author | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
commit | 7585facf05d927eb6df3929ce09ed5e60d905437 (patch) | |
tree | e4d14b4dc180db20356b6b01ce0112f3a2d7897e /src/conftest | |
parent | c1343b3278cdf99533b7902744d15969f9d6fdc1 (diff) | |
download | vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip |
Imported Upstream version 5.0.2
Diffstat (limited to 'src/conftest')
-rw-r--r-- | src/conftest/Makefile.in | 26 | ||||
-rw-r--r-- | src/conftest/README | 9 | ||||
-rw-r--r-- | src/conftest/config.c | 34 | ||||
-rw-r--r-- | src/conftest/conftest.c | 57 | ||||
-rw-r--r-- | src/conftest/conftest.h | 5 | ||||
-rw-r--r-- | src/conftest/hooks/reset_seq.c | 77 |
6 files changed, 156 insertions, 52 deletions
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in index ea26b70e7..960705ce1 100644 --- a/src/conftest/Makefile.in +++ b/src/conftest/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -111,6 +111,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -138,6 +139,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -165,6 +167,7 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -177,6 +180,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -230,7 +234,6 @@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ 
@@ -379,7 +382,7 @@ clean-ipsecPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list -conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) +conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) $(EXTRA_conftest_DEPENDENCIES) @rm -f conftest$(EXEEXT) $(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS) @@ -864,10 +867,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/conftest/README b/src/conftest/README index e2156921f..617195df9 100644 --- a/src/conftest/README +++ b/src/conftest/README 
@@ -98,9 +98,10 @@ The IKE_SA configuration uses the following options (as key/value pairs): src/libstrongswan/crypt/proposal/proposal_keywords.txt fake_nat: Fake the NAT_DETECTION_*_IP payloads to simulate a NAT scenario - rsa_strength: connection requires a trustchain with RSA keys of given bits - ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits - cert_policy: connection requries a certificate with the given OID policy + rsa_strength: Connection requires a trustchain with RSA keys of given bits + ecdsa_strength: Connection requires a trustchain with ECDSA keys of given bits + cert_policy: Connection requries a certificate with the given OID policy + named_pool: Name of an IP pool defined e.g. in a database backend The following CHILD_SA specific configuration options are supported: @@ -109,6 +110,7 @@ The following CHILD_SA specific configuration options are supported: transport: Propose IPsec transport mode instead of tunnel mode tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the given length + proposal: CHILD_SA proposal list, same syntax as IKE_SA proposal list 6. Credentials -------------- @@ -238,6 +240,7 @@ Currently, the following hooks are defined with the following options: rebuild_auth: rebuild AUTH payload, i.e. if ID payload changed reset_seq: Reset sequence numbers of an ESP SA delay: Seconds to delay reset after SA established + oseq: Sequence number to set, default is 0 set_critical: Set critical bit on existing payloads: request: yes to set in request, no in response id: IKEv2 message identifier of message to mangle payloads diff --git a/src/conftest/config.c b/src/conftest/config.c index cbc6ac05f..ae0d93460 100644 --- a/src/conftest/config.c +++ b/src/conftest/config.c 
@@ -101,12 +101,13 @@ static ike_cfg_t *load_ike_config(private_config_t *this,
 proposal_t *proposal;
 char *token;
 
- ike_cfg = ike_cfg_create(TRUE,
+ ike_cfg = ike_cfg_create(IKEV2, TRUE,
 settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config),
 settings->get_str(settings, "configs.%s.lhost", "%any", config), FALSE,
 settings->get_int(settings, "configs.%s.lport", 500, config),
 settings->get_str(settings, "configs.%s.rhost", "%any", config), FALSE,
- settings->get_int(settings, "configs.%s.rport", 500, config));
+ settings->get_int(settings, "configs.%s.rport", 500, config),
+ FRAGMENTATION_NO);
 token = settings->get_str(settings, "configs.%s.proposal", NULL, config);
 if (token)
 {
@@ -143,9 +144,7 @@ static child_cfg_t *load_child_config(private_config_t *this,
 proposal_t *proposal;
 traffic_selector_t *ts;
 ipsec_mode_t mode = MODE_TUNNEL;
- host_t *net;
 char *token;
- int bits;
 u_int32_t tfc;
 
 if (settings->get_bool(settings, "configs.%s.%s.transport",
@@ -183,16 +182,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 }
 
- token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config);
+ token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);
 if (token)
 {
 enumerator = enumerator_create_token(token, ",", " ");
 while (enumerator->enumerate(enumerator, &token))
 {
- net = host_create_from_subnet(token, &bits);
- if (net)
+ ts = traffic_selector_create_from_cidr(token, 0, 0);
+ if (ts)
 {
- ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 }
 else
@@ -208,16 +206,15 @@ static child_cfg_t *load_child_config(private_config_t *this,
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
 }
 
- token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config);
+ token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config, child);
 if (token)
 {
 enumerator = enumerator_create_token(token, ",", " ");
 while (enumerator->enumerate(enumerator, &token))
 {
- net = host_create_from_subnet(token, &bits);
- if (net)
+ ts = traffic_selector_create_from_cidr(token, 0, 0);
+ if (ts)
 {
- ts = traffic_selector_create_from_subnet(net, bits, 0, 0);
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
 }
 else
@@ -247,11 +244,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 child_cfg_t *child_cfg;
 enumerator_t *enumerator;
 identification_t *lid, *rid;
- char *child, *policy;
+ char *child, *policy, *pool;
 uintptr_t strength;
 
 ike_cfg = load_ike_config(this, settings, config);
- peer_cfg = peer_cfg_create(config, IKEV2, ike_cfg, CERT_ALWAYS_SEND,
+ peer_cfg = peer_cfg_create(config, ike_cfg, CERT_ALWAYS_SEND,
 UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, FALSE, 0, 0, FALSE,
 NULL, NULL);
 
@@ -266,12 +263,12 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
 rid = identification_create_from_string(
 settings->get_str(settings, "configs.%s.rid", "%any", config));
- strength = settings->get_int(settings, "configs.%s.rsa_strength", 0);
+ strength = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);
 if (strength)
 {
 auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength);
 }
- strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0);
+ strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0, config);
 if (strength)
 {
 auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength);
@@ -283,6 +280,11 @@ static peer_cfg_t *load_peer_config(private_config_t *this,
 }
 auth->add(auth, AUTH_RULE_IDENTITY, rid);
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
+ pool = settings->get_str(settings, "configs.%s.named_pool", NULL, config);
+ if (pool)
+ {
+ peer_cfg->add_pool(peer_cfg, pool);
+ }
 
 DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid);
 
diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c
index 6491fd294..c2251effa 100644
--- a/src/conftest/conftest.c
+++ b/src/conftest/conftest.c
@@ -26,6 +26,7 @@
 #include "config.h"
 #include "hooks/hook.h"
 
+#include <bus/listeners/file_logger.h>
 #include <threading/thread.h>
 #include <credentials/certificates/x509.h>
 
@@ -322,6 +323,7 @@ static bool load_hooks()
 */
 static void cleanup()
 {
+ file_logger_t *logger;
 hook_t *hook;
 
 DESTROY_IF(conftest->test);
@@ -344,6 +346,13 @@ static void cleanup()
 }
 conftest->config->destroy(conftest->config);
 }
+ while (conftest->loggers->remove_last(conftest->loggers,
+ (void**)&logger) == SUCCESS)
+ {
+ charon->bus->remove_logger(charon->bus, &logger->logger);
+ logger->destroy(logger);
+ }
+ conftest->loggers->destroy(conftest->loggers);
 free(conftest->suite_dir);
 free(conftest);
 libcharon_deinit();
@@ -369,32 +378,46 @@ static void load_log_levels(file_logger_t *logger, char *section)
 }
 
 /**
+ * Load logger options for a logger from section
+ */
+static void load_logger_options(file_logger_t *logger, char *section)
+{
+ bool ike_name;
+ char *time_format;
+
+ time_format = conftest->test->get_str(conftest->test,
+ "log.%s.time_format", NULL, section);
+ ike_name = conftest->test->get_bool(conftest->test,
+ "log.%s.ike_name", FALSE, section);
+
+ logger->set_options(logger, time_format, ike_name);
+}
+
+/**
 * Load logger configuration
 */
 static void load_loggers(file_logger_t *logger)
 {
 enumerator_t *enumerator;
 char *section;
- FILE *file;
 
 load_log_levels(logger, "stdout");
+ load_logger_options(logger, "stdout");
+ /* Re-add the logger to propagate configuration changes to the
+ * logging system */
+ charon->bus->add_logger(charon->bus, &logger->logger);
 
 enumerator = conftest->test->create_section_enumerator(conftest->test, "log");
 while (enumerator->enumerate(enumerator, §ion))
 {
 if (!streq(section, "stdout"))
 {
- file = fopen(section, "w");
- if (file == NULL)
- {
- fprintf(stderr, "opening file %s for logging failed: %s",
- section, strerror(errno));
- continue;
- }
- logger = file_logger_create(file, NULL, FALSE);
+ logger = file_logger_create(section);
+ load_logger_options(logger, section);
+ logger->open(logger, FALSE, FALSE);
 load_log_levels(logger, section);
 charon->bus->add_logger(charon->bus, &logger->logger);
- charon->file_loggers->insert_last(charon->file_loggers, logger);
+ conftest->loggers->insert_last(conftest->loggers, logger);
 }
 }
 enumerator->destroy(enumerator);
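Review bot: The return value of `logger->open(logger, FALSE, FALSE)` in load_loggers is ignored, whereas the fopen() path it replaces reported the failure on stderr and skipped the logger; if open() can fail for a section name that is not a writable path, the logger is still registered with the bus and stored in conftest->loggers. If file_logger_t's open() reports success, guard it: `if (!logger->open(logger, FALSE, FALSE)) { logger->destroy(logger); continue; }` (with a diagnostic as before); otherwise a one-line comment stating that open failures are handled inside the logger would document the new contract. The same unchecked call appears in main in the hunk at -433. The two bare FALSE arguments to open() and set_options() at each call site would also read better with a short comment naming the options they select.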
@@ -433,16 +456,18 @@ int main(int argc, char *argv[])
 
 INIT(conftest,
 .creds = mem_cred_create(),
+ .config = config_create(),
+ .hooks = linked_list_create(),
+ .loggers = linked_list_create(),
 );
+ lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
 
- logger = file_logger_create(stdout, NULL, FALSE);
+ logger = file_logger_create("stdout");
+ logger->set_options(logger, NULL, FALSE);
+ logger->open(logger, FALSE, FALSE);
 logger->set_level(logger, DBG_ANY, LEVEL_CTRL);
 charon->bus->add_logger(charon->bus, &logger->logger);
- charon->file_loggers->insert_last(charon->file_loggers, logger);
-
- lib->credmgr->add_set(lib->credmgr, &conftest->creds->set);
- conftest->hooks = linked_list_create();
- conftest->config = config_create();
+ conftest->loggers->insert_last(conftest->loggers, logger);
 
 atexit(cleanup);
 
diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h
index 2caf9b3ce..6bbdabd07 100644
--- a/src/conftest/conftest.h
+++ b/src/conftest/conftest.h
@@ -64,6 +64,11 @@ struct conftest_t {
 * Action handling
 */
 actions_t *actions;
+
+ /**
+ * Test specific loggers
+ */
+ linked_list_t *loggers;
 };
 
 /**
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c
index 6fb7a2e4b..100977324 100644
--- a/src/conftest/hooks/reset_seq.c
+++ b/src/conftest/hooks/reset_seq.c
@@ -12,6 +12,27 @@
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */
+/*
+ * Copyright (C) 2012 achelos GmbH
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
 
 #include "hook.h"
 
@@ -40,21 +61,46 @@ struct private_reset_seq_t {
 * Delay for reset
 */
 int delay;
+
+ /**
+ * Sequence number to set for outgoing packages
+ */
+ int oseq;
+};
+
+typedef struct reset_cb_data_t reset_cb_data_t;
+
+/**
+ * Data needed for the callback job
+ */
+struct reset_cb_data_t {
+
+ /**
+ * The SA to modify
+ */
+ struct xfrm_usersa_id usersa;
+
+ /**
+ * Sequence number to set for outgoing packages
+ */
+ int oseq;
 };
 
 /**
 * Callback job
 */
-static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
+static job_requeue_t reset_cb(struct reset_cb_data_t *data)
 {
 netlink_buf_t request;
 struct nlmsghdr *hdr;
 struct xfrm_aevent_id *id;
 struct rtattr *rthdr;
+ struct xfrm_replay_state *rpstate;
 struct sockaddr_nl addr;
 int s, len;
 
- DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi));
+ DBG1(DBG_CFG, "setting sequence number of SPI 0x%x to %d",
+ htonl(data->usersa.spi), data->oseq);
 
 memset(&request, 0, sizeof(request));
 
@@ -66,13 +112,22 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
 hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id));
 
 id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr);
- id->sa_id = *data;
+ id->sa_id = data->usersa;
 
 rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id);
 rthdr->rta_type = XFRMA_REPLAY_VAL;
 rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state));
 hdr->nlmsg_len += rthdr->rta_len;
 
+ /* xfrm_replay_state is the structure the kernel uses for
+ * replay detection, and the oseq element contains the
+ * sequence number for outgoing packets. Currently, this
+ * function sets the other elements seq (records the number of
+ * incoming packets) and bitmask to zero, but they could be
+ * adjusted in the same way as oseq if required. */
+ rpstate = (struct xfrm_replay_state*)RTA_DATA(rthdr);
+ rpstate->oseq = data->oseq;
+
 s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM);
 if (s == -1)
 {
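Review bot: `oseq` is declared `int` in both private_reset_seq_t and reset_cb_data_t, yet it is copied into `rpstate->oseq`, which is a `__u32` in the kernel's `struct xfrm_replay_state`, so a negative value from the `hooks.%s.oseq` setting (read with get_int in the hunk at -149) silently wraps to a large sequence number; declaring the field `u_int32_t`, rejecting negative values where the setting is read, and printing it with `%u` in the DBG1 call would make the accepted range explicit. The doc comments on both new fields say "outgoing packages"; `Sequence number to set for outgoing packets` is meant. In the comment added in the next hunk (-66), the third replay-state member is named `bitmap` in the kernel header, not "bitmask". reset_cb's body continues outside the hunk.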
@@ -97,17 +152,21 @@ static job_requeue_t reset_cb(struct xfrm_usersa_id *data)
 static void schedule_reset_job(private_reset_seq_t *this, host_t *dst,
 u_int32_t spi)
 {
- struct xfrm_usersa_id *data;
+ struct reset_cb_data_t *data;
 chunk_t chunk;
 
 INIT(data,
- .spi = spi,
- .family = dst->get_family(dst),
- .proto = IPPROTO_ESP,
+ .usersa = {
+ .spi = spi,
+ .family = dst->get_family(dst),
+ .proto = IPPROTO_ESP,
+ },
+ .oseq = this->oseq,
 );
 
 chunk = dst->get_address(dst);
- memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t)));
+ memcpy(&data->usersa.daddr, chunk.ptr,
+ min(chunk.len, sizeof(xfrm_address_t)));
 
 lib->scheduler->schedule_job(lib->scheduler,
 (job_t*)callback_job_create(
@@ -149,6 +208,8 @@ hook_t *reset_seq_hook_create(char *name)
 },
 .delay = conftest->test->get_int(conftest->test,
 "hooks.%s.delay", 10, name),
+ .oseq = conftest->test->get_int(conftest->test,
+ "hooks.%s.oseq", 0, name),
 );
 
 return &this->hook;