diff options
author | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2016-03-24 11:59:32 +0100 |
commit | 518dd33c94e041db0444c7d1f33da363bb8e3faf (patch) | |
tree | e8d1665ffadff7ec40228dda47e81f8f4691cd07 /src/libstrongswan | |
parent | f42f239a632306ed082f6fde878977248eea85cf (diff) | |
download | vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.tar.gz vyos-strongswan-518dd33c94e041db0444c7d1f33da363bb8e3faf.zip |
Imported Upstream version 5.4.0
Diffstat (limited to 'src/libstrongswan')
101 files changed, 3081 insertions, 886 deletions
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index db3da8e15..da5f34e87 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -21,7 +21,8 @@ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ -credentials/certificates/ocsp_response.c \ +credentials/certificates/ocsp_response.c credentials/certificates/x509.c \ +credentials/certificates/certificate_printer.c \ credentials/containers/container.c credentials/containers/pkcs12.c \ credentials/credential_manager.c \ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index ed3b85dd4..0bac61b44 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -19,7 +19,8 @@ credentials/credential_factory.c credentials/builder.c \ credentials/cred_encoding.c credentials/keys/private_key.c \ credentials/keys/public_key.c credentials/keys/shared_key.c \ credentials/certificates/certificate.c credentials/certificates/crl.c \ -credentials/certificates/ocsp_response.c \ +credentials/certificates/ocsp_response.c credentials/certificates/x509.c \ +credentials/certificates/certificate_printer.c \ credentials/containers/container.c credentials/containers/pkcs12.c \ credentials/credential_manager.c \ credentials/sets/auth_cfg_wrapper.c credentials/sets/ocsp_response_wrapper.c \ @@ -83,6 +84,7 @@ credentials/certificates/ac.h credentials/certificates/crl.h \ credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \ credentials/certificates/ocsp_response.h \ credentials/certificates/pgp_certificate.h \ +credentials/certificates/certificate_printer.h \ credentials/containers/container.h credentials/containers/pkcs7.h \ credentials/containers/pkcs12.h \ credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \ diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 284960f5c..d88c96f03 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -322,6 +322,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ + credentials/certificates/x509.c \ + credentials/certificates/certificate_printer.c \ credentials/containers/container.c \ credentials/containers/pkcs12.c \ credentials/credential_manager.c \ @@ -407,6 +409,8 @@ am_libstrongswan_la_OBJECTS = library.lo asn1/asn1.lo \ credentials/certificates/certificate.lo \ credentials/certificates/crl.lo \ credentials/certificates/ocsp_response.lo \ + credentials/certificates/x509.lo \ + credentials/certificates/certificate_printer.lo \ credentials/containers/container.lo \ credentials/containers/pkcs12.lo \ credentials/credential_manager.lo \ @@ -539,6 +543,7 @@ am__nobase_strongswan_include_HEADERS_DIST = library.h asn1/asn1.h \ credentials/certificates/ocsp_request.h \ credentials/certificates/ocsp_response.h \ credentials/certificates/pgp_certificate.h \ + credentials/certificates/certificate_printer.h \ credentials/containers/container.h \ credentials/containers/pkcs7.h credentials/containers/pkcs12.h \ credentials/credential_manager.h \ @@ -865,6 +870,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ @@ -900,6 +907,8 @@ libstrongswan_la_SOURCES = library.c asn1/asn1.c asn1/asn1_parser.c \ credentials/certificates/certificate.c \ credentials/certificates/crl.c \ credentials/certificates/ocsp_response.c \ + credentials/certificates/x509.c \ + credentials/certificates/certificate_printer.c \ credentials/containers/container.c \ credentials/containers/pkcs12.c \ credentials/credential_manager.c \ @@ -961,6 +970,7 @@ settings/settings_types.h @USE_DEV_HEADERS_TRUE@credentials/certificates/pkcs10.h credentials/certificates/ocsp_request.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/ocsp_response.h \ @USE_DEV_HEADERS_TRUE@credentials/certificates/pgp_certificate.h \ +@USE_DEV_HEADERS_TRUE@credentials/certificates/certificate_printer.h \ @USE_DEV_HEADERS_TRUE@credentials/containers/container.h credentials/containers/pkcs7.h \ @USE_DEV_HEADERS_TRUE@credentials/containers/pkcs12.h \ @USE_DEV_HEADERS_TRUE@credentials/credential_manager.h credentials/sets/auth_cfg_wrapper.h \ @@ -1341,6 +1351,12 @@ credentials/certificates/crl.lo: \ credentials/certificates/ocsp_response.lo: \ credentials/certificates/$(am__dirstamp) \ credentials/certificates/$(DEPDIR)/$(am__dirstamp) +credentials/certificates/x509.lo: \ + credentials/certificates/$(am__dirstamp) \ + credentials/certificates/$(DEPDIR)/$(am__dirstamp) +credentials/certificates/certificate_printer.lo: \ + credentials/certificates/$(am__dirstamp) \ + credentials/certificates/$(DEPDIR)/$(am__dirstamp) credentials/containers/$(am__dirstamp): @$(MKDIR_P) credentials/containers @: > credentials/containers/$(am__dirstamp) @@ -1735,8 +1751,10 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@credentials/$(DEPDIR)/credential_factory.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/$(DEPDIR)/credential_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/certificate.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/certificate_printer.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/crl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/ocsp_response.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@credentials/certificates/$(DEPDIR)/x509.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/container.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/containers/$(DEPDIR)/pkcs12.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@credentials/keys/$(DEPDIR)/private_key.Plo@am__quote@ diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h index 7a48292af..8ac005610 100644 --- a/src/libstrongswan/asn1/asn1.h +++ b/src/libstrongswan/asn1/asn1.h @@ -26,6 +26,7 @@ #include <stdarg.h> #include <library.h> +#include <asn1/asn1.h> /** * Definition of some primitive ASN1 types diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c index a088b0527..ed953d482 100644 --- a/src/libstrongswan/asn1/oid.c +++ b/src/libstrongswan/asn1/oid.c @@ -28,8 +28,8 @@ const oid_t oid_names[] = { { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ { 0x01, 17, 0, 9, "UID" }, /* 16 */ { 0x19, 0, 0, 9, "DC" }, /* 17 */ - {0x55, 65, 1, 0, "X.500" }, /* 18 */ - { 0x04, 37, 1, 1, "X.509" }, /* 19 */ + {0x55, 66, 1, 0, "X.500" }, /* 18 */ + { 0x04, 38, 1, 1, "X.509" }, /* 19 */ { 0x03, 21, 0, 2, "CN" }, /* 20 */ { 0x04, 22, 0, 2, "S" }, /* 21 */ { 0x05, 23, 0, 2, "SN" }, /* 22 */ @@ -46,446 +46,447 @@ const oid_t oid_names[] = { { 0x2B, 34, 0, 2, "I" }, /* 33 */ { 0x2D, 35, 0, 2, "ID" }, /* 34 */ { 0x2E, 36, 0, 2, "dnQualifier" }, /* 35 */ - { 0x48, 0, 0, 2, "role" }, /* 36 */ - { 0x1D, 0, 1, 1, "id-ce" }, /* 37 */ - { 0x09, 39, 0, 2, "subjectDirectoryAttrs" }, /* 38 */ - { 0x0E, 40, 0, 2, "subjectKeyIdentifier" }, /* 39 */ - { 0x0F, 41, 0, 2, "keyUsage" }, /* 40 */ - { 0x10, 42, 0, 2, "privateKeyUsagePeriod" }, /* 41 */ - { 0x11, 43, 0, 2, "subjectAltName" }, /* 42 */ - { 0x12, 44, 0, 2, "issuerAltName" }, /* 43 */ - { 0x13, 45, 0, 2, "basicConstraints" }, /* 44 */ - { 0x14, 46, 0, 2, "crlNumber" }, /* 45 */ - { 0x15, 47, 0, 2, "reasonCode" }, /* 46 */ - { 0x17, 48, 0, 2, "holdInstructionCode" }, /* 47 */ - { 0x18, 49, 0, 2, "invalidityDate" }, /* 48 */ - { 0x1B, 50, 0, 2, "deltaCrlIndicator" }, /* 49 */ - { 0x1C, 51, 0, 2, "issuingDistributionPoint" }, /* 50 */ - { 0x1D, 52, 0, 2, "certificateIssuer" }, /* 51 */ - { 0x1E, 53, 0, 2, "nameConstraints" }, /* 52 */ - { 0x1F, 54, 0, 2, "crlDistributionPoints" }, /* 53 */ - { 0x20, 56, 1, 2, "certificatePolicies" }, /* 54 */ - { 0x00, 0, 0, 3, "anyPolicy" }, /* 55 */ - { 0x21, 57, 0, 2, "policyMappings" }, /* 56 */ - { 0x23, 58, 0, 2, "authorityKeyIdentifier" }, /* 57 */ - { 0x24, 59, 0, 2, "policyConstraints" }, /* 58 */ - { 0x25, 61, 1, 2, "extendedKeyUsage" }, /* 59 */ - { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 60 */ - { 0x2E, 62, 0, 2, "freshestCRL" }, /* 61 */ - { 0x36, 63, 0, 2, "inhibitAnyPolicy" }, /* 62 */ - { 0x37, 64, 0, 2, "targetInformation" }, /* 63 */ - { 0x38, 0, 0, 2, "noRevAvail" }, /* 64 */ - {0x2A, 189, 1, 0, "" }, /* 65 */ - { 0x83, 78, 1, 1, "" }, /* 66 */ - { 0x08, 0, 1, 2, "jp" }, /* 67 */ - { 0x8C, 0, 1, 3, "" }, /* 68 */ - { 0x9A, 0, 1, 4, "" }, /* 69 */ - { 0x4B, 0, 1, 5, "" }, /* 70 */ - { 0x3D, 0, 1, 6, "" }, /* 71 */ - { 0x01, 0, 1, 7, "security" }, /* 72 */ - { 0x01, 0, 1, 8, "algorithm" }, /* 73 */ - { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 74 */ - { 0x02, 76, 0, 10, "camellia128-cbc" }, /* 75 */ - { 0x03, 77, 0, 10, "camellia192-cbc" }, /* 76 */ - { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 77 */ - { 0x86, 0, 1, 1, "" }, /* 78 */ - { 0x48, 0, 1, 2, "us" }, /* 79 */ - { 0x86, 148, 1, 3, "" }, /* 80 */ - { 0xF6, 86, 1, 4, "" }, /* 81 */ - { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 82 */ - { 0x07, 0, 1, 6, "Entrust" }, /* 83 */ - { 0x41, 0, 1, 7, "nsn-ce" }, /* 84 */ - { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 85 */ - { 0xF7, 0, 1, 4, "" }, /* 86 */ - { 0x0D, 0, 1, 5, "RSADSI" }, /* 87 */ - { 0x01, 143, 1, 6, "PKCS" }, /* 88 */ - { 0x01, 101, 1, 7, "PKCS-1" }, /* 89 */ - { 0x01, 91, 0, 8, "rsaEncryption" }, /* 90 */ - { 0x02, 92, 0, 8, "md2WithRSAEncryption" }, /* 91 */ - { 0x04, 93, 0, 8, "md5WithRSAEncryption" }, /* 92 */ - { 0x05, 94, 0, 8, "sha-1WithRSAEncryption" }, /* 93 */ - { 0x07, 95, 0, 8, "id-RSAES-OAEP" }, /* 94 */ - { 0x08, 96, 0, 8, "id-mgf1" }, /* 95 */ - { 0x09, 97, 0, 8, "id-pSpecified" }, /* 96 */ - { 0x0B, 98, 0, 8, "sha256WithRSAEncryption" }, /* 97 */ - { 0x0C, 99, 0, 8, "sha384WithRSAEncryption" }, /* 98 */ - { 0x0D, 100, 0, 8, "sha512WithRSAEncryption" }, /* 99 */ - { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 100 */ - { 0x05, 106, 1, 7, "PKCS-5" }, /* 101 */ - { 0x03, 103, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 102 */ - { 0x0A, 104, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 103 */ - { 0x0C, 105, 0, 8, "id-PBKDF2" }, /* 104 */ - { 0x0D, 0, 0, 8, "id-PBES2" }, /* 105 */ - { 0x07, 113, 1, 7, "PKCS-7" }, /* 106 */ - { 0x01, 108, 0, 8, "data" }, /* 107 */ - { 0x02, 109, 0, 8, "signedData" }, /* 108 */ - { 0x03, 110, 0, 8, "envelopedData" }, /* 109 */ - { 0x04, 111, 0, 8, "signedAndEnvelopedData" }, /* 110 */ - { 0x05, 112, 0, 8, "digestedData" }, /* 111 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 112 */ - { 0x09, 127, 1, 7, "PKCS-9" }, /* 113 */ - { 0x01, 115, 0, 8, "E" }, /* 114 */ - { 0x02, 116, 0, 8, "unstructuredName" }, /* 115 */ - { 0x03, 117, 0, 8, "contentType" }, /* 116 */ - { 0x04, 118, 0, 8, "messageDigest" }, /* 117 */ - { 0x05, 119, 0, 8, "signingTime" }, /* 118 */ - { 0x06, 120, 0, 8, "counterSignature" }, /* 119 */ - { 0x07, 121, 0, 8, "challengePassword" }, /* 120 */ - { 0x08, 122, 0, 8, "unstructuredAddress" }, /* 121 */ - { 0x0E, 123, 0, 8, "extensionRequest" }, /* 122 */ - { 0x0F, 124, 0, 8, "S/MIME Capabilities" }, /* 123 */ - { 0x16, 0, 1, 8, "certTypes" }, /* 124 */ - { 0x01, 126, 0, 9, "X.509" }, /* 125 */ - { 0x02, 0, 0, 9, "SDSI" }, /* 126 */ - { 0x0c, 0, 1, 7, "PKCS-12" }, /* 127 */ - { 0x01, 135, 1, 8, "pbeIds" }, /* 128 */ - { 0x01, 130, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 129 */ - { 0x02, 131, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 130 */ - { 0x03, 132, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 131 */ - { 0x04, 133, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 132 */ - { 0x05, 134, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 133 */ - { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 134 */ - { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 135 */ - { 0x01, 0, 1, 9, "bagIds" }, /* 136 */ - { 0x01, 138, 0, 10, "keyBag" }, /* 137 */ - { 0x02, 139, 0, 10, "pkcs8ShroudedKeyBag" }, /* 138 */ - { 0x03, 140, 0, 10, "certBag" }, /* 139 */ - { 0x04, 141, 0, 10, "crlBag" }, /* 140 */ - { 0x05, 142, 0, 10, "secretBag" }, /* 141 */ - { 0x06, 0, 0, 10, "safeContentsBag" }, /* 142 */ - { 0x02, 146, 1, 6, "digestAlgorithm" }, /* 143 */ - { 0x02, 145, 0, 7, "md2" }, /* 144 */ - { 0x05, 0, 0, 7, "md5" }, /* 145 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 146 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 147 */ - { 0xCE, 0, 1, 3, "" }, /* 148 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 149 */ - { 0x02, 152, 1, 5, "id-publicKeyType" }, /* 150 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 151 */ - { 0x03, 182, 1, 5, "ellipticCurve" }, /* 152 */ - { 0x00, 174, 1, 6, "c-TwoCurve" }, /* 153 */ - { 0x01, 155, 0, 7, "c2pnb163v1" }, /* 154 */ - { 0x02, 156, 0, 7, "c2pnb163v2" }, /* 155 */ - { 0x03, 157, 0, 7, "c2pnb163v3" }, /* 156 */ - { 0x04, 158, 0, 7, "c2pnb176w1" }, /* 157 */ - { 0x05, 159, 0, 7, "c2tnb191v1" }, /* 158 */ - { 0x06, 160, 0, 7, "c2tnb191v2" }, /* 159 */ - { 0x07, 161, 0, 7, "c2tnb191v3" }, /* 160 */ - { 0x08, 162, 0, 7, "c2onb191v4" }, /* 161 */ - { 0x09, 163, 0, 7, "c2onb191v5" }, /* 162 */ - { 0x0A, 164, 0, 7, "c2pnb208w1" }, /* 163 */ - { 0x0B, 165, 0, 7, "c2tnb239v1" }, /* 164 */ - { 0x0C, 166, 0, 7, "c2tnb239v2" }, /* 165 */ - { 0x0D, 167, 0, 7, "c2tnb239v3" }, /* 166 */ - { 0x0E, 168, 0, 7, "c2onb239v4" }, /* 167 */ - { 0x0F, 169, 0, 7, "c2onb239v5" }, /* 168 */ - { 0x10, 170, 0, 7, "c2pnb272w1" }, /* 169 */ - { 0x11, 171, 0, 7, "c2pnb304w1" }, /* 170 */ - { 0x12, 172, 0, 7, "c2tnb359v1" }, /* 171 */ - { 0x13, 173, 0, 7, "c2pnb368w1" }, /* 172 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 173 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 174 */ - { 0x01, 176, 0, 7, "prime192v1" }, /* 175 */ - { 0x02, 177, 0, 7, "prime192v2" }, /* 176 */ - { 0x03, 178, 0, 7, "prime192v3" }, /* 177 */ - { 0x04, 179, 0, 7, "prime239v1" }, /* 178 */ - { 0x05, 180, 0, 7, "prime239v2" }, /* 179 */ - { 0x06, 181, 0, 7, "prime239v3" }, /* 180 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 181 */ - { 0x04, 0, 1, 5, "id-ecSigType" }, /* 182 */ - { 0x01, 184, 0, 6, "ecdsa-with-SHA1" }, /* 183 */ - { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 184 */ - { 0x01, 186, 0, 7, "ecdsa-with-SHA224" }, /* 185 */ - { 0x02, 187, 0, 7, "ecdsa-with-SHA256" }, /* 186 */ - { 0x03, 188, 0, 7, "ecdsa-with-SHA384" }, /* 187 */ - { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 188 */ - {0x2B, 416, 1, 0, "" }, /* 189 */ - { 0x06, 330, 1, 1, "dod" }, /* 190 */ - { 0x01, 0, 1, 2, "internet" }, /* 191 */ - { 0x04, 281, 1, 3, "private" }, /* 192 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 193 */ - { 0x82, 231, 1, 5, "" }, /* 194 */ - { 0x37, 207, 1, 6, "Microsoft" }, /* 195 */ - { 0x0A, 200, 1, 7, "" }, /* 196 */ - { 0x03, 0, 1, 8, "" }, /* 197 */ - { 0x03, 199, 0, 9, "msSGC" }, /* 198 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 199 */ - { 0x14, 204, 1, 7, "msEnrollmentInfrastructure" }, /* 200 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 201 */ - { 0x02, 203, 0, 9, "msSmartcardLogon" }, /* 202 */ - { 0x03, 0, 0, 9, "msUPN" }, /* 203 */ - { 0x15, 0, 1, 7, "msCertSrvInfrastructure" }, /* 204 */ - { 0x07, 206, 0, 8, "msCertTemplate" }, /* 205 */ - { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 206 */ - { 0xA0, 0, 1, 6, "" }, /* 207 */ - { 0x2A, 0, 1, 7, "ITA" }, /* 208 */ - { 0x01, 210, 0, 8, "strongSwan" }, /* 209 */ - { 0x02, 211, 0, 8, "cps" }, /* 210 */ - { 0x03, 212, 0, 8, "e-voting" }, /* 211 */ - { 0x05, 0, 1, 8, "BLISS" }, /* 212 */ - { 0x01, 215, 1, 9, "keyType" }, /* 213 */ - { 0x01, 0, 0, 10, "blissPublicKey" }, /* 214 */ - { 0x02, 224, 1, 9, "parameters" }, /* 215 */ - { 0x01, 217, 0, 10, "BLISS-I" }, /* 216 */ - { 0x02, 218, 0, 10, "BLISS-II" }, /* 217 */ - { 0x03, 219, 0, 10, "BLISS-III" }, /* 218 */ - { 0x04, 220, 0, 10, "BLISS-IV" }, /* 219 */ - { 0x05, 221, 0, 10, "BLISS-B-I" }, /* 220 */ - { 0x06, 222, 0, 10, "BLISS-B-II" }, /* 221 */ - { 0x07, 223, 0, 10, "BLISS-B-III" }, /* 222 */ - { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 223 */ - { 0x03, 0, 1, 9, "blissSigType" }, /* 224 */ - { 0x01, 226, 0, 10, "BLISS-with-SHA2-512" }, /* 225 */ - { 0x02, 227, 0, 10, "BLISS-with-SHA2-384" }, /* 226 */ - { 0x03, 228, 0, 10, "BLISS-with-SHA2-256" }, /* 227 */ - { 0x04, 229, 0, 10, "BLISS-with-SHA3-512" }, /* 228 */ - { 0x05, 230, 0, 10, "BLISS-with-SHA3-384" }, /* 229 */ - { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 230 */ - { 0x89, 238, 1, 5, "" }, /* 231 */ - { 0x31, 0, 1, 6, "" }, /* 232 */ - { 0x01, 0, 1, 7, "" }, /* 233 */ - { 0x01, 0, 1, 8, "" }, /* 234 */ - { 0x02, 0, 1, 9, "" }, /* 235 */ - { 0x02, 0, 1, 10, "" }, /* 236 */ - { 0x4B, 0, 0, 11, "TCGID" }, /* 237 */ - { 0x97, 242, 1, 5, "" }, /* 238 */ - { 0x55, 0, 1, 6, "" }, /* 239 */ - { 0x01, 0, 1, 7, "" }, /* 240 */ - { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 241 */ - { 0xC1, 0, 1, 5, "" }, /* 242 */ - { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 243 */ - { 0x01, 0, 1, 7, "eess" }, /* 244 */ - { 0x01, 0, 1, 8, "eess1" }, /* 245 */ - { 0x01, 250, 1, 9, "eess1-algs" }, /* 246 */ - { 0x01, 248, 0, 10, "ntru-EESS1v1-SVES" }, /* 247 */ - { 0x02, 249, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 248 */ - { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 249 */ - { 0x02, 280, 1, 9, "eess1-params" }, /* 250 */ - { 0x01, 252, 0, 10, "ees251ep1" }, /* 251 */ - { 0x02, 253, 0, 10, "ees347ep1" }, /* 252 */ - { 0x03, 254, 0, 10, "ees503ep1" }, /* 253 */ - { 0x07, 255, 0, 10, "ees251sp2" }, /* 254 */ - { 0x0C, 256, 0, 10, "ees251ep4" }, /* 255 */ - { 0x0D, 257, 0, 10, "ees251ep5" }, /* 256 */ - { 0x0E, 258, 0, 10, "ees251sp3" }, /* 257 */ - { 0x0F, 259, 0, 10, "ees251sp4" }, /* 258 */ - { 0x10, 260, 0, 10, "ees251sp5" }, /* 259 */ - { 0x11, 261, 0, 10, "ees251sp6" }, /* 260 */ - { 0x12, 262, 0, 10, "ees251sp7" }, /* 261 */ - { 0x13, 263, 0, 10, "ees251sp8" }, /* 262 */ - { 0x14, 264, 0, 10, "ees251sp9" }, /* 263 */ - { 0x22, 265, 0, 10, "ees401ep1" }, /* 264 */ - { 0x23, 266, 0, 10, "ees449ep1" }, /* 265 */ - { 0x24, 267, 0, 10, "ees677ep1" }, /* 266 */ - { 0x25, 268, 0, 10, "ees1087ep2" }, /* 267 */ - { 0x26, 269, 0, 10, "ees541ep1" }, /* 268 */ - { 0x27, 270, 0, 10, "ees613ep1" }, /* 269 */ - { 0x28, 271, 0, 10, "ees887ep1" }, /* 270 */ - { 0x29, 272, 0, 10, "ees1171ep1" }, /* 271 */ - { 0x2A, 273, 0, 10, "ees659ep1" }, /* 272 */ - { 0x2B, 274, 0, 10, "ees761ep1" }, /* 273 */ - { 0x2C, 275, 0, 10, "ees1087ep1" }, /* 274 */ - { 0x2D, 276, 0, 10, "ees1499ep1" }, /* 275 */ - { 0x2E, 277, 0, 10, "ees401ep2" }, /* 276 */ - { 0x2F, 278, 0, 10, "ees439ep1" }, /* 277 */ - { 0x30, 279, 0, 10, "ees593ep1" }, /* 278 */ - { 0x31, 0, 0, 10, "ees743ep1" }, /* 279 */ - { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 280 */ - { 0x05, 0, 1, 3, "security" }, /* 281 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 282 */ - { 0x07, 327, 1, 5, "id-pkix" }, /* 283 */ - { 0x01, 288, 1, 6, "id-pe" }, /* 284 */ - { 0x01, 286, 0, 7, "authorityInfoAccess" }, /* 285 */ - { 0x03, 287, 0, 7, "qcStatements" }, /* 286 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 287 */ - { 0x02, 291, 1, 6, "id-qt" }, /* 288 */ - { 0x01, 290, 0, 7, "cps" }, /* 289 */ - { 0x02, 0, 0, 7, "unotice" }, /* 290 */ - { 0x03, 301, 1, 6, "id-kp" }, /* 291 */ - { 0x01, 293, 0, 7, "serverAuth" }, /* 292 */ - { 0x02, 294, 0, 7, "clientAuth" }, /* 293 */ - { 0x03, 295, 0, 7, "codeSigning" }, /* 294 */ - { 0x04, 296, 0, 7, "emailProtection" }, /* 295 */ - { 0x05, 297, 0, 7, "ipsecEndSystem" }, /* 296 */ - { 0x06, 298, 0, 7, "ipsecTunnel" }, /* 297 */ - { 0x07, 299, 0, 7, "ipsecUser" }, /* 298 */ - { 0x08, 300, 0, 7, "timeStamping" }, /* 299 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 300 */ - { 0x08, 309, 1, 6, "id-otherNames" }, /* 301 */ - { 0x01, 303, 0, 7, "personalData" }, /* 302 */ - { 0x02, 304, 0, 7, "userGroup" }, /* 303 */ - { 0x03, 305, 0, 7, "id-on-permanentIdentifier" }, /* 304 */ - { 0x04, 306, 0, 7, "id-on-hardwareModuleName" }, /* 305 */ - { 0x05, 307, 0, 7, "xmppAddr" }, /* 306 */ - { 0x06, 308, 0, 7, "id-on-SIM" }, /* 307 */ - { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 308 */ - { 0x0A, 314, 1, 6, "id-aca" }, /* 309 */ - { 0x01, 311, 0, 7, "authenticationInfo" }, /* 310 */ - { 0x02, 312, 0, 7, "accessIdentity" }, /* 311 */ - { 0x03, 313, 0, 7, "chargingIdentity" }, /* 312 */ - { 0x04, 0, 0, 7, "group" }, /* 313 */ - { 0x0B, 315, 0, 6, "subjectInfoAccess" }, /* 314 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 315 */ - { 0x01, 324, 1, 7, "ocsp" }, /* 316 */ - { 0x01, 318, 0, 8, "basic" }, /* 317 */ - { 0x02, 319, 0, 8, "nonce" }, /* 318 */ - { 0x03, 320, 0, 8, "crl" }, /* 319 */ - { 0x04, 321, 0, 8, "response" }, /* 320 */ - { 0x05, 322, 0, 8, "noCheck" }, /* 321 */ - { 0x06, 323, 0, 8, "archiveCutoff" }, /* 322 */ - { 0x07, 0, 0, 8, "serviceLocator" }, /* 323 */ - { 0x02, 325, 0, 7, "caIssuers" }, /* 324 */ - { 0x03, 326, 0, 7, "timeStamping" }, /* 325 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 326 */ - { 0x08, 0, 1, 5, "ipsec" }, /* 327 */ - { 0x02, 0, 1, 6, "certificate" }, /* 328 */ - { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 329 */ - { 0x0E, 336, 1, 1, "oiw" }, /* 330 */ - { 0x03, 0, 1, 2, "secsig" }, /* 331 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 332 */ - { 0x07, 334, 0, 4, "des-cbc" }, /* 333 */ - { 0x1A, 335, 0, 4, "sha-1" }, /* 334 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 335 */ - { 0x24, 382, 1, 1, "TeleTrusT" }, /* 336 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 337 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 338 */ - { 0x01, 343, 1, 4, "rsaSignature" }, /* 339 */ - { 0x02, 341, 0, 5, "rsaSigWithripemd160" }, /* 340 */ - { 0x03, 342, 0, 5, "rsaSigWithripemd128" }, /* 341 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 342 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 343 */ - { 0x01, 345, 0, 5, "ecSignWithsha1" }, /* 344 */ - { 0x02, 346, 0, 5, "ecSignWithripemd160" }, /* 345 */ - { 0x03, 347, 0, 5, "ecSignWithmd2" }, /* 346 */ - { 0x04, 348, 0, 5, "ecSignWithmd5" }, /* 347 */ - { 0x05, 365, 1, 5, "ttt-ecg" }, /* 348 */ - { 0x01, 353, 1, 6, "fieldType" }, /* 349 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 350 */ - { 0x01, 0, 1, 8, "basisType" }, /* 351 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 352 */ - { 0x02, 355, 1, 6, "keyType" }, /* 353 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 354 */ - { 0x03, 356, 0, 6, "curve" }, /* 355 */ - { 0x04, 363, 1, 6, "signatures" }, /* 356 */ - { 0x01, 358, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 357 */ - { 0x02, 359, 0, 7, "ecgdsa-with-SHA1" }, /* 358 */ - { 0x03, 360, 0, 7, "ecgdsa-with-SHA224" }, /* 359 */ - { 0x04, 361, 0, 7, "ecgdsa-with-SHA256" }, /* 360 */ - { 0x05, 362, 0, 7, "ecgdsa-with-SHA384" }, /* 361 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 362 */ - { 0x05, 0, 1, 6, "module" }, /* 363 */ - { 0x01, 0, 0, 7, "1" }, /* 364 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 365 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 366 */ - { 0x01, 0, 1, 7, "versionOne" }, /* 367 */ - { 0x01, 369, 0, 8, "brainpoolP160r1" }, /* 368 */ - { 0x02, 370, 0, 8, "brainpoolP160t1" }, /* 369 */ - { 0x03, 371, 0, 8, "brainpoolP192r1" }, /* 370 */ - { 0x04, 372, 0, 8, "brainpoolP192t1" }, /* 371 */ - { 0x05, 373, 0, 8, "brainpoolP224r1" }, /* 372 */ - { 0x06, 374, 0, 8, "brainpoolP224t1" }, /* 373 */ - { 0x07, 375, 0, 8, "brainpoolP256r1" }, /* 374 */ - { 0x08, 376, 0, 8, "brainpoolP256t1" }, /* 375 */ - { 0x09, 377, 0, 8, "brainpoolP320r1" }, /* 376 */ - { 0x0A, 378, 0, 8, "brainpoolP320t1" }, /* 377 */ - { 0x0B, 379, 0, 8, "brainpoolP384r1" }, /* 378 */ - { 0x0C, 380, 0, 8, "brainpoolP384t1" }, /* 379 */ - { 0x0D, 381, 0, 8, "brainpoolP512r1" }, /* 380 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 381 */ - { 0x81, 0, 1, 1, "" }, /* 382 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 383 */ - { 0x00, 0, 1, 3, "curve" }, /* 384 */ - { 0x01, 386, 0, 4, "sect163k1" }, /* 385 */ - { 0x02, 387, 0, 4, "sect163r1" }, /* 386 */ - { 0x03, 388, 0, 4, "sect239k1" }, /* 387 */ - { 0x04, 389, 0, 4, "sect113r1" }, /* 388 */ - { 0x05, 390, 0, 4, "sect113r2" }, /* 389 */ - { 0x06, 391, 0, 4, "secp112r1" }, /* 390 */ - { 0x07, 392, 0, 4, "secp112r2" }, /* 391 */ - { 0x08, 393, 0, 4, "secp160r1" }, /* 392 */ - { 0x09, 394, 0, 4, "secp160k1" }, /* 393 */ - { 0x0A, 395, 0, 4, "secp256k1" }, /* 394 */ - { 0x0F, 396, 0, 4, "sect163r2" }, /* 395 */ - { 0x10, 397, 0, 4, "sect283k1" }, /* 396 */ - { 0x11, 398, 0, 4, "sect283r1" }, /* 397 */ - { 0x16, 399, 0, 4, "sect131r1" }, /* 398 */ - { 0x17, 400, 0, 4, "sect131r2" }, /* 399 */ - { 0x18, 401, 0, 4, "sect193r1" }, /* 400 */ - { 0x19, 402, 0, 4, "sect193r2" }, /* 401 */ - { 0x1A, 403, 0, 4, "sect233k1" }, /* 402 */ - { 0x1B, 404, 0, 4, "sect233r1" }, /* 403 */ - { 0x1C, 405, 0, 4, "secp128r1" }, /* 404 */ - { 0x1D, 406, 0, 4, "secp128r2" }, /* 405 */ - { 0x1E, 407, 0, 4, "secp160r2" }, /* 406 */ - { 0x1F, 408, 0, 4, "secp192k1" }, /* 407 */ - { 0x20, 409, 0, 4, "secp224k1" }, /* 408 */ - { 0x21, 410, 0, 4, "secp224r1" }, /* 409 */ - { 0x22, 411, 0, 4, "secp384r1" }, /* 410 */ - { 0x23, 412, 0, 4, "secp521r1" }, /* 411 */ - { 0x24, 413, 0, 4, "sect409k1" }, /* 412 */ - { 0x25, 414, 0, 4, "sect409r1" }, /* 413 */ - { 0x26, 415, 0, 4, "sect571k1" }, /* 414 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 415 */ - {0x60, 470, 1, 0, "" }, /* 416 */ - { 0x86, 0, 1, 1, "" }, /* 417 */ - { 0x48, 0, 1, 2, "" }, /* 418 */ - { 0x01, 0, 1, 3, "organization" }, /* 419 */ - { 0x65, 446, 1, 4, "gov" }, /* 420 */ - { 0x03, 0, 1, 5, "csor" }, /* 421 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 422 */ - { 0x01, 433, 1, 7, "aes" }, /* 423 */ - { 0x02, 425, 0, 8, "id-aes128-CBC" }, /* 424 */ - { 0x06, 426, 0, 8, "id-aes128-GCM" }, /* 425 */ - { 0x07, 427, 0, 8, "id-aes128-CCM" }, /* 426 */ - { 0x16, 428, 0, 8, "id-aes192-CBC" }, /* 427 */ - { 0x1A, 429, 0, 8, "id-aes192-GCM" }, /* 428 */ - { 0x1B, 430, 0, 8, "id-aes192-CCM" }, /* 429 */ - { 0x2A, 431, 0, 8, "id-aes256-CBC" }, /* 430 */ - { 0x2E, 432, 0, 8, "id-aes256-GCM" }, /* 431 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 432 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 433 */ - { 0x01, 435, 0, 8, "id-sha256" }, /* 434 */ - { 0x02, 436, 0, 8, "id-sha384" }, /* 435 */ - { 0x03, 437, 0, 8, "id-sha512" }, /* 436 */ - { 0x04, 438, 0, 8, "id-sha224" }, /* 437 */ - { 0x05, 439, 0, 8, "id-sha512-224" }, /* 438 */ - { 0x06, 440, 0, 8, "id-sha512-256" }, /* 439 */ - { 0x07, 441, 0, 8, "id-sha3-224" }, /* 440 */ - { 0x08, 442, 0, 8, "id-sha3-256" }, /* 441 */ - { 0x09, 443, 0, 8, "id-sha3-384" }, /* 442 */ - { 0x0A, 444, 0, 8, "id-sha3-512" }, /* 443 */ - { 0x0B, 445, 0, 8, "id-shake128" }, /* 444 */ - { 0x0C, 0, 0, 8, "id-shake256" }, /* 445 */ - { 0x86, 0, 1, 4, "" }, /* 446 */ - { 0xf8, 0, 1, 5, "" }, /* 447 */ - { 0x42, 460, 1, 6, "netscape" }, /* 448 */ - { 0x01, 455, 1, 7, "" }, /* 449 */ - { 0x01, 451, 0, 8, "nsCertType" }, /* 450 */ - { 0x03, 452, 0, 8, "nsRevocationUrl" }, /* 451 */ - { 0x04, 453, 0, 8, "nsCaRevocationUrl" }, /* 452 */ - { 0x08, 454, 0, 8, "nsCaPolicyUrl" }, /* 453 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 454 */ - { 0x03, 458, 1, 7, "directory" }, /* 455 */ - { 0x01, 0, 1, 8, "" }, /* 456 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 457 */ - { 0x04, 0, 1, 7, "policy" }, /* 458 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 459 */ - { 0x45, 0, 1, 6, "verisign" }, /* 460 */ - { 0x01, 0, 1, 7, "pki" }, /* 461 */ - { 0x09, 0, 1, 8, "attributes" }, /* 462 */ - { 0x02, 464, 0, 9, "messageType" }, /* 463 */ - { 0x03, 465, 0, 9, "pkiStatus" }, /* 464 */ - { 0x04, 466, 0, 9, "failInfo" }, /* 465 */ - { 0x05, 467, 0, 9, "senderNonce" }, /* 466 */ - { 0x06, 468, 0, 9, "recipientNonce" }, /* 467 */ - { 0x07, 469, 0, 9, "transID" }, /* 468 */ - { 0x08, 0, 0, 9, "extensionReq" }, /* 469 */ - {0x67, 0, 1, 0, "" }, /* 470 */ - { 0x81, 0, 1, 1, "" }, /* 471 */ - { 0x05, 0, 1, 2, "" }, /* 472 */ - { 0x02, 0, 1, 3, "tcg-attribute" }, /* 473 */ - { 0x01, 475, 0, 4, "tcg-at-tpmManufacturer" }, /* 474 */ - { 0x02, 476, 0, 4, "tcg-at-tpmModel" }, /* 475 */ - { 0x03, 477, 0, 4, "tcg-at-tpmVersion" }, /* 476 */ - { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 477 */ + { 0x41, 37, 0, 2, "pseudonym" }, /* 36 */ + { 0x48, 0, 0, 2, "role" }, /* 37 */ + { 0x1D, 0, 1, 1, "id-ce" }, /* 38 */ + { 0x09, 40, 0, 2, "subjectDirectoryAttrs" }, /* 39 */ + { 0x0E, 41, 0, 2, "subjectKeyIdentifier" }, /* 40 */ + { 0x0F, 42, 0, 2, "keyUsage" }, /* 41 */ + { 0x10, 43, 0, 2, "privateKeyUsagePeriod" }, /* 42 */ + { 0x11, 44, 0, 2, "subjectAltName" }, /* 43 */ + { 0x12, 45, 0, 2, "issuerAltName" }, /* 44 */ + { 0x13, 46, 0, 2, "basicConstraints" }, /* 45 */ + { 0x14, 47, 0, 2, "crlNumber" }, /* 46 */ + { 0x15, 48, 0, 2, "reasonCode" }, /* 47 */ + { 0x17, 49, 0, 2, "holdInstructionCode" }, /* 48 */ + { 0x18, 50, 0, 2, "invalidityDate" }, /* 49 */ + { 0x1B, 51, 0, 2, "deltaCrlIndicator" }, /* 50 */ + { 0x1C, 52, 0, 2, "issuingDistributionPoint" }, /* 51 */ + { 0x1D, 53, 0, 2, "certificateIssuer" }, /* 52 */ + { 0x1E, 54, 0, 2, "nameConstraints" }, /* 53 */ + { 0x1F, 55, 0, 2, "crlDistributionPoints" }, /* 54 */ + { 0x20, 57, 1, 2, "certificatePolicies" }, /* 55 */ + { 0x00, 0, 0, 3, "anyPolicy" }, /* 56 */ + { 0x21, 58, 0, 2, "policyMappings" }, /* 57 */ + { 0x23, 59, 0, 2, "authorityKeyIdentifier" }, /* 58 */ + { 0x24, 60, 0, 2, "policyConstraints" }, /* 59 */ + { 0x25, 62, 1, 2, "extendedKeyUsage" }, /* 60 */ + { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 61 */ + { 0x2E, 63, 0, 2, "freshestCRL" }, /* 62 */ + { 0x36, 64, 0, 2, "inhibitAnyPolicy" }, /* 63 */ + { 0x37, 65, 0, 2, "targetInformation" }, /* 64 */ + { 0x38, 0, 0, 2, "noRevAvail" }, /* 65 */ + {0x2A, 190, 1, 0, "" }, /* 66 */ + { 0x83, 79, 1, 1, "" }, /* 67 */ + { 0x08, 0, 1, 2, "jp" }, /* 68 */ + { 0x8C, 0, 1, 3, "" }, /* 69 */ + { 0x9A, 0, 1, 4, "" }, /* 70 */ + { 0x4B, 0, 1, 5, "" }, /* 71 */ + { 0x3D, 0, 1, 6, "" }, /* 72 */ + { 0x01, 0, 1, 7, "security" }, /* 73 */ + { 0x01, 0, 1, 8, "algorithm" }, /* 74 */ + { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 75 */ + { 0x02, 77, 0, 10, "camellia128-cbc" }, /* 76 */ + { 0x03, 78, 0, 10, "camellia192-cbc" }, /* 77 */ + { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 78 */ + { 0x86, 0, 1, 1, "" }, /* 79 */ + { 0x48, 0, 1, 2, "us" }, /* 80 */ + { 0x86, 149, 1, 3, "" }, /* 81 */ + { 0xF6, 87, 1, 4, "" }, /* 82 */ + { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 83 */ + { 0x07, 0, 1, 6, "Entrust" }, /* 84 */ + { 0x41, 0, 1, 7, "nsn-ce" }, /* 85 */ + { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 86 */ + { 0xF7, 0, 1, 4, "" }, /* 87 */ + { 0x0D, 0, 1, 5, "RSADSI" }, /* 88 */ + { 0x01, 144, 1, 6, "PKCS" }, /* 89 */ + { 0x01, 102, 1, 7, "PKCS-1" }, /* 90 */ + { 0x01, 92, 0, 8, "rsaEncryption" }, /* 91 */ + { 0x02, 93, 0, 8, "md2WithRSAEncryption" }, /* 92 */ + { 0x04, 94, 0, 8, "md5WithRSAEncryption" }, /* 93 */ + { 0x05, 95, 0, 8, "sha-1WithRSAEncryption" }, /* 94 */ + { 0x07, 96, 0, 8, "id-RSAES-OAEP" }, /* 95 */ + { 0x08, 97, 0, 8, "id-mgf1" }, /* 96 */ + { 0x09, 98, 0, 8, "id-pSpecified" }, /* 97 */ + { 0x0B, 99, 0, 8, "sha256WithRSAEncryption" }, /* 98 */ + { 0x0C, 100, 0, 8, "sha384WithRSAEncryption" }, /* 99 */ + { 0x0D, 101, 0, 8, "sha512WithRSAEncryption" }, /* 100 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 101 */ + { 0x05, 107, 1, 7, "PKCS-5" }, /* 102 */ + { 0x03, 104, 0, 8, "pbeWithMD5AndDES-CBC" }, /* 103 */ + { 0x0A, 105, 0, 8, "pbeWithSHA1AndDES-CBC" }, /* 104 */ + { 0x0C, 106, 0, 8, "id-PBKDF2" }, /* 105 */ + { 0x0D, 0, 0, 8, "id-PBES2" }, /* 106 */ + { 0x07, 114, 1, 7, "PKCS-7" }, /* 107 */ + { 0x01, 109, 0, 8, "data" }, /* 108 */ + { 0x02, 110, 0, 8, "signedData" }, /* 109 */ + { 0x03, 111, 0, 8, "envelopedData" }, /* 110 */ + { 0x04, 112, 0, 8, "signedAndEnvelopedData" }, /* 111 */ + { 0x05, 113, 0, 8, "digestedData" }, /* 112 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 113 */ + { 0x09, 128, 1, 7, "PKCS-9" }, /* 114 */ + { 0x01, 116, 0, 8, "E" }, /* 115 */ + { 0x02, 117, 0, 8, "unstructuredName" }, /* 116 */ + { 0x03, 118, 0, 8, "contentType" }, /* 117 */ + { 0x04, 119, 0, 8, "messageDigest" }, /* 118 */ + { 0x05, 120, 0, 8, "signingTime" }, /* 119 */ + { 0x06, 121, 0, 8, "counterSignature" }, /* 120 */ + { 0x07, 122, 0, 8, "challengePassword" }, /* 121 */ + { 0x08, 123, 0, 8, "unstructuredAddress" }, /* 122 */ + { 0x0E, 124, 0, 8, "extensionRequest" }, /* 123 */ + { 0x0F, 125, 0, 8, "S/MIME Capabilities" }, /* 124 */ + { 0x16, 0, 1, 8, "certTypes" }, /* 125 */ + { 0x01, 127, 0, 9, "X.509" }, /* 126 */ + { 0x02, 0, 0, 9, "SDSI" }, /* 127 */ + { 0x0c, 0, 1, 7, "PKCS-12" }, /* 128 */ + { 0x01, 136, 1, 8, "pbeIds" }, /* 129 */ + { 0x01, 131, 0, 9, "pbeWithSHAAnd128BitRC4" }, /* 130 */ + { 0x02, 132, 0, 9, "pbeWithSHAAnd40BitRC4" }, /* 131 */ + { 0x03, 133, 0, 9, "pbeWithSHAAnd3-KeyTripleDES-CBC"}, /* 132 */ + { 0x04, 134, 0, 9, "pbeWithSHAAnd2-KeyTripleDES-CBC"}, /* 133 */ + { 0x05, 135, 0, 9, "pbeWithSHAAnd128BitRC2-CBC" }, /* 134 */ + { 0x06, 0, 0, 9, "pbeWithSHAAnd40BitRC2-CBC" }, /* 135 */ + { 0x0a, 0, 1, 8, "PKCS-12v1" }, /* 136 */ + { 0x01, 0, 1, 9, "bagIds" }, /* 137 */ + { 0x01, 139, 0, 10, "keyBag" }, /* 138 */ + { 0x02, 140, 0, 10, "pkcs8ShroudedKeyBag" }, /* 139 */ + { 0x03, 141, 0, 10, "certBag" }, /* 140 */ + { 0x04, 142, 0, 10, "crlBag" }, /* 141 */ + { 0x05, 143, 0, 10, "secretBag" }, /* 142 */ + { 0x06, 0, 0, 10, "safeContentsBag" }, /* 143 */ + { 0x02, 147, 1, 6, "digestAlgorithm" }, /* 144 */ + { 0x02, 146, 0, 7, "md2" }, /* 145 */ + { 0x05, 0, 0, 7, "md5" }, /* 146 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 147 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 148 */ + { 0xCE, 0, 1, 3, "" }, /* 149 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 150 */ + { 0x02, 153, 1, 5, "id-publicKeyType" }, /* 151 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 152 */ + { 0x03, 183, 1, 5, "ellipticCurve" }, /* 153 */ + { 0x00, 175, 1, 6, "c-TwoCurve" }, /* 154 */ + { 0x01, 156, 0, 7, "c2pnb163v1" }, /* 155 */ + { 0x02, 157, 0, 7, "c2pnb163v2" }, /* 156 */ + { 0x03, 158, 0, 7, "c2pnb163v3" }, /* 157 */ + { 0x04, 159, 0, 7, "c2pnb176w1" }, /* 158 */ + { 0x05, 160, 0, 7, "c2tnb191v1" }, /* 159 */ + { 0x06, 161, 0, 7, "c2tnb191v2" }, /* 160 */ + { 0x07, 162, 0, 7, "c2tnb191v3" }, /* 161 */ + { 0x08, 163, 0, 7, "c2onb191v4" }, /* 162 */ + { 0x09, 164, 0, 7, "c2onb191v5" }, /* 163 */ + { 0x0A, 165, 0, 7, "c2pnb208w1" }, /* 164 */ + { 0x0B, 166, 0, 7, "c2tnb239v1" }, /* 165 */ + { 0x0C, 167, 0, 7, "c2tnb239v2" }, /* 166 */ + { 0x0D, 168, 0, 7, "c2tnb239v3" }, /* 167 */ + { 0x0E, 169, 0, 7, "c2onb239v4" }, /* 168 */ + { 0x0F, 170, 0, 7, "c2onb239v5" }, /* 169 */ + { 0x10, 171, 0, 7, "c2pnb272w1" }, /* 170 */ + { 0x11, 172, 0, 7, "c2pnb304w1" }, /* 171 */ + { 0x12, 173, 0, 7, "c2tnb359v1" }, /* 172 */ + { 0x13, 174, 0, 7, "c2pnb368w1" }, /* 173 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 174 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 175 */ + { 0x01, 177, 0, 7, "prime192v1" }, /* 176 */ + { 0x02, 178, 0, 7, "prime192v2" }, /* 177 */ + { 0x03, 179, 0, 7, "prime192v3" }, /* 178 */ + { 0x04, 180, 0, 7, "prime239v1" }, /* 179 */ + { 0x05, 181, 0, 7, "prime239v2" }, /* 180 */ + { 0x06, 182, 0, 7, "prime239v3" }, /* 181 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 182 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 183 */ + { 0x01, 185, 0, 6, "ecdsa-with-SHA1" }, /* 184 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 185 */ + { 0x01, 187, 0, 7, "ecdsa-with-SHA224" }, /* 186 */ + { 0x02, 188, 0, 7, "ecdsa-with-SHA256" }, /* 187 */ + { 0x03, 189, 0, 7, "ecdsa-with-SHA384" }, /* 188 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 189 */ + {0x2B, 417, 1, 0, "" }, /* 190 */ + { 0x06, 331, 1, 1, "dod" }, /* 191 */ + { 0x01, 0, 1, 2, "internet" }, /* 192 */ + { 0x04, 282, 1, 3, "private" }, /* 193 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 194 */ + { 0x82, 232, 1, 5, "" }, /* 195 */ + { 0x37, 208, 1, 6, "Microsoft" }, /* 196 */ + { 0x0A, 201, 1, 7, "" }, /* 197 */ + { 0x03, 0, 1, 8, "" }, /* 198 */ + { 0x03, 200, 0, 9, "msSGC" }, /* 199 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 200 */ + { 0x14, 205, 1, 7, "msEnrollmentInfrastructure" }, /* 201 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension" }, /* 202 */ + { 0x02, 204, 0, 9, "msSmartcardLogon" }, /* 203 */ + { 0x03, 0, 0, 9, "msUPN" }, /* 204 */ + { 0x15, 0, 1, 7, "msCertSrvInfrastructure" }, /* 205 */ + { 0x07, 207, 0, 8, "msCertTemplate" }, /* 206 */ + { 0x0A, 0, 0, 8, "msApplicationCertPolicies" }, /* 207 */ + { 0xA0, 0, 1, 6, "" }, /* 208 */ + { 0x2A, 0, 1, 7, "ITA" }, /* 209 */ + { 0x01, 211, 0, 8, "strongSwan" }, /* 210 */ + { 0x02, 212, 0, 8, "cps" }, /* 211 */ + { 0x03, 213, 0, 8, "e-voting" }, /* 212 */ + { 0x05, 0, 1, 8, "BLISS" }, /* 213 */ + { 0x01, 216, 1, 9, "keyType" }, /* 214 */ + { 0x01, 0, 0, 10, "blissPublicKey" }, /* 215 */ + { 0x02, 225, 1, 9, "parameters" }, /* 216 */ + { 0x01, 218, 0, 10, "BLISS-I" }, /* 217 */ + { 0x02, 219, 0, 10, "BLISS-II" }, /* 218 */ + { 0x03, 220, 0, 10, "BLISS-III" }, /* 219 */ + { 0x04, 221, 0, 10, "BLISS-IV" }, /* 220 */ + { 0x05, 222, 0, 10, "BLISS-B-I" }, /* 221 */ + { 0x06, 223, 0, 10, "BLISS-B-II" }, /* 222 */ + { 0x07, 224, 0, 10, "BLISS-B-III" }, /* 223 */ + { 0x08, 0, 0, 10, "BLISS-B-IV" }, /* 224 */ + { 0x03, 0, 1, 9, "blissSigType" }, /* 225 */ + { 0x01, 227, 0, 10, "BLISS-with-SHA2-512" }, /* 226 */ + { 0x02, 228, 0, 10, "BLISS-with-SHA2-384" }, /* 227 */ + { 0x03, 229, 0, 10, "BLISS-with-SHA2-256" }, /* 228 */ + { 0x04, 230, 0, 10, "BLISS-with-SHA3-512" }, /* 229 */ + { 0x05, 231, 0, 10, "BLISS-with-SHA3-384" }, /* 230 */ + { 0x06, 0, 0, 10, "BLISS-with-SHA3-256" }, /* 231 */ + { 0x89, 239, 1, 5, "" }, /* 232 */ + { 0x31, 0, 1, 6, "" }, /* 233 */ + { 0x01, 0, 1, 7, "" }, /* 234 */ + { 0x01, 0, 1, 8, "" }, /* 235 */ + { 0x02, 0, 1, 9, "" }, /* 236 */ + { 0x02, 0, 1, 10, "" }, /* 237 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 238 */ + { 0x97, 243, 1, 5, "" }, /* 239 */ + { 0x55, 0, 1, 6, "" }, /* 240 */ + { 0x01, 0, 1, 7, "" }, /* 241 */ + { 0x02, 0, 0, 8, "blowfish-cbc" }, /* 242 */ + { 0xC1, 0, 1, 5, "" }, /* 243 */ + { 0x16, 0, 1, 6, "ntruCryptosystems" }, /* 244 */ + { 0x01, 0, 1, 7, "eess" }, /* 245 */ + { 0x01, 0, 1, 8, "eess1" }, /* 246 */ + { 0x01, 251, 1, 9, "eess1-algs" }, /* 247 */ + { 0x01, 249, 0, 10, "ntru-EESS1v1-SVES" }, /* 248 */ + { 0x02, 250, 0, 10, "ntru-EESS1v1-SVSSA" }, /* 249 */ + { 0x03, 0, 0, 10, "ntru-EESS1v1-NTRUSign" }, /* 250 */ + { 0x02, 281, 1, 9, "eess1-params" }, /* 251 */ + { 0x01, 253, 0, 10, "ees251ep1" }, /* 252 */ + { 0x02, 254, 0, 10, "ees347ep1" }, /* 253 */ + { 0x03, 255, 0, 10, "ees503ep1" }, /* 254 */ + { 0x07, 256, 0, 10, "ees251sp2" }, /* 255 */ + { 0x0C, 257, 0, 10, "ees251ep4" }, /* 256 */ + { 0x0D, 258, 0, 10, "ees251ep5" }, /* 257 */ + { 0x0E, 259, 0, 10, "ees251sp3" }, /* 258 */ + { 0x0F, 260, 0, 10, "ees251sp4" }, /* 259 */ + { 0x10, 261, 0, 10, "ees251sp5" }, /* 260 */ + { 0x11, 262, 0, 10, "ees251sp6" }, /* 261 */ + { 0x12, 263, 0, 10, "ees251sp7" }, /* 262 */ + { 0x13, 264, 0, 10, "ees251sp8" }, /* 263 */ + { 0x14, 265, 0, 10, "ees251sp9" }, /* 264 */ + { 0x22, 266, 0, 10, "ees401ep1" }, /* 265 */ + { 0x23, 267, 0, 10, "ees449ep1" }, /* 266 */ + { 0x24, 268, 0, 10, "ees677ep1" }, /* 267 */ + { 0x25, 269, 0, 10, "ees1087ep2" }, /* 268 */ + { 0x26, 270, 0, 10, "ees541ep1" }, /* 269 */ + { 0x27, 271, 0, 10, "ees613ep1" }, /* 270 */ + { 0x28, 272, 0, 10, "ees887ep1" }, /* 271 */ + { 0x29, 273, 0, 10, "ees1171ep1" }, /* 272 */ + { 0x2A, 274, 0, 10, "ees659ep1" }, /* 273 */ + { 0x2B, 275, 0, 10, "ees761ep1" }, /* 274 */ + { 0x2C, 276, 0, 10, "ees1087ep1" }, /* 275 */ + { 0x2D, 277, 0, 10, "ees1499ep1" }, /* 276 */ + { 0x2E, 278, 0, 10, "ees401ep2" }, /* 277 */ + { 0x2F, 279, 0, 10, "ees439ep1" }, /* 278 */ + { 0x30, 280, 0, 10, "ees593ep1" }, /* 279 */ + { 0x31, 0, 0, 10, "ees743ep1" }, /* 280 */ + { 0x03, 0, 0, 9, "eess1-encodingMethods" }, /* 281 */ + { 0x05, 0, 1, 3, "security" }, /* 282 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 283 */ + { 0x07, 328, 1, 5, "id-pkix" }, /* 284 */ + { 0x01, 289, 1, 6, "id-pe" }, /* 285 */ + { 0x01, 287, 0, 7, "authorityInfoAccess" }, /* 286 */ + { 0x03, 288, 0, 7, "qcStatements" }, /* 287 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 288 */ + { 0x02, 292, 1, 6, "id-qt" }, /* 289 */ + { 0x01, 291, 0, 7, "cps" }, /* 290 */ + { 0x02, 0, 0, 7, "unotice" }, /* 291 */ + { 0x03, 302, 1, 6, "id-kp" }, /* 292 */ + { 0x01, 294, 0, 7, "serverAuth" }, /* 293 */ + { 0x02, 295, 0, 7, "clientAuth" }, /* 294 */ + { 0x03, 296, 0, 7, "codeSigning" }, /* 295 */ + { 0x04, 297, 0, 7, "emailProtection" }, /* 296 */ + { 0x05, 298, 0, 7, "ipsecEndSystem" }, /* 297 */ + { 0x06, 299, 0, 7, "ipsecTunnel" }, /* 298 */ + { 0x07, 300, 0, 7, "ipsecUser" }, /* 299 */ + { 0x08, 301, 0, 7, "timeStamping" }, /* 300 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 301 */ + { 0x08, 310, 1, 6, "id-otherNames" }, /* 302 */ + { 0x01, 304, 0, 7, "personalData" }, /* 303 */ + { 0x02, 305, 0, 7, "userGroup" }, /* 304 */ + { 0x03, 306, 0, 7, "id-on-permanentIdentifier" }, /* 305 */ + { 0x04, 307, 0, 7, "id-on-hardwareModuleName" }, /* 306 */ + { 0x05, 308, 0, 7, "xmppAddr" }, /* 307 */ + { 0x06, 309, 0, 7, "id-on-SIM" }, /* 308 */ + { 0x07, 0, 0, 7, "id-on-dnsSRV" }, /* 309 */ + { 0x0A, 315, 1, 6, "id-aca" }, /* 310 */ + { 0x01, 312, 0, 7, "authenticationInfo" }, /* 311 */ + { 0x02, 313, 0, 7, "accessIdentity" }, /* 312 */ + { 0x03, 314, 0, 7, "chargingIdentity" }, /* 313 */ + { 0x04, 0, 0, 7, "group" }, /* 314 */ + { 0x0B, 316, 0, 6, "subjectInfoAccess" }, /* 315 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 316 */ + { 0x01, 325, 1, 7, "ocsp" }, /* 317 */ + { 0x01, 319, 0, 8, "basic" }, /* 318 */ + { 0x02, 320, 0, 8, "nonce" }, /* 319 */ + { 0x03, 321, 0, 8, "crl" }, /* 320 */ + { 0x04, 322, 0, 8, "response" }, /* 321 */ + { 0x05, 323, 0, 8, "noCheck" }, /* 322 */ + { 0x06, 324, 0, 8, "archiveCutoff" }, /* 323 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 324 */ + { 0x02, 326, 0, 7, "caIssuers" }, /* 325 */ + { 0x03, 327, 0, 7, "timeStamping" }, /* 326 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 327 */ + { 0x08, 0, 1, 5, "ipsec" }, /* 328 */ + { 0x02, 0, 1, 6, "certificate" }, /* 329 */ + { 0x02, 0, 0, 7, "iKEIntermediate" }, /* 330 */ + { 0x0E, 337, 1, 1, "oiw" }, /* 331 */ + { 0x03, 0, 1, 2, "secsig" }, /* 332 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 333 */ + { 0x07, 335, 0, 4, "des-cbc" }, /* 334 */ + { 0x1A, 336, 0, 4, "sha-1" }, /* 335 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 336 */ + { 0x24, 383, 1, 1, "TeleTrusT" }, /* 337 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 338 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 339 */ + { 0x01, 344, 1, 4, "rsaSignature" }, /* 340 */ + { 0x02, 342, 0, 5, "rsaSigWithripemd160" }, /* 341 */ + { 0x03, 343, 0, 5, "rsaSigWithripemd128" }, /* 342 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 343 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 344 */ + { 0x01, 346, 0, 5, "ecSignWithsha1" }, /* 345 */ + { 0x02, 347, 0, 5, "ecSignWithripemd160" }, /* 346 */ + { 0x03, 348, 0, 5, "ecSignWithmd2" }, /* 347 */ + { 0x04, 349, 0, 5, "ecSignWithmd5" }, /* 348 */ + { 0x05, 366, 1, 5, "ttt-ecg" }, /* 349 */ + { 0x01, 354, 1, 6, "fieldType" }, /* 350 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 351 */ + { 0x01, 0, 1, 8, "basisType" }, /* 352 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 353 */ + { 0x02, 356, 1, 6, "keyType" }, /* 354 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 355 */ + { 0x03, 357, 0, 6, "curve" }, /* 356 */ + { 0x04, 364, 1, 6, "signatures" }, /* 357 */ + { 0x01, 359, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 358 */ + { 0x02, 360, 0, 7, "ecgdsa-with-SHA1" }, /* 359 */ + { 0x03, 361, 0, 7, "ecgdsa-with-SHA224" }, /* 360 */ + { 0x04, 362, 0, 7, "ecgdsa-with-SHA256" }, /* 361 */ + { 0x05, 363, 0, 7, "ecgdsa-with-SHA384" }, /* 362 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 363 */ + { 0x05, 0, 1, 6, "module" }, /* 364 */ + { 0x01, 0, 0, 7, "1" }, /* 365 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 366 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 367 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 368 */ + { 0x01, 370, 0, 8, "brainpoolP160r1" }, /* 369 */ + { 0x02, 371, 0, 8, "brainpoolP160t1" }, /* 370 */ + { 0x03, 372, 0, 8, "brainpoolP192r1" }, /* 371 */ + { 0x04, 373, 0, 8, "brainpoolP192t1" }, /* 372 */ + { 0x05, 374, 0, 8, "brainpoolP224r1" }, /* 373 */ + { 0x06, 375, 0, 8, "brainpoolP224t1" }, /* 374 */ + { 0x07, 376, 0, 8, "brainpoolP256r1" }, /* 375 */ + { 0x08, 377, 0, 8, "brainpoolP256t1" }, /* 376 */ + { 0x09, 378, 0, 8, "brainpoolP320r1" }, /* 377 */ + { 0x0A, 379, 0, 8, "brainpoolP320t1" }, /* 378 */ + { 0x0B, 380, 0, 8, "brainpoolP384r1" }, /* 379 */ + { 0x0C, 381, 0, 8, "brainpoolP384t1" }, /* 380 */ + { 0x0D, 382, 0, 8, "brainpoolP512r1" }, /* 381 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 382 */ + { 0x81, 0, 1, 1, "" }, /* 383 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 384 */ + { 0x00, 0, 1, 3, "curve" }, /* 385 */ + { 0x01, 387, 0, 4, "sect163k1" }, /* 386 */ + { 0x02, 388, 0, 4, "sect163r1" }, /* 387 */ + { 0x03, 389, 0, 4, "sect239k1" }, /* 388 */ + { 0x04, 390, 0, 4, "sect113r1" }, /* 389 */ + { 0x05, 391, 0, 4, "sect113r2" }, /* 390 */ + { 0x06, 392, 0, 4, "secp112r1" }, /* 391 */ + { 0x07, 393, 0, 4, "secp112r2" }, /* 392 */ + { 0x08, 394, 0, 4, "secp160r1" }, /* 393 */ + { 0x09, 395, 0, 4, "secp160k1" }, /* 394 */ + { 0x0A, 396, 0, 4, "secp256k1" }, /* 395 */ + { 0x0F, 397, 0, 4, "sect163r2" }, /* 396 */ + { 0x10, 398, 0, 4, "sect283k1" }, /* 397 */ + { 0x11, 399, 0, 4, "sect283r1" }, /* 398 */ + { 0x16, 400, 0, 4, "sect131r1" }, /* 399 */ + { 0x17, 401, 0, 4, "sect131r2" }, /* 400 */ + { 0x18, 402, 0, 4, "sect193r1" }, /* 401 */ + { 0x19, 403, 0, 4, "sect193r2" }, /* 402 */ + { 0x1A, 404, 0, 4, "sect233k1" }, /* 403 */ + { 0x1B, 405, 0, 4, "sect233r1" }, /* 404 */ + { 0x1C, 406, 0, 4, "secp128r1" }, /* 405 */ + { 0x1D, 407, 0, 4, "secp128r2" }, /* 406 */ + { 0x1E, 408, 0, 4, "secp160r2" }, /* 407 */ + { 0x1F, 409, 0, 4, "secp192k1" }, /* 408 */ + { 0x20, 410, 0, 4, "secp224k1" }, /* 409 */ + { 0x21, 411, 0, 4, "secp224r1" }, /* 410 */ + { 0x22, 412, 0, 4, "secp384r1" }, /* 411 */ + { 0x23, 413, 0, 4, "secp521r1" }, /* 412 */ + { 0x24, 414, 0, 4, "sect409k1" }, /* 413 */ + { 0x25, 415, 0, 4, "sect409r1" }, /* 414 */ + { 0x26, 416, 0, 4, "sect571k1" }, /* 415 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 416 */ + {0x60, 471, 1, 0, "" }, /* 417 */ + { 0x86, 0, 1, 1, "" }, /* 418 */ + { 0x48, 0, 1, 2, "" }, /* 419 */ + { 0x01, 0, 1, 3, "organization" }, /* 420 */ + { 0x65, 447, 1, 4, "gov" }, /* 421 */ + { 0x03, 0, 1, 5, "csor" }, /* 422 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 423 */ + { 0x01, 434, 1, 7, "aes" }, /* 424 */ + { 0x02, 426, 0, 8, "id-aes128-CBC" }, /* 425 */ + { 0x06, 427, 0, 8, "id-aes128-GCM" }, /* 426 */ + { 0x07, 428, 0, 8, "id-aes128-CCM" }, /* 427 */ + { 0x16, 429, 0, 8, "id-aes192-CBC" }, /* 428 */ + { 0x1A, 430, 0, 8, "id-aes192-GCM" }, /* 429 */ + { 0x1B, 431, 0, 8, "id-aes192-CCM" }, /* 430 */ + { 0x2A, 432, 0, 8, "id-aes256-CBC" }, /* 431 */ + { 0x2E, 433, 0, 8, "id-aes256-GCM" }, /* 432 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 433 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 434 */ + { 0x01, 436, 0, 8, "id-sha256" }, /* 435 */ + { 0x02, 437, 0, 8, "id-sha384" }, /* 436 */ + { 0x03, 438, 0, 8, "id-sha512" }, /* 437 */ + { 0x04, 439, 0, 8, "id-sha224" }, /* 438 */ + { 0x05, 440, 0, 8, "id-sha512-224" }, /* 439 */ + { 0x06, 441, 0, 8, "id-sha512-256" }, /* 440 */ + { 0x07, 442, 0, 8, "id-sha3-224" }, /* 441 */ + { 0x08, 443, 0, 8, "id-sha3-256" }, /* 442 */ + { 0x09, 444, 0, 8, "id-sha3-384" }, /* 443 */ + { 0x0A, 445, 0, 8, "id-sha3-512" }, /* 444 */ + { 0x0B, 446, 0, 8, "id-shake128" }, /* 445 */ + { 0x0C, 0, 0, 8, "id-shake256" }, /* 446 */ + { 0x86, 0, 1, 4, "" }, /* 447 */ + { 0xf8, 0, 1, 5, "" }, /* 448 */ + { 0x42, 461, 1, 6, "netscape" }, /* 449 */ + { 0x01, 456, 1, 7, "" }, /* 450 */ + { 0x01, 452, 0, 8, "nsCertType" }, /* 451 */ + { 0x03, 453, 0, 8, "nsRevocationUrl" }, /* 452 */ + { 0x04, 454, 0, 8, "nsCaRevocationUrl" }, /* 453 */ + { 0x08, 455, 0, 8, "nsCaPolicyUrl" }, /* 454 */ + { 0x0d, 0, 0, 8, "nsComment" }, /* 455 */ + { 0x03, 459, 1, 7, "directory" }, /* 456 */ + { 0x01, 0, 1, 8, "" }, /* 457 */ + { 0x03, 0, 0, 9, "employeeNumber" }, /* 458 */ + { 0x04, 0, 1, 7, "policy" }, /* 459 */ + { 0x01, 0, 0, 8, "nsSGC" }, /* 460 */ + { 0x45, 0, 1, 6, "verisign" }, /* 461 */ + { 0x01, 0, 1, 7, "pki" }, /* 462 */ + { 0x09, 0, 1, 8, "attributes" }, /* 463 */ + { 0x02, 465, 0, 9, "messageType" }, /* 464 */ + { 0x03, 466, 0, 9, "pkiStatus" }, /* 465 */ + { 0x04, 467, 0, 9, "failInfo" }, /* 466 */ + { 0x05, 468, 0, 9, "senderNonce" }, /* 467 */ + { 0x06, 469, 0, 9, "recipientNonce" }, /* 468 */ + { 0x07, 470, 0, 9, "transID" }, /* 469 */ + { 0x08, 0, 0, 9, "extensionReq" }, /* 470 */ + {0x67, 0, 1, 0, "" }, /* 471 */ + { 0x81, 0, 1, 1, "" }, /* 472 */ + { 0x05, 0, 1, 2, "" }, /* 473 */ + { 0x02, 0, 1, 3, "tcg-attribute" }, /* 474 */ + { 0x01, 476, 0, 4, "tcg-at-tpmManufacturer" }, /* 475 */ + { 0x02, 477, 0, 4, "tcg-at-tpmModel" }, /* 476 */ + { 0x03, 478, 0, 4, "tcg-at-tpmVersion" }, /* 477 */ + { 0x0F, 0, 0, 4, "tcg-at-tpmIdLabel" } /* 478 */ }; diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h index b9ed08d2e..1120156e5 100644 --- a/src/libstrongswan/asn1/oid.h +++ b/src/libstrongswan/asn1/oid.h @@ -40,220 +40,221 @@ extern const oid_t oid_names[]; #define OID_INITIALS 33 #define OID_UNIQUE_IDENTIFIER 34 #define OID_DN_QUALIFIER 35 -#define OID_ROLE 36 -#define OID_SUBJECT_KEY_ID 39 -#define OID_KEY_USAGE 40 -#define OID_SUBJECT_ALT_NAME 42 -#define OID_BASIC_CONSTRAINTS 44 -#define OID_CRL_NUMBER 45 -#define OID_CRL_REASON_CODE 46 -#define OID_DELTA_CRL_INDICATOR 49 -#define OID_ISSUING_DIST_POINT 50 -#define OID_NAME_CONSTRAINTS 52 -#define OID_CRL_DISTRIBUTION_POINTS 53 -#define OID_CERTIFICATE_POLICIES 54 -#define OID_ANY_POLICY 55 -#define OID_POLICY_MAPPINGS 56 -#define OID_AUTHORITY_KEY_ID 57 -#define OID_POLICY_CONSTRAINTS 58 -#define OID_EXTENDED_KEY_USAGE 59 -#define OID_FRESHEST_CRL 61 -#define OID_INHIBIT_ANY_POLICY 62 -#define OID_TARGET_INFORMATION 63 -#define OID_NO_REV_AVAIL 64 -#define OID_CAMELLIA128_CBC 75 -#define OID_CAMELLIA192_CBC 76 -#define OID_CAMELLIA256_CBC 77 -#define OID_RSA_ENCRYPTION 90 -#define OID_MD2_WITH_RSA 91 -#define OID_MD5_WITH_RSA 92 -#define OID_SHA1_WITH_RSA 93 -#define OID_RSAES_OAEP 94 -#define OID_SHA256_WITH_RSA 97 -#define OID_SHA384_WITH_RSA 98 -#define OID_SHA512_WITH_RSA 99 -#define OID_SHA224_WITH_RSA 100 -#define OID_PBE_MD5_DES_CBC 102 -#define OID_PBE_SHA1_DES_CBC 103 -#define OID_PBKDF2 104 -#define OID_PBES2 105 -#define OID_PKCS7_DATA 107 -#define OID_PKCS7_SIGNED_DATA 108 -#define OID_PKCS7_ENVELOPED_DATA 109 -#define OID_PKCS7_SIGNED_ENVELOPED_DATA 110 -#define OID_PKCS7_DIGESTED_DATA 111 -#define OID_PKCS7_ENCRYPTED_DATA 112 -#define OID_EMAIL_ADDRESS 114 -#define OID_UNSTRUCTURED_NAME 115 -#define OID_PKCS9_CONTENT_TYPE 116 -#define OID_PKCS9_MESSAGE_DIGEST 117 -#define OID_PKCS9_SIGNING_TIME 118 -#define OID_CHALLENGE_PASSWORD 120 -#define OID_UNSTRUCTURED_ADDRESS 121 -#define OID_EXTENSION_REQUEST 122 -#define OID_X509_CERTIFICATE 125 -#define OID_PBE_SHA1_RC4_128 129 -#define OID_PBE_SHA1_RC4_40 130 -#define OID_PBE_SHA1_3DES_CBC 131 -#define OID_PBE_SHA1_3DES_2KEY_CBC 132 -#define OID_PBE_SHA1_RC2_CBC_128 133 -#define OID_PBE_SHA1_RC2_CBC_40 134 -#define OID_P12_KEY_BAG 137 -#define OID_P12_PKCS8_KEY_BAG 138 -#define OID_P12_CERT_BAG 139 -#define OID_P12_CRL_BAG 140 -#define OID_MD2 144 -#define OID_MD5 145 -#define OID_3DES_EDE_CBC 147 -#define OID_EC_PUBLICKEY 151 -#define OID_C2PNB163V1 154 -#define OID_C2PNB163V2 155 -#define OID_C2PNB163V3 156 -#define OID_C2PNB176W1 157 -#define OID_C2PNB191V1 158 -#define OID_C2PNB191V2 159 -#define OID_C2PNB191V3 160 -#define OID_C2PNB191V4 161 -#define OID_C2PNB191V5 162 -#define OID_C2PNB208W1 163 -#define OID_C2PNB239V1 164 -#define OID_C2PNB239V2 165 -#define OID_C2PNB239V3 166 -#define OID_C2PNB239V4 167 -#define OID_C2PNB239V5 168 -#define OID_C2PNB272W1 169 -#define OID_C2PNB304W1 170 -#define OID_C2PNB359V1 171 -#define OID_C2PNB368W1 172 -#define OID_C2PNB431R1 173 -#define OID_PRIME192V1 175 -#define OID_PRIME192V2 176 -#define OID_PRIME192V3 177 -#define OID_PRIME239V1 178 -#define OID_PRIME239V2 179 -#define OID_PRIME239V3 180 -#define OID_PRIME256V1 181 -#define OID_ECDSA_WITH_SHA1 183 -#define OID_ECDSA_WITH_SHA224 185 -#define OID_ECDSA_WITH_SHA256 186 -#define OID_ECDSA_WITH_SHA384 187 -#define OID_ECDSA_WITH_SHA512 188 -#define OID_MS_SMARTCARD_LOGON 202 -#define OID_USER_PRINCIPAL_NAME 203 -#define OID_STRONGSWAN 209 -#define OID_BLISS_PUBLICKEY 214 -#define OID_BLISS_I 216 -#define OID_BLISS_II 217 -#define OID_BLISS_III 218 -#define OID_BLISS_IV 219 -#define OID_BLISS_B_I 220 -#define OID_BLISS_B_II 221 -#define OID_BLISS_B_III 222 -#define OID_BLISS_B_IV 223 -#define OID_BLISS_WITH_SHA2_512 225 -#define OID_BLISS_WITH_SHA2_384 226 -#define OID_BLISS_WITH_SHA2_256 227 -#define OID_BLISS_WITH_SHA3_512 228 -#define OID_BLISS_WITH_SHA3_384 229 -#define OID_BLISS_WITH_SHA3_256 230 -#define OID_TCGID 237 -#define OID_BLOWFISH_CBC 241 -#define OID_AUTHORITY_INFO_ACCESS 285 -#define OID_IP_ADDR_BLOCKS 287 -#define OID_POLICY_QUALIFIER_CPS 289 -#define OID_POLICY_QUALIFIER_UNOTICE 290 -#define OID_SERVER_AUTH 292 -#define OID_CLIENT_AUTH 293 -#define OID_OCSP_SIGNING 300 -#define OID_XMPP_ADDR 306 -#define OID_AUTHENTICATION_INFO 310 -#define OID_ACCESS_IDENTITY 311 -#define OID_CHARGING_IDENTITY 312 -#define OID_GROUP 313 -#define OID_OCSP 316 -#define OID_BASIC 317 -#define OID_NONCE 318 -#define OID_CRL 319 -#define OID_RESPONSE 320 -#define OID_NO_CHECK 321 -#define OID_ARCHIVE_CUTOFF 322 -#define OID_SERVICE_LOCATOR 323 -#define OID_CA_ISSUERS 324 -#define OID_IKE_INTERMEDIATE 329 -#define OID_DES_CBC 333 -#define OID_SHA1 334 -#define OID_SHA1_WITH_RSA_OIW 335 -#define OID_ECGDSA_PUBKEY 354 -#define OID_ECGDSA_SIG_WITH_RIPEMD160 357 -#define OID_ECGDSA_SIG_WITH_SHA1 358 -#define OID_ECGDSA_SIG_WITH_SHA224 359 -#define OID_ECGDSA_SIG_WITH_SHA256 360 -#define OID_ECGDSA_SIG_WITH_SHA384 361 -#define OID_ECGDSA_SIG_WITH_SHA512 362 -#define OID_SECT163K1 385 -#define OID_SECT163R1 386 -#define OID_SECT239K1 387 -#define OID_SECT113R1 388 -#define OID_SECT113R2 389 -#define OID_SECT112R1 390 -#define OID_SECT112R2 391 -#define OID_SECT160R1 392 -#define OID_SECT160K1 393 -#define OID_SECT256K1 394 -#define OID_SECT163R2 395 -#define OID_SECT283K1 396 -#define OID_SECT283R1 397 -#define OID_SECT131R1 398 -#define OID_SECT131R2 399 -#define OID_SECT193R1 400 -#define OID_SECT193R2 401 -#define OID_SECT233K1 402 -#define OID_SECT233R1 403 -#define OID_SECT128R1 404 -#define OID_SECT128R2 405 -#define OID_SECT160R2 406 -#define OID_SECT192K1 407 -#define OID_SECT224K1 408 -#define OID_SECT224R1 409 -#define OID_SECT384R1 410 -#define OID_SECT521R1 411 -#define OID_SECT409K1 412 -#define OID_SECT409R1 413 -#define OID_SECT571K1 414 -#define OID_SECT571R1 415 -#define OID_AES128_CBC 424 -#define OID_AES128_GCM 425 -#define OID_AES128_CCM 426 -#define OID_AES192_CBC 427 -#define OID_AES192_GCM 428 -#define OID_AES192_CCM 429 -#define OID_AES256_CBC 430 -#define OID_AES256_GCM 431 -#define OID_AES256_CCM 432 -#define OID_SHA256 434 -#define OID_SHA384 435 -#define OID_SHA512 436 -#define OID_SHA224 437 -#define OID_SHA3_224 440 -#define OID_SHA3_256 441 -#define OID_SHA3_384 442 -#define OID_SHA3_512 443 -#define OID_NS_REVOCATION_URL 451 -#define OID_NS_CA_REVOCATION_URL 452 -#define OID_NS_CA_POLICY_URL 453 -#define OID_NS_COMMENT 454 -#define OID_EMPLOYEE_NUMBER 457 -#define OID_PKI_MESSAGE_TYPE 463 -#define OID_PKI_STATUS 464 -#define OID_PKI_FAIL_INFO 465 -#define OID_PKI_SENDER_NONCE 466 -#define OID_PKI_RECIPIENT_NONCE 467 -#define OID_PKI_TRANS_ID 468 -#define OID_TPM_MANUFACTURER 474 -#define OID_TPM_MODEL 475 -#define OID_TPM_VERSION 476 -#define OID_TPM_ID_LABEL 477 +#define OID_PSEUDONYM 36 +#define OID_ROLE 37 +#define OID_SUBJECT_KEY_ID 40 +#define OID_KEY_USAGE 41 +#define OID_SUBJECT_ALT_NAME 43 +#define OID_BASIC_CONSTRAINTS 45 +#define OID_CRL_NUMBER 46 +#define OID_CRL_REASON_CODE 47 +#define OID_DELTA_CRL_INDICATOR 50 +#define OID_ISSUING_DIST_POINT 51 +#define OID_NAME_CONSTRAINTS 53 +#define OID_CRL_DISTRIBUTION_POINTS 54 +#define OID_CERTIFICATE_POLICIES 55 +#define OID_ANY_POLICY 56 +#define OID_POLICY_MAPPINGS 57 +#define OID_AUTHORITY_KEY_ID 58 +#define OID_POLICY_CONSTRAINTS 59 +#define OID_EXTENDED_KEY_USAGE 60 +#define OID_FRESHEST_CRL 62 +#define OID_INHIBIT_ANY_POLICY 63 +#define OID_TARGET_INFORMATION 64 +#define OID_NO_REV_AVAIL 65 +#define OID_CAMELLIA128_CBC 76 +#define OID_CAMELLIA192_CBC 77 +#define OID_CAMELLIA256_CBC 78 +#define OID_RSA_ENCRYPTION 91 +#define OID_MD2_WITH_RSA 92 +#define OID_MD5_WITH_RSA 93 +#define OID_SHA1_WITH_RSA 94 +#define OID_RSAES_OAEP 95 +#define OID_SHA256_WITH_RSA 98 +#define OID_SHA384_WITH_RSA 99 +#define OID_SHA512_WITH_RSA 100 +#define OID_SHA224_WITH_RSA 101 +#define OID_PBE_MD5_DES_CBC 103 +#define OID_PBE_SHA1_DES_CBC 104 +#define OID_PBKDF2 105 +#define OID_PBES2 106 +#define OID_PKCS7_DATA 108 +#define OID_PKCS7_SIGNED_DATA 109 +#define OID_PKCS7_ENVELOPED_DATA 110 +#define OID_PKCS7_SIGNED_ENVELOPED_DATA 111 +#define OID_PKCS7_DIGESTED_DATA 112 +#define OID_PKCS7_ENCRYPTED_DATA 113 +#define OID_EMAIL_ADDRESS 115 +#define OID_UNSTRUCTURED_NAME 116 +#define OID_PKCS9_CONTENT_TYPE 117 +#define OID_PKCS9_MESSAGE_DIGEST 118 +#define OID_PKCS9_SIGNING_TIME 119 +#define OID_CHALLENGE_PASSWORD 121 +#define OID_UNSTRUCTURED_ADDRESS 122 +#define OID_EXTENSION_REQUEST 123 +#define OID_X509_CERTIFICATE 126 +#define OID_PBE_SHA1_RC4_128 130 +#define OID_PBE_SHA1_RC4_40 131 +#define OID_PBE_SHA1_3DES_CBC 132 +#define OID_PBE_SHA1_3DES_2KEY_CBC 133 +#define OID_PBE_SHA1_RC2_CBC_128 134 +#define OID_PBE_SHA1_RC2_CBC_40 135 +#define OID_P12_KEY_BAG 138 +#define OID_P12_PKCS8_KEY_BAG 139 +#define OID_P12_CERT_BAG 140 +#define OID_P12_CRL_BAG 141 +#define OID_MD2 145 +#define OID_MD5 146 +#define OID_3DES_EDE_CBC 148 +#define OID_EC_PUBLICKEY 152 +#define OID_C2PNB163V1 155 +#define OID_C2PNB163V2 156 +#define OID_C2PNB163V3 157 +#define OID_C2PNB176W1 158 +#define OID_C2PNB191V1 159 +#define OID_C2PNB191V2 160 +#define OID_C2PNB191V3 161 +#define OID_C2PNB191V4 162 +#define OID_C2PNB191V5 163 +#define OID_C2PNB208W1 164 +#define OID_C2PNB239V1 165 +#define OID_C2PNB239V2 166 +#define OID_C2PNB239V3 167 +#define OID_C2PNB239V4 168 +#define OID_C2PNB239V5 169 +#define OID_C2PNB272W1 170 +#define OID_C2PNB304W1 171 +#define OID_C2PNB359V1 172 +#define OID_C2PNB368W1 173 +#define OID_C2PNB431R1 174 +#define OID_PRIME192V1 176 +#define OID_PRIME192V2 177 +#define OID_PRIME192V3 178 +#define OID_PRIME239V1 179 +#define OID_PRIME239V2 180 +#define OID_PRIME239V3 181 +#define OID_PRIME256V1 182 +#define OID_ECDSA_WITH_SHA1 184 +#define OID_ECDSA_WITH_SHA224 186 +#define OID_ECDSA_WITH_SHA256 187 +#define OID_ECDSA_WITH_SHA384 188 +#define OID_ECDSA_WITH_SHA512 189 +#define OID_MS_SMARTCARD_LOGON 203 +#define OID_USER_PRINCIPAL_NAME 204 +#define OID_STRONGSWAN 210 +#define OID_BLISS_PUBLICKEY 215 +#define OID_BLISS_I 217 +#define OID_BLISS_II 218 +#define OID_BLISS_III 219 +#define OID_BLISS_IV 220 +#define OID_BLISS_B_I 221 +#define OID_BLISS_B_II 222 +#define OID_BLISS_B_III 223 +#define OID_BLISS_B_IV 224 +#define OID_BLISS_WITH_SHA2_512 226 +#define OID_BLISS_WITH_SHA2_384 227 +#define OID_BLISS_WITH_SHA2_256 228 +#define OID_BLISS_WITH_SHA3_512 229 +#define OID_BLISS_WITH_SHA3_384 230 +#define OID_BLISS_WITH_SHA3_256 231 +#define OID_TCGID 238 +#define OID_BLOWFISH_CBC 242 +#define OID_AUTHORITY_INFO_ACCESS 286 +#define OID_IP_ADDR_BLOCKS 288 +#define OID_POLICY_QUALIFIER_CPS 290 +#define OID_POLICY_QUALIFIER_UNOTICE 291 +#define OID_SERVER_AUTH 293 +#define OID_CLIENT_AUTH 294 +#define OID_OCSP_SIGNING 301 +#define OID_XMPP_ADDR 307 +#define OID_AUTHENTICATION_INFO 311 +#define OID_ACCESS_IDENTITY 312 +#define OID_CHARGING_IDENTITY 313 +#define OID_GROUP 314 +#define OID_OCSP 317 +#define OID_BASIC 318 +#define OID_NONCE 319 +#define OID_CRL 320 +#define OID_RESPONSE 321 +#define OID_NO_CHECK 322 +#define OID_ARCHIVE_CUTOFF 323 +#define OID_SERVICE_LOCATOR 324 +#define OID_CA_ISSUERS 325 +#define OID_IKE_INTERMEDIATE 330 +#define OID_DES_CBC 334 +#define OID_SHA1 335 +#define OID_SHA1_WITH_RSA_OIW 336 +#define OID_ECGDSA_PUBKEY 355 +#define OID_ECGDSA_SIG_WITH_RIPEMD160 358 +#define OID_ECGDSA_SIG_WITH_SHA1 359 +#define OID_ECGDSA_SIG_WITH_SHA224 360 +#define OID_ECGDSA_SIG_WITH_SHA256 361 +#define OID_ECGDSA_SIG_WITH_SHA384 362 +#define OID_ECGDSA_SIG_WITH_SHA512 363 +#define OID_SECT163K1 386 +#define OID_SECT163R1 387 +#define OID_SECT239K1 388 +#define OID_SECT113R1 389 +#define OID_SECT113R2 390 +#define OID_SECT112R1 391 +#define OID_SECT112R2 392 +#define OID_SECT160R1 393 +#define OID_SECT160K1 394 +#define OID_SECT256K1 395 +#define OID_SECT163R2 396 +#define OID_SECT283K1 397 +#define OID_SECT283R1 398 +#define OID_SECT131R1 399 +#define OID_SECT131R2 400 +#define OID_SECT193R1 401 +#define OID_SECT193R2 402 +#define OID_SECT233K1 403 +#define OID_SECT233R1 404 +#define OID_SECT128R1 405 +#define OID_SECT128R2 406 +#define OID_SECT160R2 407 +#define OID_SECT192K1 408 +#define OID_SECT224K1 409 +#define OID_SECT224R1 410 +#define OID_SECT384R1 411 +#define OID_SECT521R1 412 +#define OID_SECT409K1 413 +#define OID_SECT409R1 414 +#define OID_SECT571K1 415 +#define OID_SECT571R1 416 +#define OID_AES128_CBC 425 +#define OID_AES128_GCM 426 +#define OID_AES128_CCM 427 +#define OID_AES192_CBC 428 +#define OID_AES192_GCM 429 +#define OID_AES192_CCM 430 +#define OID_AES256_CBC 431 +#define OID_AES256_GCM 432 +#define OID_AES256_CCM 433 +#define OID_SHA256 435 +#define OID_SHA384 436 +#define OID_SHA512 437 +#define OID_SHA224 438 +#define OID_SHA3_224 441 +#define OID_SHA3_256 442 +#define OID_SHA3_384 443 +#define OID_SHA3_512 444 +#define OID_NS_REVOCATION_URL 452 +#define OID_NS_CA_REVOCATION_URL 453 +#define OID_NS_CA_POLICY_URL 454 +#define OID_NS_COMMENT 455 +#define OID_EMPLOYEE_NUMBER 458 +#define OID_PKI_MESSAGE_TYPE 464 +#define OID_PKI_STATUS 465 +#define OID_PKI_FAIL_INFO 466 +#define OID_PKI_SENDER_NONCE 467 +#define OID_PKI_RECIPIENT_NONCE 468 +#define OID_PKI_TRANS_ID 469 +#define OID_TPM_MANUFACTURER 475 +#define OID_TPM_MODEL 476 +#define OID_TPM_VERSION 477 +#define OID_TPM_ID_LABEL 478 -#define OID_MAX 478 +#define OID_MAX 479 #endif /* OID_H_ */ diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt index 64dedcb33..b5ec15f3c 100644 --- a/src/libstrongswan/asn1/oid.txt +++ b/src/libstrongswan/asn1/oid.txt @@ -34,6 +34,7 @@ 0x2B "I" OID_INITIALS 0x2D "ID" OID_UNIQUE_IDENTIFIER 0x2E "dnQualifier" OID_DN_QUALIFIER + 0x41 "pseudonym" OID_PSEUDONYM 0x48 "role" OID_ROLE 0x1D "id-ce" 0x09 "subjectDirectoryAttrs" diff --git a/src/libstrongswan/collections/array.c b/src/libstrongswan/collections/array.c index 61c696bc1..a45a68aaf 100644 --- a/src/libstrongswan/collections/array.c +++ b/src/libstrongswan/collections/array.c @@ -277,6 +277,16 @@ void array_insert_create(array_t **array, int idx, void *ptr) array_insert(*array, idx, ptr); } +void array_insert_create_value(array_t **array, u_int esize, + int idx, void *val) +{ + if (*array == NULL) + { + *array = array_create(esize, 0); + } + array_insert(*array, idx, val); +} + void array_insert_enumerator(array_t *array, int idx, enumerator_t *enumerator) { void *ptr; diff --git a/src/libstrongswan/collections/array.h b/src/libstrongswan/collections/array.h index 0659c70bd..c3be1a15d 100644 --- a/src/libstrongswan/collections/array.h +++ b/src/libstrongswan/collections/array.h @@ -139,6 +139,21 @@ void array_insert(array_t *array, int idx, void *data); void array_insert_create(array_t **array, int idx, void *ptr); /** + * Create a value based array if it does not exist, insert value. + * + * This is a convenience function to insert a value and implicitly + * create a value based array if array is NULL. Array is set the the newly + * created array, if any. + * + * @param array pointer to array reference, potentially NULL + * @param esize element size of this array + * @param idx index to insert item at + * @param val pointer to value to insert + */ +void array_insert_create_value(array_t **array, u_int esize, + int idx, void *val); + +/** * Insert all items from an enumerator to an array. * * @param array array to add items to diff --git a/src/libstrongswan/collections/linked_list.c b/src/libstrongswan/collections/linked_list.c index a176e5a54..b8fe81578 100644 --- a/src/libstrongswan/collections/linked_list.c +++ b/src/libstrongswan/collections/linked_list.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2011 Tobias Brunner + * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -433,6 +433,56 @@ METHOD(linked_list_t, clone_offset, linked_list_t*, return clone; } +METHOD(linked_list_t, equals_offset, bool, + private_linked_list_t *this, linked_list_t *other_pub, size_t offset) +{ + private_linked_list_t *other = (private_linked_list_t*)other_pub; + element_t *cur_t, *cur_o; + + if (this->count != other->count) + { + return FALSE; + } + cur_t = this->first; + cur_o = other->first; + while (cur_t && cur_o) + { + bool (**method)(void*,void*) = cur_t->value + offset; + if (!(*method)(cur_t->value, cur_o->value)) + { + return FALSE; + } + cur_t = cur_t->next; + cur_o = cur_o->next; + } + return TRUE; +} + +METHOD(linked_list_t, equals_function, bool, + private_linked_list_t *this, linked_list_t *other_pub, + bool (*fn)(void*,void*)) +{ + private_linked_list_t *other = (private_linked_list_t*)other_pub; + element_t *cur_t, *cur_o; + + if (this->count != other->count) + { + return FALSE; + } + cur_t = this->first; + cur_o = other->first; + while (cur_t && cur_o) + { + if (!fn(cur_t->value, cur_o->value)) + { + return FALSE; + } + cur_t = cur_t->next; + cur_o = cur_o->next; + } + return TRUE; +} + METHOD(linked_list_t, destroy, void, private_linked_list_t *this) { @@ -503,6 +553,8 @@ linked_list_t *linked_list_create() .invoke_offset = (void*)_invoke_offset, .invoke_function = (void*)_invoke_function, .clone_offset = _clone_offset, + .equals_offset = _equals_offset, + .equals_function = _equals_function, .destroy = _destroy, .destroy_offset = _destroy_offset, .destroy_function = _destroy_function, diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h index abc33c12a..5edaa07aa 100644 --- a/src/libstrongswan/collections/linked_list.h +++ b/src/libstrongswan/collections/linked_list.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007-2011 Tobias Brunner + * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil @@ -218,6 +218,27 @@ struct linked_list_t { linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset); /** + * Compare two lists and their objects for equality using the given equals + * method. + * + * @param other list to compare + * @param offset offset of the objects equals method + * @return TRUE if lists and objects are equal, FALSE otherwise + */ + bool (*equals_offset) (linked_list_t *this, linked_list_t *other, + size_t offset); + + /** + * Compare two lists and their objects for equality using the given function. + * + * @param other list to compare + * @param function function to compare the objects + * @return TRUE if lists and objects are equal, FALSE otherwise + */ + bool (*equals_function) (linked_list_t *this, linked_list_t *other, + bool (*)(void*,void*)); + + /** * Destroys a linked_list object. */ void (*destroy) (linked_list_t *this); diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index 9988d8021..956ce08c9 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008-2015 Tobias Brunner + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -46,11 +46,13 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT, "RULE_SUBJECT_CERT", "RULE_CRL_VALIDATION", "RULE_OCSP_VALIDATION", + "RULE_CERT_VALIDATION_SUSPENDED", "RULE_GROUP", "RULE_RSA_STRENGTH", "RULE_ECDSA_STRENGTH", "RULE_BLISS_STRENGTH", "RULE_SIGNATURE_SCHEME", + "RULE_IKE_SIGNATURE_SCHEME", "RULE_CERT_POLICY", "HELPER_IM_CERT", "HELPER_SUBJECT_CERT", @@ -79,6 +81,7 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_AAA_IDENTITY: case AUTH_RULE_XAUTH_IDENTITY: case AUTH_RULE_XAUTH_BACKEND: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_SUBJECT_HASH_URL: case AUTH_RULE_MAX: @@ -91,6 +94,7 @@ static inline bool is_multi_value_rule(auth_rule_t type) case AUTH_RULE_IM_CERT: case AUTH_RULE_CERT_POLICY: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: case AUTH_HELPER_IM_CERT: case AUTH_HELPER_IM_HASH_URL: case AUTH_HELPER_REVOCATION_CERT: @@ -211,6 +215,8 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args) case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: /* integer type */ this->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -260,6 +266,8 @@ static bool entry_equals(entry_t *e1, entry_t *e2) case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: { return e1->value == e2->value; } @@ -351,6 +359,8 @@ static void destroy_entry_value(entry_t *entry) case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: case AUTH_RULE_MAX: break; } @@ -383,6 +393,8 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator, case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: /* integer type */ entry->value = (void*)(uintptr_t)va_arg(args, u_int); break; @@ -459,11 +471,13 @@ METHOD(auth_cfg_t, get, void*, case AUTH_RULE_BLISS_STRENGTH: return (void*)0; case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: return (void*)HASH_UNKNOWN; case AUTH_RULE_CRL_VALIDATION: case AUTH_RULE_OCSP_VALIDATION: return (void*)VALIDATION_FAILED; case AUTH_RULE_IDENTITY_LOOSE: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: return (void*)FALSE; case AUTH_RULE_IDENTITY: case AUTH_RULE_EAP_IDENTITY: @@ -510,6 +524,183 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...) } } +METHOD(auth_cfg_t, add_pubkey_constraints, void, + private_auth_cfg_t *this, char* constraints, bool ike) +{ + enumerator_t *enumerator; + bool is_ike = FALSE, ike_added = FALSE; + key_type_t expected_type = -1; + auth_rule_t expected_strength = AUTH_RULE_MAX; + int strength; + char *token; + auth_rule_t type; + void *value; + + enumerator = enumerator_create_token(constraints, "-", ""); + while (enumerator->enumerate(enumerator, &token)) + { + bool found = FALSE; + int i; + struct { + char *name; + signature_scheme_t scheme; + key_type_t key; + } schemes[] = { + { "md5", SIGN_RSA_EMSA_PKCS1_MD5, KEY_RSA, }, + { "sha1", SIGN_RSA_EMSA_PKCS1_SHA1, KEY_RSA, }, + { "sha224", SIGN_RSA_EMSA_PKCS1_SHA224, KEY_RSA, }, + { "sha256", SIGN_RSA_EMSA_PKCS1_SHA256, KEY_RSA, }, + { "sha384", SIGN_RSA_EMSA_PKCS1_SHA384, KEY_RSA, }, + { "sha512", SIGN_RSA_EMSA_PKCS1_SHA512, KEY_RSA, }, + { "sha1", SIGN_ECDSA_WITH_SHA1_DER, KEY_ECDSA, }, + { "sha256", SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, }, + { "sha384", SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, }, + { "sha512", SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, }, + { "sha256", SIGN_ECDSA_256, KEY_ECDSA, }, + { "sha384", SIGN_ECDSA_384, KEY_ECDSA, }, + { "sha512", SIGN_ECDSA_521, KEY_ECDSA, }, + { "sha256", SIGN_BLISS_WITH_SHA2_256, KEY_BLISS, }, + { "sha384", SIGN_BLISS_WITH_SHA2_384, KEY_BLISS, }, + { "sha512", SIGN_BLISS_WITH_SHA2_512, KEY_BLISS, }, + }; + + if (expected_strength != AUTH_RULE_MAX) + { /* expecting a key strength token */ + strength = atoi(token); + if (strength) + { + add(this, expected_strength, (uintptr_t)strength); + } + expected_strength = AUTH_RULE_MAX; + if (strength) + { + continue; + } + } + if (streq(token, "rsa") || streq(token, "ike:rsa")) + { + expected_type = KEY_RSA; + expected_strength = AUTH_RULE_RSA_STRENGTH; + is_ike = strpfx(token, "ike:"); + continue; + } + if (streq(token, "ecdsa") || streq(token, "ike:ecdsa")) + { + expected_type = KEY_ECDSA; + expected_strength = AUTH_RULE_ECDSA_STRENGTH; + is_ike = strpfx(token, "ike:"); + continue; + } + if (streq(token, "bliss") || streq(token, "ike:bliss")) + { + expected_type = KEY_BLISS; + expected_strength = AUTH_RULE_BLISS_STRENGTH; + is_ike = strpfx(token, "ike:"); + continue; + } + if (streq(token, "pubkey") || streq(token, "ike:pubkey")) + { + expected_type = KEY_ANY; + is_ike = strpfx(token, "ike:"); + continue; + } + if (is_ike && !ike) + { + continue; + } + + for (i = 0; i < countof(schemes); i++) + { + if (streq(schemes[i].name, token)) + { + if (expected_type == KEY_ANY || expected_type == schemes[i].key) + { + if (is_ike) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, + (uintptr_t)schemes[i].scheme); + ike_added = TRUE; + } + else + { + add(this, AUTH_RULE_SIGNATURE_SCHEME, + (uintptr_t)schemes[i].scheme); + } + } + found = TRUE; + } + } + if (!found) + { + DBG1(DBG_CFG, "ignoring invalid auth token: '%s'", token); + } + } + enumerator->destroy(enumerator); + + /* if no explicit IKE signature contraints were added we add them for all + * configured signature contraints */ + if (ike && !ike_added && + lib->settings->get_bool(lib->settings, + "%s.signature_authentication_constraints", TRUE, + lib->ns)) + { + enumerator = create_enumerator(this); + while (enumerator->enumerate(enumerator, &type, &value)) + { + if (type == AUTH_RULE_SIGNATURE_SCHEME) + { + add(this, AUTH_RULE_IKE_SIGNATURE_SCHEME, + (uintptr_t)value); + } + } + enumerator->destroy(enumerator); + } +} + +/** + * Check if signature schemes of a specific type are compliant + */ +static bool complies_scheme(private_auth_cfg_t *this, auth_cfg_t *constraints, + auth_rule_t type, bool log_error) +{ + enumerator_t *e1, *e2; + auth_rule_t t1, t2; + signature_scheme_t scheme; + void *value; + bool success = TRUE; + + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &scheme)) + { + if (t2 == type) + { + success = FALSE; + e1 = constraints->create_enumerator(constraints); + while (e1->enumerate(e1, &t1, &value)) + { + if (t1 == type && (uintptr_t)value == scheme) + { + success = TRUE; + break; + } + } + e1->destroy(e1); + if (!success) + { + if (log_error) + { + DBG1(DBG_CFG, "%s signature scheme %N not acceptable", + AUTH_RULE_SIGNATURE_SCHEME == type ? "X.509" : "IKE", + signature_scheme_names, (int)scheme); + } + break; + } + } + } + e2->destroy(e2); + return success; +} + METHOD(auth_cfg_t, complies, bool, private_auth_cfg_t *this, auth_cfg_t *constraints, bool log_error) { @@ -518,7 +709,7 @@ METHOD(auth_cfg_t, complies, bool, bool ca_match = FALSE, cert_match = FALSE; identification_t *require_group = NULL; certificate_t *require_ca = NULL, *require_cert = NULL; - signature_scheme_t scheme = SIGN_UNKNOWN; + signature_scheme_t ike_scheme = SIGN_UNKNOWN, scheme = SIGN_UNKNOWN; u_int strength = 0; auth_rule_t t1, t2; char *key_type; @@ -573,6 +764,11 @@ METHOD(auth_cfg_t, complies, bool, { uintptr_t validated; + if (get(this, AUTH_RULE_CERT_VALIDATION_SUSPENDED)) + { /* skip validation, may happen later */ + break; + } + e2 = create_enumerator(this); while (e2->enumerate(e2, &t2, &validated)) { @@ -714,6 +910,11 @@ METHOD(auth_cfg_t, complies, bool, strength = (uintptr_t)value; break; } + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + { + ike_scheme = (uintptr_t)value; + break; + } case AUTH_RULE_SIGNATURE_SCHEME: { scheme = (uintptr_t)value; @@ -745,6 +946,8 @@ METHOD(auth_cfg_t, complies, bool, /* just an indication when verifying AUTH_RULE_IDENTITY */ case AUTH_RULE_XAUTH_BACKEND: /* not enforced, just a hint for local authentication */ + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: + /* not a constraint */ case AUTH_HELPER_IM_CERT: case AUTH_HELPER_SUBJECT_CERT: case AUTH_HELPER_IM_HASH_URL: @@ -766,35 +969,13 @@ METHOD(auth_cfg_t, complies, bool, * signature schemes. */ if (success && scheme != SIGN_UNKNOWN) { - e2 = create_enumerator(this); - while (e2->enumerate(e2, &t2, &scheme)) - { - if (t2 == AUTH_RULE_SIGNATURE_SCHEME) - { - success = FALSE; - e1 = constraints->create_enumerator(constraints); - while (e1->enumerate(e1, &t1, &value)) - { - if (t1 == AUTH_RULE_SIGNATURE_SCHEME && - (uintptr_t)value == scheme) - { - success = TRUE; - break; - } - } - e1->destroy(e1); - if (!success) - { - if (log_error) - { - DBG1(DBG_CFG, "signature scheme %N not acceptable", - signature_scheme_names, (int)scheme); - } - break; - } - } - } - e2->destroy(e2); + success = complies_scheme(this, constraints, + AUTH_RULE_SIGNATURE_SCHEME, log_error); + } + if (success && ike_scheme != SIGN_UNKNOWN) + { + success = complies_scheme(this, constraints, + AUTH_RULE_IKE_SIGNATURE_SCHEME, log_error); } /* Check if we have a matching constraint (or none at all) for used @@ -918,6 +1099,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: { add(this, type, (uintptr_t)value); break; @@ -1088,6 +1271,8 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*, case AUTH_RULE_ECDSA_STRENGTH: case AUTH_RULE_BLISS_STRENGTH: case AUTH_RULE_SIGNATURE_SCHEME: + case AUTH_RULE_IKE_SIGNATURE_SCHEME: + case AUTH_RULE_CERT_VALIDATION_SUSPENDED: clone->add(clone, type, (uintptr_t)value); break; case AUTH_RULE_MAX: @@ -1116,6 +1301,7 @@ auth_cfg_t *auth_cfg_create() INIT(this, .public = { .add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add, + .add_pubkey_constraints = _add_pubkey_constraints, .get = _get, .create_enumerator = _create_enumerator, .replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace, diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h index 53f1b3805..6940069de 100644 --- a/src/libstrongswan/credentials/auth_cfg.h +++ b/src/libstrongswan/credentials/auth_cfg.h @@ -94,6 +94,8 @@ enum auth_rule_t { AUTH_RULE_CRL_VALIDATION, /** result of a OCSP validation, cert_validation_t */ AUTH_RULE_OCSP_VALIDATION, + /** CRL/OCSP validation is disabled, bool */ + AUTH_RULE_CERT_VALIDATION_SUSPENDED, /** subject is member of a group, identification_t* * The group membership constraint is fulfilled if the subject is member of * one group defined in the constraints. */ @@ -106,6 +108,8 @@ enum auth_rule_t { AUTH_RULE_BLISS_STRENGTH, /** required signature scheme, signature_scheme_t */ AUTH_RULE_SIGNATURE_SCHEME, + /** required signature scheme for IKE authentication, signature_scheme_t */ + AUTH_RULE_IKE_SIGNATURE_SCHEME, /** certificatePolicy constraint, numerical OID as char* */ AUTH_RULE_CERT_POLICY, @@ -182,6 +186,15 @@ struct auth_cfg_t { void (*add)(auth_cfg_t *this, auth_rule_t rule, ...); /** + * Add public key and signature scheme constraints to the set. + * + * @param constraints constraints string (e.g. "rsa-sha384") + * @param ike whether to add/parse constraints for IKE signatures + */ + void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints, + bool ike); + + /** * Get a rule value. * * For rules we expect only once the latest value is returned. diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c index b281c1669..761082986 100644 --- a/src/libstrongswan/credentials/certificates/certificate.c +++ b/src/libstrongswan/credentials/certificates/certificate.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -22,10 +23,10 @@ ENUM(certificate_type_names, CERT_ANY, CERT_GPG, "ANY", "X509", "X509_CRL", - "X509_OCSP_REQUEST", - "X509_OCSP_RESPONSE", + "OCSP_REQUEST", + "OCSP_RESPONSE", "X509_AC", - "TRUSTED_PUBKEY", + "PUBKEY", "PKCS10_REQUEST", "PGP", ); diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.c b/src/libstrongswan/credentials/certificates/certificate_printer.c new file mode 100644 index 000000000..c618e80bf --- /dev/null +++ b/src/libstrongswan/credentials/certificates/certificate_printer.c @@ -0,0 +1,753 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "certificate_printer.h" +#include "credentials/certificates/x509.h" +#include "credentials/certificates/crl.h" +#include "credentials/certificates/ac.h" +#include "credentials/certificates/ocsp_response.h" +#include "credentials/certificates/pgp_certificate.h" + +#include <asn1/asn1.h> +#include <asn1/oid.h> +#include <selectors/traffic_selector.h> + +#include <time.h> + +typedef struct private_certificate_printer_t private_certificate_printer_t; + +/** + * Private data of an certificate_printer_t object. + */ +struct private_certificate_printer_t { + + /** + * Public certificate_printer_t interface. + */ + certificate_printer_t public; + + /** + * File to print to + */ + FILE *f; + + /** + * Print detailed certificate information + */ + bool detailed; + + /** + * Print time information in UTC + */ + bool utc; + + /** + * Previous certificate type + */ + certificate_type_t type; + + /** + * Previous X.509 certificate flag + */ + x509_flag_t flag; + +}; + +/** + * Print X509 specific certificate information + */ +static void print_x509(private_certificate_printer_t *this, x509_t *x509) +{ + enumerator_t *enumerator; + identification_t *id; + traffic_selector_t *block; + chunk_t chunk; + bool first; + char *uri; + int len, explicit, inhibit; + x509_flag_t flags; + x509_cdp_t *cdp; + x509_cert_policy_t *policy; + x509_policy_mapping_t *mapping; + FILE *f = this->f; + + chunk = chunk_skip_zero(x509->get_serial(x509)); + fprintf(f, " serial: %#B\n", &chunk); + + first = TRUE; + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " altNames: "); + first = FALSE; + } + else + { + fprintf(f, ", "); + } + fprintf(f, "%Y", id); + } + if (!first) + { + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + if (this->detailed) + { + flags = x509->get_flags(x509); + if (flags != X509_NONE) + { + fprintf(f, " flags: "); + if (flags & X509_CA) + { + fprintf(f, "CA "); + } + if (flags & X509_CRL_SIGN) + { + fprintf(f, "CRLSign "); + } + if (flags & X509_OCSP_SIGNER) + { + fprintf(f, "ocspSigning "); + } + if (flags & X509_SERVER_AUTH) + { + fprintf(f, "serverAuth "); + } + if (flags & X509_CLIENT_AUTH) + { + fprintf(f, "clientAuth "); + } + if (flags & X509_IKE_INTERMEDIATE) + { + fprintf(f, "ikeIntermediate "); + } + if (flags & X509_MS_SMARTCARD_LOGON) + { + fprintf(f, "msSmartcardLogon"); + } + if (flags & X509_SELF_SIGNED) + { + fprintf(f, "self-signed "); + } + fprintf(f, "\n"); + } + + first = TRUE; + enumerator = x509->create_crl_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + fprintf(f, " CRL URIs: %s", cdp->uri); + first = FALSE; + } + else + { + fprintf(f, " %s", cdp->uri); + } + if (cdp->issuer) + { + fprintf(f, " (CRL issuer: %Y)", cdp->issuer); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_ocsp_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + fprintf(f, " OCSP URIs: %s\n", uri); + first = FALSE; + } + else + { + fprintf(f, " %s\n", uri); + } + } + enumerator->destroy(enumerator); + + len = x509->get_constraint(x509, X509_PATH_LEN); + if (len != X509_NO_CONSTRAINT) + { + fprintf(f, " pathlen: %d\n", len); + } + + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " permitted nameConstraints:\n"); + first = FALSE; + } + fprintf(f, " %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + fprintf(f, " excluded nameConstraints:\n"); + first = FALSE; + } + fprintf(f, " %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_cert_policy_enumerator(x509); + while (enumerator->enumerate(enumerator, &policy)) + { + char *oid; + + if (first) + { + fprintf(f, " certificatePolicies:\n"); + first = FALSE; + } + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + fprintf(f, " %s\n", oid); + free(oid); + } + else + { + fprintf(f, " %#B\n", &policy->oid); + } + if (policy->cps_uri) + { + fprintf(f, " CPS: %s\n", policy->cps_uri); + } + if (policy->unotice_text) + { + fprintf(f, " Notice: %s\n", policy->unotice_text); + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_policy_mapping_enumerator(x509); + while (enumerator->enumerate(enumerator, &mapping)) + { + char *issuer_oid, *subject_oid; + + if (first) + { + fprintf(f, " policyMappings:\n"); + first = FALSE; + } + issuer_oid = asn1_oid_to_string(mapping->issuer); + subject_oid = asn1_oid_to_string(mapping->subject); + fprintf(f, " %s => %s\n", issuer_oid, subject_oid); + free(issuer_oid); + free(subject_oid); + } + enumerator->destroy(enumerator); + + explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); + inhibit = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + + if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || + len != X509_NO_CONSTRAINT) + { + fprintf(f, " policyConstraints:\n"); + if (explicit != X509_NO_CONSTRAINT) + { + fprintf(f, " requireExplicitPolicy: %d\n", explicit); + } + if (inhibit != X509_NO_CONSTRAINT) + { + fprintf(f, " inhibitPolicyMapping: %d\n", inhibit); + } + if (len != X509_NO_CONSTRAINT) + { + fprintf(f, " inhibitAnyPolicy: %d\n", len); + } + } + + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + first = TRUE; + fprintf(f, " addresses: "); + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) + { + if (first) + { + first = FALSE; + } + else + { + fprintf(f, ", "); + } + fprintf(f, "%R", block); + } + enumerator->destroy(enumerator); + fprintf(f, "\n"); + } + } + + chunk = x509->get_authKeyIdentifier(x509); + if (chunk.ptr) + { + fprintf(f, " authkeyId: %#B\n", &chunk); + } + + chunk = x509->get_subjectKeyIdentifier(x509); + if (chunk.ptr) + { + fprintf(f, " subjkeyId: %#B\n", &chunk); + } +} + +/** + * Print CRL specific information + */ +static void print_crl(private_certificate_printer_t *this, crl_t *crl) +{ + enumerator_t *enumerator; + time_t ts; + crl_reason_t reason; + chunk_t chunk; + int count = 0; + bool first; + x509_cdp_t *cdp; + FILE *f = this->f; + + chunk = chunk_skip_zero(crl->get_serial(crl)); + fprintf(f, " serial: %#B\n", &chunk); + + if (crl->is_delta_crl(crl, &chunk)) + { + chunk = chunk_skip_zero(chunk); + fprintf(f, " delta CRL: for serial %#B\n", &chunk); + } + chunk = crl->get_authKeyIdentifier(crl); + fprintf(f, " authKeyId: %#B\n", &chunk); + + first = TRUE; + enumerator = crl->create_delta_crl_uri_enumerator(crl); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + fprintf(f, " freshest: %s", cdp->uri); + first = FALSE; + } + else + { + fprintf(f, " %s", cdp->uri); + } + if (cdp->issuer) + { + fprintf(f, " (CRL issuer: %Y)", cdp->issuer); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + count++; + } + enumerator->destroy(enumerator); + + fprintf(f, " %d revoked certificate%s%s\n", count, (count == 1) ? "" : "s", + (count && this->detailed) ? ":" : ""); + + if (this->detailed) + { + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) + { + chunk = chunk_skip_zero(chunk); + fprintf(f, " %#B: %T, %N\n", &chunk, &ts, this->utc, + crl_reason_names, reason); + } + enumerator->destroy(enumerator); + } +} + +/** + * Print AC specific information + */ +static void print_ac(private_certificate_printer_t *this, ac_t *ac) +{ + ac_group_type_t type; + identification_t *id; + enumerator_t *groups; + chunk_t chunk; + bool first = TRUE; + FILE *f = this->f; + + chunk = chunk_skip_zero(ac->get_serial(ac)); + fprintf(f, " serial: %#B\n", &chunk); + + id = ac->get_holderIssuer(ac); + if (id) + { + fprintf(f, " hissuer: \"%Y\"\n", id); + } + chunk = chunk_skip_zero(ac->get_holderSerial(ac)); + if (chunk.ptr) + { + fprintf(f, " hserial: %#B\n", &chunk); + } + groups = ac->create_group_enumerator(ac); + while (groups->enumerate(groups, &type, &chunk)) + { + int oid; + char *str; + + if (first) + { + fprintf(f, " groups: "); + first = FALSE; + } + else + { + fprintf(f, " "); + } + switch (type) + { + case AC_GROUP_TYPE_STRING: + fprintf(f, "%.*s", (int)chunk.len, chunk.ptr); + break; + case AC_GROUP_TYPE_OID: + oid = asn1_known_oid(chunk); + if (oid == OID_UNKNOWN) + { + str = asn1_oid_to_string(chunk); + if (str) + { + fprintf(f, "%s", str); + free(str); + } + else + { + fprintf(f, "OID:%#B", &chunk); + } + } + else + { + fprintf(f, "%s", oid_names[oid].name); + } + break; + case AC_GROUP_TYPE_OCTETS: + fprintf(f, "%#B", &chunk); + break; + } + fprintf(f, "\n"); + } + groups->destroy(groups); + + chunk = ac->get_authKeyIdentifier(ac); + if (chunk.ptr) + { + fprintf(f, " authkey: %#B\n", &chunk); + } +} + +/** + * Print OCSP response specific information + */ +static void print_ocsp_response(private_certificate_printer_t *this, + ocsp_response_t *ocsp_response) +{ + enumerator_t *enumerator; + chunk_t serialNumber; + cert_validation_t status; + char *status_text; + time_t revocationTime; + crl_reason_t *revocationReason; + bool first = TRUE; + FILE *f = this->f; + + if (this->detailed) + { + fprintf(f, " responses: "); + + enumerator = ocsp_response->create_response_enumerator(ocsp_response); + while (enumerator->enumerate(enumerator, &serialNumber, &status, + &revocationTime, &revocationReason)) + { + if (first) + { + first = FALSE; + } + else + { + fprintf(f, " "); + } + serialNumber = chunk_skip_zero(serialNumber); + + switch (status) + { + case VALIDATION_GOOD: + status_text = "good"; + break; + case VALIDATION_REVOKED: + status_text = "revoked"; + break; + default: + status_text = "unknown"; + } + fprintf(f, "%#B: %s", &serialNumber, status_text); + + if (status == VALIDATION_REVOKED) + { + fprintf(f, " on %T, %N", &revocationTime, this->utc, + crl_reason_names, revocationReason); + } + fprintf(f, "\n"); + } + enumerator->destroy(enumerator); + } +} + +/** + * Print public key information + */ +static void print_pubkey(private_certificate_printer_t *this, public_key_t *key, + bool has_privkey) +{ + chunk_t chunk; + FILE *f = this->f; + + fprintf(f, " pubkey: %N %d bits", key_type_names, key->get_type(key), + key->get_keysize(key)); + if (has_privkey) + { + fprintf(f, ", has private key"); + } + fprintf(f, "\n"); + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) + { + fprintf(f, " keyid: %#B\n", &chunk); + } + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) + { + fprintf(f, " subjkey: %#B\n", &chunk); + } +} + +METHOD(certificate_printer_t, print, void, + private_certificate_printer_t *this, certificate_t *cert, bool has_privkey) +{ + time_t now, notAfter, notBefore; + certificate_type_t type; + identification_t *subject; + char *t0, *t1, *t2; + public_key_t *key; + FILE *f = this->f; + + now = time(NULL); + type = cert->get_type(cert); + subject = cert->get_subject(cert); + + if ((type != CERT_X509_CRL && type != CERT_X509_OCSP_RESPONSE && + type != CERT_TRUSTED_PUBKEY) || + (type == CERT_TRUSTED_PUBKEY && subject->get_type(subject) != ID_KEY_ID)) + { + fprintf(f, " subject: \"%Y\"\n", subject); + } + if (type != CERT_TRUSTED_PUBKEY && type != CERT_GPG) + { + fprintf(f, " issuer: \"%Y\"\n", cert->get_issuer(cert)); + } + + /* list validity if set */ + cert->get_validity(cert, &now, ¬Before, ¬After); + if (notBefore != UNDEFINED_TIME && notAfter != UNDEFINED_TIME) + { + if (type == CERT_GPG) + { + fprintf(f, " created: %T\n", ¬Before, this->utc); + fprintf(f, " until: %T%s\n", ¬After, this->utc, + (notAfter == TIME_32_BIT_SIGNED_MAX) ?" expires never" : ""); + } + else + { + if (type == CERT_X509_CRL || type == CERT_X509_OCSP_RESPONSE) + { + t0 = "update: "; + t1 = "this on"; + t2 = "next on"; + } + else + { + t0 = "validity:"; + t1 = "not before"; + t2 = "not after "; + } + fprintf(f, " %s %s %T, ", t0, t1, ¬Before, this->utc); + if (now < notBefore) + { + fprintf(f, "not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + fprintf(f, "ok\n"); + } + fprintf(f, " %s %T, ", t2, ¬After, this->utc); + if (now > notAfter) + { + fprintf(f, "expired (%V ago)\n", &now, ¬After); + } + else + { + fprintf(f, "ok (expires in %V)\n", &now, ¬After); + } + } + } + + switch (cert->get_type(cert)) + { + case CERT_X509: + print_x509(this, (x509_t*)cert); + break; + case CERT_X509_CRL: + print_crl(this, (crl_t*)cert); + break; + case CERT_X509_AC: + print_ac(this, (ac_t*)cert); + break; + case CERT_X509_OCSP_RESPONSE: + print_ocsp_response(this, (ocsp_response_t*)cert); + break; + case CERT_TRUSTED_PUBKEY: + default: + break; + } + if (type == CERT_GPG) + { + pgp_certificate_t *pgp_cert = (pgp_certificate_t*)cert; + chunk_t fingerprint = pgp_cert->get_fingerprint(pgp_cert); + + fprintf(f, " pgpDigest: %#B\n", &fingerprint); + } + key = cert->get_public_key(cert); + if (key) + { + print_pubkey(this, key, has_privkey); + key->destroy(key); + } +} + +METHOD(certificate_printer_t, print_caption, void, + private_certificate_printer_t *this, certificate_type_t type, + x509_flag_t flag) +{ + char *caption; + + if (type != this->type || (type == CERT_X509 && flag != this->flag)) + { + switch (type) + { + case CERT_X509: + switch (flag) + { + case X509_NONE: + caption = "X.509 End Entity Certificate"; + break; + case X509_CA: + caption = "X.509 CA Certificate"; + break; + case X509_AA: + caption = "X.509 AA Certificate"; + break; + case X509_OCSP_SIGNER: + caption = "X.509 OCSP Signer Certificate"; + break; + default: + return; + } + break; + case CERT_X509_AC: + caption = "X.509 Attribute Certificate"; + break; + case CERT_X509_CRL: + caption = "X.509 CRL"; + break; + case CERT_X509_OCSP_RESPONSE: + caption = "OCSP Response"; + break; + case CERT_TRUSTED_PUBKEY: + caption = "Raw Public Key"; + break; + case CERT_GPG: + caption = "PGP End Entity Certificate"; + break; + default: + return; + } + fprintf(this->f, "\nList of %ss\n", caption); + + /* Update to current type and flag value */ + this->type = type; + if (type == CERT_X509) + { + this->flag = flag; + } + } + fprintf(this->f, "\n"); +} + +METHOD(certificate_printer_t, destroy, void, + private_certificate_printer_t *this) +{ + free(this); +} + +/** + * See header + */ +certificate_printer_t *certificate_printer_create(FILE *f, bool detailed, + bool utc) +{ + private_certificate_printer_t *this; + + INIT(this, + .public = { + .print = _print, + .print_caption = _print_caption, + .destroy = _destroy, + }, + .f = f, + .detailed = detailed, + .utc = utc, + .type = CERT_ANY, + .flag = X509_ANY, + ); + + return &this->public; +} diff --git a/src/libstrongswan/credentials/certificates/certificate_printer.h b/src/libstrongswan/credentials/certificates/certificate_printer.h new file mode 100644 index 000000000..7953eb060 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/certificate_printer.h @@ -0,0 +1,70 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup certificate_printer certificate_printer + * @{ @ingroup certificates + */ + +#ifndef CERTIFICATE_PRINTER_H_ +#define CERTIFICATE_PRINTER_H_ + +typedef struct certificate_printer_t certificate_printer_t; + +#include "credentials/certificates/certificate.h" +#include "credentials/certificates/x509.h" + +#include <stdio.h> + +/** + * An object for printing certificate information. + */ +struct certificate_printer_t { + + /** + * Print a certificate. + * + * @param cert certificate to be printed + * @param has_privkey indicates that certificate has a matching private key + */ + void (*print)(certificate_printer_t *this, certificate_t *cert, + bool has_privkey); + + /** + * Print a caption if the certificate type changed. + * + * @param type certificate type + * @param flag X.509 certificate flag + */ + void (*print_caption)(certificate_printer_t *this, certificate_type_t type, + x509_flag_t flag); + + /** + * Destroy the certificate_printer object. + */ + void (*destroy)(certificate_printer_t *this); +}; + +/** + * Create a certificate_printer object + * + * @param f file where print output is directed to (usually stdout) + * @param detailed print more detailed certificate information + * @param utc print time inforamtion in UTC + */ +certificate_printer_t* certificate_printer_create(FILE *f, bool detailed, + bool utc); + +#endif /** CERTIFICATE_PRINTER_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/ocsp_response.h b/src/libstrongswan/credentials/certificates/ocsp_response.h index 9c5637b9f..c6a4c1277 100644 --- a/src/libstrongswan/credentials/certificates/ocsp_response.h +++ b/src/libstrongswan/credentials/certificates/ocsp_response.h @@ -77,6 +77,13 @@ struct ocsp_response_t { * @return enumerator over certificate_t* */ enumerator_t* (*create_cert_enumerator)(ocsp_response_t *this); + + /** + * Create an enumerator over the contained responses. + * + * @return enumerator over major response fields + */ + enumerator_t* (*create_response_enumerator)(ocsp_response_t *this); }; #endif /** OCSP_RESPONSE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c new file mode 100644 index 000000000..5eefa0bb4 --- /dev/null +++ b/src/libstrongswan/credentials/certificates/x509.c @@ -0,0 +1,27 @@ +/* + * Copyright (C) 2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "x509.h" + +ENUM_BEGIN(x509_flag_names, X509_NONE, X509_AA, + "NONE", + "CA", + "AA"); +ENUM_NEXT(x509_flag_names, X509_OCSP_SIGNER, X509_OCSP_SIGNER, X509_AA, + "OCSP"); +ENUM_NEXT(x509_flag_names, X509_ANY, X509_ANY, X509_OCSP_SIGNER, + "ANY"); +ENUM_END(x509_flag_names, X509_ANY); + diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 6cbfcdeed..601c034ef 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -46,6 +46,8 @@ enum x509_flag_t { X509_AA = (1<<1), /** cert has OCSP signer constraint */ X509_OCSP_SIGNER = (1<<2), + /** cert has either CA, AA or OCSP constraint */ + X509_ANY = X509_CA | X509_AA | X509_OCSP_SIGNER, /** cert has serverAuth key usage */ X509_SERVER_AUTH = (1<<3), /** cert has clientAuth key usage */ @@ -62,6 +64,8 @@ enum x509_flag_t { X509_MS_SMARTCARD_LOGON = (1<<9), }; +extern enum_name_t *x509_flag_names; + /** * Different numerical X.509 constraints. */ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 371e6404d..95c5cd777 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -917,6 +918,8 @@ METHOD(enumerator_t, trusted_destroy, void, DESTROY_IF(this->auth); DESTROY_IF(this->candidates); this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy)); + /* check for delayed certificate cache queue */ + cache_queue(this->this); free(this); } @@ -985,7 +988,6 @@ METHOD(enumerator_t, public_destroy, void, this->wrapper->destroy(this->wrapper); } this->this->lock->unlock(this->this->lock); - /* check for delayed certificate cache queue */ cache_queue(this->this); free(this); @@ -993,7 +995,7 @@ METHOD(enumerator_t, public_destroy, void, METHOD(credential_manager_t, create_public_enumerator, enumerator_t*, private_credential_manager_t *this, key_type_t type, identification_t *id, - auth_cfg_t *auth) + auth_cfg_t *auth, bool online) { public_enumerator_t *enumerator; @@ -1002,7 +1004,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*, .enumerate = (void*)_public_enumerate, .destroy = _public_destroy, }, - .inner = create_trusted_enumerator(this, type, id, TRUE), + .inner = create_trusted_enumerator(this, type, id, online), .this = this, ); if (auth) diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h index 445ea3f9c..022ca566c 100644 --- a/src/libstrongswan/credentials/credential_manager.h +++ b/src/libstrongswan/credentials/credential_manager.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2015 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -202,14 +203,18 @@ struct credential_manager_t { * where the auth config helper contains rules for constraint checks. * This function is very similar to create_trusted_enumerator(), but * gets public keys directly. + * If online is set, revocations are checked online for the whole + * trustchain. * * @param type type of the key to get * @param id owner of the key, signer of the signature * @param auth authentication infos + * @param online whether revocations should be checked online * @return enumerator */ enumerator_t* (*create_public_enumerator)(credential_manager_t *this, - key_type_t type, identification_t *id, auth_cfg_t *auth); + key_type_t type, identification_t *id, auth_cfg_t *auth, + bool online); /** * Cache a certificate by invoking cache_cert() on all registered sets. diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c index dc73ccc68..e130b93ee 100644 --- a/src/libstrongswan/library.c +++ b/src/libstrongswan/library.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Tobias Brunner + * Copyright (C) 2009-2016 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -61,6 +61,31 @@ struct private_library_t { refcount_t ref; }; +#define MAX_NAMESPACES 5 + +/** + * Additional namespaces registered using __atrribute__((constructor)) + */ +static char *namespaces[MAX_NAMESPACES]; +static int ns_count; + +/** + * Described in header + */ +void library_add_namespace(char *ns) +{ + if (ns_count < MAX_NAMESPACES - 1) + { + namespaces[ns_count] = ns; + ns_count++; + } + else + { + fprintf(stderr, "failed to register additional namespace alias, please " + "increase MAX_NAMESPACES"); + } +} + /** * library instance */ @@ -248,6 +273,7 @@ bool library_init(char *settings, const char *namespace) { private_library_t *this; printf_hook_t *pfh; + int i; if (lib) { /* already initialized, increase refcount */ @@ -311,6 +337,11 @@ bool library_init(char *settings, const char *namespace) (hashtable_equals_t)equals, 4); this->public.settings = settings_create(this->public.conf); + /* add registered aliases */ + for (i = 0; i < ns_count; ++i) + { + lib->settings->add_fallback(lib->settings, lib->ns, namespaces[i]); + } /* all namespace settings may fall back to libstrongswan */ lib->settings->add_fallback(lib->settings, lib->ns, "libstrongswan"); diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 3a6dd1ba4..08316fd13 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2014 Tobias Brunner + * Copyright (C) 2010-2016 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -276,4 +276,14 @@ void library_deinit(); */ extern library_t *lib; +/** + * Add additional names used as alias for the namespace registered with + * library_init(). + * + * To be called from __attribute__((constructor)) functions. + * + * @param ns additional namespace + */ +void library_add_namespace(char *ns); + #endif /** LIBRARY_H_ @}*/ diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in index 65542ea5d..034ab48e0 100644 --- a/src/libstrongswan/plugins/acert/Makefile.in +++ b/src/libstrongswan/plugins/acert/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 9d79c81ee..6ad68a55a 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in index 34adaa390..7f91e439c 100644 --- a/src/libstrongswan/plugins/aesni/Makefile.in +++ b/src/libstrongswan/plugins/aesni/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in index 4a86f9640..7aaea450c 100644 --- a/src/libstrongswan/plugins/af_alg/Makefile.in +++ b/src/libstrongswan/plugins/af_alg/Makefile.in @@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 292c2fd90..cbdc8e84e 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in index 1361dd340..8f91cdcbe 100644 --- a/src/libstrongswan/plugins/bliss/Makefile.in +++ b/src/libstrongswan/plugins/bliss/Makefile.in @@ -433,6 +433,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in index 5a1ce3d50..43e508ba0 100644 --- a/src/libstrongswan/plugins/bliss/tests/Makefile.in +++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index f19616552..a6c3287f4 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index ca7cadbe4..3d56b9802 100644 --- a/src/libstrongswan/plugins/ccm/Makefile.in +++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in index 98e1f4d9e..b3506587d 100644 --- a/src/libstrongswan/plugins/chapoly/Makefile.in +++ b/src/libstrongswan/plugins/chapoly/Makefile.in @@ -428,6 +428,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c index 54e934e6a..dfed4d53d 100644 --- a/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c +++ b/src/libstrongswan/plugins/chapoly/chapoly_drv_portable.c @@ -58,27 +58,6 @@ struct private_chapoly_drv_portable_t { }; /** - * Convert unaligned little endian to host byte order - */ -static inline u_int32_t uletoh32(void *p) -{ - u_int32_t ret; - - memcpy(&ret, p, sizeof(ret)); - ret = le32toh(ret); - return ret; -} - -/** - * Convert host byte order to unaligned little endian - */ -static inline void htoule32(void *p, u_int32_t v) -{ - v = htole32(v); - memcpy(p, &v, sizeof(v)); -} - -/** * XOR a 32-bit integer into an unaligned destination */ static inline void xor32u(void *p, u_int32_t x) diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in index 9e249399b..2ffaa0662 100644 --- a/src/libstrongswan/plugins/cmac/Makefile.in +++ b/src/libstrongswan/plugins/cmac/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in index 2e623ad3b..f263f7764 100644 --- a/src/libstrongswan/plugins/constraints/Makefile.in +++ b/src/libstrongswan/plugins/constraints/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index 7b7231b85..9558f878e 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index d525eac02..8fc366cca 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 96b2f6055..6a09d63c9 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 910289906..55ebb3419 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in index 31dc4a3ac..6c2e792f5 100644 --- a/src/libstrongswan/plugins/files/Makefile.in +++ b/src/libstrongswan/plugins/files/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index b7ca1ce97..252035ca8 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index e125ab884..f9c4a6950 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 4ce7438fc..774c447f6 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c index 04f1f43ef..7ecba8fa9 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c @@ -98,14 +98,14 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(HASHER, HASH_SHA512), /* MODP DH groups */ PLUGIN_REGISTER(DH, gcrypt_dh_create), - PLUGIN_PROVIDE(DH, MODP_2048_BIT), - PLUGIN_PROVIDE(DH, MODP_2048_224), - PLUGIN_PROVIDE(DH, MODP_2048_256), - PLUGIN_PROVIDE(DH, MODP_1536_BIT), PLUGIN_PROVIDE(DH, MODP_3072_BIT), PLUGIN_PROVIDE(DH, MODP_4096_BIT), PLUGIN_PROVIDE(DH, MODP_6144_BIT), PLUGIN_PROVIDE(DH, MODP_8192_BIT), + PLUGIN_PROVIDE(DH, MODP_2048_BIT), + PLUGIN_PROVIDE(DH, MODP_2048_224), + PLUGIN_PROVIDE(DH, MODP_2048_256), + PLUGIN_PROVIDE(DH, MODP_1536_BIT), PLUGIN_PROVIDE(DH, MODP_1024_BIT), PLUGIN_PROVIDE(DH, MODP_1024_160), PLUGIN_PROVIDE(DH, MODP_768_BIT), diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index 788cb931e..9a2d30192 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c index d93aa14a1..ea75896a1 100644 --- a/src/libstrongswan/plugins/gmp/gmp_plugin.c +++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c @@ -45,14 +45,6 @@ METHOD(plugin_t, get_features, int, static plugin_feature_t f[] = { /* DH groups */ PLUGIN_REGISTER(DH, gmp_diffie_hellman_create), - PLUGIN_PROVIDE(DH, MODP_2048_BIT), - PLUGIN_DEPENDS(RNG, RNG_STRONG), - PLUGIN_PROVIDE(DH, MODP_2048_224), - PLUGIN_DEPENDS(RNG, RNG_STRONG), - PLUGIN_PROVIDE(DH, MODP_2048_256), - PLUGIN_DEPENDS(RNG, RNG_STRONG), - PLUGIN_PROVIDE(DH, MODP_1536_BIT), - PLUGIN_DEPENDS(RNG, RNG_STRONG), PLUGIN_PROVIDE(DH, MODP_3072_BIT), PLUGIN_DEPENDS(RNG, RNG_STRONG), PLUGIN_PROVIDE(DH, MODP_4096_BIT), @@ -61,6 +53,14 @@ METHOD(plugin_t, get_features, int, PLUGIN_DEPENDS(RNG, RNG_STRONG), PLUGIN_PROVIDE(DH, MODP_8192_BIT), PLUGIN_DEPENDS(RNG, RNG_STRONG), + PLUGIN_PROVIDE(DH, MODP_2048_BIT), + PLUGIN_DEPENDS(RNG, RNG_STRONG), + PLUGIN_PROVIDE(DH, MODP_2048_224), + PLUGIN_DEPENDS(RNG, RNG_STRONG), + PLUGIN_PROVIDE(DH, MODP_2048_256), + PLUGIN_DEPENDS(RNG, RNG_STRONG), + PLUGIN_PROVIDE(DH, MODP_1536_BIT), + PLUGIN_DEPENDS(RNG, RNG_STRONG), PLUGIN_PROVIDE(DH, MODP_1024_BIT), PLUGIN_DEPENDS(RNG, RNG_STRONG), PLUGIN_PROVIDE(DH, MODP_1024_160), diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index a8c39cbab..46fac4a8c 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in index 8f6a6f54d..eb0bdf387 100644 --- a/src/libstrongswan/plugins/keychain/Makefile.in +++ b/src/libstrongswan/plugins/keychain/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 5316323a4..0a03fd819 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index d5f9c6c81..4dbdbe020 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 1dd3892cd..6fc25b023 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in +++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index e2fb7e720..17409dbc3 100644 --- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in index 0b51ba5d8..68be3f44a 100644 --- a/src/libstrongswan/plugins/nonce/Makefile.in +++ b/src/libstrongswan/plugins/nonce/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in index 5636692ab..97a70679d 100644 --- a/src/libstrongswan/plugins/ntru/Makefile.in +++ b/src/libstrongswan/plugins/ntru/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index a667ca47e..302016937 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -423,6 +423,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index e48efe3e9..aeb9be409 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -365,28 +365,41 @@ METHOD(plugin_t, get_features, int, #ifndef OPENSSL_NO_AES /* AES GCM */ PLUGIN_REGISTER(AEAD, openssl_gcm_create), - PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16), - PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24), - PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32), - PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16), - PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24), - PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 16), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 24), PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV16, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV12, 32), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 16), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 24), + PLUGIN_PROVIDE(AEAD, ENCR_AES_GCM_ICV8, 32), #endif /* OPENSSL_NO_AES */ #endif /* OPENSSL_VERSION_NUMBER */ +#ifndef OPENSSL_NO_ECDH + /* EC DH groups */ + PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create), + PLUGIN_PROVIDE(DH, ECP_256_BIT), + PLUGIN_PROVIDE(DH, ECP_384_BIT), + PLUGIN_PROVIDE(DH, ECP_521_BIT), + PLUGIN_PROVIDE(DH, ECP_224_BIT), + PLUGIN_PROVIDE(DH, ECP_192_BIT), + PLUGIN_PROVIDE(DH, ECP_256_BP), + PLUGIN_PROVIDE(DH, ECP_384_BP), + PLUGIN_PROVIDE(DH, ECP_512_BP), + PLUGIN_PROVIDE(DH, ECP_224_BP), +#endif #ifndef OPENSSL_NO_DH /* MODP DH groups */ PLUGIN_REGISTER(DH, openssl_diffie_hellman_create), - PLUGIN_PROVIDE(DH, MODP_2048_BIT), - PLUGIN_PROVIDE(DH, MODP_2048_224), - PLUGIN_PROVIDE(DH, MODP_2048_256), - PLUGIN_PROVIDE(DH, MODP_1536_BIT), PLUGIN_PROVIDE(DH, MODP_3072_BIT), PLUGIN_PROVIDE(DH, MODP_4096_BIT), PLUGIN_PROVIDE(DH, MODP_6144_BIT), PLUGIN_PROVIDE(DH, MODP_8192_BIT), + PLUGIN_PROVIDE(DH, MODP_2048_BIT), + PLUGIN_PROVIDE(DH, MODP_2048_224), + PLUGIN_PROVIDE(DH, MODP_2048_256), + PLUGIN_PROVIDE(DH, MODP_1536_BIT), PLUGIN_PROVIDE(DH, MODP_1024_BIT), PLUGIN_PROVIDE(DH, MODP_1024_160), PLUGIN_PROVIDE(DH, MODP_768_BIT), @@ -446,19 +459,6 @@ METHOD(plugin_t, get_features, int, #endif /* OPENSSL_VERSION_NUMBER */ PLUGIN_REGISTER(CONTAINER_DECODE, openssl_pkcs12_load, TRUE), PLUGIN_PROVIDE(CONTAINER_DECODE, CONTAINER_PKCS12), -#ifndef OPENSSL_NO_ECDH - /* EC DH groups */ - PLUGIN_REGISTER(DH, openssl_ec_diffie_hellman_create), - PLUGIN_PROVIDE(DH, ECP_256_BIT), - PLUGIN_PROVIDE(DH, ECP_384_BIT), - PLUGIN_PROVIDE(DH, ECP_521_BIT), - PLUGIN_PROVIDE(DH, ECP_224_BIT), - PLUGIN_PROVIDE(DH, ECP_192_BIT), - PLUGIN_PROVIDE(DH, ECP_224_BP), - PLUGIN_PROVIDE(DH, ECP_256_BP), - PLUGIN_PROVIDE(DH, ECP_384_BP), - PLUGIN_PROVIDE(DH, ECP_512_BP), -#endif #ifndef OPENSSL_NO_ECDSA /* EC private/public key loading */ PLUGIN_REGISTER(PRIVKEY, openssl_ec_private_key_load, TRUE), diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 44603afb1..2d6006bca 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index 4c982fdf5..16dfbed3a 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 4d4215bfe..a55877952 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 2a708364a..a265818b0 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index de033a3fb..f4bded41a 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in @@ -418,6 +418,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in index 3fa0a3890..7fd31583b 100644 --- a/src/libstrongswan/plugins/pkcs12/Makefile.in +++ b/src/libstrongswan/plugins/pkcs12/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in index 3266e5d5f..5fc439b99 100644 --- a/src/libstrongswan/plugins/pkcs7/Makefile.in +++ b/src/libstrongswan/plugins/pkcs7/Makefile.in @@ -417,6 +417,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in index 2130c9c93..162868af5 100644 --- a/src/libstrongswan/plugins/pkcs8/Makefile.in +++ b/src/libstrongswan/plugins/pkcs8/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index a9f3dd14c..007bdbd00 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c index b7ba5ad43..0631a6857 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c @@ -196,6 +196,13 @@ METHOD(certificate_t, destroy, void, } } +METHOD(pubkey_cert_t, set_subject, void, + private_pubkey_cert_t *this, identification_t *subject) +{ + DESTROY_IF(this->subject); + this->subject = subject->clone(subject); +} + /* * see header file */ @@ -222,6 +229,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key, .get_ref = _get_ref, .destroy = _destroy, }, + .set_subject = _set_subject, }, .ref = 1, .key = key, diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.h b/src/libstrongswan/plugins/pubkey/pubkey_cert.h index a2d735342..06e4e0fa3 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_cert.h +++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.h @@ -35,6 +35,13 @@ struct pubkey_cert_t { * Implements certificate_t. */ certificate_t interface; + + /** + * Set the subject of the trusted public key. + * + * @param subject subject to be set + */ + void (*set_subject)(pubkey_cert_t *this, identification_t *subject); }; /** diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 11a13463b..f6dc73e09 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in index b81acef55..b9fc8bdf6 100644 --- a/src/libstrongswan/plugins/rc2/Makefile.in +++ b/src/libstrongswan/plugins/rc2/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in index 028464bf3..f6bdf9c59 100644 --- a/src/libstrongswan/plugins/rdrand/Makefile.in +++ b/src/libstrongswan/plugins/rdrand/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 342c544d9..4c7f2723b 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 18771e4f9..1de07d754 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 6aaa06b20..d4af8fbcf 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in index 3034ea537..9aa58e236 100644 --- a/src/libstrongswan/plugins/sha3/Makefile.in +++ b/src/libstrongswan/plugins/sha3/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in index 02290b4a2..acb05d570 100644 --- a/src/libstrongswan/plugins/soup/Makefile.in +++ b/src/libstrongswan/plugins/soup/Makefile.in @@ -414,6 +414,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 3e234f1ca..ca59bb7df 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in index a8d5a1020..feb9313ff 100644 --- a/src/libstrongswan/plugins/sshkey/Makefile.in +++ b/src/libstrongswan/plugins/sshkey/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 100f3b15a..431b60724 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -432,6 +432,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in index c84717bdc..59590d1a9 100644 --- a/src/libstrongswan/plugins/unbound/Makefile.in +++ b/src/libstrongswan/plugins/unbound/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in index f8db1ffac..acfc57bb6 100644 --- a/src/libstrongswan/plugins/winhttp/Makefile.in +++ b/src/libstrongswan/plugins/winhttp/Makefile.in @@ -416,6 +416,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index b31bfbed1..c58dfe210 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -415,6 +415,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 96280a033..2b83f3328 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -2143,8 +2143,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, msSmartcardLogon = asn1_build_known_oid(OID_MS_SMARTCARD_LOGON); } - if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || - ocspSigning.ptr) + if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr || + ocspSigning.ptr || msSmartcardLogon.ptr) { extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_EXTENDED_KEY_USAGE), diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 60133fc7f..b46af30fe 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -1,7 +1,8 @@ /** * Copyright (C) 2008-2009 Martin Willi - * Copyright (C) 2007-2014 Andreas Steffen - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2007-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * * Copyright (C) 2003 Christoph Gysin, Simon Zwahlen * * This program is free software; you can redistribute it and/or modify it @@ -228,6 +229,42 @@ METHOD(ocsp_response_t, create_cert_enumerator, enumerator_t*, } /** + * enumerator filter callback for create_response_enumerator + */ +static bool filter(void *data, single_response_t **response, + chunk_t *serialNumber, + void *p2, cert_validation_t *status, + void *p3, time_t *revocationTime, + void *p4, crl_reason_t *revocationReason) +{ + if (serialNumber) + { + *serialNumber = (*response)->serialNumber; + } + if (status) + { + *status = (*response)->status; + } + if (revocationTime) + { + *revocationTime = (*response)->revocationTime; + } + if (revocationReason) + { + *revocationReason = (*response)->revocationReason; + } + return TRUE; +} + +METHOD(ocsp_response_t, create_response_enumerator, enumerator_t*, + private_x509_ocsp_response_t *this) +{ + return enumerator_create_filter( + this->responses->create_enumerator(this->responses), + (void*)filter, NULL, NULL); +} + +/** * ASN.1 definition of singleResponse */ static const asn1Object_t singleResponseObjects[] = { @@ -828,6 +865,7 @@ static x509_ocsp_response_t *load(chunk_t blob) }, .get_status = _get_status, .create_cert_enumerator = _create_cert_enumerator, + .create_response_enumerator = _create_response_enumerator, }, }, .ref = 1, diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index 6c9901e6c..6f69fb100 100644 --- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -413,6 +413,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ diff --git a/src/libstrongswan/processing/watcher.c b/src/libstrongswan/processing/watcher.c index 5b94208bf..b7628501a 100644 --- a/src/libstrongswan/processing/watcher.c +++ b/src/libstrongswan/processing/watcher.c @@ -345,6 +345,13 @@ static job_requeue_t watch(private_watcher_t *this) old = thread_cancelability(TRUE); res = poll(pfd, count, -1); + if (res == -1 && errno == EINTR) + { + /* LinuxThreads interrupts poll(), but does not make it a + * cancellation point. Manually test if we got cancelled. */ + thread_cancellation_point(); + } + thread_cancelability(old); thread_cleanup_pop(FALSE); diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am index d86584ad1..b2d456035 100644 --- a/src/libstrongswan/tests/Makefile.am +++ b/src/libstrongswan/tests/Makefile.am @@ -44,6 +44,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_certpolicy.c \ suites/test_certnames.c \ suites/test_host.c \ + suites/test_auth_cfg.c \ suites/test_hasher.c \ suites/test_crypter.c \ suites/test_crypto_factory.c \ diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in index 13fd4cc25..0a0f5893d 100644 --- a/src/libstrongswan/tests/Makefile.in +++ b/src/libstrongswan/tests/Makefile.in @@ -140,6 +140,7 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \ suites/tests-test_certpolicy.$(OBJEXT) \ suites/tests-test_certnames.$(OBJEXT) \ suites/tests-test_host.$(OBJEXT) \ + suites/tests-test_auth_cfg.$(OBJEXT) \ suites/tests-test_hasher.$(OBJEXT) \ suites/tests-test_crypter.$(OBJEXT) \ suites/tests-test_crypto_factory.$(OBJEXT) \ @@ -452,6 +453,8 @@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ +systemd_CFLAGS = @systemd_CFLAGS@ +systemd_LIBS = @systemd_LIBS@ systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@ systemd_daemon_LIBS = @systemd_daemon_LIBS@ systemd_journal_CFLAGS = @systemd_journal_CFLAGS@ @@ -505,6 +508,7 @@ tests_SOURCES = tests.h tests.c \ suites/test_certpolicy.c \ suites/test_certnames.c \ suites/test_host.c \ + suites/test_auth_cfg.c \ suites/test_hasher.c \ suites/test_crypter.c \ suites/test_crypto_factory.c \ @@ -648,6 +652,8 @@ suites/tests-test_certnames.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_host.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) +suites/tests-test_auth_cfg.$(OBJEXT): suites/$(am__dirstamp) \ + suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_hasher.$(OBJEXT): suites/$(am__dirstamp) \ suites/$(DEPDIR)/$(am__dirstamp) suites/tests-test_crypter.$(OBJEXT): suites/$(am__dirstamp) \ @@ -690,6 +696,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_array.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_asn1_parser.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_auth_cfg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_reader.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_bio_writer.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@suites/$(DEPDIR)/tests-test_certnames.Po@am__quote@ @@ -1119,6 +1126,20 @@ suites/tests-test_host.obj: suites/test_host.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_host.obj `if test -f 'suites/test_host.c'; then $(CYGPATH_W) 'suites/test_host.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_host.c'; fi` +suites/tests-test_auth_cfg.o: suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.o -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.o `test -f 'suites/test_auth_cfg.c' || echo '$(srcdir)/'`suites/test_auth_cfg.c + +suites/tests-test_auth_cfg.obj: suites/test_auth_cfg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_auth_cfg.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_auth_cfg.Tpo -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_auth_cfg.Tpo suites/$(DEPDIR)/tests-test_auth_cfg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='suites/test_auth_cfg.c' object='suites/tests-test_auth_cfg.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_auth_cfg.obj `if test -f 'suites/test_auth_cfg.c'; then $(CYGPATH_W) 'suites/test_auth_cfg.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_auth_cfg.c'; fi` + suites/tests-test_hasher.o: suites/test_hasher.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_hasher.o -MD -MP -MF suites/$(DEPDIR)/tests-test_hasher.Tpo -c -o suites/tests-test_hasher.o `test -f 'suites/test_hasher.c' || echo '$(srcdir)/'`suites/test_hasher.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_hasher.Tpo suites/$(DEPDIR)/tests-test_hasher.Po diff --git a/src/libstrongswan/tests/suites/test_array.c b/src/libstrongswan/tests/suites/test_array.c index ba2aff460..eda72e10a 100644 --- a/src/libstrongswan/tests/suites/test_array.c +++ b/src/libstrongswan/tests/suites/test_array.c @@ -491,6 +491,44 @@ START_TEST(test_invoke_offset) } END_TEST +START_TEST(test_insert_create) +{ + array_t *array = NULL; + uintptr_t x; + + array_insert_create(&array, ARRAY_TAIL, (void*)(uintptr_t)1); + array_insert_create(&array, ARRAY_TAIL, (void*)(uintptr_t)2); + ck_assert(array != NULL); + + ck_assert(array_get(array, ARRAY_HEAD, &x)); + ck_assert_int_eq(x, 1); + ck_assert(array_get(array, ARRAY_TAIL, &x)); + ck_assert_int_eq(x, 2); + + array_destroy(array); +} +END_TEST + +START_TEST(test_insert_create_value) +{ + array_t *array = NULL; + u_int16_t v; + + v = 1; + array_insert_create_value(&array, sizeof(v), ARRAY_TAIL, &v); + v = 2; + array_insert_create_value(&array, sizeof(v), ARRAY_TAIL, &v); + ck_assert(array != NULL); + + ck_assert(array_get(array, ARRAY_HEAD, &v)); + ck_assert_int_eq(v, 1); + ck_assert(array_get(array, ARRAY_TAIL, &v)); + ck_assert_int_eq(v, 2); + + array_destroy(array); +} +END_TEST + Suite *array_suite_create() { Suite *s; @@ -528,5 +566,10 @@ Suite *array_suite_create() tcase_add_test(tc, test_invoke_offset); suite_add_tcase(s, tc); + tc = tcase_create("insert create"); + tcase_add_test(tc, test_insert_create); + tcase_add_test(tc, test_insert_create_value); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c new file mode 100644 index 000000000..e046725b8 --- /dev/null +++ b/src/libstrongswan/tests/suites/test_auth_cfg.c @@ -0,0 +1,122 @@ +/* + * Copyright (C) 2016 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "test_suite.h" + +#include <credentials/auth_cfg.h> + +struct { + char *constraints; + signature_scheme_t sig[5]; + signature_scheme_t ike[5]; +} sig_constraints_tests[] = { + { "rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}}, + { "rsa-sha256-sha512", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_RSA_EMSA_PKCS1_SHA512, 0 }, {0}}, + { "ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, + { "rsa-sha256-ecdsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, + { "pubkey-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }, {0}}, + { "ike:rsa-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }}, + { "ike:rsa-sha256-rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }}, + { "rsa-sha256-ike:rsa-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }}, + { "ike:pubkey-sha256", {0}, { SIGN_RSA_EMSA_PKCS1_SHA256, SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, SIGN_BLISS_WITH_SHA2_256, 0 }}, + { "rsa-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, + { "rsa-4096-ecdsa-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, + { "rsa-4096-ecdsa-256-sha256", { SIGN_ECDSA_WITH_SHA256_DER, SIGN_ECDSA_256, 0 }, {0}}, + { "rsa-ecdsa256-sha256", { SIGN_RSA_EMSA_PKCS1_SHA256, 0 }, {0}}, + { "rsa4096-sha256", {0}, {0}}, + { "sha256", {0}, {0}}, + { "ike:sha256", {0}, {0}}, +}; + +static void check_sig_constraints(auth_cfg_t *cfg, auth_rule_t type, + signature_scheme_t expected[]) +{ + enumerator_t *enumerator; + auth_rule_t t; + void *value; + int i = 0; + + enumerator = cfg->create_enumerator(cfg); + while (enumerator->enumerate(enumerator, &t, &value)) + { + if (t == type) + { + ck_assert(expected[i]); + ck_assert_int_eq(expected[i], (signature_scheme_t)value); + i++; + } + } + enumerator->destroy(enumerator); + ck_assert(!expected[i]); +} + +START_TEST(test_sig_contraints) +{ + auth_cfg_t *cfg; + signature_scheme_t none[] = {0}; + + cfg = auth_cfg_create(); + cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE); + check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); + check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, none); + cfg->destroy(cfg); + + lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints", + FALSE, lib->ns); + + cfg = auth_cfg_create(); + cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE); + check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); + check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike); + cfg->destroy(cfg); +} +END_TEST + +START_TEST(test_ike_contraints_fallback) +{ + auth_cfg_t *cfg; + + lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints", + TRUE, lib->ns); + + cfg = auth_cfg_create(); + cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, TRUE); + check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); + if (sig_constraints_tests[_i].ike[0]) + { + check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].ike); + } + else + { + check_sig_constraints(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); + } + cfg->destroy(cfg); +} +END_TEST + +Suite *auth_cfg_suite_create() +{ + Suite *s; + TCase *tc; + + s = suite_create("auth_cfg"); + + tc = tcase_create("add_pubkey_constraints"); + tcase_add_loop_test(tc, test_sig_contraints, 0, countof(sig_constraints_tests)); + tcase_add_loop_test(tc, test_ike_contraints_fallback, 0, countof(sig_constraints_tests)); + suite_add_tcase(s, tc); + + return s; +} diff --git a/src/libstrongswan/tests/suites/test_identification.c b/src/libstrongswan/tests/suites/test_identification.c index 9554d2919..c0a21fe34 100644 --- a/src/libstrongswan/tests/suites/test_identification.c +++ b/src/libstrongswan/tests/suites/test_identification.c @@ -1,7 +1,8 @@ /* * Copyright (C) 2013-2015 Tobias Brunner + * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -122,67 +123,122 @@ static struct { } data; } result; } string_data[] = { - {NULL, ID_ANY, { .type = ENC_CHUNK }}, - {"", ID_ANY, { .type = ENC_CHUNK }}, - {"%any", ID_ANY, { .type = ENC_CHUNK }}, - {"%any6", ID_ANY, { .type = ENC_CHUNK }}, - {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }}, - {"0::0", ID_ANY, { .type = ENC_CHUNK }}, - {"::", ID_ANY, { .type = ENC_CHUNK }}, - {"*", ID_ANY, { .type = ENC_CHUNK }}, - {"any", ID_FQDN, { .type = ENC_SIMPLE }}, - {"any6", ID_FQDN, { .type = ENC_SIMPLE }}, - {"0", ID_FQDN, { .type = ENC_SIMPLE }}, - {"**", ID_FQDN, { .type = ENC_SIMPLE }}, - {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK, + {NULL, ID_ANY, { .type = ENC_CHUNK }}, + {"", ID_ANY, { .type = ENC_CHUNK }}, + {"%any", ID_ANY, { .type = ENC_CHUNK }}, + {"%any6", ID_ANY, { .type = ENC_CHUNK }}, + {"0.0.0.0", ID_ANY, { .type = ENC_CHUNK }}, + {"0::0", ID_ANY, { .type = ENC_CHUNK }}, + {"::", ID_ANY, { .type = ENC_CHUNK }}, + {"*", ID_ANY, { .type = ENC_CHUNK }}, + {"any", ID_FQDN, { .type = ENC_SIMPLE }}, + {"any6", ID_FQDN, { .type = ENC_SIMPLE }}, + {"0", ID_FQDN, { .type = ENC_SIMPLE }}, + {"**", ID_FQDN, { .type = ENC_SIMPLE }}, + {"192.168.1.1", ID_IPV4_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, - {"192.168.", ID_FQDN, { .type = ENC_SIMPLE }}, - {".", ID_FQDN, { .type = ENC_SIMPLE }}, - {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK, + {"192.168.", ID_FQDN, { .type = ENC_SIMPLE }}, + {".", ID_FQDN, { .type = ENC_SIMPLE }}, + {"192.168.1.1/33", ID_FQDN, { .type = ENC_SIMPLE }}, + {"192.168.1.1/32", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01,0xff,0xff,0xff,0xff) }}, + {"192.168.1.1/31", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0xfe) }}, + {"192.168.1.8/30", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x08,0xff,0xff,0xff,0xfc) }}, + {"192.168.1.128/25", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x80,0xff,0xff,0xff,0x80) }}, + {"192.168.1.0/24", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xff,0xff,0xff,0x00) }}, + {"192.168.1.0/23", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x00,0x00,0xff,0xff,0xfe,0x00) }}, + {"192.168.4.0/22", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x04,0x00,0xff,0xff,0xfc,0x00) }}, + {"0.0.0.0/0", ID_IPV4_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }}, + {"192.168.1.0-192.168.1.40",ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x00,0xc0,0xa8,0x01,0x28) }}, + {"0.0.0.0-255.255.255.255", ID_IPV4_ADDR_RANGE, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xff) }}, + {"192.168.1.40-192.168.1.0",ID_FQDN, { .type = ENC_SIMPLE }}, + {"fec0::1", ID_IPV6_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }}, - {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01) }}, + {"fec0::", ID_IPV6_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, - 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }}, - {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {":", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"alice", ID_FQDN, { .type = ENC_SIMPLE }}, - {"@", ID_FQDN, { .type = ENC_CHUNK }}, - {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, - {"@strongswan.org", ID_FQDN, { .type = ENC_STRING, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) }}, + {"fec0:", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {":", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"fec0::1/129", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"fec0::1/128", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff ) }}, + {"fec0::1/127", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe ) }}, + {"fec0::4/126", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x04, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfc ) }}, + {"fec0::100/120", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, + 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00 ) }}, + {"::/0", ID_IPV6_ADDR_SUBNET, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 ) }}, + {"fec0::1-fec0::4fff", ID_IPV6_ADDR_RANGE, { .type = ENC_CHUNK, + .data.c = chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01, + 0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff ) }}, + {"fec0::4fff-fec0::1", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"fec0::1-", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"alice@strongswan.org", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice@strongswan", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice@", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"alice", ID_FQDN, { .type = ENC_SIMPLE }}, + {"@", ID_FQDN, { .type = ENC_CHUNK }}, + {" @", ID_RFC822_ADDR, { .type = ENC_SIMPLE }}, + {"@strongswan.org", ID_FQDN, { .type = ENC_STRING, .data.s = "strongswan.org" }}, - {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK, + {"@#deadbeef", ID_KEY_ID, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xde,0xad,0xbe,0xef) }}, - {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK, + {"@#deadbee", ID_KEY_ID, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x0d,0xea,0xdb,0xee) }}, - {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"foo=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"foo=", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"=bar", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"C=", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0b,0x31,0x09,0x30,0x07,0x06, 0x03,0x55,0x04,0x06,0x13,0x00) }}, - {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"C=CH", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, - {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"C=CH,", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, - {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK, + {"C=CH, ", ID_DER_ASN1_DN, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0x30,0x0d,0x31,0x0b,0x30,0x09,0x06, 0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48) }}, - {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }}, - {"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, + {"C=CH, O", ID_KEY_ID, { .type = ENC_SIMPLE }}, + {"IPv4:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, - { "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING, + { "email:tester", ID_RFC822_ADDR, { .type = ENC_STRING, .data.s = "tester" }}, - { "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, + { "{1}:#c0a80101", ID_IPV4_ADDR, { .type = ENC_CHUNK, .data.c = chunk_from_chars(0xc0,0xa8,0x01,0x01) }}, - { "{0x02}:tester", ID_FQDN, { .type = ENC_STRING, + { "{0x02}:tester", ID_FQDN, { .type = ENC_STRING, .data.s = "tester" }}, - { "{99}:somedata", 99, { .type = ENC_STRING, + { "{99}:somedata", 99, { .type = ENC_STRING, .data.s = "somedata" }}, }; @@ -264,14 +320,33 @@ START_TEST(test_printf_hook) string_equals("192.168.1.1", "192.168.1.1"); string_equals_id("(invalid ID_IPV4_ADDR)", - identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty)); + identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty)); + string_equals("192.168.1.1/32", "192.168.1.1/32"); + string_equals("192.168.1.2/31", "192.168.1.2/31"); + string_equals("192.168.1.0/24", "192.168.1.0/24"); + string_equals("192.168.2.0/23", "192.168.2.0/23"); + string_equals("0.0.0.0/0", "0.0.0.0/0"); + string_equals_id("(invalid ID_IPV4_ADDR_SUBNET)", + identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty)); + string_equals("192.168.1.1-192.168.1.254", "192.168.1.1-192.168.1.254"); + string_equals("0.0.0.0-255.255.255.255", "0.0.0.0-255.255.255.255"); + string_equals_id("(invalid ID_IPV4_ADDR_RANGE)", + identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty)); string_equals("fec0::1", "fec0::1"); string_equals("fec0::1", "fec0:0:0::1"); string_equals_id("(invalid ID_IPV6_ADDR)", - identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty)); - + identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty)); + string_equals("fec0::1/128", "fec0::1/128"); + string_equals("fec0::2/127", "fec0::2/127"); + string_equals("fec0::100/120", "fec0::100/120"); + string_equals("::/0", "::/0"); + string_equals_id("(invalid ID_IPV6_ADDR_SUBNET)", + identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty)); + string_equals("fec0::1-fec0::4fff", "fec0::1-fec0::4fff"); + string_equals_id("(invalid ID_IPV6_ADDR_RANGE)", + identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty)); string_equals_id("(unknown ID type: 255)", - identification_create_from_encoding(255, chunk_empty)); + identification_create_from_encoding(255, chunk_empty)); string_equals("moon@strongswan.org", "moon@strongswan.org"); string_equals("MOON@STRONGSWAN.ORG", "MOON@STRONGSWAN.ORG"); @@ -324,11 +399,11 @@ START_TEST(test_printf_hook) string_equals("C=CH, E=moon@strongswan.org, CN=moon", "C=CH, emailAddress=moon@strongswan.org, CN=moon"); - /* C=CH, pseudonym=ANO (pseudonym is currently not recognized) */ - string_equals_id("C=CH, 55:04:41=ANO", identification_create_from_encoding(ID_DER_ASN1_DN, + /* C=CH, telexNumber=123 (telexNumber is currently not recognized) */ + string_equals_id("C=CH, 55:04:15=123", identification_create_from_encoding(ID_DER_ASN1_DN, chunk_from_chars(0x30, 0x19, 0x31, 0x17, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x43, 0x48, 0x30, 0x0a, 0x06, - 0x03, 0x55, 0x04, 0x41, 0x13, 0x03, 0x41, 0x4e, 0x4f))); + 0x03, 0x55, 0x04, 0x15, 0x13, 0x03, 0x31, 0x32, 0x33))); /* C=CH, O=strongSwan (but instead of a 2nd OID -0x06- we got NULL -0x05) */ string_equals_id("C=CH, (invalid ID_DER_ASN1_DN)", identification_create_from_encoding(ID_DER_ASN1_DN, chunk_from_chars(0x30, 0x20, 0x31, 0x1e, 0x30, 0x09, 0x06, 0x03, 0x55, @@ -595,6 +670,89 @@ START_TEST(test_matches_binary) } END_TEST +START_TEST(test_matches_range) +{ + identification_t *a, *b; + + /* IPv4 addresses */ + a = identification_create_from_string("192.168.1.1"); + ck_assert(a->get_type(a) == ID_IPV4_ADDR); + ck_assert(id_matches(a, "%any", ID_MATCH_ANY)); + ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_MAX_WILDCARDS)); + ck_assert(id_matches(a, "192.168.1.1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "192.168.1.2", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.1.1/32", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "192.168.1.0/32", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.1.0/24", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "192.168.0.0/24", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.1.1-192.168.1.1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "192.168.1.0-192.168.1.64", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "192.168.1.2-192.168.1.64", ID_MATCH_NONE)); + ck_assert(id_matches(a, "192.168.0.240-192.168.1.0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE)); + + /* Malformed IPv4 subnet and range encoding */ + b = identification_create_from_encoding(ID_IPV4_ADDR_SUBNET, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV4_ADDR_RANGE, + chunk_from_chars(0xc0,0xa8,0x01,0x28,0xc0,0xa8,0x01,0x00)); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + + a->destroy(a); + + /* IPv6 addresses */ + a = identification_create_from_string("fec0::1"); + ck_assert(a->get_type(a) == ID_IPV6_ADDR); + ck_assert(id_matches(a, "%any", ID_MATCH_ANY)); + ck_assert(id_matches(a, "::/0", ID_MATCH_MAX_WILDCARDS)); + ck_assert(id_matches(a, "fec0::1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "fec0::2", ID_MATCH_NONE)); + ck_assert(id_matches(a, "fec0::1/128", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "fec0::/128", ID_MATCH_NONE)); + ck_assert(id_matches(a, "fec0::/120", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "fec0::100/120", ID_MATCH_NONE)); + ck_assert(id_matches(a, "fec0::1-fec0::1", ID_MATCH_PERFECT)); + ck_assert(id_matches(a, "fec0::0-fec0::5", ID_MATCH_ONE_WILDCARD)); + ck_assert(id_matches(a, "fec0::4001-fec0::4ffe", ID_MATCH_NONE)); + ck_assert(id_matches(a, "feb0::1-fec0::0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "foo@bar", ID_MATCH_NONE)); + + /* Malformed IPv6 subnet and range encoding */ + b = identification_create_from_encoding(ID_IPV6_ADDR_SUBNET, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, chunk_empty); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + b = identification_create_from_encoding(ID_IPV6_ADDR_RANGE, + chunk_from_chars(0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x4f,0xff, + 0xfe,0xc0,0x00,0x00,0x00,0x00,0x00,0x00, + 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01 )); + ck_assert(a->matches(a, b) == ID_MATCH_NONE); + b->destroy(b); + + a->destroy(a); + + /* Malformed IPv4 address encoding */ + a = identification_create_from_encoding(ID_IPV4_ADDR, chunk_empty); + ck_assert(id_matches(a, "0.0.0.0/0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "0.0.0.0-255.255.255.255", ID_MATCH_NONE)); + a->destroy(a); + + /* Malformed IPv6 address encoding */ + a = identification_create_from_encoding(ID_IPV6_ADDR, chunk_empty); + ck_assert(id_matches(a, "::/0", ID_MATCH_NONE)); + ck_assert(id_matches(a, "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", ID_MATCH_NONE)); + a->destroy(a); +} +END_TEST + START_TEST(test_matches_string) { identification_t *a; @@ -929,6 +1087,7 @@ Suite *identification_suite_create() tcase_add_test(tc, test_matches); tcase_add_test(tc, test_matches_any); tcase_add_test(tc, test_matches_binary); + tcase_add_test(tc, test_matches_range); tcase_add_test(tc, test_matches_string); tcase_add_loop_test(tc, test_matches_empty, ID_ANY, ID_KEY_ID + 1); tcase_add_loop_test(tc, test_matches_empty_reverse, ID_ANY, ID_KEY_ID + 1); diff --git a/src/libstrongswan/tests/suites/test_linked_list.c b/src/libstrongswan/tests/suites/test_linked_list.c index 922f954e3..7a161817c 100644 --- a/src/libstrongswan/tests/suites/test_linked_list.c +++ b/src/libstrongswan/tests/suites/test_linked_list.c @@ -348,6 +348,91 @@ START_TEST(test_clone_offset) } END_TEST + +/******************************************************************************* + * equals + */ + +typedef struct equals_t equals_t; + +struct equals_t { + int val; + bool (*equals)(equals_t *a, equals_t *b); +}; + +static bool equalsfn(equals_t *a, equals_t *b) +{ + return a->val == b->val; +} + +START_TEST(test_equals_offset) +{ + linked_list_t *other; + equals_t *x, items[] = { + { .val = 1, .equals = equalsfn, }, + { .val = 2, .equals = equalsfn, }, + { .val = 3, .equals = equalsfn, }, + { .val = 4, .equals = equalsfn, }, + { .val = 5, .equals = equalsfn, }, + }; + int i; + + for (i = 0; i < countof(items); i++) + { + list->insert_last(list, &items[i]); + } + ck_assert(list->equals_offset(list, list, offsetof(equals_t, equals))); + other = linked_list_create_from_enumerator(list->create_enumerator(list)); + ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals))); + other->remove_last(other, (void**)&x); + ck_assert(!list->equals_offset(list, other, offsetof(equals_t, equals))); + list->remove_last(list, (void**)&x); + ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals))); + other->remove_first(other, (void**)&x); + ck_assert(!list->equals_offset(list, other, offsetof(equals_t, equals))); + list->remove_first(list, (void**)&x); + ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals))); + while (list->remove_first(list, (void**)&x) == SUCCESS); + while (other->remove_first(other, (void**)&x) == SUCCESS); + ck_assert(list->equals_offset(list, other, offsetof(equals_t, equals))); + other->destroy(other); +} +END_TEST + +START_TEST(test_equals_function) +{ + linked_list_t *other; + equals_t *x, items[] = { + { .val = 1, }, + { .val = 2, }, + { .val = 3, }, + { .val = 4, }, + { .val = 5, }, + }; + int i; + + for (i = 0; i < countof(items); i++) + { + list->insert_last(list, &items[i]); + } + ck_assert(list->equals_function(list, list, (void*)equalsfn)); + other = linked_list_create_from_enumerator(list->create_enumerator(list)); + ck_assert(list->equals_function(list, other, (void*)equalsfn)); + other->remove_last(other, (void**)&x); + ck_assert(!list->equals_function(list, other, (void*)equalsfn)); + list->remove_last(list, (void**)&x); + ck_assert(list->equals_function(list, other, (void*)equalsfn)); + other->remove_first(other, (void**)&x); + ck_assert(!list->equals_function(list, other, (void*)equalsfn)); + list->remove_first(list, (void**)&x); + ck_assert(list->equals_function(list, other, (void*)equalsfn)); + while (list->remove_first(list, (void**)&x) == SUCCESS); + while (other->remove_first(other, (void**)&x) == SUCCESS); + ck_assert(list->equals_function(list, other, (void*)equalsfn)); + other->destroy(other); +} +END_TEST + Suite *linked_list_suite_create() { Suite *s; @@ -386,5 +471,11 @@ Suite *linked_list_suite_create() tcase_add_test(tc, test_clone_offset); suite_add_tcase(s, tc); + tc = tcase_create("equals"); + tcase_add_checked_fixture(tc, setup_list, teardown_list); + tcase_add_test(tc, test_equals_offset); + tcase_add_test(tc, test_equals_function); + suite_add_tcase(s, tc); + return s; } diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h index e1074b931..824c88022 100644 --- a/src/libstrongswan/tests/tests.h +++ b/src/libstrongswan/tests/tests.h @@ -37,6 +37,7 @@ TEST_SUITE_DEPEND(certpolicy_suite_create, CERT_ENCODE, CERT_X509) TEST_SUITE_DEPEND(certnames_suite_create, CERT_ENCODE, CERT_X509) TEST_SUITE(host_suite_create) TEST_SUITE(printf_suite_create) +TEST_SUITE(auth_cfg_suite_create) TEST_SUITE(hasher_suite_create) TEST_SUITE(crypter_suite_create) TEST_SUITE(crypto_factory_suite_create) diff --git a/src/libstrongswan/threading/thread.c b/src/libstrongswan/threading/thread.c index 7a243e826..3d87e7fca 100644 --- a/src/libstrongswan/threading/thread.c +++ b/src/libstrongswan/threading/thread.c @@ -48,7 +48,7 @@ struct private_thread_t { thread_t public; /** - * Human-readable ID of this thread. + * Identificator of this thread (human-readable/thread ID). */ u_int id; @@ -157,6 +157,23 @@ static void thread_destroy(private_thread_t *this) free(this); } +/** + * Determine the ID of the current thread + */ +static u_int get_thread_id() +{ + u_int id; + +#if defined(USE_THREAD_IDS) && defined(HAVE_GETTID) + id = gettid(); +#else + id_mutex->lock(id_mutex); + id = next_id++; + id_mutex->unlock(id_mutex); +#endif + return id; +} + METHOD(thread_t, cancel, void, private_thread_t *this) { @@ -284,6 +301,8 @@ static void *thread_main(private_thread_t *this) { void *res; + this->id = get_thread_id(); + current_thread->set(current_thread, this); pthread_cleanup_push((thread_cleanup_t)thread_cleanup, this); @@ -315,9 +334,6 @@ thread_t *thread_create(thread_main_t main, void *arg) this->main = main; this->arg = arg; - id_mutex->lock(id_mutex); - this->id = next_id++; - id_mutex->unlock(id_mutex); if (pthread_create(&this->thread_id, NULL, (void*)thread_main, this) != 0) { @@ -341,11 +357,7 @@ thread_t *thread_current() if (!this) { this = thread_create_internal(); - - id_mutex->lock(id_mutex); - this->id = next_id++; - id_mutex->unlock(id_mutex); - + this->id = get_thread_id(); current_thread->set(current_thread, (void*)this); } return &this->public; @@ -475,12 +487,12 @@ void threads_init() dummy1 = thread_value_create(NULL); - next_id = 1; - main_thread->id = 0; + next_id = 0; main_thread->thread_id = pthread_self(); current_thread = thread_value_create(NULL); current_thread->set(current_thread, (void*)main_thread); id_mutex = mutex_create(MUTEX_TYPE_DEFAULT); + main_thread->id = get_thread_id(); #ifndef HAVE_PTHREAD_CANCEL { /* install a signal handler for our custom SIG_CANCEL */ diff --git a/src/libstrongswan/threading/thread.h b/src/libstrongswan/threading/thread.h index c24772839..35da24459 100644 --- a/src/libstrongswan/threading/thread.h +++ b/src/libstrongswan/threading/thread.h @@ -97,11 +97,13 @@ thread_t *thread_create(thread_main_t main, void *arg); thread_t *thread_current(); /** - * Get the human-readable ID of the current thread. + * Get the ID of the current thread. * - * The IDs are assigned incrementally starting from 1. + * Depending on the build configuration thread IDs are either assigned + * incrementally starting from 1, or equal the value returned by an appropriate + * syscall (like gettid() or GetCurrentThreadId()), if available. * - * @return human-readable ID + * @return ID of the current thread */ u_int thread_current_id(); diff --git a/src/libstrongswan/threading/windows/thread.c b/src/libstrongswan/threading/windows/thread.c index 610524722..798d75be7 100644 --- a/src/libstrongswan/threading/windows/thread.c +++ b/src/libstrongswan/threading/windows/thread.c @@ -516,7 +516,11 @@ thread_t *thread_current() */ u_int thread_current_id() { +#ifdef USE_THREAD_IDS + return get_current_thread()->id; +#else return get_current_thread()->tid; +#endif } /** diff --git a/src/libstrongswan/utils/compat/windows.c b/src/libstrongswan/utils/compat/windows.c index 1f22ffa02..12ee59916 100644 --- a/src/libstrongswan/utils/compat/windows.c +++ b/src/libstrongswan/utils/compat/windows.c @@ -82,7 +82,6 @@ static void* dlsym_default(const char *name) { const char *dlls[] = { "libstrongswan-0.dll", - "libhydra-0.dll", "libcharon-0.dll", "libtnccs-0.dll", NULL /* .exe */ diff --git a/src/libstrongswan/utils/debug.c b/src/libstrongswan/utils/debug.c index e8c9e6b98..8a80b81a2 100644 --- a/src/libstrongswan/utils/debug.c +++ b/src/libstrongswan/utils/debug.c @@ -17,7 +17,7 @@ #include "debug.h" -ENUM(debug_names, DBG_DMN, DBG_LIB, +ENUM(debug_names, DBG_DMN, DBG_ANY, "DMN", "MGR", "IKE", @@ -36,9 +36,10 @@ ENUM(debug_names, DBG_DMN, DBG_LIB, "APP", "ESP", "LIB", + "ANY", ); -ENUM(debug_lower_names, DBG_DMN, DBG_LIB, +ENUM(debug_lower_names, DBG_DMN, DBG_ANY, "dmn", "mgr", "ike", @@ -57,6 +58,7 @@ ENUM(debug_lower_names, DBG_DMN, DBG_LIB, "app", "esp", "lib", + "any", ); /** diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index da23d143c..2b2e907f0 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -1,8 +1,9 @@ /* + * Copyright (C) 2016 Andreas Steffen * Copyright (C) 2009-2015 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -79,6 +80,7 @@ static const x501rdn_t x501rdns[] = { {"G", OID_GIVEN_NAME, ASN1_PRINTABLESTRING}, {"I", OID_INITIALS, ASN1_PRINTABLESTRING}, {"dnQualifier", OID_DN_QUALIFIER, ASN1_PRINTABLESTRING}, + {"pseudonym", OID_PSEUDONYM, ASN1_PRINTABLESTRING}, {"ID", OID_UNIQUE_IDENTIFIER, ASN1_PRINTABLESTRING}, {"EN", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING}, {"employeeNumber", OID_EMPLOYEE_NUMBER, ASN1_PRINTABLESTRING}, @@ -218,6 +220,7 @@ METHOD(enumerator_t, rdn_part_enumerate, bool, {OID_GIVEN_NAME, ID_PART_RDN_G}, {OID_INITIALS, ID_PART_RDN_I}, {OID_DN_QUALIFIER, ID_PART_RDN_DNQ}, + {OID_PSEUDONYM, ID_PART_RDN_PN}, {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID}, {OID_EMAIL_ADDRESS, ID_PART_RDN_E}, {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN}, @@ -822,6 +825,154 @@ METHOD(identification_t, matches_dn, id_match_t, } /** + * Transform netmask to CIDR bits + */ +static int netmask_to_cidr(char *netmask, size_t address_size) +{ + uint8_t byte; + int i, netbits = 0; + + for (i = 0; i < address_size; i++) + { + byte = netmask[i]; + + if (byte == 0x00) + { + break; + } + if (byte == 0xff) + { + netbits += 8; + } + else + { + while (byte & 0x80) + { + netbits++; + byte <<= 1; + } + } + } + return netbits; +} + +METHOD(identification_t, matches_range, id_match_t, + private_identification_t *this, identification_t *other) +{ + chunk_t other_encoding; + uint8_t *address, *from, *to, *network, *netmask; + size_t address_size = 0; + int netbits, range_sign, i; + + if (other->get_type(other) == ID_ANY) + { + return ID_MATCH_ANY; + } + if (this->type == other->get_type(other) && + chunk_equals(this->encoded, other->get_encoding(other))) + { + return ID_MATCH_PERFECT; + } + if ((this->type == ID_IPV4_ADDR && + other->get_type(other) == ID_IPV4_ADDR_SUBNET)) + { + address_size = sizeof(struct in_addr); + } + else if ((this->type == ID_IPV6_ADDR && + other->get_type(other) == ID_IPV6_ADDR_SUBNET)) + { + address_size = sizeof(struct in6_addr); + } + if (address_size) + { + other_encoding = other->get_encoding(other); + if (this->encoded.len != address_size || + other_encoding.len != 2 * address_size) + { + return ID_MATCH_NONE; + } + address = this->encoded.ptr; + network = other_encoding.ptr; + netmask = other_encoding.ptr + address_size; + netbits = netmask_to_cidr(netmask, address_size); + + if (netbits == 0) + { + return ID_MATCH_MAX_WILDCARDS; + } + if (netbits == 8 * address_size) + { + return memeq(address, network, address_size) ? + ID_MATCH_PERFECT : ID_MATCH_NONE; + } + for (i = 0; i < (netbits + 7)/8; i++) + { + if ((address[i] ^ network[i]) & netmask[i]) + { + return ID_MATCH_NONE; + } + } + return ID_MATCH_ONE_WILDCARD; + } + if ((this->type == ID_IPV4_ADDR && + other->get_type(other) == ID_IPV4_ADDR_RANGE)) + { + address_size = sizeof(struct in_addr); + } + else if ((this->type == ID_IPV6_ADDR && + other->get_type(other) == ID_IPV6_ADDR_RANGE)) + { + address_size = sizeof(struct in6_addr); + } + if (address_size) + { + other_encoding = other->get_encoding(other); + if (this->encoded.len != address_size || + other_encoding.len != 2 * address_size) + { + return ID_MATCH_NONE; + } + address = this->encoded.ptr; + from = other_encoding.ptr; + to = other_encoding.ptr + address_size; + + range_sign = memcmp(to, from, address_size); + if (range_sign < 0) + { /* to is smaller than from */ + return ID_MATCH_NONE; + } + + /* check lower bound */ + for (i = 0; i < address_size; i++) + { + if (address[i] != from[i]) + { + if (address[i] < from[i]) + { + return ID_MATCH_NONE; + } + break; + } + } + + /* check upper bound */ + for (i = 0; i < address_size; i++) + { + if (address[i] != to[i]) + { + if (address[i] > to[i]) + { + return ID_MATCH_NONE; + } + break; + } + } + return range_sign ? ID_MATCH_ONE_WILDCARD : ID_MATCH_PERFECT; + } + return ID_MATCH_NONE; +} + +/** * Described in header. */ int identification_printf_hook(printf_hook_data_t *data, @@ -829,7 +980,9 @@ int identification_printf_hook(printf_hook_data_t *data, { private_identification_t *this = *((private_identification_t**)(args[0])); chunk_t proper; - char buf[512]; + char buf[BUF_LEN], *pos; + size_t len, address_size; + int written; if (this == NULL) { @@ -839,49 +992,115 @@ int identification_printf_hook(printf_hook_data_t *data, switch (this->type) { case ID_ANY: - snprintf(buf, sizeof(buf), "%%any"); + snprintf(buf, BUF_LEN, "%%any"); break; case ID_IPV4_ADDR: if (this->encoded.len < sizeof(struct in_addr) || - inet_ntop(AF_INET, this->encoded.ptr, buf, sizeof(buf)) == NULL) + inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL) { - snprintf(buf, sizeof(buf), "(invalid ID_IPV4_ADDR)"); + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR)"); + } + break; + case ID_IPV4_ADDR_SUBNET: + address_size = sizeof(struct in_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_SUBNET)"); + break; + } + written = strlen(buf); + snprintf(buf + written, BUF_LEN - written, "/%d", + netmask_to_cidr(this->encoded.ptr + address_size, + address_size)); + break; + case ID_IPV4_ADDR_RANGE: + address_size = sizeof(struct in_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)"); + break; + } + written = strlen(buf); + pos = buf + written; + len = BUF_LEN - written; + written = snprintf(pos, len, "-"); + if (written < 0 || written >= len || + inet_ntop(AF_INET, this->encoded.ptr + address_size, + pos + written, len - written) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV4_ADDR_RANGE)"); } break; case ID_IPV6_ADDR: if (this->encoded.len < sizeof(struct in6_addr) || - inet_ntop(AF_INET6, this->encoded.ptr, buf, INET6_ADDRSTRLEN) == NULL) + inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR)"); + } + break; + case ID_IPV6_ADDR_SUBNET: + address_size = sizeof(struct in6_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_SUBNET)"); + } + else { - snprintf(buf, sizeof(buf), "(invalid ID_IPV6_ADDR)"); + written = strlen(buf); + snprintf(buf + written, BUF_LEN - written, "/%d", + netmask_to_cidr(this->encoded.ptr + address_size, + address_size)); + } + break; + case ID_IPV6_ADDR_RANGE: + address_size = sizeof(struct in6_addr); + if (this->encoded.len < 2 * address_size || + inet_ntop(AF_INET6, this->encoded.ptr, buf, BUF_LEN) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)"); + break; + } + written = strlen(buf); + pos = buf + written; + len = BUF_LEN - written; + written = snprintf(pos, len, "-"); + if (written < 0 || written >= len || + inet_ntop(AF_INET6, this->encoded.ptr + address_size, + pos + written, len - written) == NULL) + { + snprintf(buf, BUF_LEN, "(invalid ID_IPV6_ADDR_RANGE)"); } break; case ID_FQDN: case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: chunk_printable(this->encoded, &proper, '?'); - snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr); + snprintf(buf, BUF_LEN, "%.*s", (int)proper.len, proper.ptr); chunk_free(&proper); break; case ID_DER_ASN1_DN: - dntoa(this->encoded, buf, sizeof(buf)); + dntoa(this->encoded, buf, BUF_LEN); break; case ID_DER_ASN1_GN: - snprintf(buf, sizeof(buf), "(ASN.1 general name)"); + snprintf(buf, BUF_LEN, "(ASN.1 general name)"); break; case ID_KEY_ID: if (chunk_printable(this->encoded, NULL, '?') && this->encoded.len != HASH_SIZE_SHA1) { /* fully printable, use ascii version */ - snprintf(buf, sizeof(buf), "%.*s", (int)this->encoded.len, + snprintf(buf, BUF_LEN, "%.*s", (int)this->encoded.len, this->encoded.ptr); } else { /* not printable, hex dump */ - snprintf(buf, sizeof(buf), "%#B", &this->encoded); + snprintf(buf, BUF_LEN, "%#B", &this->encoded); } break; default: - snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type); + snprintf(buf, BUF_LEN, "(unknown ID type: %d)", this->type); break; } if (spec->minus) @@ -950,6 +1169,13 @@ static private_identification_t *identification_create(id_type_t type) this->public.matches = _matches_dn; this->public.contains_wildcards = _contains_wildcards_dn; break; + case ID_IPV4_ADDR: + case ID_IPV6_ADDR: + this->public.hash = _hash_binary; + this->public.equals = _equals_binary; + this->public.matches = _matches_range; + this->public.contains_wildcards = return_false; + break; default: this->public.hash = _hash_binary; this->public.equals = _equals_binary; @@ -971,6 +1197,10 @@ static private_identification_t* create_from_string_with_prefix_type(char *str) } prefixes[] = { { "ipv4:", ID_IPV4_ADDR }, { "ipv6:", ID_IPV6_ADDR }, + { "ipv4net:", ID_IPV4_ADDR_SUBNET }, + { "ipv6net:", ID_IPV6_ADDR_SUBNET }, + { "ipv4range:", ID_IPV4_ADDR_RANGE }, + { "ipv6range:", ID_IPV6_ADDR_RANGE }, { "rfc822:", ID_RFC822_ADDR }, { "email:", ID_RFC822_ADDR }, { "userfqdn:", ID_USER_FQDN }, @@ -1036,6 +1266,115 @@ static private_identification_t* create_from_string_with_num_type(char *str) return this; } +/** + * Convert to an IPv4/IPv6 host address, subnet or address range + */ +static private_identification_t* create_ip_address_from_string(char *string, + bool is_ipv4) +{ + private_identification_t *this; + uint8_t encoding[32]; + uint8_t *str, *pos, *address, *to_address, *netmask; + size_t address_size; + int bits, bytes, i; + bool has_subnet = FALSE, has_range = FALSE; + + address = encoding; + address_size = is_ipv4 ? sizeof(struct in_addr) : sizeof(struct in6_addr); + + str = strdup(string); + pos = strchr(str, '/'); + if (pos) + { /* separate IP address from optional netmask */ + + *pos = '\0'; + has_subnet = TRUE; + } + else + { + pos = strchr(str, '-'); + if (pos) + { /* separate lower address from upper address of IP range */ + *pos = '\0'; + has_range = TRUE; + } + } + + if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, str, address) != 1) + { + free(str); + return NULL; + } + + if (has_subnet) + { /* is IP subnet */ + bits = atoi(pos + 1); + if (bits > 8 * address_size) + { + free(str); + return NULL; + } + bytes = bits / 8; + bits -= 8 * bytes; + netmask = encoding + address_size; + + for (i = 0; i < address_size; i++) + { + if (bytes) + { + *netmask = 0xff; + bytes--; + } + else if (bits) + { + *netmask = 0xff << (8 - bits); + bits = 0; + } + else + { + *netmask = 0x00; + } + *address++ &= *netmask++; + } + this = identification_create(is_ipv4 ? ID_IPV4_ADDR_SUBNET : + ID_IPV6_ADDR_SUBNET); + this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size)); + } + else if (has_range) + { /* is IP range */ + to_address = encoding + address_size; + + if (inet_pton(is_ipv4 ? AF_INET : AF_INET6, pos + 1, to_address) != 1) + { + free(str); + return NULL; + } + for (i = 0; i < address_size; i++) + { + if (address[i] != to_address[i]) + { + if (address[i] > to_address[i]) + { + free(str); + return NULL; + } + break; + } + } + this = identification_create(is_ipv4 ? ID_IPV4_ADDR_RANGE : + ID_IPV6_ADDR_RANGE); + this->encoded = chunk_clone(chunk_create(encoding, 2 * address_size)); + } + else + { /* is IP host address */ + this = identification_create(is_ipv4 ? ID_IPV4_ADDR : ID_IPV6_ADDR); + this->encoded = chunk_clone(chunk_create(encoding, address_size)); + } + free(str); + + return this; +} + /* * Described in header. */ @@ -1093,15 +1432,9 @@ identification_t *identification_create_from_string(char *string) { if (strchr(string, ':') == NULL) { - struct in_addr address; - chunk_t chunk = {(void*)&address, sizeof(address)}; - - if (inet_pton(AF_INET, string, &address) > 0) - { /* is IPv4 */ - this = identification_create(ID_IPV4_ADDR); - this->encoded = chunk_clone(chunk); - } - else + /* IPv4 address or subnet */ + this = create_ip_address_from_string(string, TRUE); + if (!this) { /* not IPv4, mostly FQDN */ this = identification_create(ID_FQDN); this->encoded = chunk_from_str(strdup(string)); @@ -1110,15 +1443,9 @@ identification_t *identification_create_from_string(char *string) } else { - struct in6_addr address; - chunk_t chunk = {(void*)&address, sizeof(address)}; - - if (inet_pton(AF_INET6, string, &address) > 0) - { /* is IPv6 */ - this = identification_create(ID_IPV6_ADDR); - this->encoded = chunk_clone(chunk); - } - else + /* IPv6 address or subnet */ + this = create_ip_address_from_string(string, FALSE); + if (!this) { /* not IPv4/6 fallback to KEY_ID */ this = identification_create(ID_KEY_ID); this->encoded = chunk_from_str(strdup(string)); diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index 5f27ba112..51d132491 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h @@ -168,6 +168,8 @@ enum id_part_t { ID_PART_RDN_I, /** DN Qualifier RDN of a DN */ ID_PART_RDN_DNQ, + /** Pseudonym RDN of a DN */ + ID_PART_RDN_PN, /** UniqueIdentifier RDN of a DN */ ID_PART_RDN_ID, /** Locality RDN of a DN */ diff --git a/src/libstrongswan/utils/utils/byteorder.h b/src/libstrongswan/utils/utils/byteorder.h index 48cf1d526..3ccbad5f1 100644 --- a/src/libstrongswan/utils/utils/byteorder.h +++ b/src/libstrongswan/utils/utils/byteorder.h @@ -44,6 +44,36 @@ #define BITFIELD5(t, a, b, c, d, e,...) struct { t e; t d; t c; t b; t a; __VA_ARGS__} #endif +#ifndef le32toh +# if BYTE_ORDER == BIG_ENDIAN +# define le32toh(x) __builtin_bswap32(x) +# define htole32(x) __builtin_bswap32(x) +# else +# define le32toh(x) (x) +# define htole32(x) (x) +# endif +#endif + +#ifndef le64toh +# if BYTE_ORDER == BIG_ENDIAN +# define le64toh(x) __builtin_bswap64(x) +# define htole64(x) __builtin_bswap64(x) +# else +# define le64toh(x) (x) +# define htole64(x) (x) +# endif +#endif + +#ifndef be64toh +# if BYTE_ORDER == BIG_ENDIAN +# define be64toh(x) (x) +# define htobe64(x) (x) +# else +# define be64toh(x) __builtin_bswap64(x) +# define htobe64(x) __builtin_bswap64(x) +# endif +#endif + /** * Write a 16-bit host order value in network order to an unaligned address. * @@ -82,21 +112,8 @@ static inline void htoun64(void *network, u_int64_t host) { char *unaligned = (char*)network; -#ifdef be64toh host = htobe64(host); memcpy((char*)unaligned, &host, sizeof(host)); -#else - u_int32_t high_part, low_part; - - high_part = host >> 32; - high_part = htonl(high_part); - low_part = host & 0xFFFFFFFFLL; - low_part = htonl(low_part); - - memcpy(unaligned, &high_part, sizeof(high_part)); - unaligned += sizeof(high_part); - memcpy(unaligned, &low_part, sizeof(low_part)); -#endif } /** @@ -138,24 +155,37 @@ static inline u_int32_t untoh32(void *network) static inline u_int64_t untoh64(void *network) { char *unaligned = (char*)network; - -#ifdef be64toh u_int64_t tmp; memcpy(&tmp, unaligned, sizeof(tmp)); return be64toh(tmp); -#else - u_int32_t high_part, low_part; +} - memcpy(&high_part, unaligned, sizeof(high_part)); - unaligned += sizeof(high_part); - memcpy(&low_part, unaligned, sizeof(low_part)); +/** + * Read a 32-bit value in little-endian order from unaligned address. + * + * @param p unaligned address to read little endian value from + * @return host order value + */ +static inline u_int32_t uletoh32(void *p) +{ + u_int32_t ret; - high_part = ntohl(high_part); - low_part = ntohl(low_part); + memcpy(&ret, p, sizeof(ret)); + ret = le32toh(ret); + return ret; +} - return (((u_int64_t)high_part) << 32) + low_part; -#endif +/** + * Write a 32-bit value in little-endian to an unaligned address. + * + * @param p host order 32-bit value + * @param v unaligned address to write little endian value to + */ +static inline void htoule32(void *p, u_int32_t v) +{ + v = htole32(v); + memcpy(p, &v, sizeof(v)); } #endif /** BYTEORDER_H_ @} */ |