg->get_my_addr(ike_cfg), peer_cfg->get_my_id(peer_cfg),
- ike_cfg->get_other_addr(ike_cfg), peer_cfg->get_other_id(peer_cfg));
+ DBG1(DBG_CFG, "added configuration '%s'", msg->add_conn.name);
this->mutex->lock(this->mutex);
this->list->insert_last(this->list, peer_cfg);
this->mutex->unlock(this->mutex);
@@ -867,34 +853,50 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg)
enumerator_t *enumerator, *children;
peer_cfg_t *peer;
child_cfg_t *child;
+ bool deleted = FALSE;
this->mutex->lock(this->mutex);
enumerator = this->list->create_enumerator(this->list);
while (enumerator->enumerate(enumerator, (void**)&peer))
{
- /* remove peer config with such a name */
- if (streq(peer->get_name(peer), msg->del_conn.name))
- {
- this->list->remove_at(this->list, enumerator);
- peer->destroy(peer);
- continue;
- }
+ bool keep = FALSE;
+
/* remove any child with such a name */
children = peer->create_child_cfg_enumerator(peer);
while (children->enumerate(children, &child))
{
if (streq(child->get_name(child), msg->del_conn.name))
{
- peer->remove_child_cfg(peer, enumerator);
+ peer->remove_child_cfg(peer, children);
child->destroy(child);
+ deleted = TRUE;
+ }
+ else
+ {
+ keep = TRUE;
}
}
children->destroy(children);
+
+ /* if peer config matches, or has no children anymore, remove it */
+ if (!keep || streq(peer->get_name(peer), msg->del_conn.name))
+ {
+ this->list->remove_at(this->list, enumerator);
+ peer->destroy(peer);
+ deleted = TRUE;
+ }
}
enumerator->destroy(enumerator);
this->mutex->unlock(this->mutex);
- DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
+ if (deleted)
+ {
+ DBG1(DBG_CFG, "deleted connection '%s'", msg->del_conn.name);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "connection '%s' not found", msg->del_conn.name);
+ }
}
/**
diff --git a/src/charon/plugins/stroke/stroke_config.h b/src/charon/plugins/stroke/stroke_config.h
index 12eb11a8f..270795e4a 100644
--- a/src/charon/plugins/stroke/stroke_config.h
+++ b/src/charon/plugins/stroke/stroke_config.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/stroke/stroke_control.c b/src/charon/plugins/stroke/stroke_control.c
index 08d50519c..c572117a2 100644
--- a/src/charon/plugins/stroke/stroke_control.c
+++ b/src/charon/plugins/stroke/stroke_control.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_control.h"
@@ -145,11 +143,13 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
{
char *string, *pos = NULL, *name = NULL;
u_int32_t id = 0;
- bool child;
+ bool child, all = FALSE;
int len;
ike_sa_t *ike_sa;
enumerator_t *enumerator;
+ linked_list_t *ike_list, *child_list;
stroke_log_info_t info;
+ uintptr_t del;
string = msg->terminate.name;
@@ -185,19 +185,44 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
name = string;
}
else
- { /* is name[123] or name{23} */
- string[len-1] = '\0';
- id = atoi(pos + 1);
- if (id == 0)
- {
- DBG1(DBG_CFG, "error parsing string");
- return;
+ {
+ if (*(pos + 1) == '*')
+ { /* is name[*] */
+ all = TRUE;
+ *pos = '\0';
+ name = string;
+ }
+ else
+ { /* is name[123] or name{23} */
+ id = atoi(pos + 1);
+ if (id == 0)
+ {
+ DBG1(DBG_CFG, "error parsing string");
+ return;
+ }
}
}
info.out = out;
info.level = msg->output_verbosity;
+ if (id)
+ {
+ if (child)
+ {
+ charon->controller->terminate_child(charon->controller, id,
+ (controller_cb_t)stroke_log, &info);
+ }
+ else
+ {
+ charon->controller->terminate_ike(charon->controller, id,
+ (controller_cb_t)stroke_log, &info);
+ }
+ return;
+ }
+
+ ike_list = linked_list_create();
+ child_list = linked_list_create();
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
while (enumerator->enumerate(enumerator, &ike_sa))
{
@@ -209,35 +234,58 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o
children = ike_sa->create_child_sa_iterator(ike_sa);
while (children->iterate(children, (void**)&child_sa))
{
- if ((name && streq(name, child_sa->get_name(child_sa))) ||
- (id && id == child_sa->get_reqid(child_sa)))
+ if (streq(name, child_sa->get_name(child_sa)))
{
- id = child_sa->get_reqid(child_sa);
- children->destroy(children);
- enumerator->destroy(enumerator);
-
- charon->controller->terminate_child(charon->controller, id,
- (controller_cb_t)stroke_log, &info);
- return;
+ child_list->insert_last(child_list,
+ (void*)(uintptr_t)child_sa->get_reqid(child_sa));
+ if (!all)
+ {
+ break;
+ }
}
}
children->destroy(children);
+ if (child_list->get_count(child_list) && !all)
+ {
+ break;
+ }
}
- else if ((name && streq(name, ike_sa->get_name(ike_sa))) ||
- (id && id == ike_sa->get_unique_id(ike_sa)))
+ else if (streq(name, ike_sa->get_name(ike_sa)))
{
- id = ike_sa->get_unique_id(ike_sa);
- /* unlock manager first */
- enumerator->destroy(enumerator);
-
- charon->controller->terminate_ike(charon->controller, id,
- (controller_cb_t)stroke_log, &info);
- return;
+ ike_list->insert_last(ike_list,
+ (void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+ if (!all)
+ {
+ break;
+ }
}
-
}
enumerator->destroy(enumerator);
- DBG1(DBG_CFG, "no such SA found");
+
+ enumerator = child_list->create_enumerator(child_list);
+ while (enumerator->enumerate(enumerator, &del))
+ {
+ charon->controller->terminate_child(charon->controller, del,
+ (controller_cb_t)stroke_log, &info);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = ike_list->create_enumerator(ike_list);
+ while (enumerator->enumerate(enumerator, &del))
+ {
+ charon->controller->terminate_ike(charon->controller, del,
+ (controller_cb_t)stroke_log, &info);
+ }
+ enumerator->destroy(enumerator);
+
+ if (child_list->get_count(child_list) == 0 &&
+ ike_list->get_count(ike_list) == 0)
+ {
+ DBG1(DBG_CFG, "no %s_SA named '%s' found",
+ child ? "CHILD" : "IKE", name);
+ }
+ ike_list->destroy(ike_list);
+ child_list->destroy(child_list);
}
/**
@@ -249,7 +297,7 @@ static void terminate_srcip(private_stroke_control_t *this,
enumerator_t *enumerator;
ike_sa_t *ike_sa;
host_t *start = NULL, *end = NULL, *vip;
- chunk_t chunk_start, chunk_end, chunk_vip;
+ chunk_t chunk_start, chunk_end = chunk_empty, chunk_vip;
if (msg->terminate_srcip.start)
{
@@ -310,13 +358,52 @@ static void terminate_srcip(private_stroke_control_t *this,
}
/**
+ * Implementation of stroke_control_t.purge_ike
+ */
+static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
+{
+ enumerator_t *enumerator;
+ iterator_t *iterator;
+ ike_sa_t *ike_sa;
+ child_sa_t *child_sa;
+ linked_list_t *list;
+ uintptr_t del;
+ stroke_log_info_t info;
+
+ info.out = out;
+ info.level = msg->output_verbosity;
+
+ list = linked_list_create();
+ enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
+ while (enumerator->enumerate(enumerator, &ike_sa))
+ {
+ iterator = ike_sa->create_child_sa_iterator(ike_sa);
+ if (!iterator->iterate(iterator, (void**)&child_sa))
+ {
+ list->insert_last(list,
+ (void*)(uintptr_t)ike_sa->get_unique_id(ike_sa));
+ }
+ iterator->destroy(iterator);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &del))
+ {
+ charon->controller->terminate_ike(charon->controller, del,
+ (controller_cb_t)stroke_log, &info);
+ }
+ enumerator->destroy(enumerator);
+ list->destroy(list);
+}
+
+/**
* Implementation of stroke_control_t.route.
*/
static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
{
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
- stroke_log_info_t info;
peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
msg->route.name);
@@ -339,10 +426,14 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
return;
}
- info.out = out;
- info.level = msg->output_verbosity;
- charon->controller->route(charon->controller, peer_cfg, child_cfg,
- (controller_cb_t)stroke_log, &info);
+ if (charon->traps->install(charon->traps, peer_cfg, child_cfg))
+ {
+ fprintf(out, "configuration '%s' routed\n", msg->route.name);
+ }
+ else
+ {
+ fprintf(out, "routing configuration '%s' failed\n", msg->route.name);
+ }
peer_cfg->destroy(peer_cfg);
child_cfg->destroy(child_cfg);
}
@@ -352,41 +443,24 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
*/
static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
{
- char *name;
- ike_sa_t *ike_sa;
+ child_sa_t *child_sa;
enumerator_t *enumerator;
- stroke_log_info_t info;
+ u_int32_t id;
- name = msg->terminate.name;
-
- info.out = out;
- info.level = msg->output_verbosity;
-
- enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
- while (enumerator->enumerate(enumerator, &ike_sa))
+ enumerator = charon->traps->create_enumerator(charon->traps);
+ while (enumerator->enumerate(enumerator, NULL, &child_sa))
{
- child_sa_t *child_sa;
- iterator_t *children;
- u_int32_t id;
-
- children = ike_sa->create_child_sa_iterator(ike_sa);
- while (children->iterate(children, (void**)&child_sa))
+ if (streq(msg->unroute.name, child_sa->get_name(child_sa)))
{
- if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
- streq(name, child_sa->get_name(child_sa)))
- {
- id = child_sa->get_reqid(child_sa);
- children->destroy(children);
- enumerator->destroy(enumerator);
- charon->controller->unroute(charon->controller, id,
- (controller_cb_t)stroke_log, &info);
- return;
- }
+ id = child_sa->get_reqid(child_sa);
+ enumerator->destroy(enumerator);
+ charon->traps->uninstall(charon->traps, id);
+ fprintf(out, "configuration '%s' unrouted\n", msg->unroute.name);
+ return;
}
- children->destroy(children);
}
enumerator->destroy(enumerator);
- DBG1(DBG_CFG, "no such SA found");
+ fprintf(out, "configuration '%s' not found\n", msg->unroute.name);
}
/**
@@ -407,6 +481,7 @@ stroke_control_t *stroke_control_create()
this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate;
this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate;
this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip;
+ this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike;
this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route;
this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute;
this->public.destroy = (void(*)(stroke_control_t*))destroy;
diff --git a/src/charon/plugins/stroke/stroke_control.h b/src/charon/plugins/stroke/stroke_control.h
index 26dc99b94..5a61a90a4 100644
--- a/src/charon/plugins/stroke/stroke_control.h
+++ b/src/charon/plugins/stroke/stroke_control.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
@@ -56,6 +54,13 @@ struct stroke_control_t {
void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
/**
+ * Delete IKE_SAs without a CHILD_SA.
+ *
+ * @param msg stroke message
+ */
+ void (*purge_ike)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
+
+ /**
* Route a connection.
*
* @param msg stroke message
@@ -70,9 +75,9 @@ struct stroke_control_t {
void (*unroute)(stroke_control_t *this, stroke_msg_t *msg, FILE *out);
/**
- * Destroy a stroke_control instance.
- */
- void (*destroy)(stroke_control_t *this);
+ * Destroy a stroke_control instance.
+ */
+ void (*destroy)(stroke_control_t *this);
};
/**
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index 434aec22b..dc73299b8 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include <sys/stat.h>
@@ -382,10 +380,18 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename)
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, path,
- BUILD_X509_FLAG, X509_CA,
BUILD_END);
if (cert)
{
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ {
+ cert->destroy(cert);
+ DBG1(DBG_CFG, " ca certificate must have ca basic constraint set, "
+ "discarded");
+ return NULL;
+ }
return (certificate_t*)add_cert(this, cert);
}
return NULL;
@@ -524,11 +530,32 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
switch (type)
{
case CERT_X509:
- cert = lib->creds->create(lib->creds,
- CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, file,
- BUILD_X509_FLAG, flag,
- BUILD_END);
+ if (flag & X509_CA)
+ { /* for CA certificates, we strictly require CA
+ * basicconstraints to be set */
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file, BUILD_END);
+ if (cert)
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ {
+ DBG1(DBG_CFG, " ca certificate must have ca "
+ "basic constraint set, discarded");
+ cert->destroy(cert);
+ cert = NULL;
+ }
+ }
+ }
+ else
+ { /* for all other flags, we add them to the certificate. */
+ cert = lib->creds->create(lib->creds,
+ CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file,
+ BUILD_X509_FLAG, flag, BUILD_END);
+ }
if (cert)
{
add_cert(this, cert);
@@ -568,13 +595,13 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
{
if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
{
- /* CRLs get written to /etc/ipsec.d/crls/authkeyId.crl */
+ /* CRLs get written to /etc/ipsec.d/crls/<authkeyId>.crl */
crl_t *crl = (crl_t*)cert;
cert->get_ref(cert);
if (add_crl(this, crl))
{
- char buf[256];
+ char buf[BUF_LEN];
chunk_t chunk, hex;
identification_t *id;
@@ -585,14 +612,7 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert)
free(hex.ptr);
chunk = cert->get_encoding(cert);
- if (chunk_write(chunk, buf, 022, TRUE))
- {
- DBG1(DBG_CFG, " written crl to '%s'", buf);
- }
- else
- {
- DBG1(DBG_CFG, " writing crl to '%s' failed", buf);
- }
+ chunk_write(chunk, buf, "crl", 022, TRUE);
free(chunk.ptr);
}
}
@@ -905,26 +925,13 @@ static void load_secrets(private_stroke_cred_t *this)
continue;
}
- if (type == SHARED_EAP)
+ /* NULL terminate the ID string */
+ *(id.ptr + id.len) = '\0';
+ peer_id = identification_create_from_string(id.ptr);
+ if (peer_id->get_type(peer_id) == ID_ANY)
{
- /* we use a special EAP identity type for EAP secrets */
- peer_id = identification_create_from_encoding(ID_EAP, id);
- }
- else
- {
- /* NULL terminate the ID string */
- *(id.ptr + id.len) = '\0';
- peer_id = identification_create_from_string(id.ptr);
- if (peer_id == NULL)
- {
- DBG1(DBG_CFG, "line %d: malformed ID: %s", line_nr, id.ptr);
- goto error;
- }
- if (peer_id->get_type(peer_id) == ID_ANY)
- {
- peer_id->destroy(peer_id);
- continue;
- }
+ peer_id->destroy(peer_id);
+ continue;
}
shared_key->add_owner(shared_key, peer_id);
diff --git a/src/charon/plugins/stroke/stroke_cred.h b/src/charon/plugins/stroke/stroke_cred.h
index fc7121622..8bc042f13 100644
--- a/src/charon/plugins/stroke/stroke_cred.h
+++ b/src/charon/plugins/stroke/stroke_cred.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 94b3def3a..564a511a1 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_list.h"
@@ -55,23 +53,6 @@ struct private_stroke_list_t {
};
/**
- * get the authentication class of a config
- */
-auth_class_t get_auth_class(peer_cfg_t *config)
-{
- auth_class_t *class;
- auth_info_t *auth_info;
-
- auth_info = config->get_auth(config);
- if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
- {
- return *class;
- }
- /* fallback to pubkey authentication */
- return AUTH_CLASS_PUBKEY;
-}
-
-/**
* log an IKE_SA to out
*/
static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
@@ -91,7 +72,7 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
fprintf(out, " %V ago", &now, &established);
}
- fprintf(out, ", %H[%D]...%H[%D]\n",
+ fprintf(out, ", %H[%Y]...%H[%Y]\n",
ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa),
ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa));
@@ -110,9 +91,11 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED)
{
time_t rekey, reauth;
+ peer_cfg_t *peer_cfg;
rekey = ike_sa->get_statistic(ike_sa, STAT_REKEY);
reauth = ike_sa->get_statistic(ike_sa, STAT_REAUTH);
+ peer_cfg = ike_sa->get_peer_cfg(ike_sa);
if (rekey)
{
@@ -120,9 +103,24 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
}
if (reauth)
{
- fprintf(out, ", %N reauthentication in %V", auth_class_names,
- get_auth_class(ike_sa->get_peer_cfg(ike_sa)),
- &reauth, &now);
+ bool first = TRUE;
+ enumerator_t *enumerator;
+ auth_cfg_t *auth;
+
+ fprintf(out, ", ");
+ enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, TRUE);
+ while (enumerator->enumerate(enumerator, &auth))
+ {
+ if (!first)
+ {
+ fprintf(out, "+");
+ }
+ first = FALSE;
+ fprintf(out, "%N", auth_class_names,
+ auth->get(auth, AUTH_RULE_AUTH_CLASS));
+ }
+ enumerator->destroy(enumerator);
+ fprintf(out, " reauthentication in %V", &reauth, &now);
}
if (!rekey && !reauth)
{
@@ -195,7 +193,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
fprintf(out, "%N", encryption_algorithm_names, encr_alg);
if (encr_size)
{
- fprintf(out, "-%d", encr_size);
+ fprintf(out, "_%u", encr_size);
}
}
if (int_alg != AUTH_UNDEFINED)
@@ -203,7 +201,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
fprintf(out, "/%N", integrity_algorithm_names, int_alg);
if (int_size)
{
- fprintf(out, "-%d", int_size);
+ fprintf(out, "_%u", int_size);
}
}
}
@@ -212,7 +210,14 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
rekey = child_sa->get_lifetime(child_sa, FALSE);
if (rekey)
{
- fprintf(out, "in %V", &now, &rekey);
+ if (now > rekey)
+ {
+ fprintf(out, "active");
+ }
+ else
+ {
+ fprintf(out, "in %V", &now, &rekey);
+ }
}
else
{
@@ -248,6 +253,107 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
/**
+ * Log a configs local or remote authentication config to out
+ */
+static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local)
+{
+ enumerator_t *enumerator, *rules;
+ auth_rule_t rule;
+ auth_cfg_t *auth;
+ auth_class_t auth_class;
+ identification_t *id;
+ certificate_t *cert;
+ cert_validation_t valid;
+ char *name;
+
+ name = peer_cfg->get_name(peer_cfg);
+
+ enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, local);
+ while (enumerator->enumerate(enumerator, &auth))
+ {
+ fprintf(out, "%12s: %s [%Y] uses ", name, local ? "local: " : "remote:",
+ auth->get(auth, AUTH_RULE_IDENTITY));
+
+ auth_class = (uintptr_t)auth->get(auth, AUTH_RULE_AUTH_CLASS);
+ if (auth_class != AUTH_CLASS_EAP)
+ {
+ fprintf(out, "%N authentication\n", auth_class_names, auth_class);
+ }
+ else
+ {
+ if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE) == EAP_NAK)
+ {
+ fprintf(out, "EAP authentication");
+ }
+ else
+ {
+ if ((uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR))
+ {
+ fprintf(out, "EAP_%d-%d authentication",
+ (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE),
+ (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR));
+ }
+ else
+ {
+ fprintf(out, "%N authentication", eap_type_names,
+ (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE));
+ }
+ }
+ id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+ if (id)
+ {
+ fprintf(out, " with EAP identity '%Y'", id);
+ }
+ fprintf(out, "\n");
+ }
+
+ cert = auth->get(auth, AUTH_RULE_CA_CERT);
+ if (cert)
+ {
+ fprintf(out, "%12s: ca: \"%Y\"\n", name, cert->get_subject(cert));
+ }
+
+ cert = auth->get(auth, AUTH_RULE_IM_CERT);
+ if (cert)
+ {
+ fprintf(out, "%12s: im-ca: \"%Y\"\n", name, cert->get_subject(cert));
+ }
+
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (cert)
+ {
+ fprintf(out, "%12s: cert: \"%Y\"\n", name,
+ cert->get_subject(cert));
+ }
+
+ valid = (uintptr_t)auth->get(auth, AUTH_RULE_OCSP_VALIDATION);
+ if (valid != VALIDATION_FAILED)
+ {
+ fprintf(out, "%12s: ocsp: status must be GOOD%s\n", name,
+ (valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
+ }
+
+ valid = (uintptr_t)auth->get(auth, AUTH_RULE_CRL_VALIDATION);
+ if (valid != VALIDATION_FAILED)
+ {
+ fprintf(out, "%12s: crl: status must be GOOD%s\n", name,
+ (valid == VALIDATION_SKIPPED) ? " or SKIPPED" : "");
+ }
+
+ rules = auth->create_enumerator(auth);
+ while (rules->enumerate(rules, &rule, &id))
+ {
+ if (rule == AUTH_RULE_AC_GROUP)
+ {
+ fprintf(out, "%12s: group: %Y\n", name, id);
+ }
+ }
+ rules->destroy(rules);
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
* Implementation of stroke_list_t.status.
*/
static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all)
@@ -255,8 +361,9 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
enumerator_t *enumerator, *children;
ike_cfg_t *ike_cfg;
child_cfg_t *child_cfg;
+ child_sa_t *child_sa;
ike_sa_t *ike_sa;
- bool found = FALSE;
+ bool first, found = FALSE;
char *name = msg->status.name;
if (all)
@@ -266,10 +373,9 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
host_t *host;
u_int32_t dpd;
time_t now = time(NULL);
- bool first = TRUE;
u_int size, online, offline;
- fprintf(out, "Performance:\n");
+ fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n");
fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &this->uptime, FALSE);
fprintf(out, " worker threads: %d idle of %d,",
charon->processor->get_idle_threads(charon->processor),
@@ -287,6 +393,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
enumerator->destroy(enumerator);
fprintf(out, "\n");
+ first = TRUE;
enumerator = this->attribute->create_pool_enumerator(this->attribute);
while (enumerator->enumerate(enumerator, &pool, &size, &online, &offline))
{
@@ -299,7 +406,7 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
first = FALSE;
fprintf(out, "Virtual IP pools (size/online/offline):\n");
}
- fprintf(out, " %s: %lu/%lu/%lu\n", pool, size, online, offline);
+ fprintf(out, " %s: %u/%u/%u\n", pool, size, online, offline);
}
enumerator->destroy(enumerator);
@@ -313,138 +420,42 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
enumerator->destroy(enumerator);
fprintf(out, "Connections:\n");
- enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends);
- while (enumerator->enumerate(enumerator, (void**)&peer_cfg))
+ enumerator = charon->backends->create_peer_cfg_enumerator(
+ charon->backends, NULL, NULL, NULL, NULL);
+ while (enumerator->enumerate(enumerator, &peer_cfg))
{
- void *ptr;
- certificate_t *cert;
- auth_item_t item;
- auth_info_t *auth;
- enumerator_t *auth_enumerator;
- identification_t *my_ca = NULL, *other_ca = NULL;
- identification_t *eap_identity = NULL;
- u_int32_t *eap_type = NULL;
- bool ac_groups = FALSE;
-
if (peer_cfg->get_ike_version(peer_cfg) != 2 ||
(name && !streq(name, peer_cfg->get_name(peer_cfg))))
{
continue;
}
- /* determine any required CAs, EAP type, EAP identity,
- * and the presence of AC groups
- */
- auth = peer_cfg->get_auth(peer_cfg);
- auth_enumerator = auth->create_item_enumerator(auth);
- while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
- {
- switch (item)
- {
- case AUTHN_EAP_TYPE:
- eap_type = (u_int32_t *)ptr;
- break;
- case AUTHN_EAP_IDENTITY:
- eap_identity = (identification_t *)ptr;
- break;
- case AUTHN_CA_CERT:
- cert = (certificate_t *)ptr;
- my_ca = cert->get_subject(cert);
- break;
- case AUTHN_CA_CERT_NAME:
- my_ca = (identification_t *)ptr;
- break;
- case AUTHZ_CA_CERT:
- cert = (certificate_t *)ptr;
- other_ca = cert->get_subject(cert);
- break;
- case AUTHZ_CA_CERT_NAME:
- other_ca = (identification_t *)ptr;
- break;
- case AUTHZ_AC_GROUP:
- ac_groups = TRUE;
- break;
- default:
- break;
- }
- }
- auth_enumerator->destroy(auth_enumerator);
-
ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
- fprintf(out, "%12s: %s[%D]...%s[%D]\n", peer_cfg->get_name(peer_cfg),
- ike_cfg->get_my_addr(ike_cfg), peer_cfg->get_my_id(peer_cfg),
- ike_cfg->get_other_addr(ike_cfg), peer_cfg->get_other_id(peer_cfg));
- if (my_ca || other_ca)
- {
- fprintf(out, "%12s: CAs: ", peer_cfg->get_name(peer_cfg));
- if (my_ca)
- {
- fprintf(out, "\"%D\"...", my_ca);
- }
- else
- {
- fprintf(out, "%%any...");
- }
- if (other_ca)
- {
- fprintf(out, "\"%D\"\n", other_ca);
- }
- else
- {
- fprintf(out, "%%any\n");
- }
- }
-
- if (ac_groups)
- {
- bool first = TRUE;
-
- fprintf(out, "%12s: groups: ", peer_cfg->get_name(peer_cfg));
- auth_enumerator = auth->create_item_enumerator(auth);
- while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
- {
- if (item == AUTHZ_AC_GROUP)
- {
- identification_t *group = (identification_t *)ptr;
-
- fprintf(out, "%s%D", first? "":", ", group);
- first = FALSE;
- }
- }
- auth_enumerator->destroy(auth_enumerator);
- fprintf(out, "\n");
- }
-
- fprintf(out, "%12s: %N ", peer_cfg->get_name(peer_cfg),
- auth_class_names, get_auth_class(peer_cfg));
- if (eap_type)
- {
- fprintf(out, "and %N ", eap_type_names, *eap_type);
- }
- fprintf(out, "authentication");
- if (eap_identity)
- {
- fprintf(out, ", EAP identity: '%D'", eap_identity);
- }
+ fprintf(out, "%12s: %s...%s", peer_cfg->get_name(peer_cfg),
+ ike_cfg->get_my_addr(ike_cfg), ike_cfg->get_other_addr(ike_cfg));
+
dpd = peer_cfg->get_dpd(peer_cfg);
if (dpd)
{
fprintf(out, ", dpddelay=%us", dpd);
}
fprintf(out, "\n");
-
+
+ log_auth_cfgs(out, peer_cfg, TRUE);
+ log_auth_cfgs(out, peer_cfg, FALSE);
+
children = peer_cfg->create_child_cfg_enumerator(peer_cfg);
while (children->enumerate(children, &child_cfg))
{
linked_list_t *my_ts, *other_ts;
-
+
my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, NULL);
other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, NULL);
- fprintf(out, "%12s: %#R=== %#R", child_cfg->get_name(child_cfg),
+ fprintf(out, "%12s: child: %#R=== %#R", child_cfg->get_name(child_cfg),
my_ts, other_ts);
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
-
+
if (dpd)
{
fprintf(out, ", dpdaction=%N", action_names,
@@ -456,13 +467,25 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo
}
enumerator->destroy(enumerator);
}
+
+ first = TRUE;
+ enumerator = charon->traps->create_enumerator(charon->traps);
+ while (enumerator->enumerate(enumerator, NULL, &child_sa))
+ {
+ if (first)
+ {
+ fprintf(out, "Routed Connections:\n");
+ first = FALSE;
+ }
+ log_child_sa(out, child_sa, all);
+ }
+ enumerator->destroy(enumerator);
fprintf(out, "Security Associations:\n");
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
while (enumerator->enumerate(enumerator, &ike_sa))
{
bool ike_printed = FALSE;
- child_sa_t *child_sa;
iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa);
if (name == NULL || streq(name, ike_sa->get_name(ike_sa)))
@@ -588,8 +611,8 @@ static void stroke_list_pubkeys(linked_list_t *list, bool utc, FILE *out)
key_type_names, public->get_type(public),
public->get_keysize(public) * 8,
private ? ", has private key" : "");
- fprintf(out, " keyid: %D\n", keyid);
- fprintf(out, " subjkey: %D\n", id);
+ fprintf(out, " keyid: %Y\n", keyid);
+ fprintf(out, " subjkey: %Y\n", id);
DESTROY_IF(private);
public->destroy(public);
}
@@ -645,7 +668,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
{
fprintf(out, ", ");
}
- fprintf(out, "%D", altName);
+ fprintf(out, "%Y", altName);
}
if (!first_altName)
{
@@ -653,8 +676,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
}
enumerator->destroy(enumerator);
- fprintf(out, " subject: \"%D\"\n", cert->get_subject(cert));
- fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert));
+ fprintf(out, " subject: \"%Y\"\n", cert->get_subject(cert));
+ fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
fprintf(out, " serial: %#B\n", &serial);
/* list validity */
@@ -699,8 +722,8 @@ static void stroke_list_certs(linked_list_t *list, char *label,
key_type_names, public->get_type(public),
public->get_keysize(public) * 8,
private ? ", has private key" : "");
- fprintf(out, " keyid: %D\n", keyid);
- fprintf(out, " subjkey: %D\n", id);
+ fprintf(out, " keyid: %Y\n", keyid);
+ fprintf(out, " subjkey: %Y\n", id);
DESTROY_IF(private);
public->destroy(public);
}
@@ -708,7 +731,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
/* list optional authorityKeyIdentifier */
if (authkey)
{
- fprintf(out, " authkey: %D\n", authkey);
+ fprintf(out, " authkey: %Y\n", authkey);
}
}
}
@@ -744,17 +767,17 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
if (entityName)
{
- fprintf(out, " holder: \"%D\"\n", entityName);
+ fprintf(out, " holder: \"%Y\"\n", entityName);
}
if (holderIssuer)
{
- fprintf(out, " hissuer: \"%D\"\n", holderIssuer);
+ fprintf(out, " hissuer: \"%Y\"\n", holderIssuer);
}
if (holderSerial.ptr)
{
fprintf(out, " hserial: %#B\n", &holderSerial);
}
- fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert));
+ fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
fprintf(out, " serial: %#B\n", &serial);
/* list validity */
@@ -778,7 +801,7 @@ static void stroke_list_acerts(linked_list_t *list, bool utc, FILE *out)
/* list optional authorityKeyIdentifier */
if (authkey)
{
- fprintf(out, " authkey: %D\n", authkey);
+ fprintf(out, " authkey: %Y\n", authkey);
}
}
enumerator->destroy(enumerator);
@@ -808,7 +831,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
}
fprintf(out, "\n");
- fprintf(out, " issuer: \"%D\"\n", cert->get_issuer(cert));
+ fprintf(out, " issuer: \"%Y\"\n", cert->get_issuer(cert));
/* list optional crlNumber */
if (serial.ptr)
@@ -851,7 +874,7 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out)
/* list optional authorityKeyIdentifier */
if (authkey)
{
- fprintf(out, " authkey: %D\n", authkey);
+ fprintf(out, " authkey: %Y\n", authkey);
}
}
enumerator->destroy(enumerator);
@@ -876,7 +899,7 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out)
first = FALSE;
}
- fprintf(out, " signer: \"%D\"\n", cert->get_issuer(cert));
+ fprintf(out, " signer: \"%Y\"\n", cert->get_issuer(cert));
}
enumerator->destroy(enumerator);
}
@@ -1019,7 +1042,7 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool,
{
if (!address || address->ip_equals(address, lease))
{
- fprintf(out, " %15H %s '%D'\n",
+ fprintf(out, " %15H %s '%Y'\n",
lease, on ? "online" : "offline", id);
found++;
}
diff --git a/src/charon/plugins/stroke/stroke_list.h b/src/charon/plugins/stroke/stroke_list.h
index 73a6ff6e4..2430abfbb 100644
--- a/src/charon/plugins/stroke/stroke_list.h
+++ b/src/charon/plugins/stroke/stroke_list.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/stroke/stroke_plugin.c b/src/charon/plugins/stroke/stroke_plugin.c
index 6933fc074..22c1125a1 100644
--- a/src/charon/plugins/stroke/stroke_plugin.c
+++ b/src/charon/plugins/stroke/stroke_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_plugin.h"
diff --git a/src/charon/plugins/stroke/stroke_plugin.h b/src/charon/plugins/stroke/stroke_plugin.h
index b4c367c6e..6e9d556ad 100644
--- a/src/charon/plugins/stroke/stroke_plugin.h
+++ b/src/charon/plugins/stroke/stroke_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: stroke.h 3589 2008-03-13 14:14:44Z martin $
*/
/**
diff --git a/src/charon/plugins/stroke/stroke_shared_key.c b/src/charon/plugins/stroke/stroke_shared_key.c
index 9c21eb830..8f53f509d 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.c
+++ b/src/charon/plugins/stroke/stroke_shared_key.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_shared_key.h"
diff --git a/src/charon/plugins/stroke/stroke_shared_key.h b/src/charon/plugins/stroke/stroke_shared_key.h
index b456095ae..224062100 100644
--- a/src/charon/plugins/stroke/stroke_shared_key.h
+++ b/src/charon/plugins/stroke/stroke_shared_key.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index 53edde031..f61171e22 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "stroke_socket.h"
@@ -143,18 +141,28 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
pop_string(msg, &end->address);
pop_string(msg, &end->subnets);
pop_string(msg, &end->sourceip);
+ pop_string(msg, &end->auth);
+ pop_string(msg, &end->auth2);
pop_string(msg, &end->id);
+ pop_string(msg, &end->id2);
pop_string(msg, &end->cert);
+ pop_string(msg, &end->cert2);
pop_string(msg, &end->ca);
+ pop_string(msg, &end->ca2);
pop_string(msg, &end->groups);
pop_string(msg, &end->updown);
DBG2(DBG_CFG, " %s=%s", label, end->address);
DBG2(DBG_CFG, " %ssubnet=%s", label, end->subnets);
DBG2(DBG_CFG, " %ssourceip=%s", label, end->sourceip);
+ DBG2(DBG_CFG, " %sauth=%s", label, end->auth);
+ DBG2(DBG_CFG, " %sauth2=%s", label, end->auth2);
DBG2(DBG_CFG, " %sid=%s", label, end->id);
+ DBG2(DBG_CFG, " %sid2=%s", label, end->id2);
DBG2(DBG_CFG, " %scert=%s", label, end->cert);
+ DBG2(DBG_CFG, " %scert2=%s", label, end->cert2);
DBG2(DBG_CFG, " %sca=%s", label, end->ca);
+ DBG2(DBG_CFG, " %sca2=%s", label, end->ca2);
DBG2(DBG_CFG, " %sgroups=%s", label, end->groups);
DBG2(DBG_CFG, " %supdown=%s", label, end->updown);
}
@@ -333,8 +341,15 @@ static void stroke_reread(private_stroke_socket_t *this,
static void stroke_purge(private_stroke_socket_t *this,
stroke_msg_t *msg, FILE *out)
{
- charon->credentials->flush_cache(charon->credentials,
- CERT_X509_OCSP_RESPONSE);
+ if (msg->purge.flags & PURGE_OCSP)
+ {
+ charon->credentials->flush_cache(charon->credentials,
+ CERT_X509_OCSP_RESPONSE);
+ }
+ if (msg->purge.flags & PURGE_IKE)
+ {
+ this->control->purge_ike(this->control, msg, out);
+ }
}
/**
@@ -351,16 +366,16 @@ static void stroke_leases(private_stroke_socket_t *this,
debug_t get_group_from_name(char *type)
{
- if (strcasecmp(type, "any") == 0) return DBG_ANY;
- else if (strcasecmp(type, "mgr") == 0) return DBG_MGR;
- else if (strcasecmp(type, "ike") == 0) return DBG_IKE;
- else if (strcasecmp(type, "chd") == 0) return DBG_CHD;
- else if (strcasecmp(type, "job") == 0) return DBG_JOB;
- else if (strcasecmp(type, "cfg") == 0) return DBG_CFG;
- else if (strcasecmp(type, "knl") == 0) return DBG_KNL;
- else if (strcasecmp(type, "net") == 0) return DBG_NET;
- else if (strcasecmp(type, "enc") == 0) return DBG_ENC;
- else if (strcasecmp(type, "lib") == 0) return DBG_LIB;
+ if (strcaseeq(type, "any")) return DBG_ANY;
+ else if (strcaseeq(type, "mgr")) return DBG_MGR;
+ else if (strcaseeq(type, "ike")) return DBG_IKE;
+ else if (strcaseeq(type, "chd")) return DBG_CHD;
+ else if (strcaseeq(type, "job")) return DBG_JOB;
+ else if (strcaseeq(type, "cfg")) return DBG_CFG;
+ else if (strcaseeq(type, "knl")) return DBG_KNL;
+ else if (strcaseeq(type, "net")) return DBG_NET;
+ else if (strcaseeq(type, "enc")) return DBG_ENC;
+ else if (strcaseeq(type, "lib")) return DBG_LIB;
else return -1;
}
@@ -561,8 +576,11 @@ static job_requeue_t receive(private_stroke_socket_t *this)
*/
static bool open_socket(private_stroke_socket_t *this)
{
- struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET};
+ struct sockaddr_un socket_addr;
mode_t old;
+
+ socket_addr.sun_family = AF_UNIX;
+ strcpy(socket_addr.sun_path, STROKE_SOCKET);
/* set up unix socket */
this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
diff --git a/src/charon/plugins/stroke/stroke_socket.h b/src/charon/plugins/stroke/stroke_socket.h
index 7a772c56c..6073f5133 100644
--- a/src/charon/plugins/stroke/stroke_socket.h
+++ b/src/charon/plugins/stroke/stroke_socket.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
index a29d2d4b1..e599135cb 100644
--- a/src/charon/plugins/uci/Makefile.in
+++ b/src/charon/plugins/uci/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -88,6 +88,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -110,6 +111,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -121,6 +125,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -134,6 +139,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -194,6 +201,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -205,6 +213,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -227,8 +236,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -326,7 +335,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/uci/uci_config.c b/src/charon/plugins/uci/uci_config.c
index c9d54a532..e697e8be6 100644
--- a/src/charon/plugins/uci/uci_config.c
+++ b/src/charon/plugins/uci/uci_config.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#define _GNU_SOURCE
@@ -83,24 +81,6 @@ static proposal_t *create_proposal(char *string, protocol_id_t proto)
}
/**
- * create an identity, with fallback to %any
- */
-static identification_t *create_id(char *string)
-{
- identification_t *id = NULL;
-
- if (string)
- {
- id = identification_create_from_string(string);
- }
- if (!id)
- {
- id = identification_create_from_encoding(ID_ANY, chunk_empty);
- }
- return id;
-}
-
-/**
* create an traffic selector, fallback to dynamic
*/
static traffic_selector_t *create_ts(char *string)
@@ -163,8 +143,7 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
char *remote_id, *remote_addr, *remote_net;
child_cfg_t *child_cfg;
ike_cfg_t *ike_cfg;
- auth_info_t *auth;
- auth_class_t class;
+ auth_cfg_t *auth;
/* defaults */
name = "unnamed";
@@ -187,16 +166,26 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, remote_addr);
ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
this->peer_cfg = peer_cfg_create(
- name, 2, ike_cfg, create_id(local_id), create_id(remote_id),
- CERT_SEND_IF_ASKED, UNIQUE_NO,
+ name, 2, ike_cfg, CERT_SEND_IF_ASKED, UNIQUE_NO,
1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */
1800, 900, /* jitter, overtime */
TRUE, 60, /* mobike, dpddelay */
NULL, NULL, /* vip, pool */
FALSE, NULL, NULL); /* mediation, med by, peer id */
- auth = this->peer_cfg->get_auth(this->peer_cfg);
- class = AUTH_CLASS_PSK;
- auth->add_item(auth, AUTHN_AUTH_CLASS, &class);
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_string(local_id));
+ this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, TRUE);
+
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+ if (remote_id)
+ {
+ auth->add(auth, AUTH_RULE_IDENTITY,
+ identification_create_from_string(remote_id));
+ }
+ this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE);
child_cfg = child_cfg_create(name,
create_rekey(esp_rekey) + 300, create_rekey(ike_rekey), 300,
NULL, TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
diff --git a/src/charon/plugins/uci/uci_config.h b/src/charon/plugins/uci/uci_config.h
index 67893f771..eac05b1df 100644
--- a/src/charon/plugins/uci/uci_config.h
+++ b/src/charon/plugins/uci/uci_config.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/uci/uci_control.c b/src/charon/plugins/uci/uci_control.c
index 2ffdd2b7b..f74224fa7 100644
--- a/src/charon/plugins/uci/uci_control.c
+++ b/src/charon/plugins/uci/uci_control.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#define _GNU_SOURCE
@@ -39,15 +37,15 @@ typedef struct private_uci_control_t private_uci_control_t;
* private data of uci_control_t
*/
struct private_uci_control_t {
-
+
/**
- * Public part
- */
+ * Public part
+ */
uci_control_t public;
-
+
/**
- * Job
- */
+ * Job
+ */
callback_job_t *job;
};
@@ -86,13 +84,14 @@ static void status(private_uci_control_t *this, char *name)
char buf[2048];
FILE *out = NULL;
- configs = charon->backends->create_peer_cfg_enumerator(charon->backends);
- while (configs->enumerate(configs, &peer_cfg))
- {
- if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
- {
- continue;
- }
+ configs = charon->backends->create_peer_cfg_enumerator(charon->backends,
+ NULL, NULL, NULL, NULL);
+ while (configs->enumerate(configs, &peer_cfg))
+ {
+ if (name && !streq(name, peer_cfg->get_name(peer_cfg)))
+ {
+ continue;
+ }
sas = charon->controller->create_ike_sa_enumerator(charon->controller);
while (sas->enumerate(sas, &ike_sa))
{
@@ -108,9 +107,9 @@ static void status(private_uci_control_t *this, char *name)
continue;
}
}
- fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
- ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
-
+ fprintf(out, "%-8s %-20D %-16H ", ike_sa->get_name(ike_sa),
+ ike_sa->get_other_id(ike_sa), ike_sa->get_other_host(ike_sa));
+
children = ike_sa->create_child_sa_iterator(ike_sa);
while (children->iterate(children, (void**)&child_sa))
{
@@ -118,7 +117,7 @@ static void status(private_uci_control_t *this, char *name)
child_sa->get_traffic_selectors(child_sa, FALSE));
}
children->destroy(children);
- fprintf(out, "\n");
+ fprintf(out, "\n");
}
sas->destroy(sas);
}
@@ -142,7 +141,7 @@ static void initiate(private_uci_control_t *this, char *name)
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
enumerator_t *enumerator;
-
+
peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, name);
if (peer_cfg)
{
@@ -174,7 +173,7 @@ static void terminate(private_uci_control_t *this, char *name)
enumerator_t *enumerator;
ike_sa_t *ike_sa;
u_int id;
-
+
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
while (enumerator->enumerate(enumerator, &ike_sa))
{
@@ -240,7 +239,7 @@ static job_requeue_t receive(private_uci_control_t *this)
char message[128];
int oldstate, len;
FILE *in;
-
+
memset(message, 0, sizeof(message));
pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
in = fopen(FIFO_FILE, "r");
@@ -281,9 +280,9 @@ static void destroy(private_uci_control_t *this)
uci_control_t *uci_control_create()
{
private_uci_control_t *this = malloc_thing(private_uci_control_t);
-
+
this->public.destroy = (void(*)(uci_control_t*))destroy;
-
+
unlink(FIFO_FILE);
if (mkfifo(FIFO_FILE, S_IRUSR|S_IWUSR) != 0)
{
diff --git a/src/charon/plugins/uci/uci_control.h b/src/charon/plugins/uci/uci_control.h
index b5db32226..527ed82e7 100644
--- a/src/charon/plugins/uci/uci_control.h
+++ b/src/charon/plugins/uci/uci_control.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/uci/uci_creds.c b/src/charon/plugins/uci/uci_creds.c
index 60f6fc934..05bc6e109 100644
--- a/src/charon/plugins/uci/uci_creds.c
+++ b/src/charon/plugins/uci/uci_creds.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "uci_creds.h"
@@ -81,10 +79,6 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
if (me)
{
local = identification_create_from_string(local_id);
- if (!local)
- {
- continue;
- }
*me = this->me ? this->me->matches(this->me, local)
: ID_MATCH_ANY;
local->destroy(local);
@@ -96,10 +90,6 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
if (other)
{
remote = identification_create_from_string(remote_id);
- if (!remote)
- {
- continue;
- }
*other = this->other ? this->other->matches(this->other, remote)
: ID_MATCH_ANY;
remote->destroy(remote);
diff --git a/src/charon/plugins/uci/uci_creds.h b/src/charon/plugins/uci/uci_creds.h
index f1573a8a3..de50984a9 100644
--- a/src/charon/plugins/uci/uci_creds.h
+++ b/src/charon/plugins/uci/uci_creds.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/uci/uci_parser.c b/src/charon/plugins/uci/uci_parser.c
index 8f4acb938..f994e36f7 100644
--- a/src/charon/plugins/uci/uci_parser.c
+++ b/src/charon/plugins/uci/uci_parser.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "uci_parser.h"
diff --git a/src/charon/plugins/uci/uci_parser.h b/src/charon/plugins/uci/uci_parser.h
index b3e76962b..ef3d7b0f5 100644
--- a/src/charon/plugins/uci/uci_parser.h
+++ b/src/charon/plugins/uci/uci_parser.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/uci/uci_plugin.c b/src/charon/plugins/uci/uci_plugin.c
index fd84b224c..3ab4c92f8 100644
--- a/src/charon/plugins/uci/uci_plugin.c
+++ b/src/charon/plugins/uci/uci_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "uci_plugin.h"
diff --git a/src/charon/plugins/uci/uci_plugin.h b/src/charon/plugins/uci/uci_plugin.h
index d9a888aa1..e7743227c 100644
--- a/src/charon/plugins/uci/uci_plugin.h
+++ b/src/charon/plugins/uci/uci_plugin.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
index 9c86aa69f..50c5e0362 100644
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ b/src/charon/plugins/unit_tester/Makefile.am
@@ -8,7 +8,6 @@ plugin_LTLIBRARIES = libstrongswan-unit-tester.la
libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
tests/test_enumerator.c \
tests/test_auth_info.c \
- tests/test_fips_prf.c \
tests/test_curl.c \
tests/test_mysql.c \
tests/test_sqlite.c \
@@ -16,11 +15,10 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
tests/test_rsa_gen.c \
tests/test_cert.c \
tests/test_med_db.c \
- tests/test_aes.c \
tests/test_chunk.c \
tests/test_pool.c \
tests/test_agent.c \
- tests/test_rng.c
+ tests/test_id.c
libstrongswan_unit_tester_la_LDFLAGS = -module
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
index 537ec127e..2ee5e48d8 100644
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ b/src/charon/plugins/unit_tester/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -51,10 +51,10 @@ pluginLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(plugin_LTLIBRARIES)
libstrongswan_unit_tester_la_LIBADD =
am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \
- test_enumerator.lo test_auth_info.lo test_fips_prf.lo \
- test_curl.lo test_mysql.lo test_sqlite.lo test_mutex.lo \
- test_rsa_gen.lo test_cert.lo test_med_db.lo test_aes.lo \
- test_chunk.lo test_pool.lo test_agent.lo test_rng.lo
+ test_enumerator.lo test_auth_info.lo test_curl.lo \
+ test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \
+ test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \
+ test_agent.lo test_id.lo
libstrongswan_unit_tester_la_OBJECTS = \
$(am_libstrongswan_unit_tester_la_OBJECTS)
libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \
@@ -93,6 +93,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -115,6 +116,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -126,6 +130,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -139,6 +144,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -199,6 +206,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -210,6 +218,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -220,7 +229,6 @@ plugin_LTLIBRARIES = libstrongswan-unit-tester.la
libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
tests/test_enumerator.c \
tests/test_auth_info.c \
- tests/test_fips_prf.c \
tests/test_curl.c \
tests/test_mysql.c \
tests/test_sqlite.c \
@@ -228,11 +236,10 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
tests/test_rsa_gen.c \
tests/test_cert.c \
tests/test_med_db.c \
- tests/test_aes.c \
tests/test_chunk.c \
tests/test_pool.c \
tests/test_agent.c \
- tests/test_rng.c
+ tests/test_id.c
libstrongswan_unit_tester_la_LDFLAGS = -module
all: all-am
@@ -243,8 +250,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -304,19 +311,17 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_aes.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_agent.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_auth_info.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_cert.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_fips_prf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mysql.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_pool.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rng.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_rsa_gen.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_sqlite.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unit_tester.Plo@am__quote@
@@ -356,13 +361,6 @@ test_auth_info.lo: tests/test_auth_info.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_auth_info.lo `test -f 'tests/test_auth_info.c' || echo '$(srcdir)/'`tests/test_auth_info.c
-test_fips_prf.lo: tests/test_fips_prf.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_fips_prf.lo -MD -MP -MF $(DEPDIR)/test_fips_prf.Tpo -c -o test_fips_prf.lo `test -f 'tests/test_fips_prf.c' || echo '$(srcdir)/'`tests/test_fips_prf.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/test_fips_prf.Tpo $(DEPDIR)/test_fips_prf.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tests/test_fips_prf.c' object='test_fips_prf.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_fips_prf.lo `test -f 'tests/test_fips_prf.c' || echo '$(srcdir)/'`tests/test_fips_prf.c
-
test_curl.lo: tests/test_curl.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_curl.lo -MD -MP -MF $(DEPDIR)/test_curl.Tpo -c -o test_curl.lo `test -f 'tests/test_curl.c' || echo '$(srcdir)/'`tests/test_curl.c
@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/test_curl.Tpo $(DEPDIR)/test_curl.Plo
@@ -412,13 +410,6 @@ test_med_db.lo: tests/test_med_db.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_med_db.lo `test -f 'tests/test_med_db.c' || echo '$(srcdir)/'`tests/test_med_db.c
-test_aes.lo: tests/test_aes.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_aes.lo -MD -MP -MF $(DEPDIR)/test_aes.Tpo -c -o test_aes.lo `test -f 'tests/test_aes.c' || echo '$(srcdir)/'`tests/test_aes.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/test_aes.Tpo $(DEPDIR)/test_aes.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tests/test_aes.c' object='test_aes.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_aes.lo `test -f 'tests/test_aes.c' || echo '$(srcdir)/'`tests/test_aes.c
-
test_chunk.lo: tests/test_chunk.c
@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_chunk.lo -MD -MP -MF $(DEPDIR)/test_chunk.Tpo -c -o test_chunk.lo `test -f 'tests/test_chunk.c' || echo '$(srcdir)/'`tests/test_chunk.c
@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/test_chunk.Tpo $(DEPDIR)/test_chunk.Plo
@@ -440,12 +431,12 @@ test_agent.lo: tests/test_agent.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_agent.lo `test -f 'tests/test_agent.c' || echo '$(srcdir)/'`tests/test_agent.c
-test_rng.lo: tests/test_rng.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_rng.lo -MD -MP -MF $(DEPDIR)/test_rng.Tpo -c -o test_rng.lo `test -f 'tests/test_rng.c' || echo '$(srcdir)/'`tests/test_rng.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/test_rng.Tpo $(DEPDIR)/test_rng.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tests/test_rng.c' object='test_rng.lo' libtool=yes @AMDEPBACKSLASH@
+test_id.lo: tests/test_id.c
+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_id.lo -MD -MP -MF $(DEPDIR)/test_id.Tpo -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/test_id.Tpo $(DEPDIR)/test_id.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tests/test_id.c' object='test_id.lo' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_rng.lo `test -f 'tests/test_rng.c' || echo '$(srcdir)/'`tests/test_rng.c
+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c
mostlyclean-libtool:
-rm -f *.lo
@@ -458,7 +449,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index 7a5aa5ab8..dcf2a5d18 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: tests.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -25,8 +23,7 @@ DEFINE_TEST("simple enumerator", test_enumerate, FALSE)
DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE)
DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE)
DEFINE_TEST("token enumerator", test_enumerate_token, FALSE)
-DEFINE_TEST("auth info", test_auth_info, FALSE)
-DEFINE_TEST("FIPS PRF", fips_prf_test, FALSE)
+DEFINE_TEST("auth cfg", test_auth_cfg, FALSE)
DEFINE_TEST("CURL get", test_curl_get, FALSE)
DEFINE_TEST("MySQL operations", test_mysql, FALSE)
DEFINE_TEST("SQLite operations", test_sqlite, FALSE)
@@ -35,11 +32,9 @@ DEFINE_TEST("RSA key generation", test_rsa_gen, FALSE)
DEFINE_TEST("RSA subjectPublicKeyInfo loading", test_rsa_load_any, FALSE)
DEFINE_TEST("X509 certificate", test_cert_x509, FALSE)
DEFINE_TEST("Mediation database key fetch", test_med_db, FALSE)
-DEFINE_TEST("AES-128 encryption", test_aes128, FALSE)
-DEFINE_TEST("AES-XCBC", test_aes_xcbc, FALSE)
DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
DEFINE_TEST("IP pool", test_pool, FALSE)
DEFINE_TEST("SSH agent", test_agent, FALSE)
-DEFINE_TEST("RNG quality", test_rng, FALSE)
+DEFINE_TEST("ID parts", test_id_parts, FALSE)
/** @}*/
diff --git a/src/charon/plugins/unit_tester/tests/test_aes.c b/src/charon/plugins/unit_tester/tests/test_aes.c
deleted file mode 100644
index 06e891d83..000000000
--- a/src/charon/plugins/unit_tester/tests/test_aes.c
+++ /dev/null
@@ -1,467 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <library.h>
-#include <utils/mutex.h>
-
-#include <unistd.h>
-#include <sched.h>
-#include <pthread.h>
-
-/**
- * run a test using given values
- */
-static bool do_aes_test(u_char *key, int keysize, u_char *iv,
- u_char *plain, u_char *cipher, int len)
-{
- crypter_t *crypter;
- chunk_t enc, dec;
- bool good = TRUE;
-
- crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, keysize);
- if (!crypter)
- {
- return FALSE;
- }
- crypter->set_key(crypter, chunk_create(key, keysize));
- crypter->encrypt(crypter,
- chunk_create(plain, len), chunk_create(iv, 16), &enc);
- if (!memeq(enc.ptr, cipher, len))
- {
- good = FALSE;
- }
- crypter->decrypt(crypter, enc, chunk_create(iv, 16), &dec);
- if (!memeq(dec.ptr, plain, len))
- {
- good = FALSE;
- }
- free(enc.ptr);
- free(dec.ptr);
- crypter->destroy(crypter);
- return good;
-}
-
-/*******************************************************************************
- * AES-128 test
- ******************************************************************************/
-bool test_aes128()
-{
- /*
- * Test 1 of RFC3602
- * Key : 0x06a9214036b8a15b512e03d534120006
- * IV : 0x3dafba429d9eb430b422da802c9fac41
- * Plaintext : "Single block msg"
- * Ciphertext: 0xe353779c1079aeb82708942dbe77181a
- */
- u_char key1[] = {
- 0x06,0xa9,0x21,0x40,0x36,0xb8,0xa1,0x5b,
- 0x51,0x2e,0x03,0xd5,0x34,0x12,0x00,0x06
- };
- u_char iv1[] = {
- 0x3d,0xaf,0xba,0x42,0x9d,0x9e,0xb4,0x30,
- 0xb4,0x22,0xda,0x80,0x2c,0x9f,0xac,0x41
- };
- u_char plain1[] = {
- 'S','i','n','g','l','e',' ','b','l','o','c','k',' ','m','s','g'
- };
- u_char cipher1[] = {
- 0xe3,0x53,0x77,0x9c,0x10,0x79,0xae,0xb8,
- 0x27,0x08,0x94,0x2d,0xbe,0x77,0x18,0x1a
- };
- if (!do_aes_test(key1, 16, iv1, plain1, cipher1, sizeof(plain1)))
- {
- return FALSE;
- }
-
- /*
- * Test 2 of RFC3602
- * Key : 0xc286696d887c9aa0611bbb3e2025a45a
- * IV : 0x562e17996d093d28ddb3ba695a2e6f58
- * Plaintext : 0x000102030405060708090a0b0c0d0e0f
- * 101112131415161718191a1b1c1d1e1f
- * Ciphertext: 0xd296cd94c2cccf8a3a863028b5e1dc0a
- * 7586602d253cfff91b8266bea6d61ab1
- */
- u_char key2[] = {
- 0xc2,0x86,0x69,0x6d,0x88,0x7c,0x9a,0xa0,
- 0x61,0x1b,0xbb,0x3e,0x20,0x25,0xa4,0x5a
- };
- u_char iv2[] = {
- 0x56,0x2e,0x17,0x99,0x6d,0x09,0x3d,0x28,
- 0xdd,0xb3,0xba,0x69,0x5a,0x2e,0x6f,0x58
- };
- u_char plain2[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
- 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
- 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
- };
- u_char cipher2[] = {
- 0xd2,0x96,0xcd,0x94,0xc2,0xcc,0xcf,0x8a,
- 0x3a,0x86,0x30,0x28,0xb5,0xe1,0xdc,0x0a,
- 0x75,0x86,0x60,0x2d,0x25,0x3c,0xff,0xf9,
- 0x1b,0x82,0x66,0xbe,0xa6,0xd6,0x1a,0xb1
- };
- if (!do_aes_test(key2, 16, iv2, plain2, cipher2, sizeof(plain2)))
- {
- return FALSE;
- }
-
- /*
- * Test 3 of RFC3603
- * Key : 0x56e47a38c5598974bc46903dba290349
- * IV : 0x8ce82eefbea0da3c44699ed7db51b7d9
- * Plaintext : 0xa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
- * b0b1b2b3b4b5b6b7b8b9babbbcbdbebf
- * c0c1c2c3c4c5c6c7c8c9cacbcccdcecf
- * d0d1d2d3d4d5d6d7d8d9dadbdcdddedf
- * Ciphertext: 0xc30e32ffedc0774e6aff6af0869f71aa
- * 0f3af07a9a31a9c684db207eb0ef8e4e
- * 35907aa632c3ffdf868bb7b29d3d46ad
- * 83ce9f9a102ee99d49a53e87f4c3da55
- */
- u_char key3[] = {
- 0x56,0xe4,0x7a,0x38,0xc5,0x59,0x89,0x74,
- 0xbc,0x46,0x90,0x3d,0xba,0x29,0x03,0x49
- };
- u_char iv3[] = {
- 0x8c,0xe8,0x2e,0xef,0xbe,0xa0,0xda,0x3c,
- 0x44,0x69,0x9e,0xd7,0xdb,0x51,0xb7,0xd9
- };
- u_char plain3[] = {
- 0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,
- 0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf,
- 0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7,
- 0xb8,0xb9,0xba,0xbb,0xbc,0xbd,0xbe,0xbf,
- 0xc0,0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,
- 0xc8,0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf,
- 0xd0,0xd1,0xd2,0xd3,0xd4,0xd5,0xd6,0xd7,
- 0xd8,0xd9,0xda,0xdb,0xdc,0xdd,0xde,0xdf
- };
- u_char cipher3[] = {
- 0xc3,0x0e,0x32,0xff,0xed,0xc0,0x77,0x4e,
- 0x6a,0xff,0x6a,0xf0,0x86,0x9f,0x71,0xaa,
- 0x0f,0x3a,0xf0,0x7a,0x9a,0x31,0xa9,0xc6,
- 0x84,0xdb,0x20,0x7e,0xb0,0xef,0x8e,0x4e,
- 0x35,0x90,0x7a,0xa6,0x32,0xc3,0xff,0xdf,
- 0x86,0x8b,0xb7,0xb2,0x9d,0x3d,0x46,0xad,
- 0x83,0xce,0x9f,0x9a,0x10,0x2e,0xe9,0x9d,
- 0x49,0xa5,0x3e,0x87,0xf4,0xc3,0xda,0x55
- };
- if (!do_aes_test(key3, 16, iv3, plain3, cipher3, sizeof(plain3)))
- {
- return FALSE;
- }
- return TRUE;
-}
-
-/**
- * run a single xcbc test for prf and signer
- */
-static bool do_xcbc_test(u_int8_t *key, size_t keylen, u_int8_t *mac,
- u_int8_t *plain, size_t len)
-{
- signer_t *signer;
- prf_t *prf;
- u_int8_t res[16];
-
- prf = lib->crypto->create_prf(lib->crypto, PRF_AES128_XCBC);
- if (!prf)
- {
- return FALSE;
- }
- prf->set_key(prf, chunk_create(key, keylen));
- prf->get_bytes(prf, chunk_create(plain, len), res);
- if (!memeq(res, mac, 16))
- {
- DBG1(DBG_CFG, "expected %b\ngot %b", mac, 16, res, 16);
- prf->destroy(prf);
- return FALSE;
- }
- prf->destroy(prf);
-
- signer = lib->crypto->create_signer(lib->crypto, AUTH_AES_XCBC_96);
- if (!signer)
- {
- return FALSE;
- }
- signer->set_key(signer, chunk_create(key, keylen));
- if (!signer->verify_signature(signer, chunk_create(plain, len),
- chunk_create(mac, 12)))
- {
- return FALSE;
- }
- signer->destroy(signer);
- return TRUE;
-}
-
-
-/*******************************************************************************
- * AES_XCBC mac test
- ******************************************************************************/
-bool test_aes_xcbc()
-{
- /* Vectors from RFC 3566 */
-
- /* Test Case #1 : AES-XCBC-MAC-96 with 0-byte input
- * Key (K) : 000102030405060708090a0b0c0d0e0f
- * Message (M) : <empty string>
- * AES-XCBC-MAC : 75f0251d528ac01c4573dfd584d79f29
- * AES-XCBC-MAC-96: 75f0251d528ac01c4573dfd5
- */
- u_char key1[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char plain1[] = {
- };
- u_char mac1[] = {
- 0x75,0xf0,0x25,0x1d,0x52,0x8a,0xc0,0x1c,
- 0x45,0x73,0xdf,0xd5,0x84,0xd7,0x9f,0x29
- };
- if (!do_xcbc_test(key1, 16, mac1, plain1, sizeof(plain1)))
- {
- return FALSE;
- }
-
- /*
- * Test Case #2 : AES-XCBC-MAC-96 with 3-byte input
- * Key (K) : 000102030405060708090a0b0c0d0e0f
- * Message (M) : 000102
- * AES-XCBC-MAC : 5b376580ae2f19afe7219ceef172756f
- * AES-XCBC-MAC-96: 5b376580ae2f19afe7219cee
- */
- u_char key2[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char plain2[] = {
- 0x00,0x01,0x02
- };
- u_char mac2[] = {
- 0x5b,0x37,0x65,0x80,0xae,0x2f,0x19,0xaf,
- 0xe7,0x21,0x9c,0xee,0xf1,0x72,0x75,0x6f
- };
- if (!do_xcbc_test(key2, 16, mac2, plain2, sizeof(plain2)))
- {
- return FALSE;
- }
-
- /* Test Case #3 : AES-XCBC-MAC-96 with 16-byte input
- * Key (K) : 000102030405060708090a0b0c0d0e0f
- * Message (M) : 000102030405060708090a0b0c0d0e0f
- * AES-XCBC-MAC : d2a246fa349b68a79998a4394ff7a263
- * AES-XCBC-MAC-96: d2a246fa349b68a79998a439
- */
- u_char key3[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char plain3[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char mac3[] = {
- 0xd2,0xa2,0x46,0xfa,0x34,0x9b,0x68,0xa7,
- 0x99,0x98,0xa4,0x39,0x4f,0xf7,0xa2,0x63
- };
- if (!do_xcbc_test(key3, 16, mac3, plain3, sizeof(plain3)))
- {
- return FALSE;
- }
-
- /* Test Case #4 : AES-XCBC-MAC-96 with 20-byte input
- * Key (K) : 000102030405060708090a0b0c0d0e0f
- * Message (M) : 000102030405060708090a0b0c0d0e0f10111213
- * AES-XCBC-MAC : 47f51b4564966215b8985c63055ed308
- * AES-XCBC-MAC-96: 47f51b4564966215b8985c63
- */
- u_char key4[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char plain4[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
- 0x10,0x11,0x12,0x13
- };
- u_char mac4[] = {
- 0x47,0xf5,0x1b,0x45,0x64,0x96,0x62,0x15,
- 0xb8,0x98,0x5c,0x63,0x05,0x5e,0xd3,0x08
- };
- if (!do_xcbc_test(key4, 16, mac4, plain4, sizeof(plain4)))
- {
- return FALSE;
- }
-
- /* Test Case #5 : AES-XCBC-MAC-96 with 32-byte input
- * Key (K) : 000102030405060708090a0b0c0d0e0f
- * Message (M) : 000102030405060708090a0b0c0d0e0f10111213141516171819
- * 1a1b1c1d1e1f
- * AES-XCBC-MAC : f54f0ec8d2b9f3d36807734bd5283fd4
- * AES-XCBC-MAC-96: f54f0ec8d2b9f3d36807734b
- */
- u_char key5[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char plain5[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
- 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
- 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
- };
- u_char mac5[] = {
- 0xf5,0x4f,0x0e,0xc8,0xd2,0xb9,0xf3,0xd3,
- 0x68,0x07,0x73,0x4b,0xd5,0x28,0x3f,0xd4
- };
- if (!do_xcbc_test(key5, 16, mac5, plain5, sizeof(plain5)))
- {
- return FALSE;
- }
-
- /* Test Case #7 : AES-XCBC-MAC-96 with 1000-byte input
- * Key (K) : 000102030405060708090a0b0c0d0e0f
- * Message (M) : 00000000000000000000 ... 00000000000000000000
- * [1000 bytes]
- * AES-XCBC-MAC : f0dafee895db30253761103b5d84528f
- * AES-XCBC-MAC-96: f0dafee895db30253761103b
- */
- u_char key7[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char plain7[1000];
- memset(plain7, 0, 1000);
- u_char mac7[] = {
- 0xf0,0xda,0xfe,0xe8,0x95,0xdb,0x30,0x25,
- 0x37,0x61,0x10,0x3b,0x5d,0x84,0x52,0x8f
- };
- if (!do_xcbc_test(key7, 16, mac7, plain7, sizeof(plain7)))
- {
- return FALSE;
- }
-
- /* variable key test, RFC4434 */
-
- /* Test Case AES-XCBC-PRF-128 with 20-byte input
- * Key : 00010203040506070809
- * Message : 000102030405060708090a0b0c0d0e0f10111213
- * PRF Output : 0fa087af7d866e7653434e602fdde835
- */
- u_char key8[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,
- };
- u_char plain8[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
- 0x10,0x11,0x12,0x13
- };
- u_char mac8[] = {
- 0x0f,0xa0,0x87,0xaf,0x7d,0x86,0x6e,0x76,
- 0x53,0x43,0x4e,0x60,0x2f,0xdd,0xe8,0x35
- };
- if (!do_xcbc_test(key8, 10, mac8, plain8, sizeof(plain8)))
- {
- return FALSE;
- }
-
- /* Test Case AES-XCBC-PRF-128 with 20-byte input
- * Key : 000102030405060708090a0b0c0d0e0fedcb
- * Message : 000102030405060708090a0b0c0d0e0f10111213
- * PRF Output : 8cd3c93ae598a9803006ffb67c40e9e4
- */
- u_char key9[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
- 0xed,0xcb
- };
- u_char plain9[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
- 0x10,0x11,0x12,0x13
- };
- u_char mac9[] = {
- 0x8c,0xd3,0xc9,0x3a,0xe5,0x98,0xa9,0x80,
- 0x30,0x06,0xff,0xb6,0x7c,0x40,0xe9,0xe4
- };
- if (!do_xcbc_test(key9, 18, mac9, plain9, sizeof(plain9)))
- {
- return FALSE;
- }
-
-
- /* Test Case #10 : AES-XCBC-MAC-96 with 32-byte input using append mode
- * Key (K) : 000102030405060708090a0b0c0d0e0f
- * Message (M) : 000102030405060708090a0b0c0d0e0f10111213141516171819
- * 1a1b1c1d1e1f
- * AES-XCBC-MAC : f54f0ec8d2b9f3d36807734bd5283fd4
- * AES-XCBC-MAC-96: f54f0ec8d2b9f3d36807734b
- */
- u_char key10[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f
- };
- u_char plain10[] = {
- 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
- 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
- 0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
- 0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
- };
- u_char mac10[] = {
- 0xf5,0x4f,0x0e,0xc8,0xd2,0xb9,0xf3,0xd3,
- 0x68,0x07,0x73,0x4b,0xd5,0x28,0x3f,0xd4
- };
- int i;
- prf_t *prf = lib->crypto->create_prf(lib->crypto, PRF_AES128_XCBC);
- u_char res[16];
- if (!prf)
- {
- return FALSE;
- }
- prf->set_key(prf, chunk_create(key10, sizeof(key10)));
- for (i = 0; i < 4; i++)
- { /* bytes 0 - 3, 1 byte at once */
- prf->get_bytes(prf, chunk_create(plain10 + i, 1), NULL);
- }
- for (i = 4; i < 5; i+=8)
- { /* bytes 4 - 11, at once */
- prf->get_bytes(prf, chunk_create(plain10 + i, 8), NULL);
- }
- for (i = 12; i < 24; i+=4)
- { /* bytes 12 - 23, in blocks of 4 */
- prf->get_bytes(prf, chunk_create(plain10 + i, 4), NULL);
- }
- for (i = 0; i < 4; i++)
- { /* 4 zero blobs */
- prf->get_bytes(prf, chunk_create(NULL, 0), NULL);
- }
- for (i = 24; i < 25; i+=8)
- { /* bytes 24 - 32, at once */
- prf->get_bytes(prf, chunk_create(plain10 + i, 8), res);
- }
- if (!memeq(res, mac10, 16))
- {
- DBG1(DBG_CFG, "expected %b\ngot %b", mac10, 16, res, 16);
- prf->destroy(prf);
- return FALSE;
- }
- prf->destroy(prf);
-
- return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_auth_info.c b/src/charon/plugins/unit_tester/tests/test_auth_info.c
index 1719190b1..37bdd1087 100644
--- a/src/charon/plugins/unit_tester/tests/test_auth_info.c
+++ b/src/charon/plugins/unit_tester/tests/test_auth_info.c
@@ -15,7 +15,7 @@
#include <daemon.h>
#include <library.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
char buf[] = {0x01,0x02,0x03,0x04};
@@ -75,14 +75,14 @@ chunk_t certchunk = chunk_from_buf(certbuf);
/*******************************************************************************
* auth info test
******************************************************************************/
-bool test_auth_info()
+bool test_auth_cfg()
{
- auth_info_t *auth = auth_info_create(), *auth2;
+ auth_cfg_t *auth = auth_cfg_create(), *auth2;
certificate_t *c1, *c2;
enumerator_t *enumerator;
int round = 0;
void *value;
- auth_item_t type;
+ auth_rule_t type;
c1 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_BLOB_ASN1_DER, certchunk,
@@ -92,8 +92,9 @@ bool test_auth_info()
return FALSE;
}
- auth->add_item(auth, AUTHN_SUBJECT_CERT, c1);
- if (!auth->get_item(auth, AUTHN_SUBJECT_CERT, (void**)&c2))
+ auth->add(auth, AUTH_RULE_SUBJECT_CERT, c1->get_ref(c1));
+ c2 = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!c2)
{
return FALSE;
}
@@ -102,11 +103,11 @@ bool test_auth_info()
return FALSE;
}
- enumerator = auth->create_item_enumerator(auth);
+ enumerator = auth->create_enumerator(auth);
while (enumerator->enumerate(enumerator, &type, &value))
{
round++;
- if (round == 1 && type == AUTHN_SUBJECT_CERT && value == c1)
+ if (round == 1 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
{
continue;
}
@@ -114,20 +115,20 @@ bool test_auth_info()
}
enumerator->destroy(enumerator);
- auth2 = auth_info_create();
- auth2->add_item(auth2, AUTHN_CA_CERT, c1);
- auth2->merge(auth2, auth);
+ auth2 = auth_cfg_create();
+ auth2->add(auth2, AUTH_RULE_CA_CERT, c1->get_ref(c1));
+ auth2->merge(auth2, auth, FALSE);
round = 0;
- enumerator = auth2->create_item_enumerator(auth2);
+ enumerator = auth2->create_enumerator(auth2);
while (enumerator->enumerate(enumerator, &type, &value))
{
round++;
- if (round == 1 && type == AUTHN_CA_CERT && value == c1)
+ if (round == 1 && type == AUTH_RULE_CA_CERT && value == c1)
{
continue;
}
- if (round == 2 && type == AUTHN_SUBJECT_CERT && value == c1)
+ if (round == 2 && type == AUTH_RULE_SUBJECT_CERT && value == c1)
{
continue;
}
diff --git a/src/charon/plugins/unit_tester/tests/test_fips_prf.c b/src/charon/plugins/unit_tester/tests/test_fips_prf.c
deleted file mode 100644
index 29612143e..000000000
--- a/src/charon/plugins/unit_tester/tests/test_fips_prf.c
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <utils/linked_list.h>
-#include <daemon.h>
-
-/*******************************************************************************
- * fips prf known value test
- ******************************************************************************/
-bool fips_prf_test()
-{
- prf_t *prf;
- u_int8_t key_buf[] = {
- 0xbd, 0x02, 0x9b, 0xbe, 0x7f, 0x51, 0x96, 0x0b,
- 0xcf, 0x9e, 0xdb, 0x2b, 0x61, 0xf0, 0x6f, 0x0f,
- 0xeb, 0x5a, 0x38, 0xb6
- };
- u_int8_t seed_buf[] = {
- 0x00
- };
- u_int8_t result_buf[] = {
- 0x20, 0x70, 0xb3, 0x22, 0x3d, 0xba, 0x37, 0x2f,
- 0xde, 0x1c, 0x0f, 0xfc, 0x7b, 0x2e, 0x3b, 0x49,
- 0x8b, 0x26, 0x06, 0x14, 0x3c, 0x6c, 0x18, 0xba,
- 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78,
- 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16
- };
- chunk_t key = chunk_from_buf(key_buf);
- chunk_t seed = chunk_from_buf(seed_buf);
- chunk_t expected = chunk_from_buf(result_buf);
- chunk_t result;
-
- prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160);
- if (prf == NULL)
- {
- DBG1(DBG_CFG, "FIPS PRF implementation not found");
- return FALSE;
- }
- prf->set_key(prf, key);
- prf->allocate_bytes(prf, seed, &result);
- prf->destroy(prf);
- if (!chunk_equals(result, expected))
- {
- DBG1(DBG_CFG, "FIPS PRF result invalid:\nexpected: %Bresult: %B",
- &expected, &result);
- chunk_free(&result);
- return FALSE;
- }
- chunk_free(&result);
- return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c
new file mode 100644
index 000000000..56dab2421
--- /dev/null
+++ b/src/charon/plugins/unit_tester/tests/test_id.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <daemon.h>
+
+/*******************************************************************************
+ * identification part enumeration test
+ ******************************************************************************/
+bool test_id_parts()
+{
+ identification_t *id;
+ enumerator_t *enumerator;
+ id_part_t part;
+ chunk_t data;
+ int i = 0;
+
+ id = identification_create_from_string("C=CH, O=strongSwan, CN=tester");
+
+ enumerator = id->create_part_enumerator(id);
+ while (enumerator->enumerate(enumerator, &part, &data))
+ {
+ switch (i++)
+ {
+ case 0:
+ if (part != ID_PART_RDN_C ||
+ !chunk_equals(data, chunk_create("CH", 2)))
+ {
+ return FALSE;
+ }
+ break;
+ case 1:
+ if (part != ID_PART_RDN_O ||
+ !chunk_equals(data, chunk_create("strongSwan", 10)))
+ {
+ return FALSE;
+ }
+ break;
+ case 2:
+ if (part != ID_PART_RDN_CN ||
+ !chunk_equals(data, chunk_create("tester", 6)))
+ {
+ return FALSE;
+ }
+ break;
+ default:
+ return FALSE;
+ }
+ }
+ if (i < 3)
+ {
+ return FALSE;
+ }
+ enumerator->destroy(enumerator);
+ id->destroy(id);
+ return TRUE;
+}
+
diff --git a/src/charon/plugins/unit_tester/tests/test_med_db.c b/src/charon/plugins/unit_tester/tests/test_med_db.c
index d65eb0cc4..7b4603bd7 100644
--- a/src/charon/plugins/unit_tester/tests/test_med_db.c
+++ b/src/charon/plugins/unit_tester/tests/test_med_db.c
@@ -33,8 +33,8 @@ bool test_med_db()
chunk_t keyid = chunk_from_buf(keyid_buf);
identification_t *id, *found;
enumerator_t *enumerator;
- auth_info_t *auth;
public_key_t *public;
+ auth_cfg_t *auth;
bool good = FALSE;
id = identification_create_from_encoding(ID_KEY_ID, keyid);
diff --git a/src/charon/plugins/unit_tester/tests/test_pool.c b/src/charon/plugins/unit_tester/tests/test_pool.c
index b11f71704..ba5330fd9 100644
--- a/src/charon/plugins/unit_tester/tests/test_pool.c
+++ b/src/charon/plugins/unit_tester/tests/test_pool.c
@@ -25,32 +25,24 @@
static void* testing(void *thread)
{
- int i;
- auth_info_t *auth;
+ int i;
host_t *addr[ALLOCS];
identification_t *id[ALLOCS];
-
- auth = auth_info_create();
-
/* prepare identities */
for (i = 0; i < ALLOCS; i++)
{
char buf[256];
- snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (int)thread, i);
+ snprintf(buf, sizeof(buf), "%d-%d@strongswan.org", (uintptr_t)thread, i);
id[i] = identification_create_from_string(buf);
- if (!id[i])
- {
- return (void*)FALSE;
- }
}
/* allocate addresses */
for (i = 0; i < ALLOCS; i++)
{
addr[i] = charon->attributes->acquire_address(charon->attributes,
- "test", id[i], auth, NULL);
+ "test", id[i], NULL);
if (!addr[i])
{
return (void*)FALSE;
@@ -69,7 +61,6 @@ static void* testing(void *thread)
addr[i]->destroy(addr[i]);
id[i]->destroy(id[i]);
}
- auth->destroy(auth);
return (void*)TRUE;
}
@@ -79,7 +70,7 @@ static void* testing(void *thread)
******************************************************************************/
bool test_pool()
{
- int i;
+ uintptr_t i;
void *res;
pthread_t thread[THREADS];
diff --git a/src/charon/plugins/unit_tester/tests/test_rng.c b/src/charon/plugins/unit_tester/tests/test_rng.c
deleted file mode 100644
index 60cbf2d36..000000000
--- a/src/charon/plugins/unit_tester/tests/test_rng.c
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <daemon.h>
-#include <library.h>
-#include <utils/mutex.h>
-
-#include <unistd.h>
-#include <sched.h>
-#include <pthread.h>
-
-static bool test_monobit(chunk_t data)
-{
- int i, j, bits = 0;
-
- for (i = 0; i < data.len; i++)
- {
- for (j = 0; j < 8; j++)
- {
- if (data.ptr[i] & (1<<j))
- {
- bits++;
- }
- }
- }
- DBG1(DBG_CFG, " Monobit: %d/%d bits set", bits, data.len * 8);
- if (bits > 9654 && bits < 10346)
- {
- return TRUE;
- }
- return FALSE;
-}
-
-static bool test_poker(chunk_t data)
-{
- int i, counter[16];
- double sum = 0.0;
-
- memset(counter, 0, sizeof(counter));
-
- for (i = 0; i < data.len; i++)
- {
- counter[data.ptr[i] & 0x0F]++;
- counter[(data.ptr[i] & 0xF0) >> 4]++;
- }
-
- for (i = 0; i < countof(counter); i++)
- {
- sum += (counter[i] * counter[i]) / 5000.0 * 16.0;
- }
- sum -= 5000.0;
- DBG1(DBG_CFG, " Poker: %f", sum);
- if (sum > 1.03 && sum < 57.4)
- {
- return TRUE;
- }
- return FALSE;
-}
-
-static bool test_runs(chunk_t data)
-{
- int i, j, zero_runs[7], one_runs[7], zero = 0, one = 0, longrun = 0;
- bool ok = TRUE;
-
- memset(one_runs, 0, sizeof(zero_runs));
- memset(zero_runs, 0, sizeof(one_runs));
-
- for (i = 0; i < data.len; i++)
- {
- for (j = 0; j < 8; j++)
- {
- if (data.ptr[i] & (1<<j))
- {
- if (one)
- {
- if (++one >= 34)
- {
- longrun++;
- break;
- }
- }
- else
- {
- zero_runs[min(6, zero)]++;
- zero = 0;
- one = 1;
- }
- }
- else
- {
- if (zero)
- {
- if (++zero >= 34)
- {
- longrun++;
- break;
- }
- }
- else
- {
- one_runs[min(6, one)]++;
- one = 0;
- zero = 1;
- }
- }
- }
- }
-
- DBG1(DBG_CFG, " Runs: zero: %d/%d/%d/%d/%d/%d, one: %d/%d/%d/%d/%d/%d, "
- "longruns: %d",
- zero_runs[1], zero_runs[2], zero_runs[3],
- zero_runs[4], zero_runs[5], zero_runs[6],
- one_runs[1], one_runs[2], one_runs[3],
- one_runs[4], one_runs[5], one_runs[6],
- longrun);
-
- if (longrun)
- {
- return FALSE;
- }
-
- for (i = 1; i < countof(zero_runs); i++)
- {
- switch (i)
- {
- case 1:
- ok &= zero_runs[i] > 2267 && zero_runs[i] < 2733;
- ok &= one_runs[i] > 2267 && one_runs[i] < 2733;
- break;
- case 2:
- ok &= zero_runs[i] > 1079 && zero_runs[i] < 1421;
- ok &= one_runs[i] > 1079 && one_runs[i] < 1421;
- break;
- case 3:
- ok &= zero_runs[i] > 502 && zero_runs[i] < 748;
- ok &= one_runs[i] > 502 && one_runs[i] < 748;
- break;
- case 4:
- ok &= zero_runs[i] > 223 && zero_runs[i] < 402;
- ok &= one_runs[i] > 223 && one_runs[i] < 402;
- break;
- case 5:
- ok &= zero_runs[i] > 90 && zero_runs[i] < 223;
- ok &= one_runs[i] > 90 && one_runs[i] < 223;
- break;
- case 6:
- ok &= zero_runs[i] > 90 && zero_runs[i] < 223;
- ok &= one_runs[i] > 90 && one_runs[i] < 223;
- break;
- }
- if (!ok)
- {
- return FALSE;
- }
- }
- return TRUE;
-}
-
-static bool test_rng_quality(rng_quality_t quality)
-{
- rng_t *rng;
- chunk_t chunk;
-
- rng = lib->crypto->create_rng(lib->crypto, quality);
- if (!rng)
- {
- return FALSE;
- }
- DBG1(DBG_CFG, "%N", rng_quality_names, quality);
- rng->allocate_bytes(rng, 2500, &chunk);
-
- if (!test_monobit(chunk))
- {
- return FALSE;
- }
- if (!test_poker(chunk))
- {
- return FALSE;
- }
- if (!test_runs(chunk))
- {
- return FALSE;
- }
-
- free(chunk.ptr);
- rng->destroy(rng);
- return TRUE;
-}
-
-/**
- * run a test using given values
- */
-bool test_rng()
-{
- if (!test_rng_quality(RNG_WEAK))
- {
- return FALSE;
- }
- if (!test_rng_quality(RNG_STRONG))
- {
- return FALSE;
- }
- if (!test_rng_quality(RNG_REAL))
- {
- return FALSE;
- }
- return TRUE;
-}
-
diff --git a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
index f13bb5bbf..1b7af63ee 100644
--- a/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
+++ b/src/charon/plugins/unit_tester/tests/test_rsa_gen.c
@@ -22,7 +22,7 @@
bool test_rsa_gen()
{
char buf[] = {0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08};
- chunk_t data = chunk_from_buf(buf), sig;
+ chunk_t data = chunk_from_buf(buf), sig, crypt, plain;
private_key_t *private;
public_key_t *public;
u_int key_size;
@@ -59,6 +59,24 @@ bool test_rsa_gen()
return FALSE;
}
free(sig.ptr);
+ if (!public->encrypt(public, data, &crypt))
+ {
+ DBG1(DBG_CFG, "encrypting data with RSA failed");
+ return FALSE;
+ }
+ if (!private->decrypt(private, crypt, &plain))
+ {
+ DBG1(DBG_CFG, "decrypting data with RSA failed");
+ return FALSE;
+ }
+ if (!chunk_equals(data, plain))
+ {
+ DBG1(DBG_CFG, "decrpyted data invalid, expected %B, got %B", &
+ data, &plain);
+ return FALSE;
+ }
+ chunk_clear(&crypt);
+ chunk_clear(&plain);
public->destroy(public);
private->destroy(private);
}
diff --git a/src/charon/plugins/unit_tester/unit_tester.c b/src/charon/plugins/unit_tester/unit_tester.c
index 28c6b4c11..c9651e601 100644
--- a/src/charon/plugins/unit_tester/unit_tester.c
+++ b/src/charon/plugins/unit_tester/unit_tester.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: unit_tester.c 3491 2008-02-22 14:04:00Z martin $
*/
#include "unit_tester.h"
diff --git a/src/charon/plugins/unit_tester/unit_tester.h b/src/charon/plugins/unit_tester/unit_tester.h
index 760b0389b..33b13313d 100644
--- a/src/charon/plugins/unit_tester/unit_tester.h
+++ b/src/charon/plugins/unit_tester/unit_tester.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: unit_tester.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
index 15bc7b95c..d0aac79f9 100644
--- a/src/charon/plugins/updown/Makefile.in
+++ b/src/charon/plugins/updown/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -89,6 +89,7 @@ CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
@@ -111,6 +112,9 @@ LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
LIBOBJS = @LIBOBJS@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
@@ -122,6 +126,7 @@ MAKEINFO = @MAKEINFO@
MKDIR_P = @MKDIR_P@
NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
@@ -135,6 +140,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
@@ -195,6 +202,7 @@ oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
piddir = @piddir@
plugindir = @plugindir@
+pluto_plugins = @pluto_plugins@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
@@ -206,6 +214,7 @@ srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
@@ -226,8 +235,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -322,7 +331,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/src/charon/plugins/updown/updown_listener.c b/src/charon/plugins/updown/updown_listener.c
index 7dfb874cb..a6be35690 100644
--- a/src/charon/plugins/updown/updown_listener.c
+++ b/src/charon/plugins/updown/updown_listener.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#define _GNU_SOURCE
@@ -188,14 +186,14 @@ static void updown(private_updown_listener_t *this, ike_sa_t *ike_sa,
"PLUTO_INTERFACE='%s' "
"PLUTO_REQID='%u' "
"PLUTO_ME='%H' "
- "PLUTO_MY_ID='%D' "
+ "PLUTO_MY_ID='%Y' "
"PLUTO_MY_CLIENT='%s/%s' "
"PLUTO_MY_CLIENT_NET='%s' "
"PLUTO_MY_CLIENT_MASK='%s' "
"PLUTO_MY_PORT='%u' "
"PLUTO_MY_PROTOCOL='%u' "
"PLUTO_PEER='%H' "
- "PLUTO_PEER_ID='%D' "
+ "PLUTO_PEER_ID='%Y' "
"PLUTO_PEER_CLIENT='%s/%s' "
"PLUTO_PEER_CLIENT_NET='%s' "
"PLUTO_PEER_CLIENT_MASK='%s' "
diff --git a/src/charon/plugins/updown/updown_listener.h b/src/charon/plugins/updown/updown_listener.h
index 0d09a4cea..cc59f61c6 100644
--- a/src/charon/plugins/updown/updown_listener.h
+++ b/src/charon/plugins/updown/updown_listener.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/plugins/updown/updown_plugin.c b/src/charon/plugins/updown/updown_plugin.c
index 2e5884222..4f0483fac 100644
--- a/src/charon/plugins/updown/updown_plugin.c
+++ b/src/charon/plugins/updown/updown_plugin.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "updown_plugin.h"
diff --git a/src/charon/plugins/updown/updown_plugin.h b/src/charon/plugins/updown/updown_plugin.h
index 99779d04e..2873b499d 100644
--- a/src/charon/plugins/updown/updown_plugin.h
+++ b/src/charon/plugins/updown/updown_plugin.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/processing/jobs/acquire_job.c b/src/charon/processing/jobs/acquire_job.c
index 50cebd88a..90b221b84 100644
--- a/src/charon/processing/jobs/acquire_job.c
+++ b/src/charon/processing/jobs/acquire_job.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: acquire_job.c 4535 2008-10-31 01:43:23Z andreas $
*/
#include "acquire_job.h"
@@ -35,12 +33,12 @@ struct private_acquire_job_t {
* reqid of the child to rekey
*/
u_int32_t reqid;
-
+
/**
* acquired source traffic selector
*/
traffic_selector_t *src_ts;
-
+
/**
* acquired destination traffic selector
*/
@@ -62,24 +60,8 @@ static void destroy(private_acquire_job_t *this)
*/
static void execute(private_acquire_job_t *this)
{
- ike_sa_t *ike_sa = NULL;
-
- if (this->reqid)
- {
- ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager,
- this->reqid, TRUE);
- }
- if (ike_sa == NULL)
- {
- DBG1(DBG_JOB, "acquire job found no CHILD_SA with reqid {%d}",
- this->reqid);
- }
- else
- {
- ike_sa->acquire(ike_sa, this->reqid);
-
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
+ charon->traps->acquire(charon->traps, this->reqid,
+ this->src_ts, this->dst_ts);
destroy(this);
}
@@ -92,14 +74,13 @@ acquire_job_t *acquire_job_create(u_int32_t reqid,
{
private_acquire_job_t *this = malloc_thing(private_acquire_job_t);
- /* interface functions */
this->public.job_interface.execute = (void (*) (job_t *)) execute;
this->public.job_interface.destroy = (void (*)(job_t*)) destroy;
- /* private variables */
this->reqid = reqid;
this->src_ts = src_ts;
this->dst_ts = dst_ts;
return &this->public;
}
+
diff --git a/src/charon/processing/jobs/acquire_job.h b/src/charon/processing/jobs/acquire_job.h
index feea5c72a..a78e5274d 100644
--- a/src/charon/processing/jobs/acquire_job.h
+++ b/src/charon/processing/jobs/acquire_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: acquire_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -44,9 +42,7 @@ struct acquire_job_t {
/**
* Creates a job of type ACQUIRE.
*
- * We use the reqid to find the routed CHILD_SA.
- *
- * @param reqid reqid of the CHILD_SA to acquire
+ * @param reqid reqid of the trapped CHILD_SA to acquire
* @param src_ts source traffic selector
* @param dst_ts destination traffic selector
* @return acquire_job_t object
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
index f0cebd473..82b4643eb 100644
--- a/src/charon/processing/jobs/callback_job.c
+++ b/src/charon/processing/jobs/callback_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: callback_job.c 4579 2008-11-05 11:29:56Z martin $
*/
#include "callback_job.h"
diff --git a/src/charon/processing/jobs/callback_job.h b/src/charon/processing/jobs/callback_job.h
index 012bb271c..2bb209cb7 100644
--- a/src/charon/processing/jobs/callback_job.h
+++ b/src/charon/processing/jobs/callback_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: callback_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/delete_child_sa_job.c b/src/charon/processing/jobs/delete_child_sa_job.c
index 26f538d67..206f07617 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.c
+++ b/src/charon/processing/jobs/delete_child_sa_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: delete_child_sa_job.c 3589 2008-03-13 14:14:44Z martin $
*/
#include "delete_child_sa_job.h"
diff --git a/src/charon/processing/jobs/delete_child_sa_job.h b/src/charon/processing/jobs/delete_child_sa_job.h
index a17c86b22..9bf6ee423 100644
--- a/src/charon/processing/jobs/delete_child_sa_job.h
+++ b/src/charon/processing/jobs/delete_child_sa_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: delete_child_sa_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.c b/src/charon/processing/jobs/delete_ike_sa_job.c
index c37e4e389..6d4639fad 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.c
+++ b/src/charon/processing/jobs/delete_ike_sa_job.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: delete_ike_sa_job.c 4722 2008-11-28 15:44:25Z martin $
*/
#include "delete_ike_sa_job.h"
diff --git a/src/charon/processing/jobs/delete_ike_sa_job.h b/src/charon/processing/jobs/delete_ike_sa_job.h
index fcb712e43..8209977f9 100644
--- a/src/charon/processing/jobs/delete_ike_sa_job.h
+++ b/src/charon/processing/jobs/delete_ike_sa_job.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: delete_ike_sa_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/initiate_mediation_job.c b/src/charon/processing/jobs/initiate_mediation_job.c
index 4d4fd8dc6..157d84341 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.c
+++ b/src/charon/processing/jobs/initiate_mediation_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: initiate_mediation_job.c 4625 2008-11-11 13:12:05Z tobias $
*/
#include "initiate_mediation_job.h"
@@ -75,6 +73,8 @@ static void initiate(private_initiate_mediation_job_t *this)
{
ike_sa_t *mediated_sa, *mediation_sa;
peer_cfg_t *mediated_cfg, *mediation_cfg;
+ enumerator_t *enumerator;
+ auth_cfg_t *auth_cfg;
mediated_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
this->mediated_sa_id);
@@ -88,8 +88,20 @@ static void initiate(private_initiate_mediation_job_t *this)
mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
mediation_cfg->get_ref(mediation_cfg);
+ enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
+ TRUE);
+ if (!enumerator->enumerate(enumerator, &auth_cfg) ||
+ auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY) == NULL)
+ {
+ mediated_cfg->destroy(mediated_cfg);
+ mediation_cfg->destroy(mediation_cfg);
+ enumerator->destroy(enumerator);
+ destroy(this);
+ return;
+ }
+
if (charon->connect_manager->check_and_register(charon->connect_manager,
- mediation_cfg->get_my_id(mediation_cfg),
+ auth_cfg->get(auth_cfg, AUTH_RULE_IDENTITY),
mediated_cfg->get_peer_id(mediated_cfg),
this->mediated_sa_id))
{
diff --git a/src/charon/processing/jobs/initiate_mediation_job.h b/src/charon/processing/jobs/initiate_mediation_job.h
index 17f5e4d18..084e1b9fd 100644
--- a/src/charon/processing/jobs/initiate_mediation_job.h
+++ b/src/charon/processing/jobs/initiate_mediation_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: initiate_mediation_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/job.h b/src/charon/processing/jobs/job.h
index e0a2d1df7..acc88b124 100644
--- a/src/charon/processing/jobs/job.h
+++ b/src/charon/processing/jobs/job.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/mediation_job.c b/src/charon/processing/jobs/mediation_job.c
index c177d8db3..cf522faff 100644
--- a/src/charon/processing/jobs/mediation_job.c
+++ b/src/charon/processing/jobs/mediation_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: mediation_job.c 3666 2008-03-26 18:40:19Z tobias $
*/
#include "mediation_job.h"
@@ -101,7 +99,7 @@ static void execute(private_mediation_job_t *this)
/* send callback to a peer */
if (target_sa->callback(target_sa, this->source) != SUCCESS)
{
- DBG1(DBG_JOB, "callback for '%D' to '%D' failed",
+ DBG1(DBG_JOB, "callback for '%Y' to '%Y' failed",
this->source, this->target);
charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
destroy(this);
@@ -114,7 +112,7 @@ static void execute(private_mediation_job_t *this)
if (target_sa->relay(target_sa, this->source, this->connect_id,
this->connect_key, this->endpoints, this->response) != SUCCESS)
{
- DBG1(DBG_JOB, "mediation between '%D' and '%D' failed",
+ DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed",
this->source, this->target);
charon->ike_sa_manager->checkin(charon->ike_sa_manager, target_sa);
/* FIXME: notify the initiator */
@@ -127,13 +125,13 @@ static void execute(private_mediation_job_t *this)
}
else
{
- DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+ DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
"SA not found", this->source, this->target);
}
}
else
{
- DBG1(DBG_JOB, "mediation between '%D' and '%D' failed: "
+ DBG1(DBG_JOB, "mediation between '%Y' and '%Y' failed: "
"peer is not online anymore", this->source, this->target);
}
destroy(this);
diff --git a/src/charon/processing/jobs/mediation_job.h b/src/charon/processing/jobs/mediation_job.h
index 08e37915f..583ea8230 100644
--- a/src/charon/processing/jobs/mediation_job.h
+++ b/src/charon/processing/jobs/mediation_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: mediation_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/migrate_job.c b/src/charon/processing/jobs/migrate_job.c
index 47ff658f1..a57d0478b 100644
--- a/src/charon/processing/jobs/migrate_job.c
+++ b/src/charon/processing/jobs/migrate_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: migrate_job.c 4677 2008-11-19 15:31:27Z martin $
*/
#include "migrate_job.h"
diff --git a/src/charon/processing/jobs/migrate_job.h b/src/charon/processing/jobs/migrate_job.h
index 9f39b9730..672a09b0a 100644
--- a/src/charon/processing/jobs/migrate_job.h
+++ b/src/charon/processing/jobs/migrate_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: migrate_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/process_message_job.c b/src/charon/processing/jobs/process_message_job.c
index 33bcae6f0..1f0b3e287 100644
--- a/src/charon/processing/jobs/process_message_job.c
+++ b/src/charon/processing/jobs/process_message_job.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: process_message_job.c 3666 2008-03-26 18:40:19Z tobias $
*/
#include "process_message_job.h"
diff --git a/src/charon/processing/jobs/process_message_job.h b/src/charon/processing/jobs/process_message_job.h
index 0aae4c24e..b01d388f9 100644
--- a/src/charon/processing/jobs/process_message_job.h
+++ b/src/charon/processing/jobs/process_message_job.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: process_message_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.c b/src/charon/processing/jobs/rekey_child_sa_job.c
index 42bf79d26..17fcf641b 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.c
+++ b/src/charon/processing/jobs/rekey_child_sa_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: rekey_child_sa_job.c 3589 2008-03-13 14:14:44Z martin $
*/
#include "rekey_child_sa_job.h"
diff --git a/src/charon/processing/jobs/rekey_child_sa_job.h b/src/charon/processing/jobs/rekey_child_sa_job.h
index 14e4af5e1..2e2eef361 100644
--- a/src/charon/processing/jobs/rekey_child_sa_job.h
+++ b/src/charon/processing/jobs/rekey_child_sa_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: rekey_child_sa_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.c b/src/charon/processing/jobs/rekey_ike_sa_job.c
index 38aa41c27..1ceb1e144 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.c
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: rekey_ike_sa_job.c 3793 2008-04-11 08:14:48Z martin $
*/
#include "rekey_ike_sa_job.h"
diff --git a/src/charon/processing/jobs/rekey_ike_sa_job.h b/src/charon/processing/jobs/rekey_ike_sa_job.h
index c03711d73..0d830e134 100644
--- a/src/charon/processing/jobs/rekey_ike_sa_job.h
+++ b/src/charon/processing/jobs/rekey_ike_sa_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: rekey_ike_sa_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/retransmit_job.c b/src/charon/processing/jobs/retransmit_job.c
index 89858786e..122cad853 100644
--- a/src/charon/processing/jobs/retransmit_job.c
+++ b/src/charon/processing/jobs/retransmit_job.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: retransmit_job.c 3589 2008-03-13 14:14:44Z martin $
*/
#include "retransmit_job.h"
diff --git a/src/charon/processing/jobs/retransmit_job.h b/src/charon/processing/jobs/retransmit_job.h
index a20369a1b..4c9bea1c8 100644
--- a/src/charon/processing/jobs/retransmit_job.h
+++ b/src/charon/processing/jobs/retransmit_job.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: retransmit_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/roam_job.c b/src/charon/processing/jobs/roam_job.c
index 0b323ae8b..c01f83248 100644
--- a/src/charon/processing/jobs/roam_job.c
+++ b/src/charon/processing/jobs/roam_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: roam_job.c 3804 2008-04-14 11:37:46Z martin $
*/
#include <stdlib.h>
diff --git a/src/charon/processing/jobs/roam_job.h b/src/charon/processing/jobs/roam_job.h
index 6c0cbc2b7..7bb1227f5 100644
--- a/src/charon/processing/jobs/roam_job.h
+++ b/src/charon/processing/jobs/roam_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: roam_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/send_dpd_job.c b/src/charon/processing/jobs/send_dpd_job.c
index a7d0cf3f3..c6e81a56f 100644
--- a/src/charon/processing/jobs/send_dpd_job.c
+++ b/src/charon/processing/jobs/send_dpd_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: send_dpd_job.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stdlib.h>
diff --git a/src/charon/processing/jobs/send_dpd_job.h b/src/charon/processing/jobs/send_dpd_job.h
index 2b6b5fee3..91556a9d1 100644
--- a/src/charon/processing/jobs/send_dpd_job.h
+++ b/src/charon/processing/jobs/send_dpd_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: send_dpd_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/send_keepalive_job.c b/src/charon/processing/jobs/send_keepalive_job.c
index 82f6a5f55..5d3cfb530 100644
--- a/src/charon/processing/jobs/send_keepalive_job.c
+++ b/src/charon/processing/jobs/send_keepalive_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: send_keepalive_job.c 3589 2008-03-13 14:14:44Z martin $
*/
#include <stdlib.h>
diff --git a/src/charon/processing/jobs/send_keepalive_job.h b/src/charon/processing/jobs/send_keepalive_job.h
index 7b3fe9f60..f92e6217a 100644
--- a/src/charon/processing/jobs/send_keepalive_job.h
+++ b/src/charon/processing/jobs/send_keepalive_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: send_keepalive_job.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/jobs/update_sa_job.c b/src/charon/processing/jobs/update_sa_job.c
index acf263d25..5e6c83942 100644
--- a/src/charon/processing/jobs/update_sa_job.c
+++ b/src/charon/processing/jobs/update_sa_job.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include <stdlib.h>
diff --git a/src/charon/processing/jobs/update_sa_job.h b/src/charon/processing/jobs/update_sa_job.h
index 79b89bbe3..93262d46f 100644
--- a/src/charon/processing/jobs/update_sa_job.h
+++ b/src/charon/processing/jobs/update_sa_job.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
index 68916937b..eb1db331b 100644
--- a/src/charon/processing/processor.c
+++ b/src/charon/processing/processor.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: processor.c 4802 2008-12-12 15:57:12Z martin $
*/
#include <stdlib.h>
diff --git a/src/charon/processing/processor.h b/src/charon/processing/processor.h
index 6ab643b1f..e56e69382 100644
--- a/src/charon/processing/processor.h
+++ b/src/charon/processing/processor.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: processor.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index 593a51f0b..b3633f263 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -13,13 +13,10 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: scheduler.c 4799 2008-12-12 09:16:31Z martin $
*/
#include <stdlib.h>
#include <pthread.h>
-#include <sys/time.h>
#include "scheduler.h"
@@ -41,7 +38,7 @@ struct event_t {
* Time to fire the event.
*/
timeval_t time;
-
+
/**
* Every event has its assigned job.
*/
@@ -63,16 +60,17 @@ typedef struct private_scheduler_t private_scheduler_t;
* Private data of a scheduler_t object.
*/
struct private_scheduler_t {
+
/**
* Public part of a scheduler_t object.
*/
scheduler_t public;
-
+
/**
* Job which queues scheduled jobs to the processor.
*/
callback_job_t *job;
-
+
/**
* The heap in which the events are stored.
*/
@@ -87,12 +85,12 @@ struct private_scheduler_t {
* The number of scheduled events.
*/
u_int event_count;
-
+
/**
* Exclusive access to list
*/
mutex_t *mutex;
-
+
/**
* Condvar to wait for next job.
*/
@@ -100,16 +98,27 @@ struct private_scheduler_t {
};
/**
- * Returns the difference of two timeval structs in milliseconds
+ * Comparse two timevals, return >0 if a > b, <0 if a < b and =0 if equal
*/
-static long time_difference(timeval_t *end, timeval_t *start)
+static int timeval_cmp(timeval_t *a, timeval_t *b)
{
- time_t s;
- suseconds_t us;
-
- s = end->tv_sec - start->tv_sec;
- us = end->tv_usec - start->tv_usec;
- return (s * 1000 + us/1000);
+ if (a->tv_sec > b->tv_sec)
+ {
+ return 1;
+ }
+ if (a->tv_sec < b->tv_sec)
+ {
+ return -1;
+ }
+ if (a->tv_usec > b->tv_usec)
+ {
+ return 1;
+ }
+ if (a->tv_usec < b->tv_usec)
+ {
+ return -1;
+ }
+ return 0;
}
/**
@@ -146,20 +155,21 @@ static event_t *remove_event(private_scheduler_t *this)
u_int child = position << 1;
if ((child + 1) <= this->event_count &&
- time_difference(&this->heap[child + 1]->time,
- &this->heap[child]->time) < 0)
+ timeval_cmp(&this->heap[child + 1]->time,
+ &this->heap[child]->time) < 0)
{
/* the "right" child is smaller */
child++;
}
- if (time_difference(&top->time, &this->heap[child]->time) <= 0)
+ if (timeval_cmp(&top->time, &this->heap[child]->time) <= 0)
{
- /* the top event fires before the smaller of the two children, stop */
+ /* the top event fires before the smaller of the two children,
+ * stop */
break;
}
- /* exchange with the smaller child */
+ /* swap with the smaller child */
this->heap[position] = this->heap[child];
position = child;
}
@@ -175,7 +185,6 @@ static job_requeue_t schedule(private_scheduler_t * this)
{
timeval_t now;
event_t *event;
- long difference;
int oldstate;
bool timed = FALSE;
@@ -185,8 +194,7 @@ static job_requeue_t schedule(private_scheduler_t * this)
if ((event = peek_event(this)) != NULL)
{
- difference = time_difference(&now, &event->time);
- if (difference >= 0)
+ if (timeval_cmp(&now, &event->time) >= 0)
{
remove_event(this);
this->mutex->unlock(this->mutex);
@@ -195,7 +203,16 @@ static job_requeue_t schedule(private_scheduler_t * this)
free(event);
return JOB_REQUEUE_DIRECT;
}
- DBG2(DBG_JOB, "next event in %ldms, waiting", -difference);
+ timersub(&event->time, &now, &now);
+ if (now.tv_sec)
+ {
+ DBG2(DBG_JOB, "next event in %ds %dms, waiting",
+ now.tv_sec, now.tv_usec/1000);
+ }
+ else
+ {
+ DBG2(DBG_JOB, "next event in %dms, waiting", now.tv_usec/1000);
+ }
timed = TRUE;
}
pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
@@ -228,25 +245,16 @@ static u_int get_job_load(private_scheduler_t *this)
}
/**
- * Implements scheduler_t.schedule_job.
+ * Implements scheduler_t.schedule_job_tv.
*/
-static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
+static void schedule_job_tv(private_scheduler_t *this, job_t *job, timeval_t tv)
{
- timeval_t now;
event_t *event;
u_int position;
- time_t s;
- suseconds_t us;
event = malloc_thing(event_t);
event->job = job;
-
- /* calculate absolute time */
- s = time / 1000;
- us = (time - s * 1000) * 1000;
- gettimeofday(&now, NULL);
- event->time.tv_usec = (now.tv_usec + us) % 1000000;
- event->time.tv_sec = now.tv_sec + (now.tv_usec + us)/1000000 + s;
+ event->time = tv;
this->mutex->lock(this->mutex);
@@ -255,14 +263,15 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
{
/* double the size of the heap */
this->heap_size <<= 1;
- this->heap = (event_t**)realloc(this->heap, (this->heap_size + 1) * sizeof(event_t*));
+ this->heap = (event_t**)realloc(this->heap,
+ (this->heap_size + 1) * sizeof(event_t*));
}
/* "put" the event to the bottom */
position = this->event_count;
/* then bubble it up */
- while (position > 1 && time_difference(&this->heap[position >> 1]->time,
- &event->time) > 0)
+ while (position > 1 && timeval_cmp(&this->heap[position >> 1]->time,
+ &event->time) > 0)
{
/* parent has to be fired after the new event, move up */
this->heap[position] = this->heap[position >> 1];
@@ -275,6 +284,35 @@ static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t time)
}
/**
+ * Implements scheduler_t.schedule_job.
+ */
+static void schedule_job(private_scheduler_t *this, job_t *job, u_int32_t s)
+{
+ timeval_t tv;
+
+ gettimeofday(&tv, NULL);
+ tv.tv_sec += s;
+
+ schedule_job_tv(this, job, tv);
+}
+
+/**
+ * Implements scheduler_t.schedule_job_ms.
+ */
+static void schedule_job_ms(private_scheduler_t *this, job_t *job, u_int32_t ms)
+{
+ timeval_t tv, add;
+
+ gettimeofday(&tv, NULL);
+ add.tv_sec = ms / 1000;
+ add.tv_usec = (ms % 1000) * 1000;
+
+ timeradd(&tv, &add, &tv);
+
+ schedule_job_tv(this, job, tv);
+}
+
+/**
* Implementation of scheduler_t.destroy.
*/
static void destroy(private_scheduler_t *this)
@@ -299,7 +337,9 @@ scheduler_t * scheduler_create()
private_scheduler_t *this = malloc_thing(private_scheduler_t);
this->public.get_job_load = (u_int (*) (scheduler_t *this)) get_job_load;
- this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job;
+ this->public.schedule_job = (void (*) (scheduler_t *this, job_t *job, u_int32_t s)) schedule_job;
+ this->public.schedule_job_ms = (void (*) (scheduler_t *this, job_t *job, u_int32_t ms)) schedule_job_ms;
+ this->public.schedule_job_tv = (void (*) (scheduler_t *this, job_t *job, timeval_t tv)) schedule_job_tv;
this->public.destroy = (void(*)(scheduler_t*)) destroy;
/* Note: the root of the heap is at index 1 */
diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h
index c3e177727..502f70b33 100644
--- a/src/charon/processing/scheduler.h
+++ b/src/charon/processing/scheduler.h
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2009 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -12,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: scheduler.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -26,25 +25,86 @@
typedef struct scheduler_t scheduler_t;
+#include <sys/time.h>
+
#include <library.h>
#include <processing/jobs/job.h>
/**
- * The scheduler queues and executes timed events.
+ * The scheduler queues timed events which are then passed to the processor.
+ *
+ * The scheduler is implemented as a heap. A heap is a special kind of tree-
+ * based data structure that satisfies the following property: if B is a child
+ * node of A, then key(A) >= (or <=) key(B). So either the element with the
+ * greatest (max-heap) or the smallest (min-heap) key is the root of the heap.
+ * We use a min-heap whith the key being the absolute unix time at which an
+ * event is scheduled. So the root is always the event that will fire next.
+ *
+ * An earlier implementation of the scheduler used a sorted linked list to store
+ * the events. That had the advantage that removing the next event was extremely
+ * fast, also, adding an event scheduled before or after all other events was
+ * equally fast (all in O(1)). The problem was, though, that adding an event
+ * in-between got slower, as the number of events grew larger (O(n)).
+ * For each connection there could be several events: IKE-rekey, NAT-keepalive,
+ * retransmissions, expire (half-open), and others. So a gateway that probably
+ * has to handle thousands of concurrent connnections has to be able to queue a
+ * large number of events as fast as possible. Locking makes this even worse, to
+ * provide thread-safety, no events can be processed, while an event is queued,
+ * so making the insertion fast is even more important.
+ *
+ * That's the advantage of the heap. Adding an element to the heap can be
+ * achieved in O(log n) - on the other hand, removing the root node also
+ * requires O(log n) operations. Consider 10000 queued events. Inserting a new
+ * event in the list implementation required up to 10000 comparisons. In the
+ * heap implementation, the worst case is about 13.3 comparisons. That's a
+ * drastic improvement.
*
- * The scheduler stores timed events and passes them to the processor.
+ * The implementation itself uses a binary tree mapped to a one-based array to
+ * store the elements. This reduces storage overhead and simplifies navigation:
+ * the children of the node at position n are at position 2n and 2n+1 (likewise
+ * the parent node of the node at position n is at position [n/2]). Thus,
+ * navigating up and down the tree is reduced to simple index computations.
+ *
+ * Adding an element to the heap works as follows: The heap is always filled
+ * from left to right, until a row is full, then the next row is filled. Mapped
+ * to an array this gets as simple as putting the new element to the first free
+ * position. In a one-based array that position equals the number of elements
+ * currently stored in the heap. Then the heap property has to be restored, i.e.
+ * the new element has to be "bubbled up" the tree until the parent node's key
+ * is smaller or the element got the new root of the tree.
+ *
+ * Removing the next event from the heap works similarly. The event itself is
+ * the root node and stored at position 1 of the array. After removing it, the
+ * root has to be replaced and the heap property has to be restored. This is
+ * done by moving the bottom element (last row, rightmost element) to the root
+ * and then "seep it down" by swapping it with child nodes until none of the
+ * children has a smaller key or it is again a leaf node.
*/
-struct scheduler_t {
-
+struct scheduler_t {
+
/**
- * Adds a event to the queue, using a relative time offset.
+ * Adds a event to the queue, using a relative time offset in s.
*
- * Schedules a job for execution using a relative time offset.
+ * @param job job to schedule
+ * @param time relative time to schedule job, in s
+ */
+ void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t s);
+
+ /**
+ * Adds a event to the queue, using a relative time offset in ms.
+ *
+ * @param job job to schedule
+ * @param time relative time to schedule job, in ms
+ */
+ void (*schedule_job_ms) (scheduler_t *this, job_t *job, u_int32_t ms);
+
+ /**
+ * Adds a event to the queue, using an absolut time.
*
- * @param job job to schedule
- * @param time relative to to schedule job (in ms)
+ * @param job job to schedule
+ * @param time absolut time to schedule job
*/
- void (*schedule_job) (scheduler_t *this, job_t *job, u_int32_t time);
+ void (*schedule_job_tv) (scheduler_t *this, job_t *job, timeval_t tv);
/**
* Returns number of jobs scheduled.
@@ -61,7 +121,7 @@ struct scheduler_t {
/**
* Create a scheduler.
- *
+ *
* @return scheduler_t object
*/
scheduler_t *scheduler_create(void);
diff --git a/src/charon/sa/authenticators/authenticator.c b/src/charon/sa/authenticators/authenticator.c
index 827c7a69a..ea8a16279 100644
--- a/src/charon/sa/authenticators/authenticator.c
+++ b/src/charon/sa/authenticators/authenticator.c
@@ -1,6 +1,6 @@
/*
+ * Copyright (C) 2006-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: authenticator.c 4276 2008-08-22 10:44:51Z martin $
*/
#include <string.h>
@@ -23,6 +21,7 @@
#include <sa/authenticators/pubkey_authenticator.h>
#include <sa/authenticators/psk_authenticator.h>
#include <sa/authenticators/eap_authenticator.h>
+#include <encoding/payloads/auth_payload.h>
ENUM_BEGIN(auth_method_names, AUTH_RSA, AUTH_DSS,
@@ -35,7 +34,8 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS,
"ECDSA-521 signature");
ENUM_END(auth_method_names, AUTH_ECDSA_521);
-ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP,
+ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP,
+ "any",
"public key",
"pre-shared key",
"EAP",
@@ -44,17 +44,23 @@ ENUM(auth_class_names, AUTH_CLASS_PUBKEY, AUTH_CLASS_EAP,
/**
* Described in header.
*/
-authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
- auth_class_t class)
+authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
{
- switch (class)
+ switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS))
{
+ case AUTH_CLASS_ANY:
+ /* defaults to PUBKEY */
case AUTH_CLASS_PUBKEY:
- return (authenticator_t*)pubkey_authenticator_create(ike_sa);
+ return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa,
+ received_nonce, sent_init);
case AUTH_CLASS_PSK:
- return (authenticator_t*)psk_authenticator_create(ike_sa);
+ return (authenticator_t*)psk_authenticator_create_builder(ike_sa,
+ received_nonce, sent_init);
case AUTH_CLASS_EAP:
- return (authenticator_t*)eap_authenticator_create(ike_sa);
+ return (authenticator_t*)eap_authenticator_create_builder(ike_sa,
+ received_nonce, sent_nonce, received_init, sent_init);
default:
return NULL;
}
@@ -63,19 +69,32 @@ authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
/**
* Described in header.
*/
-authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
- auth_method_t method)
+authenticator_t *authenticator_create_verifier(
+ ike_sa_t *ike_sa, message_t *message,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
{
- switch (method)
+ auth_payload_t *auth_payload;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ if (auth_payload == NULL)
+ {
+ return (authenticator_t*)eap_authenticator_create_verifier(ike_sa,
+ received_nonce, sent_nonce, received_init, sent_init);
+ }
+ switch (auth_payload->get_auth_method(auth_payload))
{
case AUTH_RSA:
case AUTH_ECDSA_256:
case AUTH_ECDSA_384:
case AUTH_ECDSA_521:
- return (authenticator_t*)pubkey_authenticator_create(ike_sa);
+ return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa,
+ sent_nonce, received_init);
case AUTH_PSK:
- return (authenticator_t*)psk_authenticator_create(ike_sa);
+ return (authenticator_t*)psk_authenticator_create_verifier(ike_sa,
+ sent_nonce, received_init);
default:
return NULL;
}
}
+
diff --git a/src/charon/sa/authenticators/authenticator.h b/src/charon/sa/authenticators/authenticator.h
index 345cc7deb..c60881629 100644
--- a/src/charon/sa/authenticators/authenticator.h
+++ b/src/charon/sa/authenticators/authenticator.h
@@ -1,6 +1,6 @@
/*
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -30,9 +28,8 @@ typedef enum auth_class_t auth_class_t;
typedef struct authenticator_t authenticator_t;
#include <library.h>
+#include <config/auth_cfg.h>
#include <sa/ike_sa.h>
-#include <config/peer_cfg.h>
-#include <encoding/payloads/auth_payload.h>
/**
* Method to use for authentication, as defined in IKEv2.
@@ -84,6 +81,8 @@ extern enum_name_t *auth_method_names;
* certificate finally dictates wich method is used.
*/
enum auth_class_t {
+ /** any class acceptable */
+ AUTH_CLASS_ANY = 0,
/** authentication using public keys (RSA, ECDSA) */
AUTH_CLASS_PUBKEY = 1,
/** authentication using a pre-shared secrets */
@@ -100,66 +99,70 @@ extern enum_name_t *auth_class_names;
/**
* Authenticator interface implemented by the various authenticators.
*
- * Currently the following two AUTH methods are supported:
- * - shared key message integrity code
- * - RSA digital signature
- * - EAP using the EAP framework and one of the EAP plugins
- * - ECDSA is supported using OpenSSL
+ * An authenticator implementation handles AUTH and EAP payloads. Received
+ * messages are passed to the process() method, to send authentication data
+ * the message is passed to the build() method.
*/
struct authenticator_t {
/**
- * Verify a received authentication payload.
+ * Process an incoming message using the authenticator.
*
- * @param ike_sa_init binary representation of received ike_sa_init
- * @param my_nonce the sent nonce
- * @param auth_payload authentication payload to verify
+ * @param message message containing authentication payloads
* @return
- * - SUCCESS,
- * - FAILED if verification failed
- * - INVALID_ARG if auth_method does not match
- * - NOT_FOUND if credentials not found
+ * - SUCCESS if authentication successful
+ * - FAILED if authentication failed
+ * - NEED_MORE if another exchange required
*/
- status_t (*verify) (authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload);
-
+ status_t (*process)(authenticator_t *this, message_t *message);
+
/**
- * Build an authentication payload to send to the other peer.
+ * Attach authentication data to an outgoing message.
*
- * @param ike_sa_init binary representation of sent ike_sa_init
- * @param other_nonce the received nonce
- * @param auth_payload the resulting authentication payload
+ * @param message message to add authentication data to
* @return
- * - SUCCESS,
- * - NOT_FOUND if credentials not found
+ * - SUCCESS if authentication successful
+ * - FAILED if authentication failed
+ * - NEED_MORE if another exchange required
*/
- status_t (*build) (authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload);
-
+ status_t (*build)(authenticator_t *this, message_t *message);
+
/**
- * Destroys a authenticator_t object.
+ * Destroy authenticator instance.
*/
void (*destroy) (authenticator_t *this);
};
/**
- * Creates an authenticator for the specified auth class (as configured).
+ * Create an authenticator to build signatures.
*
- * @param ike_sa associated ike_sa
- * @param class class of authentication to use
- * @return authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param cfg authentication configuration
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return authenticator, NULL if not supported
*/
-authenticator_t *authenticator_create_from_class(ike_sa_t *ike_sa,
- auth_class_t class);
+authenticator_t *authenticator_create_builder(
+ ike_sa_t *ike_sa, auth_cfg_t *cfg,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
/**
- * Creates an authenticator for method (as received in payload).
+ * Create an authenticator to verify signatures.
*
- * @param ike_sa associated ike_sa
- * @param method method as found in payload
- * @return authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param message message containing authentication data
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return authenticator, NULL if not supported
*/
-authenticator_t *authenticator_create_from_method(ike_sa_t *ike_sa,
- auth_method_t method);
+authenticator_t *authenticator_create_verifier(
+ ike_sa_t *ike_sa, message_t *message,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
#endif /** AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index c1c2d6fce..b8316036e 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_manager.c 4579 2008-11-05 11:29:56Z martin $
*/
#include "eap_manager.h"
@@ -65,9 +63,9 @@ struct private_eap_manager_t {
linked_list_t *methods;
/**
- * mutex to lock methods
+ * rwlock to lock methods
*/
- mutex_t *mutex;
+ rwlock_t *lock;
};
/**
@@ -84,9 +82,9 @@ static void add_method(private_eap_manager_t *this, eap_type_t type,
entry->role = role;
entry->constructor = constructor;
- this->mutex->lock(this->mutex);
+ this->lock->write_lock(this->lock);
this->methods->insert_last(this->methods, entry);
- this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
}
/**
@@ -97,7 +95,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
enumerator_t *enumerator;
eap_entry_t *entry;
- this->mutex->lock(this->mutex);
+ this->lock->write_lock(this->lock);
enumerator = this->methods->create_enumerator(this->methods);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -108,7 +106,7 @@ static void remove_method(private_eap_manager_t *this, eap_constructor_t constru
}
}
enumerator->destroy(enumerator);
- this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
}
/**
@@ -123,7 +121,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
eap_entry_t *entry;
eap_method_t *method = NULL;
- this->mutex->lock(this->mutex);
+ this->lock->read_lock(this->lock);
enumerator = this->methods->create_enumerator(this->methods);
while (enumerator->enumerate(enumerator, &entry))
{
@@ -138,7 +136,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
}
}
enumerator->destroy(enumerator);
- this->mutex->unlock(this->mutex);
+ this->lock->unlock(this->lock);
return method;
}
@@ -148,7 +146,7 @@ static eap_method_t* create_instance(private_eap_manager_t *this,
static void destroy(private_eap_manager_t *this)
{
this->methods->destroy_function(this->methods, free);
- this->mutex->destroy(this->mutex);
+ this->lock->destroy(this->lock);
free(this);
}
@@ -165,7 +163,7 @@ eap_manager_t *eap_manager_create()
this->public.destroy = (void(*)(eap_manager_t*))destroy;
this->methods = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
return &this->public;
}
diff --git a/src/charon/sa/authenticators/eap/eap_manager.h b/src/charon/sa/authenticators/eap/eap_manager.h
index db5535a81..667c54a8e 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.h
+++ b/src/charon/sa/authenticators/eap/eap_manager.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/authenticators/eap/eap_method.c b/src/charon/sa/authenticators/eap/eap_method.c
index 2e4307eb4..1d1900301 100644
--- a/src/charon/sa/authenticators/eap/eap_method.c
+++ b/src/charon/sa/authenticators/eap/eap_method.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_method.c 4997 2009-03-24 10:24:58Z martin $
*/
#include "eap_method.h"
@@ -36,6 +34,36 @@ ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2,
"EAP_EXPERIMENTAL");
ENUM_END(eap_type_names, EAP_EXPERIMENTAL);
+/*
+ * See header
+ */
+eap_type_t eap_type_from_string(char *name)
+{
+ int i;
+ static struct {
+ char *name;
+ eap_type_t type;
+ } types[] = {
+ {"identity", EAP_IDENTITY},
+ {"md5", EAP_MD5},
+ {"otp", EAP_OTP},
+ {"gtc", EAP_GTC},
+ {"sim", EAP_SIM},
+ {"aka", EAP_AKA},
+ {"mschapv2", EAP_MSCHAPV2},
+ {"radius", EAP_RADIUS},
+ };
+
+ for (i = 0; i < countof(types); i++)
+ {
+ if (strcaseeq(name, types[i].name))
+ {
+ return types[i].type;
+ }
+ }
+ return 0;
+}
+
ENUM(eap_code_names, EAP_REQUEST, EAP_FAILURE,
"EAP_REQUEST",
"EAP_RESPONSE",
@@ -48,3 +76,6 @@ ENUM(eap_role_names, EAP_SERVER, EAP_PEER,
"EAP_PEER",
);
+
+
+
diff --git a/src/charon/sa/authenticators/eap/eap_method.h b/src/charon/sa/authenticators/eap/eap_method.h
index 6f3da1ba7..578b89e96 100644
--- a/src/charon/sa/authenticators/eap/eap_method.h
+++ b/src/charon/sa/authenticators/eap/eap_method.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_method.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -69,6 +67,14 @@ enum eap_type_t {
extern enum_name_t *eap_type_names;
/**
+ * Lookup the EAP method type from a string.
+ *
+ * @param name EAP method name (such as "md5", "aka")
+ * @return method type, 0 if unkown
+ */
+eap_type_t eap_type_from_string(char *name);
+
+/**
* EAP code, type of an EAP message
*/
enum eap_code_t {
@@ -83,7 +89,6 @@ enum eap_code_t {
*/
extern enum_name_t *eap_code_names;
-
/**
* Interface of an EAP method for server and client side.
*
diff --git a/src/charon/sa/authenticators/eap/sim_manager.c b/src/charon/sa/authenticators/eap/sim_manager.c
index e6817ca20..51cd4fb3f 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.c
+++ b/src/charon/sa/authenticators/eap/sim_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "sim_manager.h"
diff --git a/src/charon/sa/authenticators/eap/sim_manager.h b/src/charon/sa/authenticators/eap/sim_manager.h
index 69a2e4df9..3c6d66dfe 100644
--- a/src/charon/sa/authenticators/eap/sim_manager.h
+++ b/src/charon/sa/authenticators/eap/sim_manager.h
@@ -39,7 +39,7 @@ struct sim_card_t {
* The returned identity owned by the sim_card and not destroyed outside.
* The SIM card may return ID_ANY if it does not support/use an IMSI.
*
- * @return identity of type ID_EAP/ID_ANY
+ * @return identity
*/
identification_t* (*get_imsi)(sim_card_t *this);
@@ -63,7 +63,7 @@ struct sim_provider_t {
/**
* Get a single triplet to authenticate a EAP client.
*
- * @param imsi client identity of type ID_EAP
+ * @param imsi client identity
* @param rand RAND output buffer, fixed size 16 bytes
* @param sres SRES output buffer, fixed size 4 byte
* @param kc KC output buffer, fixed size 8 bytes
diff --git a/src/charon/sa/authenticators/eap_authenticator.c b/src/charon/sa/authenticators/eap_authenticator.c
index 7b97fe56c..2abdf7a02 100644
--- a/src/charon/sa/authenticators/eap_authenticator.c
+++ b/src/charon/sa/authenticators/eap_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,17 +11,14 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_authenticator.c 5037 2009-03-26 13:58:17Z andreas $
*/
-#include <string.h>
-
#include "eap_authenticator.h"
#include <daemon.h>
-#include <config/peer_cfg.h>
#include <sa/authenticators/eap/eap_method.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/eap_payload.h>
typedef struct private_eap_authenticator_t private_eap_authenticator_t;
@@ -41,9 +38,24 @@ struct private_eap_authenticator_t {
ike_sa_t *ike_sa;
/**
- * Role of this authenticator, PEER or SERVER
+ * others nonce to include in AUTH calculation
+ */
+ chunk_t received_nonce;
+
+ /**
+ * our nonce to include in AUTH calculation
+ */
+ chunk_t sent_nonce;
+
+ /**
+ * others IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t received_init;
+
+ /**
+ * our IKE_SA_INIT message data to include in AUTH calculation
*/
- eap_role_t role;
+ chunk_t sent_init;
/**
* Current EAP method processing
@@ -56,442 +68,514 @@ struct private_eap_authenticator_t {
chunk_t msk;
/**
- * should we do a EAP-Identity exchange as server?
+ * EAP authentication method completed successfully
*/
- bool do_eap_identity;
+ bool eap_complete;
/**
- * saved EAP type if we do eap_identity
+ * authentication payload verified successfully
*/
- eap_type_t type;
+ bool auth_complete;
/**
- * saved vendor id if we do eap_identity
+ * generated EAP payload
*/
- u_int32_t vendor;
+ eap_payload_t *eap_payload;
+
+ /**
+ * EAP identity of peer
+ */
+ identification_t *eap_identity;
};
+
/**
- * Implementation of authenticator_t.verify.
+ * load an EAP method
*/
-static status_t verify(private_eap_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload)
+static eap_method_t *load_method(private_eap_authenticator_t *this,
+ eap_type_t type, u_int32_t vendor, eap_role_t role)
{
- chunk_t auth_data, recv_auth_data;
- identification_t *other_id;
- keymat_t *keymat;
-
- other_id = this->ike_sa->get_other_id(this->ike_sa);
- keymat = this->ike_sa->get_keymat(this->ike_sa);
-
- auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
- this->msk, other_id);
+ identification_t *server, *peer;
- recv_auth_data = auth_payload->get_data(auth_payload);
- if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+ if (role == EAP_SERVER)
{
- DBG1(DBG_IKE, "verification of AUTH payload created from EAP MSK failed");
- chunk_free(&auth_data);
- return FAILED;
+ server = this->ike_sa->get_my_id(this->ike_sa);
+ peer = this->ike_sa->get_other_id(this->ike_sa);
}
- chunk_free(&auth_data);
-
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
- other_id, auth_class_names, AUTH_CLASS_EAP);
- return SUCCESS;
-}
-
-/**
- * Implementation of authenticator_t.build.
- */
-static status_t build(private_eap_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload)
-{
- identification_t *my_id;
- chunk_t auth_data;
- keymat_t *keymat;
-
- my_id = this->ike_sa->get_my_id(this->ike_sa);
- keymat = this->ike_sa->get_keymat(this->ike_sa);
-
- DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
- my_id, auth_class_names, AUTH_CLASS_EAP);
-
- auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
- this->msk, my_id);
-
- *auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
- (*auth_payload)->set_data(*auth_payload, auth_data);
- chunk_free(&auth_data);
-
- return SUCCESS;
+ else
+ {
+ server = this->ike_sa->get_other_id(this->ike_sa);
+ peer = this->ike_sa->get_my_id(this->ike_sa);
+ }
+ if (this->eap_identity)
+ {
+ peer = this->eap_identity;
+ }
+ return charon->eap->create_instance(charon->eap, type, vendor,
+ role, server, peer);
}
/**
- * get the peers identity to use in the EAP method
+ * Initiate EAP conversation as server
*/
-static identification_t *get_peer_id(private_eap_authenticator_t *this)
+static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this,
+ bool do_identity)
{
+ auth_cfg_t *auth;
+ eap_type_t type;
identification_t *id;
- peer_cfg_t *config;
- auth_info_t *auth;
+ u_int32_t vendor;
+ eap_payload_t *out;
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
- id = this->ike_sa->get_eap_identity(this->ike_sa);
- if (!id)
+ /* initiate EAP-Identity exchange if required */
+ if (!this->eap_identity && do_identity)
{
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- auth = config->get_auth(config);
- if (!auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id) ||
- id->get_type(id) == ID_ANY)
+ id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+ if (id)
{
- if (this->role == EAP_PEER)
+ this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER);
+ if (this->method)
{
- id = this->ike_sa->get_my_id(this->ike_sa);
- }
- else
- {
- id = this->ike_sa->get_other_id(this->ike_sa);
+ if (this->method->initiate(this->method, &out) == NEED_MORE)
+ {
+ DBG1(DBG_IKE, "initiating EAP-Identity request");
+ return out;
+ }
+ this->method->destroy(this->method);
}
+ DBG1(DBG_IKE, "EAP-Identity request configured, but not supported");
}
}
- if (id->get_type(id) == ID_EAP)
+ /* invoke real EAP method */
+ type = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_TYPE);
+ vendor = (uintptr_t)auth->get(auth, AUTH_RULE_EAP_VENDOR);
+ this->method = load_method(this, type, vendor, EAP_SERVER);
+ if (this->method &&
+ this->method->initiate(this->method, &out) == NEED_MORE)
{
- return id->clone(id);
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "initiating EAP vendor type %d-%d", type, vendor);
+
+ }
+ else
+ {
+ DBG1(DBG_IKE, "initiating %N", eap_type_names, type);
+ }
+ return out;
}
- return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
-}
-
-/**
- * get the servers identity to use in the EAP method
- */
-static identification_t *get_server_id(private_eap_authenticator_t *this)
-{
- identification_t *id;
-
- if (this->role == EAP_SERVER)
+ if (vendor)
{
- id = this->ike_sa->get_my_id(this->ike_sa);
+ DBG1(DBG_IKE, "initiating EAP vendor type %d-%d failed", type, vendor);
}
else
{
- id = this->ike_sa->get_other_id(this->ike_sa);
+ DBG1(DBG_IKE, "initiating %N failed", eap_type_names, type);
}
- if (id->get_type(id) == ID_EAP)
- {
- return id->clone(id);
- }
- return identification_create_from_encoding(ID_EAP, id->get_encoding(id));
-}
-
-/**
- * load an EAP method using the correct identities
- */
-static eap_method_t *load_method(private_eap_authenticator_t *this,
- eap_type_t type, u_int32_t vendor, eap_role_t role)
-{
- identification_t *server, *peer;
- eap_method_t *method;
-
- server = get_server_id(this);
- peer = get_peer_id(this);
- method = charon->eap->create_instance(charon->eap, type, vendor, role,
- server, peer);
- server->destroy(server);
- peer->destroy(peer);
- return method;
+ return eap_payload_create_code(EAP_FAILURE, 0);
}
/**
- * Implementation of eap_authenticator_t.initiate
+ * Handle EAP exchange as server
*/
-static status_t initiate(private_eap_authenticator_t *this, eap_type_t type,
- u_int32_t vendor, eap_payload_t **out)
+static eap_payload_t* server_process_eap(private_eap_authenticator_t *this,
+ eap_payload_t *in)
{
- /* if initiate() is called, role is always server */
- this->role = EAP_SERVER;
-
- if (this->do_eap_identity)
- { /* do an EAP-Identity request first */
- this->type = type;
- this->vendor = vendor;
- vendor = 0;
- type = EAP_IDENTITY;
- }
+ eap_type_t type, received_type;
+ u_int32_t vendor, received_vendor;
+ eap_payload_t *out;
+ auth_cfg_t *cfg;
- if (type == 0)
+ if (in->get_code(in) != EAP_RESPONSE)
{
- DBG1(DBG_IKE,
- "client requested EAP authentication, but configuration forbids it");
- *out = eap_payload_create_code(EAP_FAILURE, 0);
- return FAILED;
+ DBG1(DBG_IKE, "received %N, sending %N",
+ eap_code_names, in->get_code(in), eap_code_names, EAP_FAILURE);
+ return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
}
- if (vendor)
- {
- DBG1(DBG_IKE, "requesting vendor specific EAP method %d-%d",
- type, vendor);
- }
- else
- {
- DBG1(DBG_IKE, "requesting EAP method %N", eap_type_names, type);
- }
- this->method = load_method(this, type, vendor, this->role);
- if (this->method == NULL)
+ type = this->method->get_type(this->method, &vendor);
+ received_type = in->get_type(in, &received_vendor);
+ if (type != received_type || vendor != received_vendor)
{
- if (vendor == 0 && type == EAP_IDENTITY)
+ if (received_vendor == 0 && received_type == EAP_NAK)
{
- DBG1(DBG_IKE, "skipping %N, no implementation found",
- eap_type_names, type);
- this->do_eap_identity = FALSE;
- return initiate(this, this->type, this->vendor, out);
+ DBG1(DBG_IKE, "received %N, sending %N",
+ eap_type_names, EAP_NAK, eap_code_names, EAP_FAILURE);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received invalid EAP response, sending %N",
+ eap_code_names, EAP_FAILURE);
}
- DBG1(DBG_IKE, "configured EAP server method not supported, sending %N",
- eap_code_names, EAP_FAILURE);
- *out = eap_payload_create_code(EAP_FAILURE, 0);
- return FAILED;
+ return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
}
- if (this->method->initiate(this->method, out) != NEED_MORE)
+
+ switch (this->method->process(this->method, in, &out))
{
- DBG1(DBG_IKE, "failed to initiate EAP exchange, sending %N",
- eap_code_names, EAP_FAILURE);
- *out = eap_payload_create_code(EAP_FAILURE, 0);
- return FAILED;
+ case NEED_MORE:
+ return out;
+ case SUCCESS:
+ if (type == EAP_IDENTITY)
+ {
+ chunk_t data;
+ char buf[256];
+
+ if (this->method->get_msk(this->method, &data) == SUCCESS)
+ {
+ snprintf(buf, sizeof(buf), "%.*s", data.len, data.ptr);
+ this->eap_identity = identification_create_from_string(buf);
+ DBG1(DBG_IKE, "received EAP identity '%Y'",
+ this->eap_identity);
+ }
+ /* restart EAP exchange, but with real method */
+ this->method->destroy(this->method);
+ return server_initiate_eap(this, FALSE);
+ }
+ if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
+ {
+ this->msk = chunk_clone(this->msk);
+ }
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+ "%sMSK established", type, vendor,
+ this->msk.ptr ? "" : "no ");
+ }
+ else
+ {
+ DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+ eap_type_names, type, this->msk.ptr ? "" : "no ");
+ }
+ this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED,
+ TRUE);
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+ if (vendor)
+ {
+ cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+ }
+ this->eap_complete = TRUE;
+ return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
+ case FAILED:
+ default:
+ if (vendor)
+ {
+ DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
+ "peer %Y", type, vendor,
+ this->ike_sa->get_other_id(this->ike_sa));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "EAP method %N failed for peer %Y",
+ eap_type_names, type,
+ this->ike_sa->get_other_id(this->ike_sa));
+ }
+ return eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
}
- return NEED_MORE;
}
/**
* Processing method for a peer
*/
-static status_t process_peer(private_eap_authenticator_t *this,
- eap_payload_t *in, eap_payload_t **out)
+static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
+ eap_payload_t *in)
{
eap_type_t type;
u_int32_t vendor;
+ auth_cfg_t *auth;
+ eap_payload_t *out;
+ identification_t *id;
type = in->get_type(in, &vendor);
if (!vendor && type == EAP_IDENTITY)
{
- eap_method_t *method;
+ DESTROY_IF(this->eap_identity);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ id = auth->get(auth, AUTH_RULE_EAP_IDENTITY);
+ if (!id || id->get_type(id) == ID_ANY)
+ {
+ id = this->ike_sa->get_my_id(this->ike_sa);
+ }
+ DBG1(DBG_IKE, "server requested %N, sending '%Y'",
+ eap_type_names, type, id);
+ this->eap_identity = id->clone(id);
- method = load_method(this, type, 0, EAP_PEER);
- if (method == NULL || method->process(method, in, out) != SUCCESS)
+ this->method = load_method(this, type, vendor, EAP_PEER);
+ if (this->method)
{
- DBG1(DBG_IKE, "EAP server requested %N, but unable to process",
- eap_type_names, type);
- DESTROY_IF(method);
- return FAILED;
+ if (this->method->process(this->method, in, &out) == SUCCESS)
+ {
+ this->method->destroy(this->method);
+ this->method = NULL;
+ return out;
+ }
+ this->method->destroy(this->method);
+ this->method = NULL;
}
- DBG1(DBG_IKE, "EAP server requested %N", eap_type_names, type);
- method->destroy(method);
- return NEED_MORE;
+ DBG1(DBG_IKE, "%N not supported, sending EAP_NAK",
+ eap_type_names, type);
+ return eap_payload_create_nak(in->get_identifier(in));
}
-
- /* create an eap_method for the first call */
if (this->method == NULL)
{
if (vendor)
{
- DBG1(DBG_IKE, "EAP server requested vendor specific EAP method %d-%d",
+ DBG1(DBG_IKE, "server requested vendor specific EAP method %d-%d",
type, vendor);
}
else
{
- DBG1(DBG_IKE, "EAP server requested %N authentication",
+ DBG1(DBG_IKE, "server requested %N authentication",
eap_type_names, type);
}
this->method = load_method(this, type, vendor, EAP_PEER);
- if (this->method == NULL)
+ if (!this->method)
{
- DBG1(DBG_IKE, "EAP server requested unsupported "
- "EAP method, sending EAP_NAK");
- *out = eap_payload_create_nak(in->get_identifier(in));
- return NEED_MORE;
+ DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
+ return eap_payload_create_nak(in->get_identifier(in));
}
}
type = this->method->get_type(this->method, &vendor);
- switch (this->method->process(this->method, in, out))
+ if (this->method->process(this->method, in, &out) == NEED_MORE)
+ { /* client methods should never return SUCCESS */
+ return out;
+ }
+
+ if (vendor)
{
- case NEED_MORE:
- return NEED_MORE;
- case SUCCESS:
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded",
- type, vendor);
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N succeeded", eap_type_names, type);
- }
- return SUCCESS;
- case FAILED:
- default:
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed",
- type, vendor);
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N failed",
- eap_type_names, type);
- }
- return FAILED;
+ DBG1(DBG_IKE, "vendor specific EAP method %d-%d failed", type, vendor);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
}
+ return NULL;
}
/**
- * handle an EAP-Identity response on the server
+ * Verify AUTH payload
*/
-static status_t process_eap_identity(private_eap_authenticator_t *this,
- eap_payload_t **out)
+static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
+ chunk_t nonce, chunk_t init)
{
- chunk_t data;
- identification_t *id;
-
- if (this->method->get_msk(this->method, &data) == SUCCESS)
+ auth_payload_t *auth_payload;
+ chunk_t auth_data, recv_auth_data;
+ identification_t *other_id;
+ auth_cfg_t *auth;
+ keymat_t *keymat;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message,
+ AUTHENTICATION);
+ if (!auth_payload)
{
- id = identification_create_from_encoding(ID_EAP, data);
- DBG1(DBG_IKE, "using EAP identity '%D'", id);
- this->ike_sa->set_eap_identity(this->ike_sa, id);
+ DBG1(DBG_IKE, "AUTH payload missing");
+ return FALSE;
}
- /* restart EAP exchange, but with real method */
- this->method->destroy(this->method);
- this->method = NULL;
- this->do_eap_identity = FALSE;
- return initiate(this, this->type, this->vendor, out);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
+ this->msk, other_id);
+ recv_auth_data = auth_payload->get_data(auth_payload);
+ if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
+ {
+ DBG1(DBG_IKE, "verification of AUTH payload with%s EAP MSK failed",
+ this->msk.ptr ? "" : "out");
+ chunk_free(&auth_data);
+ return FALSE;
+ }
+ chunk_free(&auth_data);
+
+ DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+ other_id, auth_class_names, AUTH_CLASS_EAP);
+ this->auth_complete = TRUE;
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+ return TRUE;
+}
+
+/**
+ * Build AUTH payload
+ */
+static void build_auth(private_eap_authenticator_t *this, message_t *message,
+ chunk_t nonce, chunk_t init)
+{
+ auth_payload_t *auth_payload;
+ identification_t *my_id;
+ chunk_t auth_data;
+ keymat_t *keymat;
+
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+ my_id, auth_class_names, AUTH_CLASS_EAP);
+
+ auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id);
+ auth_payload = auth_payload_create();
+ auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+ auth_payload->set_data(auth_payload, auth_data);
+ message->add_payload(message, (payload_t*)auth_payload);
+ chunk_free(&auth_data);
}
/**
- * Processing method for a server
+ * Implementation of authenticator_t.process for a server
*/
static status_t process_server(private_eap_authenticator_t *this,
- eap_payload_t *in, eap_payload_t **out)
+ message_t *message)
{
- eap_type_t type;
- u_int32_t vendor;
+ eap_payload_t *eap_payload;
- type = this->method->get_type(this->method, &vendor);
+ if (this->eap_complete)
+ {
+ if (!verify_auth(this, message, this->sent_nonce, this->received_init))
+ {
+ return FAILED;
+ }
+ return NEED_MORE;
+ }
- switch (this->method->process(this->method, in, out))
+ if (!this->method)
{
- case NEED_MORE:
- return NEED_MORE;
- case SUCCESS:
- if (this->do_eap_identity)
- {
- return process_eap_identity(this, out);
- }
- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
- {
- this->msk = chunk_clone(this->msk);
- }
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeded, "
- "%sMSK established", type, vendor,
- this->msk.ptr ? "" : "no ");
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N succeded, %sMSK established",
- eap_type_names, type, this->msk.ptr ? "" : "no ");
- }
- *out = eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in));
- return SUCCESS;
- case FAILED:
- default:
- if (vendor)
- {
- DBG1(DBG_IKE, "EAP vendor specific method %d-%d failed for "
- "peer %D", type, vendor,
- this->ike_sa->get_other_id(this->ike_sa));
- }
- else
- {
- DBG1(DBG_IKE, "EAP method %N failed for peer '%D'",
- eap_type_names, type,
- this->ike_sa->get_other_id(this->ike_sa));
- }
- *out = eap_payload_create_code(EAP_FAILURE, in->get_identifier(in));
+ this->eap_payload = server_initiate_eap(this, TRUE);
+ }
+ else
+ {
+ eap_payload = (eap_payload_t*)message->get_payload(message,
+ EXTENSIBLE_AUTHENTICATION);
+ if (!eap_payload)
+ {
return FAILED;
+ }
+ this->eap_payload = server_process_eap(this, eap_payload);
}
+ return NEED_MORE;
}
/**
- * Implementation of eap_authenticator_t.process
+ * Implementation of authenticator_t.build for a server
*/
-static status_t process(private_eap_authenticator_t *this, eap_payload_t *in,
- eap_payload_t **out)
+static status_t build_server(private_eap_authenticator_t *this,
+ message_t *message)
{
- eap_code_t code = in->get_code(in);
+ if (this->eap_payload)
+ {
+ eap_code_t code;
+
+ code = this->eap_payload->get_code(this->eap_payload);
+ message->add_payload(message, (payload_t*)this->eap_payload);
+ this->eap_payload = NULL;
+ if (code == EAP_FAILURE)
+ {
+ return FAILED;
+ }
+ return NEED_MORE;
+ }
+ if (this->eap_complete && this->auth_complete)
+ {
+ build_auth(this, message, this->received_nonce, this->sent_init);
+ return SUCCESS;
+ }
+ return FAILED;
+}
+
+/**
+ * Implementation of authenticator_t.process for a client
+ */
+static status_t process_client(private_eap_authenticator_t *this,
+ message_t *message)
+{
+ eap_payload_t *eap_payload;
- switch (this->role)
+ if (this->eap_complete)
{
- case EAP_SERVER:
+ if (!verify_auth(this, message, this->sent_nonce, this->received_init))
{
- switch (code)
+ return FAILED;
+ }
+ return SUCCESS;
+ }
+
+ eap_payload = (eap_payload_t*)message->get_payload(message,
+ EXTENSIBLE_AUTHENTICATION);
+ if (eap_payload)
+ {
+ switch (eap_payload->get_code(eap_payload))
+ {
+ case EAP_REQUEST:
{
- case EAP_RESPONSE:
+ this->eap_payload = client_process_eap(this, eap_payload);
+ if (this->eap_payload)
{
- return process_server(this, in, out);
- }
- default:
- {
- DBG1(DBG_IKE, "received %N, sending %N",
- eap_code_names, code, eap_code_names, EAP_FAILURE);
- *out = eap_payload_create_code(EAP_FAILURE,
- in->get_identifier(in));
- return FAILED;
+ return NEED_MORE;
}
+ return FAILED;
}
- }
- case EAP_PEER:
- {
- switch (code)
+ case EAP_SUCCESS:
{
- case EAP_REQUEST:
+ eap_type_t type;
+ u_int32_t vendor;
+ auth_cfg_t *cfg;
+
+ if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
{
- return process_peer(this, in, out);
+ this->msk = chunk_clone(this->msk);
}
- case EAP_SUCCESS:
+ type = this->method->get_type(this->method, &vendor);
+ if (vendor)
{
- if (this->method->get_msk(this->method, &this->msk) == SUCCESS)
- {
- this->msk = chunk_clone(this->msk);
- }
- return SUCCESS;
+ DBG1(DBG_IKE, "EAP vendor specific method %d-%d succeeded, "
+ "%sMSK established", type, vendor,
+ this->msk.ptr ? "" : "no ");
}
- case EAP_FAILURE:
- default:
+ else
{
- DBG1(DBG_IKE, "received %N, EAP authentication failed",
- eap_code_names, code);
- return FAILED;
+ DBG1(DBG_IKE, "EAP method %N succeeded, %sMSK established",
+ eap_type_names, type, this->msk.ptr ? "" : "no ");
}
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->add(cfg, AUTH_RULE_EAP_TYPE, type);
+ if (vendor)
+ {
+ cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor);
+ }
+ this->eap_complete = TRUE;
+ return NEED_MORE;
+ }
+ case EAP_FAILURE:
+ default:
+ {
+ DBG1(DBG_IKE, "received %N, EAP authentication failed",
+ eap_code_names, eap_payload->get_code(eap_payload));
+ return FAILED;
}
- }
- default:
- {
- return FAILED;
}
}
+ return FAILED;
}
/**
- * Implementation of authenticator_t.is_mutual.
+ * Implementation of authenticator_t.build for a client
*/
-static bool is_mutual(private_eap_authenticator_t *this)
+static status_t build_client(private_eap_authenticator_t *this,
+ message_t *message)
{
- if (this->method)
+ if (this->eap_payload)
{
- return this->method->is_mutual(this->method);
+ message->add_payload(message, (payload_t*)this->eap_payload);
+ this->eap_payload = NULL;
+ return NEED_MORE;
}
- return FALSE;
+ if (this->eap_complete)
+ {
+ build_auth(this, message, this->received_nonce, this->sent_init);
+ return NEED_MORE;
+ }
+ return NEED_MORE;
}
/**
@@ -500,6 +584,8 @@ static bool is_mutual(private_eap_authenticator_t *this)
static void destroy(private_eap_authenticator_t *this)
{
DESTROY_IF(this->method);
+ DESTROY_IF(this->eap_payload);
+ DESTROY_IF(this->eap_identity);
chunk_free(&this->msk);
free(this);
}
@@ -507,46 +593,56 @@ static void destroy(private_eap_authenticator_t *this)
/*
* Described in header.
*/
-eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa)
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
{
- peer_cfg_t *config;
- auth_info_t *auth;
- identification_t *id;
private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
- /* public functions */
- this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
- this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
- this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
-
- this->public.is_mutual = (bool(*)(eap_authenticator_t*))is_mutual;
- this->public.initiate = (status_t(*)(eap_authenticator_t*,eap_type_t,u_int32_t,eap_payload_t**))initiate;
- this->public.process = (status_t(*)(eap_authenticator_t*,eap_payload_t*,eap_payload_t**))process;
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build_client;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_client;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
- /* private data */
this->ike_sa = ike_sa;
- this->role = EAP_PEER;
+ this->received_init = received_init;
+ this->received_nonce = received_nonce;
+ this->sent_init = sent_init;
+ this->sent_nonce = sent_nonce;
+ this->msk = chunk_empty;
this->method = NULL;
+ this->eap_payload = NULL;
+ this->eap_complete = FALSE;
+ this->auth_complete = FALSE;
+ this->eap_identity = NULL;
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init)
+{
+ private_eap_authenticator_t *this = malloc_thing(private_eap_authenticator_t);
+
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))build_server;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process_server;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->received_init = received_init;
+ this->received_nonce = received_nonce;
+ this->sent_init = sent_init;
+ this->sent_nonce = sent_nonce;
this->msk = chunk_empty;
- this->do_eap_identity = FALSE;
- this->type = 0;
- this->vendor = 0;
+ this->method = NULL;
+ this->eap_payload = NULL;
+ this->eap_complete = FALSE;
+ this->auth_complete = FALSE;
+ this->eap_identity = NULL;
- config = ike_sa->get_peer_cfg(ike_sa);
- if (config)
- {
- auth = config->get_auth(config);
- if (auth->get_item(auth, AUTHN_EAP_IDENTITY, (void**)&id))
- {
- if (id->get_type(id) == ID_ANY)
- { /* %any as configured EAP identity runs EAP-Identity first */
- this->do_eap_identity = TRUE;
- }
- else
- {
- ike_sa->set_eap_identity(ike_sa, id->clone(id));
- }
- }
- }
return &this->public;
}
+
diff --git a/src/charon/sa/authenticators/eap_authenticator.h b/src/charon/sa/authenticators/eap_authenticator.h
index 3ee6839fa..b90a6f4df 100644
--- a/src/charon/sa/authenticators/eap_authenticator.h
+++ b/src/charon/sa/authenticators/eap_authenticator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: eap_authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -26,21 +24,13 @@
typedef struct eap_authenticator_t eap_authenticator_t;
#include <sa/authenticators/authenticator.h>
-#include <encoding/payloads/eap_payload.h>
/**
- * Implementation of the authenticator_t interface using AUTH_CLASS_EAP.
+ * Implementation of authenticator_t using EAP authentication.
*
* Authentication using EAP involves the most complex authenticator. It stays
* alive over multiple ike_auth transactions and handles multiple EAP
* messages.
- * EAP authentication must be clearly distinguished between using
- * mutual EAP methods and using methods not providing server authentication.
- * If no mutual authentication is used, the server must prove it's identity
- * by traditional AUTH methods (RSA, psk). Only when the EAP method is mutual,
- * the client should accept an EAP-only authentication.
- * RFC4306 does always use traditional authentiction, EAP only authentication
- * is described in the internet draft draft-eronen-ipsec-ikev2-eap-auth-05.txt.
*
* @verbatim
ike_sa_init
@@ -49,12 +39,12 @@ typedef struct eap_authenticator_t eap_authenticator_t;
followed by multiple ike_auth:
+--------+ +--------+
- | EAP | ID, SA, TS, N(EAP_ONLY) | EAP |
+ | EAP | IDi, [IDr,] SA, TS | EAP |
| client | ---------------------------> | server |
- | | ID, [AUTH,] EAP | | AUTH payload is
- | | <--------------------------- | | only included if
- | | EAP | | authentication
- | | ---------------------------> | | is not mutual.
+ | | ID, AUTH, EAP | |
+ | | <--------------------------- | |
+ | | EAP | |
+ | | ---------------------------> | |
| | EAP | |
| | <--------------------------- | |
| | EAP | |
@@ -74,74 +64,35 @@ struct eap_authenticator_t {
/**
* Implemented authenticator_t interface.
*/
- authenticator_t authenticator_interface;
-
- /**
- * Check if the EAP method was/is mutual and secure.
- *
- * RFC4306 proposes to authenticate the EAP responder (server) by standard
- * IKEv2 methods (RSA, psk). Not all, but some EAP methods
- * provide mutual authentication, which would result in a redundant
- * authentication. If the client supports EAP_ONLY_AUTHENTICATION, and
- * the the server provides mutual authentication, authentication using
- * RSA/PSK may be omitted. If the server did not include a traditional
- * AUTH payload, the client must verify that the server initiated mutual
- * EAP authentication before it can trust the server.
- *
- * @return TRUE, if no AUTH payload required, FALSE otherwise
- */
- bool (*is_mutual) (eap_authenticator_t* this);
-
- /**
- * Initiate the EAP exchange.
- *
- * The server initiates EAP exchanges, so the client never calls
- * this method. If initiate() returns NEED_MORE, the EAP authentication
- * process started. In any case, a payload is created in "out".
- *
- * @param type EAP method to use to authenticate client
- * @param vendor EAP vendor identifier, if type is vendor specific, or 0
- * @param out created initiaal EAP message to send
- * @return
- * - FAILED, if initiation failed
- * - NEED_MORE, if more EAP exchanges reqired
- */
- status_t (*initiate) (eap_authenticator_t* this, eap_type_t type,
- u_int32_t vendor, eap_payload_t **out);
-
- /**
- * Process an EAP message.
- *
- * After receiving an EAP message "in", the peer/server processes
- * the payload and creates a reply/subsequent request.
- * The server side always returns NEED_MORE if another EAP message
- * is expected from the client, SUCCESS if EAP exchange completed and
- * "out" is EAP_SUCCES, or FAILED if the EAP exchange failed with
- * a EAP_FAILURE payload in "out". Anyway, a payload in "out" is always
- * created.
- * The peer (client) side only creates a "out" payload if result is
- * NEED_MORE, a SUCCESS/FAILED is returned whenever a
- * EAP_SUCCESS/EAP_FAILURE message is received in "in".
- * If a SUCCESS is returned (on any side), the EAP authentication was
- * successful and the AUTH payload can be exchanged.
- *
- * @param in received EAP message
- * @param out created EAP message to send
- * @return
- * - FAILED, if authentication/EAP exchange failed
- * - SUCCESS, if authentication completed
- * - NEED_MORE, if more EAP exchanges reqired
- */
- status_t (*process) (eap_authenticator_t* this,
- eap_payload_t *in, eap_payload_t **out);
+ authenticator_t authenticator;
};
/**
- * Creates an authenticator for AUTH_CLASS_EAP.
+ * Create an authenticator to authenticate against an EAP server.
*
- * @param ike_sa associated ike_sa
- * @return eap_authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return EAP authenticator
+ */
+eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
+
+/**
+ * Create an authenticator to authenticate EAP clients.
+ *
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return EAP authenticator
*/
-eap_authenticator_t *eap_authenticator_create(ike_sa_t *ike_sa);
+eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_nonce,
+ chunk_t received_init, chunk_t sent_init);
#endif /** EAP_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/psk_authenticator.c b/src/charon/sa/authenticators/psk_authenticator.c
index ae5a66479..742b67789 100644
--- a/src/charon/sa/authenticators/psk_authenticator.c
+++ b/src/charon/sa/authenticators/psk_authenticator.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -12,17 +12,12 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: psk_authenticator.c 4495 2008-10-28 16:07:06Z martin $
*/
-#include <string.h>
-
#include "psk_authenticator.h"
#include <daemon.h>
-#include <credentials/auth_info.h>
-
+#include <encoding/payloads/auth_payload.h>
typedef struct private_psk_authenticator_t private_psk_authenticator_t;
@@ -40,22 +35,74 @@ struct private_psk_authenticator_t {
* Assigned IKE_SA
*/
ike_sa_t *ike_sa;
+
+ /**
+ * nonce to include in AUTH calculation
+ */
+ chunk_t nonce;
+
+ /**
+ * IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t ike_sa_init;
};
+/*
+ * Implementation of authenticator_t.build for builder
+ */
+static status_t build(private_psk_authenticator_t *this, message_t *message)
+{
+ identification_t *my_id, *other_id;
+ auth_payload_t *auth_payload;
+ shared_key_t *key;
+ chunk_t auth_data;
+ keymat_t *keymat;
+
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
+ my_id, auth_method_names, AUTH_PSK);
+ key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
+ my_id, other_id);
+ if (key == NULL)
+ {
+ DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
+ return NOT_FOUND;
+ }
+ auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
+ this->nonce, key->get_key(key), my_id);
+ key->destroy(key);
+ DBG2(DBG_IKE, "successfully created shared key MAC");
+ auth_payload = auth_payload_create();
+ auth_payload->set_auth_method(auth_payload, AUTH_PSK);
+ auth_payload->set_data(auth_payload, auth_data);
+ chunk_free(&auth_data);
+ message->add_payload(message, (payload_t*)auth_payload);
+
+ return SUCCESS;
+}
+
/**
- * Implementation of authenticator_t.verify.
+ * Implementation of authenticator_t.process for verifier
*/
-static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload)
+static status_t process(private_psk_authenticator_t *this, message_t *message)
{
chunk_t auth_data, recv_auth_data;
identification_t *my_id, *other_id;
+ auth_payload_t *auth_payload;
+ auth_cfg_t *auth;
shared_key_t *key;
enumerator_t *enumerator;
bool authenticated = FALSE;
int keys_found = 0;
keymat_t *keymat;
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ if (!auth_payload)
+ {
+ return FAILED;
+ }
keymat = this->ike_sa->get_keymat(this->ike_sa);
recv_auth_data = auth_payload->get_data(auth_payload);
my_id = this->ike_sa->get_my_id(this->ike_sa);
@@ -66,11 +113,11 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
{
keys_found++;
- auth_data = keymat->get_psk_sig(keymat, TRUE, ike_sa_init, my_nonce,
- key->get_key(key), other_id);
+ auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
+ this->nonce, key->get_key(key), other_id);
if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
{
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
+ DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
other_id, auth_method_names, AUTH_PSK);
authenticated = TRUE;
}
@@ -82,49 +129,26 @@ static status_t verify(private_psk_authenticator_t *this, chunk_t ike_sa_init,
{
if (keys_found == 0)
{
- DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
+ DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
return NOT_FOUND;
}
- DBG1(DBG_IKE, "tried %d shared key%s for '%D' - '%D', but MAC mismatched",
+ DBG1(DBG_IKE, "tried %d shared key%s for '%Y' - '%Y', but MAC mismatched",
keys_found, keys_found == 1 ? "" : "s", my_id, other_id);
return FAILED;
}
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
return SUCCESS;
}
/**
- * Implementation of authenticator_t.build.
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
*/
-static status_t build(private_psk_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload)
+static status_t return_failed()
{
- identification_t *my_id, *other_id;
- shared_key_t *key;
- chunk_t auth_data;
- keymat_t *keymat;
-
- keymat = this->ike_sa->get_keymat(this->ike_sa);
- my_id = this->ike_sa->get_my_id(this->ike_sa);
- other_id = this->ike_sa->get_other_id(this->ike_sa);
- DBG1(DBG_IKE, "authentication of '%D' (myself) with %N",
- my_id, auth_method_names, AUTH_PSK);
- key = charon->credentials->get_shared(charon->credentials, SHARED_IKE,
- my_id, other_id);
- if (key == NULL)
- {
- DBG1(DBG_IKE, "no shared key found for '%D' - '%D'", my_id, other_id);
- return NOT_FOUND;
- }
- auth_data = keymat->get_psk_sig(keymat, FALSE, ike_sa_init, other_nonce,
- key->get_key(key), my_id);
- key->destroy(key);
- DBG2(DBG_IKE, "successfully created shared key MAC");
- *auth_payload = auth_payload_create();
- (*auth_payload)->set_auth_method(*auth_payload, AUTH_PSK);
- (*auth_payload)->set_data(*auth_payload, auth_data);
-
- chunk_free(&auth_data);
- return SUCCESS;
+ return FAILED;
}
/**
@@ -138,17 +162,38 @@ static void destroy(private_psk_authenticator_t *this)
/*
* Described in header.
*/
-psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa)
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init)
{
private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
- /* public functions */
- this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
- this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
- this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
- /* private data */
this->ike_sa = ike_sa;
+ this->ike_sa_init = sent_init;
+ this->nonce = received_nonce;
return &this->public;
}
+
+/*
+ * Described in header.
+ */
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init)
+{
+ private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t);
+
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->ike_sa_init = received_init;
+ this->nonce = sent_nonce;
+
+ return &this->public;
+}
+
diff --git a/src/charon/sa/authenticators/psk_authenticator.h b/src/charon/sa/authenticators/psk_authenticator.h
index df65076a4..5bb743d93 100644
--- a/src/charon/sa/authenticators/psk_authenticator.h
+++ b/src/charon/sa/authenticators/psk_authenticator.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: psk_authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -28,22 +26,36 @@ typedef struct psk_authenticator_t psk_authenticator_t;
#include <sa/authenticators/authenticator.h>
/**
- * Implementation of the authenticator_t interface using AUTH_PSK.
+ * Implementation of authenticator_t using pre-shared keys.
*/
struct psk_authenticator_t {
/**
* Implemented authenticator_t interface.
*/
- authenticator_t authenticator_interface;
+ authenticator_t authenticator;
};
/**
- * Creates an authenticator for AUTH_PSK.
+ * Create an authenticator to build PSK signatures.
*
- * @param ike_sa associated ike_sa
- * @return psk_authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return PSK authenticator
+ */
+psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify PSK signatures.
+ *
+ * @param ike_sa associated ike_sa
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @return PSK authenticator
*/
-psk_authenticator_t *psk_authenticator_create(ike_sa_t *ike_sa);
+psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init);
#endif /** PSK_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.c b/src/charon/sa/authenticators/pubkey_authenticator.c
index c16f3b888..44cabfb94 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.c
+++ b/src/charon/sa/authenticators/pubkey_authenticator.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -13,17 +13,12 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: pubkey_authenticator.c 4495 2008-10-28 16:07:06Z martin $
*/
-#include <string.h>
-
#include "pubkey_authenticator.h"
#include <daemon.h>
-#include <credentials/auth_info.h>
-
+#include <encoding/payloads/auth_payload.h>
typedef struct private_pubkey_authenticator_t private_pubkey_authenticator_t;
@@ -41,95 +36,40 @@ struct private_pubkey_authenticator_t {
* Assigned IKE_SA
*/
ike_sa_t *ike_sa;
-};
-
-/**
- * Implementation of authenticator_t.verify.
- */
-static status_t verify(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t my_nonce, auth_payload_t *auth_payload)
-{
- public_key_t *public;
- auth_method_t auth_method;
- chunk_t auth_data, octets;
- identification_t *id;
- auth_info_t *auth, *current_auth;
- enumerator_t *enumerator;
- key_type_t key_type = KEY_ECDSA;
- signature_scheme_t scheme;
- status_t status = FAILED;
- keymat_t *keymat;
- id = this->ike_sa->get_other_id(this->ike_sa);
- auth_method = auth_payload->get_auth_method(auth_payload);
- switch (auth_method)
- {
- case AUTH_RSA:
- /* We are currently fixed to SHA1 hashes.
- * TODO: allow other hash algorithms and note it in "auth" */
- key_type = KEY_RSA;
- scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
- break;
- case AUTH_ECDSA_256:
- scheme = SIGN_ECDSA_256;
- break;
- case AUTH_ECDSA_384:
- scheme = SIGN_ECDSA_384;
- break;
- case AUTH_ECDSA_521:
- scheme = SIGN_ECDSA_521;
- break;
- default:
- return INVALID_ARG;
- }
- auth_data = auth_payload->get_data(auth_payload);
- keymat = this->ike_sa->get_keymat(this->ike_sa);
- octets = keymat->get_auth_octets(keymat, TRUE, ike_sa_init, my_nonce, id);
- auth = this->ike_sa->get_other_auth(this->ike_sa);
- enumerator = charon->credentials->create_public_enumerator(
- charon->credentials, key_type, id, auth);
- while (enumerator->enumerate(enumerator, &public, &current_auth))
- {
- if (public->verify(public, scheme, octets, auth_data))
- {
- DBG1(DBG_IKE, "authentication of '%D' with %N successful",
- id, auth_method_names, auth_method);
- status = SUCCESS;
- auth->merge(auth, current_auth);
- break;
- }
- else
- {
- DBG1(DBG_IKE, "signature validation failed, looking for another key");
- }
- }
- enumerator->destroy(enumerator);
- chunk_free(&octets);
- return status;
-}
+ /**
+ * nonce to include in AUTH calculation
+ */
+ chunk_t nonce;
+
+ /**
+ * IKE_SA_INIT message data to include in AUTH calculation
+ */
+ chunk_t ike_sa_init;
+};
/**
- * Implementation of authenticator_t.build.
+ * Implementation of authenticator_t.build for builder
*/
-static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
- chunk_t other_nonce, auth_payload_t **auth_payload)
+static status_t build(private_pubkey_authenticator_t *this, message_t *message)
{
chunk_t octets, auth_data;
status_t status = FAILED;
private_key_t *private;
identification_t *id;
- auth_info_t *auth;
+ auth_cfg_t *auth;
+ auth_payload_t *auth_payload;
auth_method_t auth_method;
signature_scheme_t scheme;
keymat_t *keymat;
id = this->ike_sa->get_my_id(this->ike_sa);
- auth = this->ike_sa->get_my_auth(this->ike_sa);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
private = charon->credentials->get_private(charon->credentials, KEY_ANY,
id, auth);
if (private == NULL)
{
- DBG1(DBG_IKE, "no private key found for '%D'", id);
+ DBG1(DBG_IKE, "no private key found for '%Y'", id);
return NOT_FOUND;
}
@@ -169,18 +109,18 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
return status;
}
keymat = this->ike_sa->get_keymat(this->ike_sa);
- octets = keymat->get_auth_octets(keymat, FALSE, ike_sa_init, other_nonce, id);
-
+ octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+ this->nonce, id);
if (private->sign(private, scheme, octets, &auth_data))
{
- auth_payload_t *payload = auth_payload_create();
- payload->set_auth_method(payload, auth_method);
- payload->set_data(payload, auth_data);
- *auth_payload = payload;
+ auth_payload = auth_payload_create();
+ auth_payload->set_auth_method(auth_payload, auth_method);
+ auth_payload->set_data(auth_payload, auth_data);
chunk_free(&auth_data);
+ message->add_payload(message, (payload_t*)auth_payload);
status = SUCCESS;
}
- DBG1(DBG_IKE, "authentication of '%D' (myself) with %N %s", id,
+ DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N %s", id,
auth_method_names, auth_method,
(status == SUCCESS)? "successful":"failed");
chunk_free(&octets);
@@ -190,6 +130,93 @@ static status_t build(private_pubkey_authenticator_t *this, chunk_t ike_sa_init,
}
/**
+ * Implementation of authenticator_t.process for verifier
+ */
+static status_t process(private_pubkey_authenticator_t *this, message_t *message)
+{
+ public_key_t *public;
+ auth_method_t auth_method;
+ auth_payload_t *auth_payload;
+ chunk_t auth_data, octets;
+ identification_t *id;
+ auth_cfg_t *auth, *current_auth;
+ enumerator_t *enumerator;
+ key_type_t key_type = KEY_ECDSA;
+ signature_scheme_t scheme;
+ status_t status = NOT_FOUND;
+ keymat_t *keymat;
+
+ auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ if (!auth_payload)
+ {
+ return FAILED;
+ }
+ auth_method = auth_payload->get_auth_method(auth_payload);
+ switch (auth_method)
+ {
+ case AUTH_RSA:
+ /* We currently accept SHA1 signatures only
+ * TODO: allow other hash algorithms and note it in "auth" */
+ key_type = KEY_RSA;
+ scheme = SIGN_RSA_EMSA_PKCS1_SHA1;
+ break;
+ case AUTH_ECDSA_256:
+ scheme = SIGN_ECDSA_256;
+ break;
+ case AUTH_ECDSA_384:
+ scheme = SIGN_ECDSA_384;
+ break;
+ case AUTH_ECDSA_521:
+ scheme = SIGN_ECDSA_521;
+ break;
+ default:
+ return INVALID_ARG;
+ }
+ auth_data = auth_payload->get_data(auth_payload);
+ id = this->ike_sa->get_other_id(this->ike_sa);
+ keymat = this->ike_sa->get_keymat(this->ike_sa);
+ octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+ this->nonce, id);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ enumerator = charon->credentials->create_public_enumerator(
+ charon->credentials, key_type, id, auth);
+ while (enumerator->enumerate(enumerator, &public, &current_auth))
+ {
+ if (public->verify(public, scheme, octets, auth_data))
+ {
+ DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
+ id, auth_method_names, auth_method);
+ status = SUCCESS;
+ auth->merge(auth, current_auth, FALSE);
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ break;
+ }
+ else
+ {
+ status = FAILED;
+ DBG1(DBG_IKE, "signature validation failed, looking for another key");
+ }
+ }
+ enumerator->destroy(enumerator);
+ chunk_free(&octets);
+ if (status == NOT_FOUND)
+ {
+ DBG1(DBG_IKE, "no trusted %N public key found for '%Y'",
+ key_type_names, key_type, id);
+ }
+ return status;
+}
+
+/**
+ * Implementation of authenticator_t.process for builder
+ * Implementation of authenticator_t.build for verifier
+ */
+static status_t return_failed()
+{
+ return FAILED;
+}
+
+/**
* Implementation of authenticator_t.destroy.
*/
static void destroy(private_pubkey_authenticator_t *this)
@@ -200,17 +227,37 @@ static void destroy(private_pubkey_authenticator_t *this)
/*
* Described in header.
*/
-pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa)
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init)
+{
+ private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
+
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
+
+ this->ike_sa = ike_sa;
+ this->ike_sa_init = sent_init;
+ this->nonce = received_nonce;
+
+ return &this->public;
+}
+
+/*
+ * Described in header.
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init)
{
private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t);
- /* public functions */
- this->public.authenticator_interface.verify = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t*))verify;
- this->public.authenticator_interface.build = (status_t(*)(authenticator_t*,chunk_t,chunk_t,auth_payload_t**))build;
- this->public.authenticator_interface.destroy = (void(*)(authenticator_t*))destroy;
+ this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed;
+ this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process;
+ this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy;
- /* private data */
this->ike_sa = ike_sa;
+ this->ike_sa_init = received_init;
+ this->nonce = sent_nonce;
return &this->public;
}
diff --git a/src/charon/sa/authenticators/pubkey_authenticator.h b/src/charon/sa/authenticators/pubkey_authenticator.h
index d2189fa97..e67f020ff 100644
--- a/src/charon/sa/authenticators/pubkey_authenticator.h
+++ b/src/charon/sa/authenticators/pubkey_authenticator.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: pubkey_authenticator.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -29,22 +27,36 @@ typedef struct pubkey_authenticator_t pubkey_authenticator_t;
#include <sa/authenticators/authenticator.h>
/**
- * Implementation of the authenticator_t interface using AUTH_PUBKEY.
+ * Implementation of authenticator_t using public key authenitcation.
*/
struct pubkey_authenticator_t {
/**
* Implemented authenticator_t interface.
*/
- authenticator_t authenticator_interface;
+ authenticator_t authenticator;
};
/**
- * Creates an authenticator for AUTH_PUBKEY.
+ * Create an authenticator to build public key signatures.
*
- * @param ike_sa associated ike_sa
- * @return pubkey_authenticator_t object
+ * @param ike_sa associated ike_sa
+ * @param received_nonce nonce received in IKE_SA_INIT
+ * @param sent_init sent IKE_SA_INIT message data
+ * @return public key authenticator
+ */
+pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa,
+ chunk_t received_nonce, chunk_t sent_init);
+
+/**
+ * Create an authenticator to verify public key signatures.
+ *
+ * @param ike_sa associated ike_sa
+ * @param sent_nonce nonce sent in IKE_SA_INIT
+ * @param received_init received IKE_SA_INIT message data
+ * @return public key authenticator
*/
-pubkey_authenticator_t *pubkey_authenticator_create(ike_sa_t *ike_sa);
+pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa,
+ chunk_t sent_nonce, chunk_t received_init);
#endif /** PUBKEY_AUTHENTICATOR_H_ @}*/
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 022b9149a..9202e972e 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_sa.c 4677 2008-11-19 15:31:27Z martin $
*/
#define _GNU_SOURCE
@@ -412,26 +410,11 @@ static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
*/
static u_int32_t alloc_spi(private_child_sa_t *this, protocol_id_t protocol)
{
- switch (protocol)
- {
- case PROTO_AH:
- if (charon->kernel_interface->get_spi(charon->kernel_interface,
- this->other_addr, this->my_addr, PROTO_AH,
- this->reqid, &this->my_spi) == SUCCESS)
- {
- return this->my_spi;
- }
- break;
- case PROTO_ESP:
- if (charon->kernel_interface->get_spi(charon->kernel_interface,
- this->other_addr, this->my_addr, PROTO_ESP,
+ if (charon->kernel_interface->get_spi(charon->kernel_interface,
+ this->other_addr, this->my_addr, protocol,
this->reqid, &this->my_spi) == SUCCESS)
- {
- return this->my_spi;
- }
- break;
- default:
- break;
+ {
+ return this->my_spi;
}
return 0;
}
@@ -504,8 +487,14 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ,
this->mode, this->ipcomp, cpi, this->encap, update);
now = time(NULL);
- this->rekey_time = now + soft;
- this->expire_time = now + hard;
+ if (soft)
+ {
+ this->rekey_time = now + soft;
+ }
+ if (hard)
+ {
+ this->expire_time = now + hard;
+ }
return status;
}
@@ -724,14 +713,14 @@ static void destroy(private_child_sa_t *this)
if (this->my_spi)
{
charon->kernel_interface->del_sa(charon->kernel_interface,
- this->my_addr, this->my_spi, this->protocol,
- this->my_cpi);
+ this->other_addr, this->my_addr, this->my_spi,
+ this->protocol, this->my_cpi);
}
if (this->other_spi)
{
charon->kernel_interface->del_sa(charon->kernel_interface,
- this->other_addr, this->other_spi, this->protocol,
- this->other_cpi);
+ this->my_addr, this->other_addr, this->other_spi,
+ this->protocol, this->other_cpi);
}
if (this->config->install_policy(this->config))
@@ -816,6 +805,8 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->protocol = PROTO_NONE;
this->mode = MODE_TUNNEL;
this->proposal = NULL;
+ this->rekey_time = 0;
+ this->expire_time = 0;
this->config = config;
config->get_ref(config);
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index 70169f515..ec9b36dab 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_sa.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index b9141ffc1..a1b037de4 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: connect_manager.c 4579 2008-11-05 11:29:56Z martin $
*/
#include "connect_manager.h"
@@ -734,11 +732,11 @@ static void build_pairs(check_list_t *checklist)
*/
static status_t process_payloads(message_t *message, check_t *check)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) != NOTIFY)
{
@@ -796,7 +794,7 @@ static status_t process_payloads(message_t *message, check_t *check)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
if (!check->connect_id.ptr || !check->endpoint || !check->auth.ptr)
{
@@ -904,7 +902,7 @@ static void update_checklist_state(private_connect_manager_t *this, check_list_t
callback_data_t *data = callback_data_create(this, checklist->connect_id);
job_t *job = (job_t*)callback_job_create((callback_job_cb_t)initiator_finish, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
- charon->scheduler->schedule_job(charon->scheduler, job, ME_WAIT_TO_FINISH);
+ charon->scheduler->schedule_job_ms(charon->scheduler, job, ME_WAIT_TO_FINISH);
checklist->is_finishing = TRUE;
}
@@ -1002,7 +1000,7 @@ static void queue_retransmission(private_connect_manager_t *this, check_list_t *
}
DBG2(DBG_IKE, "scheduling retransmission %d of pair '%d' in %dms", retransmission, pair->id, rto);
- charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, rto);
+ charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)job, rto);
}
/**
@@ -1139,7 +1137,7 @@ static void schedule_checks(private_connect_manager_t *this, check_list_t *check
{
callback_data_t *data = callback_data_create(this, checklist->connect_id);
checklist->sender = (job_t*)callback_job_create((callback_job_cb_t)sender, data, (callback_job_cleanup_t)callback_data_destroy, NULL);
- charon->scheduler->schedule_job(charon->scheduler, checklist->sender, time);
+ charon->scheduler->schedule_job_ms(charon->scheduler, checklist->sender, time);
}
/**
@@ -1196,8 +1194,8 @@ static void finish_checks(private_connect_manager_t *this, check_list_t *checkli
}
else
{
- DBG1(DBG_IKE, "there is no mediated connection waiting between '%D' "
- "and '%D'", checklist->initiator.id, checklist->responder.id);
+ DBG1(DBG_IKE, "there is no mediated connection waiting between '%Y' "
+ "and '%Y'", checklist->initiator.id, checklist->responder.id);
}
}
}
@@ -1396,7 +1394,7 @@ static bool check_and_register(private_connect_manager_t *this,
if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
{
- DBG2(DBG_IKE, "registered waiting mediated connection with '%D'", peer_id);
+ DBG2(DBG_IKE, "registered waiting mediated connection with '%Y'", peer_id);
initiated = initiated_create(id, peer_id);
this->initiated->insert_last(this->initiated, initiated);
already_there = FALSE;
@@ -1425,7 +1423,7 @@ static void check_and_initiate(private_connect_manager_t *this, ike_sa_id_t *med
if (get_initiated_by_ids(this, id, peer_id, &initiated) != SUCCESS)
{
- DBG2(DBG_IKE, "no waiting mediated connections with '%D'", peer_id);
+ DBG2(DBG_IKE, "no waiting mediated connections with '%Y'", peer_id);
this->mutex->unlock(this->mutex);
return;
}
diff --git a/src/charon/sa/connect_manager.h b/src/charon/sa/connect_manager.h
index c16f87352..b5abc853c 100644
--- a/src/charon/sa/connect_manager.h
+++ b/src/charon/sa/connect_manager.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: connect_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index bebd74160..6b7fa3582 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2008 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_sa.c 4945 2009-03-16 14:23:36Z martin $
*/
#include <sys/time.h>
@@ -57,10 +55,6 @@
#include <processing/jobs/initiate_mediation_job.h>
#endif
-#ifndef RESOLV_CONF
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif
-
ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
"CREATED",
"CONNECTING",
@@ -72,17 +66,18 @@ ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
);
typedef struct private_ike_sa_t private_ike_sa_t;
+typedef struct attribute_entry_t attribute_entry_t;
/**
* Private data of an ike_sa_t object.
*/
struct private_ike_sa_t {
-
+
/**
* Public members
*/
ike_sa_t public;
-
+
/**
* Identifier for the current IKE_SA.
*/
@@ -96,7 +91,7 @@ struct private_ike_sa_t {
/**
* Current state of the IKE_SA
*/
- ike_sa_state_t state;
+ ike_sa_state_t state;
/**
* IKE configuration used to set up this IKE_SA
@@ -109,14 +104,14 @@ struct private_ike_sa_t {
peer_cfg_t *peer_cfg;
/**
- * associated authentication/authorization info for local peer
+ * currently used authentication ruleset, local (as auth_cfg_t)
*/
- auth_info_t *my_auth;
+ auth_cfg_t *my_auth;
/**
- * associated authentication/authorization info for remote peer
+ * currently used authentication constraints, remote (as auth_cfg_t)
*/
- auth_info_t *other_auth;
+ auth_cfg_t *other_auth;
/**
* Selected IKE proposal
@@ -179,7 +174,7 @@ struct private_ike_sa_t {
* set of condition flags currently enabled for this IKE_SA
*/
ike_condition_t conditions;
-
+
/**
* Linked List containing the child sa's of the current IKE_SA.
*/
@@ -201,9 +196,9 @@ struct private_ike_sa_t {
host_t *other_virtual_ip;
/**
- * List of DNS servers installed by us
+ * List of configuration attributes (attribute_entry_t)
*/
- linked_list_t *dns_servers;
+ linked_list_t *attributes;
/**
* list of peers additional addresses, transmitted via MOBIKE
@@ -219,7 +214,7 @@ struct private_ike_sa_t {
* number pending UPDATE_SA_ADDRESS (MOBIKE)
*/
u_int32_t pending_updates;
-
+
/**
* NAT keep alive interval
*/
@@ -234,12 +229,12 @@ struct private_ike_sa_t {
* how many times we have retried so far (keyingtries)
*/
u_int32_t keyingtry;
-
+
/**
* local host address to be used for IKE, set via MIGRATE kernel message
*/
host_t *local_host;
-
+
/**
* remote host address to be used for IKE, set via MIGRATE kernel message
*/
@@ -247,6 +242,18 @@ struct private_ike_sa_t {
};
/**
+ * Entry to maintain install configuration attributes during IKE_SA lifetime
+ */
+struct attribute_entry_t {
+ /** handler used to install this attribute */
+ attribute_handler_t *handler;
+ /** attribute type */
+ configuration_attribute_type_t type;
+ /** attribute data */
+ chunk_t data;
+};
+
+/**
* get the time of the latest traffic processed by the kernel
*/
static time_t get_use_time(private_ike_sa_t* this, bool inbound)
@@ -355,40 +362,23 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
DESTROY_IF(this->peer_cfg);
peer_cfg->get_ref(peer_cfg);
this->peer_cfg = peer_cfg;
-
+
if (this->ike_cfg == NULL)
{
this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
this->ike_cfg->get_ref(this->ike_cfg);
}
- /* apply IDs if they are not already set */
- if (this->my_id->contains_wildcards(this->my_id))
- {
- DESTROY_IF(this->my_id);
- this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
- this->my_id = this->my_id->clone(this->my_id);
- }
- if (this->other_id->contains_wildcards(this->other_id))
- {
- DESTROY_IF(this->other_id);
- this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
- this->other_id = this->other_id->clone(this->other_id);
- }
-}
-
-/**
- * Implementation of ike_sa_t.get_my_auth.
- */
-static auth_info_t* get_my_auth(private_ike_sa_t *this)
-{
- return this->my_auth;
}
/**
- * Implementation of ike_sa_t.get_other_auth.
+ * Implementation of ike_sa_t.get_auth_cfg
*/
-static auth_info_t* get_other_auth(private_ike_sa_t *this)
+static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
{
+ if (local)
+ {
+ return this->my_auth;
+ }
return this->other_auth;
}
@@ -460,7 +450,7 @@ static void send_keepalive(private_ike_sa_t *this)
}
job = send_keepalive_job_create(this->ike_sa_id);
charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
- (this->keepalive_interval - diff) * 1000);
+ this->keepalive_interval - diff);
}
/**
@@ -559,7 +549,7 @@ static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
*/
static status_t send_dpd(private_ike_sa_t *this)
{
- send_dpd_job_t *job;
+ job_t *job;
time_t diff, delay;
delay = this->peer_cfg->get_dpd(this->peer_cfg);
@@ -608,9 +598,8 @@ static status_t send_dpd(private_ike_sa_t *this)
}
}
/* recheck in "interval" seconds */
- job = send_dpd_job_create(this->ike_sa_id);
- charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
- (delay - diff) * 1000);
+ job = (job_t*)send_dpd_job_create(this->ike_sa_id);
+ charon->scheduler->schedule_job(charon->scheduler, job, delay - diff);
return SUCCESS;
}
@@ -653,8 +642,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
{
this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
- charon->scheduler->schedule_job(charon->scheduler,
- job, t * 1000);
+ charon->scheduler->schedule_job(charon->scheduler, job, t);
DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
}
t = this->peer_cfg->get_reauth_time(this->peer_cfg);
@@ -663,8 +651,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
{
this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
- charon->scheduler->schedule_job(charon->scheduler,
- job, t * 1000);
+ charon->scheduler->schedule_job(charon->scheduler, job, t);
DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
}
t = this->peer_cfg->get_over_time(this->peer_cfg);
@@ -686,8 +673,7 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
this->stats[STAT_DELETE] += t;
t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
- charon->scheduler->schedule_job(charon->scheduler, job,
- t * 1000);
+ charon->scheduler->schedule_job(charon->scheduler, job, t);
DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
}
@@ -1117,9 +1103,11 @@ static void resolve_hosts(private_ike_sa_t *this)
}
/**
- * Initiates a CHILD_SA using the appropriate reqid
+ * Implementation of ike_sa_t.initiate
*/
-static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
+static status_t initiate(private_ike_sa_t *this,
+ child_cfg_t *child_cfg, u_int32_t reqid,
+ traffic_selector_t *tsi, traffic_selector_t *tsr)
{
task_t *task;
@@ -1181,7 +1169,7 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
#endif /* ME */
{
/* normal IKE_SA with CHILD_SA */
- task = (task_t*)child_create_create(&this->public, child_cfg);
+ task = (task_t*)child_create_create(&this->public, child_cfg, tsi, tsr);
child_cfg->destroy(child_cfg);
if (reqid)
{
@@ -1205,176 +1193,6 @@ static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_c
}
/**
- * Implementation of ike_sa_t.initiate.
- */
-static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
-{
- return initiate_with_reqid(this, child_cfg, 0);
-}
-
-/**
- * Implementation of ike_sa_t.acquire.
- */
-static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
-{
- child_cfg_t *child_cfg;
- iterator_t *iterator;
- child_sa_t *current, *child_sa = NULL;
-
- switch (this->state)
- {
- case IKE_DELETING:
- DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
- "IKE_SA is deleting", reqid);
- return FAILED;
- case IKE_PASSIVE:
- /* do not process acquires if passive */
- return FAILED;
- default:
- break;
- }
-
- /* find CHILD_SA */
- iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
- while (iterator->iterate(iterator, (void**)&current))
- {
- if (current->get_reqid(current) == reqid)
- {
- child_sa = current;
- break;
- }
- }
- iterator->destroy(iterator);
- if (!child_sa)
- {
- DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
- "CHILD_SA not found", reqid);
- return FAILED;
- }
-
- child_cfg = child_sa->get_config(child_sa);
- child_cfg->get_ref(child_cfg);
-
- return initiate_with_reqid(this, child_cfg, reqid);
-}
-
-/**
- * Implementation of ike_sa_t.route.
- */
-static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
-{
- child_sa_t *child_sa;
- iterator_t *iterator;
- linked_list_t *my_ts, *other_ts;
- host_t *me, *other;
- status_t status;
-
- /* check if not already routed*/
- iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
- while (iterator->iterate(iterator, (void**)&child_sa))
- {
- if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
- streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
- {
- iterator->destroy(iterator);
- DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
- return FAILED;
- }
- }
- iterator->destroy(iterator);
-
- switch (this->state)
- {
- case IKE_DELETING:
- case IKE_REKEYING:
- DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
- ike_sa_state_names, this->state);
- return FAILED;
- case IKE_CREATED:
- case IKE_CONNECTING:
- case IKE_ESTABLISHED:
- case IKE_PASSIVE:
- default:
- break;
- }
-
- resolve_hosts(this);
-
- /* install kernel policies */
- child_sa = child_sa_create(this->my_host, this->other_host,
- child_cfg, 0, FALSE);
- me = this->my_host;
- if (this->my_virtual_ip)
- {
- me = this->my_virtual_ip;
- }
- other = this->other_host;
- if (this->other_virtual_ip)
- {
- other = this->other_virtual_ip;
- }
-
- my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
- other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
-
- child_sa->set_mode(child_sa, child_cfg->get_mode(child_cfg));
- status = child_sa->add_policies(child_sa, my_ts, other_ts);
-
- my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
- other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
- if (status == SUCCESS)
- {
- this->child_sas->insert_last(this->child_sas, child_sa);
- DBG1(DBG_IKE, "CHILD_SA routed");
- }
- else
- {
- child_sa->destroy(child_sa);
- DBG1(DBG_IKE, "routing CHILD_SA failed");
- }
- return status;
-}
-
-/**
- * Implementation of ike_sa_t.unroute.
- */
-static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
-{
- iterator_t *iterator;
- child_sa_t *child_sa;
- bool found = FALSE;
-
- /* find CHILD_SA in ROUTED state */
- iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
- while (iterator->iterate(iterator, (void**)&child_sa))
- {
- if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
- child_sa->get_reqid(child_sa) == reqid)
- {
- iterator->remove(iterator);
- DBG1(DBG_IKE, "CHILD_SA unrouted");
- child_sa->destroy(child_sa);
- found = TRUE;
- break;
- }
- }
- iterator->destroy(iterator);
-
- if (!found)
- {
- DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
- return FAILED;
- }
- /* if we are not established, and we have no more routed childs, remove whole SA */
- if (this->state == IKE_CREATED &&
- this->child_sas->get_count(this->child_sas) == 0)
- {
- return DESTROY_ME;
- }
- return SUCCESS;
-}
-
-/**
* Implementation of ike_sa_t.process_message.
*/
static status_t process_message(private_ike_sa_t *this, message_t *message)
@@ -1448,14 +1266,10 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
else
{
host_t *me, *other;
- private_ike_sa_t *new;
- iterator_t *iterator;
- child_sa_t *child;
- bool has_routed = FALSE;
me = message->get_destination(message);
other = message->get_source(message);
-
+
/* if this IKE_SA is virgin, we check for a config */
if (this->ike_cfg == NULL)
{
@@ -1485,59 +1299,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message)
update_hosts(this, me, other);
}
}
- status = this->task_manager->process_message(this->task_manager, message);
- if (status != DESTROY_ME)
- {
- if (message->get_exchange_type(message) == IKE_AUTH &&
- this->state == IKE_ESTABLISHED)
- {
- /* purge auth items if SA is up, as they contain certs
- * and other memory wasting elements */
- this->my_auth->purge(this->my_auth);
- this->other_auth->purge(this->other_auth);
- }
- return status;
- }
- /* if IKE_SA gets closed for any reasons, reroute routed children */
- iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
- while (iterator->iterate(iterator, (void**)&child))
- {
- if (child->get_state(child) == CHILD_ROUTED)
- {
- has_routed = TRUE;
- break;
- }
- }
- iterator->destroy(iterator);
- if (!has_routed)
- {
- return status;
- }
- /* move routed children to a new IKE_SA, apply connection info */
- new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
- charon->ike_sa_manager, TRUE);
- set_peer_cfg(new, this->peer_cfg);
- new->other_host->destroy(new->other_host);
- new->other_host = this->other_host->clone(this->other_host);
- if (!has_condition(this, COND_NAT_THERE))
- {
- new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
- }
- if (this->my_virtual_ip)
- {
- set_virtual_ip(new, TRUE, this->my_virtual_ip);
- }
- iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
- while (iterator->iterate(iterator, (void**)&child))
- {
- if (child->get_state(child) == CHILD_ROUTED)
- {
- route(new, child->get_config(child));
- }
- }
- iterator->destroy(iterator);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
- return status;
+ return this->task_manager->process_message(this->task_manager, message);
}
}
@@ -1846,7 +1608,7 @@ static status_t reestablish(private_ike_sa_t *this)
#ifdef ME
if (this->peer_cfg->is_mediation(this->peer_cfg))
{
- status = new->initiate(new, NULL);
+ status = new->initiate(new, NULL, 0, NULL, NULL);
}
else
#endif /* ME */
@@ -1869,10 +1631,11 @@ static status_t reestablish(private_ike_sa_t *this)
DBG1(DBG_IKE, "restarting CHILD_SA %s",
child_cfg->get_name(child_cfg));
child_cfg->get_ref(child_cfg);
- status = new->initiate(new, child_cfg);
+ status = new->initiate(new, child_cfg, 0, NULL, NULL);
break;
case ACTION_ROUTE:
- status = new->route(new, child_cfg);
+ charon->traps->install(charon->traps,
+ this->peer_cfg, child_cfg);
break;
default:
continue;
@@ -1888,13 +1651,15 @@ static status_t reestablish(private_ike_sa_t *this)
if (status == DESTROY_ME)
{
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
- return FAILED;
+ status = FAILED;
}
else
{
charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
- return SUCCESS;
+ status = SUCCESS;
}
+ charon->bus->set_sa(charon->bus, &this->public);
+ return status;
}
/**
@@ -1960,8 +1725,8 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
" in %ds", lifetime, lifetime - reduction);
charon->scheduler->schedule_job(charon->scheduler,
- (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
- (lifetime - reduction) * 1000);
+ (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
+ lifetime - reduction);
}
else
{
@@ -2030,12 +1795,34 @@ static status_t roam(private_ike_sa_t *this, bool address)
}
/**
+ * Implementation of ike_sa_t.add_configuration_attribute
+ */
+static void add_configuration_attribute(private_ike_sa_t *this,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ attribute_entry_t *entry;
+ attribute_handler_t *handler;
+
+ handler = charon->attributes->handle(charon->attributes,
+ &this->public, type, data);
+ if (handler)
+ {
+ entry = malloc_thing(attribute_entry_t);
+ entry->handler = handler;
+ entry->type = type;
+ entry->data = chunk_clone(data);
+
+ this->attributes->insert_last(this->attributes, entry);
+ }
+}
+
+/**
* Implementation of ike_sa_t.inherit.
*/
static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
{
child_sa_t *child_sa;
- host_t *ip;
+ attribute_entry_t *entry;
/* apply hosts and ids */
this->my_host->destroy(this->my_host);
@@ -2059,11 +1846,11 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
other->other_virtual_ip = NULL;
}
- /* ... and DNS servers */
- while (other->dns_servers->remove_last(other->dns_servers,
- (void**)&ip) == SUCCESS)
+ /* ... and configuration attributes */
+ while (other->attributes->remove_last(other->attributes,
+ (void**)&entry) == SUCCESS)
{
- this->dns_servers->insert_first(this->dns_servers, ip);
+ this->attributes->insert_first(this->attributes, entry);
}
/* inherit all conditions */
@@ -2107,158 +1894,36 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
"lifetime reduced to %ds", reauth, delete);
charon->scheduler->schedule_job(charon->scheduler,
- (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
- reauth * 1000);
+ (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
charon->scheduler->schedule_job(charon->scheduler,
- (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
- delete * 1000);
+ (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
}
/* we have to initate here, there may be new tasks to handle */
return this->task_manager->initiate(this->task_manager);
}
/**
- * Implementation of ike_sa_t.remove_dns_server
- */
-static void remove_dns_servers(private_ike_sa_t *this)
-{
- FILE *file;
- struct stat stats;
- chunk_t contents, line, orig_line, token;
- char string[INET6_ADDRSTRLEN];
- host_t *ip;
- iterator_t *iterator;
-
- if (this->dns_servers->get_count(this->dns_servers) == 0)
- {
- /* don't touch anything if we have no nameservers installed */
- return;
- }
-
- file = fopen(RESOLV_CONF, "r");
- if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
- {
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
- RESOLV_CONF, strerror(errno));
- return;
- }
-
- contents = chunk_alloca((size_t)stats.st_size);
-
- if (fread(contents.ptr, 1, contents.len, file) != contents.len)
- {
- DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
- fclose(file);
- return;
- }
-
- fclose(file);
- file = fopen(RESOLV_CONF, "w");
- if (file == NULL)
- {
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
- RESOLV_CONF, strerror(errno));
- return;
- }
-
- iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
- while (fetchline(&contents, &line))
- {
- bool found = FALSE;
- orig_line = line;
- if (extract_token(&token, ' ', &line) &&
- strncasecmp(token.ptr, "nameserver", token.len) == 0)
- {
- if (!extract_token(&token, ' ', &line))
- {
- token = line;
- }
- iterator->reset(iterator);
- while (iterator->iterate(iterator, (void**)&ip))
- {
- snprintf(string, sizeof(string), "%H", ip);
- if (strlen(string) == token.len &&
- strncmp(token.ptr, string, token.len) == 0)
- {
- iterator->remove(iterator);
- ip->destroy(ip);
- found = TRUE;
- break;
- }
- }
- }
-
- if (!found)
- {
- /* write line untouched back to file */
- ignore_result(fwrite(orig_line.ptr, orig_line.len, 1, file));
- fprintf(file, "\n");
- }
- }
- iterator->destroy(iterator);
- fclose(file);
-}
-
-/**
- * Implementation of ike_sa_t.add_dns_server
- */
-static void add_dns_server(private_ike_sa_t *this, host_t *dns)
-{
- FILE *file;
- struct stat stats;
- chunk_t contents;
-
- DBG1(DBG_IKE, "installing DNS server %H", dns);
-
- file = fopen(RESOLV_CONF, "a+");
- if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
- {
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
- RESOLV_CONF, strerror(errno));
- return;
- }
-
- contents = chunk_alloca(stats.st_size);
-
- if (fread(contents.ptr, 1, contents.len, file) != contents.len)
- {
- DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
- fclose(file);
- return;
- }
-
- fclose(file);
- file = fopen(RESOLV_CONF, "w");
- if (file == NULL)
- {
- DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
- RESOLV_CONF, strerror(errno));
- return;
- }
-
- if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
- dns, this->other_id) < 0)
- {
- DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
- }
- else
- {
- this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
- }
- ignore_result(fwrite(contents.ptr, contents.len, 1, file));
-
- fclose(file);
-}
-
-/**
* Implementation of ike_sa_t.destroy.
*/
static void destroy(private_ike_sa_t *this)
{
+ attribute_entry_t *entry;
+
charon->bus->set_sa(charon->bus, &this->public);
set_state(this, IKE_DESTROYING);
+ /* remove attributes first, as we pass the IKE_SA to the handler */
+ while (this->attributes->remove_last(this->attributes,
+ (void**)&entry) == SUCCESS)
+ {
+ charon->attributes->release(charon->attributes, entry->handler,
+ &this->public, entry->type, entry->data);
+ free(entry->data.ptr);
+ free(entry);
+ }
+ this->attributes->destroy(this->attributes);
+
this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
/* unset SA after here to avoid usage by the listeners */
@@ -2283,10 +1948,6 @@ static void destroy(private_ike_sa_t *this)
}
this->other_virtual_ip->destroy(this->other_virtual_ip);
}
-
- remove_dns_servers(this);
- this->dns_servers->destroy_offset(this->dns_servers,
- offsetof(host_t, destroy));
this->additional_addresses->destroy_offset(this->additional_addresses,
offsetof(host_t, destroy));
#ifdef ME
@@ -2309,9 +1970,9 @@ static void destroy(private_ike_sa_t *this)
DESTROY_IF(this->ike_cfg);
DESTROY_IF(this->peer_cfg);
- DESTROY_IF(this->my_auth);
- DESTROY_IF(this->other_auth);
DESTROY_IF(this->proposal);
+ this->my_auth->destroy(this->my_auth);
+ this->other_auth->destroy(this->other_auth);
this->ike_sa_id->destroy(this->ike_sa_id);
free(this);
@@ -2331,16 +1992,12 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->public.get_name = (char* (*)(ike_sa_t*))get_name;
this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
- this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
- this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
- this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
- this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
+ this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*,u_int32_t,traffic_selector_t*,traffic_selector_t*)) initiate;
this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
- this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
- this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
+ this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
@@ -2388,7 +2045,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
- this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
+ this->public.add_configuration_attribute = (void(*)(ike_sa_t*, configuration_attribute_type_t type, chunk_t data))add_configuration_attribute;
this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
#ifdef ME
this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
@@ -2421,15 +2078,15 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
this->ike_cfg = NULL;
this->peer_cfg = NULL;
- this->my_auth = auth_info_create();
- this->other_auth = auth_info_create();
+ this->my_auth = auth_cfg_create();
+ this->other_auth = auth_cfg_create();
this->proposal = NULL;
this->task_manager = task_manager_create(&this->public);
this->unique_id = ++unique_id;
this->my_virtual_ip = NULL;
this->other_virtual_ip = NULL;
- this->dns_servers = linked_list_create();
this->additional_addresses = linked_list_create();
+ this->attributes = linked_list_create();
this->nat_detection_dest = chunk_empty;
this->pending_updates = 0;
this->keyingtry = 0;
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index 3ca8d9521..b751bda0c 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2006-2008 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -14,8 +14,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_sa.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -35,18 +33,19 @@ typedef struct ike_sa_t ike_sa_t;
#include <library.h>
#include <encoding/message.h>
#include <encoding/payloads/proposal_substructure.h>
+#include <encoding/payloads/configuration_attribute.h>
#include <sa/ike_sa_id.h>
#include <sa/child_sa.h>
#include <sa/tasks/task.h>
#include <sa/keymat.h>
#include <config/peer_cfg.h>
#include <config/ike_cfg.h>
-#include <credentials/auth_info.h>
+#include <config/auth_cfg.h>
/**
- * Timeout in milliseconds after that a half open IKE_SA gets deleted.
+ * Timeout in seconds after that a half open IKE_SA gets deleted.
*/
-#define HALF_OPEN_IKE_SA_TIMEOUT 30000
+#define HALF_OPEN_IKE_SA_TIMEOUT 30
/**
* Interval to send keepalives when NATed, in seconds.
@@ -82,6 +81,11 @@ enum ike_extension_t {
* peer supports HTTP cert lookups as specified in RFC4306
*/
EXT_HASH_AND_URL = (1<<2),
+
+ /**
+ * peer supports multiple authentication exchanges, RFC4739
+ */
+ EXT_MULTIPLE_AUTH = (1<<3),
};
/**
@@ -110,7 +114,7 @@ enum ike_condition_t {
COND_NAT_FAKE = (1<<3),
/**
- * peer has ben authenticated using EAP
+ * peer has been authenticated using EAP at least once
*/
COND_EAP_AUTHENTICATED = (1<<4),
@@ -391,18 +395,12 @@ struct ike_sa_t {
void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
/**
- * Get authentication/authorization info for local peer.
- *
- * @return auth_info for me
- */
- auth_info_t* (*get_my_auth)(ike_sa_t *this);
-
- /**
- * Get authentication/authorization info for remote peer.
+ * Get the authentication config with rules of the current auth round.
*
- * @return auth_info for me
+ * @param local TRUE for local rules, FALSE for remote constraints
+ * @return current cfg
*/
- auth_info_t* (*get_other_auth)(ike_sa_t *this);
+ auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
/**
* Get the selected proposal of this IKE_SA.
@@ -602,51 +600,21 @@ struct ike_sa_t {
/**
* Initiate a new connection.
*
- * The configs are owned by the IKE_SA after the call.
+ * The configs are owned by the IKE_SA after the call. If the initiate
+ * is triggered by a packet, traffic selectors of the packet can be added
+ * to the CHILD_SA.
*
* @param child_cfg child config to create CHILD from
+ * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
+ * @param tsi source of triggering packet
+ * @param tsr destination of triggering packet.
* @return
* - SUCCESS if initialization started
* - DESTROY_ME if initialization failed
*/
- status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg);
-
- /**
- * Route a policy in the kernel.
- *
- * Installs the policies in the kernel. If traffic matches,
- * the kernel requests connection setup from the IKE_SA via acquire().
- *
- * @param child_cfg child config to route
- * @return
- * - SUCCESS if routed successfully
- * - FAILED if routing failed
- */
- status_t (*route) (ike_sa_t *this, child_cfg_t *child_cfg);
-
- /**
- * Unroute a policy in the kernel previously routed.
- *
- * @param reqid reqid of CHILD_SA to unroute
- * @return
- * - SUCCESS if route removed
- * - NOT_FOUND if CHILD_SA not found
- * - DESTROY_ME if last CHILD_SA was unrouted
- */
- status_t (*unroute) (ike_sa_t *this, u_int32_t reqid);
-
- /**
- * Acquire connection setup for an installed kernel policy.
- *
- * If an installed policy raises an acquire, the kernel calls
- * this function to establish the CHILD_SA (and maybe the IKE_SA).
- *
- * @param reqid reqid of the CHILD_SA the policy belongs to.
- * @return
- * - SUCCESS if initialization started
- * - DESTROY_ME if initialization failed
- */
- status_t (*acquire) (ike_sa_t *this, u_int32_t reqid);
+ status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
+ u_int32_t reqid, traffic_selector_t *tsi,
+ traffic_selector_t *tsr);
/**
* Initiates the deletion of an IKE_SA.
@@ -869,14 +837,18 @@ struct ike_sa_t {
host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);
/**
- * Add a DNS server to the system.
+ * Register a configuration attribute to the IKE_SA.
*
- * An IRAS may send a DNS server. To use it, it is installed on the
- * system. The DNS entry has a lifetime until the IKE_SA gets closed.
+ * If an IRAS sends a configuration attribute it is installed and
+ * registered at the IKE_SA. Attributes are inherit()ed and get released
+ * when the IKE_SA is closed.
*
- * @param dns DNS server to install on the system
+ * @param handler handler installed the attribute, use for release()
+ * @param type configuration attribute type
+ * @param data associated attribute data
*/
- void (*add_dns_server) (ike_sa_t *this, host_t *dns);
+ void (*add_configuration_attribute)(ike_sa_t *this,
+ configuration_attribute_type_t type, chunk_t data);
/**
* Set local and remote host addresses to be used for IKE.
@@ -888,7 +860,7 @@ struct ike_sa_t {
* @param remote remote kmaddress
*/
void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
-
+
/**
* Inherit all attributes of other to this after rekeying.
*
diff --git a/src/charon/sa/ike_sa_id.c b/src/charon/sa/ike_sa_id.c
index e012d5944..94c5405f2 100644
--- a/src/charon/sa/ike_sa_id.c
+++ b/src/charon/sa/ike_sa_id.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_sa_id.c 3589 2008-03-13 14:14:44Z martin $
*/
#include "ike_sa_id.h"
diff --git a/src/charon/sa/ike_sa_id.h b/src/charon/sa/ike_sa_id.h
index db36fda95..377e64e8a 100644
--- a/src/charon/sa/ike_sa_id.h
+++ b/src/charon/sa/ike_sa_id.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_sa_id.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index e2aacddd5..efe7c228c 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_sa_manager.c 5035 2009-03-26 13:18:19Z andreas $
*/
#include <string.h>
@@ -901,25 +899,35 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
*/
static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator)
{
+ ike_sa_id_t *ike_sa_id;
+ ike_sa_t *ike_sa;
entry_t *entry;
u_int segment;
- entry = entry_create();
if (initiator)
{
- entry->ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
+ ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE);
}
else
{
- entry->ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+ ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE);
+ }
+ ike_sa = ike_sa_create(ike_sa_id);
+
+ DBG2(DBG_MGR, "created IKE_SA");
+
+ if (!initiator)
+ {
+ ike_sa_id->destroy(ike_sa_id);
+ return ike_sa;
}
- entry->ike_sa = ike_sa_create(entry->ike_sa_id);
- segment = put_entry(this, entry);
+ entry = entry_create();
+ entry->ike_sa_id = ike_sa_id;
+ entry->ike_sa = ike_sa;
+ segment = put_entry(this, entry);
entry->checked_out = TRUE;
unlock_single_segment(this, segment);
-
- DBG2(DBG_MGR, "created IKE_SA");
return entry->ike_sa;
}
@@ -1042,9 +1050,7 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
enumerator_t *enumerator;
entry_t *entry;
ike_sa_t *ike_sa = NULL;
- identification_t *my_id, *other_id;
- host_t *my_host, *other_host;
- ike_cfg_t *ike_cfg;
+ peer_cfg_t *current_cfg;
u_int segment;
if (!this->reuse_ikesa)
@@ -1054,70 +1060,29 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
return ike_sa;
}
- ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
- my_id = peer_cfg->get_my_id(peer_cfg);
- other_id = peer_cfg->get_other_id(peer_cfg);
- my_host = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg), 0, 0);
- other_host = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 0, 0);
-
- if (my_host && other_host)
+ enumerator = create_table_enumerator(this);
+ while (enumerator->enumerate(enumerator, &entry, &segment))
{
- enumerator = create_table_enumerator(this);
- while (enumerator->enumerate(enumerator, &entry, &segment))
+ if (!wait_for_entry(this, entry, segment))
{
- identification_t *found_my_id, *found_other_id;
- host_t *found_my_host, *found_other_host;
-
- if (!wait_for_entry(this, entry, segment))
- {
- continue;
- }
-
- if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
- {
- /* skip IKE_SAs which are not usable */
- continue;
- }
-
- found_my_id = entry->ike_sa->get_my_id(entry->ike_sa);
- found_other_id = entry->ike_sa->get_other_id(entry->ike_sa);
- found_my_host = entry->ike_sa->get_my_host(entry->ike_sa);
- found_other_host = entry->ike_sa->get_other_host(entry->ike_sa);
+ continue;
+ }
+ if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
+ { /* skip IKE_SAs which are not usable */
+ continue;
+ }
- if (found_my_id->get_type(found_my_id) == ID_ANY &&
- found_other_id->get_type(found_other_id) == ID_ANY)
- {
- /* IKE_SA has no IDs yet, so we can't use it */
- continue;
- }
- DBG2(DBG_MGR, "candidate IKE_SA for \n"
- " %H[%D]...%H[%D]\n"
- " %H[%D]...%H[%D]",
- my_host, my_id, other_host, other_id,
- found_my_host, found_my_id, found_other_host, found_other_id);
- /* compare ID and hosts. Supplied ID may contain wildcards, and IP
- * may be %any. */
- if ((my_host->is_anyaddr(my_host) ||
- my_host->ip_equals(my_host, found_my_host)) &&
- (other_host->is_anyaddr(other_host) ||
- other_host->ip_equals(other_host, found_other_host)) &&
- found_my_id->matches(found_my_id, my_id) &&
- found_other_id->matches(found_other_id, other_id) &&
- streq(peer_cfg->get_name(peer_cfg),
- entry->ike_sa->get_name(entry->ike_sa)))
- {
- /* looks good, we take this one */
- DBG2(DBG_MGR, "found an existing IKE_SA for %H[%D]...%H[%D]",
- my_host, my_id, other_host, other_id);
- entry->checked_out = TRUE;
- ike_sa = entry->ike_sa;
- break;
- }
+ current_cfg = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+ if (current_cfg && current_cfg->equals(current_cfg, peer_cfg))
+ {
+ DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
+ current_cfg->get_name(current_cfg));
+ entry->checked_out = TRUE;
+ ike_sa = entry->ike_sa;
+ break;
}
- enumerator->destroy(enumerator);
}
- DESTROY_IF(my_host);
- DESTROY_IF(other_host);
+ enumerator->destroy(enumerator);
if (!ike_sa)
{ /* no IKE_SA using such a config, hand out a new */
@@ -1326,20 +1291,12 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
/* apply identities for duplicate test (only as responder) */
if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
- (!entry->my_id || !entry->other_id))
+ ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+ entry->my_id == NULL && entry->other_id == NULL)
{
- if (!entry->my_id && my_id->get_type(my_id) != ID_ANY)
- {
- entry->my_id = my_id->clone(my_id);
- }
- if (!entry->other_id && other_id->get_type(other_id) != ID_ANY)
- {
- entry->other_id = other_id->clone(other_id);
- }
- if (entry->my_id && entry->other_id)
- {
- put_connected_peers(this, entry);
- }
+ entry->my_id = my_id->clone(my_id);
+ entry->other_id = other_id->clone(other_id);
+ put_connected_peers(this, entry);
}
unlock_single_segment(this, segment);
@@ -1477,7 +1434,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
{
case UNIQUE_REPLACE:
DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
- "'%D' due to uniqueness policy", other);
+ "'%Y' due to uniqueness policy", other);
status = duplicate->delete(duplicate);
break;
case UNIQUE_KEEP:
diff --git a/src/charon/sa/ike_sa_manager.h b/src/charon/sa/ike_sa_manager.h
index 8fe991521..6da768080 100644
--- a/src/charon/sa/ike_sa_manager.h
+++ b/src/charon/sa/ike_sa_manager.h
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_sa_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -53,6 +51,9 @@ struct ike_sa_manager_t {
/**
* Create and check out a new IKE_SA.
+ *
+ * @note If initiator equals FALSE, the returned IKE_SA is not registered
+ * in the manager.
*
* @param initiator TRUE for initiator, FALSE otherwise
* @returns created and checked out IKE_SA
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
index b2e646c93..117d260ba 100644
--- a/src/charon/sa/keymat.c
+++ b/src/charon/sa/keymat.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
#include "keymat.h"
@@ -415,17 +413,18 @@ static bool derive_child_keys(private_keymat_t *this,
/* to bytes */
enc_size /= 8;
- /* CCM/GCM needs additional bytes */
+ /* CCM/GCM/CTR needs additional bytes */
switch (enc_alg)
{
case ENCR_AES_CCM_ICV8:
case ENCR_AES_CCM_ICV12:
case ENCR_AES_CCM_ICV16:
enc_size += 3;
- break;
+ break;
case ENCR_AES_GCM_ICV8:
case ENCR_AES_GCM_ICV12:
case ENCR_AES_GCM_ICV16:
+ case ENCR_AES_CTR:
enc_size += 4;
break;
default:
@@ -463,6 +462,16 @@ static bool derive_child_keys(private_keymat_t *this,
prf_plus->destroy(prf_plus);
+ if (enc_size)
+ {
+ DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
+ DBG4(DBG_CHD, "encryption responder key %B", encr_r);
+ }
+ if (int_size)
+ {
+ DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
+ DBG4(DBG_CHD, "integrity responder key %B", integ_r);
+ }
return TRUE;
}
diff --git a/src/charon/sa/keymat.h b/src/charon/sa/keymat.h
index 659e4dff2..43b9dd113 100644
--- a/src/charon/sa/keymat.h
+++ b/src/charon/sa/keymat.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id$
*/
/**
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
index b508c48c3..890e567c7 100644
--- a/src/charon/sa/mediation_manager.c
+++ b/src/charon/sa/mediation_manager.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: mediation_manager.c 4579 2008-11-05 11:29:56Z martin $
*/
#include "mediation_manager.h"
@@ -227,12 +225,12 @@ static void update_sa_id(private_mediation_manager_t *this, identification_t *pe
if (!found)
{
- DBG2(DBG_IKE, "adding peer '%D'", peer_id);
+ DBG2(DBG_IKE, "adding peer '%Y'", peer_id);
peer = peer_create(peer_id, NULL);
this->peers->insert_last(this->peers, peer);
}
- DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%D'", peer_id);
+ DBG2(DBG_IKE, "changing registered IKE_SA ID of peer '%Y'", peer_id);
peer->ike_sa_id = ike_sa_id ? ike_sa_id->clone(ike_sa_id) : NULL;
/* send callbacks to registered peers */
@@ -284,7 +282,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
if (get_peer_by_id(this, peer_id, &peer) != SUCCESS)
{
- DBG2(DBG_IKE, "adding peer %D", peer_id);
+ DBG2(DBG_IKE, "adding peer %Y", peer_id);
peer = peer_create(peer_id, NULL);
this->peers->insert_last(this->peers, peer);
}
@@ -292,7 +290,7 @@ static ike_sa_id_t *check_and_register(private_mediation_manager_t *this,
if (!peer->ike_sa_id)
{
/* the peer is not online */
- DBG2(DBG_IKE, "requested peer '%D' is offline, registering peer '%D'", peer_id, requester);
+ DBG2(DBG_IKE, "requested peer '%Y' is offline, registering peer '%Y'", peer_id, requester);
register_peer(peer, requester);
this->mutex->unlock(this->mutex);
return NULL;
diff --git a/src/charon/sa/mediation_manager.h b/src/charon/sa/mediation_manager.h
index 7eee09d67..29e16d84f 100644
--- a/src/charon/sa/mediation_manager.h
+++ b/src/charon/sa/mediation_manager.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: mediation_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index e5c5fe178..2cd9532eb 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: task_manager.c 4857 2009-02-09 10:45:51Z martin $
*/
#include "task_manager.h"
@@ -259,7 +257,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
this->initiating.retransmitted++;
job = (job_t*)retransmit_job_create(this->initiating.mid,
this->ike_sa->get_id(this->ike_sa));
- charon->scheduler->schedule_job(charon->scheduler, job, timeout);
+ charon->scheduler->schedule_job_ms(charon->scheduler, job, timeout);
}
return SUCCESS;
}
@@ -626,6 +624,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
/* message complete, send it */
DESTROY_IF(this->responding.packet);
+ this->responding.packet = NULL;
status = this->ike_sa->generate_message(this->ike_sa, message,
&this->responding.packet);
charon->bus->message(charon->bus, message, FALSE);
@@ -650,167 +649,170 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
static status_t process_request(private_task_manager_t *this,
message_t *message)
{
+ enumerator_t *enumerator;
iterator_t *iterator;
task_t *task = NULL;
payload_t *payload;
notify_payload_t *notify;
delete_payload_t *delete;
- /* create tasks depending on request type */
- switch (message->get_exchange_type(message))
- {
- case IKE_SA_INIT:
+ if (this->passive_tasks->get_count(this->passive_tasks) == 0)
+ { /* create tasks depending on request type, if not already some queued */
+ switch (message->get_exchange_type(message))
{
- task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
+ case IKE_SA_INIT:
+ {
+ task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
#ifdef ME
- task = (task_t*)ike_me_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
#endif /* ME */
- task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)ike_config_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)child_create_create(this->ike_sa, NULL);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- break;
- }
- case CREATE_CHILD_SA:
- { /* FIXME: we should prevent this on mediation connections */
- bool notify_found = FALSE, ts_found = FALSE;
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
- {
- switch (payload->get_type(payload))
+ task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_config_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)child_create_create(this->ike_sa, NULL, NULL, NULL);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ break;
+ }
+ case CREATE_CHILD_SA:
+ { /* FIXME: we should prevent this on mediation connections */
+ bool notify_found = FALSE, ts_found = FALSE;
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
- case NOTIFY:
+ switch (payload->get_type(payload))
{
- /* if we find a rekey notify, its CHILD_SA rekeying */
- notify = (notify_payload_t*)payload;
- if (notify->get_notify_type(notify) == REKEY_SA &&
- (notify->get_protocol_id(notify) == PROTO_AH ||
- notify->get_protocol_id(notify) == PROTO_ESP))
- {
- notify_found = TRUE;
+ case NOTIFY:
+ { /* if we find a rekey notify, its CHILD_SA rekeying */
+ notify = (notify_payload_t*)payload;
+ if (notify->get_notify_type(notify) == REKEY_SA &&
+ (notify->get_protocol_id(notify) == PROTO_AH ||
+ notify->get_protocol_id(notify) == PROTO_ESP))
+ {
+ notify_found = TRUE;
+ }
+ break;
}
- break;
- }
- case TRAFFIC_SELECTOR_INITIATOR:
- case TRAFFIC_SELECTOR_RESPONDER:
- {
- /* if we don't find a TS, its IKE rekeying */
- ts_found = TRUE;
- break;
+ case TRAFFIC_SELECTOR_INITIATOR:
+ case TRAFFIC_SELECTOR_RESPONDER:
+ { /* if we don't find a TS, its IKE rekeying */
+ ts_found = TRUE;
+ break;
+ }
+ default:
+ break;
}
- default:
- break;
}
- }
- iterator->destroy(iterator);
-
- if (ts_found)
- {
- if (notify_found)
+ enumerator->destroy(enumerator);
+
+ if (ts_found)
{
- task = (task_t*)child_rekey_create(this->ike_sa,
- PROTO_NONE, 0);
+ if (notify_found)
+ {
+ task = (task_t*)child_rekey_create(this->ike_sa,
+ PROTO_NONE, 0);
+ }
+ else
+ {
+ task = (task_t*)child_create_create(this->ike_sa,
+ NULL, NULL, NULL);
+ }
}
else
{
- task = (task_t*)child_create_create(this->ike_sa, NULL);
+ task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
}
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ break;
}
- else
- {
- task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
- }
- this->passive_tasks->insert_last(this->passive_tasks, task);
- break;
- }
- case INFORMATIONAL:
- {
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ case INFORMATIONAL:
{
- switch (payload->get_type(payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
- case NOTIFY:
+ switch (payload->get_type(payload))
{
- notify = (notify_payload_t*)payload;
- switch (notify->get_notify_type(notify))
+ case NOTIFY:
{
- case ADDITIONAL_IP4_ADDRESS:
- case ADDITIONAL_IP6_ADDRESS:
- case NO_ADDITIONAL_ADDRESSES:
- case UPDATE_SA_ADDRESSES:
- case NO_NATS_ALLOWED:
- case UNACCEPTABLE_ADDRESSES:
- case UNEXPECTED_NAT_DETECTED:
- case COOKIE2:
- case NAT_DETECTION_SOURCE_IP:
- case NAT_DETECTION_DESTINATION_IP:
- task = (task_t*)ike_mobike_create(
- this->ike_sa, FALSE);
- break;
- case AUTH_LIFETIME:
- task = (task_t*)ike_auth_lifetime_create(
- this->ike_sa, FALSE);
- break;
- default:
- break;
+ notify = (notify_payload_t*)payload;
+ switch (notify->get_notify_type(notify))
+ {
+ case ADDITIONAL_IP4_ADDRESS:
+ case ADDITIONAL_IP6_ADDRESS:
+ case NO_ADDITIONAL_ADDRESSES:
+ case UPDATE_SA_ADDRESSES:
+ case NO_NATS_ALLOWED:
+ case UNACCEPTABLE_ADDRESSES:
+ case UNEXPECTED_NAT_DETECTED:
+ case COOKIE2:
+ case NAT_DETECTION_SOURCE_IP:
+ case NAT_DETECTION_DESTINATION_IP:
+ task = (task_t*)ike_mobike_create(
+ this->ike_sa, FALSE);
+ break;
+ case AUTH_LIFETIME:
+ task = (task_t*)ike_auth_lifetime_create(
+ this->ike_sa, FALSE);
+ break;
+ default:
+ break;
+ }
+ break;
}
- break;
- }
- case DELETE:
- {
- delete = (delete_payload_t*)payload;
- if (delete->get_protocol_id(delete) == PROTO_IKE)
- {
- task = (task_t*)ike_delete_create(this->ike_sa, FALSE);
- }
- else
+ case DELETE:
{
- task = (task_t*)child_delete_create(this->ike_sa,
+ delete = (delete_payload_t*)payload;
+ if (delete->get_protocol_id(delete) == PROTO_IKE)
+ {
+ task = (task_t*)ike_delete_create(this->ike_sa,
+ FALSE);
+ }
+ else
+ {
+ task = (task_t*)child_delete_create(this->ike_sa,
PROTO_NONE, 0);
+ }
+ break;
}
- break;
+ default:
+ break;
}
- default:
+ if (task)
+ {
break;
+ }
}
- if (task)
+ enumerator->destroy(enumerator);
+
+ if (task == NULL)
{
- break;
+ task = (task_t*)ike_dpd_create(FALSE);
}
+ this->passive_tasks->insert_last(this->passive_tasks, task);
+ break;
}
- iterator->destroy(iterator);
-
- if (task == NULL)
+#ifdef ME
+ case ME_CONNECT:
{
- task = (task_t*)ike_dpd_create(FALSE);
+ task = (task_t*)ike_me_create(this->ike_sa, FALSE);
+ this->passive_tasks->insert_last(this->passive_tasks, task);
}
- this->passive_tasks->insert_last(this->passive_tasks, task);
- break;
- }
-#ifdef ME
- case ME_CONNECT:
- {
- task = (task_t*)ike_me_create(this->ike_sa, FALSE);
- this->passive_tasks->insert_last(this->passive_tasks, task);
- }
#endif /* ME */
- default:
- break;
+ default:
+ break;
+ }
}
/* let the tasks process the message */
@@ -941,15 +943,6 @@ static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *ot
task->migrate(task, this->ike_sa);
this->queued_tasks->insert_first(this->queued_tasks, task);
}
-
- /* reset active tasks and move them to others queued tasks */
- while (other->active_tasks->remove_last(other->active_tasks,
- (void**)&task) == SUCCESS)
- {
- DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
- task->migrate(task, this->ike_sa);
- this->queued_tasks->insert_first(this->queued_tasks, task);
- }
}
/**
diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h
index db21684c3..9c3b2cc87 100644
--- a/src/charon/sa/task_manager.h
+++ b/src/charon/sa/task_manager.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: task_manager.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index c07cd37b8..f51443738 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_create.c 4860 2009-02-11 13:09:52Z martin $
*/
#include "child_create.h"
@@ -87,6 +85,16 @@ struct private_child_create_t {
linked_list_t *tsr;
/**
+ * source of triggering packet
+ */
+ traffic_selector_t *packet_tsi;
+
+ /**
+ * destination of triggering packet
+ */
+ traffic_selector_t *packet_tsr;
+
+ /**
* optional diffie hellman exchange
*/
diffie_hellman_t *dh;
@@ -570,7 +578,7 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify
*/
static void process_payloads(private_child_create_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
sa_payload_t *sa_payload;
ke_payload_t *ke_payload;
@@ -579,8 +587,8 @@ static void process_payloads(private_child_create_t *this, message_t *message)
/* defaults to TUNNEL mode */
this->mode = MODE_TUNNEL;
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
switch (payload->get_type(payload))
{
@@ -616,7 +624,7 @@ static void process_payloads(private_child_create_t *this, message_t *message)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -643,9 +651,9 @@ static status_t build_i(private_child_create_t *this, message_t *message)
}
break;
case IKE_AUTH:
- if (!message->get_payload(message, ID_INITIATOR))
+ if (message->get_message_id(message) != 1)
{
- /* send only in the first request, not in subsequent EAP */
+ /* send only in the first request, not in subsequent rounds */
return NEED_MORE;
}
break;
@@ -694,7 +702,17 @@ static status_t build_i(private_child_create_t *this, message_t *message)
}
this->tsr = this->config->get_traffic_selectors(this->config, FALSE,
NULL, other);
-
+
+ if (this->packet_tsi)
+ {
+ this->tsi->insert_first(this->tsi,
+ this->packet_tsi->clone(this->packet_tsi));
+ }
+ if (this->packet_tsr)
+ {
+ this->tsr->insert_first(this->tsr,
+ this->packet_tsr->clone(this->packet_tsr));
+ }
this->proposals = this->config->get_proposals(this->config,
this->dh_group == MODP_NONE);
this->mode = this->config->get_mode(this->config);
@@ -737,8 +755,6 @@ static status_t build_i(private_child_create_t *this, message_t *message)
*/
static status_t process_r(private_child_create_t *this, message_t *message)
{
- peer_cfg_t *peer_cfg;
-
switch (message->get_exchange_type(message))
{
case IKE_SA_INIT:
@@ -747,42 +763,17 @@ static status_t process_r(private_child_create_t *this, message_t *message)
get_nonce(message, &this->other_nonce);
break;
case IKE_AUTH:
- if (message->get_payload(message, ID_INITIATOR) == NULL)
+ if (message->get_message_id(message) != 1)
{
- /* wait until extensible authentication completed, if used */
+ /* only handle first AUTH payload, not additional rounds */
return NEED_MORE;
}
default:
break;
}
-
+
process_payloads(this, message);
- if (this->tsi == NULL || this->tsr == NULL)
- {
- DBG1(DBG_IKE, "TS payload missing in message");
- return NEED_MORE;
- }
-
- peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (peer_cfg)
- {
- host_t *me, *other;
-
- me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
- if (me == NULL)
- {
- me = this->ike_sa->get_my_host(this->ike_sa);
- }
- other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
- if (other == NULL)
- {
- other = this->ike_sa->get_other_host(this->ike_sa);
- }
-
- this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
- this->tsi, me, other);
- }
return NEED_MORE;
}
@@ -799,7 +790,7 @@ static void handle_child_sa_failure(private_child_create_t *this,
/* we delay the delete for 100ms, as the IKE_AUTH response must arrive
* first */
DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
- charon->scheduler->schedule_job(charon->scheduler, (job_t*)
+ charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
100);
}
@@ -810,10 +801,11 @@ static void handle_child_sa_failure(private_child_create_t *this,
*/
static status_t build_r(private_child_create_t *this, message_t *message)
{
+ peer_cfg_t *peer_cfg;
payload_t *payload;
- iterator_t *iterator;
+ enumerator_t *enumerator;
bool no_dh = TRUE;
-
+
switch (message->get_exchange_type(message))
{
case IKE_SA_INIT:
@@ -828,9 +820,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
no_dh = FALSE;
break;
case IKE_AUTH:
- if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
- {
- /* wait until extensible authentication completed, if used */
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* wait until all authentication round completed */
return NEED_MORE;
}
default:
@@ -844,6 +835,25 @@ static status_t build_r(private_child_create_t *this, message_t *message)
return SUCCESS;
}
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer_cfg && this->tsi && this->tsr)
+ {
+ host_t *me, *other;
+
+ me = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
+ if (me == NULL)
+ {
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ }
+ other = this->ike_sa->get_virtual_ip(this->ike_sa, FALSE);
+ if (other == NULL)
+ {
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ }
+ this->config = peer_cfg->select_child_cfg(peer_cfg, this->tsr,
+ this->tsi, me, other);
+ }
+
if (this->config == NULL)
{
DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
@@ -854,8 +864,8 @@ static status_t build_r(private_child_create_t *this, message_t *message)
}
/* check if ike_config_t included non-critical error notifies */
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -868,7 +878,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
{
DBG1(DBG_IKE,"configuration payload negotation "
"failed, no CHILD_SA built");
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
handle_child_sa_failure(this, message);
return SUCCESS;
}
@@ -877,7 +887,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
@@ -938,7 +948,7 @@ static status_t build_r(private_child_create_t *this, message_t *message)
*/
static status_t process_i(private_child_create_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
bool no_dh = TRUE;
@@ -951,9 +961,8 @@ static status_t process_i(private_child_create_t *this, message_t *message)
no_dh = FALSE;
break;
case IKE_AUTH:
- if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
- {
- /* wait until extensible authentication completed, if used */
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* wait until all authentication round completed */
return NEED_MORE;
}
default:
@@ -961,8 +970,8 @@ static status_t process_i(private_child_create_t *this, message_t *message)
}
/* check for erronous notifies */
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -982,7 +991,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
{
DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
notify_type_names, type);
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
handle_child_sa_failure(this, message);
/* an error in CHILD_SA creation is not critical */
return SUCCESS;
@@ -1000,7 +1009,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
bad_group, diffie_hellman_group_names, this->dh_group);
this->public.task.migrate(&this->public.task, this->ike_sa);
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return NEED_MORE;
}
default:
@@ -1008,7 +1017,7 @@ static status_t process_i(private_child_create_t *this, message_t *message)
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
process_payloads(this, message);
@@ -1149,6 +1158,8 @@ static void destroy(private_child_create_t *this)
{
DESTROY_IF(this->child_sa);
}
+ DESTROY_IF(this->packet_tsi);
+ DESTROY_IF(this->packet_tsr);
DESTROY_IF(this->proposal);
DESTROY_IF(this->dh);
if (this->proposals)
@@ -1163,7 +1174,8 @@ static void destroy(private_child_create_t *this)
/*
* Described in header.
*/
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
+child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+ traffic_selector_t *tsi, traffic_selector_t *tsr)
{
private_child_create_t *this = malloc_thing(private_child_create_t);
@@ -1195,6 +1207,8 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config)
this->proposal = NULL;
this->tsi = NULL;
this->tsr = NULL;
+ this->packet_tsi = tsi ? tsi->clone(tsi) : NULL;
+ this->packet_tsr = tsr ? tsr->clone(tsr) : NULL;
this->dh = NULL;
this->dh_group = MODP_NONE;
this->keymat = ike_sa->get_keymat(ike_sa);
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
index d01baa594..ce2829a9a 100644
--- a/src/charon/sa/tasks/child_create.h
+++ b/src/charon/sa/tasks/child_create.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_create.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
@@ -73,8 +71,11 @@ struct child_create_t {
*
* @param ike_sa IKE_SA this task works for
* @param config child_cfg if task initiator, NULL if responder
- * @return child_create task to handle by the task_manager
+ * @param tsi source of triggering packet, or NULL
+ * @param tsr destination of triggering packet, or NULL
+ * @return child_create task to handle by the task_manager
*/
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config);
+child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+ traffic_selector_t *tsi, traffic_selector_t *tsr);
#endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 0fd4a056b..0d89c148e 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_delete.c 4730 2008-12-01 18:38:28Z martin $
*/
#include "child_delete.h"
@@ -114,15 +112,16 @@ static void build_payloads(private_child_delete_t *this, message_t *message)
*/
static void process_payloads(private_child_delete_t *this, message_t *message)
{
- iterator_t *payloads, *spis;
+ enumerator_t *payloads;
+ iterator_t *spis;
payload_t *payload;
delete_payload_t *delete_payload;
u_int32_t *spi;
protocol_id_t protocol;
child_sa_t *child_sa;
- payloads = message->get_payload_iterator(message);
- while (payloads->iterate(payloads, (void**)&payload))
+ payloads = message->create_payload_enumerator(message);
+ while (payloads->enumerate(payloads, &payload))
{
if (payload->get_type(payload) == DELETE)
{
@@ -202,10 +201,12 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
{
case ACTION_RESTART:
child_cfg->get_ref(child_cfg);
- status = this->ike_sa->initiate(this->ike_sa, child_cfg);
+ status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
+ NULL, NULL);
break;
- case ACTION_ROUTE:
- status = this->ike_sa->route(this->ike_sa, child_cfg);
+ case ACTION_ROUTE:
+ charon->traps->install(charon->traps,
+ this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
break;
default:
break;
diff --git a/src/charon/sa/tasks/child_delete.h b/src/charon/sa/tasks/child_delete.h
index 8886ff4a1..27d847035 100644
--- a/src/charon/sa/tasks/child_delete.h
+++ b/src/charon/sa/tasks/child_delete.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_delete.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 0d8cf2db7..6ab00dc5b 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_rekey.c 4730 2008-12-01 18:38:28Z martin $
*/
#include "child_rekey.h"
@@ -103,11 +101,11 @@ static status_t process_i_delete(private_child_rekey_t *this, message_t *message
*/
static void find_child(private_child_rekey_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
notify_payload_t *notify;
u_int32_t spi;
@@ -131,7 +129,7 @@ static void find_child(private_child_rekey_t *this, message_t *message)
break;
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -159,7 +157,7 @@ static status_t build_i(private_child_rekey_t *this, message_t *message)
/* ... our CHILD_CREATE task does the hard work for us. */
reqid = this->child_sa->get_reqid(this->child_sa);
- this->child_create = child_create_create(this->ike_sa, config);
+ this->child_create = child_create_create(this->ike_sa, config, NULL, NULL);
this->child_create->use_reqid(this->child_create, reqid);
this->child_create->task.build(&this->child_create->task, message);
@@ -220,12 +218,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
protocol_id_t protocol;
u_int32_t spi;
child_sa_t *to_delete;
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
/* handle NO_ADDITIONAL_SAS notify */
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -239,12 +237,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
charon->processor->queue_job(charon->processor,
(job_t*)rekey_ike_sa_job_create(
this->ike_sa->get_id(this->ike_sa), TRUE));
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return SUCCESS;
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
if (this->child_create->task.process(&this->child_create->task, message) == NEED_MORE)
{
@@ -269,7 +267,7 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
"trying again in %d seconds", retry);
this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
- charon->scheduler->schedule_job(charon->scheduler, job, retry * 1000);
+ charon->scheduler->schedule_job(charon->scheduler, job, retry);
}
return SUCCESS;
}
@@ -418,7 +416,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
this->initiator = FALSE;
- this->child_create = child_create_create(ike_sa, NULL);
+ this->child_create = child_create_create(ike_sa, NULL, NULL, NULL);
}
this->ike_sa = ike_sa;
diff --git a/src/charon/sa/tasks/child_rekey.h b/src/charon/sa/tasks/child_rekey.h
index 42fce0742..5aae2fb39 100644
--- a/src/charon/sa/tasks/child_rekey.h
+++ b/src/charon/sa/tasks/child_rekey.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: child_rekey.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 93b145755..8d6cd56bd 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details
- *
- * $Id: ike_auth.c 4858 2009-02-10 17:21:44Z martin $
*/
#include "ike_auth.h"
@@ -21,14 +19,12 @@
#include <string.h>
#include <daemon.h>
-#include <crypto/diffie_hellman.h>
#include <encoding/payloads/id_payload.h>
#include <encoding/payloads/auth_payload.h>
#include <encoding/payloads/eap_payload.h>
#include <encoding/payloads/nonce_payload.h>
#include <sa/authenticators/eap_authenticator.h>
-
typedef struct private_ike_auth_t private_ike_auth_t;
/**
@@ -72,220 +68,65 @@ struct private_ike_auth_t {
packet_t *other_packet;
/**
- * EAP authenticator when using EAP
+ * completed authentication configs initiated by us (auth_cfg_t)
*/
- eap_authenticator_t *eap_auth;
+ linked_list_t *my_cfgs;
/**
- * EAP payload received and ready to process
+ * completed authentication configs initiated by other (auth_cfg_t)
*/
- eap_payload_t *eap_payload;
+ linked_list_t *other_cfgs;;
/**
- * has the peer been authenticated successfully?
+ * currently active authenticator, to authenticate us
*/
- bool peer_authenticated;
-};
-
-/**
- * get the authentication class of a config
- */
-auth_class_t get_auth_class(peer_cfg_t *config)
-{
- auth_class_t *class;
- auth_info_t *auth_info;
-
- auth_info = config->get_auth(config);
- if (auth_info->get_item(auth_info, AUTHN_AUTH_CLASS, (void**)&class))
- {
- return *class;
- }
- /* fallback to pubkey authentication */
- return AUTH_CLASS_PUBKEY;
-}
-
-/**
- * get the eap type/vendor
- */
-static eap_type_t get_eap_type(peer_cfg_t *config, u_int32_t *vendor)
-{
- auth_info_t *auth_info;
- u_int *ptr;
-
- *vendor = 0;
- auth_info = config->get_auth(config);
- if (auth_info->get_item(auth_info, AUTHN_EAP_VENDOR, (void**)&ptr))
- {
- *vendor = *ptr;
- }
- if (auth_info->get_item(auth_info, AUTHN_EAP_TYPE, (void**)&ptr))
- {
- return *ptr;
- }
- return EAP_NAK;
-}
-
-/**
- * build the AUTH payload
- */
-static status_t build_auth(private_ike_auth_t *this, message_t *message)
-{
- authenticator_t *auth;
- auth_payload_t *auth_payload;
- peer_cfg_t *config;
- status_t status;
-
- /* create own authenticator and add auth payload */
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (!config)
- {
- DBG1(DBG_IKE, "unable to authenticate, no peer config found");
- return FAILED;
- }
-
- auth = authenticator_create_from_class(this->ike_sa, get_auth_class(config));
- if (auth == NULL)
- {
- DBG1(DBG_IKE, "configured authentication class %N not supported",
- auth_class_names, get_auth_class(config));
- return FAILED;
- }
-
- status = auth->build(auth, this->my_packet->get_data(this->my_packet),
- this->other_nonce, &auth_payload);
- auth->destroy(auth);
- if (status != SUCCESS)
- {
- DBG1(DBG_IKE, "generating authentication data failed");
- return FAILED;
- }
- message->add_payload(message, (payload_t*)auth_payload);
- return SUCCESS;
-}
-
-/**
- * build ID payload(s)
- */
-static status_t build_id(private_ike_auth_t *this, message_t *message)
-{
- identification_t *me, *other;
- id_payload_t *id;
- peer_cfg_t *config;
+ authenticator_t *my_auth;
- me = this->ike_sa->get_my_id(this->ike_sa);
- other = this->ike_sa->get_other_id(this->ike_sa);
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
-
- if (me->contains_wildcards(me))
- {
- me = config->get_my_id(config);
- if (me->contains_wildcards(me))
- {
- DBG1(DBG_IKE, "negotiation of own ID failed");
- return FAILED;
- }
- this->ike_sa->set_my_id(this->ike_sa, me->clone(me));
- }
+ /**
+ * currently active authenticator, to authenticate peer
+ */
+ authenticator_t *other_auth;
- id = id_payload_create_from_identification(this->initiator ? ID_INITIATOR : ID_RESPONDER, me);
- message->add_payload(message, (payload_t*)id);
+ /**
+ * peer_cfg candidates, ordered by priority
+ */
+ linked_list_t *candidates;
- /* as initiator, include other ID if it does not contain wildcards */
- if (this->initiator && !other->contains_wildcards(other))
- {
- id = id_payload_create_from_identification(ID_RESPONDER, other);
- message->add_payload(message, (payload_t*)id);
- }
- return SUCCESS;
-}
-
-/**
- * process AUTH payload
- */
-static status_t process_auth(private_ike_auth_t *this, message_t *message)
-{
- auth_payload_t *auth_payload;
- authenticator_t *auth;
- auth_method_t auth_method;
- status_t status;
+ /**
+ * selected peer config (might change when using multiple authentications)
+ */
+ peer_cfg_t *peer_cfg;
- auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ /**
+ * have we planned an(other) authentication exchange?
+ */
+ bool do_another_auth;
- if (auth_payload == NULL)
- {
- /* AUTH payload is missing, client wants to use EAP authentication */
- return NOT_FOUND;
- }
+ /**
+ * has the peer announced another authentication exchange?
+ */
+ bool expect_another_auth;
- auth_method = auth_payload->get_auth_method(auth_payload);
- auth = authenticator_create_from_method(this->ike_sa,
- auth_payload->get_auth_method(auth_payload));
- if (auth == NULL)
- {
- DBG1(DBG_IKE, "authentication method %N used by '%D' not supported",
- auth_method_names, auth_method,
- this->ike_sa->get_other_id(this->ike_sa));
- return NOT_SUPPORTED;
- }
- status = auth->verify(auth, this->other_packet->get_data(this->other_packet),
- this->my_nonce, auth_payload);
- auth->destroy(auth);
- if (status != SUCCESS)
- {
- DBG0(DBG_IKE, "authentication of '%D' with %N failed",
- this->ike_sa->get_other_id(this->ike_sa),
- auth_method_names, auth_method);
- return FAILED;
- }
- return SUCCESS;
-}
+ /**
+ * should we send a AUTHENTICATION_FAILED notify?
+ */
+ bool authentication_failed;
+};
/**
- * process ID payload(s)
+ * check if multiple authentication extension is enabled, configuration-wise
*/
-static status_t process_id(private_ike_auth_t *this, message_t *message)
+static bool multiple_auth_enabled()
{
- identification_t *id, *req;
- id_payload_t *idr, *idi;
-
- idi = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
- idr = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
-
- if ((this->initiator && idr == NULL) || (!this->initiator && idi == NULL))
- {
- DBG1(DBG_IKE, "ID payload missing in message");
- return FAILED;
- }
-
- if (this->initiator)
- {
- id = idr->get_identification(idr);
- req = this->ike_sa->get_other_id(this->ike_sa);
- if (!id->matches(id, req))
- {
- DBG0(DBG_IKE, "peer ID '%D' unacceptable, '%D' required", id, req);
- id->destroy(id);
- return FAILED;
- }
- this->ike_sa->set_other_id(this->ike_sa, id);
- }
- else
- {
- id = idi->get_identification(idi);
- this->ike_sa->set_other_id(this->ike_sa, id);
- if (idr)
- {
- id = idr->get_identification(idr);
- this->ike_sa->set_my_id(this->ike_sa, id);
- }
- }
- return SUCCESS;
+ return lib->settings->get_bool(lib->settings,
+ "charon.multiple_authentication", TRUE);
}
/**
* collect the needed information in the IKE_SA_INIT exchange from our message
*/
-static status_t collect_my_init_data(private_ike_auth_t *this, message_t *message)
+static status_t collect_my_init_data(private_ike_auth_t *this,
+ message_t *message)
{
nonce_payload_t *nonce;
@@ -297,7 +138,7 @@ static status_t collect_my_init_data(private_ike_auth_t *this, message_t *messag
}
this->my_nonce = nonce->get_nonce(nonce);
- /* pre-generate the message, so we can store it for us */
+ /* pre-generate the message, keep a copy */
if (this->ike_sa->generate_message(this->ike_sa, message,
&this->my_packet) != SUCCESS)
{
@@ -309,7 +150,8 @@ static status_t collect_my_init_data(private_ike_auth_t *this, message_t *messag
/**
* collect the needed information in the IKE_SA_INIT exchange from others message
*/
-static status_t collect_other_init_data(private_ike_auth_t *this, message_t *message)
+static status_t collect_other_init_data(private_ike_auth_t *this,
+ message_t *message)
{
/* we collect the needed information in the IKE_SA_INIT exchange */
nonce_payload_t *nonce;
@@ -322,184 +164,186 @@ static status_t collect_other_init_data(private_ike_auth_t *this, message_t *mes
}
this->other_nonce = nonce->get_nonce(nonce);
- /* pre-generate the message, so we can store it for us */
+ /* keep a copy of the received packet */
this->other_packet = message->get_packet(message);
return NEED_MORE;
}
-
/**
- * Implementation of task_t.build to create AUTH payload from EAP data
+ * Get the next authentication configuration
*/
-static status_t build_auth_eap(private_ike_auth_t *this, message_t *message)
+static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
{
- authenticator_t *auth;
- auth_payload_t *auth_payload;
+ enumerator_t *e1, *e2;
+ auth_cfg_t *c1, *c2, *next = NULL;
- if (!this->initiator && !this->peer_authenticated)
+ /* find an available config not already done */
+ e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
+ while (e1->enumerate(e1, &c1))
{
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
- return FAILED;
- }
-
- auth = (authenticator_t*)this->eap_auth;
- if (auth->build(auth, this->my_packet->get_data(this->my_packet),
- this->other_nonce, &auth_payload) != SUCCESS)
- {
- DBG1(DBG_IKE, "generating authentication data failed");
- if (!this->initiator)
+ bool found = FALSE;
+
+ if (local)
{
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+ e2 = this->my_cfgs->create_enumerator(this->my_cfgs);
+ }
+ else
+ {
+ e2 = this->other_cfgs->create_enumerator(this->other_cfgs);
+ }
+ while (e2->enumerate(e2, &c2))
+ {
+ if (c2->complies(c2, c1, FALSE))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ e2->destroy(e2);
+ if (!found)
+ {
+ next = c1;
+ break;
}
- return FAILED;
- }
- message->add_payload(message, (payload_t*)auth_payload);
- if (!this->initiator)
- {
- this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
- this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_unique_id(this->ike_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
- return SUCCESS;
}
- return NEED_MORE;
+ e1->destroy(e1);
+ return next;
}
/**
- * Implementation of task_t.process to verify AUTH payload after EAP
+ * Check if we have should initiate another authentication round
*/
-static status_t process_auth_eap(private_ike_auth_t *this, message_t *message)
+static bool do_another_auth(private_ike_auth_t *this)
{
- auth_payload_t *auth_payload;
- authenticator_t *auth;
-
- auth_payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
- this->peer_authenticated = FALSE;
+ bool do_another = FALSE;
+ enumerator_t *done, *todo;
+ auth_cfg_t *done_cfg, *todo_cfg;
- if (auth_payload)
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
{
- auth = (authenticator_t*)this->eap_auth;
- if (auth->verify(auth, this->other_packet->get_data(this->other_packet),
- this->my_nonce, auth_payload) == SUCCESS)
- {
- this->peer_authenticated = TRUE;
- }
+ return FALSE;
}
-
- if (!this->peer_authenticated)
+
+ done = this->my_cfgs->create_enumerator(this->my_cfgs);
+ todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
+ while (todo->enumerate(todo, &todo_cfg))
{
- DBG0(DBG_IKE, "authentication of '%D' with %N failed",
- this->ike_sa->get_other_id(this->ike_sa),
- auth_class_names, AUTH_CLASS_EAP);
- if (this->initiator)
+ if (!done->enumerate(done, &done_cfg))
{
- return FAILED;
+ done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ }
+ if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
+ {
+ do_another = TRUE;
+ break;
}
- return NEED_MORE;
- }
- if (this->initiator)
- {
- this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
- this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_unique_id(this->ike_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
- return SUCCESS;
}
- return NEED_MORE;
+ done->destroy(done);
+ todo->destroy(todo);
+ return do_another;
}
/**
- * Implementation of task_t.process for EAP exchanges
+ * Get peer configuration candidates from backends
*/
-static status_t process_eap_i(private_ike_auth_t *this, message_t *message)
+static bool load_cfg_candidates(private_ike_auth_t *this)
{
- eap_payload_t *eap;
-
- eap = (eap_payload_t*)message->get_payload(message, EXTENSIBLE_AUTHENTICATION);
- if (eap == NULL)
- {
- DBG1(DBG_IKE, "EAP payload missing");
- return FAILED;
+ enumerator_t *enumerator;
+ peer_cfg_t *peer_cfg;
+ host_t *me, *other;
+ identification_t *my_id, *other_id;
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+
+ enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+ me, other, my_id, other_id);
+ while (enumerator->enumerate(enumerator, &peer_cfg))
+ {
+ peer_cfg->get_ref(peer_cfg);
+ if (this->peer_cfg == NULL)
+ { /* best match */
+ this->peer_cfg = peer_cfg;
+ this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
+ }
+ else
+ {
+ this->candidates->insert_last(this->candidates, peer_cfg);
+ }
}
- switch (this->eap_auth->process(this->eap_auth, eap, &eap))
+ enumerator->destroy(enumerator);
+ if (this->peer_cfg)
{
- case NEED_MORE:
- this->eap_payload = eap;
- return NEED_MORE;
- case SUCCESS:
- /* EAP exchange completed, now create and process AUTH */
- this->eap_payload = NULL;
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
- return NEED_MORE;
- default:
- this->eap_payload = NULL;
- DBG0(DBG_IKE, "failed to authenticate against '%D' using EAP",
- this->ike_sa->get_other_id(this->ike_sa));
- return FAILED;
+ DBG1(DBG_CFG, "selected peer config '%s'",
+ this->peer_cfg->get_name(this->peer_cfg));
+ return TRUE;
}
+ DBG1(DBG_CFG, "no matching peer config found");
+ return FALSE;
}
/**
- * Implementation of task_t.process for EAP exchanges
- */
-static status_t process_eap_r(private_ike_auth_t *this, message_t *message)
-{
- this->eap_payload = (eap_payload_t*)message->get_payload(message,
- EXTENSIBLE_AUTHENTICATION);
- return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for EAP exchanges
- */
-static status_t build_eap_i(private_ike_auth_t *this, message_t *message)
-{
- message->add_payload(message, (payload_t*)this->eap_payload);
- return NEED_MORE;
-}
-
-/**
- * Implementation of task_t.build for EAP exchanges
+ * update the current peer candidate if necessary, using candidates
*/
-static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
+static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
{
- status_t status = NEED_MORE;
- eap_payload_t *eap;
-
- if (this->eap_payload == NULL)
- {
- DBG1(DBG_IKE, "EAP payload missing");
- return FAILED;
- }
-
- switch (this->eap_auth->process(this->eap_auth, this->eap_payload, &eap))
+ do
{
- case NEED_MORE:
+ if (this->peer_cfg)
+ {
+ bool complies = TRUE;
+ enumerator_t *e1, *e2, *tmp;
+ auth_cfg_t *c1, *c2;
- break;
- case SUCCESS:
- /* EAP exchange completed, now create and process AUTH */
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_auth_eap;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_auth_eap;
- break;
- default:
- DBG0(DBG_IKE, "authentication of '%D' with %N failed",
- this->ike_sa->get_other_id(this->ike_sa),
- auth_class_names, AUTH_CLASS_EAP);
- status = FAILED;
- break;
+ e1 = this->other_cfgs->create_enumerator(this->other_cfgs);
+ e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
+
+ if (strict)
+ { /* swap lists in strict mode: all configured rounds must be
+ * fulfilled. If !strict, we check only the rounds done so far. */
+ tmp = e1;
+ e1 = e2;
+ e2 = tmp;
+ }
+ while (e1->enumerate(e1, &c1))
+ {
+ /* check if done authentications comply to configured ones */
+ if ((!e2->enumerate(e2, &c2)) ||
+ (!strict && !c1->complies(c1, c2, TRUE)) ||
+ (strict && !c2->complies(c2, c1, TRUE)))
+ {
+ complies = FALSE;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ e2->destroy(e2);
+ if (complies)
+ {
+ break;
+ }
+ DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
+ this->peer_cfg->get_name(this->peer_cfg));
+ this->peer_cfg->destroy(this->peer_cfg);
+ }
+ if (this->candidates->remove_first(this->candidates,
+ (void**)&this->peer_cfg) != SUCCESS)
+ {
+ DBG1(DBG_CFG, "no alternative config found");
+ this->peer_cfg = NULL;
+ }
+ else
+ {
+ DBG1(DBG_CFG, "switching to peer config '%s'",
+ this->peer_cfg->get_name(this->peer_cfg));
+ this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
+ }
}
- message->add_payload(message, (payload_t*)eap);
- return status;
+ while (this->peer_cfg);
+
+ return this->peer_cfg != NULL;
}
/**
@@ -507,31 +351,104 @@ static status_t build_eap_r(private_ike_auth_t *this, message_t *message)
*/
static status_t build_i(private_ike_auth_t *this, message_t *message)
{
- peer_cfg_t *config;
-
+ auth_cfg_t *cfg;
+
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
return collect_my_init_data(this, message);
}
-
- if (build_id(this, message) != SUCCESS)
+
+ if (this->peer_cfg == NULL)
{
- return FAILED;
+ this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ this->peer_cfg->get_ref(this->peer_cfg);
}
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (get_auth_class(config) == AUTH_CLASS_EAP)
- {
- this->eap_auth = eap_authenticator_create(this->ike_sa);
+ if (message->get_message_id(message) == 1 &&
+ this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+ { /* in the first IKE_AUTH, indicate support for multiple authentication */
+ message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED, chunk_empty);
}
- else
+
+ if (!this->do_another_auth && !this->my_auth)
+ { /* we have done our rounds */
+ return NEED_MORE;
+ }
+
+ /* check if an authenticator is in progress */
+ if (this->my_auth == NULL)
{
- if (build_auth(this, message) != SUCCESS)
+ identification_t *id;
+ id_payload_t *id_payload;
+
+ /* clean up authentication config from a previous round */
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->purge(cfg, TRUE);
+
+ /* add (optional) IDr */
+ cfg = get_auth_cfg(this, FALSE);
+ if (cfg)
+ {
+ id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+ if (id && !id->contains_wildcards(id))
+ {
+ this->ike_sa->set_other_id(this->ike_sa, id->clone(id));
+ id_payload = id_payload_create_from_identification(
+ ID_RESPONDER, id);
+ message->add_payload(message, (payload_t*)id_payload);
+ }
+ }
+ /* add IDi */
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+ id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+ if (!id)
+ {
+ DBG1(DBG_CFG, "configuration misses IDi");
+ return FAILED;
+ }
+ this->ike_sa->set_my_id(this->ike_sa, id->clone(id));
+ id_payload = id_payload_create_from_identification(ID_INITIATOR, id);
+ message->add_payload(message, (payload_t*)id_payload);
+
+ /* build authentication data */
+ this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+ this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
+ if (!this->my_auth)
{
return FAILED;
}
}
-
+ switch (this->my_auth->build(this->my_auth, message))
+ {
+ case SUCCESS:
+ /* authentication step complete, reset authenticator */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
+ this->my_cfgs->insert_last(this->my_cfgs, cfg);
+ this->my_auth->destroy(this->my_auth);
+ this->my_auth = NULL;
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ return FAILED;
+ }
+
+ /* check for additional authentication rounds */
+ if (do_another_auth(this))
+ {
+ if (message->get_payload(message, AUTHENTICATION))
+ {
+ message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+ }
+ }
+ else
+ {
+ this->do_another_auth = FALSE;
+ }
return NEED_MORE;
}
@@ -540,45 +457,136 @@ static status_t build_i(private_ike_auth_t *this, message_t *message)
*/
static status_t process_r(private_ike_auth_t *this, message_t *message)
{
- peer_cfg_t *config;
+ auth_cfg_t *cfg, *cand;
+ id_payload_t *id_payload;
+ identification_t *id;
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
return collect_other_init_data(this, message);
}
- if (process_id(this, message) != SUCCESS)
+ if (this->my_auth == NULL && this->do_another_auth)
+ {
+ /* handle (optional) IDr payload, apply proposed identity */
+ id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+ if (id_payload)
+ {
+ id = id_payload->get_identification(id_payload);
+ }
+ else
+ {
+ id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ }
+ this->ike_sa->set_my_id(this->ike_sa, id);
+ }
+
+ if (!this->expect_another_auth)
{
return NEED_MORE;
}
+ if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+ }
- switch (process_auth(this, message))
+ if (this->other_auth == NULL)
+ {
+ /* handle IDi payload */
+ id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
+ if (!id_payload)
+ {
+ DBG1(DBG_IKE, "IDi payload missing");
+ return FAILED;
+ }
+ id = id_payload->get_identification(id_payload);
+ this->ike_sa->set_other_id(this->ike_sa, id);
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+
+ if (this->peer_cfg == NULL)
+ {
+ if (!load_cfg_candidates(this))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+ }
+ if (message->get_payload(message, AUTHENTICATION) == NULL)
+ { /* before authenticating with EAP, we need a EAP config */
+ cand = get_auth_cfg(this, FALSE);
+ while (!cand || (
+ (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
+ (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
+ { /* peer requested EAP, but current config does not match */
+ this->peer_cfg->destroy(this->peer_cfg);
+ this->peer_cfg = NULL;
+ if (!update_cfg_candidates(this, FALSE))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+ cand = get_auth_cfg(this, FALSE);
+ }
+ cfg->merge(cfg, cand, TRUE);
+ }
+
+ /* verify authentication data */
+ this->other_auth = authenticator_create_verifier(this->ike_sa,
+ message, this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
+ if (!this->other_auth)
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+ }
+ switch (this->other_auth->process(this->other_auth, message))
{
case SUCCESS:
- this->peer_authenticated = TRUE;
- break;
- case NOT_FOUND:
- /* use EAP if no AUTH payload found */
- this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE);
+ this->other_auth->destroy(this->other_auth);
+ this->other_auth = NULL;
break;
+ case NEED_MORE:
+ if (message->get_payload(message, AUTHENTICATION))
+ { /* AUTH verification successful, but another build() needed */
+ break;
+ }
+ return NEED_MORE;
default:
+ this->authentication_failed = TRUE;
return NEED_MORE;
}
-
- config = charon->backends->get_peer_cfg(charon->backends,
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_auth(this->ike_sa));
- if (config)
+
+ /* store authentication information */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+ this->other_cfgs->insert_last(this->other_cfgs, cfg);
+
+ /* another auth round done, invoke authorize hook */
+ if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
{
- this->ike_sa->set_peer_cfg(this->ike_sa, config);
- config->destroy(config);
+ DBG1(DBG_IKE, "round %d authorization hook forbids IKE_SA, cancelling",
+ this->other_cfgs->get_count(this->other_cfgs));
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
}
- if (!this->peer_authenticated)
- {
- this->eap_auth = eap_authenticator_create(this->ike_sa);
+
+ if (!update_cfg_candidates(this, FALSE))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+
+ if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
+ {
+ this->expect_another_auth = FALSE;
+ if (!update_cfg_candidates(this, TRUE))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
}
return NEED_MORE;
}
@@ -588,54 +596,142 @@ static status_t process_r(private_ike_auth_t *this, message_t *message)
*/
static status_t build_r(private_ike_auth_t *this, message_t *message)
{
- peer_cfg_t *config;
- eap_type_t eap_type;
- u_int32_t eap_vendor;
- eap_payload_t *eap_payload;
- status_t status;
-
+ auth_cfg_t *cfg;
+
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
+ if (multiple_auth_enabled())
+ {
+ message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+ chunk_empty);
+ }
return collect_my_init_data(this, message);
}
- if (!this->peer_authenticated && this->eap_auth == NULL)
+ if (this->authentication_failed || this->peer_cfg == NULL)
{
- /* peer not authenticated, nor does it want to use EAP */
message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
return FAILED;
}
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (config == NULL)
+ if (this->my_auth == NULL && this->do_another_auth)
{
- DBG1(DBG_IKE, "no matching config found for '%D'...'%D'",
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
- return FAILED;
+ identification_t *id, *id_cfg;
+ id_payload_t *id_payload;
+
+ /* add IDr */
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->purge(cfg, TRUE);
+ cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+
+ id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
+ id = this->ike_sa->get_my_id(this->ike_sa);
+ if (id->get_type(id) == ID_ANY)
+ { /* no IDr received, apply configured ID */
+ if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
+ {
+ DBG1(DBG_CFG, "IDr not configured and negotiation failed");
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ return FAILED;
+ }
+ this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
+ id = id_cfg;
+ }
+ else
+ { /* IDr received, check if it matches configuration */
+ if (id_cfg && !id->matches(id, id_cfg))
+ {
+ DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ return FAILED;
+ }
+ }
+
+ id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
+ message->add_payload(message, (payload_t*)id_payload);
+
+ /* build authentication data */
+ this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+ this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
+ if (!this->my_auth)
+ {
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
+ return FAILED;
+ }
}
- if (build_id(this, message) != SUCCESS ||
- build_auth(this, message) != SUCCESS)
+ if (this->other_auth)
{
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
- return FAILED;
+ switch (this->other_auth->build(this->other_auth, message))
+ {
+ case SUCCESS:
+ this->other_auth->destroy(this->other_auth);
+ this->other_auth = NULL;
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ if (!message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+ { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ }
+ return FAILED;
+ }
}
-
- if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
- this->ike_sa))
+ if (this->my_auth)
{
- DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
- message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty);
- return FAILED;
+ switch (this->my_auth->build(this->my_auth, message))
+ {
+ case SUCCESS:
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+ TRUE);
+ this->my_cfgs->insert_last(this->my_cfgs, cfg);
+ this->my_auth->destroy(this->my_auth);
+ this->my_auth = NULL;
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ return FAILED;
+ }
}
- /* use "traditional" authentication if we could authenticate peer */
- if (this->peer_authenticated)
+ /* check for additional authentication rounds */
+ if (do_another_auth(this))
+ {
+ message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+ }
+ else
+ {
+ this->do_another_auth = FALSE;
+ }
+ if (!this->do_another_auth && !this->expect_another_auth)
{
+ if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+ this->ike_sa))
+ {
+ DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy");
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ return FAILED;
+ }
+ if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ return FAILED;
+ }
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+ DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
@@ -644,21 +740,6 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
this->ike_sa->get_other_id(this->ike_sa));
return SUCCESS;
}
-
- /* initiate EAP authenitcation */
- eap_type = get_eap_type(config, &eap_vendor);
- status = this->eap_auth->initiate(this->eap_auth, eap_type,
- eap_vendor, &eap_payload);
- message->add_payload(message, (payload_t*)eap_payload);
- if (status != NEED_MORE)
- {
- DBG1(DBG_IKE, "unable to initiate EAP authentication");
- return FAILED;
- }
-
- /* switch to EAP methods */
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_r;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_r;
return NEED_MORE;
}
@@ -667,18 +748,22 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
*/
static status_t process_i(private_ike_auth_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
- peer_cfg_t *config;
- auth_info_t *auth;
+ auth_cfg_t *cfg;
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
+ if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
+ multiple_auth_enabled())
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+ }
return collect_other_init_data(this, message);
}
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -714,7 +799,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
{
DBG1(DBG_IKE, "received %N notify error",
notify_type_names, type);
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return FAILED;
}
DBG2(DBG_IKE, "received %N notify",
@@ -724,39 +809,116 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
- if (process_id(this, message) != SUCCESS ||
- process_auth(this, message) != SUCCESS)
+ if (this->my_auth)
{
- return FAILED;
+ switch (this->my_auth->process(this->my_auth, message))
+ {
+ case SUCCESS:
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+ TRUE);
+ this->my_cfgs->insert_last(this->my_cfgs, cfg);
+ this->my_auth->destroy(this->my_auth);
+ this->my_auth = NULL;
+ this->do_another_auth = do_another_auth(this);
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ return FAILED;
+ }
}
- if (this->eap_auth)
+ if (this->expect_another_auth)
{
- /* switch to EAP authentication methods */
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_eap_i;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_eap_i;
- return process_eap_i(this, message);
+ if (this->other_auth == NULL)
+ {
+ id_payload_t *id_payload;
+ identification_t *id;
+
+ /* responder is not allowed to do EAP */
+ if (!message->get_payload(message, AUTHENTICATION))
+ {
+ DBG1(DBG_IKE, "AUTH payload missing");
+ return FAILED;
+ }
+
+ /* handle IDr payload */
+ id_payload = (id_payload_t*)message->get_payload(message,
+ ID_RESPONDER);
+ if (!id_payload)
+ {
+ DBG1(DBG_IKE, "IDr payload missing");
+ return FAILED;
+ }
+ id = id_payload->get_identification(id_payload);
+ this->ike_sa->set_other_id(this->ike_sa, id);
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+
+ /* verify authentication data */
+ this->other_auth = authenticator_create_verifier(this->ike_sa,
+ message, this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet));
+ if (!this->other_auth)
+ {
+ return FAILED;
+ }
+ }
+ switch (this->other_auth->process(this->other_auth, message))
+ {
+ case SUCCESS:
+ break;
+ case NEED_MORE:
+ return NEED_MORE;
+ default:
+ return FAILED;
+ }
+ /* store authentication information, reset authenticator */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+ this->other_cfgs->insert_last(this->other_cfgs, cfg);
+ this->other_auth->destroy(this->other_auth);
+ this->other_auth = NULL;
+
+ /* another auth round done, invoke authorize hook */
+ if (!charon->bus->authorize(charon->bus, this->other_cfgs, FALSE))
+ {
+ DBG1(DBG_IKE, "round %d authorization forbids IKE_SA, cancelling",
+ this->other_cfgs->get_count(this->other_cfgs));
+ return FAILED;
+ }
}
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- auth = this->ike_sa->get_other_auth(this->ike_sa);
- if (!auth->complies(auth, config->get_auth(config)))
+ if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
{
- DBG0(DBG_IKE, "authorization of '%D' for config %s failed",
- this->ike_sa->get_other_id(this->ike_sa), config->get_name(config));
- return FAILED;
+ this->expect_another_auth = FALSE;
}
- this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
- this->ike_sa->get_name(this->ike_sa),
- this->ike_sa->get_unique_id(this->ike_sa),
- this->ike_sa->get_my_host(this->ike_sa),
- this->ike_sa->get_my_id(this->ike_sa),
- this->ike_sa->get_other_host(this->ike_sa),
- this->ike_sa->get_other_id(this->ike_sa));
- return SUCCESS;
+ if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
+ {
+ if (!update_cfg_candidates(this, TRUE))
+ {
+ return FAILED;
+ }
+ if (!charon->bus->authorize(charon->bus, this->other_cfgs, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ return FAILED;
+ }
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+ return SUCCESS;
+ }
+ return NEED_MORE;
}
/**
@@ -776,28 +938,25 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa)
chunk_free(&this->other_nonce);
DESTROY_IF(this->my_packet);
DESTROY_IF(this->other_packet);
- if (this->eap_auth)
- {
- this->eap_auth->authenticator_interface.destroy(
- &this->eap_auth->authenticator_interface);
- }
+ DESTROY_IF(this->peer_cfg);
+ DESTROY_IF(this->my_auth);
+ DESTROY_IF(this->other_auth);
+ this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
+ this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
+ this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
this->my_packet = NULL;
this->other_packet = NULL;
- this->peer_authenticated = FALSE;
- this->eap_auth = NULL;
- this->eap_payload = NULL;
this->ike_sa = ike_sa;
- if (this->initiator)
- {
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
- }
- else
- {
- this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
- this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
- }
+ this->peer_cfg = NULL;
+ this->my_auth = NULL;
+ this->other_auth = NULL;
+ this->do_another_auth = TRUE;
+ this->expect_another_auth = TRUE;
+ this->authentication_failed = FALSE;
+ this->my_cfgs = linked_list_create();
+ this->other_cfgs = linked_list_create();
+ this->candidates = linked_list_create();
}
/**
@@ -809,11 +968,12 @@ static void destroy(private_ike_auth_t *this)
chunk_free(&this->other_nonce);
DESTROY_IF(this->my_packet);
DESTROY_IF(this->other_packet);
- if (this->eap_auth)
- {
- this->eap_auth->authenticator_interface.destroy(
- &this->eap_auth->authenticator_interface);
- }
+ DESTROY_IF(this->my_auth);
+ DESTROY_IF(this->other_auth);
+ DESTROY_IF(this->peer_cfg);
+ this->my_cfgs->destroy_offset(this->my_cfgs, offsetof(auth_cfg_t, destroy));
+ this->other_cfgs->destroy_offset(this->other_cfgs, offsetof(auth_cfg_t, destroy));
+ this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
free(this);
}
@@ -823,7 +983,7 @@ static void destroy(private_ike_auth_t *this)
ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
{
private_ike_auth_t *this = malloc_thing(private_ike_auth_t);
-
+
this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
this->public.task.destroy = (void(*)(task_t*))destroy;
@@ -845,9 +1005,16 @@ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
this->other_nonce = chunk_empty;
this->my_packet = NULL;
this->other_packet = NULL;
- this->peer_authenticated = FALSE;
- this->eap_auth = NULL;
- this->eap_payload = NULL;
+ this->peer_cfg = NULL;
+ this->my_cfgs = linked_list_create();
+ this->other_cfgs = linked_list_create();
+ this->candidates = linked_list_create();
+ this->my_auth = NULL;
+ this->other_auth = NULL;
+ this->do_another_auth = TRUE;
+ this->expect_another_auth = TRUE;
+ this->authentication_failed = FALSE;
return &this->public;
}
+
diff --git a/src/charon/sa/tasks/ike_auth.h b/src/charon/sa/tasks/ike_auth.h
index a4719ec24..bba46d961 100644
--- a/src/charon/sa/tasks/ike_auth.h
+++ b/src/charon/sa/tasks/ike_auth.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_auth.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.c b/src/charon/sa/tasks/ike_auth_lifetime.c
index cb17cc2dc..a047e6b81 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.c
+++ b/src/charon/sa/tasks/ike_auth_lifetime.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_auth_lifetime.c 4576 2008-11-05 08:32:38Z martin $
*/
#include "ike_auth_lifetime.h"
@@ -64,12 +62,12 @@ static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *mess
*/
static void process_payloads(private_ike_auth_lifetime_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
notify_payload_t *notify;
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -88,7 +86,7 @@ static void process_payloads(private_ike_auth_lifetime_t *this, message_t *messa
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
diff --git a/src/charon/sa/tasks/ike_auth_lifetime.h b/src/charon/sa/tasks/ike_auth_lifetime.h
index 46595e6ed..812caaf43 100644
--- a/src/charon/sa/tasks/ike_auth_lifetime.h
+++ b/src/charon/sa/tasks/ike_auth_lifetime.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_auth_lifetime.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_cert_post.c b/src/charon/sa/tasks/ike_cert_post.c
index cb533236e..70e87c2e7 100644
--- a/src/charon/sa/tasks/ike_cert_post.c
+++ b/src/charon/sa/tasks/ike_cert_post.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2008 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_cert_post.c 4276 2008-08-22 10:44:51Z martin $
*/
#include "ike_cert_post.h"
@@ -22,6 +20,7 @@
#include <sa/ike_sa.h>
#include <encoding/payloads/cert_payload.h>
#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/auth_payload.h>
#include <credentials/certificates/x509.h>
@@ -98,70 +97,71 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, certifi
}
/**
- * from ike_auth.c
- */
-auth_class_t get_auth_class(peer_cfg_t *config);
-
-/**
* add certificates to message
*/
static void build_certs(private_ike_cert_post_t *this, message_t *message)
{
peer_cfg_t *peer_cfg;
+ auth_payload_t *payload;
+ payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
- if (peer_cfg && get_auth_class(peer_cfg) == AUTH_CLASS_PUBKEY)
+ if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
+ { /* no CERT payload for EAP/PSK */
+ return;
+ }
+
+ switch (peer_cfg->get_cert_policy(peer_cfg))
{
- switch (peer_cfg->get_cert_policy(peer_cfg))
+ case CERT_NEVER_SEND:
+ break;
+ case CERT_SEND_IF_ASKED:
+ if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
+ {
+ break;
+ }
+ /* FALL */
+ case CERT_ALWAYS_SEND:
{
- case CERT_NEVER_SEND:
+ cert_payload_t *payload;
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ auth_rule_t type;
+ auth_cfg_t *auth;
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+
+ /* get subject cert first, then issuing certificates */
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!cert)
+ {
break;
- case CERT_SEND_IF_ASKED:
- if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
- {
- break;
- }
- /* FALL */
- case CERT_ALWAYS_SEND:
+ }
+ payload = build_cert_payload(this, cert);
+ if (!payload)
{
- cert_payload_t *payload;
- enumerator_t *enumerator;
- certificate_t *cert;
- auth_info_t *auth;
- auth_item_t item;
-
- auth = this->ike_sa->get_my_auth(this->ike_sa);
- /* get subject cert first, then issuing certificates */
- if (!auth->get_item(auth, AUTHZ_SUBJECT_CERT, (void**)&cert))
- {
- break;
- }
- payload = build_cert_payload(this, cert);
- if (!payload)
- {
- break;
- }
- DBG1(DBG_IKE, "sending end entity cert \"%D\"",
- cert->get_subject(cert));
- message->add_payload(message, (payload_t*)payload);
-
- enumerator = auth->create_item_enumerator(auth);
- while (enumerator->enumerate(enumerator, &item, &cert))
+ break;
+ }
+ DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
+ cert->get_subject(cert));
+ message->add_payload(message, (payload_t*)payload);
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &type, &cert))
+ {
+ if (type == AUTH_RULE_IM_CERT)
{
- if (item == AUTHZ_IM_CERT)
+ payload = cert_payload_create_from_cert(cert);
+ if (payload)
{
- payload = cert_payload_create_from_cert(cert);
- if (payload)
- {
- DBG1(DBG_IKE, "sending issuer cert \"%D\"",
- cert->get_subject(cert));
- message->add_payload(message, (payload_t*)payload);
- }
+ DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+ cert->get_subject(cert));
+ message->add_payload(message, (payload_t*)payload);
}
}
- enumerator->destroy(enumerator);
- }
- }
+ }
+ enumerator->destroy(enumerator);
+ }
}
}
@@ -170,12 +170,9 @@ static void build_certs(private_ike_cert_post_t *this, message_t *message)
*/
static status_t build_i(private_ike_cert_post_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_SA_INIT)
- {
- return NEED_MORE;
- }
build_certs(this, message);
- return SUCCESS;
+
+ return NEED_MORE;
}
/**
@@ -191,11 +188,12 @@ static status_t process_r(private_ike_cert_post_t *this, message_t *message)
*/
static status_t build_r(private_ike_cert_post_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_SA_INIT)
- {
+ build_certs(this, message);
+
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* stay alive, we might have additional rounds with certs */
return NEED_MORE;
}
- build_certs(this, message);
return SUCCESS;
}
@@ -204,8 +202,8 @@ static status_t build_r(private_ike_cert_post_t *this, message_t *message)
*/
static status_t process_i(private_ike_cert_post_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_SA_INIT)
- {
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* stay alive, we might have additional rounds with CERTS */
return NEED_MORE;
}
return SUCCESS;
diff --git a/src/charon/sa/tasks/ike_cert_post.h b/src/charon/sa/tasks/ike_cert_post.h
index ec9d172e1..fa555eac7 100644
--- a/src/charon/sa/tasks/ike_cert_post.h
+++ b/src/charon/sa/tasks/ike_cert_post.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_cert_post.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_cert_pre.c b/src/charon/sa/tasks/ike_cert_pre.c
index 353b76a22..1c72f289f 100644
--- a/src/charon/sa/tasks/ike_cert_pre.c
+++ b/src/charon/sa/tasks/ike_cert_pre.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Tobias Brunner
- * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_cert_pre.c 4285 2008-08-26 05:15:34Z andreas $
*/
#include "ike_cert_pre.h"
@@ -48,9 +46,14 @@ struct private_ike_cert_pre_t {
bool initiator;
/**
- * Did we send a HTTP_CERT_LOOKUP_SUPPORTED Notify?
+ * Do we accept HTTP certificate lookup requests
+ */
+ bool do_http_lookup;
+
+ /**
+ * wheter this is the final authentication round
*/
- bool http_cert_lookup_supported_sent;
+ bool final;
};
/**
@@ -58,23 +61,22 @@ struct private_ike_cert_pre_t {
*/
static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
- auth_info_t *auth;
- bool ca_found = FALSE;
+ auth_cfg_t *auth;
- auth = this->ike_sa->get_my_auth(this->ike_sa);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
switch(payload->get_type(payload))
{
case CERTIFICATE_REQUEST:
{
certreq_payload_t *certreq = (certreq_payload_t*)payload;
- chunk_t keyid;
enumerator_t *enumerator;
+ chunk_t keyid;
this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
@@ -96,17 +98,14 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
CERT_X509, KEY_ANY, id, TRUE);
if (cert)
{
- DBG1(DBG_IKE, "received cert request for \"%D\"",
+ DBG1(DBG_IKE, "received cert request for \"%Y\"",
cert->get_subject(cert));
- auth->add_item(auth, AUTHN_CA_CERT, cert);
- cert->destroy(cert);
- ca_found = TRUE;
+ auth->add(auth, AUTH_RULE_CA_CERT, cert);
}
else
{
DBG1(DBG_IKE, "received cert request for unknown ca "
- "with keyid %D", id);
- auth->add_item(auth, AUTHN_CA_CERT_KEYID, id);
+ "with keyid %Y", id);
}
id->destroy(id);
}
@@ -129,7 +128,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -140,6 +139,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
static certificate_t *try_get_cert(cert_payload_t *cert_payload)
{
certificate_t *cert = NULL;
+
switch (cert_payload->get_cert_encoding(cert_payload))
{
case ENC_X509_SIGNATURE:
@@ -158,7 +158,7 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
}
id = identification_create_from_encoding(ID_CERT_DER_SHA1, hash);
cert = charon->credentials->get_cert(charon->credentials,
- CERT_X509, KEY_ANY, id, FALSE);
+ CERT_X509, KEY_ANY, id, FALSE);
id->destroy(id);
break;
}
@@ -175,78 +175,81 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload)
*/
static void process_certs(private_ike_cert_pre_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
- auth_info_t *auth;
+ auth_cfg_t *auth;
bool first = TRUE;
- auth = this->ike_sa->get_other_auth(this->ike_sa);
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == CERTIFICATE)
{
- cert_payload_t *cert_payload = (cert_payload_t*)payload;
- cert_encoding_t type = cert_payload->get_cert_encoding(cert_payload);
- switch (type)
+ cert_payload_t *cert_payload;
+ cert_encoding_t encoding;
+ certificate_t *cert;
+ char *url;
+
+ cert_payload = (cert_payload_t*)payload;
+ encoding = cert_payload->get_cert_encoding(cert_payload);
+
+ switch (encoding)
{
- case ENC_X509_SIGNATURE:
case ENC_X509_HASH_AND_URL:
{
- if (type == ENC_X509_HASH_AND_URL &&
- !this->http_cert_lookup_supported_sent)
+ if (!this->do_http_lookup)
{
DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
" we don't accept them, ignore");
break;
}
-
- certificate_t *cert = try_get_cert(cert_payload);
-
+ /* FALL */
+ }
+ case ENC_X509_SIGNATURE:
+ {
+ cert = try_get_cert(cert_payload);
if (cert)
{
- /* we've got a certificate from the payload or the cache */
if (first)
- { /* the first certificate MUST be an end entity one */
- DBG1(DBG_IKE, "received end entity cert \"%D\"",
+ { /* the first is an end entity certificate */
+ DBG1(DBG_IKE, "received end entity cert \"%Y\"",
cert->get_subject(cert));
- auth->add_item(auth, AUTHN_SUBJECT_CERT, cert);
+ auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
first = FALSE;
}
else
{
- DBG1(DBG_IKE, "received issuer cert \"%D\"",
+ DBG1(DBG_IKE, "received issuer cert \"%Y\"",
cert->get_subject(cert));
- auth->add_item(auth, AUTHN_IM_CERT, cert);
+ auth->add(auth, AUTH_HELPER_IM_CERT, cert);
}
- cert->destroy(cert);
}
- else if (type == ENC_X509_HASH_AND_URL)
+ else if (encoding == ENC_X509_HASH_AND_URL)
{
- /* we received a "Hash and URL" encoded certificate that
- * we haven't fetched yet, we store the URL and fetch
- * it later */
- char *url = cert_payload->get_url(cert_payload);
+ /* we fetch the certificate not yet, but only if
+ * it is really needed during authentication */
+ url = cert_payload->get_url(cert_payload);
if (!url)
{
- DBG1(DBG_IKE, "received invalid hash-and-url encoded"
- " cert, ignore");
+ DBG1(DBG_IKE, "received invalid hash-and-url "
+ "encoded cert, ignore");
break;
}
-
+ url = strdup(url);
if (first)
- { /* the first certificate MUST be an end entity one */
+ { /* first URL is for an end entity certificate */
DBG1(DBG_IKE, "received hash-and-url for end"
- " entity cert \"%s\"", url);
- auth->add_item(auth, AUTHN_SUBJECT_HASH_URL, url);
+ " entity cert \"%s\"", url);
+ auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
first = FALSE;
}
else
{
DBG1(DBG_IKE, "received hash-and-url for issuer"
" cert \"%s\"", url);
- auth->add_item(auth, AUTHN_IM_HASH_URL, url);
+ auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
}
}
break;
@@ -264,31 +267,23 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message)
case ENC_OCSP_CONTENT:
default:
DBG1(DBG_ENC, "certificate encoding %N not supported",
- cert_encoding_names, cert_payload->get_cert_encoding(cert_payload));
+ cert_encoding_names, encoding);
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
- * add a certificate request to the message, building request payload if required.
+ * add the keyid of a certificate to the certificate request payload
*/
-static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
- certificate_t *cert)
+static void add_certreq(certreq_payload_t **req, certificate_t *cert)
{
- public_key_t *public;
- certreq_payload_t *req;
-
- public = cert->get_public_key(cert);
- if (!public)
- {
- return;
- }
switch (cert->get_type(cert))
{
case CERT_X509:
{
+ public_key_t *public;
identification_t *keyid;
x509_t *x509 = (x509_t*)cert;
@@ -296,22 +291,49 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
{ /* no CA cert, skip */
break;
}
- if (*reqp == NULL)
+ public = cert->get_public_key(cert);
+ if (!public)
{
- *reqp = certreq_payload_create_type(CERT_X509);
- message->add_payload(message, (payload_t*)*reqp);
+ break;
+ }
+ if (*req == NULL)
+ {
+ *req = certreq_payload_create_type(CERT_X509);
}
- req = *reqp;
keyid = public->get_id(public, ID_PUBKEY_INFO_SHA1);
- req->add_keyid(req, keyid->get_encoding(keyid));
- DBG1(DBG_IKE, "sending cert request for \"%D\"",
+ (*req)->add_keyid(*req, keyid->get_encoding(keyid));
+ public->destroy(public);
+ DBG1(DBG_IKE, "sending cert request for \"%Y\"",
cert->get_subject(cert));
break;
}
default:
break;
}
- public->destroy(public);
+}
+
+/**
+ * add a auth_cfg's CA certificates to the certificate request
+ */
+static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
+{
+ enumerator_t *enumerator;
+ auth_rule_t type;
+ void *value;
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ switch (type)
+ {
+ case AUTH_RULE_CA_CERT:
+ add_certreq(req, (certificate_t*)value);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
}
/**
@@ -319,88 +341,96 @@ static void add_certreq_payload(message_t *message, certreq_payload_t **reqp,
*/
static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
{
+ enumerator_t *enumerator;
ike_cfg_t *ike_cfg;
peer_cfg_t *peer_cfg;
- enumerator_t *enumerator;
certificate_t *cert;
- bool restricted = FALSE;
- certreq_payload_t *x509_req = NULL;
+ auth_cfg_t *auth;
+ certreq_payload_t *req = NULL;
ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
if (!ike_cfg->send_certreq(ike_cfg))
{
return;
}
-
+
/* check if we require a specific CA for that peer */
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
if (peer_cfg)
{
- void *ptr;
- identification_t *id;
- auth_item_t item;
- auth_info_t *auth = peer_cfg->get_auth(peer_cfg);
- enumerator_t *auth_enumerator = auth->create_item_enumerator(auth);
-
- while (auth_enumerator->enumerate(auth_enumerator, &item, &ptr))
+ enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+ while (enumerator->enumerate(enumerator, &auth))
{
- switch (item)
- {
- case AUTHZ_CA_CERT:
- cert = (certificate_t *)ptr;
- add_certreq_payload(message, &x509_req, cert);
- restricted = TRUE;
- break;
- case AUTHZ_CA_CERT_NAME:
- id = (identification_t *)ptr;
- enumerator = charon->credentials->create_cert_enumerator(
- charon->credentials, CERT_ANY, KEY_ANY, id, TRUE);
- while (enumerator->enumerate(enumerator, &cert, TRUE))
- {
- add_certreq_payload(message, &x509_req, cert);
- restricted = TRUE;
- }
- enumerator->destroy(enumerator);
- break;
- default:
- break;
- }
+ add_certreqs(&req, auth);
}
- auth_enumerator->destroy(auth_enumerator);
+ enumerator->destroy(enumerator);
}
-
- if (!restricted)
+
+ if (!req)
{
- /* otherwise include all trusted CA certificates */
+ /* otherwise add all trusted CA certificates */
enumerator = charon->credentials->create_cert_enumerator(
charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE);
- while (enumerator->enumerate(enumerator, &cert, TRUE))
+ while (enumerator->enumerate(enumerator, &cert))
{
- add_certreq_payload(message, &x509_req, cert);
+ add_certreq(&req, cert);
}
enumerator->destroy(enumerator);
}
- /* if we've added at least one certreq, we notify our peer that we support
- * "Hash and URL" for the requested certificates */
- if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE) &&
- message->get_payload(message, CERTIFICATE_REQUEST))
+ if (req)
{
- message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED, chunk_empty);
- this->http_cert_lookup_supported_sent = TRUE;
+ message->add_payload(message, (payload_t*)req);
+
+ if (lib->settings->get_bool(lib->settings, "charon.hash_and_url", FALSE))
+ {
+ message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
+ chunk_empty);
+ this->do_http_lookup = TRUE;
+ }
}
}
/**
+ * Check if this is the final authentication round
+ */
+static bool final_auth(message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ notify_payload_t *notify;
+
+ /* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
+ if (message->get_payload(message, AUTHENTICATION) == NULL)
+ {
+ return FALSE;
+ }
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify = (notify_payload_t*)payload;
+ if (notify->get_notify_type(notify) == ANOTHER_AUTH_FOLLOWS)
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ return TRUE;
+}
+
+/**
* Implementation of task_t.process for initiator
*/
static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_SA_INIT)
- {
- return NEED_MORE;
+ if (message->get_message_id(message) == 1)
+ { /* initiator sends CERTREQs in first IKE_AUTH */
+ build_certreqs(this, message);
}
- build_certreqs(this, message);
return NEED_MORE;
}
@@ -408,13 +438,13 @@ static status_t build_i(private_ike_cert_pre_t *this, message_t *message)
* Implementation of task_t.process for responder
*/
static status_t process_r(private_ike_cert_pre_t *this, message_t *message)
-{
- if (message->get_exchange_type(message) == IKE_SA_INIT)
- {
- return NEED_MORE;
+{
+ if (message->get_exchange_type(message) != IKE_SA_INIT)
+ { /* handle certreqs/certs in any IKE_AUTH, just in case */
+ process_certreqs(this, message);
+ process_certs(this, message);
}
- process_certreqs(this, message);
- process_certs(this, message);
+ this->final = final_auth(message);
return NEED_MORE;
}
@@ -426,9 +456,12 @@ static status_t build_r(private_ike_cert_pre_t *this, message_t *message)
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
build_certreqs(this, message);
- return NEED_MORE;
}
- return SUCCESS;
+ if (this->final)
+ {
+ return SUCCESS;
+ }
+ return NEED_MORE;
}
/**
@@ -439,10 +472,14 @@ static status_t process_i(private_ike_cert_pre_t *this, message_t *message)
if (message->get_exchange_type(message) == IKE_SA_INIT)
{
process_certreqs(this, message);
- return NEED_MORE;
}
process_certs(this, message);
- return SUCCESS;
+
+ if (final_auth(message))
+ {
+ return SUCCESS;
+ }
+ return NEED_MORE;
}
/**
@@ -493,7 +530,8 @@ ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
this->ike_sa = ike_sa;
this->initiator = initiator;
- this->http_cert_lookup_supported_sent = FALSE;
+ this->do_http_lookup = FALSE;
+ this->final = FALSE;
return &this->public;
}
diff --git a/src/charon/sa/tasks/ike_cert_pre.h b/src/charon/sa/tasks/ike_cert_pre.h
index d6d06b04f..d49005e68 100644
--- a/src/charon/sa/tasks/ike_cert_pre.h
+++ b/src/charon/sa/tasks/ike_cert_pre.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_cert_pre.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c
index b890e93ba..1f75521b6 100644
--- a/src/charon/sa/tasks/ike_config.c
+++ b/src/charon/sa/tasks/ike_config.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_config.c 4867 2009-02-13 11:57:50Z andreas $
*/
#include "ike_config.h"
@@ -50,54 +48,34 @@ struct private_ike_config_t {
* virtual ip
*/
host_t *virtual_ip;
-
- /**
- * list of DNS servers
- */
- linked_list_t *dns;
-
- /**
- * list of WINS servers
- */
- linked_list_t *nbns;
};
/**
- * build configuration payloads and attributes
+ * build INTERNAL_IPV4/6_ADDRESS from virtual ip
*/
-static void build_payloads(private_ike_config_t *this, message_t *message,
- config_type_t type)
+static void build_vip(private_ike_config_t *this, host_t *vip, cp_payload_t *cp)
{
- cp_payload_t *cp;
configuration_attribute_t *ca;
chunk_t chunk, prefix;
- if (!this->virtual_ip)
- {
- return;
- }
-
- cp = cp_payload_create();
- cp->set_config_type(cp, type);
-
ca = configuration_attribute_create();
- if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET)
+ if (vip->get_family(vip) == AF_INET)
{
ca->set_type(ca, INTERNAL_IP4_ADDRESS);
- if (this->virtual_ip->is_anyaddr(this->virtual_ip))
+ if (vip->is_anyaddr(vip))
{
chunk = chunk_empty;
}
else
{
- chunk = this->virtual_ip->get_address(this->virtual_ip);
+ chunk = vip->get_address(vip);
}
}
else
{
ca->set_type(ca, INTERNAL_IP6_ADDRESS);
- if (this->virtual_ip->is_anyaddr(this->virtual_ip))
+ if (vip->is_anyaddr(vip))
{
chunk = chunk_empty;
}
@@ -105,71 +83,12 @@ static void build_payloads(private_ike_config_t *this, message_t *message,
{
prefix = chunk_alloca(1);
*prefix.ptr = 64;
- chunk = this->virtual_ip->get_address(this->virtual_ip);
+ chunk = vip->get_address(vip);
chunk = chunk_cata("cc", chunk, prefix);
}
}
ca->set_value(ca, chunk);
cp->add_configuration_attribute(cp, ca);
-
- /* we currently always add a DNS request if we request an IP */
- if (this->initiator)
- {
- ca = configuration_attribute_create();
- if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET)
- {
- ca->set_type(ca, INTERNAL_IP4_DNS);
- }
- else
- {
- ca->set_type(ca, INTERNAL_IP6_DNS);
- }
- cp->add_configuration_attribute(cp, ca);
- }
- else
- {
- host_t *ip;
- iterator_t *iterator;
-
- /* Add internal DNS servers */
- iterator = this->dns->create_iterator(this->dns, TRUE);
- while (iterator->iterate(iterator, (void**)&ip))
- {
- ca = configuration_attribute_create();
- if (ip->get_family(ip) == AF_INET)
- {
- ca->set_type(ca, INTERNAL_IP4_DNS);
- }
- else
- {
- ca->set_type(ca, INTERNAL_IP6_DNS);
- }
- chunk = ip->get_address(ip);
- ca->set_value(ca, chunk);
- cp->add_configuration_attribute(cp, ca);
- }
- iterator->destroy(iterator);
-
- /* Add internal WINS servers */
- iterator = this->nbns->create_iterator(this->nbns, TRUE);
- while (iterator->iterate(iterator, (void**)&ip))
- {
- ca = configuration_attribute_create();
- if (ip->get_family(ip) == AF_INET)
- {
- ca->set_type(ca, INTERNAL_IP4_NBNS);
- }
- else
- {
- ca->set_type(ca, INTERNAL_IP6_NBNS);
- }
- chunk = ip->get_address(ip);
- ca->set_value(ca, chunk);
- cp->add_configuration_attribute(cp, ca);
- }
- iterator->destroy(iterator);
- }
- message->add_payload(message, (payload_t*)cp);
}
/**
@@ -203,55 +122,23 @@ static void process_attribute(private_ike_config_t *this,
}
ip = host_create_from_chunk(family, addr, 0);
}
- if (ip && !this->virtual_ip)
- {
- this->virtual_ip = ip;
- }
- break;
- }
- case INTERNAL_IP4_DNS:
- family = AF_INET;
- /* fall */
- case INTERNAL_IP6_DNS:
- {
- addr = ca->get_value(ca);
- if (addr.len == 0)
- {
- ip = host_create_any(family);
- }
- else
- {
- ip = host_create_from_chunk(family, addr, 0);
- }
if (ip)
{
- this->dns->insert_last(this->dns, ip);
+ DESTROY_IF(this->virtual_ip);
+ this->virtual_ip = ip;
}
break;
}
- case INTERNAL_IP4_NBNS:
- case INTERNAL_IP6_NBNS:
- {
- addr = ca->get_value(ca);
- if (addr.len == 0)
+ default:
+ if (this->initiator)
{
- ip = host_create_any(family);
+ this->ike_sa->add_configuration_attribute(this->ike_sa,
+ ca->get_type(ca), ca->get_value(ca));
}
else
{
- ip = host_create_from_chunk(family, addr, 0);
+ /* we do not handle attribute requests other than for VIPs */
}
- if (ip)
- {
- this->nbns->insert_last(this->nbns, ip);
- }
- break;
- }
- default:
- DBG1(DBG_IKE, "ignoring %N config attribute",
- configuration_attribute_type_names,
- ca->get_type(ca));
- break;
}
}
@@ -260,11 +147,12 @@ static void process_attribute(private_ike_config_t *this,
*/
static void process_payloads(private_ike_config_t *this, message_t *message)
{
- iterator_t *iterator, *attributes;
+ enumerator_t *enumerator;
+ iterator_t *attributes;
payload_t *payload;
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == CONFIGURATION)
{
@@ -290,7 +178,7 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -298,9 +186,8 @@ static void process_payloads(private_ike_config_t *this, message_t *message)
*/
static status_t build_i(private_ike_config_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_AUTH &&
- message->get_payload(message, ID_INITIATOR))
- {
+ if (message->get_message_id(message) == 1)
+ { /* in first IKE_AUTH only */
peer_cfg_t *config;
host_t *vip;
@@ -313,12 +200,28 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
}
if (vip)
{
- this->virtual_ip = vip->clone(vip);
+ configuration_attribute_t *ca;
+ cp_payload_t *cp;
+
+ cp = cp_payload_create();
+ cp->set_config_type(cp, CFG_REQUEST);
+
+ build_vip(this, vip, cp);
+
+ /* we currently always add a DNS request if we request an IP */
+ ca = configuration_attribute_create();
+ if (vip->get_family(vip) == AF_INET)
+ {
+ ca->set_type(ca, INTERNAL_IP4_DNS);
+ }
+ else
+ {
+ ca->set_type(ca, INTERNAL_IP6_DNS);
+ }
+ cp->add_configuration_attribute(cp, ca);
+ message->add_payload(message, (payload_t*)cp);
}
-
- build_payloads(this, message, CFG_REQUEST);
}
-
return NEED_MORE;
}
@@ -327,9 +230,8 @@ static status_t build_i(private_ike_config_t *this, message_t *message)
*/
static status_t process_r(private_ike_config_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_AUTH &&
- message->get_payload(message, ID_INITIATOR))
- {
+ if (message->get_message_id(message) == 1)
+ { /* in first IKE_AUTH only */
process_payloads(this, message);
}
return NEED_MORE;
@@ -340,25 +242,28 @@ static status_t process_r(private_ike_config_t *this, message_t *message)
*/
static status_t build_r(private_ike_config_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_AUTH &&
- message->get_payload(message, EXTENSIBLE_AUTHENTICATION) == NULL)
- {
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ { /* in last IKE_AUTH exchange */
peer_cfg_t *config = this->ike_sa->get_peer_cfg(this->ike_sa);
if (config && this->virtual_ip)
{
- host_t *ip = NULL;
+ enumerator_t *enumerator;
+ configuration_attribute_type_t type;
+ configuration_attribute_t *ca;
+ chunk_t value;
+ cp_payload_t *cp;
+ host_t *vip = NULL;
DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip);
if (config->get_pool(config))
{
- ip = charon->attributes->acquire_address(charon->attributes,
+ vip = charon->attributes->acquire_address(charon->attributes,
config->get_pool(config),
this->ike_sa->get_other_id(this->ike_sa),
- this->ike_sa->get_other_auth(this->ike_sa),
this->virtual_ip);
}
- if (ip == NULL)
+ if (vip == NULL)
{
DBG1(DBG_IKE, "no virtual IP found, sending %N",
notify_type_names, INTERNAL_ADDRESS_FAILURE);
@@ -366,13 +271,28 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
chunk_empty);
return SUCCESS;
}
- DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip);
- this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, ip);
+ DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip);
+ this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip);
+
+ cp = cp_payload_create();
+ cp->set_config_type(cp, CFG_REPLY);
- this->virtual_ip->destroy(this->virtual_ip);
- this->virtual_ip = ip;
+ build_vip(this, vip, cp);
+ vip->destroy(vip);
- build_payloads(this, message, CFG_REPLY);
+ /* if we add an IP, we also look for other attributes */
+ enumerator = charon->attributes->create_attribute_enumerator(
+ charon->attributes, this->ike_sa->get_other_id(this->ike_sa));
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ ca = configuration_attribute_create();
+ ca->set_type(ca, type);
+ ca->set_value(ca, value);
+ cp->add_configuration_attribute(cp, ca);
+ }
+ enumerator->destroy(enumerator);
+
+ message->add_payload(message, (payload_t*)cp);
}
return SUCCESS;
}
@@ -384,39 +304,14 @@ static status_t build_r(private_ike_config_t *this, message_t *message)
*/
static status_t process_i(private_ike_config_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_AUTH &&
- !message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
- {
- host_t *ip;
- peer_cfg_t *config;
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ { /* in last IKE_AUTH exchange */
- DESTROY_IF(this->virtual_ip);
- this->virtual_ip = NULL;
-
process_payloads(this, message);
- if (this->virtual_ip == NULL)
- { /* force a configured virtual IP, even if server didn't return one */
- config = this->ike_sa->get_peer_cfg(this->ike_sa);
- this->virtual_ip = config->get_virtual_ip(config);
- if (this->virtual_ip)
- {
- this->virtual_ip = this->virtual_ip->clone(this->virtual_ip);
- }
- }
-
- if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip))
+ if (this->virtual_ip)
{
this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip);
-
- while (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS)
- {
- if (!ip->is_anyaddr(ip))
- {
- this->ike_sa->add_dns_server(this->ike_sa, ip);
- }
- ip->destroy(ip);
- }
}
return SUCCESS;
}
@@ -437,11 +332,9 @@ static task_type_t get_type(private_ike_config_t *this)
static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
{
DESTROY_IF(this->virtual_ip);
- this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
this->ike_sa = ike_sa;
this->virtual_ip = NULL;
- this->dns = linked_list_create();
}
/**
@@ -450,8 +343,6 @@ static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa)
static void destroy(private_ike_config_t *this)
{
DESTROY_IF(this->virtual_ip);
- this->dns->destroy_offset(this->dns, offsetof(host_t, destroy));
- this->nbns->destroy_offset(this->nbns, offsetof(host_t, destroy));
free(this);
}
@@ -461,7 +352,7 @@ static void destroy(private_ike_config_t *this)
ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
{
private_ike_config_t *this = malloc_thing(private_ike_config_t);
-
+
this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
this->public.task.destroy = (void(*)(task_t*))destroy;
@@ -469,9 +360,7 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
this->initiator = initiator;
this->ike_sa = ike_sa;
this->virtual_ip = NULL;
- this->dns = linked_list_create();
- this->nbns = linked_list_create();
-
+
if (initiator)
{
this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
@@ -479,49 +368,10 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
}
else
{
- int i;
-
- /* assign DNS servers */
- for (i = 1; i <= DNS_SERVER_MAX; i++)
- {
- char dns_key[16], *dns_str;
-
- snprintf(dns_key, sizeof(dns_key), "charon.dns%d", i);
- dns_str = lib->settings->get_str(lib->settings, dns_key, NULL);
- if (dns_str)
- {
- host_t *dns = host_create_from_string(dns_str, 0);
-
- if (dns)
- {
- DBG2(DBG_CFG, "assigning DNS server %H to peer", dns);
- this->dns->insert_last(this->dns, dns);
- }
- }
- }
-
- /* assign WINS servers */
- for (i = 1; i <= NBNS_SERVER_MAX; i++)
- {
- char nbns_key[16], *nbns_str;
-
- snprintf(nbns_key, sizeof(nbns_key), "charon.nbns%d", i);
- nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL);
- if (nbns_str)
- {
- host_t *nbns = host_create_from_string(nbns_str, 0);
-
- if (nbns)
- {
- DBG2(DBG_CFG, "assigning NBNS server %H to peer", nbns);
- this->nbns->insert_last(this->nbns, nbns);
- }
- }
- }
-
this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
}
-
+
return &this->public;
}
+
diff --git a/src/charon/sa/tasks/ike_config.h b/src/charon/sa/tasks/ike_config.h
index cc709f4d6..32635e85e 100644
--- a/src/charon/sa/tasks/ike_config.h
+++ b/src/charon/sa/tasks/ike_config.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_config.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index 1c051853c..f308a6358 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_delete.c 4458 2008-10-17 03:44:06Z andreas $
*/
#include "ike_delete.h"
@@ -56,7 +54,7 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
{
delete_payload_t *delete_payload;
- DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+ DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
@@ -95,7 +93,7 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa));
- DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%D]...%H[%D]",
+ DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
this->ike_sa->get_name(this->ike_sa),
this->ike_sa->get_unique_id(this->ike_sa),
this->ike_sa->get_my_host(this->ike_sa),
diff --git a/src/charon/sa/tasks/ike_delete.h b/src/charon/sa/tasks/ike_delete.h
index ea4e9832b..82782f393 100644
--- a/src/charon/sa/tasks/ike_delete.h
+++ b/src/charon/sa/tasks/ike_delete.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_delete.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_dpd.c b/src/charon/sa/tasks/ike_dpd.c
index 9f1d43cbf..3aa714049 100644
--- a/src/charon/sa/tasks/ike_dpd.c
+++ b/src/charon/sa/tasks/ike_dpd.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_dpd.c 3589 2008-03-13 14:14:44Z martin $
*/
#include "ike_dpd.h"
diff --git a/src/charon/sa/tasks/ike_dpd.h b/src/charon/sa/tasks/ike_dpd.h
index 0eadd0db7..36388d15b 100644
--- a/src/charon/sa/tasks/ike_dpd.h
+++ b/src/charon/sa/tasks/ike_dpd.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_dpd.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_init.c b/src/charon/sa/tasks/ike_init.c
index 139107480..2705f5886 100644
--- a/src/charon/sa/tasks/ike_init.c
+++ b/src/charon/sa/tasks/ike_init.c
@@ -13,8 +13,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_init.c 4717 2008-11-28 09:51:44Z martin $
*/
#include "ike_init.h"
@@ -170,11 +168,11 @@ static void build_payloads(private_ike_init_t *this, message_t *message)
*/
static void process_payloads(private_ike_init_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
-
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
switch (payload->get_type(payload))
{
@@ -182,7 +180,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
{
sa_payload_t *sa_payload = (sa_payload_t*)payload;
linked_list_t *proposal_list;
-
+
proposal_list = sa_payload->get_proposals(sa_payload);
this->proposal = this->config->select_proposal(this->config,
proposal_list);
@@ -225,7 +223,7 @@ static void process_payloads(private_ike_init_t *this, message_t *message)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -317,12 +315,12 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
#ifdef ME
{
chunk_t connect_id = chunk_empty;
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
-
+
/* check for a ME_CONNECTID notify */
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -353,7 +351,7 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
if (connect_id.ptr)
{
@@ -458,12 +456,12 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
*/
static status_t process_i(private_ike_init_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
-
+
/* check for erronous notifies */
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -489,19 +487,22 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
this->ike_sa->reset(this->ike_sa);
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return NEED_MORE;
}
case NAT_DETECTION_SOURCE_IP:
case NAT_DETECTION_DESTINATION_IP:
/* skip, handled in ike_natd_t */
break;
+ case MULTIPLE_AUTH_SUPPORTED:
+ /* handled in ike_auth_t */
+ break;
case COOKIE:
{
chunk_free(&this->cookie);
this->cookie = chunk_clone(notify->get_notification_data(notify));
this->ike_sa->reset(this->ike_sa);
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
DBG2(DBG_IKE, "received %N notify", notify_type_names, type);
return NEED_MORE;
}
@@ -511,7 +512,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
{
DBG1(DBG_IKE, "received %N notify error",
notify_type_names, type);
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return FAILED;
}
DBG2(DBG_IKE, "received %N notify",
@@ -521,7 +522,7 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
process_payloads(this, message);
diff --git a/src/charon/sa/tasks/ike_init.h b/src/charon/sa/tasks/ike_init.h
index 84f28a98d..8d3810ef2 100644
--- a/src/charon/sa/tasks/ike_init.h
+++ b/src/charon/sa/tasks/ike_init.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_init.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_me.c b/src/charon/sa/tasks/ike_me.c
index f58d51341..d359aa339 100644
--- a/src/charon/sa/tasks/ike_me.c
+++ b/src/charon/sa/tasks/ike_me.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_me.c 4640 2008-11-12 16:07:17Z martin $
*/
#include "ike_me.h"
@@ -166,11 +164,11 @@ static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
*/
static void process_payloads(private_ike_me_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
-
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) != NOTIFY)
{
@@ -237,7 +235,7 @@ static void process_payloads(private_ike_me_t *this, message_t *message)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -339,7 +337,7 @@ static status_t process_r(private_ike_me_t *this, message_t *message)
if (this->callback)
{
- DBG1(DBG_IKE, "received ME_CALLBACK for '%D'", this->peer_id);
+ DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
break;
}
@@ -471,7 +469,7 @@ static status_t process_i(private_ike_me_t *this, message_t *message)
if (this->failed)
{
- DBG1(DBG_IKE, "peer '%D' is not online", this->peer_id);
+ DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
/* FIXME: notify the mediated connection (job?) */
}
else
diff --git a/src/charon/sa/tasks/ike_me.h b/src/charon/sa/tasks/ike_me.h
index 3bef0a7f1..4b35c313c 100644
--- a/src/charon/sa/tasks/ike_me.h
+++ b/src/charon/sa/tasks/ike_me.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_me.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_mobike.c b/src/charon/sa/tasks/ike_mobike.c
index b5e065081..9a1afe744 100644
--- a/src/charon/sa/tasks/ike_mobike.c
+++ b/src/charon/sa/tasks/ike_mobike.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_mobike.c 4816 2008-12-19 14:34:40Z martin $
*/
#include "ike_mobike.h"
@@ -97,12 +95,12 @@ static void flush_additional_addresses(private_ike_mobike_t *this)
*/
static void process_payloads(private_ike_mobike_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
bool first = TRUE;
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
int family = AF_INET;
notify_payload_t *notify;
@@ -181,7 +179,7 @@ static void process_payloads(private_ike_mobike_t *this, message_t *message)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
}
/**
@@ -332,9 +330,8 @@ static void transmit(private_ike_mobike_t *this, packet_t *packet)
*/
static status_t build_i(private_ike_mobike_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_AUTH &&
- message->get_payload(message, ID_INITIATOR))
- {
+ if (message->get_message_id(message) == 1)
+ { /* only in first IKE_AUTH */
message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
build_address_list(this, message);
}
@@ -381,9 +378,8 @@ static status_t build_i(private_ike_mobike_t *this, message_t *message)
*/
static status_t process_r(private_ike_mobike_t *this, message_t *message)
{
- if (message->get_exchange_type(message) == IKE_AUTH &&
- message->get_payload(message, ID_INITIATOR))
- {
+ if (message->get_message_id(message) == 1)
+ { /* only first IKE_AUTH */
process_payloads(this, message);
}
else if (message->get_exchange_type(message) == INFORMATIONAL)
diff --git a/src/charon/sa/tasks/ike_mobike.h b/src/charon/sa/tasks/ike_mobike.h
index 4a2006a80..919b5ddd3 100644
--- a/src/charon/sa/tasks/ike_mobike.h
+++ b/src/charon/sa/tasks/ike_mobike.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_mobike.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_natd.c b/src/charon/sa/tasks/ike_natd.c
index eb84c876f..bb18e7bda 100644
--- a/src/charon/sa/tasks/ike_natd.c
+++ b/src/charon/sa/tasks/ike_natd.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_natd.c 5029 2009-03-26 11:49:07Z martin $
*/
#include "ike_natd.h"
@@ -166,7 +164,7 @@ static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
*/
static void process_payloads(private_ike_natd_t *this, message_t *message)
{
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
notify_payload_t *notify;
chunk_t hash, src_hash, dst_hash;
@@ -184,8 +182,8 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) != NOTIFY)
{
@@ -235,7 +233,7 @@ static void process_payloads(private_ike_natd_t *this, message_t *message)
break;
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
chunk_free(&src_hash);
chunk_free(&dst_hash);
diff --git a/src/charon/sa/tasks/ike_natd.h b/src/charon/sa/tasks/ike_natd.h
index 155ae4b4c..698394842 100644
--- a/src/charon/sa/tasks/ike_natd.h
+++ b/src/charon/sa/tasks/ike_natd.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_natd.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_reauth.c b/src/charon/sa/tasks/ike_reauth.c
index 61701075f..80f1b7b8c 100644
--- a/src/charon/sa/tasks/ike_reauth.c
+++ b/src/charon/sa/tasks/ike_reauth.c
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_reauth.c 4495 2008-10-28 16:07:06Z martin $
*/
#include "ike_reauth.h"
@@ -100,7 +98,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
/* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
if (peer_cfg->is_mediation(peer_cfg))
{
- if (new->initiate(new, NULL) == DESTROY_ME)
+ if (new->initiate(new, NULL, 0, NULL, NULL) == DESTROY_ME)
{
charon->ike_sa_manager->checkin_and_destroy(
charon->ike_sa_manager, new);
@@ -128,7 +126,7 @@ static status_t process_i(private_ike_reauth_t *this, message_t *message)
/* initiate/queue all child SAs */
child_cfg_t *child_cfg = child_sa->get_config(child_sa);
child_cfg->get_ref(child_cfg);
- if (new->initiate(new, child_cfg) == DESTROY_ME)
+ if (new->initiate(new, child_cfg, 0, NULL, NULL) == DESTROY_ME)
{
iterator->destroy(iterator);
charon->ike_sa_manager->checkin_and_destroy(
diff --git a/src/charon/sa/tasks/ike_reauth.h b/src/charon/sa/tasks/ike_reauth.h
index 689550c92..5e97b719c 100644
--- a/src/charon/sa/tasks/ike_reauth.h
+++ b/src/charon/sa/tasks/ike_reauth.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_reauth.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index e61d161bc..bead408a6 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_rekey.c 4730 2008-12-01 18:38:28Z martin $
*/
#include "ike_rekey.h"
@@ -177,7 +175,7 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+ DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->new_sa->get_name(this->new_sa),
this->new_sa->get_unique_id(this->new_sa),
this->ike_sa->get_my_host(this->ike_sa),
@@ -193,13 +191,12 @@ static status_t build_r(private_ike_rekey_t *this, message_t *message)
*/
static status_t process_i(private_ike_rekey_t *this, message_t *message)
{
- ike_sa_id_t *to_delete;
- iterator_t *iterator;
+ enumerator_t *enumerator;
payload_t *payload;
-
+
/* handle NO_ADDITIONAL_SAS notify */
- iterator = message->get_payload_iterator(message);
- while (iterator->iterate(iterator, (void**)&payload))
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
{
if (payload->get_type(payload) == NOTIFY)
{
@@ -213,12 +210,12 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
charon->processor->queue_job(charon->processor,
(job_t*)rekey_ike_sa_job_create(
this->ike_sa->get_id(this->ike_sa), TRUE));
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
return SUCCESS;
}
}
}
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
switch (this->ike_init->task.process(&this->ike_init->task, message))
{
@@ -235,7 +232,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
DBG1(DBG_IKE, "IKE_SA rekeying failed, "
"trying again in %d seconds", retry);
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- charon->scheduler->schedule_job(charon->scheduler, job, retry * 1000);
+ charon->scheduler->schedule_job(charon->scheduler, job, retry);
}
return SUCCESS;
case NEED_MORE:
@@ -245,17 +242,15 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
default:
break;
}
-
+
this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
- DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%D]...%H[%D]",
+ DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
this->new_sa->get_name(this->new_sa),
this->new_sa->get_unique_id(this->new_sa),
this->ike_sa->get_my_host(this->ike_sa),
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
-
- to_delete = this->ike_sa->get_id(this->ike_sa);
/* check for collisions */
if (this->collision &&
@@ -273,8 +268,13 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
if (memcmp(this_nonce.ptr, other_nonce.ptr,
min(this_nonce.len, other_nonce.len)) < 0)
{
+ /* peer should delete this SA. Add a timeout just in case. */
+ job_t *job = (job_t*)delete_ike_sa_job_create(
+ other->new_sa->get_id(other->new_sa), TRUE);
+ charon->scheduler->schedule_job(charon->scheduler, job, 10);
DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA");
charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
+ other->new_sa = NULL;
}
else
{
@@ -285,11 +285,22 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message)
host = this->ike_sa->get_other_host(this->ike_sa);
this->new_sa->set_other_host(this->new_sa, host->clone(host));
this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
- to_delete = this->new_sa->get_id(this->new_sa);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+ if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+ {
+ charon->ike_sa_manager->checkin_and_destroy(
+ charon->ike_sa_manager, this->new_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(
+ charon->ike_sa_manager, this->new_sa);
+ }
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
/* inherit to other->new_sa in destroy() */
this->new_sa = other->new_sa;
other->new_sa = NULL;
+ return SUCCESS;
}
/* set threads active IKE_SA after checkin */
charon->bus->set_sa(charon->bus, this->ike_sa);
diff --git a/src/charon/sa/tasks/ike_rekey.h b/src/charon/sa/tasks/ike_rekey.h
index ab82789f3..6748279ab 100644
--- a/src/charon/sa/tasks/ike_rekey.h
+++ b/src/charon/sa/tasks/ike_rekey.h
@@ -11,8 +11,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: ike_rekey.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/tasks/task.c b/src/charon/sa/tasks/task.c
index fd15379f3..9e35b62a5 100644
--- a/src/charon/sa/tasks/task.c
+++ b/src/charon/sa/tasks/task.c
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: task.c 4618 2008-11-11 09:22:00Z tobias $
*/
#include "task.h"
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index a5eb2caa3..f9b409f35 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -12,8 +12,6 @@
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
- *
- * $Id: task.h 5003 2009-03-24 17:43:01Z martin $
*/
/**
diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c
new file mode 100644
index 000000000..a74fab93f
--- /dev/null
+++ b/src/charon/sa/trap_manager.c
@@ -0,0 +1,371 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "trap_manager.h"
+
+#include <daemon.h>
+#include <utils/mutex.h>
+#include <utils/linked_list.h>
+
+
+typedef struct private_trap_manager_t private_trap_manager_t;
+typedef struct trap_listener_t trap_listener_t;
+
+/**
+ * listener to track acquires
+ */
+struct trap_listener_t {
+
+ /**
+ * Implements listener interface
+ */
+ listener_t listener;
+
+ /**
+ * points to trap_manager
+ */
+ private_trap_manager_t *traps;
+};
+
+/**
+ * Private data of an trap_manager_t object.
+ */
+struct private_trap_manager_t {
+
+ /**
+ * Public trap_manager_t interface.
+ */
+ trap_manager_t public;
+
+ /**
+ * Installed traps, as entry_t
+ */
+ linked_list_t *traps;
+
+ /**
+ * read write lock for traps list
+ */
+ rwlock_t *lock;
+
+ /**
+ * listener to track acquiring IKE_SAs
+ */
+ trap_listener_t listener;
+};
+
+/**
+ * A installed trap entry
+ */
+typedef struct {
+ /** ref to peer_cfg to initiate */
+ peer_cfg_t *peer_cfg;
+ /** ref to instanciated CHILD_SA */
+ child_sa_t *child_sa;
+ /** pending IKE_SA connecting upon acquire */
+ ike_sa_t *pending;
+} entry_t;
+
+/**
+ * actually uninstall and destroy an installed entry
+ */
+static void destroy_entry(entry_t *entry)
+{
+ entry->child_sa->destroy(entry->child_sa);
+ entry->peer_cfg->destroy(entry->peer_cfg);
+ free(entry);
+}
+
+/**
+ * Implementation of trap_manager_t.install
+ */
+static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
+ child_cfg_t *child)
+{
+ entry_t *entry;
+ ike_cfg_t *ike_cfg;
+ child_sa_t *child_sa;
+ host_t *me, *other;
+ linked_list_t *my_ts, *other_ts;
+ enumerator_t *enumerator;
+ bool found = FALSE;
+ status_t status;
+ u_int32_t reqid;
+
+ /* check if not already done */
+ this->lock->read_lock(this->lock);
+ enumerator = this->traps->create_enumerator(this->traps);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (streq(entry->child_sa->get_name(entry->child_sa),
+ child->get_name(child)))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+ if (found)
+ {
+ DBG1(DBG_CFG, "CHILD_SA named '%s' already routed",
+ child->get_name(child));
+ return 0;
+ }
+
+ /* try to resolve addresses */
+ ike_cfg = peer->get_ike_cfg(peer);
+ other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg),
+ 0, IKEV2_UDP_PORT);
+ if (!other)
+ {
+ DBG1(DBG_CFG, "installing trap failed, remote address unknown");
+ return 0;
+ }
+ me = host_create_from_dns(ike_cfg->get_my_addr(ike_cfg),
+ other->get_family(other), IKEV2_UDP_PORT);
+ if (!me || me->is_anyaddr(me))
+ {
+ DESTROY_IF(me);
+ me = charon->kernel_interface->get_source_addr(
+ charon->kernel_interface, other, NULL);
+ if (!me)
+ {
+ DBG1(DBG_CFG, "installing trap failed, local address unknown");
+ other->destroy(other);
+ return 0;
+ }
+ me->set_port(me, IKEV2_UDP_PORT);
+ }
+
+ /* create and route CHILD_SA */
+ child_sa = child_sa_create(me, other, child, 0, FALSE);
+ my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
+ other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
+ me->destroy(me);
+ other->destroy(other);
+
+ child_sa->set_mode(child_sa, child->get_mode(child));
+ status = child_sa->add_policies(child_sa, my_ts, other_ts);
+ my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+ other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+ if (status != SUCCESS)
+ {
+ child_sa->destroy(child_sa);
+ DBG1(DBG_CFG, "installing trap failed");
+ return 0;
+ }
+
+ reqid = child_sa->get_reqid(child_sa);
+ entry = malloc_thing(entry_t);
+ entry->child_sa = child_sa;
+ entry->peer_cfg = peer->get_ref(peer);
+ entry->pending = NULL;
+
+ this->lock->write_lock(this->lock);
+ this->traps->insert_last(this->traps, entry);
+ this->lock->unlock(this->lock);
+
+ return reqid;
+}
+
+/**
+ * Implementation of trap_manager_t.uninstall
+ */
+static bool uninstall(private_trap_manager_t *this, u_int32_t reqid)
+{
+ enumerator_t *enumerator;
+ entry_t *entry, *found = NULL;
+
+ this->lock->write_lock(this->lock);
+ enumerator = this->traps->create_enumerator(this->traps);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+ {
+ this->traps->remove_at(this->traps, enumerator);
+ found = entry;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ if (!found)
+ {
+ DBG1(DBG_CFG, "trap %d not found to uninstall", reqid);
+ return FALSE;
+ }
+
+ destroy_entry(found);
+ return TRUE;
+}
+
+/**
+ * convert enumerated entries to peer_cfg, child_sa
+ */
+static bool trap_filter(rwlock_t *lock, entry_t **entry, peer_cfg_t **peer_cfg,
+ void *none, child_sa_t **child_sa)
+{
+ if (peer_cfg)
+ {
+ *peer_cfg = (*entry)->peer_cfg;
+ }
+ if (child_sa)
+ {
+ *child_sa = (*entry)->child_sa;
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of trap_manager_t.create_enumerator
+ */
+static enumerator_t* create_enumerator(private_trap_manager_t *this)
+{
+ this->lock->read_lock(this->lock);
+ return enumerator_create_filter(this->traps->create_enumerator(this->traps),
+ (void*)trap_filter, this->lock,
+ (void*)this->lock->unlock);
+}
+
+/**
+ * Implementation of trap_manager_t.acquire
+ */
+static void acquire(private_trap_manager_t *this, u_int32_t reqid,
+ traffic_selector_t *src, traffic_selector_t *dst)
+{
+ enumerator_t *enumerator;
+ entry_t *entry, *found = NULL;
+ peer_cfg_t *peer;
+ child_cfg_t *child;
+ ike_sa_t *ike_sa;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->traps->create_enumerator(this->traps);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->child_sa->get_reqid(entry->child_sa) == reqid)
+ {
+ found = entry;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!found)
+ {
+ DBG1(DBG_CFG, "trap not found, unable to acquire reqid %d",reqid);
+ }
+ else if (found->pending)
+ {
+ DBG1(DBG_CFG, "ignoring acquire, connection attempt pending");
+ }
+ else
+ {
+ child = found->child_sa->get_config(found->child_sa);
+ peer = found->peer_cfg;
+ ike_sa = charon->ike_sa_manager->checkout_by_config(
+ charon->ike_sa_manager, peer);
+ if (ike_sa->get_peer_cfg(ike_sa) == NULL)
+ {
+ ike_sa->set_peer_cfg(ike_sa, peer);
+ }
+ child->get_ref(child);
+ reqid = found->child_sa->get_reqid(found->child_sa);
+ if (ike_sa->initiate(ike_sa, child, reqid, src, dst) != DESTROY_ME)
+ {
+ found->pending = ike_sa;
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin_and_destroy(
+ charon->ike_sa_manager, ike_sa);
+ }
+ }
+ this->lock->unlock(this->lock);
+}
+
+/**
+ * Implementation of listener_t.ike_state_change
+ */
+static bool ike_state_change(trap_listener_t *listener, ike_sa_t *ike_sa,
+ ike_sa_state_t state)
+{
+ private_trap_manager_t *this;
+ enumerator_t *enumerator;
+ entry_t *entry;
+
+ switch (state)
+ {
+ case IKE_ESTABLISHED:
+ case IKE_DESTROYING:
+ break;
+ default:
+ return TRUE;
+ }
+
+ this = listener->traps;
+ this->lock->read_lock(this->lock);
+ enumerator = this->traps->create_enumerator(this->traps);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->pending == ike_sa)
+ {
+ entry->pending = NULL;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+ return TRUE;
+}
+
+/**
+ * Implementation of trap_manager_t.destroy.
+ */
+static void destroy(private_trap_manager_t *this)
+{
+ charon->bus->remove_listener(charon->bus, &this->listener.listener);
+ this->traps->invoke_function(this->traps, (void*)destroy_entry);
+ this->traps->destroy(this->traps);
+ this->lock->destroy(this->lock);
+ free(this);
+}
+
+/**
+ * See header
+ */
+trap_manager_t *trap_manager_create()
+{
+ private_trap_manager_t *this = malloc_thing(private_trap_manager_t);
+
+ this->public.install = (u_int(*)(trap_manager_t*, peer_cfg_t *peer, child_cfg_t *child))install;
+ this->public.uninstall = (bool(*)(trap_manager_t*, u_int32_t id))uninstall;
+ this->public.create_enumerator = (enumerator_t*(*)(trap_manager_t*))create_enumerator;
+ this->public.acquire = (void(*)(trap_manager_t*, u_int32_t reqid, traffic_selector_t *src, traffic_selector_t *dst))acquire;
+ this->public.destroy = (void(*)(trap_manager_t*))destroy;
+
+ this->traps = linked_list_create();
+ this->lock = rwlock_create(RWLOCK_DEFAULT);
+
+ /* register listener for IKE state changes */
+ this->listener.traps = this;
+ memset(&this->listener.listener, 0, sizeof(listener_t));
+ this->listener.listener.ike_state_change = (void*)ike_state_change;
+ charon->bus->add_listener(charon->bus, &this->listener.listener);
+
+ return &this->public;
+}
+
diff --git a/src/charon/sa/trap_manager.h b/src/charon/sa/trap_manager.h
new file mode 100644
index 000000000..cb6907cdc
--- /dev/null
+++ b/src/charon/sa/trap_manager.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup trap_manager trap_manager
+ * @{ @ingroup sa
+ */
+
+#ifndef TRAP_MANAGER_H_
+#define TRAP_MANAGER_H_
+
+#include <library.h>
+#include <utils/enumerator.h>
+#include <config/peer_cfg.h>
+
+typedef struct trap_manager_t trap_manager_t;
+
+/**
+ * Manage policies to create SAs from traffic.
+ */
+struct trap_manager_t {
+
+ /**
+ * Install a policy as a trap.
+ *
+ * @param peer peer configuration to initiate on trap
+ * @param child child configuration to install as a trap
+ * @return reqid of installed CHILD_SA, 0 if failed
+ */
+ u_int32_t (*install)(trap_manager_t *this, peer_cfg_t *peer,
+ child_cfg_t *child);
+
+ /**
+ * Uninstall a trap policy.
+ *
+ * @param id reqid of CHILD_SA to uninstall, returned by install()
+ * @return TRUE if uninstalled successfully
+ */
+ bool (*uninstall)(trap_manager_t *this, u_int32_t reqid);
+
+ /**
+ * Create an enumerator over all installed traps.
+ *
+ * @return enumerator over (peer_cfg_t, child_sa_t)
+ */
+ enumerator_t* (*create_enumerator)(trap_manager_t *this);
+
+ /**
+ * Acquire an SA triggered by an installed trap.
+ *
+ * @param reqid requid of the triggering CHILD_SA
+ * @param src source of the triggering packet
+ * @param dst destination of the triggering packet
+ */
+ void (*acquire)(trap_manager_t *this, u_int32_t reqid,
+ traffic_selector_t *src, traffic_selector_t *dst);
+
+ /**
+ * Destroy a trap_manager_t.
+ */
+ void (*destroy)(trap_manager_t *this);
+};
+
+/**
+ * Create a trap_manager instance.
+ */
+trap_manager_t *trap_manager_create();
+
+#endif /* TRAP_MANAGER_ @}*/