Imported Upstream version 4.6.4

7 files changed, 124 insertions, 60 deletions

diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 666e22957..e7a3d780a 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -195,6 +195,9 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -203,6 +206,7 @@ build_os = @build_os@
 build_vendor = @build_vendor@
 builddir = @builddir@
 c_plugins = @c_plugins@
+clearsilver_LIBS = @clearsilver_LIBS@
 datadir = @datadir@
 datarootdir = @datarootdir@
 dbusservicedir = @dbusservicedir@
@@ -219,11 +223,13 @@ host_cpu = @host_cpu@
 host_os = @host_os@
 host_vendor = @host_vendor@
 htmldir = @htmldir@
+imcvdir = @imcvdir@
 includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
 ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -267,6 +273,7 @@ sharedstatedir = @sharedstatedir@
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
+starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
index df0c4c5b4..8c392405e 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c
@@ -20,6 +20,7 @@
 
 #include <simaka_message.h>
 #include <simaka_crypto.h>
+#include <simaka_manager.h>
 
 typedef struct private_eap_aka_peer_t private_eap_aka_peer_t;
 
@@ -34,6 +35,11 @@ struct private_eap_aka_peer_t {
 	eap_aka_peer_t public;
 
 	/**
+	 * AKA backend manager
+	 */
+	simaka_manager_t *mgr;
+
+	/**
 	 * EAP-AKA crypto helper
 	 */
 	simaka_crypto_t *crypto;
@@ -91,7 +97,7 @@ static eap_payload_t* create_client_error(private_eap_aka_peer_t *this)
 	encoded = htons(AKA_UNABLE_TO_PROCESS);
 	message->add_attribute(message, AT_CLIENT_ERROR_CODE,
 						   chunk_create((char*)&encoded, sizeof(encoded)));
-	out = message->generate(message, chunk_empty);
+	out = eap_payload_create_data_own(message->generate(message, chunk_empty));
 	message->destroy(message);
 	return out;
 }
@@ -140,7 +146,7 @@ static status_t process_identity(private_eap_aka_peer_t *this,
 	switch (id_req)
 	{
 		case AT_ANY_ID_REQ:
-			this->reauth = charon->sim->card_get_reauth(charon->sim,
+			this->reauth = this->mgr->card_get_reauth(this->mgr,
 									this->permanent, this->mk, &this->counter);
 			if (this->reauth)
 			{
@@ -149,8 +155,8 @@ static status_t process_identity(private_eap_aka_peer_t *this,
 			}
 			/* FALL */
 		case AT_FULLAUTH_ID_REQ:
-			this->pseudonym = charon->sim->card_get_pseudonym(charon->sim,
-															  this->permanent);
+			this->pseudonym = this->mgr->card_get_pseudonym(this->mgr,
+															this->permanent);
 			if (this->pseudonym)
 			{
 				id = this->pseudonym->get_encoding(this->pseudonym);
@@ -169,7 +175,7 @@ static status_t process_identity(private_eap_aka_peer_t *this,
 	{
 		message->add_attribute(message, AT_IDENTITY, id);
 	}
-	*out = message->generate(message, chunk_empty);
+	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
 	message->destroy(message);
 
 	return NEED_MORE;
@@ -220,10 +226,10 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 		return NEED_MORE;
 	}
 
-	status = charon->sim->card_get_quintuplet(charon->sim, this->permanent,
+	status = this->mgr->card_get_quintuplet(this->mgr, this->permanent,
 									rand.ptr, autn.ptr, ck, ik, res, &res_len);
 	if (status == INVALID_STATE &&
-		charon->sim->card_resync(charon->sim, this->permanent, rand.ptr, auts))
+		this->mgr->card_resync(this->mgr, this->permanent, rand.ptr, auts))
 	{
 		DBG1(DBG_IKE, "received SQN invalid, sending %N",
 			 simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
@@ -231,7 +237,8 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 									AKA_SYNCHRONIZATION_FAILURE, this->crypto);
 		message->add_attribute(message, AT_AUTS,
 							   chunk_create(auts, AKA_AUTS_LEN));
-		*out = message->generate(message, chunk_empty);
+		*out = eap_payload_create_data_own(message->generate(message,
+										   chunk_empty));
 		message->destroy(message);
 		return NEED_MORE;
 	}
@@ -241,7 +248,8 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 			 this->permanent, simaka_subtype_names, AKA_AUTHENTICATION_REJECT);
 		message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
 										AKA_AUTHENTICATION_REJECT, this->crypto);
-		*out = message->generate(message, chunk_empty);
+		*out = eap_payload_create_data_own(message->generate(message,
+										   chunk_empty));
 		message->destroy(message);
 		return NEED_MORE;
 	}
@@ -274,13 +282,13 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 			case AT_NEXT_REAUTH_ID:
 				this->counter = 0;
 				id = identification_create_from_data(data);
-				charon->sim->card_set_reauth(charon->sim, this->permanent, id,
-											 this->mk, this->counter);
+				this->mgr->card_set_reauth(this->mgr, this->permanent, id,
+										   this->mk, this->counter);
 				id->destroy(id);
 				break;
 			case AT_NEXT_PSEUDONYM:
 				id = identification_create_from_data(data);
-				charon->sim->card_set_pseudonym(charon->sim, this->permanent, id);
+				this->mgr->card_set_pseudonym(this->mgr, this->permanent, id);
 				id->destroy(id);
 				break;
 			default:
@@ -292,7 +300,7 @@ static status_t process_challenge(private_eap_aka_peer_t *this,
 	message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
 									AKA_CHALLENGE, this->crypto);
 	message->add_attribute(message, AT_RES, chunk_create(res, res_len));
-	*out = message->generate(message, chunk_empty);
+	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
 	message->destroy(message);
 	return NEED_MORE;
 }
@@ -389,13 +397,13 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
 			identification_t *reauth;
 
 			reauth = identification_create_from_data(data);
-			charon->sim->card_set_reauth(charon->sim, this->permanent, reauth,
-							 this->mk, this->counter);
+			this->mgr->card_set_reauth(this->mgr, this->permanent, reauth,
+									   this->mk, this->counter);
 			reauth->destroy(reauth);
 		}
 	}
 	message->add_attribute(message, AT_COUNTER, counter);
-	*out = message->generate(message, nonce);
+	*out = eap_payload_create_data_own(message->generate(message, nonce));
 	message->destroy(message);
 	return NEED_MORE;
 }
@@ -446,7 +454,8 @@ static status_t process_notification(private_eap_aka_peer_t *this,
 	{	/* empty notification reply */
 		message = simaka_message_create(FALSE, this->identifier, EAP_AKA,
 										AKA_NOTIFICATION, this->crypto);
-		*out = message->generate(message, chunk_empty);
+		*out = eap_payload_create_data_own(message->generate(message,
+															 chunk_empty));
 		message->destroy(message);
 	}
 	else
@@ -466,7 +475,7 @@ METHOD(eap_method_t, process, status_t,
 	/* store received EAP message identifier */
 	this->identifier = in->get_identifier(in);
 
-	message = simaka_message_create_from_payload(in, this->crypto);
+	message = simaka_message_create_from_payload(in->get_data(in), this->crypto);
 	if (!message)
 	{
 		*out = create_client_error(this);
@@ -578,7 +587,8 @@ eap_aka_peer_t *eap_aka_peer_create(identification_t *server,
 				.destroy = _destroy,
 			},
 		},
-		.crypto = simaka_crypto_create(),
+		.crypto = simaka_crypto_create(EAP_AKA),
+		.mgr = lib->get(lib, "aka-manager"),
 	);
 
 	if (!this->crypto)
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.h b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
index 65a210406..974ba2721 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_peer.h
+++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.h
@@ -26,7 +26,7 @@ typedef struct eap_aka_peer_t eap_aka_peer_t;
 #include <sa/authenticators/eap/eap_method.h>
 
 /**
- * Implementation of the eap_method_t interface using EAP-AKA as a client.
+ * EAP-AKA peer implementation.
  */
 struct eap_aka_peer_t {
 
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_plugin.c b/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
index 394a14b59..83805d727 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_plugin.c
@@ -19,20 +19,61 @@
 #include "eap_aka_server.h"
 
 #include <daemon.h>
+#include <simaka_manager.h>
+
+typedef struct private_eap_aka_plugin_t private_eap_aka_plugin_t;
+
+/**
+ * Private data of an eap_sim_plugin_t object.
+ */
+struct private_eap_aka_plugin_t {
+
+	/**
+	 * Public interface.
+	 */
+	eap_aka_plugin_t public;
+
+	/**
+	 * EAP-AKA backend manager
+	 */
+	simaka_manager_t *mgr;
+};
 
 METHOD(plugin_t, get_name, char*,
-	eap_aka_plugin_t *this)
+	private_eap_aka_plugin_t *this)
 {
 	return "eap-aka";
 }
 
+METHOD(plugin_t, get_features, int,
+	private_eap_aka_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_PROVIDE(CUSTOM, "aka-manager"),
+		PLUGIN_CALLBACK(eap_method_register, eap_aka_server_create),
+			PLUGIN_PROVIDE(EAP_SERVER, EAP_AKA),
+				PLUGIN_DEPENDS(RNG, RNG_WEAK),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+				PLUGIN_DEPENDS(PRF, PRF_FIPS_SHA1_160),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA1_128),
+				PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
+		PLUGIN_CALLBACK(eap_method_register, eap_aka_peer_create),
+			PLUGIN_PROVIDE(EAP_PEER, EAP_AKA),
+				PLUGIN_DEPENDS(RNG, RNG_WEAK),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+				PLUGIN_DEPENDS(PRF, PRF_FIPS_SHA1_160),
+				PLUGIN_DEPENDS(SIGNER, AUTH_HMAC_SHA1_128),
+				PLUGIN_DEPENDS(CRYPTER, ENCR_AES_CBC, 16),
+	};
+	*features = f;
+	return countof(f);
+}
+
 METHOD(plugin_t, destroy, void,
-	eap_aka_plugin_t *this)
+	private_eap_aka_plugin_t *this)
 {
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_aka_server_create);
-	charon->eap->remove_method(charon->eap,
-							   (eap_constructor_t)eap_aka_peer_create);
+	lib->set(lib, "aka-manager", NULL);
+	this->mgr->destroy(this->mgr);
 	free(this);
 }
 
@@ -41,21 +82,19 @@ METHOD(plugin_t, destroy, void,
  */
 plugin_t *eap_aka_plugin_create()
 {
-	eap_aka_plugin_t *this;
+	private_eap_aka_plugin_t *this;
 
 	INIT(this,
-		.plugin = {
-			.get_name = _get_name,
-			.reload = (void*)return_false,
-			.destroy = _destroy,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
 		},
+		.mgr = simaka_manager_create(),
 	);
+	lib->set(lib, "aka-manager", this->mgr);
 
-	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_SERVER,
-							(eap_constructor_t)eap_aka_server_create);
-	charon->eap->add_method(charon->eap, EAP_AKA, 0, EAP_PEER,
-							(eap_constructor_t)eap_aka_peer_create);
-
-	return &this->plugin;
+	return &this->public.plugin;
 }
-
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_plugin.h b/src/libcharon/plugins/eap_aka/eap_aka_plugin.h
index d011904b3..8d4fbadfa 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_plugin.h
+++ b/src/libcharon/plugins/eap_aka/eap_aka_plugin.h
@@ -33,6 +33,11 @@ typedef struct eap_aka_plugin_t eap_aka_plugin_t;
  *
  * EAP-AKA uses 3rd generation mobile phone standard authentication
  * mechanism for authentication, as defined RFC4187.
+ *
+ * This plugin implements the protocol level of EAP-AKA and uses simaka_card_t
+ * and simaka_provider_t backends to provide triplets. It registers a
+ * simaka_manager_t on the library as "aka-manager", other plugins can use it
+ * to provide the required backends.
  */
 struct eap_aka_plugin_t {
 
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.c b/src/libcharon/plugins/eap_aka/eap_aka_server.c
index bf0020ad8..d8e85ceef 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.c
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.c
@@ -20,6 +20,7 @@
 
 #include <simaka_message.h>
 #include <simaka_crypto.h>
+#include <simaka_manager.h>
 
 /** length of the AT_NONCE_S value */
 #define NONCE_LEN 16
@@ -37,6 +38,11 @@ struct private_eap_aka_server_t {
 	eap_aka_server_t public;
 
 	/**
+	 * AKA backend manager
+	 */
+	simaka_manager_t *mgr;
+
+	/**
 	 * EAP-AKA crypto helper
 	 */
 	simaka_crypto_t *crypto;
@@ -133,7 +139,7 @@ static status_t identity(private_eap_aka_server_t *this, eap_payload_t **out)
 	{
 		message->add_attribute(message, AT_PERMANENT_ID_REQ, chunk_empty);
 	}
-	*out = message->generate(message, chunk_empty);
+	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
 	message->destroy(message);
 
 	this->pending = AKA_IDENTITY;
@@ -152,7 +158,7 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
 	chunk_t data, mk;
 	identification_t *id;
 
-	if (!charon->sim->provider_get_quintuplet(charon->sim, this->permanent,
+	if (!this->mgr->provider_get_quintuplet(this->mgr, this->permanent,
 										rand, xres, &xres_len, ck, ik, autn))
 	{
 		if (this->use_pseudonym)
@@ -183,24 +189,21 @@ static status_t challenge(private_eap_aka_server_t *this, eap_payload_t **out)
 									AKA_CHALLENGE, this->crypto);
 	message->add_attribute(message, AT_RAND, this->rand);
 	message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
-	id = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk.ptr);
+	id = this->mgr->provider_gen_reauth(this->mgr, this->permanent, mk.ptr);
 	if (id)
 	{
 		message->add_attribute(message, AT_NEXT_REAUTH_ID,
 							   id->get_encoding(id));
 		id->destroy(id);
 	}
-	else
+	id = this->mgr->provider_gen_pseudonym(this->mgr, this->permanent);
+	if (id)
 	{
-		id = charon->sim->provider_gen_pseudonym(charon->sim, this->permanent);
-		if (id)
-		{
-			message->add_attribute(message, AT_NEXT_PSEUDONYM,
-								   id->get_encoding(id));
-			id->destroy(id);
-		}
+		message->add_attribute(message, AT_NEXT_PSEUDONYM,
+							   id->get_encoding(id));
+		id->destroy(id);
 	}
-	*out = message->generate(message, chunk_empty);
+	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
 	message->destroy(message);
 
 	free(mk.ptr);
@@ -237,14 +240,14 @@ static status_t reauthenticate(private_eap_aka_server_t *this,
 									AKA_REAUTHENTICATION, this->crypto);
 	message->add_attribute(message, AT_COUNTER, this->counter);
 	message->add_attribute(message, AT_NONCE_S, this->nonce);
-	next = charon->sim->provider_gen_reauth(charon->sim, this->permanent, mk);
+	next = this->mgr->provider_gen_reauth(this->mgr, this->permanent, mk);
 	if (next)
 	{
 		message->add_attribute(message, AT_NEXT_REAUTH_ID,
 							   next->get_encoding(next));
 		next->destroy(next);
 	}
-	*out = message->generate(message, chunk_empty);
+	*out = eap_payload_create_data_own(message->generate(message, chunk_empty));
 	message->destroy(message);
 
 	this->pending = SIM_REAUTHENTICATION;
@@ -310,8 +313,7 @@ static status_t process_identity(private_eap_aka_server_t *this,
 		char mk[HASH_SIZE_SHA1];
 		u_int16_t counter;
 
-		permanent = charon->sim->provider_is_reauth(charon->sim, id,
-													mk, &counter);
+		permanent = this->mgr->provider_is_reauth(this->mgr, id, mk, &counter);
 		if (permanent)
 		{
 			this->permanent->destroy(this->permanent);
@@ -325,7 +327,7 @@ static status_t process_identity(private_eap_aka_server_t *this,
 	}
 	if (this->use_pseudonym)
 	{
-		permanent = charon->sim->provider_is_pseudonym(charon->sim, id);
+		permanent = this->mgr->provider_is_pseudonym(this->mgr, id);
 		if (permanent)
 		{
 			this->permanent->destroy(this->permanent);
@@ -506,8 +508,8 @@ static status_t process_synchronize(private_eap_aka_server_t *this,
 		return FAILED;
 	}
 
-	if (!charon->sim->provider_resync(charon->sim, this->permanent,
-									  this->rand.ptr, auts.ptr))
+	if (!this->mgr->provider_resync(this->mgr, this->permanent,
+									this->rand.ptr, auts.ptr))
 	{
 		DBG1(DBG_IKE, "no AKA provider found supporting "
 			 "resynchronization for '%Y'", this->permanent);
@@ -564,7 +566,7 @@ METHOD(eap_method_t, process, status_t,
 	simaka_message_t *message;
 	status_t status;
 
-	message = simaka_message_create_from_payload(in, this->crypto);
+	message = simaka_message_create_from_payload(in->get_data(in), this->crypto);
 	if (!message)
 	{
 		return FAILED;
@@ -676,7 +678,8 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
 				.destroy = _destroy,
 			},
 		},
-		.crypto = simaka_crypto_create(),
+		.crypto = simaka_crypto_create(EAP_AKA),
+		.mgr = lib->get(lib, "aka-manager"),
 	);
 
 	if (!this->crypto)
diff --git a/src/libcharon/plugins/eap_aka/eap_aka_server.h b/src/libcharon/plugins/eap_aka/eap_aka_server.h
index d48fc4c34..5ab1c4dfd 100644
--- a/src/libcharon/plugins/eap_aka/eap_aka_server.h
+++ b/src/libcharon/plugins/eap_aka/eap_aka_server.h
@@ -26,7 +26,7 @@ typedef struct eap_aka_server_t eap_aka_server_t;
 #include <sa/authenticators/eap/eap_method.h>
 
 /**
- * Implementation of the eap_method_t interface using EAP-AKA as server.
+ * EAP-AKA server implementation.
  */
 struct eap_aka_server_t {