author | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-05-19 13:41:58 +0200 |
---|---|---|
committer | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-05-19 13:41:58 +0200 |
commit | b590992f735393c97489fce191e7810eaae4f6d7 (patch) | |
tree | 286595c4aa43dbf3d616d816e5fade6ac364771a /src/libhydra/plugins | |
parent | 2fce29055b7b5bc2860d503d1ae822931f80b7aa (diff) | |
parent | 0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff) | |
Merge upstream version 4.5.2
Diffstat (limited to 'src/libhydra/plugins')
24 files changed, 473 insertions, 509 deletions
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index 45ecb9924..250ac9539 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in @@ -219,13 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -<<<<<<< HEAD -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -======= -ipsecgroup = @ipsecgroup@ ->>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -246,6 +240,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ @@ -264,14 +260,12 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ -<<<<<<< HEAD -======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ ->>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c index 1edb92c1f..cb14495af 100644 --- a/src/libhydra/plugins/attr/attr_plugin.c +++ b/src/libhydra/plugins/attr/attr_plugin.c 
@@ -36,15 +36,21 @@ struct private_attr_plugin_t { attr_provider_t *provider; }; -<<<<<<< HEAD -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_attr_plugin_t *this) -======= +METHOD(plugin_t, get_name, char*, + private_attr_plugin_t *this) +{ + return "attr"; +} + +METHOD(plugin_t, reload, bool, + private_attr_plugin_t *this) +{ + this->provider->reload(this->provider); + return TRUE; +} + METHOD(plugin_t, destroy, void, private_attr_plugin_t *this) ->>>>>>> upstream/4.5.1 { hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider); this->provider->destroy(this->provider); @@ -56,24 +62,18 @@ METHOD(plugin_t, destroy, void, */ plugin_t *attr_plugin_create() { -<<<<<<< HEAD - private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - - this->provider = attr_provider_create(); -======= private_attr_plugin_t *this; INIT(this, .public = { .plugin = { + .get_name = _get_name, + .reload = _reload, .destroy = _destroy, }, }, .provider = attr_provider_create(), ); ->>>>>>> upstream/4.5.1 hydra->attributes->add_provider(hydra->attributes, &this->provider->provider); return &this->public.plugin; diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c index b3c0cc076..44242c259 100644 --- a/src/libhydra/plugins/attr/attr_provider.c +++ b/src/libhydra/plugins/attr/attr_provider.c @@ -21,6 +21,7 @@ #include <hydra.h> #include <debug.h> #include <utils/linked_list.h> +#include <threading/rwlock.h> #define SERVER_MAX 2 @@ -41,6 +42,11 @@ struct private_attr_provider_t { * List of attributes, attribute_entry_t */ linked_list_t *attributes; + + /** + * Lock for attribute list + */ + rwlock_t *lock; }; struct attribute_entry_t { 
@@ -51,6 +57,15 @@ struct attribute_entry_t { }; /** + * Destroy an entry + */ +static void attribute_destroy(attribute_entry_t *this) +{ + free(this->value.ptr); + free(this); +} + +/** * convert enumerator value from attribute_entry */ static bool attr_enum_filter(void *null, attribute_entry_t **in, @@ -61,35 +76,26 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in, return TRUE; } -/** - * Implementation of attribute_provider_t.create_attribute_enumerator - */ -static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this, - char *pool, identification_t *id, host_t *vip) +METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, + private_attr_provider_t *this, char *pool, + identification_t *id, host_t *vip) { if (vip) { + this->lock->read_lock(this->lock); return enumerator_create_filter( - this->attributes->create_enumerator(this->attributes), - (void*)attr_enum_filter, NULL, NULL); + this->attributes->create_enumerator(this->attributes), + (void*)attr_enum_filter, this->lock, (void*)this->lock->unlock); } return enumerator_create_empty(); } -/** - * Implementation of attr_provider_t.destroy - */ -static void destroy(private_attr_provider_t *this) +METHOD(attr_provider_t, destroy, void, + private_attr_provider_t *this) { - attribute_entry_t *entry; - - while (this->attributes->remove_last(this->attributes, - (void**)&entry) == SUCCESS) - { - free(entry->value.ptr); - free(entry); - } - this->attributes->destroy(this->attributes); + this->attributes->destroy_function(this->attributes, + (void*)attribute_destroy); + this->lock->destroy(this->lock); free(this); } 
@@ -129,6 +135,8 @@ static void add_legacy_entry(private_attr_provider_t *this, char *key, int nr, entry->type = type; entry->value = chunk_clone(host->get_address(host)); host->destroy(host); + DBG2(DBG_CFG, "loaded legacy entry attribute %N: %#B", + configuration_attribute_type_names, entry->type, &entry->value); this->attributes->insert_last(this->attributes, entry); } } @@ -158,6 +166,13 @@ static void load_entries(private_attr_provider_t *this) { enumerator_t *enumerator, *tokens; char *key, *value, *token; + int i; + + for (i = 1; i <= SERVER_MAX; i++) + { + add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS); + add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS); + } enumerator = lib->settings->create_key_value_enumerator(lib->settings, "%s.plugins.attr", hydra->daemon); @@ -231,6 +246,8 @@ static void load_entries(private_attr_provider_t *this) } } host->destroy(host); + DBG2(DBG_CFG, "loaded attribute %N: %#B", + configuration_attribute_type_names, entry->type, &entry->value); this->attributes->insert_last(this->attributes, entry); } tokens->destroy(tokens); 
@@ -238,28 +255,43 @@ static void load_entries(private_attr_provider_t *this) enumerator->destroy(enumerator); } +METHOD(attr_provider_t, reload, void, + private_attr_provider_t *this) +{ + this->lock->write_lock(this->lock); + + this->attributes->destroy_function(this->attributes, (void*)attribute_destroy); + this->attributes = linked_list_create(); + + load_entries(this); + + DBG1(DBG_CFG, "loaded %d entr%s for attr plugin configuration", + this->attributes->get_count(this->attributes), + this->attributes->get_count(this->attributes) == 1 ? "y" : "ies"); + + this->lock->unlock(this->lock); +} + /* * see header file */ attr_provider_t *attr_provider_create(database_t *db) { private_attr_provider_t *this; - int i; - - this = malloc_thing(private_attr_provider_t); - - this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null; - this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false; - this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *vip))create_attribute_enumerator; - this->public.destroy = (void(*)(attr_provider_t*))destroy; - - this->attributes = linked_list_create(); - for (i = 1; i <= SERVER_MAX; i++) - { - add_legacy_entry(this, "dns", i, INTERNAL_IP4_DNS); - add_legacy_entry(this, "nbns", i, INTERNAL_IP4_NBNS); - } + INIT(this, + .public = { + .provider = { + .acquire_address = (void*)return_null, + .release_address = (void*)return_false, + .create_attribute_enumerator = _create_attribute_enumerator, + }, + .reload = _reload, + .destroy = _destroy, + }, + .attributes = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); load_entries(this); diff --git a/src/libhydra/plugins/attr/attr_provider.h b/src/libhydra/plugins/attr/attr_provider.h index a41466718..17db30408 100644 
--- a/src/libhydra/plugins/attr/attr_provider.h +++ b/src/libhydra/plugins/attr/attr_provider.h @@ -36,6 +36,11 @@ struct attr_provider_t { attribute_provider_t provider; /** + * Reload configuration from strongswan.conf. + */ + void (*reload)(attr_provider_t *this); + + /** * Destroy a attr_provider instance. */ void (*destroy)(attr_provider_t *this); diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index 729738d60..80d497f59 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -232,13 +232,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -<<<<<<< HEAD -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -======= -ipsecgroup = @ipsecgroup@ ->>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -259,6 +253,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ @@ -277,14 +273,12 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ -<<<<<<< HEAD -======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ ->>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c index e47f9f03a..c04ec9a01 100644 --- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c +++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c 
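Review bot: The new `reload` declaration in `attr_provider_t` only says that it reloads strongswan.conf, while the implementation in attr_provider.c takes the provider's write lock and replaces the whole attribute list, and `create_attribute_enumerator` hands out enumerators that hold the read lock until they are destroyed, so a caller of `reload` should know it blocks behind any live enumerator. I would extend the doc comment to: `Reload configuration from strongswan.conf. Replaces the whole attribute list under the provider's write lock, so it blocks until every enumerator returned by create_attribute_enumerator (which holds a read lock) has been destroyed.`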
@@ -40,18 +40,16 @@ struct private_attr_sql_plugin_t { * configuration attributes */ sql_attribute_t *attribute; - }; -<<<<<<< HEAD -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_attr_sql_plugin_t *this) -======= +METHOD(plugin_t, get_name, char*, + private_attr_sql_plugin_t *this) +{ + return "attr-sql"; +} + METHOD(plugin_t, destroy, void, private_attr_sql_plugin_t *this) ->>>>>>> upstream/4.5.1 { hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider); this->attribute->destroy(this->attribute); @@ -64,41 +62,28 @@ METHOD(plugin_t, destroy, void, */ plugin_t *attr_sql_plugin_create() { -<<<<<<< HEAD - char *uri; - private_attr_sql_plugin_t *this; - - uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL); -======= private_attr_sql_plugin_t *this; char *uri; uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL); ->>>>>>> upstream/4.5.1 if (!uri) { DBG1(DBG_CFG, "attr-sql plugin: database URI not set"); return NULL; } -<<<<<<< HEAD - this = malloc_thing(private_attr_sql_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - - this->db = lib->db->create(lib->db, uri); -======= INIT(this, .public = { .plugin = { + .get_name = _get_name, + .reload = (void*)return_false, .destroy = _destroy, }, }, .db = lib->db->create(lib->db, uri), ); ->>>>>>> upstream/4.5.1 if (!this->db) { DBG1(DBG_CFG, "attr-sql plugin failed to connect to database"); diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c index b4bdfc629..e81a23ed9 100644 --- a/src/libhydra/plugins/attr_sql/pool.c +++ b/src/libhydra/plugins/attr_sql/pool.c @@ -379,7 +379,7 @@ static void add(char *name, host_t *start, host_t *end, int timeout) chunk_increment(cur_addr); } commit_transaction(); - printf("done.\n", count); + printf("done.\n"); } static bool add_address(u_int pool_id, char *address_str, int *family) 
@@ -407,9 +407,11 @@ static bool add_address(u_int pool_id, char *address_str, int *family) fprintf(stderr, "invalid address '%s'.\n", address_str); return FALSE; } - if (family && *family && *family != address->get_family(address)) + if (family && *family != AF_UNSPEC && + *family != address->get_family(address)) { fprintf(stderr, "invalid address family '%s'.\n", address_str); + address->destroy(address); return FALSE; } @@ -421,9 +423,13 @@ static bool add_address(u_int pool_id, char *address_str, int *family) DB_UINT, user_id, DB_UINT, 0, DB_UINT, 1) != 1) { fprintf(stderr, "inserting address '%s' failed.\n", address_str); + address->destroy(address); return FALSE; } - *family = address->get_family(address); + if (family) + { + *family = address->get_family(address); + } address->destroy(address); return TRUE; @@ -469,6 +475,10 @@ static void add_addresses(char *pool, char *path, int timeout) } if (add_address(pool_id, address_str, &family) == FALSE) { + if (file != stdin) + { + fclose(file); + } exit(EXIT_FAILURE); } ++count; @@ -586,7 +596,7 @@ static void resize(char *name, host_t *end) DB_UINT, id, DB_BLOB, cur_addr, DB_UINT, 0, DB_UINT, 0, DB_UINT, 1); } commit_transaction(); - printf("done.\n", count); + printf("done.\n"); } @@ -1004,6 +1014,7 @@ static void do_args(int argc, char *argv[]) break; case '1': operation = OP_STATUS_ATTR; + break; case 'u': utc = TRUE; continue; diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c index 5f7afdfcd..5c7397476 100644 --- a/src/libhydra/plugins/attr_sql/pool_attributes.c +++ b/src/libhydra/plugins/attr_sql/pool_attributes.c @@ -241,7 +241,7 @@ static bool parse_attributes(char *name, char *value, value_type_t *value_type, /* clean up */ DESTROY_IF(addr); - /* is the attribute type numeric? */ + /* is the attribute type numeric? */ *type = strtol(name, &endptr, 10); if (*endptr != '\0') 
@@ -262,7 +262,7 @@ static bool parse_attributes(char *name, char *value, value_type_t *value_type, } return TRUE; } - + /** * Lookup/insert an attribute pool by name */ @@ -541,11 +541,11 @@ void del_attr(char *name, char *pool, char *identity, } } else - { + { if (value_type == VALUE_ADDR) { host_t *server = host_create_from_chunk(AF_UNSPEC, blob, 0); - + fprintf(stderr, "the %s server %H%s was not found.\n", name, server, id_pool_str); server->destroy(server); @@ -630,7 +630,7 @@ void status_attr(bool hexout) if (type == attr_info[i].type) { value_type = attr_info[i].value_type; - break; + break; } } } @@ -671,8 +671,8 @@ void status_attr(bool hexout) } break; case VALUE_STRING: - printf("\"%.*s\"\n", value.len, value.ptr); - break; + printf("\"%.*s\"\n", (int)value.len, value.ptr); + break; case VALUE_HEX: default: printf(" %#B\n", &value); @@ -692,13 +692,13 @@ void show_attr(void) for (i = 0; i < countof(attr_info); i++) { char value_name[10]; - - + + snprintf(value_name, sizeof(value_name), "%N", value_type_names, attr_info[i].value_type); - - printf("%-20s --%-6s (%N", - attr_info[i].keyword, value_name, + + printf("%-20s --%-6s (%N", + attr_info[i].keyword, value_name, configuration_attribute_type_names, attr_info[i].type); if (attr_info[i].type_ip6) diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in index e4de26b60..5f6512b44 100644 --- a/src/libhydra/plugins/kernel_klips/Makefile.in +++ b/src/libhydra/plugins/kernel_klips/Makefile.in @@ -223,13 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -<<<<<<< HEAD -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -======= -ipsecgroup = @ipsecgroup@ ->>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -250,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ @@ -268,14 +264,12 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ -<<<<<<< HEAD -======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ ->>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c index f98dfcec5..ff4f0ed55 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1668,14 +1668,10 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, -<<<<<<< HEAD - u_int8_t protocol, u_int32_t reqid, mark_t mark, -======= u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, ->>>>>>> upstream/4.5.1 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, + u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { unsigned char request[PFKEY_BUFFER_SIZE]; diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c index cbfc59a10..7fe47f630 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c 
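Review bot: The new `bool esn` parameter on the KLIPS `add_sa` is accepted but nothing in the hunk acts on it, and the PF_KEY request this backend builds has no visible way to carry an ESN flag, so an SA negotiated with ESN would presumably be installed with 32-bit sequence numbers while the peer computes its ICV over 64-bit ones and traffic fails to authenticate. Rather than install a mismatched SA I would refuse it up front: `if (esn) { DBG1(DBG_KNL, "extended sequence numbers not supported by KLIPS"); return FAILED; }`. The body of `add_sa` continues past the end of the hunk, so if ESN is handled further down this is moot.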
+++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c @@ -32,15 +32,14 @@ struct private_kernel_klips_plugin_t { kernel_klips_plugin_t public; }; -<<<<<<< HEAD -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_klips_plugin_t *this) -======= +METHOD(plugin_t, get_name, char*, + private_kernel_klips_plugin_t *this) +{ + return "kernel-klips"; +} + METHOD(plugin_t, destroy, void, private_kernel_klips_plugin_t *this) ->>>>>>> upstream/4.5.1 { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); @@ -52,22 +51,17 @@ METHOD(plugin_t, destroy, void, */ plugin_t *kernel_klips_plugin_create() { -<<<<<<< HEAD - private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - -======= private_kernel_klips_plugin_t *this; INIT(this, .public = { .plugin = { + .get_name = _get_name, + .reload = (void*)return_false, .destroy = _destroy, }, }, ); ->>>>>>> upstream/4.5.1 hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index d293347cf..78dfb1b54 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -224,13 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -<<<<<<< HEAD -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -======= -ipsecgroup = @ipsecgroup@ ->>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -251,6 +245,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ @@ -269,14 +265,12 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ -<<<<<<< HEAD -======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ ->>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index bd3f4a122..8b2a1aa77 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -58,13 +58,11 @@ #endif /*IPV6_XFRM_POLICY*/ /** default priority of installed policies */ -<<<<<<< HEAD -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 -======= #define PRIO_LOW 1024 #define PRIO_HIGH 512 ->>>>>>> upstream/4.5.1 + +/** default replay window size, if not set using charon.replay_window */ +#define DEFAULT_REPLAY_WINDOW 32 /** * map the limit for bytes and packets to XFRM_INF per default @@ -353,6 +351,16 @@ struct private_kernel_netlink_ipsec_t { * whether to install routes along policies */ bool install_routes; + + /** + * Size of the replay window, in packets + */ + u_int32_t replay_window; + + /** + * Size of the replay window bitmap, in bytes + */ + u_int32_t replay_bmp; }; /** 
@@ -871,13 +879,9 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, -<<<<<<< HEAD - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, -======= u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, ->>>>>>> upstream/4.5.1 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool encap, bool inbound, + u_int16_t cpi, bool encap, bool esn, bool inbound, traffic_selector_t* src_ts, traffic_selector_t* dst_ts) { netlink_buf_t request; @@ -885,19 +889,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t, struct nlmsghdr *hdr; struct xfrm_usersa_info *sa; u_int16_t icv_size = 64; + status_t status = FAILED; /* if IPComp is used, we install an additional IPComp SA. if the cpi is 0 * we are in the recursive call below */ if (ipcomp != IPCOMP_NONE && cpi != 0) { lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; -<<<<<<< HEAD - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, -======= add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc, ->>>>>>> upstream/4.5.1 &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, - mode, ipcomp, 0, FALSE, inbound, NULL, NULL); + mode, ipcomp, 0, FALSE, FALSE, inbound, NULL, NULL); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ mode = MODE_TRANSPORT; @@ -933,10 +934,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, sa->flags |= XFRM_STATE_AF_UNSPEC; break; case MODE_BEET: -<<<<<<< HEAD -======= case MODE_TRANSPORT: ->>>>>>> upstream/4.5.1 if(src_ts && dst_ts) { sa->sel = ts2selector(src_ts, dst_ts); 
@@ -946,7 +944,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t, break; } - sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32; sa->reqid = reqid; sa->lft.soft_byte_limit = XFRM_LIMIT(lifetime->bytes.rekey); sa->lft.hard_byte_limit = XFRM_LIMIT(lifetime->bytes.life); @@ -987,17 +984,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", encryption_algorithm_names, enc_alg); - return FAILED; + goto failed; } DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); rthdr->rta_type = XFRMA_ALG_AEAD; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr); @@ -1018,17 +1015,17 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", encryption_algorithm_names, enc_alg); - return FAILED; + goto failed; } DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", encryption_algorithm_names, enc_alg, enc_key.len * 8); rthdr->rta_type = XFRMA_ALG_CRYPT; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } algo = (struct xfrm_algo*)RTA_DATA(rthdr); @@ -1047,7 +1044,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", integrity_algorithm_names, int_alg); - return FAILED; + goto failed; } DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", integrity_algorithm_names, int_alg, int_key.len * 8); 
@@ -1061,10 +1058,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_auth) + int_key.len); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr); @@ -1080,10 +1077,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr->rta_type = XFRMA_ALG_AUTH; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + int_key.len); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } algo = (struct xfrm_algo*)RTA_DATA(rthdr); @@ -1102,16 +1099,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { DBG1(DBG_KNL, "algorithm %N not supported by kernel!", ipcomp_transform_names, ipcomp); - return FAILED; + goto failed; } DBG2(DBG_KNL, " using compression algorithm %N", ipcomp_transform_names, ipcomp); rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); @@ -1128,10 +1125,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr->rta_type = XFRMA_ENCAP; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); 
@@ -1158,10 +1155,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr->rta_type = XFRMA_MARK; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } mrk = (struct xfrm_mark*)RTA_DATA(rthdr); @@ -1170,8 +1167,6 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr = XFRM_RTA_NEXT(rthdr); } -<<<<<<< HEAD -======= if (tfc) { u_int32_t *tfcpad; @@ -1179,10 +1174,10 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr->rta_type = XFRMA_TFCPAD; rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } tfcpad = (u_int32_t*)RTA_DATA(rthdr); @@ -1190,7 +1185,41 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr = XFRM_RTA_NEXT(rthdr); } ->>>>>>> upstream/4.5.1 + if (protocol != IPPROTO_COMP) + { + if (esn || this->replay_window > DEFAULT_REPLAY_WINDOW) + { + /* for ESN or larger replay windows we need the new + * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */ + struct xfrm_replay_state_esn *replay; + + rthdr->rta_type = XFRMA_REPLAY_ESN_VAL; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) + + (this->replay_window + 7) / 8); + + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); + if (hdr->nlmsg_len > sizeof(request)) + { + goto failed; + } + + replay = (struct xfrm_replay_state_esn*)RTA_DATA(rthdr); + /* bmp_len contains number uf __u32's */ + replay->bmp_len = this->replay_bmp; + replay->replay_window = this->replay_window; + + rthdr = XFRM_RTA_NEXT(rthdr); + if (esn) + { + sa->flags |= XFRM_STATE_ESN; + } + } + else + { + sa->replay_window = DEFAULT_REPLAY_WINDOW; + } + } + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { if (mark.value) 
@@ -1202,17 +1231,25 @@ METHOD(kernel_ipsec_t, add_sa, status_t, { DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); } - return FAILED; + goto failed; } - return SUCCESS; + + status = SUCCESS; + +failed: + memwipe(request, sizeof(request)); + return status; } /** - * Get the replay state (i.e. sequence numbers) of an SA. + * Get the ESN replay state (i.e. sequence numbers) of an SA. + * + * Allocates into one the replay state structure we get from the kernel. */ -static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, - u_int32_t spi, u_int8_t protocol, host_t *dst, - struct xfrm_replay_state *replay) +static void get_replay_state(private_kernel_netlink_ipsec_t *this, + u_int32_t spi, u_int8_t protocol, host_t *dst, + struct xfrm_replay_state_esn **replay_esn, + struct xfrm_replay_state **replay) { netlink_buf_t request; struct nlmsghdr *hdr, *out = NULL; @@ -1223,7 +1260,8 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", ntohl(spi)); + DBG2(DBG_KNL, "querying replay state from SAD entry with SPI %.8x", + ntohl(spi)); hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; 
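Review bot: In the new replay-window block of the netlink `add_sa`, the `else` branch hard-codes `sa->replay_window = DEFAULT_REPLAY_WINDOW;`, so a configured `charon.replay_window` smaller than 32 (including 0 to disable anti-replay on links where it is needed) is silently ignored; it should be `sa->replay_window = this->replay_window;`. The ESN branch also mixes units: the attribute is sized with `(this->replay_window + 7) / 8` bytes, while `replay->bmp_len = this->replay_bmp` is commented as a count of `__u32`s even though the new struct field is declared "in bytes", so for a window that is not a multiple of 32 the kernel will see fewer bitmap bytes than `bmp_len * 4` and is likely to reject the SA. Where `replay_bmp` is computed is outside this diff, so I cannot tell which unit is the intended one, but this attribute length, `bmp_len`, and the `replay_bmp` uses in `get_replay_state` and `update_sa` need to agree on a single one.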
@@ -1267,32 +1305,30 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, } } - if (out_aevent == NULL) - { - DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x", - ntohl(spi)); - free(out); - return FAILED; - } - - rta = XFRM_RTA(out, struct xfrm_aevent_id); - rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id); - while(RTA_OK(rta, rtasize)) + if (out_aevent) { - if (rta->rta_type == XFRMA_REPLAY_VAL && - RTA_PAYLOAD(rta) == sizeof(struct xfrm_replay_state)) + rta = XFRM_RTA(out, struct xfrm_aevent_id); + rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id); + while (RTA_OK(rta, rtasize)) { - memcpy(replay, RTA_DATA(rta), RTA_PAYLOAD(rta)); - free(out); - return SUCCESS; + if (rta->rta_type == XFRMA_REPLAY_VAL && + RTA_PAYLOAD(rta) == sizeof(**replay)) + { + *replay = malloc(RTA_PAYLOAD(rta)); + memcpy(*replay, RTA_DATA(rta), RTA_PAYLOAD(rta)); + break; + } + if (rta->rta_type == XFRMA_REPLAY_ESN_VAL && + RTA_PAYLOAD(rta) >= sizeof(**replay_esn) + this->replay_bmp) + { + *replay_esn = malloc(RTA_PAYLOAD(rta)); + memcpy(*replay_esn, RTA_DATA(rta), RTA_PAYLOAD(rta)); + break; + } + rta = RTA_NEXT(rta, rtasize); } - rta = RTA_NEXT(rta, rtasize); } - - DBG1(DBG_KNL, "unable to query replay state from SAD entry with SPI %.8x", - ntohl(spi)); free(out); - return FAILED; } METHOD(kernel_ipsec_t, query_sa, status_t, @@ -1303,6 +1339,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, struct nlmsghdr *out = NULL, *hdr; struct xfrm_usersa_id *sa_id; struct xfrm_usersa_info *sa = NULL; + status_t status = FAILED; size_t len; memset(&request, 0, sizeof(request)); @@ -1334,7 +1371,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, rthdr->rta_type = XFRMA_MARK; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { return FAILED; 
@@ -1389,13 +1426,15 @@ METHOD(kernel_ipsec_t, query_sa, status_t, if (sa == NULL) { DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; } - *bytes = sa->curlft.bytes; - + else + { + *bytes = sa->curlft.bytes; + status = SUCCESS; + } + memwipe(out, len); free(out); - return SUCCESS; + return status; } METHOD(kernel_ipsec_t, del_sa, status_t, @@ -1441,7 +1480,7 @@ METHOD(kernel_ipsec_t, del_sa, status_t, rthdr->rta_type = XFRMA_MARK; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { return FAILED; @@ -1491,8 +1530,9 @@ METHOD(kernel_ipsec_t, update_sa, status_t, struct rtattr *rta; size_t rtasize; struct xfrm_encap_tmpl* tmpl = NULL; - bool got_replay_state = FALSE; - struct xfrm_replay_state replay; + struct xfrm_replay_state *replay = NULL; + struct xfrm_replay_state_esn *replay_esn = NULL; + status_t status = FAILED; /* if IPComp is used, we first update the IPComp SA */ if (cpi) @@ -1548,22 +1588,16 @@ METHOD(kernel_ipsec_t, update_sa, status_t, if (out_sa == NULL) { DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; + goto failed; } - /* try to get the replay state */ - if (get_replay_state(this, spi, protocol, dst, &replay) == SUCCESS) - { - got_replay_state = TRUE; - } + get_replay_state(this, spi, protocol, dst, &replay_esn, &replay); /* delete the old SA (without affecting the IPComp SA) */ if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS) { DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; + goto failed; } DBG2(DBG_KNL, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H", 
@@ -1613,10 +1647,10 @@ METHOD(kernel_ipsec_t, update_sa, status_t, rta->rta_type = XFRMA_ENCAP; rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); - hdr->nlmsg_len += rta->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rta->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rta); @@ -1628,30 +1662,56 @@ METHOD(kernel_ipsec_t, update_sa, status_t, rta = XFRM_RTA_NEXT(rta); } - if (got_replay_state) - { /* copy the replay data if available */ + if (replay_esn) + { + rta->rta_type = XFRMA_REPLAY_ESN_VAL; + rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state_esn) + + this->replay_bmp); + + hdr->nlmsg_len += RTA_ALIGN(rta->rta_len); + if (hdr->nlmsg_len > sizeof(request)) + { + goto failed; + } + memcpy(RTA_DATA(rta), replay_esn, + sizeof(struct xfrm_replay_state_esn) + this->replay_bmp); + + rta = XFRM_RTA_NEXT(rta); + } + else if (replay) + { rta->rta_type = XFRMA_REPLAY_VAL; rta->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state)); - hdr->nlmsg_len += rta->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rta->rta_len); if (hdr->nlmsg_len > sizeof(request)) { - return FAILED; + goto failed; } - memcpy(RTA_DATA(rta), &replay, sizeof(replay)); + memcpy(RTA_DATA(rta), replay, sizeof(replay)); rta = XFRM_RTA_NEXT(rta); } + else + { + DBG1(DBG_KNL, "unable to copy replay state from old SAD entry " + "with SPI %.8x", ntohl(spi)); + } if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { DBG1(DBG_KNL, "unable to update SAD entry with SPI %.8x", ntohl(spi)); - free(out); - return FAILED; + goto failed; } + + status = SUCCESS; +failed: + free(replay); + free(replay_esn); + memwipe(out, len); free(out); - return SUCCESS; + return status; } METHOD(kernel_ipsec_t, add_policy, status_t, 
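Review bot: `memcpy(RTA_DATA(rta), replay, sizeof(replay));` in the XFRMA_REPLAY_VAL branch copies only a pointer's worth of bytes: `replay` changed from a struct to a `struct xfrm_replay_state *` in the declaration hunk above, so `sizeof(replay)` is 4 or 8 rather than sizeof(struct xfrm_replay_state), while the attribute is still declared with the full struct length. The sequence numbers and bitmap beyond those bytes are never written, so the re-added SA carries whatever the request buffer held there and its anti-replay window is effectively reset without any error being reported. Use `memcpy(RTA_DATA(rta), replay, sizeof(*replay));`. The ESN branch above is correct only because it spells the length out.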
@@ -1725,13 +1785,6 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); policy_info->sel = policy->sel; policy_info->dir = policy->direction; -<<<<<<< HEAD - /* calculate priority based on source selector size, small size = high prio */ - policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH; - policy_info->priority -= policy->sel.prefixlen_s * 10; - policy_info->priority -= policy->sel.proto ? 2 : 0; - policy_info->priority -= policy->sel.sport_mask ? 1 : 0; -======= /* calculate priority based on selector size, small size = high prio */ policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH; @@ -1742,7 +1795,6 @@ METHOD(kernel_ipsec_t, add_policy, status_t, policy->sel.dport_mask ? 0 : 2; policy_info->priority += policy->sel.proto ? 0 : 1; ->>>>>>> upstream/4.5.1 policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW : XFRM_POLICY_BLOCK; policy_info->share = XFRM_SHARE_ANY; @@ -1784,7 +1836,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, } rthdr->rta_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); - hdr->nlmsg_len += RTA_LENGTH(sizeof(struct xfrm_user_tmpl)); + hdr->nlmsg_len += RTA_ALIGN(RTA_LENGTH(sizeof(struct xfrm_user_tmpl))); if (hdr->nlmsg_len > sizeof(request)) { return FAILED; @@ -1820,7 +1872,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t, rthdr->rta_type = XFRMA_MARK; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { return FAILED; @@ -1864,11 +1916,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, if (route->if_name) { -<<<<<<< HEAD -======= DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s", src_ts, route->gateway, route->src_ip, route->if_name); ->>>>>>> upstream/4.5.1 switch (hydra->kernel_interface->add_route( hydra->kernel_interface, route->dst_net, route->prefixlen, route->gateway, 
@@ -1942,7 +1991,7 @@ METHOD(kernel_ipsec_t, query_policy, status_t, rthdr->rta_type = XFRMA_MARK; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { return FAILED; @@ -2084,7 +2133,7 @@ METHOD(kernel_ipsec_t, del_policy, status_t, rthdr->rta_type = XFRMA_MARK; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); - hdr->nlmsg_len += rthdr->rta_len; + hdr->nlmsg_len += RTA_ALIGN(rthdr->rta_len); if (hdr->nlmsg_len > sizeof(request)) { return FAILED; @@ -2225,10 +2274,14 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create() (hashtable_equals_t)policy_equals, 32), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .install_routes = lib->settings->get_bool(lib->settings, - "%s.install_routes", TRUE, - hydra->daemon), + "%s.install_routes", TRUE, hydra->daemon), + .replay_window = lib->settings->get_int(lib->settings, + "%s.replay_window", DEFAULT_REPLAY_WINDOW, hydra->daemon), ); + this->replay_bmp = (this->replay_window + sizeof(u_int32_t) * 8 - 1) / + (sizeof(u_int32_t) * 8); + if (streq(hydra->daemon, "pluto")) { /* no routes for pluto, they are installed via updown script */ this->install_routes = FALSE; diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c index 314c1acc1..8315ed310 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c @@ -350,7 +350,7 @@ static void process_link(private_kernel_netlink_net_t *this, entry->addrs = linked_list_create(); this->ifaces->insert_last(this->ifaces, entry); } - memcpy(entry->ifname, name, IFNAMSIZ); + strncpy(entry->ifname, name, IFNAMSIZ); entry->ifname[IFNAMSIZ-1] = '\0'; if (event) { 
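Review bot: `.replay_window` is taken straight from the settings and fed unchecked into the `this->replay_bmp` arithmetic two lines below; the member's type is declared outside this view, but a negative or absurd value in strongswan.conf either wraps in that unsigned expression or yields an enormous bitmap, and the only thing that catches it later is the generic `nlmsg_len > sizeof(request)` failure in add_sa/update_sa. A range check at construction that logs a DBG1 and falls back to DEFAULT_REPLAY_WINDOW when the configured value is negative or larger than what fits into a netlink_buf_t would make the misconfiguration visible at startup instead of as an SA install failure.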
@@ -534,6 +534,7 @@ static void process_route(private_kernel_netlink_net_t *this, struct nlmsghdr *h switch (rta->rta_type) { case RTA_PREFSRC: + DESTROY_IF(host); host = host_create_from_chunk(msg->rtm_family, chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta)), 0); break; @@ -652,7 +653,8 @@ static void address_enumerator_destroy(address_enumerator_t *data) /** * filter for addresses */ -static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out) +static bool filter_addresses(address_enumerator_t *data, + addr_entry_t** in, host_t** out) { if (!data->include_virtual_ips && (*in)->virtual) { /* skip virtual interfaces added by us */ @@ -669,16 +671,19 @@ static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host /** * enumerator constructor for interfaces */ -static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data) +static enumerator_t *create_iface_enumerator(iface_entry_t *iface, + address_enumerator_t *data) { - return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs), + return enumerator_create_filter( + iface->addrs->create_enumerator(iface->addrs), (void*)filter_addresses, data, NULL); } /** * filter for interfaces */ -static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out) +static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, + iface_entry_t** out) { if (!data->include_down_ifaces && !((*in)->flags & IFF_UP)) { /* skip interfaces not up */ 
@@ -688,11 +693,9 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, if return TRUE; } -/** - * implementation of kernel_net_t.create_address_enumerator - */ -static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *this, - bool include_down_ifaces, bool include_virtual_ips) +METHOD(kernel_net_t, create_address_enumerator, enumerator_t*, + private_kernel_netlink_net_t *this, + bool include_down_ifaces, bool include_virtual_ips) { address_enumerator_t *data = malloc_thing(address_enumerator_t); data->this = this; @@ -701,15 +704,15 @@ static enumerator_t *create_address_enumerator(private_kernel_netlink_net_t *thi this->mutex->lock(this->mutex); return enumerator_create_nested( - enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), - (void*)filter_interfaces, data, NULL), - (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy); + enumerator_create_filter( + this->ifaces->create_enumerator(this->ifaces), + (void*)filter_interfaces, data, NULL), + (void*)create_iface_enumerator, data, + (void*)address_enumerator_destroy); } -/** - * implementation of kernel_net_t.get_interface_name - */ -static char *get_interface_name(private_kernel_netlink_net_t *this, host_t* ip) +METHOD(kernel_net_t, get_interface_name, char*, + private_kernel_netlink_net_t *this, host_t* ip) { enumerator_t *ifaces, *addrs; iface_entry_t *iface; 
@@ -1036,19 +1039,14 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest, return src; } -/** - * Implementation of kernel_net_t.get_source_addr. - */ -static host_t* get_source_addr(private_kernel_netlink_net_t *this, - host_t *dest, host_t *src) +METHOD(kernel_net_t, get_source_addr, host_t*, + private_kernel_netlink_net_t *this, host_t *dest, host_t *src) { return get_route(this, dest, FALSE, src); } -/** - * Implementation of kernel_net_t.get_nexthop. - */ -static host_t* get_nexthop(private_kernel_netlink_net_t *this, host_t *dest) +METHOD(kernel_net_t, get_nexthop, host_t*, + private_kernel_netlink_net_t *this, host_t *dest) { return get_route(this, dest, TRUE, NULL); } @@ -1086,11 +1084,8 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type return this->socket->send_ack(this->socket, hdr); } -/** - * Implementation of kernel_net_t.add_ip. - */ -static status_t add_ip(private_kernel_netlink_net_t *this, - host_t *virtual_ip, host_t *iface_ip) +METHOD(kernel_net_t, add_ip, status_t, + private_kernel_netlink_net_t *this, host_t *virtual_ip, host_t *iface_ip) { iface_entry_t *iface; addr_entry_t *addr; @@ -1165,10 +1160,8 @@ static status_t add_ip(private_kernel_netlink_net_t *this, return FAILED; } -/** - * Implementation of kernel_net_t.del_ip. - */ -static status_t del_ip(private_kernel_netlink_net_t *this, host_t *virtual_ip) +METHOD(kernel_net_t, del_ip, status_t, + private_kernel_netlink_net_t *this, host_t *virtual_ip) { iface_entry_t *iface; addr_entry_t *addr; 
@@ -1296,21 +1289,17 @@ static status_t manage_srcroute(private_kernel_netlink_net_t *this, int nlmsg_ty return this->socket->send_ack(this->socket, hdr); } -/** - * Implementation of kernel_net_t.add_route. - */ -static status_t add_route(private_kernel_netlink_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +METHOD(kernel_net_t, add_route, status_t, + private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, dst_net, prefixlen, gateway, src_ip, if_name); } -/** - * Implementation of kernel_net_t.del_route. - */ -static status_t del_route(private_kernel_netlink_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +METHOD(kernel_net_t, del_route, status_t, + private_kernel_netlink_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + host_t *gateway, host_t *src_ip, char *if_name) { return manage_srcroute(this, RTM_DELROUTE, 0, dst_net, prefixlen, gateway, src_ip, if_name); @@ -1441,10 +1430,8 @@ static status_t manage_rule(private_kernel_netlink_net_t *this, int nlmsg_type, return this->socket->send_ack(this->socket, hdr); } -/** - * Implementation of kernel_netlink_net_t.destroy. - */ -static void destroy(private_kernel_netlink_net_t *this) +METHOD(kernel_net_t, destroy, void, + private_kernel_netlink_net_t *this) { if (this->routing_table) { 
@@ -1474,37 +1461,41 @@ static void destroy(private_kernel_netlink_net_t *this) */ kernel_netlink_net_t *kernel_netlink_net_create() { - private_kernel_netlink_net_t *this = malloc_thing(private_kernel_netlink_net_t); + private_kernel_netlink_net_t *this; struct sockaddr_nl addr; enumerator_t *enumerator; char *exclude; - /* public functions */ - this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name; - this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator; - this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr; - this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop; - this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip; - this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip; - this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route; - this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route; - this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy; - - /* private members */ - this->ifaces = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); + INIT(this, + .public = { + .interface = { + .get_interface = _get_interface_name, + .create_address_enumerator = _create_address_enumerator, + .get_source_addr = _get_source_addr, + .get_nexthop = _get_nexthop, + .add_ip = _add_ip, + .del_ip = _del_ip, + .add_route = _add_route, + .del_route = _del_route, + .destroy = _destroy, + }, + }, + .socket = netlink_socket_create(NETLINK_ROUTE), + .rt_exclude = linked_list_create(), + .ifaces = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .routing_table = 
lib->settings->get_int(lib->settings, + "%s.routing_table", ROUTING_TABLE, hydra->daemon), + .routing_table_prio = lib->settings->get_int(lib->settings, + "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon), + .process_route = lib->settings->get_bool(lib->settings, + "%s.process_route", TRUE, hydra->daemon), + .install_virtual_ip = lib->settings->get_bool(lib->settings, + "%s.install_virtual_ip", TRUE, hydra->daemon), + ); timerclear(&this->last_roam); - this->routing_table = lib->settings->get_int(lib->settings, - "%s.routing_table", ROUTING_TABLE, hydra->daemon); - this->routing_table_prio = lib->settings->get_int(lib->settings, - "%s.routing_table_prio", ROUTING_TABLE_PRIO, hydra->daemon); - this->process_route = lib->settings->get_bool(lib->settings, - "%s.process_route", TRUE, hydra->daemon); - this->install_virtual_ip = lib->settings->get_bool(lib->settings, - "%s.install_virtual_ip", TRUE, hydra->daemon); - - this->rt_exclude = linked_list_create(); + exclude = lib->settings->get_str(lib->settings, "%s.ignore_routing_tables", NULL, hydra->daemon); if (exclude) @@ -1526,9 +1517,6 @@ kernel_netlink_net_t *kernel_netlink_net_create() enumerator->destroy(enumerator); } - this->socket = netlink_socket_create(NETLINK_ROUTE); - this->job = NULL; - memset(&addr, 0, sizeof(addr)); addr.nl_family = AF_NETLINK; diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c index b75a2be80..779466472 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c 
@@ -33,15 +33,14 @@ struct private_kernel_netlink_plugin_t { kernel_netlink_plugin_t public; }; -<<<<<<< HEAD -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_netlink_plugin_t *this) -======= +METHOD(plugin_t, get_name, char*, + private_kernel_netlink_plugin_t *this) +{ + return "kernel-netlink"; +} + METHOD(plugin_t, destroy, void, private_kernel_netlink_plugin_t *this) ->>>>>>> upstream/4.5.1 { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); @@ -55,22 +54,17 @@ METHOD(plugin_t, destroy, void, */ plugin_t *kernel_netlink_plugin_create() { -<<<<<<< HEAD - private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - -======= private_kernel_netlink_plugin_t *this; INIT(this, .public = { .plugin = { + .get_name = _get_name, + .reload = (void*)return_false, .destroy = _destroy, }, }, ); ->>>>>>> upstream/4.5.1 hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); hydra->kernel_interface->add_net_interface(hydra->kernel_interface, diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index 3f2976959..251483017 100644 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -223,13 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -<<<<<<< HEAD -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -======= -ipsecgroup = @ipsecgroup@ ->>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -250,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ @@ -268,14 +264,12 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ -<<<<<<< HEAD -======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ ->>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index 69d0da6e5..b252b7092 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c @@ -99,13 +99,8 @@ #endif /** default priority of installed policies */ -<<<<<<< HEAD -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 -======= #define PRIO_LOW 1024 #define PRIO_HIGH 512 ->>>>>>> upstream/4.5.1 #ifdef __APPLE__ /** from xnu/bsd/net/pfkeyv2.h */ @@ -1211,14 +1206,10 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, -<<<<<<< HEAD - u_int8_t protocol, u_int32_t reqid, mark_t mark, -======= u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, ->>>>>>> upstream/4.5.1 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, - u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, + u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { unsigned char request[PFKEY_BUFFER_SIZE]; 
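Review bot: The pfkey add_sa signature gains `bool esn`, mirroring the netlink backend, but nothing in this hunk uses it and the function body lies beyond the hunk. If PF_KEY on the platforms this backend serves has no way to request an extended-sequence-number SA, `esn == TRUE` should be refused rather than silently installing a 32-bit-sequence-number SA for a peer that negotiated ESN, since the two ends would then disagree on the ICV computation and on replay handling. A guard at the top of the body, `if (esn) { DBG1(DBG_KNL, "ESN not supported by PF_KEY"); return FAILED; }`, or a comment stating where esn is honoured, would settle this.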
@@ -1660,13 +1651,6 @@ METHOD(kernel_ipsec_t, add_policy, status_t, pol->sadb_x_policy_dir = dir2kernel(direction); pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC; #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY -<<<<<<< HEAD - /* calculate priority based on source selector size, small size = high prio */ - pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; - pol->sadb_x_policy_priority -= policy->src.mask * 10; - pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0; - pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0; -======= /* calculate priority based on selector size, small size = high prio */ pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH; pol->sadb_x_policy_priority -= policy->src.mask; @@ -1675,7 +1659,6 @@ METHOD(kernel_ipsec_t, add_policy, status_t, pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) || policy->dst.net->get_port(policy->dst.net) ? 0 : 2; pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1; ->>>>>>> upstream/4.5.1 #endif /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c index e2ed954fb..842511181 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c 
@@ -32,15 +32,14 @@ struct private_kernel_pfkey_plugin_t { kernel_pfkey_plugin_t public; }; -<<<<<<< HEAD -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_pfkey_plugin_t *this) -======= +METHOD(plugin_t, get_name, char*, + private_kernel_pfkey_plugin_t *this) +{ + return "kernel-pfkey"; +} + METHOD(plugin_t, destroy, void, private_kernel_pfkey_plugin_t *this) ->>>>>>> upstream/4.5.1 { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); @@ -52,22 +51,17 @@ METHOD(plugin_t, destroy, void, */ plugin_t *kernel_pfkey_plugin_create() { -<<<<<<< HEAD - private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - -======= private_kernel_pfkey_plugin_t *this; INIT(this, .public = { .plugin = { + .get_name = _get_name, + .reload = (void*)return_false, .destroy = _destroy, }, }, ); ->>>>>>> upstream/4.5.1 hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index 24f8ffc4e..b7e12561d 100644 --- a/src/libhydra/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in @@ -223,13 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -<<<<<<< HEAD -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -======= -ipsecgroup = @ipsecgroup@ ->>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -250,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ 
@@ -268,14 +264,12 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ -<<<<<<< HEAD -======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ ->>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c index 59fc915fd..fca46bfd2 100644 --- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_net.c @@ -412,7 +412,8 @@ static void address_enumerator_destroy(address_enumerator_t *data) /** * filter for addresses */ -static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host_t** out) +static bool filter_addresses(address_enumerator_t *data, + addr_entry_t** in, host_t** out) { host_t *ip; if (!data->include_virtual_ips && (*in)->virtual) @@ -435,7 +436,8 @@ static bool filter_addresses(address_enumerator_t *data, addr_entry_t** in, host /** * enumerator constructor for interfaces */ -static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enumerator_t *data) +static enumerator_t *create_iface_enumerator(iface_entry_t *iface, + address_enumerator_t *data) { return enumerator_create_filter(iface->addrs->create_enumerator(iface->addrs), (void*)filter_addresses, data, NULL); 
@@ -444,7 +446,8 @@ static enumerator_t *create_iface_enumerator(iface_entry_t *iface, address_enume /** * filter for interfaces */ -static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, iface_entry_t** out) +static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, + iface_entry_t** out) { if (!data->include_down_ifaces && !((*in)->flags & IFF_UP)) { /* skip interfaces not up */ @@ -454,11 +457,9 @@ static bool filter_interfaces(address_enumerator_t *data, iface_entry_t** in, if return TRUE; } -/** - * implementation of kernel_net_t.create_address_enumerator - */ -static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *this, - bool include_down_ifaces, bool include_virtual_ips) +METHOD(kernel_net_t, create_address_enumerator, enumerator_t*, + private_kernel_pfroute_net_t *this, + bool include_down_ifaces, bool include_virtual_ips) { address_enumerator_t *data = malloc_thing(address_enumerator_t); data->this = this; @@ -467,15 +468,15 @@ static enumerator_t *create_address_enumerator(private_kernel_pfroute_net_t *thi this->mutex->lock(this->mutex); return enumerator_create_nested( - enumerator_create_filter(this->ifaces->create_enumerator(this->ifaces), - (void*)filter_interfaces, data, NULL), - (void*)create_iface_enumerator, data, (void*)address_enumerator_destroy); + enumerator_create_filter( + this->ifaces->create_enumerator(this->ifaces), + (void*)filter_interfaces, data, NULL), + (void*)create_iface_enumerator, data, + (void*)address_enumerator_destroy); } -/** - * implementation of kernel_net_t.get_interface_name - */ -static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip) +METHOD(kernel_net_t, get_interface_name, char*, + private_kernel_pfroute_net_t *this, host_t* ip) { enumerator_t *ifaces, *addrs; iface_entry_t *iface; 
@@ -517,54 +518,40 @@ static char *get_interface_name(private_kernel_pfroute_net_t *this, host_t* ip) return name; } -/** - * Implementation of kernel_net_t.get_source_addr. - */ -static host_t* get_source_addr(private_kernel_pfroute_net_t *this, - host_t *dest, host_t *src) +METHOD(kernel_net_t, get_source_addr, host_t*, + private_kernel_pfroute_net_t *this, host_t *dest, host_t *src) { return NULL; } -/** - * Implementation of kernel_net_t.get_nexthop. - */ -static host_t* get_nexthop(private_kernel_pfroute_net_t *this, host_t *dest) +METHOD(kernel_net_t, get_nexthop, host_t*, + private_kernel_pfroute_net_t *this, host_t *dest) { return NULL; } -/** - * Implementation of kernel_net_t.add_ip. - */ -static status_t add_ip(private_kernel_pfroute_net_t *this, - host_t *virtual_ip, host_t *iface_ip) +METHOD(kernel_net_t, add_ip, status_t, + private_kernel_pfroute_net_t *this, host_t *virtual_ip, host_t *iface_ip) { return FAILED; } -/** - * Implementation of kernel_net_t.del_ip. - */ -static status_t del_ip(private_kernel_pfroute_net_t *this, host_t *virtual_ip) +METHOD(kernel_net_t, del_ip, status_t, + private_kernel_pfroute_net_t *this, host_t *virtual_ip) { return FAILED; } -/** - * Implementation of kernel_net_t.add_route. - */ -static status_t add_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +METHOD(kernel_net_t, add_route, status_t, + private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + host_t *gateway, host_t *src_ip, char *if_name) { return FAILED; } -/** - * Implementation of kernel_net_t.del_route. - */ -static status_t del_route(private_kernel_pfroute_net_t *this, chunk_t dst_net, - u_int8_t prefixlen, host_t *gateway, host_t *src_ip, char *if_name) +METHOD(kernel_net_t, del_route, status_t, + private_kernel_pfroute_net_t *this, chunk_t dst_net, u_int8_t prefixlen, + host_t *gateway, host_t *src_ip, char *if_name) { return FAILED; } 
@@ -658,10 +645,8 @@ static status_t init_address_list(private_kernel_pfroute_net_t *this) return SUCCESS; } -/** - * Implementation of kernel_netlink_net_t.destroy. - */ -static void destroy(private_kernel_pfroute_net_t *this) +METHOD(kernel_net_t, destroy, void, + private_kernel_pfroute_net_t *this) { if (this->job) { 
@@ -686,28 +671,26 @@ static void destroy(private_kernel_pfroute_net_t *this)
 */
 kernel_pfroute_net_t *kernel_pfroute_net_create()
 {
- private_kernel_pfroute_net_t *this = malloc_thing(private_kernel_pfroute_net_t);
-
- /* public functions */
- this->public.interface.get_interface = (char*(*)(kernel_net_t*,host_t*))get_interface_name;
- this->public.interface.create_address_enumerator = (enumerator_t*(*)(kernel_net_t*,bool,bool))create_address_enumerator;
- this->public.interface.get_source_addr = (host_t*(*)(kernel_net_t*, host_t *dest, host_t *src))get_source_addr;
- this->public.interface.get_nexthop = (host_t*(*)(kernel_net_t*, host_t *dest))get_nexthop;
- this->public.interface.add_ip = (status_t(*)(kernel_net_t*,host_t*,host_t*)) add_ip;
- this->public.interface.del_ip = (status_t(*)(kernel_net_t*,host_t*)) del_ip;
- this->public.interface.add_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) add_route;
- this->public.interface.del_route = (status_t(*)(kernel_net_t*,chunk_t,u_int8_t,host_t*,host_t*,char*)) del_route;
-
- this->public.interface.destroy = (void(*)(kernel_net_t*)) destroy;
-
- /* private members */
- this->ifaces = linked_list_create();
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
-
- this->seq = 0;
- this->socket_events = 0;
- this->job = NULL;
+ private_kernel_pfroute_net_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_interface = _get_interface_name,
+ .create_address_enumerator = _create_address_enumerator,
+ .get_source_addr = _get_source_addr,
+ .get_nexthop = _get_nexthop,
+ .add_ip = _add_ip,
+ .del_ip = _del_ip,
+ .add_route = _add_route,
+ .del_route = _del_route,
+ .destroy = _destroy,
+ },
+ },
+ .ifaces = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
 
 /* create a PF_ROUTE socket to communicate with the kernel */
 this->socket = socket(PF_ROUTE, SOCK_RAW,
AF_UNSPEC);
diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
index bae3a2ac6..680caa5d0 100644
--- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
+++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c
@@ -32,15 +32,14 @@ struct private_kernel_pfroute_plugin_t {
 kernel_pfroute_plugin_t public;
 };
 
-<<<<<<< HEAD
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_kernel_pfroute_plugin_t *this)
-=======
+METHOD(plugin_t, get_name, char*,
+ private_kernel_pfroute_plugin_t *this)
+{
+ return "kernel-pfroute";
+}
+
 METHOD(plugin_t, destroy, void,
 private_kernel_pfroute_plugin_t *this)
->>>>>>> upstream/4.5.1
 {
 hydra->kernel_interface->remove_net_interface(hydra->kernel_interface,
 (kernel_net_constructor_t)kernel_pfroute_net_create);
@@ -52,22 +51,17 @@ METHOD(plugin_t, destroy, void,
 */
 plugin_t *kernel_pfroute_plugin_create()
 {
-<<<<<<< HEAD
- private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
-=======
 private_kernel_pfroute_plugin_t *this;
 
 INIT(this,
 .public = {
 .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
 .destroy = _destroy,
 },
 },
 );
->>>>>>> upstream/4.5.1
 
 hydra->kernel_interface->add_net_interface(hydra->kernel_interface,
 (kernel_net_constructor_t)kernel_pfroute_net_create);
diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in
index 646d1dba9..d3cda309a 100644
--- a/src/libhydra/plugins/resolve/Makefile.in
+++ b/src/libhydra/plugins/resolve/Makefile.in
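Review bot: The INIT block in kernel_pfroute_net_create no longer sets seq, socket_events and job, which the removed code initialised explicitly; this is only correct if INIT zero-fills every member not named in the designated initialiser (as a compound-literal initialiser would), and a comment such as `/* seq, socket_events and job rely on INIT zero-initialising unnamed members */` would make that dependence visible to the next person who adds a field. The results of linked_list_create() and mutex_create() are still stored without a check, as before; if those constructors can return NULL, the destroy path needs to tolerate it. The function continues past the hunk with the socket() call, whose result handling is not visible here.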
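Review bot: `.reload = (void*)return_false` in kernel_pfroute_plugin_create converts a function pointer through void* and installs a callback whose real signature differs from plugin_t.reload; ISO C guarantees neither conversion, although both work on the ABIs this code targets, and the same idiom appears in resolve_plugin_create in the last hunk of this diff. If the project accepts the idiom, a comment at this first use, `/* reload unsupported: return_false stands in for a typed reload method */`, would mark it as intentional; otherwise a small `METHOD(plugin_t, reload, bool, ...)` returning FALSE avoids the cast and is type-checked. The removed side of both hunks shows unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> upstream/4.5.1`) that this merge cleans up; since they also occur in the Makefile.in hunks, it may be worth checking the rest of the tree for leftovers.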
@@ -222,13 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-<<<<<<< HEAD
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-=======
-ipsecgroup = @ipsecgroup@
->>>>>>> upstream/4.5.1
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -249,6 +243,8 @@ nm_ca_dir = @nm_ca_dir@
 oldincludedir = @oldincludedir@
 openac_plugins = @openac_plugins@
 p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
 piddir = @piddir@
 pki_plugins = @pki_plugins@
@@ -267,14 +263,12 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
-<<<<<<< HEAD
-=======
 soup_CFLAGS = @soup_CFLAGS@
 soup_LIBS = @soup_LIBS@
->>>>>>> upstream/4.5.1
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
 target_alias = @target_alias@
 top_build_prefix = @top_build_prefix@
 top_builddir = @top_builddir@
diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c
index cdc639038..feb2fd05a 100644
--- a/src/libhydra/plugins/resolve/resolve_handler.c
+++ b/src/libhydra/plugins/resolve/resolve_handler.c
@@ -116,7 +116,7 @@ static void release(private_resolve_handler_t *this, identification_t *server,
 configuration_attribute_type_t type, chunk_t data)
 {
 FILE *in, *out;
- char line[1024], matcher[512], *pos;
+ char line[1024], matcher[512];
 host_t *addr;
 int family;
 
@@ -148,7 +148,7 @@ static void release(private_resolve_handler_t *this, identification_t *server,
 addr, server);
 
 /* copy all, but matching line */
- while ((pos = fgets(line, sizeof(line), in)))
+ while (fgets(line, sizeof(line), in))
 {
 if (strneq(line, matcher, strlen(matcher)))
 {
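Review bot: The fgets loop that the second resolve_handler.c hunk simplifies reads at most sizeof(line) - 1 bytes per call, so a line in the resolver file longer than 1023 bytes arrives in several pieces and only the first piece is compared against matcher; if the non-matching branch, which lies outside the hunk, copies line to out, the tail of a matched over-long line would survive in the rewritten file. Dropping the unused pos is fine, but the limit deserves a comment such as `/* lines longer than sizeof(line) are split by fgets; only the first piece is matched */`, or the loop should remember whether the previous piece ended without a newline and skip its continuation. The body of release continues outside the hunk, so the write side of the loop could not be checked here.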
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c
index c60521cd1..d23d36127 100644
--- a/src/libhydra/plugins/resolve/resolve_plugin.c
+++ b/src/libhydra/plugins/resolve/resolve_plugin.c
@@ -36,15 +36,14 @@ struct private_resolve_plugin_t {
 resolve_handler_t *handler;
 };
 
-<<<<<<< HEAD
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_resolve_plugin_t *this)
-=======
+METHOD(plugin_t, get_name, char*,
+ private_resolve_plugin_t *this)
+{
+ return "resolve";
+}
+
 METHOD(plugin_t, destroy, void,
 private_resolve_plugin_t *this)
->>>>>>> upstream/4.5.1
 {
 hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
 this->handler->destroy(this->handler);
@@ -56,23 +55,18 @@ METHOD(plugin_t, destroy, void,
 */
 plugin_t *resolve_plugin_create()
 {
-<<<<<<< HEAD
- private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
- this->handler = resolve_handler_create();
-=======
 private_resolve_plugin_t *this;
 
 INIT(this,
 .public = {
 .plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
 .destroy = _destroy,
 },
 },
 .handler = resolve_handler_create(),
 );
->>>>>>> upstream/4.5.1
 
 hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
 return &this->public.plugin;
|