summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2009-10-21 11:18:20 +0000
commita9b7f8d4a4a4202facd9690580b38542e7933f00 (patch)
treed82a9d506c62cff257e5292845b68df3ca5c60dc /src
parent12263dccbbb6747d53b97333c3d6f0f17e1bffea (diff)
downloadvyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.tar.gz
vyos-strongswan-a9b7f8d4a4a4202facd9690580b38542e7933f00.zip
- New upstream release.
- Don't disable internal crypto plugins, pluto expects to find them in some cases. - Enable integrity checking.
Diffstat (limited to 'src')
-rw-r--r--src/Makefile.am6
-rw-r--r--src/Makefile.in12
-rw-r--r--src/_copyright/Makefile.in5
-rw-r--r--src/_updown/Makefile.in5
-rw-r--r--src/_updown_espmark/Makefile.in5
-rw-r--r--src/charon/Makefile.am7
-rw-r--r--src/charon/Makefile.in152
-rw-r--r--src/charon/bus/bus.c187
-rw-r--r--src/charon/bus/bus.h148
-rw-r--r--src/charon/bus/listeners/file_logger.h4
-rw-r--r--src/charon/bus/listeners/listener.h179
-rw-r--r--src/charon/bus/listeners/sys_logger.c1
-rw-r--r--src/charon/bus/listeners/sys_logger.h6
-rw-r--r--src/charon/config/attributes/attribute_manager.c2
-rw-r--r--src/charon/config/backend_manager.c2
-rw-r--r--src/charon/config/child_cfg.c30
-rw-r--r--src/charon/config/child_cfg.h12
-rw-r--r--src/charon/config/peer_cfg.c70
-rw-r--r--src/charon/config/proposal.c3
-rw-r--r--src/charon/credentials/credential_manager.c2
-rw-r--r--src/charon/credentials/sets/cert_cache.c2
-rw-r--r--src/charon/daemon.c46
-rw-r--r--src/charon/kernel/kernel_interface.c14
-rw-r--r--src/charon/kernel/kernel_interface.h13
-rw-r--r--src/charon/kernel/kernel_ipsec.h13
-rw-r--r--src/charon/network/sender.c6
-rw-r--r--src/charon/network/socket.c35
-rw-r--r--src/charon/plugins/attr/Makefile.am2
-rw-r--r--src/charon/plugins/attr/Makefile.in7
-rw-r--r--src/charon/plugins/eap_aka/Makefile.am2
-rw-r--r--src/charon/plugins/eap_aka/Makefile.in7
-rw-r--r--src/charon/plugins/eap_gtc/Makefile.am2
-rw-r--r--src/charon/plugins/eap_gtc/Makefile.in7
-rw-r--r--src/charon/plugins/eap_identity/Makefile.am2
-rw-r--r--src/charon/plugins/eap_identity/Makefile.in7
-rw-r--r--src/charon/plugins/eap_md5/Makefile.am2
-rw-r--r--src/charon/plugins/eap_md5/Makefile.in7
-rw-r--r--src/charon/plugins/eap_mschapv2/Makefile.am2
-rw-r--r--src/charon/plugins/eap_mschapv2/Makefile.in7
-rw-r--r--src/charon/plugins/eap_radius/Makefile.am2
-rw-r--r--src/charon/plugins/eap_radius/Makefile.in7
-rw-r--r--src/charon/plugins/eap_radius/eap_radius.c21
-rw-r--r--src/charon/plugins/eap_radius/radius_client.c5
-rw-r--r--src/charon/plugins/eap_sim/Makefile.am2
-rw-r--r--src/charon/plugins/eap_sim/Makefile.in7
-rw-r--r--src/charon/plugins/eap_sim_file/Makefile.am2
-rw-r--r--src/charon/plugins/eap_sim_file/Makefile.in7
-rw-r--r--src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c2
-rw-r--r--src/charon/plugins/kernel_klips/Makefile.am2
-rw-r--r--src/charon/plugins/kernel_klips/Makefile.in7
-rw-r--r--src/charon/plugins/kernel_klips/kernel_klips_ipsec.c15
-rw-r--r--src/charon/plugins/kernel_netlink/Makefile.am2
-rw-r--r--src/charon/plugins/kernel_netlink/Makefile.in7
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c87
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_net.c4
-rw-r--r--src/charon/plugins/kernel_netlink/kernel_netlink_shared.c2
-rw-r--r--src/charon/plugins/kernel_pfkey/Makefile.am2
-rw-r--r--src/charon/plugins/kernel_pfkey/Makefile.in7
-rw-r--r--src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c192
-rw-r--r--src/charon/plugins/kernel_pfroute/Makefile.am2
-rw-r--r--src/charon/plugins/kernel_pfroute/Makefile.in7
-rw-r--r--src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c4
-rw-r--r--src/charon/plugins/load_tester/Makefile.am2
-rw-r--r--src/charon/plugins/load_tester/Makefile.in7
-rw-r--r--src/charon/plugins/load_tester/load_tester_ipsec.c11
-rw-r--r--src/charon/plugins/load_tester/load_tester_plugin.c4
-rw-r--r--src/charon/plugins/medcli/Makefile.am2
-rw-r--r--src/charon/plugins/medcli/Makefile.in7
-rw-r--r--src/charon/plugins/medsrv/Makefile.am2
-rw-r--r--src/charon/plugins/medsrv/Makefile.in7
-rw-r--r--src/charon/plugins/nm/Makefile.am2
-rw-r--r--src/charon/plugins/nm/Makefile.in7
-rw-r--r--src/charon/plugins/nm/nm_creds.c2
-rw-r--r--src/charon/plugins/nm/nm_service.c179
-rw-r--r--src/charon/plugins/resolv_conf/Makefile.am2
-rw-r--r--src/charon/plugins/resolv_conf/Makefile.in7
-rw-r--r--src/charon/plugins/resolv_conf/resolv_conf_handler.c2
-rw-r--r--src/charon/plugins/smp/Makefile.am2
-rw-r--r--src/charon/plugins/smp/Makefile.in7
-rw-r--r--src/charon/plugins/sql/Makefile.am2
-rw-r--r--src/charon/plugins/sql/Makefile.in7
-rw-r--r--src/charon/plugins/sql/pool.c13
-rw-r--r--src/charon/plugins/sql/sql_attribute.c149
-rw-r--r--src/charon/plugins/sql/sql_config.c4
-rw-r--r--src/charon/plugins/stroke/Makefile.am2
-rw-r--r--src/charon/plugins/stroke/Makefile.in7
-rw-r--r--src/charon/plugins/stroke/stroke_attribute.c2
-rw-r--r--src/charon/plugins/stroke/stroke_ca.c2
-rw-r--r--src/charon/plugins/stroke/stroke_config.c2
-rw-r--r--src/charon/plugins/stroke/stroke_cred.c96
-rw-r--r--src/charon/plugins/stroke/stroke_list.c37
-rw-r--r--src/charon/plugins/stroke/stroke_socket.c1
-rw-r--r--src/charon/plugins/uci/Makefile.am2
-rw-r--r--src/charon/plugins/uci/Makefile.in7
-rw-r--r--src/charon/plugins/unit_tester/Makefile.am2
-rw-r--r--src/charon/plugins/unit_tester/Makefile.in7
-rw-r--r--src/charon/plugins/unit_tester/tests.h3
-rw-r--r--src/charon/plugins/unit_tester/tests/test_id.c180
-rw-r--r--src/charon/plugins/unit_tester/tests/test_mutex.c2
-rw-r--r--src/charon/plugins/updown/Makefile.am2
-rw-r--r--src/charon/plugins/updown/Makefile.in7
-rw-r--r--src/charon/processing/jobs/callback_job.c2
-rw-r--r--src/charon/processing/processor.c6
-rw-r--r--src/charon/processing/scheduler.c4
-rw-r--r--src/charon/sa/authenticators/eap/eap_manager.c2
-rw-r--r--src/charon/sa/child_sa.c135
-rw-r--r--src/charon/sa/child_sa.h34
-rw-r--r--src/charon/sa/connect_manager.c2
-rw-r--r--src/charon/sa/ike_sa.c45
-rw-r--r--src/charon/sa/ike_sa.h5
-rw-r--r--src/charon/sa/ike_sa_manager.c40
-rw-r--r--src/charon/sa/keymat.c3
-rw-r--r--src/charon/sa/mediation_manager.c2
-rw-r--r--src/charon/sa/task_manager.c30
-rw-r--r--src/charon/sa/tasks/child_create.c39
-rw-r--r--src/charon/sa/tasks/child_create.h4
-rw-r--r--src/charon/sa/tasks/child_delete.c29
-rw-r--r--src/charon/sa/tasks/child_rekey.c15
-rw-r--r--src/charon/sa/tasks/ike_auth.c2
-rw-r--r--src/charon/sa/tasks/ike_delete.c36
-rw-r--r--src/charon/sa/tasks/ike_rekey.c2
-rw-r--r--src/charon/sa/tasks/task.h4
-rw-r--r--src/charon/sa/trap_manager.c6
-rw-r--r--src/checksum/Makefile.am36
-rw-r--r--src/checksum/Makefile.in (renamed from src/libstrongswan/fips/Makefile.in)138
-rw-r--r--src/checksum/checksum_builder.c135
-rw-r--r--src/dumm/Makefile.in5
-rw-r--r--src/dumm/mconsole.c2
-rw-r--r--src/include/Makefile.in5
-rw-r--r--src/ipsec/Makefile.in5
-rw-r--r--src/libfast/Makefile.in5
-rw-r--r--src/libfreeswan/Makefile.in5
-rw-r--r--src/libfreeswan/anyaddr.c13
-rw-r--r--src/libfreeswan/atoaddr.310
-rw-r--r--src/libfreeswan/atoaddr.c37
-rw-r--r--src/libfreeswan/freeswan.h5
-rw-r--r--src/libfreeswan/pfkeyv2.h33
-rw-r--r--src/libfreeswan/ttoaddr.312
-rw-r--r--src/libfreeswan/ttoaddr.c77
-rw-r--r--src/libstrongswan/Makefile.am19
-rw-r--r--src/libstrongswan/Makefile.in347
-rw-r--r--src/libstrongswan/asn1/asn1.c72
-rw-r--r--src/libstrongswan/asn1/asn1.h13
-rw-r--r--src/libstrongswan/asn1/oid.c440
-rw-r--r--src/libstrongswan/asn1/oid.h245
-rw-r--r--src/libstrongswan/asn1/oid.txt6
-rw-r--r--src/libstrongswan/chunk.c27
-rw-r--r--src/libstrongswan/chunk.h22
-rw-r--r--src/libstrongswan/credentials/credential_factory.c2
-rw-r--r--src/libstrongswan/credentials/keys/public_key.c10
-rw-r--r--src/libstrongswan/credentials/keys/public_key.h2
-rw-r--r--src/libstrongswan/crypto/crypto_factory.c2
-rw-r--r--src/libstrongswan/crypto/crypto_tester.c22
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.c10
-rw-r--r--src/libstrongswan/crypto/hashers/hasher.h8
-rw-r--r--src/libstrongswan/database/database_factory.c2
-rw-r--r--src/libstrongswan/fetcher/fetcher_manager.c2
-rw-r--r--src/libstrongswan/fips/Makefile.am19
-rw-r--r--src/libstrongswan/fips/fips.c96
-rw-r--r--src/libstrongswan/fips/fips.h44
-rw-r--r--src/libstrongswan/fips/fips_canister_end.c166
-rw-r--r--src/libstrongswan/fips/fips_canister_start.c167
-rw-r--r--src/libstrongswan/fips/fips_signer.c68
-rw-r--r--src/libstrongswan/integrity_checker.c332
-rw-r--r--src/libstrongswan/integrity_checker.h111
-rw-r--r--src/libstrongswan/library.c27
-rw-r--r--src/libstrongswan/library.h23
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/aes/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/agent/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/blowfish/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/curl/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/des/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/des/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/fips_prf/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/gcrypt/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c3
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c4
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c61
-rw-r--r--src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c14
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/gmp/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c4
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/hmac/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/ldap/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/md4/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/md5/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/mysql/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/mysql/mysql_database.c2
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/openssl/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crypter.c18
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c20
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_hasher.c1
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c8
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c2
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_util.c15
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/padlock/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/padlock/padlock_plugin.c2
-rw-r--r--src/libstrongswan/plugins/plugin_loader.c27
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/pubkey/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/random/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/random/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/sha1/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/sha2/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sha2/sha2_hasher.c64
-rw-r--r--src/libstrongswan/plugins/sha2/sha2_plugin.c2
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/sqlite/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/sqlite/sqlite_database.c2
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/test_vectors/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors.h3
-rw-r--r--src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c35
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/x509/Makefile.in7
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.am2
-rw-r--r--src/libstrongswan/plugins/xcbc/Makefile.in7
-rw-r--r--src/libstrongswan/utils.c42
-rw-r--r--src/libstrongswan/utils.h23
-rw-r--r--src/libstrongswan/utils/enumerator.c6
-rw-r--r--src/libstrongswan/utils/host.c139
-rw-r--r--src/libstrongswan/utils/identification.c878
-rw-r--r--src/libstrongswan/utils/mutex.c8
-rw-r--r--src/libstrongswan/utils/mutex.h35
-rw-r--r--src/manager/Makefile.in5
-rw-r--r--src/medsrv/Makefile.in5
-rw-r--r--src/openac/Makefile.in5
-rwxr-xr-xsrc/openac/openac.c37
-rw-r--r--src/pluto/Makefile.am5
-rw-r--r--src/pluto/Makefile.in17
-rw-r--r--src/pluto/alg_info.c32
-rw-r--r--src/pluto/connections.c1
-rw-r--r--src/pluto/constants.c3
-rw-r--r--src/pluto/crypto.c15
-rw-r--r--src/pluto/crypto.h2
-rw-r--r--src/pluto/ipsec_doi.c122
-rw-r--r--src/pluto/kernel.c187
-rw-r--r--src/pluto/kernel_alg.c54
-rw-r--r--src/pluto/kernel_netlink.c357
-rw-r--r--src/pluto/keys.c3
-rw-r--r--src/pluto/ocsp.c2
-rw-r--r--src/pluto/pem.c1
-rw-r--r--src/pluto/pgpcert.c62
-rw-r--r--src/pluto/plutomain.c41
-rw-r--r--src/pluto/spdb.c88
-rw-r--r--src/pluto/state.c1
-rw-r--r--src/pluto/timer.c10
-rw-r--r--src/pluto/timer.h2
-rw-r--r--src/pluto/vendor.c8
-rw-r--r--src/pluto/vendor.h10
-rw-r--r--src/scepclient/Makefile.in5
-rw-r--r--src/scepclient/loglite.c7
-rw-r--r--src/scepclient/scepclient.818
-rw-r--r--src/scepclient/scepclient.c67
-rw-r--r--src/starter/Makefile.am22
-rw-r--r--src/starter/Makefile.in31
-rw-r--r--src/starter/args.c68
-rw-r--r--src/starter/interfaces.c4
-rw-r--r--src/starter/invokecharon.c28
-rw-r--r--src/starter/invokecharon.h2
-rw-r--r--src/starter/invokepluto.c14
-rw-r--r--src/starter/invokepluto.h2
-rw-r--r--src/starter/keywords.h5
-rw-r--r--src/starter/loglite.c4
-rw-r--r--src/starter/starter.c39
-rw-r--r--src/stroke/Makefile.am1
-rw-r--r--src/stroke/Makefile.in11
-rw-r--r--src/stroke/stroke_msg.h2
-rw-r--r--src/whack/Makefile.in5
286 files changed, 5315 insertions, 3202 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index 09eb13fe3..ebdaa6a63 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -44,8 +44,12 @@ if USE_MEDSRV
SUBDIRS += medsrv
endif
+if USE_INTEGRITY_TEST
+ SUBDIRS += checksum
+endif
+
EXTRA_DIST = strongswan.conf
install-exec-local :
test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
- test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+ test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
diff --git a/src/Makefile.in b/src/Makefile.in
index 26046e6a1..18da06f7b 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -42,6 +42,7 @@ host_triplet = @host@
@USE_FAST_TRUE@am__append_9 = libfast
@USE_MANAGER_TRUE@am__append_10 = manager
@USE_MEDSRV_TRUE@am__append_11 = medsrv
+@USE_INTEGRITY_TEST_TRUE@am__append_12 = checksum
subdir = src
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -65,15 +66,17 @@ ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = . include libstrongswan libfreeswan starter ipsec \
_copyright pluto whack charon stroke _updown _updown_espmark \
- openac scepclient dumm libfast manager medsrv
+ openac scepclient dumm libfast manager medsrv checksum
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -138,6 +141,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -178,7 +182,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -215,7 +221,7 @@ xml_LIBS = @xml_LIBS@
SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
$(am__append_4) $(am__append_5) $(am__append_6) \
$(am__append_7) $(am__append_8) $(am__append_9) \
- $(am__append_10) $(am__append_11)
+ $(am__append_10) $(am__append_11) $(am__append_12)
EXTRA_DIST = strongswan.conf
all: all-recursive
@@ -532,7 +538,7 @@ uninstall-am:
install-exec-local :
test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)"
- test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 640 strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
+ test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index 9f178fdfa..fabc84a29 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -71,12 +71,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -181,7 +184,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 3db887ef0..60755da69 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -51,12 +51,14 @@ NROFF = nroff
MANS = $(dist_man8_MANS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -161,7 +164,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in
index 2852b7e67..55d3c6b4d 100644
--- a/src/_updown_espmark/Makefile.in
+++ b/src/_updown_espmark/Makefile.in
@@ -51,12 +51,14 @@ NROFF = nroff
MANS = $(dist_man8_MANS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -161,7 +164,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am
index 3b5b9c068..dd51555c0 100644
--- a/src/charon/Makefile.am
+++ b/src/charon/Makefile.am
@@ -2,6 +2,7 @@ ipsec_PROGRAMS = charon
charon_SOURCES = \
bus/bus.c bus/bus.h \
+bus/listeners/listener.h \
bus/listeners/file_logger.c bus/listeners/file_logger.h \
bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
config/backend_manager.c config/backend_manager.h config/backend.h \
@@ -107,7 +108,7 @@ AM_CFLAGS = -rdynamic \
-DIPSEC_PIDDIR=\"${piddir}\" \
-DIPSEC_PLUGINDIR=\"${plugindir}\" \
-DSTRONGSWAN_CONF=\"${strongswan_conf}\"
-charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB)
+charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lpthread -lm $(DLLIB) $(SOCKLIB)
# compile options
#################
@@ -128,10 +129,6 @@ if USE_ME
sa/tasks/ike_me.c sa/tasks/ike_me.h
endif
-if USE_INTEGRITY_TEST
- AM_CFLAGS += -DINTEGRITY_TEST
-endif
-
if USE_CAPABILITIES
charon_LDADD += -lcap
endif
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 77884d50e..59c0228f8 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -47,56 +47,55 @@ ipsec_PROGRAMS = charon$(EXEEXT)
@USE_ME_TRUE@ sa/mediation_manager.c sa/mediation_manager.h \
@USE_ME_TRUE@ sa/tasks/ike_me.c sa/tasks/ike_me.h
-@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
-@USE_CAPABILITIES_TRUE@am__append_5 = -lcap
-@USE_LOAD_TESTS_TRUE@am__append_6 = plugins/load_tester
-@USE_LOAD_TESTS_TRUE@am__append_7 = load-tester
-@USE_KERNEL_PFKEY_TRUE@am__append_8 = plugins/kernel_pfkey
-@USE_KERNEL_PFKEY_TRUE@am__append_9 = kernel-pfkey
-@USE_KERNEL_PFROUTE_TRUE@am__append_10 = plugins/kernel_pfroute
-@USE_KERNEL_PFROUTE_TRUE@am__append_11 = kernel-pfroute
-@USE_KERNEL_KLIPS_TRUE@am__append_12 = plugins/kernel_klips
-@USE_KERNEL_KLIPS_TRUE@am__append_13 = kernel-klips
-@USE_KERNEL_NETLINK_TRUE@am__append_14 = plugins/kernel_netlink
-@USE_KERNEL_NETLINK_TRUE@am__append_15 = kernel-netlink
-@USE_STROKE_TRUE@am__append_16 = plugins/stroke
-@USE_STROKE_TRUE@am__append_17 = stroke
-@USE_SMP_TRUE@am__append_18 = plugins/smp
-@USE_SMP_TRUE@am__append_19 = smp
-@USE_SQL_TRUE@am__append_20 = plugins/sql
-@USE_SQL_TRUE@am__append_21 = sql
-@USE_UPDOWN_TRUE@am__append_22 = plugins/updown
-@USE_UPDOWN_TRUE@am__append_23 = updown
-@USE_ATTR_TRUE@am__append_24 = plugins/attr
-@USE_ATTR_TRUE@am__append_25 = attr
-@USE_EAP_IDENTITY_TRUE@am__append_26 = plugins/eap_identity
-@USE_EAP_IDENTITY_TRUE@am__append_27 = eapidentity
-@USE_EAP_SIM_TRUE@am__append_28 = plugins/eap_sim
-@USE_EAP_SIM_TRUE@am__append_29 = eapsim
-@USE_EAP_SIM_FILE_TRUE@am__append_30 = plugins/eap_sim_file
-@USE_EAP_SIM_FILE_TRUE@am__append_31 = eapsim-file
-@USE_EAP_MD5_TRUE@am__append_32 = plugins/eap_md5
-@USE_EAP_MD5_TRUE@am__append_33 = eapmd5
-@USE_EAP_GTC_TRUE@am__append_34 = plugins/eap_gtc
-@USE_EAP_GTC_TRUE@am__append_35 = eapgtc
-@USE_EAP_AKA_TRUE@am__append_36 = plugins/eap_aka
-@USE_EAP_AKA_TRUE@am__append_37 = eapaka
-@USE_EAP_MSCHAPV2_TRUE@am__append_38 = plugins/eap_mschapv2
-@USE_EAP_MSCHAPV2_TRUE@am__append_39 = eapmschapv2
-@USE_EAP_RADIUS_TRUE@am__append_40 = plugins/eap_radius
-@USE_EAP_RADIUS_TRUE@am__append_41 = eapradius
-@USE_MEDSRV_TRUE@am__append_42 = plugins/medsrv
-@USE_MEDSRV_TRUE@am__append_43 = medsrv
-@USE_MEDCLI_TRUE@am__append_44 = plugins/medcli
-@USE_MEDCLI_TRUE@am__append_45 = medcli
-@USE_NM_TRUE@am__append_46 = plugins/nm
-@USE_NM_TRUE@am__append_47 = nm
-@USE_RESOLV_CONF_TRUE@am__append_48 = plugins/resolv_conf
-@USE_RESOLV_CONF_TRUE@am__append_49 = resolv-conf
-@USE_UCI_TRUE@am__append_50 = plugins/uci
-@USE_UCI_TRUE@am__append_51 = uci
-@USE_UNIT_TESTS_TRUE@am__append_52 = plugins/unit_tester
-@USE_UNIT_TESTS_TRUE@am__append_53 = unit-tester
+@USE_CAPABILITIES_TRUE@am__append_4 = -lcap
+@USE_LOAD_TESTS_TRUE@am__append_5 = plugins/load_tester
+@USE_LOAD_TESTS_TRUE@am__append_6 = load-tester
+@USE_KERNEL_PFKEY_TRUE@am__append_7 = plugins/kernel_pfkey
+@USE_KERNEL_PFKEY_TRUE@am__append_8 = kernel-pfkey
+@USE_KERNEL_PFROUTE_TRUE@am__append_9 = plugins/kernel_pfroute
+@USE_KERNEL_PFROUTE_TRUE@am__append_10 = kernel-pfroute
+@USE_KERNEL_KLIPS_TRUE@am__append_11 = plugins/kernel_klips
+@USE_KERNEL_KLIPS_TRUE@am__append_12 = kernel-klips
+@USE_KERNEL_NETLINK_TRUE@am__append_13 = plugins/kernel_netlink
+@USE_KERNEL_NETLINK_TRUE@am__append_14 = kernel-netlink
+@USE_STROKE_TRUE@am__append_15 = plugins/stroke
+@USE_STROKE_TRUE@am__append_16 = stroke
+@USE_SMP_TRUE@am__append_17 = plugins/smp
+@USE_SMP_TRUE@am__append_18 = smp
+@USE_SQL_TRUE@am__append_19 = plugins/sql
+@USE_SQL_TRUE@am__append_20 = sql
+@USE_UPDOWN_TRUE@am__append_21 = plugins/updown
+@USE_UPDOWN_TRUE@am__append_22 = updown
+@USE_ATTR_TRUE@am__append_23 = plugins/attr
+@USE_ATTR_TRUE@am__append_24 = attr
+@USE_EAP_IDENTITY_TRUE@am__append_25 = plugins/eap_identity
+@USE_EAP_IDENTITY_TRUE@am__append_26 = eapidentity
+@USE_EAP_SIM_TRUE@am__append_27 = plugins/eap_sim
+@USE_EAP_SIM_TRUE@am__append_28 = eapsim
+@USE_EAP_SIM_FILE_TRUE@am__append_29 = plugins/eap_sim_file
+@USE_EAP_SIM_FILE_TRUE@am__append_30 = eapsim-file
+@USE_EAP_MD5_TRUE@am__append_31 = plugins/eap_md5
+@USE_EAP_MD5_TRUE@am__append_32 = eapmd5
+@USE_EAP_GTC_TRUE@am__append_33 = plugins/eap_gtc
+@USE_EAP_GTC_TRUE@am__append_34 = eapgtc
+@USE_EAP_AKA_TRUE@am__append_35 = plugins/eap_aka
+@USE_EAP_AKA_TRUE@am__append_36 = eapaka
+@USE_EAP_MSCHAPV2_TRUE@am__append_37 = plugins/eap_mschapv2
+@USE_EAP_MSCHAPV2_TRUE@am__append_38 = eapmschapv2
+@USE_EAP_RADIUS_TRUE@am__append_39 = plugins/eap_radius
+@USE_EAP_RADIUS_TRUE@am__append_40 = eapradius
+@USE_MEDSRV_TRUE@am__append_41 = plugins/medsrv
+@USE_MEDSRV_TRUE@am__append_42 = medsrv
+@USE_MEDCLI_TRUE@am__append_43 = plugins/medcli
+@USE_MEDCLI_TRUE@am__append_44 = medcli
+@USE_NM_TRUE@am__append_45 = plugins/nm
+@USE_NM_TRUE@am__append_46 = nm
+@USE_RESOLV_CONF_TRUE@am__append_47 = plugins/resolv_conf
+@USE_RESOLV_CONF_TRUE@am__append_48 = resolv-conf
+@USE_UCI_TRUE@am__append_49 = plugins/uci
+@USE_UCI_TRUE@am__append_50 = uci
+@USE_UNIT_TESTS_TRUE@am__append_51 = plugins/unit_tester
+@USE_UNIT_TESTS_TRUE@am__append_52 = unit-tester
subdir = src/charon
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -108,7 +107,7 @@ CONFIG_CLEAN_FILES =
am__installdirs = "$(DESTDIR)$(ipsecdir)"
ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
PROGRAMS = $(ipsec_PROGRAMS)
-am__charon_SOURCES_DIST = bus/bus.c bus/bus.h \
+am__charon_SOURCES_DIST = bus/bus.c bus/bus.h bus/listeners/listener.h \
bus/listeners/file_logger.c bus/listeners/file_logger.h \
bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
config/backend_manager.c config/backend_manager.h \
@@ -289,7 +288,8 @@ charon_OBJECTS = $(am_charon_OBJECTS)
am__DEPENDENCIES_1 =
charon_DEPENDENCIES = \
$(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -325,12 +325,14 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \
plugins/resolv_conf plugins/uci plugins/unit_tester
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -395,6 +397,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -435,7 +438,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -469,14 +474,15 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/file_logger.c \
- bus/listeners/file_logger.h bus/listeners/sys_logger.c \
- bus/listeners/sys_logger.h config/backend_manager.c \
- config/backend_manager.h config/backend.h config/child_cfg.c \
- config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \
- config/peer_cfg.c config/peer_cfg.h config/proposal.c \
- config/proposal.h config/auth_cfg.c config/auth_cfg.h \
- config/traffic_selector.c config/traffic_selector.h \
+charon_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \
+ bus/listeners/file_logger.c bus/listeners/file_logger.h \
+ bus/listeners/sys_logger.c bus/listeners/sys_logger.h \
+ config/backend_manager.c config/backend_manager.h \
+ config/backend.h config/child_cfg.c config/child_cfg.h \
+ config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \
+ config/peer_cfg.h config/proposal.c config/proposal.h \
+ config/auth_cfg.c config/auth_cfg.h config/traffic_selector.c \
+ config/traffic_selector.h \
config/attributes/attribute_provider.h \
config/attributes/attribute_handler.h \
config/attributes/attribute_manager.c \
@@ -593,30 +599,30 @@ INCLUDES = -I${linuxdir} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/c
AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\" \
-DIPSEC_PLUGINDIR=\"${plugindir}\" \
- -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_4) \
+ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
-DPLUGINS=\""${PLUGINS}\""
charon_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
- -lpthread -lm $(DLLIB) $(am__append_5)
+ -lpthread -lm $(DLLIB) $(SOCKLIB) $(am__append_4)
# build optional plugins
########################
-SUBDIRS = . $(am__append_6) $(am__append_8) $(am__append_10) \
- $(am__append_12) $(am__append_14) $(am__append_16) \
- $(am__append_18) $(am__append_20) $(am__append_22) \
- $(am__append_24) $(am__append_26) $(am__append_28) \
- $(am__append_30) $(am__append_32) $(am__append_34) \
- $(am__append_36) $(am__append_38) $(am__append_40) \
- $(am__append_42) $(am__append_44) $(am__append_46) \
- $(am__append_48) $(am__append_50) $(am__append_52)
-PLUGINS = ${libstrongswan_plugins} $(am__append_7) $(am__append_9) \
+SUBDIRS = . $(am__append_5) $(am__append_7) $(am__append_9) \
$(am__append_11) $(am__append_13) $(am__append_15) \
$(am__append_17) $(am__append_19) $(am__append_21) \
$(am__append_23) $(am__append_25) $(am__append_27) \
$(am__append_29) $(am__append_31) $(am__append_33) \
$(am__append_35) $(am__append_37) $(am__append_39) \
$(am__append_41) $(am__append_43) $(am__append_45) \
- $(am__append_47) $(am__append_49) $(am__append_51) \
- $(am__append_53)
+ $(am__append_47) $(am__append_49) $(am__append_51)
+PLUGINS = ${libstrongswan_plugins} $(am__append_6) $(am__append_8) \
+ $(am__append_10) $(am__append_12) $(am__append_14) \
+ $(am__append_16) $(am__append_18) $(am__append_20) \
+ $(am__append_22) $(am__append_24) $(am__append_26) \
+ $(am__append_28) $(am__append_30) $(am__append_32) \
+ $(am__append_34) $(am__append_36) $(am__append_38) \
+ $(am__append_40) $(am__append_42) $(am__append_44) \
+ $(am__append_46) $(am__append_48) $(am__append_50) \
+ $(am__append_52)
all: all-recursive
.SUFFIXES:
diff --git a/src/charon/bus/bus.c b/src/charon/bus/bus.c
index bb7014b0b..2671f848e 100644
--- a/src/charon/bus/bus.c
+++ b/src/charon/bus/bus.c
@@ -117,7 +117,7 @@ static entry_t *entry_create(listener_t *listener, bool blocker)
this->listener = listener;
this->blocker = blocker;
this->calling = 0;
- this->condvar = condvar_create(CONDVAR_DEFAULT);
+ this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
return this;
}
@@ -351,6 +351,41 @@ static void unregister_listener(private_bus_t *this, entry_t *entry,
}
/**
+ * Implementation of bus_t.alert
+ */
+static void alert(private_bus_t *this, alert_t alert, ...)
+{
+ enumerator_t *enumerator;
+ ike_sa_t *ike_sa;
+ entry_t *entry;
+ va_list args;
+ bool keep;
+
+ ike_sa = pthread_getspecific(this->thread_sa);
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->alert)
+ {
+ continue;
+ }
+ entry->calling++;
+ va_start(args, alert);
+ keep = entry->listener->alert(entry->listener, ike_sa, alert, args);
+ va_end(args);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
* Implementation of bus_t.ike_state_change
*/
static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
@@ -374,7 +409,6 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
if (!keep)
{
unregister_listener(this, entry, enumerator);
- break;
}
}
enumerator->destroy(enumerator);
@@ -409,7 +443,6 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
if (!keep)
{
unregister_listener(this, entry, enumerator);
- break;
}
}
enumerator->destroy(enumerator);
@@ -443,7 +476,6 @@ static void message(private_bus_t *this, message_t *message, bool incoming)
if (!keep)
{
unregister_listener(this, entry, enumerator);
- break;
}
}
enumerator->destroy(enumerator);
@@ -476,7 +508,6 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
if (!keep)
{
unregister_listener(this, entry, enumerator);
- break;
}
}
enumerator->destroy(enumerator);
@@ -511,7 +542,143 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
if (!keep)
{
unregister_listener(this, entry, enumerator);
- break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_updown
+ */
+static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
+{
+ enumerator_t *enumerator;
+ ike_sa_t *ike_sa;
+ entry_t *entry;
+ bool keep;
+
+ ike_sa = pthread_getspecific(this->thread_sa);
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->child_updown)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->child_updown(entry->listener,
+ ike_sa, child_sa, up);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.child_rekey
+ */
+static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
+{
+ enumerator_t *enumerator;
+ ike_sa_t *ike_sa;
+ entry_t *entry;
+ bool keep;
+
+ ike_sa = pthread_getspecific(this->thread_sa);
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->child_rekey)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->child_rekey(entry->listener, ike_sa, old, new);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Implementation of bus_t.ike_updown
+ */
+static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ bool keep;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->ike_updown)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->ike_updown(entry->listener, ike_sa, up);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+
+ /* a down event for IKE_SA implicitly downs all CHILD_SAs */
+ if (!up)
+ {
+ iterator_t *iterator;
+ child_sa_t *child_sa;
+
+ iterator = ike_sa->create_child_sa_iterator(ike_sa);
+ while (iterator->iterate(iterator, (void**)&child_sa))
+ {
+ child_updown(this, child_sa, FALSE);
+ }
+ iterator->destroy(iterator);
+ }
+}
+
+/**
+ * Implementation of bus_t.ike_rekey
+ */
+static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
+{
+ enumerator_t *enumerator;
+ entry_t *entry;
+ bool keep;
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->ike_rekey)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->ike_rekey(entry->listener, old, new);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
}
}
enumerator->destroy(enumerator);
@@ -545,7 +712,6 @@ static bool authorize(private_bus_t *this, linked_list_t *auth, bool final)
if (!keep)
{
unregister_listener(this, entry, enumerator);
- break;
}
if (!success)
{
@@ -580,16 +746,21 @@ bus_t *bus_create()
this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa;
this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_;
this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog;
+ this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert;
this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change;
this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change;
this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message;
this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
+ this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown;
+ this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey;
+ this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown;
+ this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey;
this->public.authorize = (bool(*)(bus_t*, linked_list_t *auth, bool final))authorize;
this->public.destroy = (void(*)(bus_t*)) destroy;
this->listeners = linked_list_create();
- this->mutex = mutex_create(MUTEX_RECURSIVE);
+ this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
pthread_key_create(&this->thread_id, NULL);
pthread_key_create(&this->thread_sa, NULL);
diff --git a/src/charon/bus/bus.h b/src/charon/bus/bus.h
index 5faea088f..9c90db6f9 100644
--- a/src/charon/bus/bus.h
+++ b/src/charon/bus/bus.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006 Martin Willi
+ * Copyright (C) 2006-2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
typedef enum debug_t debug_t;
typedef enum level_t level_t;
-typedef struct listener_t listener_t;
+typedef enum alert_t alert_t;
typedef struct bus_t bus_t;
#include <stdarg.h>
@@ -31,6 +31,7 @@ typedef struct bus_t bus_t;
#include <sa/ike_sa.h>
#include <sa/child_sa.h>
#include <processing/jobs/job.h>
+#include <bus/listeners/listener.h>
/**
* Debug message group.
@@ -126,105 +127,12 @@ enum level_t {
# define DBG4(...) {}
#endif /* DBG4 */
-
/**
- * Listener interface, listens to events if registered to the bus.
+ * Kind of alerts to raise.
*/
-struct listener_t {
-
- /**
- * Log a debugging message.
- *
- * The implementing signal function returns TRUE to stay registered
- * to the bus, or FALSE to unregister itself.
- * Calling bus_t.log() inside of a registered listener is possible,
- * but the bus does not invoke listeners recursively.
- *
- * @param singal kind of the signal (up, down, rekeyed, ...)
- * @param level verbosity level of the signal
- * @param thread ID of the thread raised this signal
- * @param ike_sa IKE_SA associated to the event
- * @param format printf() style format string
- * @param args vprintf() style va_list argument list
- " @return TRUE to stay registered, FALSE to unregister
- */
- bool (*log) (listener_t *this, debug_t group, level_t level, int thread,
- ike_sa_t *ike_sa, char* format, va_list args);
-
- /**
- * Handle state changes in an IKE_SA.
- *
- * @param ike_sa IKE_SA which changes its state
- * @param state new IKE_SA state this IKE_SA changes to
- * @return TRUE to stay registered, FALSE to unregister
- */
- bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
- ike_sa_state_t state);
-
- /**
- * Handle state changes in a CHILD_SA.
- *
- * @param ike_sa IKE_SA containing the affected CHILD_SA
- * @param child_sa CHILD_SA which changes its state
- * @param state new CHILD_SA state this CHILD_SA changes to
- * @return TRUE to stay registered, FALSE to unregister
- */
- bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
- child_sa_t *child_sa, child_sa_state_t state);
-
- /**
- * Hook called for received/sent messages of an IKE_SA.
- *
- * @param ike_sa IKE_SA sending/receving a message
- * @param message message object
- * @param incoming TRUE for incoming messages, FALSE for outgoing
- * @return TRUE to stay registered, FALSE to unregister
- */
- bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
- bool incoming);
-
- /**
- * Hook called with IKE_SA key material.
- *
- * @param ike_sa IKE_SA this keymat belongs to
- * @param dh diffie hellman shared secret
- * @param nonce_i initiators nonce
- * @param nonce_r responders nonce
- * @param rekey IKE_SA we are rekeying, if any
- * @return TRUE to stay registered, FALSE to unregister
- */
- bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
- chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
-
- /**
- * Hook called with CHILD_SA key material.
- *
- * @param ike_sa IKE_SA the child sa belongs to
- * @param child_sa CHILD_SA this keymat is used for
- * @param dh diffie hellman shared secret
- * @param nonce_i initiators nonce
- * @param nonce_r responders nonce
- * @return TRUE to stay registered, FALSE to unregister
- */
- bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
- diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
-
- /**
- * Hook called to invoke additional authorization rules.
- *
- * An authorization hook gets invoked several times: After each
- * authentication round, the hook gets invoked with with final = FALSE.
- * After authentication is complete and the peer configuration is selected,
- * it is invoked again, but with final = TRUE.
- *
- * @param ike_sa IKE_SA to authorize
- * @param auth list of auth_cfg_t, done in peers authentication rounds
- * @param final TRUE if this is the final hook invocation
- * @param success set to TRUE to complete IKE_SA, FALSE abort
- * @return TRUE to stay registered, FALSE to unregister
- */
- bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
- bool final, bool *success);
+enum alert_t {
+ /* a RADIUS server did not respond, no additional arguments */
+ ALERT_RADIUS_NOT_RESPONDING,
};
/**
@@ -307,6 +215,15 @@ struct bus_t {
*/
void (*vlog)(bus_t *this, debug_t group, level_t level,
char* format, va_list args);
+
+ /**
+ * Raise an alert over the bus.
+ *
+ * @param alert kind of alert
+ * @param ... alert specific attributes
+ */
+ void (*alert)(bus_t *this, alert_t alert, ...);
+
/**
* Send a IKE_SA state change event to the bus.
*
@@ -361,6 +278,39 @@ struct bus_t {
*/
void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
chunk_t nonce_i, chunk_t nonce_r);
+
+ /**
+ * IKE_SA up/down hook.
+ *
+ * @param ike_sa IKE_SA coming up/going down
+ * @param up TRUE for an up event, FALSE for a down event
+ */
+ void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
+
+ /**
+ * IKE_SA rekeying hook.
+ *
+ * @param old rekeyed and obsolete IKE_SA
+ * @param new new IKE_SA replacing old
+ */
+ void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
+
+ /**
+ * CHILD_SA up/down hook.
+ *
+ * @param child_sa CHILD_SA coming up/going down
+ * @param up TRUE for an up event, FALSE for a down event
+ */
+ void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
+
+ /**
+ * CHILD_SA rekeying hook.
+ *
+ * @param old rekeyed and obsolete CHILD_SA
+ * @param new new CHILD_SA replacing old
+ */
+ void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
+
/**
* Destroy the event bus.
*/
diff --git a/src/charon/bus/listeners/file_logger.h b/src/charon/bus/listeners/file_logger.h
index 7282224a5..a69374f23 100644
--- a/src/charon/bus/listeners/file_logger.h
+++ b/src/charon/bus/listeners/file_logger.h
@@ -21,9 +21,9 @@
#ifndef FILE_LOGGER_H_
#define FILE_LOGGER_H_
-typedef struct file_logger_t file_logger_t;
+#include <bus/listeners/listener.h>
-#include <bus/bus.h>
+typedef struct file_logger_t file_logger_t;
/**
* Logger to files which implements listener_t.
diff --git a/src/charon/bus/listeners/listener.h b/src/charon/bus/listeners/listener.h
new file mode 100644
index 000000000..578f08ebe
--- /dev/null
+++ b/src/charon/bus/listeners/listener.h
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup listener listener
+ * @{ @ingroup listeners
+ */
+
+#ifndef LISTENER_H_
+#define LISTENER_H_
+
+typedef struct listener_t listener_t;
+
+#include <bus/bus.h>
+
+/**
+ * Listener interface, listens to events if registered to the bus.
+ */
+struct listener_t {
+
+ /**
+ * Log a debugging message.
+ *
+ * The implementing signal function returns TRUE to stay registered
+ * to the bus, or FALSE to unregister itself.
+ * Calling bus_t.log() inside of a registered listener is possible,
+ * but the bus does not invoke listeners recursively.
+ *
+ * @param group kind of the signal (up, down, rekeyed, ...)
+ * @param level verbosity level of the signal
+ * @param thread ID of the thread raised this signal
+ * @param ike_sa IKE_SA associated to the event
+ * @param format printf() style format string
+ * @param args vprintf() style va_list argument list
+ " @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*log)(listener_t *this, debug_t group, level_t level, int thread,
+ ike_sa_t *ike_sa, char* format, va_list args);
+
+ /**
+ * Hook called if a critical alert is risen.
+ *
+ * @param ike_sa IKE_SA associated to the alert, if any
+ * @param alert kind of alert
+ * @param ... alert specific argument list
+ " @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*alert)(listener_t *this, ike_sa_t *ike_sa,
+ alert_t alert, va_list args);
+
+ /**
+ * Handle state changes in an IKE_SA.
+ *
+ * @param ike_sa IKE_SA which changes its state
+ * @param state new IKE_SA state this IKE_SA changes to
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*ike_state_change)(listener_t *this, ike_sa_t *ike_sa,
+ ike_sa_state_t state);
+
+ /**
+ * Handle state changes in a CHILD_SA.
+ *
+ * @param ike_sa IKE_SA containing the affected CHILD_SA
+ * @param child_sa CHILD_SA which changes its state
+ * @param state new CHILD_SA state this CHILD_SA changes to
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*child_state_change)(listener_t *this, ike_sa_t *ike_sa,
+ child_sa_t *child_sa, child_sa_state_t state);
+
+ /**
+ * Hook called for received/sent messages of an IKE_SA.
+ *
+ * @param ike_sa IKE_SA sending/receving a message
+ * @param message message object
+ * @param incoming TRUE for incoming messages, FALSE for outgoing
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*message)(listener_t *this, ike_sa_t *ike_sa, message_t *message,
+ bool incoming);
+
+ /**
+ * Hook called with IKE_SA key material.
+ *
+ * @param ike_sa IKE_SA this keymat belongs to
+ * @param dh diffie hellman shared secret
+ * @param nonce_i initiators nonce
+ * @param nonce_r responders nonce
+ * @param rekey IKE_SA we are rekeying, if any
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*ike_keys)(listener_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+ chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey);
+
+ /**
+ * Hook called with CHILD_SA key material.
+ *
+ * @param ike_sa IKE_SA the child sa belongs to
+ * @param child_sa CHILD_SA this keymat is used for
+ * @param dh diffie hellman shared secret
+ * @param nonce_i initiators nonce
+ * @param nonce_r responders nonce
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
+
+ /**
+ * Hook called if an IKE_SA gets up or down.
+ *
+ * @param ike_sa IKE_SA coming up/going down
+ * @param up TRUE for an up event, FALSE for a down event
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*ike_updown)(listener_t *this, ike_sa_t *ike_sa, bool up);
+
+ /**
+ * Hook called when an IKE_SA gets rekeyed.
+ *
+ * @param old rekeyed IKE_SA getting obsolete
+ * @param new new IKE_SA replacing old
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*ike_rekey)(listener_t *this, ike_sa_t *old, ike_sa_t *new);
+
+ /**
+ * Hook called when a CHILD_SA gets up or down.
+ *
+ * @param ike_sa IKE_SA containing the handled CHILD_SA
+ * @param child_sa CHILD_SA coming up/going down
+ * @param up TRUE for an up event, FALSE for a down event
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*child_updown)(listener_t *this, ike_sa_t *ike_sa,
+ child_sa_t *child_sa, bool up);
+
+ /**
+ * Hook called when an CHILD_SA gets rekeyed.
+ *
+ * @param ike_sa IKE_SA containing the rekeyed CHILD_SA
+ * @param old rekeyed CHILD_SA getting obsolete
+ * @param new new CHILD_SA replacing old
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*child_rekey)(listener_t *this, ike_sa_t *ike_sa,
+ child_sa_t *old, child_sa_t *new);
+
+ /**
+ * Hook called to invoke additional authorization rules.
+ *
+ * An authorization hook gets invoked several times: After each
+ * authentication round, the hook gets invoked with with final = FALSE.
+ * After authentication is complete and the peer configuration is selected,
+ * it is invoked again, but with final = TRUE.
+ *
+ * @param ike_sa IKE_SA to authorize
+ * @param auth list of auth_cfg_t, done in peers authentication rounds
+ * @param final TRUE if this is the final hook invocation
+ * @param success set to TRUE to complete IKE_SA, FALSE abort
+ * @return TRUE to stay registered, FALSE to unregister
+ */
+ bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, linked_list_t *auth,
+ bool final, bool *success);
+};
+
+#endif /* LISTENER_ @}*/
diff --git a/src/charon/bus/listeners/sys_logger.c b/src/charon/bus/listeners/sys_logger.c
index 5bcf28f24..0b579ce92 100644
--- a/src/charon/bus/listeners/sys_logger.c
+++ b/src/charon/bus/listeners/sys_logger.c
@@ -15,7 +15,6 @@
#include <stdio.h>
#include <string.h>
-#include <pthread.h>
#include "sys_logger.h"
diff --git a/src/charon/bus/listeners/sys_logger.h b/src/charon/bus/listeners/sys_logger.h
index 6eda096a9..3ed0f02fa 100644
--- a/src/charon/bus/listeners/sys_logger.h
+++ b/src/charon/bus/listeners/sys_logger.h
@@ -21,11 +21,11 @@
#ifndef SYS_LOGGER_H_
#define SYS_LOGGER_H_
-typedef struct sys_logger_t sys_logger_t;
-
#include <syslog.h>
-#include <bus/bus.h>
+#include <bus/listeners/listener.h>
+
+typedef struct sys_logger_t sys_logger_t;
/**
* Logger for syslog which implements listener_t.
diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c
index 83e431c43..bf45fdb42 100644
--- a/src/charon/config/attributes/attribute_manager.c
+++ b/src/charon/config/attributes/attribute_manager.c
@@ -260,7 +260,7 @@ attribute_manager_t *attribute_manager_create()
this->providers = linked_list_create();
this->handlers = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c
index 3a3a78466..cfd611858 100644
--- a/src/charon/config/backend_manager.c
+++ b/src/charon/config/backend_manager.c
@@ -438,7 +438,7 @@ backend_manager_t *backend_manager_create()
this->public.destroy = (void (*)(backend_manager_t*))destroy;
this->backends = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 43e41671a..990ee3fd6 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -345,35 +345,6 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca
}
/**
- * Implementation of child_cfg_t.equal_traffic_selectors.
- */
-bool equal_traffic_selectors(private_child_cfg_t *this, bool local,
- linked_list_t *ts_list, host_t *host)
-{
- linked_list_t *this_list;
- traffic_selector_t *this_ts, *ts;
- bool result;
-
- this_list = (local) ? this->my_ts : this->other_ts;
-
- /* currently equality is established for single traffic selectors only */
- if (this_list->get_count(this_list) != 1 || ts_list->get_count(ts_list) != 1)
- {
- return FALSE;
- }
-
- this_list->get_first(this_list, (void**)&this_ts);
- this_ts = this_ts->clone(this_ts);
- this_ts->set_address(this_ts, host);
- ts_list->get_first(ts_list, (void**)&ts);
-
- result = ts->equals(ts, this_ts);
-
- this_ts->destroy(this_ts);
- return result;
-}
-
-/**
* Implementation of child_cfg_t.get_updown.
*/
static char* get_updown(private_child_cfg_t *this)
@@ -525,7 +496,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
this->public.get_name = (char* (*) (child_cfg_t*))get_name;
this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector;
this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors;
- this->public.equal_traffic_selectors = (bool (*)(child_cfg_t*,bool,linked_list_t*,host_t*))equal_traffic_selectors;
this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal;
this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals;
this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 185fee3da..33c75701c 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -150,18 +150,6 @@ struct child_cfg_t {
linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
linked_list_t *supplied,
host_t *host);
-
- /**
- * Checks [single] traffic selectors for equality
- *
- * @param local TRUE for TS on local side, FALSE for remote
- * @param ts list with single traffic selector to compare with
- * @param host address to use for narrowing "dynamic" TS', or NULL
- * @return TRUE if TS are equal, FALSE otherwise
- */
- bool (*equal_traffic_selectors)(child_cfg_t *this, bool local,
- linked_list_t *ts_list, host_t *host);
-
/**
* Get the updown script to run for the CHILD_SA.
*
diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c
index da796d6a2..f096f269e 100644
--- a/src/charon/config/peer_cfg.c
+++ b/src/charon/config/peer_cfg.c
@@ -250,22 +250,46 @@ static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this)
}
/**
- * Check if child_cfg contains traffic selectors
+ * Check how good a list of TS matches a given child config
*/
-static int contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts,
- host_t *host)
+static int get_ts_match(child_cfg_t *cfg, bool local,
+ linked_list_t *sup_list, host_t *host)
{
- linked_list_t *selected;
- int prio;
+ linked_list_t *cfg_list;
+ enumerator_t *sup_enum, *cfg_enum;
+ traffic_selector_t *sup_ts, *cfg_ts;
+ int match = 0, round;
- if (child->equal_traffic_selectors(child, mine, ts, host))
+ /* fetch configured TS list, narrowing dynamic TS */
+ cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
+
+ /* use a round counter to rate leading TS with higher priority */
+ round = sup_list->get_count(sup_list);
+
+ sup_enum = sup_list->create_enumerator(sup_list);
+ while (sup_enum->enumerate(sup_enum, &sup_ts))
{
- return 2;
+ cfg_enum = cfg_list->create_enumerator(cfg_list);
+ while (cfg_enum->enumerate(cfg_enum, &cfg_ts))
+ {
+ if (cfg_ts->equals(cfg_ts, sup_ts))
+ { /* equality is honored better than matches */
+ match += round * 5;
+ }
+ else if (cfg_ts->is_contained_in(cfg_ts, sup_ts) ||
+ sup_ts->is_contained_in(sup_ts, cfg_ts))
+ {
+ match += round * 1;
+ }
+ }
+ cfg_enum->destroy(cfg_enum);
+ round--;
}
- selected = child->get_traffic_selectors(child, mine, ts, host);
- prio = selected->get_count(selected) ? 1 : 0;
- selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy));
- return prio;
+ sup_enum->destroy(sup_enum);
+
+ cfg_list->destroy_offset(cfg_list, offsetof(traffic_selector_t, destroy));
+
+ return match;
}
/**
@@ -279,21 +303,23 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this,
child_cfg_t *current, *found = NULL;
enumerator_t *enumerator;
int best = 0;
-
- DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
+
+ DBG2(DBG_CFG, "looking for a child config for %#R=== %#R", my_ts, other_ts);
enumerator = create_child_cfg_enumerator(this);
while (enumerator->enumerate(enumerator, &current))
{
- int prio = contains_ts(current, TRUE, my_ts, my_host) +
- contains_ts(current, FALSE, other_ts, other_host);
-
- if (prio)
+ int my_prio, other_prio;
+
+ my_prio = get_ts_match(current, TRUE, my_ts, my_host);
+ other_prio = get_ts_match(current, FALSE, other_ts, other_host);
+
+ if (my_prio && other_prio)
{
- DBG2(DBG_CFG, " candidate \"%s\" with prio %d",
- current->get_name(current), prio);
- if (prio > best)
+ DBG2(DBG_CFG, " candidate \"%s\" with prio %d+%d",
+ current->get_name(current), my_prio, other_prio);
+ if (my_prio + other_prio > best)
{
- best = prio;
+ best = my_prio + other_prio;
DESTROY_IF(found);
found = current->get_ref(current);
}
@@ -637,7 +663,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
this->ike_version = ike_version;
this->ike_cfg = ike_cfg;
this->child_cfgs = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->cert_policy = cert_policy;
this->unique = unique;
this->keyingtries = keyingtries;
diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c
index e2dfcca4f..cf7e19605 100644
--- a/src/charon/config/proposal.c
+++ b/src/charon/config/proposal.c
@@ -266,6 +266,9 @@ static bool is_authenticated_encryption(u_int16_t alg)
case ENCR_AES_GCM_ICV8:
case ENCR_AES_GCM_ICV12:
case ENCR_AES_GCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV16:
return TRUE;
}
return FALSE;
diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c
index 776dbe599..0967cbc81 100644
--- a/src/charon/credentials/credential_manager.c
+++ b/src/charon/credentials/credential_manager.c
@@ -1591,7 +1591,7 @@ credential_manager_t *credential_manager_create()
this->cache = cert_cache_create();
this->cache_queue = linked_list_create();
this->sets->insert_first(this->sets, this->cache);
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/charon/credentials/sets/cert_cache.c b/src/charon/credentials/sets/cert_cache.c
index 907f5072f..dee0463e6 100644
--- a/src/charon/credentials/sets/cert_cache.c
+++ b/src/charon/credentials/sets/cert_cache.c
@@ -383,7 +383,7 @@ cert_cache_t *cert_cache_create()
this->relations[i].subject = NULL;
this->relations[i].issuer = NULL;
this->relations[i].hits = 0;
- this->relations[i].lock = rwlock_create(RWLOCK_DEFAULT);
+ this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
}
return &this->public;
}
diff --git a/src/charon/daemon.c b/src/charon/daemon.c
index c646ef9b4..0689c448e 100644
--- a/src/charon/daemon.c
+++ b/src/charon/daemon.c
@@ -20,7 +20,9 @@
#ifdef HAVE_PRCTL
#include <sys/prctl.h>
#endif
+#define _POSIX_PTHREAD_SEMANTICS /* for two param sigwait on OpenSolaris */
#include <signal.h>
+#undef _POSIX_PTHREAD_SEMANTICS
#include <pthread.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -42,10 +44,9 @@
#include <config/traffic_selector.h>
#include <config/proposal.h>
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips/fips_signature.h>
-#endif /* INTEGRITY_TEST */
+#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
typedef struct private_daemon_t private_daemon_t;
@@ -469,6 +470,13 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")");
+ if (lib->integrity)
+ {
+ DBG1(DBG_DMN, "integrity tests enabled:");
+ DBG1(DBG_DMN, "lib 'libstrongswan': passed file and segment integrity tests");
+ DBG1(DBG_DMN, "daemon 'charon': passed file integrity test");
+ }
+
/* load secrets, ca certificates and crls */
this->public.processor = processor_create();
this->public.scheduler = scheduler_create();
@@ -487,19 +495,6 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[])
lib->settings->get_str(lib->settings, "charon.load", PLUGINS));
print_plugins();
-
-#ifdef INTEGRITY_TEST
- DBG1(DBG_DMN, "integrity test of libstrongswan code");
- if (fips_verify_hmac_signature(hmac_key, hmac_signature))
- {
- DBG1(DBG_DMN, " integrity test passed");
- }
- else
- {
- DBG1(DBG_DMN, " integrity test failed");
- return FALSE;
- }
-#endif /* INTEGRITY_TEST */
this->public.ike_sa_manager = ike_sa_manager_create();
if (this->public.ike_sa_manager == NULL)
@@ -686,7 +681,20 @@ int main(int argc, char *argv[])
dbg = dbg_stderr;
/* initialize library */
- library_init(STRONGSWAN_CONF);
+ if (!library_init(STRONGSWAN_CONF))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "charon", argv[0]))
+ {
+ dbg_stderr(1, "integrity check of charon failed");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
+
lib->printf_hook->add_handler(lib->printf_hook, 'R',
traffic_selector_printf_hook,
PRINTF_HOOK_ARGTYPE_POINTER,
@@ -757,7 +765,7 @@ int main(int argc, char *argv[])
{
DBG1(DBG_DMN, "initialization failed - aborting charon");
destroy(private_charon);
- exit(-1);
+ exit(SS_RC_INITIALIZATION_FAILED);
}
if (check_pidfile())
diff --git a/src/charon/kernel/kernel_interface.c b/src/charon/kernel/kernel_interface.c
index 5188b79fe..53ae1d200 100644
--- a/src/charon/kernel/kernel_interface.c
+++ b/src/charon/kernel/kernel_interface.c
@@ -104,6 +104,19 @@ static status_t update_sa(private_kernel_interface_t *this, u_int32_t spi,
}
/**
+ * Implementation of kernel_interface_t.query_sa
+ */
+static status_t query_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+{
+ if (!this->ipsec)
+ {
+ return NOT_SUPPORTED;
+ }
+ return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes);
+}
+
+/**
* Implementation of kernel_interface_t.del_sa
*/
static status_t del_sa(private_kernel_interface_t *this, host_t *src, host_t *dst,
@@ -387,6 +400,7 @@ kernel_interface_t *kernel_interface_create()
this->public.get_cpi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.update_sa = (status_t(*)(kernel_interface_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h
index 8c58c959a..c4a273a34 100644
--- a/src/charon/kernel/kernel_interface.h
+++ b/src/charon/kernel/kernel_interface.h
@@ -141,6 +141,19 @@ struct kernel_interface_t {
bool encap, bool new_encap);
/**
+ * Query the number of bytes processed by an SA from the SAD.
+ *
+ * @param src source address for this SA
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param[out] bytes the number of bytes processed by SA
+ * @return SUCCESS if operation completed
+ */
+ status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+
+ /**
* Delete a previously installed SA from the SAD.
*
* @param src source address for this SA
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
index 6e8c5bc63..d6438c197 100644
--- a/src/charon/kernel/kernel_ipsec.h
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -171,6 +171,19 @@ struct kernel_ipsec_t {
bool encap, bool new_encap);
/**
+ * Query the number of bytes processed by an SA from the SAD.
+ *
+ * @param src source address for this SA
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param[out] bytes the number of bytes processed by SA
+ * @return SUCCESS if operation completed
+ */
+ status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes);
+
+ /**
* Delete a previusly installed SA from the SAD.
*
* @param src source address for this SA
diff --git a/src/charon/network/sender.c b/src/charon/network/sender.c
index 4910fe2e8..19f589115 100644
--- a/src/charon/network/sender.c
+++ b/src/charon/network/sender.c
@@ -139,9 +139,9 @@ sender_t * sender_create()
this->public.destroy = (void(*)(sender_t*)) destroy;
this->list = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->got = condvar_create(CONDVAR_DEFAULT);
- this->sent = condvar_create(CONDVAR_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->got = condvar_create(CONDVAR_TYPE_DEFAULT);
+ this->sent = condvar_create(CONDVAR_TYPE_DEFAULT);
this->job = callback_job_create((callback_job_cb_t)send_packets,
this, NULL, NULL);
diff --git a/src/charon/network/socket.c b/src/charon/network/socket.c
index 8627ca76d..97c88be79 100644
--- a/src/charon/network/socket.c
+++ b/src/charon/network/socket.c
@@ -18,6 +18,10 @@
/* for struct in6_pktinfo */
#define _GNU_SOURCE
+#ifdef __sun
+#define _XPG4_2
+#define __EXTENSIONS__
+#endif
#include <pthread.h>
#include <sys/types.h>
@@ -34,6 +38,9 @@
#include <netinet/ip6.h>
#include <netinet/udp.h>
#include <net/if.h>
+#ifdef __APPLE__
+#include <sys/sysctl.h>
+#endif
#include "socket.h"
@@ -431,7 +438,6 @@ status_t sender(private_socket_t *this, packet_t *packet)
static int open_socket(private_socket_t *this, int family, u_int16_t port)
{
int on = TRUE;
- int type = UDP_ENCAP_ESPINUDP;
struct sockaddr_storage addr;
socklen_t addrlen;
u_int sol, pktinfo = 0;
@@ -502,13 +508,18 @@ static int open_socket(private_socket_t *this, int family, u_int16_t port)
return 0;
}
}
-
- /* enable UDP decapsulation globally, only for one socket needed */
- if (family == AF_INET && port == IKEV2_NATT_PORT &&
- setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+
+#ifndef __APPLE__
{
- DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+ /* enable UDP decapsulation globally, only for one socket needed */
+ int type = UDP_ENCAP_ESPINUDP;
+ if (family == AF_INET && port == IKEV2_NATT_PORT &&
+ setsockopt(skt, SOL_UDP, UDP_ENCAP, &type, sizeof(type)) < 0)
+ {
+ DBG1(DBG_NET, "unable to set UDP_ENCAP: %s", strerror(errno));
+ }
}
+#endif
return skt;
}
@@ -611,6 +622,18 @@ socket_t *socket_create()
this->ipv6 = 0;
this->ipv4_natt = 0;
this->ipv6_natt = 0;
+
+#ifdef __APPLE__
+ {
+ int natt_port = IKEV2_NATT_PORT;
+ if (sysctlbyname("net.inet.ipsec.esp_port", NULL, NULL, &natt_port,
+ sizeof(natt_port)) != 0)
+ {
+ DBG1(DBG_NET, "could not set net.inet.ipsec.esp_port to %d: %s",
+ natt_port, strerror(errno));
+ }
+ }
+#endif
this->ipv4 = open_socket(this, AF_INET, IKEV2_UDP_PORT);
if (this->ipv4 == 0)
diff --git a/src/charon/plugins/attr/Makefile.am b/src/charon/plugins/attr/Makefile.am
index d5eb99d9f..b4b3b7da6 100644
--- a/src/charon/plugins/attr/Makefile.am
+++ b/src/charon/plugins/attr/Makefile.am
@@ -6,4 +6,4 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-attr.la
libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
attr_provider.h attr_provider.c
-libstrongswan_attr_la_LDFLAGS = -module
+libstrongswan_attr_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/attr/Makefile.in b/src/charon/plugins/attr/Makefile.in
index c0467054e..5c94771e1 100644
--- a/src/charon/plugins/attr/Makefile.in
+++ b/src/charon/plugins/attr/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-attr.la
libstrongswan_attr_la_SOURCES = attr_plugin.h attr_plugin.c \
attr_provider.h attr_provider.c
-libstrongswan_attr_la_LDFLAGS = -module
+libstrongswan_attr_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_aka/Makefile.am b/src/charon/plugins/eap_aka/Makefile.am
index e1ad1eaf9..1a3ea1857 100644
--- a/src/charon/plugins/eap_aka/Makefile.am
+++ b/src/charon/plugins/eap_aka/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapaka.la
libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
-libstrongswan_eapaka_la_LDFLAGS = -module
+libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
libstrongswan_eapaka_la_LIBADD = -lgmp
diff --git a/src/charon/plugins/eap_aka/Makefile.in b/src/charon/plugins/eap_aka/Makefile.in
index 74d49ac73..2d2405379 100644
--- a/src/charon/plugins/eap_aka/Makefile.in
+++ b/src/charon/plugins/eap_aka/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapaka.la
libstrongswan_eapaka_la_SOURCES = eap_aka_plugin.h eap_aka_plugin.c eap_aka.h eap_aka.c
-libstrongswan_eapaka_la_LDFLAGS = -module
+libstrongswan_eapaka_la_LDFLAGS = -module -avoid-version
libstrongswan_eapaka_la_LIBADD = -lgmp
all: all-am
diff --git a/src/charon/plugins/eap_gtc/Makefile.am b/src/charon/plugins/eap_gtc/Makefile.am
index 1057bd506..547a8dfc5 100644
--- a/src/charon/plugins/eap_gtc/Makefile.am
+++ b/src/charon/plugins/eap_gtc/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapgtc.la
libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
+libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam
diff --git a/src/charon/plugins/eap_gtc/Makefile.in b/src/charon/plugins/eap_gtc/Makefile.in
index 19d648bbd..46d438a97 100644
--- a/src/charon/plugins/eap_gtc/Makefile.in
+++ b/src/charon/plugins/eap_gtc/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapgtc.la
libstrongswan_eapgtc_la_SOURCES = eap_gtc_plugin.h eap_gtc_plugin.c eap_gtc.h eap_gtc.c
-libstrongswan_eapgtc_la_LDFLAGS = -module -lpam
+libstrongswan_eapgtc_la_LDFLAGS = -module -avoid-version -lpam
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_identity/Makefile.am b/src/charon/plugins/eap_identity/Makefile.am
index dbf66e74b..79ddee3e8 100644
--- a/src/charon/plugins/eap_identity/Makefile.am
+++ b/src/charon/plugins/eap_identity/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapidentity.la
libstrongswan_eapidentity_la_SOURCES = \
eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
-libstrongswan_eapidentity_la_LDFLAGS = -module
+libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/eap_identity/Makefile.in b/src/charon/plugins/eap_identity/Makefile.in
index f275cd770..0adb9ce10 100644
--- a/src/charon/plugins/eap_identity/Makefile.in
+++ b/src/charon/plugins/eap_identity/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-eapidentity.la
libstrongswan_eapidentity_la_SOURCES = \
eap_identity_plugin.h eap_identity_plugin.c eap_identity.h eap_identity.c
-libstrongswan_eapidentity_la_LDFLAGS = -module
+libstrongswan_eapidentity_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_md5/Makefile.am b/src/charon/plugins/eap_md5/Makefile.am
index d7964fee9..8bad64368 100644
--- a/src/charon/plugins/eap_md5/Makefile.am
+++ b/src/charon/plugins/eap_md5/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapmd5.la
libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eapmd5_la_LDFLAGS = -module
+libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/eap_md5/Makefile.in b/src/charon/plugins/eap_md5/Makefile.in
index 372b80b3e..c11837b91 100644
--- a/src/charon/plugins/eap_md5/Makefile.in
+++ b/src/charon/plugins/eap_md5/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-eapmd5.la
libstrongswan_eapmd5_la_SOURCES = eap_md5_plugin.h eap_md5_plugin.c eap_md5.h eap_md5.c
-libstrongswan_eapmd5_la_LDFLAGS = -module
+libstrongswan_eapmd5_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.am b/src/charon/plugins/eap_mschapv2/Makefile.am
index 6ab931905..179da70fc 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.am
+++ b/src/charon/plugins/eap_mschapv2/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-eapmschapv2.la
libstrongswan_eapmschapv2_la_SOURCES = \
eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
eap_mschapv2.h eap_mschapv2.c
-libstrongswan_eapmschapv2_la_LDFLAGS = -module
+libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/eap_mschapv2/Makefile.in b/src/charon/plugins/eap_mschapv2/Makefile.in
index 5ae41d896..d6dd74b88 100644
--- a/src/charon/plugins/eap_mschapv2/Makefile.in
+++ b/src/charon/plugins/eap_mschapv2/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_eapmschapv2_la_SOURCES = \
eap_mschapv2_plugin.h eap_mschapv2_plugin.c \
eap_mschapv2.h eap_mschapv2.c
-libstrongswan_eapmschapv2_la_LDFLAGS = -module
+libstrongswan_eapmschapv2_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_radius/Makefile.am b/src/charon/plugins/eap_radius/Makefile.am
index f7de2f14f..df5c94656 100644
--- a/src/charon/plugins/eap_radius/Makefile.am
+++ b/src/charon/plugins/eap_radius/Makefile.am
@@ -10,5 +10,5 @@ libstrongswan_eapradius_la_SOURCES = \
eap_radius.h eap_radius.c \
radius_client.h radius_client.c \
radius_message.h radius_message.c
-libstrongswan_eapradius_la_LDFLAGS = -module
+libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/eap_radius/Makefile.in b/src/charon/plugins/eap_radius/Makefile.in
index e7a4cd0f8..c30111fad 100644
--- a/src/charon/plugins/eap_radius/Makefile.in
+++ b/src/charon/plugins/eap_radius/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -229,7 +234,7 @@ libstrongswan_eapradius_la_SOURCES = \
radius_client.h radius_client.c \
radius_message.h radius_message.c
-libstrongswan_eapradius_la_LDFLAGS = -module
+libstrongswan_eapradius_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_radius/eap_radius.c b/src/charon/plugins/eap_radius/eap_radius.c
index ee2477440..deb3b648b 100644
--- a/src/charon/plugins/eap_radius/eap_radius.c
+++ b/src/charon/plugins/eap_radius/eap_radius.c
@@ -66,6 +66,11 @@ struct private_eap_radius_t {
* TRUE to use EAP-Start, FALSE to send EAP-Identity Response directly
*/
bool eap_start;
+
+ /**
+ * Prefix to prepend to EAP identity
+ */
+ char *id_prefix;
};
/**
@@ -86,18 +91,20 @@ static void add_eap_identity(private_eap_radius_t *this,
/** identity data */
u_int8_t data[];
} __attribute__((__packed__)) *hdr;
- chunk_t id;
+ chunk_t id, prefix;
size_t len;
id = this->peer->get_encoding(this->peer);
- len = sizeof(*hdr) + id.len;
+ prefix = chunk_create(this->id_prefix, strlen(this->id_prefix));
+ len = sizeof(*hdr) + prefix.len + id.len;
hdr = alloca(len);
hdr->code = EAP_RESPONSE;
hdr->identifier = 0;
hdr->length = htons(len);
hdr->type = EAP_IDENTITY;
- memcpy(hdr->data, id.ptr, id.len);
+ memcpy(hdr->data, prefix.ptr, prefix.len);
+ memcpy(hdr->data + prefix.len, id.ptr, id.len);
request->add(request, RAT_EAP_MESSAGE, chunk_create((u_char*)hdr, len));
}
@@ -136,9 +143,12 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
{
radius_message_t *request, *response;
status_t status = FAILED;
+ chunk_t username;
request = radius_message_create_request();
- request->add(request, RAT_USER_NAME, this->peer->get_encoding(this->peer));
+ username = chunk_create(this->id_prefix, strlen(this->id_prefix));
+ username = chunk_cata("cc", username, this->peer->get_encoding(this->peer));
+ request->add(request, RAT_USER_NAME, username);
if (this->eap_start)
{
@@ -283,7 +293,8 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer
this->msk = chunk_empty;
this->eap_start = lib->settings->get_bool(lib->settings,
"charon.plugins.eap_radius.eap_start", FALSE);
-
+ this->id_prefix = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap_radius.id_prefix", "");
return &this->public;
}
diff --git a/src/charon/plugins/eap_radius/radius_client.c b/src/charon/plugins/eap_radius/radius_client.c
index 57d3f8f21..de1bafc6d 100644
--- a/src/charon/plugins/eap_radius/radius_client.c
+++ b/src/charon/plugins/eap_radius/radius_client.c
@@ -161,8 +161,8 @@ bool radius_client_init()
"charon.plugins.eap_radius.sockets", 1);
sockets = linked_list_create();
- mutex = mutex_create(MUTEX_DEFAULT);
- condvar = condvar_create(CONDVAR_DEFAULT);
+ mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
for (i = 0; i < count; i++)
{
fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP);
@@ -353,6 +353,7 @@ static radius_message_t* request(private_radius_client_t *this,
}
DBG1(DBG_CFG, "RADIUS server is not responding");
put_socket(socket);
+ charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING);
return NULL;
}
diff --git a/src/charon/plugins/eap_sim/Makefile.am b/src/charon/plugins/eap_sim/Makefile.am
index 6cb53ebb5..e503bddab 100644
--- a/src/charon/plugins/eap_sim/Makefile.am
+++ b/src/charon/plugins/eap_sim/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la
libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
eap_sim_plugin.h eap_sim_plugin.c
-libstrongswan_eapsim_la_LDFLAGS = -module
+libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/eap_sim/Makefile.in b/src/charon/plugins/eap_sim/Makefile.in
index 2374567bc..8f6daacad 100644
--- a/src/charon/plugins/eap_sim/Makefile.in
+++ b/src/charon/plugins/eap_sim/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-eapsim.la
libstrongswan_eapsim_la_SOURCES = eap_sim.h eap_sim.c \
eap_sim_plugin.h eap_sim_plugin.c
-libstrongswan_eapsim_la_LDFLAGS = -module
+libstrongswan_eapsim_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_sim_file/Makefile.am b/src/charon/plugins/eap_sim_file/Makefile.am
index fc3a0fa14..1cd1dd9e2 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.am
+++ b/src/charon/plugins/eap_sim_file/Makefile.am
@@ -10,5 +10,5 @@ libstrongswan_eapsim_file_la_SOURCES = \
eap_sim_file_card.h eap_sim_file_card.c \
eap_sim_file_provider.h eap_sim_file_provider.c \
eap_sim_file_triplets.h eap_sim_file_triplets.c
-libstrongswan_eapsim_file_la_LDFLAGS = -module
+libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/eap_sim_file/Makefile.in b/src/charon/plugins/eap_sim_file/Makefile.in
index 554b3a7bc..b19cc839f 100644
--- a/src/charon/plugins/eap_sim_file/Makefile.in
+++ b/src/charon/plugins/eap_sim_file/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -230,7 +235,7 @@ libstrongswan_eapsim_file_la_SOURCES = \
eap_sim_file_provider.h eap_sim_file_provider.c \
eap_sim_file_triplets.h eap_sim_file_triplets.c
-libstrongswan_eapsim_file_la_LDFLAGS = -module
+libstrongswan_eapsim_file_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
index d093851c2..e27ed6860 100644
--- a/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
+++ b/src/charon/plugins/eap_sim_file/eap_sim_file_triplets.c
@@ -251,7 +251,7 @@ eap_sim_file_triplets_t *eap_sim_file_triplets_create(char *file)
this->public.destroy = (void(*)(eap_sim_file_triplets_t*))destroy;
this->triplets = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
read_triplets(this, file);
diff --git a/src/charon/plugins/kernel_klips/Makefile.am b/src/charon/plugins/kernel_klips/Makefile.am
index dc0234775..0c0987cca 100644
--- a/src/charon/plugins/kernel_klips/Makefile.am
+++ b/src/charon/plugins/kernel_klips/Makefile.am
@@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
-libstrongswan_kernel_klips_la_LDFLAGS = -module
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_klips/Makefile.in b/src/charon/plugins/kernel_klips/Makefile.in
index a1efe9d5a..4b1c27352 100644
--- a/src/charon/plugins/kernel_klips/Makefile.in
+++ b/src/charon/plugins/kernel_klips/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-klips.la
libstrongswan_kernel_klips_la_SOURCES = kernel_klips_plugin.h kernel_klips_plugin.c \
kernel_klips_ipsec.h kernel_klips_ipsec.c pfkeyv2.h
-libstrongswan_kernel_klips_la_LDFLAGS = -module
+libstrongswan_kernel_klips_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
index c69ce4c9a..9a903d027 100644
--- a/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
+++ b/src/charon/plugins/kernel_klips/kernel_klips_ipsec.c
@@ -1934,6 +1934,16 @@ static status_t update_sa(private_kernel_klips_ipsec_t *this,
}
/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_klips_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int64_t *bytes)
+{
+ return NOT_SUPPORTED; /* TODO */
+}
+
+/**
* Implementation of kernel_interface_t.del_sa.
*/
static status_t del_sa(private_kernel_klips_ipsec_t *this, host_t *src,
@@ -2609,6 +2619,7 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
@@ -2621,8 +2632,8 @@ kernel_klips_ipsec_t *kernel_klips_ipsec_create()
this->allocated_spis = linked_list_create();
this->installed_sas = linked_list_create();
this->ipsec_devices = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
this->install_routes = lib->settings->get_bool(lib->settings, "charon.install_routes", TRUE);
this->seq = 0;
diff --git a/src/charon/plugins/kernel_netlink/Makefile.am b/src/charon/plugins/kernel_netlink/Makefile.am
index e0efe5779..6351280d6 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.am
+++ b/src/charon/plugins/kernel_netlink/Makefile.am
@@ -8,4 +8,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-netlink.la
libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink_plugin.c \
kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
kernel_netlink_shared.h kernel_netlink_shared.c
-libstrongswan_kernel_netlink_la_LDFLAGS = -module
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_netlink/Makefile.in b/src/charon/plugins/kernel_netlink/Makefile.in
index b97738bff..46d2a1c65 100644
--- a/src/charon/plugins/kernel_netlink/Makefile.in
+++ b/src/charon/plugins/kernel_netlink/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -228,7 +233,7 @@ libstrongswan_kernel_netlink_la_SOURCES = kernel_netlink_plugin.h kernel_netlink
kernel_netlink_ipsec.h kernel_netlink_ipsec.c kernel_netlink_net.h kernel_netlink_net.c \
kernel_netlink_shared.h kernel_netlink_shared.c
-libstrongswan_kernel_netlink_la_LDFLAGS = -module
+libstrongswan_kernel_netlink_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 9322d8dfe..2051316f6 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -984,16 +984,20 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
break;
case ENCR_AES_CCM_ICV16:
case ENCR_AES_GCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV16:
icv_size += 32;
/* FALL */
case ENCR_AES_CCM_ICV12:
case ENCR_AES_GCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV12:
icv_size += 32;
/* FALL */
case ENCR_AES_CCM_ICV8:
case ENCR_AES_GCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV8:
{
- rthdr->rta_type = XFRMA_ALG_AEAD;
+ struct xfrm_algo_aead *algo;
+
alg_name = lookup_algorithm(encryption_algs, enc_alg);
if (alg_name == NULL)
{
@@ -1004,6 +1008,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
encryption_algorithm_names, enc_alg, enc_key.len * 8);
+ rthdr->rta_type = XFRMA_ALG_AEAD;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + enc_key.len);
hdr->nlmsg_len += rthdr->rta_len;
if (hdr->nlmsg_len > sizeof(request))
@@ -1011,7 +1016,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
return FAILED;
}
- struct xfrm_algo_aead* algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
+ algo = (struct xfrm_algo_aead*)RTA_DATA(rthdr);
algo->alg_key_len = enc_key.len * 8;
algo->alg_icv_len = icv_size;
strcpy(algo->alg_name, alg_name);
@@ -1022,7 +1027,8 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
}
default:
{
- rthdr->rta_type = XFRMA_ALG_CRYPT;
+ struct xfrm_algo *algo;
+
alg_name = lookup_algorithm(encryption_algs, enc_alg);
if (alg_name == NULL)
{
@@ -1033,6 +1039,7 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
DBG2(DBG_KNL, " using encryption algorithm %N with key size %d",
encryption_algorithm_names, enc_alg, enc_key.len * 8);
+ rthdr->rta_type = XFRMA_ALG_CRYPT;
rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + enc_key.len);
hdr->nlmsg_len += rthdr->rta_len;
if (hdr->nlmsg_len > sizeof(request))
@@ -1040,13 +1047,12 @@ static status_t add_sa(private_kernel_netlink_ipsec_t *this,
return FAILED;
}
- struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr);
+ algo = (struct xfrm_algo*)RTA_DATA(rthdr);
algo->alg_key_len = enc_key.len * 8;
strcpy(algo->alg_name, alg_name);
memcpy(algo->alg_key, enc_key.ptr, enc_key.len);
rthdr = XFRM_RTA_NEXT(rthdr);
- break;
}
}
@@ -1230,6 +1236,74 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this,
}
/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int64_t *bytes)
+{
+ netlink_buf_t request;
+ struct nlmsghdr *out = NULL, *hdr;
+ struct xfrm_usersa_id *sa_id;
+ struct xfrm_usersa_info *sa = NULL;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+ hdr = (struct nlmsghdr*)request;
+ hdr->nlmsg_flags = NLM_F_REQUEST;
+ hdr->nlmsg_type = XFRM_MSG_GETSA;
+ hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id));
+
+ sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr);
+ host2xfrm(dst, &sa_id->daddr);
+ sa_id->spi = spi;
+ sa_id->proto = proto_ike2kernel(protocol);
+ sa_id->family = dst->get_family(dst);
+
+ if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
+ {
+ hdr = out;
+ while (NLMSG_OK(hdr, len))
+ {
+ switch (hdr->nlmsg_type)
+ {
+ case XFRM_MSG_NEWSA:
+ {
+ sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr);
+ break;
+ }
+ case NLMSG_ERROR:
+ {
+ struct nlmsgerr *err = NLMSG_DATA(hdr);
+ DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)",
+ ntohl(spi), strerror(-err->error), -err->error);
+ break;
+ }
+ default:
+ hdr = NLMSG_NEXT(hdr, len);
+ continue;
+ case NLMSG_DONE:
+ break;
+ }
+ break;
+ }
+ }
+
+ if (sa == NULL)
+ {
+ DBG2(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+ free(out);
+ return FAILED;
+ }
+ *bytes = sa->curlft.bytes;
+
+ free(out);
+ return SUCCESS;
+}
+/**
* Implementation of kernel_interface_t.del_sa.
*/
static status_t del_sa(private_kernel_netlink_ipsec_t *this, host_t *src,
@@ -1888,6 +1962,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
@@ -1897,7 +1972,7 @@ kernel_netlink_ipsec_t *kernel_netlink_ipsec_create()
/* private members */
this->policies = hashtable_create((hashtable_hash_t)policy_hash,
(hashtable_equals_t)policy_equals, 32);
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->install_routes = lib->settings->get_bool(lib->settings,
"charon.install_routes", TRUE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
index 32154a7ea..e5c0b5da7 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -1370,8 +1370,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
/* private members */
this->ifaces = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->condvar = condvar_create(CONDVAR_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
timerclear(&this->last_roam);
this->routing_table = lib->settings->get_int(lib->settings,
"charon.routing_table", IPSEC_ROUTING_TABLE);
diff --git a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
index 7ef7cc56e..ec1187083 100644
--- a/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/charon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -255,7 +255,7 @@ netlink_socket_t *netlink_socket_create(int protocol) {
/* private members */
this->seq = 200;
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
memset(&addr, 0, sizeof(addr));
addr.nl_family = AF_NETLINK;
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.am b/src/charon/plugins/kernel_pfkey/Makefile.am
index c9d66b5de..e03a0ca02 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.am
+++ b/src/charon/plugins/kernel_pfkey/Makefile.am
@@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_pfkey/Makefile.in b/src/charon/plugins/kernel_pfkey/Makefile.in
index df2492ef7..e01510127 100644
--- a/src/charon/plugins/kernel_pfkey/Makefile.in
+++ b/src/charon/plugins/kernel_pfkey/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfkey.la
libstrongswan_kernel_pfkey_la_SOURCES = kernel_pfkey_plugin.h kernel_pfkey_plugin.c \
kernel_pfkey_ipsec.h kernel_pfkey_ipsec.c
-libstrongswan_kernel_pfkey_la_LDFLAGS = -module
+libstrongswan_kernel_pfkey_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 56f0320dc..1f83e8f39 100644
--- a/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/charon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -17,6 +17,10 @@
#include <sys/types.h>
#include <sys/socket.h>
+#ifdef __FreeBSD__
+#include <limits.h> /* for LONG_MAX */
+#endif
+
#ifdef HAVE_NET_PFKEYV2_H
#include <net/pfkeyv2.h>
#else
@@ -37,11 +41,11 @@
#endif
#ifdef HAVE_NATT
-#ifdef HAVE_NETINET_UDP_H
-#include <netinet/udp.h>
-#else
+#ifdef HAVE_LINUX_UDP_H
#include <linux/udp.h>
-#endif /*HAVE_NETINET_UDP_H*/
+#else
+#include <netinet/udp.h>
+#endif /*HAVE_LINUX_UDP_H*/
#endif /*HAVE_NATT*/
#include <unistd.h>
@@ -89,7 +93,7 @@
#define IP_IPSEC_POLICY 16
#endif
-/* missing on uclibc */
+/** missing on uclibc */
#ifndef IPV6_IPSEC_POLICY
#define IPV6_IPSEC_POLICY 34
#endif
@@ -98,6 +102,17 @@
#define PRIO_LOW 3000
#define PRIO_HIGH 2000
+#ifdef __APPLE__
+/** from xnu/bsd/net/pfkeyv2.h */
+#define SADB_X_EXT_NATT 0x002
+ struct sadb_sa_2 {
+ struct sadb_sa sa;
+ u_int16_t sadb_sa_natt_port;
+ u_int16_t sadb_reserved0;
+ u_int32_t sadb_reserved1;
+ };
+#endif
+
/** buffer size for PF_KEY messages */
#define PFKEY_BUFFER_SIZE 4096
@@ -467,7 +482,7 @@ static u_int8_t dir2kernel(policy_dir_t dir)
return IPSEC_DIR_FWD;
#endif
default:
- return dir;
+ return IPSEC_DIR_INVALID;
}
}
@@ -693,7 +708,7 @@ static status_t parse_pfkey_message(struct sadb_msg *msg, pfkey_msg_t *out)
while (len >= PFKEY_LEN(sizeof(struct sadb_ext)))
{
- DBG2(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
+ DBG3(DBG_KNL, " %N", sadb_ext_type_names, ext->sadb_ext_type);
if (ext->sadb_ext_len < PFKEY_LEN(sizeof(struct sadb_ext)) ||
ext->sadb_ext_len > len)
{
@@ -740,6 +755,8 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
this->mutex_pfkey->lock(this->mutex_pfkey);
+ /* FIXME: our usage of sequence numbers is probably wrong. check RFC 2367,
+ * in particular the behavior in response to an SADB_ACQUIRE. */
in->sadb_msg_seq = ++this->seq;
in->sadb_msg_pid = getpid();
@@ -801,14 +818,23 @@ static status_t pfkey_send_socket(private_kernel_pfkey_ipsec_t *this, int socket
}
if (msg->sadb_msg_seq != this->seq)
{
- DBG1(DBG_KNL, "received PF_KEY message with invalid sequence number, "
- "was %d expected %d", msg->sadb_msg_seq, this->seq);
- if (msg->sadb_msg_seq < this->seq)
+ DBG1(DBG_KNL, "received PF_KEY message with unexpected sequence "
+ "number, was %d expected %d", msg->sadb_msg_seq, this->seq);
+ if (msg->sadb_msg_seq == 0)
+ {
+ /* FreeBSD and Mac OS X do this for the response to
+ * SADB_X_SPDGET (but not for the response to SADB_GET).
+ * FreeBSD: 'key_spdget' in /usr/src/sys/netipsec/key.c. */
+ }
+ else if (msg->sadb_msg_seq < this->seq)
{
continue;
}
- this->mutex_pfkey->unlock(this->mutex_pfkey);
- return FAILED;
+ else
+ {
+ this->mutex_pfkey->unlock(this->mutex_pfkey);
+ return FAILED;
+ }
}
if (msg->sadb_msg_type != in->sadb_msg_type)
{
@@ -1223,10 +1249,25 @@ static status_t add_sa(private_kernel_pfkey_ipsec_t *this,
msg->sadb_msg_type = inbound ? SADB_UPDATE : SADB_ADD;
msg->sadb_msg_satype = proto_ike2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
-
- sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+
+#ifdef __APPLE__
+ if (encap)
+ {
+ struct sadb_sa_2 *sa_2;
+ sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+ sa_2->sadb_sa_natt_port = dst->get_port(dst);
+ sa = &sa_2->sa;
+ sa->sadb_sa_flags |= SADB_X_EXT_NATT;
+ len = sizeof(struct sadb_sa_2);
+ }
+ else
+#endif
+ {
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ len = sizeof(struct sadb_sa);
+ }
sa->sadb_sa_exttype = SADB_EXT_SA;
- sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_len = PFKEY_LEN(len);
sa->sadb_sa_spi = spi;
sa->sadb_sa_replay = (protocol == IPPROTO_COMP) ? 0 : 32;
sa->sadb_sa_auth = lookup_algorithm(integrity_algs, int_alg);
@@ -1403,7 +1444,21 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
msg->sadb_msg_satype = proto_ike2satype(protocol);
msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+#ifdef __APPLE__
+ {
+ struct sadb_sa_2 *sa_2;
+ sa_2 = (struct sadb_sa_2*)PFKEY_EXT_ADD_NEXT(msg);
+ sa_2->sa.sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa_2));
+ memcpy(&sa_2->sa, response.sa, sizeof(struct sadb_sa));
+ if (encap)
+ {
+ sa_2->sadb_sa_natt_port = new_dst->get_port(new_dst);
+ sa_2->sa.sadb_sa_flags |= SADB_X_EXT_NATT;
+ }
+ }
+#else
PFKEY_EXT_COPY(msg, response.sa);
+#endif
PFKEY_EXT_COPY(msg, response.x_sa2);
PFKEY_EXT_COPY(msg, response.src);
@@ -1421,7 +1476,7 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
{
PFKEY_EXT_COPY(msg, response.key_auth);
}
-
+
#ifdef HAVE_NATT
if (new_encap)
{
@@ -1449,6 +1504,65 @@ static status_t update_sa(private_kernel_pfkey_ipsec_t *this,
}
/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int64_t *bytes)
+{
+ unsigned char request[PFKEY_BUFFER_SIZE];
+ struct sadb_msg *msg, *out;
+ struct sadb_sa *sa;
+ pfkey_msg_t response;
+ size_t len;
+
+ memset(&request, 0, sizeof(request));
+
+ DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi));
+
+ msg = (struct sadb_msg*)request;
+ msg->sadb_msg_version = PF_KEY_V2;
+ msg->sadb_msg_type = SADB_GET;
+ msg->sadb_msg_satype = proto_ike2satype(protocol);
+ msg->sadb_msg_len = PFKEY_LEN(sizeof(struct sadb_msg));
+
+ sa = (struct sadb_sa*)PFKEY_EXT_ADD_NEXT(msg);
+ sa->sadb_sa_exttype = SADB_EXT_SA;
+ sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
+ sa->sadb_sa_spi = spi;
+ PFKEY_EXT_ADD(msg, sa);
+
+ /* the Linux Kernel doesn't care for the src address, but other systems do
+ * (e.g. FreeBSD)
+ */
+ add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
+ add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
+
+ if (pfkey_send(this, msg, &out, &len) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+ return FAILED;
+ }
+ else if (out->sadb_msg_errno)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x: %s (%d)",
+ ntohl(spi), strerror(out->sadb_msg_errno), out->sadb_msg_errno);
+ free(out);
+ return FAILED;
+ }
+ else if (parse_pfkey_message(out, &response) != SUCCESS)
+ {
+ DBG1(DBG_KNL, "unable to query SAD entry with SPI %.8x", ntohl(spi));
+ free(out);
+ return FAILED;
+ }
+ *bytes = response.lft_current->sadb_lifetime_bytes;
+
+ free(out);
+ return SUCCESS;
+}
+
+/**
* Implementation of kernel_interface_t.del_sa.
*/
static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
@@ -1476,7 +1590,9 @@ static status_t del_sa(private_kernel_pfkey_ipsec_t *this, host_t *src,
sa->sadb_sa_spi = spi;
PFKEY_EXT_ADD(msg, sa);
- /* the Linux Kernel doesn't care for the src address, but other systems do (e.g. FreeBSD) */
+ /* the Linux Kernel doesn't care for the src address, but other systems do
+ * (e.g. FreeBSD)
+ */
add_addr_ext(msg, src, SADB_EXT_ADDRESS_SRC, 0, 0);
add_addr_ext(msg, dst, SADB_EXT_ADDRESS_DST, 0, 0);
@@ -1518,6 +1634,12 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
pfkey_msg_t response;
size_t len;
+ if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+ {
+ /* FWD policies are not supported on all platforms */
+ return SUCCESS;
+ }
+
/* create a policy */
policy = create_policy_entry(src_ts, dst_ts, direction, reqid);
@@ -1594,6 +1716,18 @@ static status_t add_policy(private_kernel_pfkey_ipsec_t *this,
add_addr_ext(msg, policy->dst.net, SADB_EXT_ADDRESS_DST, policy->dst.proto,
policy->dst.mask);
+#ifdef __FreeBSD__
+ { /* on FreeBSD a lifetime has to be defined to be able to later query
+ * the current use time. */
+ struct sadb_lifetime *lft;
+ lft = (struct sadb_lifetime*)PFKEY_EXT_ADD_NEXT(msg);
+ lft->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD;
+ lft->sadb_lifetime_len = PFKEY_LEN(sizeof(struct sadb_lifetime));
+ lft->sadb_lifetime_addtime = LONG_MAX;
+ PFKEY_EXT_ADD(msg, lft);
+ }
+#endif
+
this->mutex->unlock(this->mutex);
if (pfkey_send(this, msg, &out, &len) != SUCCESS)
@@ -1700,6 +1834,12 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
pfkey_msg_t response;
size_t len;
+ if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+ {
+ /* FWD policies are not supported on all platforms */
+ return NOT_FOUND;
+ }
+
DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
policy_dir_names, direction);
@@ -1764,6 +1904,13 @@ static status_t query_policy(private_kernel_pfkey_ipsec_t *this,
free(out);
return FAILED;
}
+ else if (response.lft_current == NULL)
+ {
+ DBG1(DBG_KNL, "unable to query policy %R === %R %N: kernel reports no "
+ "use time", src_ts, dst_ts, policy_dir_names, direction);
+ free(out);
+ return FAILED;
+ }
*use_time = response.lft_current->sadb_lifetime_usetime;
@@ -1787,6 +1934,12 @@ static status_t del_policy(private_kernel_pfkey_ipsec_t *this,
route_entry_t *route;
size_t len;
+ if (dir2kernel(direction) == IPSEC_DIR_INVALID)
+ {
+ /* FWD policies are not supported on all platforms */
+ return SUCCESS;
+ }
+
DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
policy_dir_names, direction);
@@ -1995,6 +2148,7 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t,protocol_id_t,u_int32_t,ipsec_mode_t,u_int16_t,u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
@@ -2004,8 +2158,8 @@ kernel_pfkey_ipsec_t *kernel_pfkey_ipsec_create()
/* private members */
this->policies = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->mutex_pfkey = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->mutex_pfkey = mutex_create(MUTEX_TYPE_DEFAULT);
this->install_routes = lib->settings->get_bool(lib->settings,
"charon.install_routes", TRUE);
this->seq = 0;
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.am b/src/charon/plugins/kernel_pfroute/Makefile.am
index 3ad445c09..b6e6587a7 100644
--- a/src/charon/plugins/kernel_pfroute/Makefile.am
+++ b/src/charon/plugins/kernel_pfroute/Makefile.am
@@ -7,4 +7,4 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
kernel_pfroute_net.h kernel_pfroute_net.c
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/kernel_pfroute/Makefile.in b/src/charon/plugins/kernel_pfroute/Makefile.in
index e585a7db2..05da8e271 100644
--- a/src/charon/plugins/kernel_pfroute/Makefile.in
+++ b/src/charon/plugins/kernel_pfroute/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ plugin_LTLIBRARIES = libstrongswan-kernel-pfroute.la
libstrongswan_kernel_pfroute_la_SOURCES = kernel_pfroute_plugin.h kernel_pfroute_plugin.c \
kernel_pfroute_net.h kernel_pfroute_net.c
-libstrongswan_kernel_pfroute_la_LDFLAGS = -module
+libstrongswan_kernel_pfroute_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
index c2b35a5ce..d5a864b1c 100644
--- a/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/charon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -681,8 +681,8 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
/* private members */
this->ifaces = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->mutex_pfroute = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->mutex_pfroute = mutex_create(MUTEX_TYPE_DEFAULT);
this->seq = 0;
diff --git a/src/charon/plugins/load_tester/Makefile.am b/src/charon/plugins/load_tester/Makefile.am
index 121f0b080..e6e04229a 100644
--- a/src/charon/plugins/load_tester/Makefile.am
+++ b/src/charon/plugins/load_tester/Makefile.am
@@ -13,5 +13,5 @@ libstrongswan_load_tester_la_SOURCES = \
load_tester_listener.c load_tester_listener.h \
load_tester_diffie_hellman.c load_tester_diffie_hellman.h
-libstrongswan_load_tester_la_LDFLAGS = -module
+libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/load_tester/Makefile.in b/src/charon/plugins/load_tester/Makefile.in
index 056ac16d3..3b494cea2 100644
--- a/src/charon/plugins/load_tester/Makefile.in
+++ b/src/charon/plugins/load_tester/Makefile.in
@@ -78,12 +78,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -188,7 +191,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -233,7 +238,7 @@ libstrongswan_load_tester_la_SOURCES = \
load_tester_listener.c load_tester_listener.h \
load_tester_diffie_hellman.c load_tester_diffie_hellman.h
-libstrongswan_load_tester_la_LDFLAGS = -module
+libstrongswan_load_tester_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/load_tester/load_tester_ipsec.c b/src/charon/plugins/load_tester/load_tester_ipsec.c
index d37f7a7bd..e463d2adc 100644
--- a/src/charon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/charon/plugins/load_tester/load_tester_ipsec.c
@@ -84,6 +84,16 @@ static status_t update_sa(private_load_tester_ipsec_t *this,
}
/**
+ * Implementation of kernel_interface_t.query_sa.
+ */
+static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src,
+ host_t *dst, u_int32_t spi, protocol_id_t protocol,
+ u_int64_t *bytes)
+{
+ return NOT_SUPPORTED;
+}
+
+/**
* Implementation of kernel_interface_t.del_sa.
*/
static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
@@ -151,6 +161,7 @@ load_tester_ipsec_t *load_tester_ipsec_create()
this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool))add_sa;
this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
+ this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
diff --git a/src/charon/plugins/load_tester/load_tester_plugin.c b/src/charon/plugins/load_tester/load_tester_plugin.c
index 12ac7b090..93ed2e3c5 100644
--- a/src/charon/plugins/load_tester/load_tester_plugin.c
+++ b/src/charon/plugins/load_tester/load_tester_plugin.c
@@ -202,8 +202,8 @@ plugin_t *plugin_create()
shutdown_on = this->iterations * this->initiators;
}
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->condvar = condvar_create(CONDVAR_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
this->config = load_tester_config_create();
this->creds = load_tester_creds_create();
this->listener = load_tester_listener_create(shutdown_on);
diff --git a/src/charon/plugins/medcli/Makefile.am b/src/charon/plugins/medcli/Makefile.am
index f15950af9..a5f018f82 100644
--- a/src/charon/plugins/medcli/Makefile.am
+++ b/src/charon/plugins/medcli/Makefile.am
@@ -8,5 +8,5 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \
medcli_creds.h medcli_creds.c \
medcli_config.h medcli_config.c \
medcli_listener.h medcli_listener.c
-libstrongswan_medcli_la_LDFLAGS = -module
+libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/medcli/Makefile.in b/src/charon/plugins/medcli/Makefile.in
index cef486411..9a2b3f889 100644
--- a/src/charon/plugins/medcli/Makefile.in
+++ b/src/charon/plugins/medcli/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_medcli_la_SOURCES = medcli_plugin.h medcli_plugin.c \
medcli_config.h medcli_config.c \
medcli_listener.h medcli_listener.c
-libstrongswan_medcli_la_LDFLAGS = -module
+libstrongswan_medcli_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/medsrv/Makefile.am b/src/charon/plugins/medsrv/Makefile.am
index 476da1878..f3611a79e 100644
--- a/src/charon/plugins/medsrv/Makefile.am
+++ b/src/charon/plugins/medsrv/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-medsrv.la
libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
medsrv_creds.h medsrv_creds.c \
medsrv_config.h medsrv_config.c
-libstrongswan_medsrv_la_LDFLAGS = -module
+libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/medsrv/Makefile.in b/src/charon/plugins/medsrv/Makefile.in
index ec537e505..ba599499b 100644
--- a/src/charon/plugins/medsrv/Makefile.in
+++ b/src/charon/plugins/medsrv/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_medsrv_la_SOURCES = medsrv_plugin.h medsrv_plugin.c \
medsrv_creds.h medsrv_creds.c \
medsrv_config.h medsrv_config.c
-libstrongswan_medsrv_la_LDFLAGS = -module
+libstrongswan_medsrv_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index 9a0b48cd2..b74a4e46f 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_nm_la_SOURCES = \
nm_service.h nm_service.c \
nm_creds.h nm_creds.c \
nm_handler.h nm_handler.c
-libstrongswan_nm_la_LDFLAGS = -module
+libstrongswan_nm_la_LDFLAGS = -module -avoid-version
libstrongswan_nm_la_LIBADD = ${nm_LIBS}
diff --git a/src/charon/plugins/nm/Makefile.in b/src/charon/plugins/nm/Makefile.in
index a75af8a0f..c7c428c2a 100644
--- a/src/charon/plugins/nm/Makefile.in
+++ b/src/charon/plugins/nm/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -228,7 +233,7 @@ libstrongswan_nm_la_SOURCES = \
nm_creds.h nm_creds.c \
nm_handler.h nm_handler.c
-libstrongswan_nm_la_LDFLAGS = -module
+libstrongswan_nm_la_LDFLAGS = -module -avoid-version
libstrongswan_nm_la_LIBADD = ${nm_LIBS}
all: all-am
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index d93b81c9a..4ea2c36dd 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -322,7 +322,7 @@ nm_creds_t *nm_creds_create()
this->public.clear = (void(*)(nm_creds_t*))clear;
this->public.destroy = (void(*)(nm_creds_t*))destroy;
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
this->cert = NULL;
this->user = NULL;
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index bca4d9e09..88a3cc95e 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -14,6 +14,7 @@
*/
#include <nm-setting-vpn.h>
+#include <nm-setting-connection.h>
#include "nm_service.h"
#include <daemon.h>
@@ -25,8 +26,6 @@
#include <stdio.h>
-#define CONFIG_NAME "NetworkManager"
-
G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
/**
@@ -43,6 +42,8 @@ typedef struct {
nm_creds_t *creds;
/* attribute handler for DNS/NBNS server information */
nm_handler_t *handler;
+ /* name of the connection */
+ char *name;
} NMStrongswanPluginPrivate;
#define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
@@ -121,14 +122,14 @@ static void signal_ipv4_config(NMVPNPlugin *plugin,
/**
* signal failure to NM, connecting failed
*/
-static void signal_failure(NMVPNPlugin *plugin)
+static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
{
nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
handler->reset(handler);
/* TODO: NM does not handle this failure!? */
- nm_vpn_plugin_failure(plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
+ nm_vpn_plugin_failure(plugin, failure);
nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
}
@@ -140,16 +141,10 @@ static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
{
NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
- if (private->ike_sa == ike_sa)
+ if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
{
- switch (state)
- {
- case IKE_DESTROYING:
- signal_failure(private->plugin);
- return FALSE;
- default:
- break;
- }
+ signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
+ return FALSE;
}
return TRUE;
}
@@ -161,32 +156,63 @@ static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
child_sa_t *child_sa, child_sa_state_t state)
{
NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+
+ if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
+ {
+ signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+ return FALSE;
+ }
+ return TRUE;
+}
+/**
+ * Implementation of listener_t.child_updown
+ */
+static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
+ child_sa_t *child_sa, bool up)
+{
+ NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+
if (private->ike_sa == ike_sa)
{
- switch (state)
+ if (up)
+ { /* disable initiate-failure-detection hooks */
+ private->listener.ike_state_change = NULL;
+ private->listener.child_state_change = NULL;
+ signal_ipv4_config(private->plugin, ike_sa, child_sa);
+ }
+ else
{
- case CHILD_INSTALLED:
- signal_ipv4_config(private->plugin, ike_sa, child_sa);
- return FALSE;
- case CHILD_DESTROYING:
- signal_failure(private->plugin);
- return FALSE;
- default:
- break;
+ signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+ return FALSE;
}
}
return TRUE;
}
/**
+ * Implementation of listener_t.ike_rekey
+ */
+static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
+{
+ NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+
+ if (private->ike_sa == old)
+ { /* follow a rekeyed IKE_SA */
+ private->ike_sa = new;
+ }
+ return TRUE;
+}
+
+/**
* Connect function called from NM via DBUS
*/
static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
GError **err)
{
- nm_creds_t *creds;
- NMSettingVPN *settings;
+ NMStrongswanPluginPrivate *priv;
+ NMSettingConnection *conn;
+ NMSettingVPN *vpn;
identification_t *user = NULL, *gateway;
const char *address, *str;
bool virtual, encap, ipcomp;
@@ -204,25 +230,34 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
/**
* Read parameters
*/
- settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
- NM_TYPE_SETTING_VPN));
-
- DBG4(DBG_CFG, "received NetworkManager connection: %s",
- nm_setting_to_string(NM_SETTING(settings)));
- address = nm_setting_vpn_get_data_item(settings, "address");
+ priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+ conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
+ NM_TYPE_SETTING_CONNECTION));
+ vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
+ NM_TYPE_SETTING_VPN));
+ if (priv->name)
+ {
+ free(priv->name);
+ }
+ priv->name = strdup(nm_setting_connection_get_id(conn));
+ DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
+ priv->name);
+ DBG4(DBG_CFG, "%s",
+ nm_setting_to_string(NM_SETTING(vpn)));
+ address = nm_setting_vpn_get_data_item(vpn, "address");
if (!address || !*address)
{
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
"Gateway address missing.");
return FALSE;
}
- str = nm_setting_vpn_get_data_item(settings, "virtual");
+ str = nm_setting_vpn_get_data_item(vpn, "virtual");
virtual = str && streq(str, "yes");
- str = nm_setting_vpn_get_data_item(settings, "encap");
+ str = nm_setting_vpn_get_data_item(vpn, "encap");
encap = str && streq(str, "yes");
- str = nm_setting_vpn_get_data_item(settings, "ipcomp");
+ str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
ipcomp = str && streq(str, "yes");
- str = nm_setting_vpn_get_data_item(settings, "method");
+ str = nm_setting_vpn_get_data_item(vpn, "method");
if (str)
{
if (streq(str, "psk"))
@@ -243,16 +278,15 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
/**
* Register credentials
*/
- creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds;
- creds->clear(creds);
+ priv->creds->clear(priv->creds);
/* gateway/CA cert */
- str = nm_setting_vpn_get_data_item(settings, "certificate");
+ str = nm_setting_vpn_get_data_item(vpn, "certificate");
if (str)
{
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, str, BUILD_END);
- creds->set_certificate(creds, cert);
+ priv->creds->set_certificate(priv->creds, cert);
}
if (!cert)
{
@@ -279,19 +313,19 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
if (auth_class == AUTH_CLASS_EAP)
{
/* username/password authentication ... */
- str = nm_setting_vpn_get_data_item(settings, "user");
+ str = nm_setting_vpn_get_data_item(vpn, "user");
if (str)
{
user = identification_create_from_string((char*)str);
- str = nm_setting_vpn_get_secret(settings, "password");
- creds->set_username_password(creds, user, (char*)str);
+ str = nm_setting_vpn_get_secret(vpn, "password");
+ priv->creds->set_username_password(priv->creds, user, (char*)str);
}
}
if (auth_class == AUTH_CLASS_PUBKEY)
{
/* ... or certificate/private key authenitcation */
- str = nm_setting_vpn_get_data_item(settings, "usercert");
+ str = nm_setting_vpn_get_data_item(vpn, "usercert");
if (str)
{
public_key_t *public;
@@ -308,7 +342,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
return FALSE;
}
/* try agent */
- str = nm_setting_vpn_get_secret(settings, "agent");
+ str = nm_setting_vpn_get_secret(vpn, "agent");
if (agent && str)
{
public = cert->get_public_key(cert);
@@ -329,14 +363,13 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
}
}
/* ... or key file */
- str = nm_setting_vpn_get_data_item(settings, "userkey");
+ str = nm_setting_vpn_get_data_item(vpn, "userkey");
if (!agent && str)
{
chunk_t secret, chunk;
bool pgp = FALSE;
- secret.ptr = (char*)nm_setting_vpn_get_secret(settings,
- "password");
+ secret.ptr = (char*)nm_setting_vpn_get_secret(vpn, "password");
if (secret.ptr)
{
secret.len = strlen(secret.ptr);
@@ -358,7 +391,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
{
user = cert->get_subject(cert);
user = user->clone(user);
- creds->set_cert_and_key(creds, cert, private);
+ priv->creds->set_cert_and_key(priv->creds, cert, private);
}
else
{
@@ -382,7 +415,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
*/
ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
+ peer_cfg = peer_cfg_create(priv->name, 2, ike_cfg,
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
@@ -398,11 +431,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
auth->add(auth, AUTH_RULE_IDENTITY, gateway);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create(CONFIG_NAME,
+ child_cfg = child_cfg_create(priv->name,
10800, 10200, /* lifetime 3h, rekey 2h50min */
300, /* jitter 5min */
NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
- ACTION_NONE, ACTION_RESTART, ipcomp);
+ ACTION_NONE, ACTION_NONE, ipcomp);
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
@@ -413,7 +446,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
peer_cfg->add_child_cfg(peer_cfg, child_cfg);
/**
- * Start to initiate
+ * Prepare IKE_SA
*/
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
peer_cfg);
@@ -425,21 +458,27 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
{
peer_cfg->destroy(peer_cfg);
}
+
+ /**
+ * Register listener, enable initiate-failure-detection hooks
+ */
+ priv->ike_sa = ike_sa;
+ priv->listener.ike_state_change = ike_state_change;
+ priv->listener.child_state_change = child_state_change;
+ charon->bus->add_listener(charon->bus, &priv->listener);
+
+ /**
+ * Initiate
+ */
if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
{
+ charon->bus->remove_listener(charon->bus, &priv->listener);
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
"Initiating failed.");
return FALSE;
}
-
- /**
- * Register listener
- */
- NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->ike_sa = ike_sa;
- charon->bus->add_listener(charon->bus,
- &NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener);
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
return TRUE;
}
@@ -501,14 +540,16 @@ static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
*/
static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
{
+ NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
enumerator_t *enumerator;
ike_sa_t *ike_sa;
u_int id;
+ /* our ike_sa pointer might be invalid, lookup sa */
enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
while (enumerator->enumerate(enumerator, &ike_sa))
{
- if (streq(CONFIG_NAME, ike_sa->get_name(ike_sa)))
+ if (priv->ike_sa == ike_sa)
{
id = ike_sa->get_unique_id(ike_sa);
enumerator->destroy(enumerator);
@@ -529,13 +570,13 @@ static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
*/
static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
{
- NMStrongswanPluginPrivate *private;
+ NMStrongswanPluginPrivate *priv;
- private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
- private->plugin = NM_VPN_PLUGIN(plugin);
- memset(&private->listener.log, 0, sizeof(listener_t));
- private->listener.ike_state_change = ike_state_change;
- private->listener.child_state_change = child_state_change;
+ priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+ priv->plugin = NM_VPN_PLUGIN(plugin);
+ memset(&priv->listener.log, 0, sizeof(listener_t));
+ priv->listener.child_updown = child_updown;
+ priv->listener.ike_rekey = ike_rekey;
}
/**
@@ -565,8 +606,12 @@ NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
NULL);
if (plugin)
{
- NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds;
- NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler;
+ NMStrongswanPluginPrivate *priv;
+
+ priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+ priv->creds = creds;
+ priv->handler = handler;
+ priv->name = NULL;
}
return plugin;
}
diff --git a/src/charon/plugins/resolv_conf/Makefile.am b/src/charon/plugins/resolv_conf/Makefile.am
index 917964f93..be7f862f2 100644
--- a/src/charon/plugins/resolv_conf/Makefile.am
+++ b/src/charon/plugins/resolv_conf/Makefile.am
@@ -8,6 +8,6 @@ plugin_LTLIBRARIES = libstrongswan-resolv-conf.la
libstrongswan_resolv_conf_la_SOURCES = \
resolv_conf_plugin.h resolv_conf_plugin.c \
resolv_conf_handler.h resolv_conf_handler.c
-libstrongswan_resolv_conf_la_LDFLAGS = -module
+libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/resolv_conf/Makefile.in b/src/charon/plugins/resolv_conf/Makefile.in
index 91ddae582..19c20467a 100644
--- a/src/charon/plugins/resolv_conf/Makefile.in
+++ b/src/charon/plugins/resolv_conf/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -229,7 +234,7 @@ libstrongswan_resolv_conf_la_SOURCES = \
resolv_conf_plugin.h resolv_conf_plugin.c \
resolv_conf_handler.h resolv_conf_handler.c
-libstrongswan_resolv_conf_la_LDFLAGS = -module
+libstrongswan_resolv_conf_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/resolv_conf/resolv_conf_handler.c b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
index 19e3b3275..749cfbc5b 100644
--- a/src/charon/plugins/resolv_conf/resolv_conf_handler.c
+++ b/src/charon/plugins/resolv_conf/resolv_conf_handler.c
@@ -183,7 +183,7 @@ resolv_conf_handler_t *resolv_conf_handler_create()
this->public.handler.release = (void(*)(attribute_handler_t*, ike_sa_t*, configuration_attribute_type_t, chunk_t))release;
this->public.destroy = (void(*)(resolv_conf_handler_t*))destroy;
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->file = lib->settings->get_str(lib->settings,
"charon.plugins.resolv-conf.file", RESOLV_CONF);
diff --git a/src/charon/plugins/smp/Makefile.am b/src/charon/plugins/smp/Makefile.am
index 1679f1c68..a434b388b 100644
--- a/src/charon/plugins/smp/Makefile.am
+++ b/src/charon/plugins/smp/Makefile.am
@@ -5,6 +5,6 @@ AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
plugin_LTLIBRARIES = libstrongswan-smp.la
libstrongswan_smp_la_SOURCES = smp.h smp.c
-libstrongswan_smp_la_LDFLAGS = -module
+libstrongswan_smp_la_LDFLAGS = -module -avoid-version
libstrongswan_smp_la_LIBADD = ${xml_LIBS}
diff --git a/src/charon/plugins/smp/Makefile.in b/src/charon/plugins/smp/Makefile.in
index f06321ba7..d23d2d001 100644
--- a/src/charon/plugins/smp/Makefile.in
+++ b/src/charon/plugins/smp/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -222,7 +227,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${xml_CF
AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
plugin_LTLIBRARIES = libstrongswan-smp.la
libstrongswan_smp_la_SOURCES = smp.h smp.c
-libstrongswan_smp_la_LDFLAGS = -module
+libstrongswan_smp_la_LDFLAGS = -module -avoid-version
libstrongswan_smp_la_LIBADD = ${xml_LIBS}
all: all-am
diff --git a/src/charon/plugins/sql/Makefile.am b/src/charon/plugins/sql/Makefile.am
index ea39ce0d5..bf4963f29 100644
--- a/src/charon/plugins/sql/Makefile.am
+++ b/src/charon/plugins/sql/Makefile.am
@@ -10,7 +10,7 @@ plugin_LTLIBRARIES = libstrongswan-sql.la
libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
sql_config.h sql_config.c sql_cred.h sql_cred.c \
sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
-libstrongswan_sql_la_LDFLAGS = -module
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
ipsec_PROGRAMS = pool
pool_SOURCES = pool.c
diff --git a/src/charon/plugins/sql/Makefile.in b/src/charon/plugins/sql/Makefile.in
index 0848ea0dd..f6fd8e4f7 100644
--- a/src/charon/plugins/sql/Makefile.in
+++ b/src/charon/plugins/sql/Makefile.in
@@ -82,12 +82,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -152,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -192,7 +195,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -237,7 +242,7 @@ libstrongswan_sql_la_SOURCES = sql_plugin.h sql_plugin.c \
sql_config.h sql_config.c sql_cred.h sql_cred.c \
sql_attribute.h sql_attribute.c sql_logger.h sql_logger.c
-libstrongswan_sql_la_LDFLAGS = -module
+libstrongswan_sql_la_LDFLAGS = -module -avoid-version
pool_SOURCES = pool.c
pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
all: all-am
diff --git a/src/charon/plugins/sql/pool.c b/src/charon/plugins/sql/pool.c
index 7d393b6f7..ebcc9adc7 100644
--- a/src/charon/plugins/sql/pool.c
+++ b/src/charon/plugins/sql/pool.c
@@ -637,8 +637,19 @@ int main(int argc, char *argv[])
} operation = OP_USAGE;
dbg = dbg_stderr;
- library_init(STRONGSWAN_CONF);
atexit(library_deinit);
+
+ /* initialize library */
+ if (!library_init(STRONGSWAN_CONF))
+ {
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "pool", argv[0]))
+ {
+ fprintf(stderr, "integrity check of pool failed\n");
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
lib->settings->get_str(lib->settings, "pool.load", PLUGINS));
diff --git a/src/charon/plugins/sql/sql_attribute.c b/src/charon/plugins/sql/sql_attribute.c
index 95d0d30d4..77601e612 100644
--- a/src/charon/plugins/sql/sql_attribute.c
+++ b/src/charon/plugins/sql/sql_attribute.c
@@ -92,25 +92,18 @@ static u_int get_pool(private_sql_attribute_t *this, char *name, u_int *timeout)
}
/**
- * Lookup a lease
+ * Look up an existing lease
*/
-static host_t *get_address(private_sql_attribute_t *this, char *name,
- u_int pool, u_int timeout, u_int identity)
+static host_t* check_lease(private_sql_attribute_t *this, char *name,
+ u_int pool, u_int identity)
{
- enumerator_t *e;
- u_int id;
- chunk_t address;
- host_t *host;
- time_t now = time(NULL);
-
- /* We check for leases for that identity first and for other expired
- * leases afterwards. We select an address as a candidate, but double
- * check if it is still valid in the update. This allows us to work
- * without locking. */
-
- /* check for an existing lease for that identity */
while (TRUE)
{
+ u_int id;
+ chunk_t address;
+ enumerator_t *e;
+ time_t now = time(NULL);
+
e = this->db->query(this->db,
"SELECT id, address FROM addresses "
"WHERE pool = ? AND identity = ? AND released != 0 LIMIT 1",
@@ -122,11 +115,14 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
}
address = chunk_clonea(address);
e->destroy(e);
+
if (this->db->execute(this->db, NULL,
"UPDATE addresses SET acquired = ?, released = 0 "
"WHERE id = ? AND identity = ? AND released != 0",
DB_UINT, now, DB_UINT, id, DB_UINT, identity) > 0)
{
+ host_t *host;
+
host = host_create_from_chunk(AF_UNSPEC, address, 0);
if (host)
{
@@ -136,14 +132,43 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
}
}
}
-
- /* check for an expired lease */
+ return NULL;
+}
+
+/**
+ * We check for unallocated addresses or expired leases. First we select an
+ * address as a candidate, but double check later on if it is still available
+ * during the update operation. This allows us to work without locking.
+ */
+static host_t* get_lease(private_sql_attribute_t *this, char *name,
+ u_int pool, u_int timeout, u_int identity)
+{
while (TRUE)
{
- e = this->db->query(this->db,
+ u_int id;
+ chunk_t address;
+ enumerator_t *e;
+ time_t now = time(NULL);
+ int hits;
+
+ if (timeout)
+ {
+ /* check for an expired lease */
+ e = this->db->query(this->db,
"SELECT id, address FROM addresses "
"WHERE pool = ? AND released != 0 AND released < ? LIMIT 1",
DB_UINT, pool, DB_UINT, now - timeout, DB_UINT, DB_BLOB);
+ }
+ else
+ {
+ /* with static leases, check for an unallocated address */
+ e = this->db->query(this->db,
+ "SELECT id, address FROM addresses "
+ "WHERE pool = ? AND identity = 0 LIMIT 1",
+ DB_UINT, pool, DB_UINT, DB_BLOB);
+
+ }
+
if (!e || !e->enumerate(e, &id, &address))
{
DESTROY_IF(e);
@@ -152,13 +177,27 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
address = chunk_clonea(address);
e->destroy(e);
- if (this->db->execute(this->db, NULL,
- "UPDATE addresses SET "
- "acquired = ?, released = 0, identity = ? "
- "WHERE id = ? AND released != 0 AND released < ?",
- DB_UINT, now, DB_UINT, identity,
- DB_UINT, id, DB_UINT, now - timeout) > 0)
+ if (timeout)
+ {
+ hits = this->db->execute(this->db, NULL,
+ "UPDATE addresses SET "
+ "acquired = ?, released = 0, identity = ? "
+ "WHERE id = ? AND released != 0 AND released < ?",
+ DB_UINT, now, DB_UINT, identity,
+ DB_UINT, id, DB_UINT, now - timeout);
+ }
+ else
{
+ hits = this->db->execute(this->db, NULL,
+ "UPDATE addresses SET "
+ "acquired = ?, released = 0, identity = ? "
+ "WHERE id = ? AND identity = 0",
+ DB_UINT, now, DB_UINT, identity, DB_UINT, id);
+ }
+ if (hits > 0)
+ {
+ host_t *host;
+
host = host_create_from_chunk(AF_UNSPEC, address, 0);
if (host)
{
@@ -169,37 +208,75 @@ static host_t *get_address(private_sql_attribute_t *this, char *name,
}
}
DBG1(DBG_CFG, "no available address found in pool '%s'", name);
- return 0;
+ return NULL;
}
/**
* Implementation of attribute_provider_t.acquire_address
*/
static host_t* acquire_address(private_sql_attribute_t *this,
- char *name, identification_t *id,
+ char *names, identification_t *id,
host_t *requested)
{
- enumerator_t *enumerator;
- u_int pool, timeout, identity;
host_t *address = NULL;
-
+ u_int identity, pool, timeout;
+
identity = get_identity(this, id);
if (identity)
{
- enumerator = enumerator_create_token(name, ",", " ");
- while (enumerator->enumerate(enumerator, &name))
+ /* check for a single pool first (no concatenation and enumeration) */
+ if (strchr(names, ',') == NULL)
{
- pool = get_pool(this, name, &timeout);
+ pool = get_pool(this, names, &timeout);
if (pool)
{
- address = get_address(this, name, pool, timeout, identity);
- if (address)
+ /* check for an existing lease */
+ address = check_lease(this, names, pool, identity);
+ if (address == NULL)
+ {
+ /* get an unallocated address or expired lease */
+ address = get_lease(this, names, pool, timeout, identity);
+ }
+ }
+ }
+ else
+ {
+ enumerator_t *enumerator;
+ char *name;
+
+ /* in a first step check for an existing lease over all pools */
+ enumerator = enumerator_create_token(names, ",", " ");
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ pool = get_pool(this, name, &timeout);
+ if (pool)
+ {
+ address = check_lease(this, name, pool, identity);
+ if (address)
+ {
+ enumerator->destroy(enumerator);
+ return address;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* in a second step get an unallocated address or expired lease */
+ enumerator = enumerator_create_token(names, ",", " ");
+ while (enumerator->enumerate(enumerator, &name))
+ {
+ pool = get_pool(this, name, &timeout);
+ if (pool)
{
- break;
+ address = get_lease(this, name, pool, timeout, identity);
+ if (address)
+ {
+ break;
+ }
}
}
+ enumerator->destroy(enumerator);
}
- enumerator->destroy(enumerator);
}
return address;
}
diff --git a/src/charon/plugins/sql/sql_config.c b/src/charon/plugins/sql/sql_config.c
index 3e5efce34..e7dfe573b 100644
--- a/src/charon/plugins/sql/sql_config.c
+++ b/src/charon/plugins/sql/sql_config.c
@@ -295,10 +295,10 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
mediation, mediated_cfg, peer_id);
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_method);
- auth->add(auth, AUTH_RULE_IDENTITY, local_id->clone(local_id));
+ auth->add(auth, AUTH_RULE_IDENTITY, local_id);
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
auth = auth_cfg_create();
- auth->add(auth, AUTH_RULE_IDENTITY, remote_id->clone(remote_id));
+ auth->add(auth, AUTH_RULE_IDENTITY, remote_id);
if (eap_type)
{
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
diff --git a/src/charon/plugins/stroke/Makefile.am b/src/charon/plugins/stroke/Makefile.am
index fb58ba62b..79a63f2c2 100644
--- a/src/charon/plugins/stroke/Makefile.am
+++ b/src/charon/plugins/stroke/Makefile.am
@@ -18,5 +18,5 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
stroke_list.h stroke_list.c \
stroke_shared_key.h stroke_shared_key.c
-libstrongswan_stroke_la_LDFLAGS = -module
+libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/stroke/Makefile.in b/src/charon/plugins/stroke/Makefile.in
index f246286a0..19822ebc8 100644
--- a/src/charon/plugins/stroke/Makefile.in
+++ b/src/charon/plugins/stroke/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -237,7 +242,7 @@ libstrongswan_stroke_la_SOURCES = stroke_plugin.h stroke_plugin.c \
stroke_list.h stroke_list.c \
stroke_shared_key.h stroke_shared_key.c
-libstrongswan_stroke_la_LDFLAGS = -module
+libstrongswan_stroke_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/stroke/stroke_attribute.c b/src/charon/plugins/stroke/stroke_attribute.c
index a7925ce3e..d3211fd67 100644
--- a/src/charon/plugins/stroke/stroke_attribute.c
+++ b/src/charon/plugins/stroke/stroke_attribute.c
@@ -539,7 +539,7 @@ stroke_attribute_t *stroke_attribute_create()
this->public.destroy = (void(*)(stroke_attribute_t*))destroy;
this->pools = linked_list_create();
- this->mutex = mutex_create(MUTEX_RECURSIVE);
+ this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
return &this->public;
}
diff --git a/src/charon/plugins/stroke/stroke_ca.c b/src/charon/plugins/stroke/stroke_ca.c
index fab06e6c5..c354d8cb8 100644
--- a/src/charon/plugins/stroke/stroke_ca.c
+++ b/src/charon/plugins/stroke/stroke_ca.c
@@ -447,7 +447,7 @@ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred)
this->public.destroy = (void(*)(stroke_ca_t*))destroy;
this->sections = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
this->cred = cred;
return &this->public;
diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c
index 028e71e71..0b6a4ac31 100644
--- a/src/charon/plugins/stroke/stroke_config.c
+++ b/src/charon/plugins/stroke/stroke_config.c
@@ -924,7 +924,7 @@ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred)
this->public.destroy = (void(*)(stroke_config_t*))destroy;
this->list = linked_list_create();
- this->mutex = mutex_create(MUTEX_RECURSIVE);
+ this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
this->ca = ca;
this->cred = cred;
diff --git a/src/charon/plugins/stroke/stroke_cred.c b/src/charon/plugins/stroke/stroke_cred.c
index dc73299b8..31bcfe9f4 100644
--- a/src/charon/plugins/stroke/stroke_cred.c
+++ b/src/charon/plugins/stroke/stroke_cred.c
@@ -16,6 +16,8 @@
#include <sys/stat.h>
#include <limits.h>
+#include <glob.h>
+#include <libgen.h>
#include "stroke_cred.h"
#include "stroke_shared_key.h"
@@ -41,6 +43,8 @@
#define CRL_DIR IPSEC_D_DIR "/crls"
#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
+#define MAX_SECRETS_RECURSION 10
+
typedef struct private_stroke_cred_t private_stroke_cred_t;
/**
@@ -691,7 +695,7 @@ static err_t extract_secret(chunk_t *secret, chunk_t *line)
/**
* reload ipsec.secrets
*/
-static void load_secrets(private_stroke_cred_t *this)
+static void load_secrets(private_stroke_cred_t *this, char *file, int level)
{
size_t bytes;
int line_nr = 0;
@@ -700,9 +704,9 @@ static void load_secrets(private_stroke_cred_t *this)
private_key_t *private;
shared_key_t *shared;
- DBG1(DBG_CFG, "loading secrets from '%s'", SECRETS_FILE);
+ DBG1(DBG_CFG, "loading secrets from '%s'", file);
- fd = fopen(SECRETS_FILE, "r");
+ fd = fopen(file, "r");
if (fd == NULL)
{
DBG1(DBG_CFG, "opening secrets file '%s' failed");
@@ -719,15 +723,19 @@ static void load_secrets(private_stroke_cred_t *this)
src = chunk;
this->lock->write_lock(this->lock);
- while (this->shared->remove_last(this->shared,
- (void**)&shared) == SUCCESS)
- {
- shared->destroy(shared);
- }
- while (this->private->remove_last(this->private,
- (void**)&private) == SUCCESS)
+ if (level == 0)
{
- private->destroy(private);
+ /* flush secrets on non-recursive invocation */
+ while (this->shared->remove_last(this->shared,
+ (void**)&shared) == SUCCESS)
+ {
+ shared->destroy(shared);
+ }
+ while (this->private->remove_last(this->private,
+ (void**)&private) == SUCCESS)
+ {
+ private->destroy(private);
+ }
}
while (fetchline(&src, &line))
@@ -741,6 +749,66 @@ static void load_secrets(private_stroke_cred_t *this)
{
continue;
}
+ if (line.len > strlen("include ") &&
+ strneq(line.ptr, "include ", strlen("include ")))
+ {
+ glob_t buf;
+ char **expanded, *dir, pattern[PATH_MAX];
+ u_char *pos;
+
+ if (level > MAX_SECRETS_RECURSION)
+ {
+ DBG1(DBG_CFG, "maximum level of %d includes reached, ignored",
+ MAX_SECRETS_RECURSION);
+ continue;
+ }
+ /* terminate filename by space */
+ line = chunk_skip(line, strlen("include "));
+ pos = memchr(line.ptr, ' ', line.len);
+ if (pos)
+ {
+ line.len = pos - line.ptr;
+ }
+ if (line.len && line.ptr[0] == '/')
+ {
+ if (line.len + 1 > sizeof(pattern))
+ {
+ DBG1(DBG_CFG, "include pattern too long, ignored");
+ continue;
+ }
+ snprintf(pattern, sizeof(pattern), "%.*s", line.len, line.ptr);
+ }
+ else
+ { /* use directory of current file if relative */
+ dir = strdup(file);
+ dir = dirname(dir);
+
+ if (line.len + 1 + strlen(dir) + 1 > sizeof(pattern))
+ {
+ DBG1(DBG_CFG, "include pattern too long, ignored");
+ free(dir);
+ continue;
+ }
+ snprintf(pattern, sizeof(pattern), "%s/%.*s",
+ dir, line.len, line.ptr);
+ free(dir);
+ }
+ if (glob(pattern, GLOB_ERR, NULL, &buf) != 0)
+ {
+ DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern);
+ globfree(&buf);
+ }
+ else
+ {
+ for (expanded = buf.gl_pathv; *expanded != NULL; expanded++)
+ {
+ load_secrets(this, *expanded, level + 1);
+ }
+ }
+ globfree(&buf);
+ continue;
+ }
+
if (line.len > 2 && strneq(": ", line.ptr, 2))
{
/* no ids, skip the ':' */
@@ -989,7 +1057,7 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg)
if (msg->reread.flags & REREAD_SECRETS)
{
DBG1(DBG_CFG, "rereading secrets");
- load_secrets(this);
+ load_secrets(this, SECRETS_FILE, 0);
}
if (msg->reread.flags & REREAD_CACERTS)
{
@@ -1057,10 +1125,10 @@ stroke_cred_t *stroke_cred_create()
this->certs = linked_list_create();
this->shared = linked_list_create();
this->private = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
load_certs(this);
- load_secrets(this);
+ load_secrets(this, SECRETS_FILE, 0);
this->cachecrl = FALSE;
diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c
index 564a511a1..6f421bd30 100644
--- a/src/charon/plugins/stroke/stroke_list.c
+++ b/src/charon/plugins/stroke/stroke_list.c
@@ -146,8 +146,8 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
*/
static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
- u_int32_t rekey, now = time(NULL);
- u_int32_t use_in, use_out;
+ time_t use_in, use_out, rekey, now = time(NULL);
+ u_int64_t bytes_in, bytes_out;
proposal_t *proposal;
child_cfg_t *config = child_sa->get_config(child_sa);
@@ -205,6 +205,20 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
}
}
+
+ child_sa->get_usestats(child_sa, TRUE, &use_in, &bytes_in);
+ fprintf(out, ", %llu bytes_i", bytes_in);
+ if (use_in)
+ {
+ fprintf(out, " (%ds ago)", now - use_in);
+ }
+
+ child_sa->get_usestats(child_sa, FALSE, &use_out, &bytes_out);
+ fprintf(out, ", %llu bytes_o", bytes_out);
+ if (use_out)
+ {
+ fprintf(out, " (%ds ago)", now - use_out);
+ }
fprintf(out, ", rekeying ");
rekey = child_sa->get_lifetime(child_sa, FALSE);
@@ -224,25 +238,6 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
fprintf(out, "disabled");
}
- fprintf(out, ", last use: ");
- use_in = child_sa->get_usetime(child_sa, TRUE);
- if (use_in)
- {
- fprintf(out, "%ds_i ", now - use_in);
- }
- else
- {
- fprintf(out, "no_i ");
- }
- use_out = child_sa->get_usetime(child_sa, FALSE);
- if (use_out)
- {
- fprintf(out, "%ds_o ", now - use_out);
- }
- else
- {
- fprintf(out, "no_o ");
- }
}
}
diff --git a/src/charon/plugins/stroke/stroke_socket.c b/src/charon/plugins/stroke/stroke_socket.c
index f61171e22..9b6a8a3a7 100644
--- a/src/charon/plugins/stroke/stroke_socket.c
+++ b/src/charon/plugins/stroke/stroke_socket.c
@@ -27,6 +27,7 @@
#include <processing/jobs/callback_job.h>
#include <daemon.h>
+#include <utils/mutex.h> /* for Mac OS X compatible accept */
#include "stroke_config.h"
#include "stroke_control.h"
diff --git a/src/charon/plugins/uci/Makefile.am b/src/charon/plugins/uci/Makefile.am
index 0136bf5e9..9fdbfb709 100644
--- a/src/charon/plugins/uci/Makefile.am
+++ b/src/charon/plugins/uci/Makefile.am
@@ -8,7 +8,7 @@ libstrongswan_uci_la_SOURCES = \
uci_plugin.h uci_plugin.c uci_parser.h uci_parser.c \
uci_config.h uci_config.c uci_creds.h uci_creds.c \
uci_control.h uci_control.c
-libstrongswan_uci_la_LDFLAGS = -module
+libstrongswan_uci_la_LDFLAGS = -module -avoid-version
libstrongswan_uci_la_LIBADD = -luci
diff --git a/src/charon/plugins/uci/Makefile.in b/src/charon/plugins/uci/Makefile.in
index e599135cb..c4fb335d7 100644
--- a/src/charon/plugins/uci/Makefile.in
+++ b/src/charon/plugins/uci/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_uci_la_SOURCES = \
uci_config.h uci_config.c uci_creds.h uci_creds.c \
uci_control.h uci_control.c
-libstrongswan_uci_la_LDFLAGS = -module
+libstrongswan_uci_la_LDFLAGS = -module -avoid-version
libstrongswan_uci_la_LIBADD = -luci
all: all-am
diff --git a/src/charon/plugins/unit_tester/Makefile.am b/src/charon/plugins/unit_tester/Makefile.am
index 50c5e0362..64846f995 100644
--- a/src/charon/plugins/unit_tester/Makefile.am
+++ b/src/charon/plugins/unit_tester/Makefile.am
@@ -20,5 +20,5 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
tests/test_agent.c \
tests/test_id.c
-libstrongswan_unit_tester_la_LDFLAGS = -module
+libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/unit_tester/Makefile.in b/src/charon/plugins/unit_tester/Makefile.in
index 2ee5e48d8..0bf0cf301 100644
--- a/src/charon/plugins/unit_tester/Makefile.in
+++ b/src/charon/plugins/unit_tester/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -241,7 +246,7 @@ libstrongswan_unit_tester_la_SOURCES = unit_tester.c unit_tester.h tests.h \
tests/test_agent.c \
tests/test_id.c
-libstrongswan_unit_tester_la_LDFLAGS = -module
+libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/plugins/unit_tester/tests.h b/src/charon/plugins/unit_tester/tests.h
index dcf2a5d18..b99940c1a 100644
--- a/src/charon/plugins/unit_tester/tests.h
+++ b/src/charon/plugins/unit_tester/tests.h
@@ -36,5 +36,8 @@ DEFINE_TEST("Base64 converter", test_chunk_base64, FALSE)
DEFINE_TEST("IP pool", test_pool, FALSE)
DEFINE_TEST("SSH agent", test_agent, FALSE)
DEFINE_TEST("ID parts", test_id_parts, FALSE)
+DEFINE_TEST("ID wildcards", test_id_wildcards, FALSE)
+DEFINE_TEST("ID equals", test_id_equals, FALSE)
+DEFINE_TEST("ID matches", test_id_matches, FALSE)
/** @}*/
diff --git a/src/charon/plugins/unit_tester/tests/test_id.c b/src/charon/plugins/unit_tester/tests/test_id.c
index 56dab2421..a1ef76be8 100644
--- a/src/charon/plugins/unit_tester/tests/test_id.c
+++ b/src/charon/plugins/unit_tester/tests/test_id.c
@@ -67,3 +67,183 @@ bool test_id_parts()
return TRUE;
}
+/*******************************************************************************
+ * identification contains_wildcards() test
+ ******************************************************************************/
+
+static bool test_id_wildcards_has(char *string)
+{
+ identification_t *id;
+ bool contains;
+
+ id = identification_create_from_string(string);
+ contains = id->contains_wildcards(id);
+ id->destroy(id);
+ return contains;
+}
+
+bool test_id_wildcards()
+{
+ if (!test_id_wildcards_has("C=*, O=strongSwan, CN=gw"))
+ {
+ return FALSE;
+ }
+ if (!test_id_wildcards_has("C=CH, O=strongSwan, CN=*"))
+ {
+ return FALSE;
+ }
+ if (test_id_wildcards_has("C=**, O=a*, CN=*a"))
+ {
+ return FALSE;
+ }
+ if (!test_id_wildcards_has("*@strongswan.org"))
+ {
+ return FALSE;
+ }
+ if (!test_id_wildcards_has("*.strongswan.org"))
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/*******************************************************************************
+ * identification equals test
+ ******************************************************************************/
+
+static bool test_id_equals_one(identification_t *a, char *b_str)
+{
+ identification_t *b;
+ bool equals;
+
+ b = identification_create_from_string(b_str);
+ equals = a->equals(a, b);
+ b->destroy(b);
+ return equals;
+}
+
+bool test_id_equals()
+{
+ identification_t *a;
+ chunk_t encoding, fuzzed;
+ int i;
+
+ a = identification_create_from_string(
+ "C=CH, E=martin@strongswan.org, CN=martin");
+
+ if (!test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+ {
+ return FALSE;
+ }
+ if (!test_id_equals_one(a, "C=ch, E=martin@STRONGSWAN.ORG, CN=Martin"))
+ {
+ return FALSE;
+ }
+ if (test_id_equals_one(a, "C=CN, E=martin@strongswan.org, CN=martin"))
+ {
+ return FALSE;
+ }
+ if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
+ {
+ return FALSE;
+ }
+ if (test_id_equals_one(a, "E=martin@strongswan.org, C=CH, CN=martin"))
+ {
+ return FALSE;
+ }
+ encoding = chunk_clone(a->get_encoding(a));
+ a->destroy(a);
+
+ /* simple fuzzing, increment each byte of encoding */
+ for (i = 0; i < encoding.len; i++)
+ {
+ if (i == 11 || i == 30 || i == 62)
+ { /* skip ASN.1 type fields, as equals() handles them graceful */
+ continue;
+ }
+ fuzzed = chunk_clone(encoding);
+ fuzzed.ptr[i]++;
+ a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+ if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+ {
+ return FALSE;
+ }
+ a->destroy(a);
+ free(fuzzed.ptr);
+ }
+
+ /* and decrement each byte of encoding */
+ for (i = 0; i < encoding.len; i++)
+ {
+ if (i == 11 || i == 30 || i == 62)
+ {
+ continue;
+ }
+ fuzzed = chunk_clone(encoding);
+ fuzzed.ptr[i]--;
+ a = identification_create_from_encoding(ID_DER_ASN1_DN, fuzzed);
+ if (test_id_equals_one(a, "C=CH, E=martin@strongswan.org, CN=martin"))
+ {
+ return FALSE;
+ }
+ a->destroy(a);
+ free(fuzzed.ptr);
+ }
+ free(encoding.ptr);
+ return TRUE;
+}
+
+/*******************************************************************************
+ * identification matches test
+ ******************************************************************************/
+
+static id_match_t test_id_matches_one(identification_t *a, char *b_str)
+{
+ identification_t *b;
+ id_match_t match;
+
+ b = identification_create_from_string(b_str);
+ match = a->matches(a, b);
+ b->destroy(b);
+ return match;
+}
+
+bool test_id_matches()
+{
+ identification_t *a;
+
+ a = identification_create_from_string(
+ "C=CH, E=martin@strongswan.org, CN=martin");
+
+ if (test_id_matches_one(a, "C=CH, E=martin@strongswan.org, CN=martin")
+ != ID_MATCH_PERFECT)
+ {
+ return FALSE;
+ }
+ if (test_id_matches_one(a, "C=CH, E=*, CN=martin") != ID_MATCH_ONE_WILDCARD)
+ {
+ return FALSE;
+ }
+ if (test_id_matches_one(a, "C=CH, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 1)
+ {
+ return FALSE;
+ }
+ if (test_id_matches_one(a, "C=*, E=*, CN=*") != ID_MATCH_ONE_WILDCARD - 2)
+ {
+ return FALSE;
+ }
+ if (test_id_matches_one(a, "C=*, E=*, CN=*, O=BADInc") != ID_MATCH_NONE)
+ {
+ return FALSE;
+ }
+ if (test_id_matches_one(a, "C=*, E=*") != ID_MATCH_NONE)
+ {
+ return FALSE;
+ }
+ if (test_id_matches_one(a, "C=*, E=a@b.c, CN=*") != ID_MATCH_NONE)
+ {
+ return FALSE;
+ }
+ a->destroy(a);
+ return TRUE;
+}
diff --git a/src/charon/plugins/unit_tester/tests/test_mutex.c b/src/charon/plugins/unit_tester/tests/test_mutex.c
index a305d5082..cb315276b 100644
--- a/src/charon/plugins/unit_tester/tests/test_mutex.c
+++ b/src/charon/plugins/unit_tester/tests/test_mutex.c
@@ -65,7 +65,7 @@ bool test_mutex()
int i;
pthread_t threads[THREADS];
- mutex = mutex_create(MUTEX_RECURSIVE);
+ mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
for (i = 0; i < 10; i++)
{
diff --git a/src/charon/plugins/updown/Makefile.am b/src/charon/plugins/updown/Makefile.am
index de60d9fbf..fe6e0bb52 100644
--- a/src/charon/plugins/updown/Makefile.am
+++ b/src/charon/plugins/updown/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-updown.la
libstrongswan_updown_la_SOURCES = \
updown_plugin.h updown_plugin.c \
updown_listener.h updown_listener.c
-libstrongswan_updown_la_LDFLAGS = -module
+libstrongswan_updown_la_LDFLAGS = -module -avoid-version
diff --git a/src/charon/plugins/updown/Makefile.in b/src/charon/plugins/updown/Makefile.in
index d0aac79f9..b1b6fb497 100644
--- a/src/charon/plugins/updown/Makefile.in
+++ b/src/charon/plugins/updown/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_updown_la_SOURCES = \
updown_plugin.h updown_plugin.c \
updown_listener.h updown_listener.c
-libstrongswan_updown_la_LDFLAGS = -module
+libstrongswan_updown_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/charon/processing/jobs/callback_job.c b/src/charon/processing/jobs/callback_job.c
index 82b4643eb..f4beb5abd 100644
--- a/src/charon/processing/jobs/callback_job.c
+++ b/src/charon/processing/jobs/callback_job.c
@@ -182,7 +182,7 @@ callback_job_t *callback_job_create(callback_job_cb_t cb, void *data,
this->public.cancel = (void(*)(callback_job_t*))cancel;
/* private variables */
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->callback = cb;
this->data = data;
this->cleanup = cleanup;
diff --git a/src/charon/processing/processor.c b/src/charon/processing/processor.c
index eb1db331b..4a3943323 100644
--- a/src/charon/processing/processor.c
+++ b/src/charon/processing/processor.c
@@ -240,9 +240,9 @@ processor_t *processor_create(size_t pool_size)
this->public.destroy = (void(*)(processor_t*))destroy;
this->list = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->job_added = condvar_create(CONDVAR_DEFAULT);
- this->thread_terminated = condvar_create(CONDVAR_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->job_added = condvar_create(CONDVAR_TYPE_DEFAULT);
+ this->thread_terminated = condvar_create(CONDVAR_TYPE_DEFAULT);
this->total_threads = 0;
this->desired_threads = 0;
this->idle_threads = 0;
diff --git a/src/charon/processing/scheduler.c b/src/charon/processing/scheduler.c
index b3633f263..1f59205af 100644
--- a/src/charon/processing/scheduler.c
+++ b/src/charon/processing/scheduler.c
@@ -347,8 +347,8 @@ scheduler_t * scheduler_create()
this->heap_size = HEAP_SIZE_DEFAULT;
this->heap = (event_t**)calloc(this->heap_size + 1, sizeof(event_t*));
- this->mutex = mutex_create(MUTEX_DEFAULT);
- this->condvar = condvar_create(CONDVAR_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
this->job = callback_job_create((callback_job_cb_t)schedule, this, NULL, NULL);
charon->processor->queue_job(charon->processor, (job_t*)this->job);
diff --git a/src/charon/sa/authenticators/eap/eap_manager.c b/src/charon/sa/authenticators/eap/eap_manager.c
index b8316036e..24a4fd6ed 100644
--- a/src/charon/sa/authenticators/eap/eap_manager.c
+++ b/src/charon/sa/authenticators/eap/eap_manager.c
@@ -163,7 +163,7 @@ eap_manager_t *eap_manager_create()
this->public.destroy = (void(*)(eap_manager_t*))destroy;
this->methods = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c
index 9202e972e..14d174ab5 100644
--- a/src/charon/sa/child_sa.c
+++ b/src/charon/sa/child_sa.c
@@ -136,6 +136,26 @@ struct private_child_sa_t {
* config used to create this child
*/
child_cfg_t *config;
+
+ /**
+ * time of last use in seconds (inbound)
+ */
+ u_int32_t my_usetime;
+
+ /**
+ * time of last use in seconds (outbound)
+ */
+ u_int32_t other_usetime;
+
+ /**
+ * last number of inbound bytes
+ */
+ u_int64_t my_usebytes;
+
+ /**
+ * last number of outbound bytes
+ */
+ u_int64_t other_usebytes;
};
/**
@@ -355,20 +375,72 @@ static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
}
/**
- * Implementation of child_sa_t.get_usetime
+ * update the cached usebytes
+ * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
+ * are available, and NOT_SUPPORTED if the kernel interface does not support
+ * querying the usebytes.
+ */
+static status_t update_usebytes(private_child_sa_t *this, bool inbound)
+{
+ status_t status = FAILED;
+ u_int64_t bytes;
+
+ if (inbound)
+ {
+ if (this->my_spi)
+ {
+ status = charon->kernel_interface->query_sa(
+ charon->kernel_interface,
+ this->other_addr, this->my_addr,
+ this->my_spi, this->protocol, &bytes);
+ if (status == SUCCESS)
+ {
+ if (bytes > this->my_usebytes)
+ {
+ this->my_usebytes = bytes;
+ return SUCCESS;
+ }
+ return FAILED;
+ }
+ }
+ }
+ else
+ {
+ if (this->other_spi)
+ {
+ status = charon->kernel_interface->query_sa(
+ charon->kernel_interface,
+ this->my_addr, this->other_addr,
+ this->other_spi, this->protocol, &bytes);
+ if (status == SUCCESS)
+ {
+ if (bytes > this->other_usebytes)
+ {
+ this->other_usebytes = bytes;
+ return SUCCESS;
+ }
+ return FAILED;
+ }
+ }
+ }
+ return status;
+}
+
+/**
+ * updates the cached usetime
*/
-static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
+static void update_usetime(private_child_sa_t *this, bool inbound)
{
enumerator_t *enumerator;
traffic_selector_t *my_ts, *other_ts;
u_int32_t last_use = 0;
-
+
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
u_int32_t in, out, fwd;
- if (inbound)
+ if (inbound)
{
if (charon->kernel_interface->query_policy(charon->kernel_interface,
other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
@@ -394,7 +466,42 @@ static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
}
}
enumerator->destroy(enumerator);
- return last_use;
+
+ if (last_use == 0)
+ {
+ return;
+ }
+ if (inbound)
+ {
+ this->my_usetime = last_use;
+ }
+ else
+ {
+ this->other_usetime = last_use;
+ }
+}
+
+/**
+ * Implementation of child_sa_t.get_usestats
+ */
+static void get_usestats(private_child_sa_t *this, bool inbound,
+ time_t *time, u_int64_t *bytes)
+{
+ if (update_usebytes(this, inbound) != FAILED)
+ {
+ /* there was traffic since last update or the kernel interface
+ * does not support querying the number of usebytes.
+ */
+ update_usetime(this, inbound);
+ }
+ if (time)
+ {
+ *time = inbound ? this->my_usetime : this->other_usetime;
+ }
+ if (bytes)
+ {
+ *bytes = inbound ? this->my_usebytes : this->other_usebytes;
+ }
}
/**
@@ -566,13 +673,13 @@ static status_t add_policies(private_child_sa_t *this,
* Implementation of child_sa_t.update.
*/
static status_t update(private_child_sa_t *this, host_t *me, host_t *other,
- host_t *vip, bool encap)
+ host_t *vip, bool encap)
{
child_sa_state_t old;
bool transport_proxy_mode;
/* anything changed at all? */
- if (me->equals(me, this->my_addr) &&
+ if (me->equals(me, this->my_addr) &&
other->equals(other, this->other_addr) && this->encap == encap)
{
return SUCCESS;
@@ -661,7 +768,7 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other,
me, other, my_ts, other_ts, POLICY_OUT, this->other_spi,
this->protocol, this->reqid, this->mode, this->ipcomp,
this->other_cpi, FALSE);
- charon->kernel_interface->add_policy(charon->kernel_interface,
+ charon->kernel_interface->add_policy(charon->kernel_interface,
other, me, other_ts, my_ts, POLICY_IN, this->my_spi,
this->protocol, this->reqid, this->mode, this->ipcomp,
this->my_cpi, FALSE);
@@ -775,7 +882,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->public.get_proposal = (proposal_t*(*)(child_sa_t*))get_proposal;
this->public.set_proposal = (void(*)(child_sa_t*, proposal_t *proposal))set_proposal;
this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
- this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime;
+ this->public.get_usestats = (void(*)(child_sa_t*,bool,time_t*,u_int64_t*))get_usestats;
this->public.has_encap = (bool(*)(child_sa_t*))has_encap;
this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp;
this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp;
@@ -798,6 +905,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->encap = encap;
this->ipcomp = IPCOMP_NONE;
this->state = CHILD_CREATED;
+ this->my_usetime = 0;
+ this->other_usetime = 0;
+ this->my_usebytes = 0;
+ this->other_usebytes = 0;
/* reuse old reqid if we are rekeying an existing CHILD_SA */
this->reqid = rekey ? rekey : ++reqid;
this->my_ts = linked_list_create();
@@ -810,7 +921,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->config = config;
config->get_ref(config);
- /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
+ /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
if (config->get_mode(config) == MODE_TRANSPORT &&
config->use_proxy_mode(config))
{
@@ -837,7 +948,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
host = host_create_from_chunk(family, addr, 0);
free(addr.ptr);
DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
- this->my_addr, host);
+ this->my_addr, host);
this->my_addr->destroy(this->my_addr);
this->my_addr = host;
}
@@ -858,7 +969,7 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
host = host_create_from_chunk(family, addr, 0);
free(addr.ptr);
DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
- this->other_addr, host);
+ this->other_addr, host);
this->other_addr->destroy(this->other_addr);
this->other_addr = host;
}
diff --git a/src/charon/sa/child_sa.h b/src/charon/sa/child_sa.h
index ec9b36dab..698da8bc7 100644
--- a/src/charon/sa/child_sa.h
+++ b/src/charon/sa/child_sa.h
@@ -85,11 +85,11 @@ extern enum_name_t *child_sa_state_names;
/**
* Represents an IPsec SAs between two hosts.
- *
+ *
* A child_sa_t contains two SAs. SAs for both
* directions are managed in one child_sa_t object. Both
* SAs and the policies have the same reqid.
- *
+ *
* The procedure for child sa setup is as follows:
* - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
* - A send the proposals with the allocated SPIs to B
@@ -98,7 +98,7 @@ extern enum_name_t *child_sa_state_names;
* - B calls child_sa_t.install for both, the allocated and received SPI
* - B sends the proposal with the allocated SPI to A
* - A calls child_sa_t.install for both, the allocated and recevied SPI
- *
+ *
* Once SAs are set up, policies can be added using add_policies.
*/
struct child_sa_t {
@@ -112,7 +112,7 @@ struct child_sa_t {
/**
* Get the reqid of the CHILD SA.
- *
+ *
* Every CHILD_SA has a reqid. The kernel uses this ID to
* identify it.
*
@@ -131,19 +131,19 @@ struct child_sa_t {
* Get the state of the CHILD_SA.
*
* @return CHILD_SA state
- */
+ */
child_sa_state_t (*get_state) (child_sa_t *this);
/**
* Set the state of the CHILD_SA.
*
* @param state state to set on CHILD_SA
- */
+ */
void (*set_state) (child_sa_t *this, child_sa_state_t state);
/**
* Get the SPI of this CHILD_SA.
- *
+ *
* Set the boolean parameter inbound to TRUE to
* get the SPI for which we receive packets, use
* FALSE to get those we use for sending packets.
@@ -155,7 +155,7 @@ struct child_sa_t {
/**
* Get the CPI of this CHILD_SA.
- *
+ *
* Set the boolean parameter inbound to TRUE to
* get the CPI for which we receive packets, use
* FALSE to get those we use for sending packets.
@@ -202,7 +202,7 @@ struct child_sa_t {
/**
* Set the IPComp algorithm to use.
- *
+ *
* @param ipcomp the IPComp transform to use
*/
void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
@@ -219,7 +219,7 @@ struct child_sa_t {
*
* @param proposal selected proposal
*/
- void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
+ void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
/**
* Check if this CHILD_SA uses UDP encapsulation.
@@ -237,19 +237,21 @@ struct child_sa_t {
u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
/**
- * Get last use time of the CHILD_SA.
+ * Get last use time and the number of bytes processed.
*
- * @param inbound TRUE for inbound traffic, FALSE for outbound
- * @return time of last use in seconds
+ * @param inbound TRUE for inbound traffic, FALSE for outbound
+ * @param[out] time time of last use in seconds (NULL to ignore)
+ * @param[out] bytes number of processed bytes (NULL to ignore)
*/
- u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
+ void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
+ u_int64_t *bytes);
/**
* Get the traffic selectors list added for one side.
*
* @param local TRUE for own traffic selectors, FALSE for remote
* @return list of traffic selectors
- */
+ */
linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
/**
@@ -296,7 +298,7 @@ struct child_sa_t {
* @param my_ts traffic selectors for local site
* @param other_ts traffic selectors for remote site
* @return SUCCESS or FAILED
- */
+ */
status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
linked_list_t *other_ts_list);
/**
diff --git a/src/charon/sa/connect_manager.c b/src/charon/sa/connect_manager.c
index a1b037de4..f26cf9405 100644
--- a/src/charon/sa/connect_manager.c
+++ b/src/charon/sa/connect_manager.c
@@ -1568,7 +1568,7 @@ connect_manager_t *connect_manager_create()
this->checklists = linked_list_create();
this->initiated = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
return (connect_manager_t*)this;
}
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c
index 6b7fa3582..be973a2ce 100644
--- a/src/charon/sa/ike_sa.c
+++ b/src/charon/sa/ike_sa.c
@@ -260,7 +260,7 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
{
enumerator_t *enumerator;
child_sa_t *child_sa;
- time_t use_time;
+ time_t use_time, current;
if (inbound)
{
@@ -273,7 +273,8 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound)
enumerator = this->child_sas->create_enumerator(this->child_sas);
while (enumerator->enumerate(enumerator, &child_sa))
{
- use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
+ child_sa->get_usestats(child_sa, inbound, &current, NULL);
+ use_time = max(use_time, current);
}
enumerator->destroy(enumerator);
@@ -1169,7 +1170,8 @@ static status_t initiate(private_ike_sa_t *this,
#endif /* ME */
{
/* normal IKE_SA with CHILD_SA */
- task = (task_t*)child_create_create(&this->public, child_cfg, tsi, tsr);
+ task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
+ tsi, tsr);
child_cfg->destroy(child_cfg);
if (reqid)
{
@@ -1747,6 +1749,7 @@ static status_t roam(private_ike_sa_t *this, bool address)
{
case IKE_CREATED:
case IKE_DELETING:
+ case IKE_DESTROYING:
case IKE_PASSIVE:
return SUCCESS;
default:
@@ -1775,10 +1778,46 @@ static status_t roam(private_ike_sa_t *this, bool address)
DBG2(DBG_IKE, "keeping connection path %H - %H",
src, this->other_host);
src->destroy(src);
+ set_condition(this, COND_STALE, FALSE);
+ return SUCCESS;
+ }
+ src->destroy(src);
+
+ }
+ else
+ {
+ /* check if we find a route at all */
+ enumerator_t *enumerator;
+ host_t *addr;
+
+ src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
+ this->other_host, NULL);
+ if (!src)
+ {
+ enumerator = this->additional_addresses->create_enumerator(
+ this->additional_addresses);
+ while (enumerator->enumerate(enumerator, &addr))
+ {
+ DBG1(DBG_IKE, "looking for a route to %H ...", addr);
+ src = charon->kernel_interface->get_source_addr(
+ charon->kernel_interface, addr, NULL);
+ if (src)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ if (!src)
+ {
+ DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
+ this->other_host);
+ set_condition(this, COND_STALE, TRUE);
return SUCCESS;
}
src->destroy(src);
}
+ set_condition(this, COND_STALE, FALSE);
/* update addresses with mobike, if supported ... */
if (supports_extension(this, EXT_MOBIKE))
diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h
index b751bda0c..41d7a7976 100644
--- a/src/charon/sa/ike_sa.h
+++ b/src/charon/sa/ike_sa.h
@@ -127,6 +127,11 @@ enum ike_condition_t {
* Local peer is the "original" IKE initiator. Unaffected from rekeying.
*/
COND_ORIGINAL_INITIATOR = (1<<6),
+
+ /**
+ * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
+ */
+ COND_STALE = (1<<7),
};
/**
diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c
index efe7c228c..ec1a7f741 100644
--- a/src/charon/sa/ike_sa_manager.c
+++ b/src/charon/sa/ike_sa_manager.c
@@ -133,7 +133,7 @@ static entry_t *entry_create()
entry_t *this = malloc_thing(entry_t);
this->waiting_threads = 0;
- this->condvar = condvar_create(CONDVAR_DEFAULT);
+ this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
/* we set checkout flag when we really give it out */
this->checked_out = FALSE;
@@ -1050,7 +1050,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
enumerator_t *enumerator;
entry_t *entry;
ike_sa_t *ike_sa = NULL;
- peer_cfg_t *current_cfg;
+ peer_cfg_t *current_peer;
+ ike_cfg_t *current_ike;
u_int segment;
if (!this->reuse_ikesa)
@@ -1072,14 +1073,18 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this,
continue;
}
- current_cfg = entry->ike_sa->get_peer_cfg(entry->ike_sa);
- if (current_cfg && current_cfg->equals(current_cfg, peer_cfg))
+ current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
+ if (current_peer && current_peer->equals(current_peer, peer_cfg))
{
- DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
- current_cfg->get_name(current_cfg));
- entry->checked_out = TRUE;
- ike_sa = entry->ike_sa;
- break;
+ current_ike = current_peer->get_ike_cfg(current_peer);
+ if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
+ {
+ DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config",
+ current_peer->get_name(current_peer));
+ entry->checked_out = TRUE;
+ ike_sa = entry->ike_sa;
+ break;
+ }
}
}
enumerator->destroy(enumerator);
@@ -1554,6 +1559,17 @@ static void flush(private_ike_sa_manager_t *this)
while (enumerator->enumerate(enumerator, &entry, &segment))
{
charon->bus->set_sa(charon->bus, entry->ike_sa);
+ /* as the delete never gets processed, fire down events */
+ switch (entry->ike_sa->get_state(entry->ike_sa))
+ {
+ case IKE_ESTABLISHED:
+ case IKE_REKEYING:
+ case IKE_DELETING:
+ charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
+ break;
+ default:
+ break;
+ }
entry->ike_sa->delete(entry->ike_sa);
}
enumerator->destroy(enumerator);
@@ -1695,7 +1711,7 @@ ike_sa_manager_t *ike_sa_manager_create()
this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
for (i = 0; i < this->segment_count; ++i)
{
- this->segments[i].mutex = mutex_create(MUTEX_RECURSIVE);
+ this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
this->segments[i].count = 0;
}
@@ -1704,7 +1720,7 @@ ike_sa_manager_t *ike_sa_manager_create()
this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
for (i = 0; i < this->segment_count; ++i)
{
- this->half_open_segments[i].lock = rwlock_create(RWLOCK_DEFAULT);
+ this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
this->half_open_segments[i].count = 0;
}
@@ -1713,7 +1729,7 @@ ike_sa_manager_t *ike_sa_manager_create()
this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
for (i = 0; i < this->segment_count; ++i)
{
- this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_DEFAULT);
+ this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
this->connected_peers_segments[i].count = 0;
}
diff --git a/src/charon/sa/keymat.c b/src/charon/sa/keymat.c
index 117d260ba..46fb79587 100644
--- a/src/charon/sa/keymat.c
+++ b/src/charon/sa/keymat.c
@@ -419,6 +419,9 @@ static bool derive_child_keys(private_keymat_t *this,
case ENCR_AES_CCM_ICV8:
case ENCR_AES_CCM_ICV12:
case ENCR_AES_CCM_ICV16:
+ case ENCR_CAMELLIA_CCM_ICV8:
+ case ENCR_CAMELLIA_CCM_ICV12:
+ case ENCR_CAMELLIA_CCM_ICV16:
enc_size += 3;
break;
case ENCR_AES_GCM_ICV8:
diff --git a/src/charon/sa/mediation_manager.c b/src/charon/sa/mediation_manager.c
index 890e567c7..a69c00173 100644
--- a/src/charon/sa/mediation_manager.c
+++ b/src/charon/sa/mediation_manager.c
@@ -331,7 +331,7 @@ mediation_manager_t *mediation_manager_create()
this->public.check_and_register = (ike_sa_id_t*(*)(mediation_manager_t*,identification_t*,identification_t*))check_and_register;
this->peers = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
return (mediation_manager_t*)this;
}
diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c
index 2cd9532eb..f33fcd6d4 100644
--- a/src/charon/sa/task_manager.c
+++ b/src/charon/sa/task_manager.c
@@ -220,6 +220,10 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
{
DBG1(DBG_IKE, "giving up after %d retransmits",
this->initiating.retransmitted - 1);
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+ {
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ }
return DESTROY_ME;
}
@@ -240,6 +244,7 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id)
{
DBG1(DBG_IKE, "giving up after %d path probings",
this->initiating.retransmitted - 1);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
return DESTROY_ME;
}
@@ -431,6 +436,12 @@ static status_t build_request(private_task_manager_t *this)
break;
case FAILED:
default:
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
+ {
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ }
+ /* FALL */
+ case DESTROY_ME:
/* critical failure, destroy IKE_SA */
iterator->destroy(iterator);
message->destroy(message);
@@ -451,6 +462,7 @@ static status_t build_request(private_task_manager_t *this)
* close the SA */
message->destroy(message);
flush(this);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
return DESTROY_ME;
}
@@ -474,6 +486,7 @@ static status_t process_response(private_task_manager_t *this,
DBG1(DBG_IKE, "received %N response, but expected %N",
exchange_type_names, message->get_exchange_type(message),
exchange_type_names, this->initiating.type);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
return DESTROY_ME;
}
@@ -494,6 +507,9 @@ static status_t process_response(private_task_manager_t *this,
break;
case FAILED:
default:
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ /* FALL */
+ case DESTROY_ME:
/* critical failure, destroy IKE_SA */
iterator->remove(iterator);
iterator->destroy(iterator);
@@ -604,6 +620,9 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
break;
case FAILED:
default:
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ /* FALL */
+ case DESTROY_ME:
/* destroy IKE_SA, but SEND response first */
delete = TRUE;
break;
@@ -631,6 +650,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
message->destroy(message);
if (status != SUCCESS)
{
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
return DESTROY_ME;
}
@@ -678,7 +698,8 @@ static status_t process_request(private_task_manager_t *this,
this->passive_tasks->insert_last(this->passive_tasks, task);
task = (task_t*)ike_config_create(this->ike_sa, FALSE);
this->passive_tasks->insert_last(this->passive_tasks, task);
- task = (task_t*)child_create_create(this->ike_sa, NULL, NULL, NULL);
+ task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
+ NULL, NULL);
this->passive_tasks->insert_last(this->passive_tasks, task);
task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
this->passive_tasks->insert_last(this->passive_tasks, task);
@@ -726,8 +747,8 @@ static status_t process_request(private_task_manager_t *this,
}
else
{
- task = (task_t*)child_create_create(this->ike_sa,
- NULL, NULL, NULL);
+ task = (task_t*)child_create_create(this->ike_sa, NULL,
+ FALSE, NULL, NULL);
}
}
else
@@ -831,6 +852,9 @@ static status_t process_request(private_task_manager_t *this,
break;
case FAILED:
default:
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ /* FALL */
+ case DESTROY_ME:
/* critical failure, destroy IKE_SA */
iterator->remove(iterator);
iterator->destroy(iterator);
diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c
index f51443738..558938f2e 100644
--- a/src/charon/sa/tasks/child_create.c
+++ b/src/charon/sa/tasks/child_create.c
@@ -158,6 +158,11 @@ struct private_child_create_t {
* successfully established the CHILD?
*/
bool established;
+
+ /**
+ * whether the CHILD_SA rekeys an existing one
+ */
+ bool rekey;
};
/**
@@ -249,7 +254,7 @@ static bool allocate_spi(private_child_create_t *this)
*/
static status_t select_and_install(private_child_create_t *this, bool no_dh)
{
- status_t status;
+ status_t status, status_i, status_o;
chunk_t nonce_i, nonce_r;
chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
@@ -401,22 +406,22 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
this->my_cpi = this->other_cpi = 0;
this->ipcomp = IPCOMP_NONE;
}
- status = FAILED;
+ status_i = status_o = FAILED;
if (this->keymat->derive_child_keys(this->keymat, this->proposal,
this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
{
if (this->initiator)
{
- status = this->child_sa->install(this->child_sa, encr_r, integ_r,
+ status_i = this->child_sa->install(this->child_sa, encr_r, integ_r,
this->my_spi, this->my_cpi, TRUE);
- status = this->child_sa->install(this->child_sa, encr_i, integ_i,
+ status_o = this->child_sa->install(this->child_sa, encr_i, integ_i,
this->other_spi, this->other_cpi, FALSE);
}
else
{
- status = this->child_sa->install(this->child_sa, encr_i, integ_i,
+ status_i = this->child_sa->install(this->child_sa, encr_i, integ_i,
this->my_spi, this->my_cpi, TRUE);
- status = this->child_sa->install(this->child_sa, encr_r, integ_r,
+ status_o = this->child_sa->install(this->child_sa, encr_r, integ_r,
this->other_spi, this->other_cpi, FALSE);
}
}
@@ -425,9 +430,12 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh)
chunk_clear(&encr_i);
chunk_clear(&encr_r);
- if (status != SUCCESS)
+ if (status_i != SUCCESS || status_o != SUCCESS)
{
- DBG1(DBG_IKE, "unable to install IPsec SA (SAD) in kernel");
+ DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
+ (status_i != SUCCESS) ? "inbound " : "",
+ (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
+ (status_o != SUCCESS) ? "outbound " : "");
return FAILED;
}
@@ -939,7 +947,11 @@ static status_t build_r(private_child_create_t *this, message_t *message)
ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
-
+
+ if (!this->rekey)
+ { /* invoke the child_up() hook if we are not rekeying */
+ charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+ }
return SUCCESS;
}
@@ -1052,6 +1064,11 @@ static status_t process_i(private_child_create_t *this, message_t *message)
ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+
+ if (!this->rekey)
+ { /* invoke the child_up() hook if we are not rekeying */
+ charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+ }
}
else
{
@@ -1174,7 +1191,8 @@ static void destroy(private_child_create_t *this)
/*
* Described in header.
*/
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+ child_cfg_t *config, bool rekey,
traffic_selector_t *tsi, traffic_selector_t *tsr)
{
private_child_create_t *this = malloc_thing(private_child_create_t);
@@ -1222,6 +1240,7 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
this->other_cpi = 0;
this->reqid = 0;
this->established = FALSE;
+ this->rekey = rekey;
return &this->public;
}
diff --git a/src/charon/sa/tasks/child_create.h b/src/charon/sa/tasks/child_create.h
index ce2829a9a..41f4fe2c8 100644
--- a/src/charon/sa/tasks/child_create.h
+++ b/src/charon/sa/tasks/child_create.h
@@ -71,11 +71,13 @@ struct child_create_t {
*
* @param ike_sa IKE_SA this task works for
* @param config child_cfg if task initiator, NULL if responder
+ * @param rekey whether we do a rekey or not
* @param tsi source of triggering packet, or NULL
* @param tsr destination of triggering packet, or NULL
* @return child_create task to handle by the task_manager
*/
-child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config,
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+ child_cfg_t *config, bool rekey,
traffic_selector_t *tsi, traffic_selector_t *tsr);
#endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/charon/sa/tasks/child_delete.c b/src/charon/sa/tasks/child_delete.c
index 0d89c148e..7abb07a84 100644
--- a/src/charon/sa/tasks/child_delete.c
+++ b/src/charon/sa/tasks/child_delete.c
@@ -52,11 +52,16 @@ struct private_child_delete_t {
u_int32_t spi;
/**
- * wheter to enforce delete action policy
+ * whether to enforce delete action policy
*/
bool check_delete_action;
/**
+ * is this delete exchange following a rekey?
+ */
+ bool rekeyed;
+
+ /**
* CHILD_SAs which get deleted
*/
linked_list_t *child_sas;
@@ -148,6 +153,7 @@ static void process_payloads(private_child_delete_t *this, message_t *message)
switch (child_sa->get_state(child_sa))
{
case CHILD_REKEYING:
+ this->rekeyed = TRUE;
/* we reply as usual, rekeying will fail */
break;
case CHILD_DELETING:
@@ -190,6 +196,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this)
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
+ /* signal child down event if we are not rekeying */
+ if (!this->rekeyed)
+ {
+ charon->bus->child_updown(charon->bus, child_sa, FALSE);
+ }
spi = child_sa->get_spi(child_sa, TRUE);
protocol = child_sa->get_protocol(child_sa);
child_cfg = child_sa->get_config(child_sa);
@@ -229,15 +240,19 @@ static void log_children(private_child_delete_t *this)
{
iterator_t *iterator;
child_sa_t *child_sa;
+ u_int64_t bytes_in, bytes_out;
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
+ child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
+ child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
+
DBG0(DBG_IKE, "closing CHILD_SA %s{%d} "
- "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ "with SPIs %.8x_i (%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
- ntohl(child_sa->get_spi(child_sa, TRUE)),
- ntohl(child_sa->get_spi(child_sa, FALSE)),
+ ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
+ ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
child_sa->get_traffic_selectors(child_sa, TRUE),
child_sa->get_traffic_selectors(child_sa, FALSE));
}
@@ -258,7 +273,10 @@ static status_t build_i(private_child_delete_t *this, message_t *message)
return SUCCESS;
}
this->child_sas->insert_last(this->child_sas, child_sa);
-
+ if (child_sa->get_state(child_sa) == CHILD_REKEYING)
+ {
+ this->rekeyed = TRUE;
+ }
log_children(this);
build_payloads(this, message);
return NEED_MORE;
@@ -359,6 +377,7 @@ child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
this->child_sas = linked_list_create();
this->protocol = protocol;
this->spi = spi;
+ this->rekeyed = FALSE;
if (protocol != PROTO_NONE)
{
diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c
index 6ab00dc5b..601e054ea 100644
--- a/src/charon/sa/tasks/child_rekey.c
+++ b/src/charon/sa/tasks/child_rekey.c
@@ -157,7 +157,8 @@ static status_t build_i(private_child_rekey_t *this, message_t *message)
/* ... our CHILD_CREATE task does the hard work for us. */
reqid = this->child_sa->get_reqid(this->child_sa);
- this->child_create = child_create_create(this->ike_sa, config, NULL, NULL);
+ this->child_create = child_create_create(this->ike_sa, config, TRUE,
+ NULL, NULL);
this->child_create->use_reqid(this->child_create, reqid);
this->child_create->task.build(&this->child_create->task, message);
@@ -207,6 +208,10 @@ static status_t build_r(private_child_rekey_t *this, message_t *message)
}
this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+
+ /* invoke rekey hook */
+ charon->bus->child_rekey(charon->bus, this->child_sa,
+ this->child_create->get_child(this->child_create));
return SUCCESS;
}
@@ -303,6 +308,12 @@ static status_t process_i(private_child_rekey_t *this, message_t *message)
}
}
+ if (to_delete != this->child_create->get_child(this->child_create))
+ { /* invoke rekey hook if rekeying successful */
+ charon->bus->child_rekey(charon->bus, this->child_sa,
+ this->child_create->get_child(this->child_create));
+ }
+
spi = to_delete->get_spi(to_delete, TRUE);
protocol = to_delete->get_protocol(to_delete);
@@ -416,7 +427,7 @@ child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
this->initiator = FALSE;
- this->child_create = child_create_create(ike_sa, NULL, NULL, NULL);
+ this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
}
this->ike_sa = ike_sa;
diff --git a/src/charon/sa/tasks/ike_auth.c b/src/charon/sa/tasks/ike_auth.c
index 8d6cd56bd..d0b2a7e91 100644
--- a/src/charon/sa/tasks/ike_auth.c
+++ b/src/charon/sa/tasks/ike_auth.c
@@ -738,6 +738,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message)
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
return SUCCESS;
}
return NEED_MORE;
@@ -916,6 +917,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message)
this->ike_sa->get_my_id(this->ike_sa),
this->ike_sa->get_other_host(this->ike_sa),
this->ike_sa->get_other_id(this->ike_sa));
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
return SUCCESS;
}
return NEED_MORE;
diff --git a/src/charon/sa/tasks/ike_delete.c b/src/charon/sa/tasks/ike_delete.c
index f308a6358..cde117934 100644
--- a/src/charon/sa/tasks/ike_delete.c
+++ b/src/charon/sa/tasks/ike_delete.c
@@ -21,7 +21,7 @@
typedef struct private_ike_delete_t private_ike_delete_t;
-/**file
+/**
* Private members of a ike_delete_t task.
*/
struct private_ike_delete_t {
@@ -42,6 +42,11 @@ struct private_ike_delete_t {
bool initiator;
/**
+ * are we deleting a rekeyed SA?
+ */
+ bool rekeyed;
+
+ /**
* are we responding to a delete, but have initated our own?
*/
bool simultaneous;
@@ -64,6 +69,11 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
delete_payload = delete_payload_create(PROTO_IKE);
message->add_payload(message, (payload_t*)delete_payload);
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+ {
+ this->rekeyed = TRUE;
+ }
this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
@@ -79,8 +89,12 @@ static status_t build_i(private_ike_delete_t *this, message_t *message)
static status_t process_i(private_ike_delete_t *this, message_t *message)
{
DBG0(DBG_IKE, "IKE_SA deleted");
- /* completed, delete IKE_SA by returning FAILED */
- return FAILED;
+ if (!this->rekeyed)
+ { /* invoke ike_down() hook if SA has not been rekeyed */
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ }
+ /* completed, delete IKE_SA by returning DESTROY_ME */
+ return DESTROY_ME;
}
/**
@@ -106,14 +120,17 @@ static status_t process_r(private_ike_delete_t *this, message_t *message)
case IKE_ESTABLISHED:
this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
this->ike_sa->reestablish(this->ike_sa);
+ return NEED_MORE;
+ case IKE_REKEYING:
+ this->rekeyed = TRUE;
break;
case IKE_DELETING:
this->simultaneous = TRUE;
- /* FALL */
+ break;
default:
- this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
break;
}
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
return NEED_MORE;
}
@@ -129,8 +146,12 @@ static status_t build_r(private_ike_delete_t *this, message_t *message)
/* wait for peer's response for our delete request, but set a timeout */
return SUCCESS;
}
- /* completed, delete IKE_SA by returning FAILED */
- return FAILED;
+ if (!this->rekeyed)
+ { /* invoke ike_down() hook if SA has not been rekeyed */
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ }
+ /* completed, delete IKE_SA by returning DESTROY_ME */
+ return DESTROY_ME;
}
/**
@@ -182,6 +203,7 @@ ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
this->ike_sa = ike_sa;
this->initiator = initiator;
+ this->rekeyed = FALSE;
this->simultaneous = FALSE;
return &this->public;
diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c
index bead408a6..3a049b566 100644
--- a/src/charon/sa/tasks/ike_rekey.c
+++ b/src/charon/sa/tasks/ike_rekey.c
@@ -367,6 +367,8 @@ static void destroy(private_ike_rekey_t *this)
if (this->new_sa->get_state(this->new_sa) == IKE_ESTABLISHED &&
this->new_sa->inherit(this->new_sa, this->ike_sa) != DESTROY_ME)
{
+ /* invoke hook if rekeying was successful */
+ charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
}
else
diff --git a/src/charon/sa/tasks/task.h b/src/charon/sa/tasks/task.h
index f9b409f35..3d2014599 100644
--- a/src/charon/sa/tasks/task.h
+++ b/src/charon/sa/tasks/task.h
@@ -100,7 +100,8 @@ struct task_t {
*
* @param message message to add payloads to
* @return
- * - FAILED if a critical error occured
+ * - FAILED if a critical error occured
+ * - DESTROY_ME if IKE_SA has been properly deleted
* - NEED_MORE if another call to build/process needed
* - SUCCESS if task completed
*/
@@ -112,6 +113,7 @@ struct task_t {
* @param message message to read payloads from
* @return
* - FAILED if a critical error occured
+ * - DESTROY_ME if IKE_SA has been properly deleted
* - NEED_MORE if another call to build/process needed
* - SUCCESS if task completed
*/
diff --git a/src/charon/sa/trap_manager.c b/src/charon/sa/trap_manager.c
index a74fab93f..570335eb4 100644
--- a/src/charon/sa/trap_manager.c
+++ b/src/charon/sa/trap_manager.c
@@ -156,6 +156,10 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer,
me->destroy(me);
other->destroy(other);
+ /* while we don't know the finally negotiated protocol (ESP|AH), we
+ * could iterate all proposals for a best guest (TODO). But as we
+ * support ESP only for now, we set here. */
+ child_sa->set_protocol(child_sa, PROTO_ESP);
child_sa->set_mode(child_sa, child->get_mode(child));
status = child_sa->add_policies(child_sa, my_ts, other_ts);
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
@@ -358,7 +362,7 @@ trap_manager_t *trap_manager_create()
this->public.destroy = (void(*)(trap_manager_t*))destroy;
this->traps = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
/* register listener for IKE state changes */
this->listener.traps = this;
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
new file mode 100644
index 000000000..bd42c231f
--- /dev/null
+++ b/src/checksum/Makefile.am
@@ -0,0 +1,36 @@
+ipsec_LTLIBRARIES = libchecksum.la
+noinst_PROGRAMS = checksum_builder
+
+nodist_libchecksum_la_SOURCES = checksum.c
+libchecksum_la_LDFLAGS = -module -avoid-version
+
+checksum_builder_SOURCES = checksum_builder.c
+checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+
+BUILT_SOURCES = checksum.c
+CLEANFILES = checksum.c
+INCLUDES = -I$(top_srcdir)/src/libstrongswan
+AM_CFLAGS = -rdynamic
+
+libs = $(shell find $(top_builddir)/src/libstrongswan $(top_builddir)/src/charon \
+ -name 'libstrongswan*.so')
+
+if USE_CHARON
+ libs += $(top_builddir)/src/charon/.libs/charon
+endif
+
+if USE_PLUTO
+ libs += $(top_builddir)/src/pluto/.libs/pluto
+endif
+
+if USE_TOOLS
+ libs += $(top_builddir)/src/openac/.libs/openac
+ libs += $(top_builddir)/src/scepclient/.libs/scepclient
+endif
+
+if USE_SQL
+ libs += $(top_builddir)/src/charon/plugins/sql/.libs/pool
+endif
+
+checksum.c : checksum_builder $(libs)
+ ./checksum_builder $(libs) > checksum.c
diff --git a/src/libstrongswan/fips/Makefile.in b/src/checksum/Makefile.in
index cdced9423..4d38df2dd 100644
--- a/src/libstrongswan/fips/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -14,6 +14,7 @@
@SET_MAKE@
+
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -32,10 +33,14 @@ PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
-noinst_PROGRAMS = fips_signer$(EXEEXT)
-@USE_SHA1_TRUE@am__append_1 = -DUSE_SHA1
-@USE_OPENSSL_TRUE@am__append_2 = -DUSE_OPENSSL
-subdir = src/libstrongswan/fips
+noinst_PROGRAMS = checksum_builder$(EXEEXT)
+@USE_CHARON_TRUE@am__append_1 = $(top_builddir)/src/charon/.libs/charon
+@USE_PLUTO_TRUE@am__append_2 = $(top_builddir)/src/pluto/.libs/pluto
+@USE_TOOLS_TRUE@am__append_3 = \
+@USE_TOOLS_TRUE@ $(top_builddir)/src/openac/.libs/openac \
+@USE_TOOLS_TRUE@ $(top_builddir)/src/scepclient/.libs/scepclient
+@USE_SQL_TRUE@am__append_4 = $(top_builddir)/src/charon/plugins/sql/.libs/pool
+subdir = src/checksum
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/configure.in
@@ -43,10 +48,26 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
mkinstalldirs = $(install_sh) -d
CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(ipsecdir)"
+ipsecLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(ipsec_LTLIBRARIES)
+libchecksum_la_LIBADD =
+nodist_libchecksum_la_OBJECTS = checksum.lo
+libchecksum_la_OBJECTS = $(nodist_libchecksum_la_OBJECTS)
+libchecksum_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libchecksum_la_LDFLAGS) $(LDFLAGS) -o $@
PROGRAMS = $(noinst_PROGRAMS)
-am_fips_signer_OBJECTS = fips_signer.$(OBJEXT)
-fips_signer_OBJECTS = $(am_fips_signer_OBJECTS)
-fips_signer_DEPENDENCIES = ../libstrongswan.la
+am_checksum_builder_OBJECTS = checksum_builder.$(OBJEXT)
+checksum_builder_OBJECTS = $(am_checksum_builder_OBJECTS)
+checksum_builder_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -59,18 +80,20 @@ CCLD = $(CC)
LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
$(LDFLAGS) -o $@
-SOURCES = $(fips_signer_SOURCES)
-DIST_SOURCES = $(fips_signer_SOURCES)
+SOURCES = $(nodist_libchecksum_la_SOURCES) $(checksum_builder_SOURCES)
+DIST_SOURCES = $(checksum_builder_SOURCES)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -135,6 +158,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -175,7 +199,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -209,14 +235,19 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
-fips_signer_SOURCES = fips_signer.c
-fips_signer_LDADD = ../libstrongswan.la
-BUILT_SOURCES = fips_signature.h
-CLEANFILES = fips_signature.h fips_signer
+ipsec_LTLIBRARIES = libchecksum.la
+nodist_libchecksum_la_SOURCES = checksum.c
+libchecksum_la_LDFLAGS = -module -avoid-version
+checksum_builder_SOURCES = checksum_builder.c
+checksum_builder_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+BUILT_SOURCES = checksum.c
+CLEANFILES = checksum.c
INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
- -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\" \
- $(am__append_1) $(am__append_2)
+AM_CFLAGS = -rdynamic
+libs = $(shell find $(top_builddir)/src/libstrongswan \
+ $(top_builddir)/src/charon -name 'libstrongswan*.so') \
+ $(am__append_1) $(am__append_2) $(am__append_3) \
+ $(am__append_4)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-am
@@ -231,9 +262,9 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile'; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/checksum/Makefile'; \
cd $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/libstrongswan/fips/Makefile
+ $(AUTOMAKE) --gnu src/checksum/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -251,6 +282,35 @@ $(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-ipsecLTLIBRARIES: $(ipsec_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
+ @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(ipsecdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(ipsecLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(ipsecdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-ipsecLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipsecdir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipsecdir)/$$p"; \
+ done
+
+clean-ipsecLTLIBRARIES:
+ -test -z "$(ipsec_LTLIBRARIES)" || rm -f $(ipsec_LTLIBRARIES)
+ @list='$(ipsec_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+libchecksum.la: $(libchecksum_la_OBJECTS) $(libchecksum_la_DEPENDENCIES)
+ $(libchecksum_la_LINK) -rpath $(ipsecdir) $(libchecksum_la_OBJECTS) $(libchecksum_la_LIBADD) $(LIBS)
clean-noinstPROGRAMS:
@list='$(noinst_PROGRAMS)'; for p in $$list; do \
@@ -258,9 +318,9 @@ clean-noinstPROGRAMS:
echo " rm -f $$p $$f"; \
rm -f $$p $$f ; \
done
-fips_signer$(EXEEXT): $(fips_signer_OBJECTS) $(fips_signer_DEPENDENCIES)
- @rm -f fips_signer$(EXEEXT)
- $(LINK) $(fips_signer_OBJECTS) $(fips_signer_LDADD) $(LIBS)
+checksum_builder$(EXEEXT): $(checksum_builder_OBJECTS) $(checksum_builder_DEPENDENCIES)
+ @rm -f checksum_builder$(EXEEXT)
+ $(LINK) $(checksum_builder_OBJECTS) $(checksum_builder_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -268,7 +328,8 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_signer.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/checksum_builder.Po@am__quote@
.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -373,8 +434,11 @@ distdir: $(DISTFILES)
check-am: all-am
check: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) check-am
-all-am: Makefile $(PROGRAMS)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
installdirs:
+ for dir in "$(DESTDIR)$(ipsecdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
install: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) install-am
install-exec: install-exec-am
@@ -404,8 +468,8 @@ maintainer-clean-generic:
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
-clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \
- mostlyclean-am
+clean-am: clean-generic clean-ipsecLTLIBRARIES clean-libtool \
+ clean-noinstPROGRAMS mostlyclean-am
distclean: distclean-am
-rm -rf ./$(DEPDIR)
@@ -423,7 +487,7 @@ info: info-am
info-am:
-install-data-am:
+install-data-am: install-ipsecLTLIBRARIES
install-dvi: install-dvi-am
@@ -459,26 +523,28 @@ ps: ps-am
ps-am:
-uninstall-am:
+uninstall-am: uninstall-ipsecLTLIBRARIES
.MAKE: install-am install-strip
.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
- clean-libtool clean-noinstPROGRAMS ctags distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am install-dvi \
- install-dvi-am install-exec install-exec-am install-html \
- install-html-am install-info install-info-am install-man \
+ clean-ipsecLTLIBRARIES clean-libtool clean-noinstPROGRAMS \
+ ctags distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-ipsecLTLIBRARIES install-man \
install-pdf install-pdf-am install-ps install-ps-am \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
- pdf pdf-am ps ps-am tags uninstall uninstall-am
+ pdf pdf-am ps ps-am tags uninstall uninstall-am \
+ uninstall-ipsecLTLIBRARIES
-fips_signature.h : fips_signer
- ./fips_signer
+checksum.c : checksum_builder $(libs)
+ ./checksum_builder $(libs) > checksum.c
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
new file mode 100644
index 000000000..a713eb526
--- /dev/null
+++ b/src/checksum/checksum_builder.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil, Switzerland
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <dlfcn.h>
+
+#include <library.h>
+
+/* we need to fake some charon symbols to dlopen() its plugins */
+void *charon, *eap_type_names, *auth_class_names, *protocol_id_names,
+*action_names, *ipsec_mode_names, *ike_sa_state_names, *child_sa_state_names,
+*policy_dir_names, *ipcomp_transform_names, *debug_names, *controller_cb_empty;
+
+int main(int argc, char* argv[])
+{
+ int i;
+ integrity_checker_t *integrity;
+
+ /* avoid confusing leak reports in build process */
+ setenv("LEAK_DETECTIVE_DISABLE", "1", 0);
+ library_init(NULL);
+ atexit(library_deinit);
+
+ integrity = integrity_checker_create(NULL);
+
+ printf("/**\n");
+ printf(" * checksums of files and loaded code segments.\n");
+ printf(" * created by %s\n", argv[0]);
+ printf(" */\n");
+ printf("\n");
+ printf("#include <library.h>\n");
+ printf("\n");
+ printf("integrity_checksum_t checksums[] = {\n");
+ fprintf(stderr, "integrity test data:\n");
+ fprintf(stderr, "module name, file size / checksum segment size / checksum\n");
+ for (i = 1; i < argc; i++)
+ {
+ char *name, *path, *sname = NULL;
+ void *handle, *symbol;
+ u_int32_t fsum, ssum;
+ size_t fsize = 0;
+ size_t ssize = 0;
+
+ path = argv[i];
+
+ if ((name = strstr(path, "libstrongswan-")))
+ {
+ name = strdup(name + strlen("libstrongswan-"));
+ name[strlen(name) - 3] = '"';
+ name[strlen(name) - 2] = ',';
+ name[strlen(name) - 1] = '\0';
+ sname = "plugin_create";
+ }
+ else if (strstr(path, "libstrongswan.so"))
+ {
+ name = strdup("libstrongswan\",");
+ sname = "library_init";
+ }
+ else if (strstr(path, "pool"))
+ {
+ name = strdup("pool\",");
+ }
+ else if (strstr(path, "charon"))
+ {
+ name = strdup("charon\",");
+ }
+ else if (strstr(path, "pluto"))
+ {
+ name = strdup("pluto\",");
+ }
+ else if (strstr(path, "openac"))
+ {
+ name = strdup("openac\",");
+ }
+ else if (strstr(path, "scepclient"))
+ {
+ name = strdup("scepclient\",");
+ }
+ else
+ {
+ fprintf(stderr, "don't know how to handle '%s', ignored", path);
+ continue;
+ }
+
+ fsum = integrity->build_file(integrity, path, &fsize);
+ ssum = 0;
+ if (sname)
+ {
+ handle = dlopen(path, RTLD_LAZY);
+ if (handle)
+ {
+ symbol = dlsym(handle, sname);
+ if (symbol)
+ {
+ ssum = integrity->build_segment(integrity, symbol, &ssize);
+ }
+ else
+ {
+ fprintf(stderr, "symbol lookup failed: %s\n", dlerror());
+ }
+ dlclose(handle);
+ }
+ else
+ {
+ fprintf(stderr, "dlopen failed: %s\n", dlerror());
+ }
+ }
+ printf("\t{\"%-20s%7u, 0x%08x, %6u, 0x%08x},\n",
+ name, fsize, fsum, ssize, ssum);
+ fprintf(stderr, "\"%-20s%7u / 0x%08x %6u / 0x%08x\n",
+ name, fsize, fsum, ssize, ssum);
+ free(name);
+ }
+ printf("};\n");
+ printf("\n");
+ printf("int checksum_count = countof(checksums);\n");
+ printf("\n");
+ integrity->destroy(integrity);
+
+ exit(0);
+}
+
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index fdbf41f47..817e31104 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -83,12 +83,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -193,7 +196,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/dumm/mconsole.c b/src/dumm/mconsole.c
index 72d6d1b5e..2ed96d562 100644
--- a/src/dumm/mconsole.c
+++ b/src/dumm/mconsole.c
@@ -149,7 +149,7 @@ static int request(private_mconsole_t *this, void(*cb)(void*,char*,size_t),
{
if (reply.len && *reply.data)
{
- DBG1("received mconsole error %d: %*.s",
+ DBG1("received mconsole error %d: %.*s",
reply.err, reply.len, reply.data);
}
break;
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 7ee0793ec..495d02cc2 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -43,12 +43,14 @@ SOURCES =
DIST_SOURCES =
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -113,6 +115,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -153,7 +156,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index d5a6dc82f..de069b928 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -51,12 +51,14 @@ NROFF = nroff
MANS = $(dist_man8_MANS)
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -121,6 +123,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -161,7 +164,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 98f5ddd88..266898984 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -71,12 +71,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -141,6 +143,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -181,7 +184,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in
index 37c32b9fa..31ea3a634 100644
--- a/src/libfreeswan/Makefile.in
+++ b/src/libfreeswan/Makefile.in
@@ -83,12 +83,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -153,6 +155,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -193,7 +196,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/libfreeswan/anyaddr.c b/src/libfreeswan/anyaddr.c
index 2e9fa2787..f2eb8d07a 100644
--- a/src/libfreeswan/anyaddr.c
+++ b/src/libfreeswan/anyaddr.c
@@ -17,12 +17,13 @@
#include "internal.h"
#include "freeswan.h"
-/* these are mostly fallbacks for the no-IPv6-support-in-library case */
-#ifndef IN6ADDR_ANY_INIT
-#define IN6ADDR_ANY_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}
-#endif
-#ifndef IN6ADDR_LOOPBACK_INIT
-#define IN6ADDR_LOOPBACK_INIT {{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}
+/* OpenSolaris defines strange versions of these macros */
+#ifdef __sun
+#undef IN6ADDR_ANY_INIT
+#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
+
+#undef IN6ADDR_LOOPBACK_INIT
+#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
#endif
static struct in6_addr v6any = IN6ADDR_ANY_INIT;
diff --git a/src/libfreeswan/atoaddr.3 b/src/libfreeswan/atoaddr.3
index fce8884e4..10da2691c 100644
--- a/src/libfreeswan/atoaddr.3
+++ b/src/libfreeswan/atoaddr.3
@@ -54,7 +54,7 @@ on a big-endian host and
.B 4.3.2.1
on a little-endian host),
a DNS name to be looked up via
-.IR gethostbyname (3),
+.IR getaddrinfo (3),
or an old-style network name to be looked up via
.IR getnetbyname (3).
.PP
@@ -91,10 +91,8 @@ DNS names may be complete (optionally terminated with a ``.'')
or incomplete, and are looked up as specified by local system configuration
(see
.IR resolver (5)).
-The
-.I h_addr
-value returned by
-.IR gethostbyname (3)
+The first value returned by
+.IR getaddrinfo (3)
is used,
so with current DNS implementations,
the result when the name corresponds to more than one address is
@@ -102,7 +100,7 @@ difficult to predict.
Name lookup resorts to
.IR getnetbyname (3)
only if
-.IR gethostbyname (3)
+.IR getaddrinfo (3)
fails.
.PP
A subnet specification is of the form \fInetwork\fB/\fImask\fR.
diff --git a/src/libfreeswan/atoaddr.c b/src/libfreeswan/atoaddr.c
index dd73be7f3..cbda541d3 100644
--- a/src/libfreeswan/atoaddr.c
+++ b/src/libfreeswan/atoaddr.c
@@ -12,6 +12,8 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*/
+#include <sys/socket.h>
+
#include "internal.h"
#include "freeswan.h"
@@ -41,7 +43,7 @@ const char *src;
size_t srclen; /* 0 means "apply strlen" */
struct in_addr *addrp;
{
- struct hostent *h;
+ struct addrinfo hints, *res;
struct netent *ne = NULL;
const char *oops;
# define HEXLEN 10 /* strlen("0x11223344") */
@@ -51,6 +53,7 @@ struct in_addr *addrp;
char namebuf[ATOADDRBUF];
char *p = namebuf;
char *q;
+ int error;
if (srclen == 0)
srclen = strlen(src);
@@ -87,18 +90,34 @@ struct in_addr *addrp;
return "illegal (non-DNS-name) character in name";
/* try as host name, failing that as /etc/networks network name */
- h = gethostbyname(p);
- if (h == NULL)
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET;
+ error = getaddrinfo(p, NULL, &hints, &res);
+ if (error != 0)
+ {
ne = getnetbyname(p);
+ if (ne == NULL)
+ {
+ if (p != namebuf)
+ {
+ FREE(p);
+ }
+ return "name lookup failed";
+ }
+ addrp->s_addr = htonl(ne->n_net);
+ }
+ else
+ {
+ struct sockaddr_in *in = (struct sockaddr_in*)res->ai_addr;
+ memcpy(&addrp->s_addr, &in->sin_addr.s_addr, sizeof(addrp->s_addr));
+ freeaddrinfo(res);
+ }
+
if (p != namebuf)
+ {
FREE(p);
- if (h == NULL && ne == NULL)
- return "name lookup failed";
+ }
- if (h != NULL)
- memcpy(&addrp->s_addr, h->h_addr, sizeof(addrp->s_addr));
- else
- addrp->s_addr = htonl(ne->n_net);
return NULL;
}
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
index cb14cd678..77ce8f2be 100644
--- a/src/libfreeswan/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -20,11 +20,6 @@
# include <stdio.h>
# include <netinet/in.h>
-# define uint8_t u_int8_t
-# define uint16_t u_int16_t
-# define uint32_t u_int32_t
-# define uint64_t u_int64_t
-
# define DEBUG_NO_STATIC static
#include <ipsec_param.h>
diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 5ef5e747c..461299c78 100644
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -303,33 +303,40 @@ struct sadb_protocol {
#define SADB_SASTATE_DEAD 3
#define SADB_SASTATE_MAX 3
-#define SADB_SAFLAGS_PFS 1
+#define SADB_SAFLAGS_PFS 1
#define SADB_X_SAFLAGS_REPLACEFLOW 2
#define SADB_X_SAFLAGS_CLEARFLOW 4
#define SADB_X_SAFLAGS_INFLOW 8
/* Authentication algorithms */
-#define SADB_AALG_NONE 0
-#define SADB_AALG_MD5HMAC 2
-#define SADB_AALG_SHA1HMAC 3
+#define SADB_AALG_NONE 0
+#define SADB_AALG_MD5HMAC 2
+#define SADB_AALG_SHA1HMAC 3
#define SADB_X_AALG_SHA2_256HMAC 5
#define SADB_X_AALG_SHA2_384HMAC 6
#define SADB_X_AALG_SHA2_512HMAC 7
#define SADB_X_AALG_RIPEMD160HMAC 8
#define SADB_X_AALG_AES_XCBC_MAC 9
-#define SADB_X_AALG_NULL 251 /* kame */
-#define SADB_AALG_MAX 251
+#define SADB_X_AALG_NULL 251 /* kame */
+#define SADB_AALG_MAX 251
/* Encryption algorithms */
-#define SADB_EALG_NONE 0
-#define SADB_EALG_DESCBC 2
-#define SADB_EALG_3DESCBC 3
-#define SADB_X_EALG_CASTCBC 6
+#define SADB_EALG_NONE 0
+#define SADB_EALG_DESCBC 2
+#define SADB_EALG_3DESCBC 3
+#define SADB_X_EALG_CASTCBC 6
#define SADB_X_EALG_BLOWFISHCBC 7
-#define SADB_EALG_NULL 11
-#define SADB_X_EALG_AESCBC 12
+#define SADB_EALG_NULL 11
+#define SADB_X_EALG_AESCBC 12
+#define SADB_X_EALG_AESCTR 13
+#define SADB_X_EALG_AES_CCM_ICV8 14
+#define SADB_X_EALG_AES_CCM_ICV12 15
+#define SADB_X_EALG_AES_CCM_ICV16 16
+#define SADB_X_EALG_AES_GCM_ICV8 18
+#define SADB_X_EALG_AES_GCM_ICV12 19
+#define SADB_X_EALG_AES_GCM_ICV16 20
#define SADB_X_EALG_CAMELLIACBC 22
-#define SADB_EALG_MAX 253 /* last EALG */
+#define SADB_EALG_MAX 253 /* last EALG */
/* private allocations should use 249-255 (RFC2407) */
#define SADB_X_EALG_SERPENTCBC 252 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
#define SADB_X_EALG_TWOFISHCBC 253 /* draft-ietf-ipsec-ciph-aes-cbc-00 */
diff --git a/src/libfreeswan/ttoaddr.3 b/src/libfreeswan/ttoaddr.3
index 70671145e..d43d2b16f 100644
--- a/src/libfreeswan/ttoaddr.3
+++ b/src/libfreeswan/ttoaddr.3
@@ -59,7 +59,7 @@ on a big-endian host and
.B 4.3.2.1
on a little-endian host),
a DNS name to be looked up via
-.IR gethostbyname (3),
+.IR getaddrinfo (3),
or an old-style network name to be looked up via
.IR getnetbyname (3).
.PP
@@ -100,7 +100,7 @@ abbreviating at most one subsequence of multiple zeros (e.g.
which is synonymous with
.BR 99:ab:0:0:0:0:54:68 ),
or a DNS name to be looked up via
-.IR gethostbyname (3).
+.IR getaddrinfo (3).
The result of applying
.I addrtot
to an IPv6 address will use
@@ -115,10 +115,8 @@ DNS names may be complete (optionally terminated with a ``.'')
or incomplete, and are looked up as specified by local system configuration
(see
.IR resolver (5)).
-The
-.I h_addr
-value returned by
-.IR gethostbyname2 (3)
+The first value returned by
+.IR getaddrinfo (3)
is used,
so with current DNS implementations,
the result when the name corresponds to more than one address is
@@ -126,7 +124,7 @@ difficult to predict.
IPv4 name lookup resorts to
.IR getnetbyname (3)
only if
-.IR gethostbyname2 (3)
+.IR getaddrinfo (3)
fails.
.PP
A subnet specification is of the form \fInetwork\fB/\fImask\fR.
diff --git a/src/libfreeswan/ttoaddr.c b/src/libfreeswan/ttoaddr.c
index e4ceec863..bda2be5ed 100644
--- a/src/libfreeswan/ttoaddr.c
+++ b/src/libfreeswan/ttoaddr.c
@@ -157,12 +157,15 @@ int nultermd; /* is it known to be NUL-terminated? */
int af;
ip_address *dst;
{
- struct hostent *h;
+ struct addrinfo hints, *res;
struct netent *ne = NULL;
char namebuf[100]; /* enough for most DNS names */
const char *cp;
char *p = namebuf;
+ unsigned char *addr = NULL;
size_t n;
+ int error;
+ err_t err = NULL;
for (cp = src, n = srclen; n > 0; cp++, n--)
if (ISASCII(*cp) && strchr(namechars, *cp) == NULL)
@@ -181,25 +184,67 @@ ip_address *dst;
cp = (const char *)p;
}
- h = gethostbyname2(cp, af);
- if (h == NULL && af == AF_INET)
- ne = getnetbyname(cp);
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = af;
+ error = getaddrinfo(cp, NULL, &hints, &res);
+ if (error != 0)
+ { /* getaddrinfo failed, try getnetbyname */
+ if (af == AF_INET)
+ {
+ ne = getnetbyname(cp);
+ if (ne != NULL)
+ {
+ ne->n_net = htonl(ne->n_net);
+ addr = (unsigned char*)&ne->n_net;
+ err = initaddr(addr, sizeof(ne->n_net), af, dst);
+ }
+ }
+ }
+ else
+ {
+ struct addrinfo *r = res;
+ while (r)
+ {
+ size_t addr_len;
+ switch (r->ai_family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in *in = (struct sockaddr_in*)r->ai_addr;
+ addr_len = 4;
+ addr = (unsigned char*)&in->sin_addr.s_addr;
+ break;
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *in6 = (struct sockaddr_in6*)r->ai_addr;
+ addr_len = 16;
+ addr = (unsigned char*)&in6->sin6_addr.s6_addr;
+ break;
+ }
+ default:
+ { /* unknown family, try next result */
+ r = r->ai_next;
+ continue;
+ }
+ }
+ err = initaddr(addr, addr_len, r->ai_family, dst);
+ break;
+ }
+ freeaddrinfo(res);
+ }
+
if (p != namebuf)
+ {
FREE(p);
- if (h == NULL && ne == NULL)
- return "does not look numeric and name lookup failed";
+ }
- if (h != NULL) {
- if (h->h_addrtype != af)
- return "address-type mismatch from gethostbyname2!!!";
- return initaddr((unsigned char *)h->h_addr, h->h_length, af, dst);
- } else {
- if (ne->n_addrtype != af)
- return "address-type mismatch from getnetbyname!!!";
- ne->n_net = htonl(ne->n_net);
- return initaddr((unsigned char *)&ne->n_net, sizeof(ne->n_net),
- af, dst);
+ if (addr == NULL)
+ {
+ return "does not look numeric and name lookup failed";
}
+
+ return err;
}
/*
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 212b9547d..ee6996558 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -1,14 +1,6 @@
lib_LTLIBRARIES = libstrongswan.la
-if USE_INTEGRITY_TEST
- libstrongswan_la_SOURCES = \
- fips/fips_canister_start.c \
- fips/fips.c fips/fips.h
-else
- libstrongswan_la_SOURCES =
-endif
-
-libstrongswan_la_SOURCES += \
+libstrongswan_la_SOURCES = \
library.c library.h \
chunk.c chunk.h \
debug.c debug.h \
@@ -58,7 +50,7 @@ utils/mutex.c utils/mutex.h \
utils/backtrace.c utils/backtrace.h \
plugins/plugin_loader.c plugins/plugin_loader.h plugins/plugin.h
-libstrongswan_la_LIBADD = -lpthread $(DLLIB)
+libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB)
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = \
@@ -76,8 +68,9 @@ if USE_LOCK_PROFILER
endif
if USE_INTEGRITY_TEST
+ AM_CFLAGS += -DINTEGRITY_TEST
libstrongswan_la_SOURCES += \
- fips/fips_canister_end.c
+ integrity_checker.c integrity_checker.h
endif
if USE_VSTR
@@ -204,7 +197,3 @@ endif
if USE_TEST_VECTORS
SUBDIRS += plugins/test_vectors
endif
-
-if USE_INTEGRITY_TEST
- SUBDIRS += fips
-endif
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index dd25f0526..ae751c098 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -37,31 +37,34 @@ host_triplet = @host@
@USE_LEAK_DETECTIVE_TRUE@ utils/leak_detective.c utils/leak_detective.h
@USE_LOCK_PROFILER_TRUE@am__append_3 = -DLOCK_PROFILER
-@USE_VSTR_TRUE@am__append_4 = -lvstr
-@USE_AES_TRUE@am__append_5 = plugins/aes
-@USE_DES_TRUE@am__append_6 = plugins/des
-@USE_BLOWFISH_TRUE@am__append_7 = plugins/blowfish
-@USE_MD4_TRUE@am__append_8 = plugins/md4
-@USE_MD5_TRUE@am__append_9 = plugins/md5
-@USE_SHA1_TRUE@am__append_10 = plugins/sha1
-@USE_SHA2_TRUE@am__append_11 = plugins/sha2
-@USE_FIPS_PRF_TRUE@am__append_12 = plugins/fips_prf
-@USE_GMP_TRUE@am__append_13 = plugins/gmp
-@USE_RANDOM_TRUE@am__append_14 = plugins/random
-@USE_HMAC_TRUE@am__append_15 = plugins/hmac
-@USE_XCBC_TRUE@am__append_16 = plugins/xcbc
-@USE_X509_TRUE@am__append_17 = plugins/x509
-@USE_PUBKEY_TRUE@am__append_18 = plugins/pubkey
-@USE_CURL_TRUE@am__append_19 = plugins/curl
-@USE_LDAP_TRUE@am__append_20 = plugins/ldap
-@USE_MYSQL_TRUE@am__append_21 = plugins/mysql
-@USE_SQLITE_TRUE@am__append_22 = plugins/sqlite
-@USE_PADLOCK_TRUE@am__append_23 = plugins/padlock
-@USE_OPENSSL_TRUE@am__append_24 = plugins/openssl
-@USE_GCRYPT_TRUE@am__append_25 = plugins/gcrypt
-@USE_AGENT_TRUE@am__append_26 = plugins/agent
-@USE_TEST_VECTORS_TRUE@am__append_27 = plugins/test_vectors
-@USE_INTEGRITY_TEST_TRUE@am__append_28 = fips
+@USE_INTEGRITY_TEST_TRUE@am__append_4 = -DINTEGRITY_TEST
+@USE_INTEGRITY_TEST_TRUE@am__append_5 = \
+@USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h
+
+@USE_VSTR_TRUE@am__append_6 = -lvstr
+@USE_AES_TRUE@am__append_7 = plugins/aes
+@USE_DES_TRUE@am__append_8 = plugins/des
+@USE_BLOWFISH_TRUE@am__append_9 = plugins/blowfish
+@USE_MD4_TRUE@am__append_10 = plugins/md4
+@USE_MD5_TRUE@am__append_11 = plugins/md5
+@USE_SHA1_TRUE@am__append_12 = plugins/sha1
+@USE_SHA2_TRUE@am__append_13 = plugins/sha2
+@USE_FIPS_PRF_TRUE@am__append_14 = plugins/fips_prf
+@USE_GMP_TRUE@am__append_15 = plugins/gmp
+@USE_RANDOM_TRUE@am__append_16 = plugins/random
+@USE_HMAC_TRUE@am__append_17 = plugins/hmac
+@USE_XCBC_TRUE@am__append_18 = plugins/xcbc
+@USE_X509_TRUE@am__append_19 = plugins/x509
+@USE_PUBKEY_TRUE@am__append_20 = plugins/pubkey
+@USE_CURL_TRUE@am__append_21 = plugins/curl
+@USE_LDAP_TRUE@am__append_22 = plugins/ldap
+@USE_MYSQL_TRUE@am__append_23 = plugins/mysql
+@USE_SQLITE_TRUE@am__append_24 = plugins/sqlite
+@USE_PADLOCK_TRUE@am__append_25 = plugins/padlock
+@USE_OPENSSL_TRUE@am__append_26 = plugins/openssl
+@USE_GCRYPT_TRUE@am__append_27 = plugins/gcrypt
+@USE_AGENT_TRUE@am__append_28 = plugins/agent
+@USE_TEST_VECTORS_TRUE@am__append_29 = plugins/test_vectors
subdir = src/libstrongswan
DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -81,6 +84,7 @@ libLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(lib_LTLIBRARIES)
am__DEPENDENCIES_1 =
libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1)
am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \
@@ -123,51 +127,20 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \
utils/backtrace.h plugins/plugin_loader.c \
plugins/plugin_loader.h plugins/plugin.h \
utils/leak_detective.c utils/leak_detective.h \
- fips/fips_canister_start.c fips/fips.c fips/fips.h \
- fips/fips_canister_end.c
+ integrity_checker.c integrity_checker.h
@USE_LEAK_DETECTIVE_TRUE@am__objects_1 = leak_detective.lo
-@USE_INTEGRITY_TEST_FALSE@am_libstrongswan_la_OBJECTS = library.lo \
-@USE_INTEGRITY_TEST_FALSE@ chunk.lo debug.lo enum.lo \
-@USE_INTEGRITY_TEST_FALSE@ settings.lo printf_hook.lo asn1.lo \
-@USE_INTEGRITY_TEST_FALSE@ asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_FALSE@ crypter.lo hasher.lo pkcs9.lo \
-@USE_INTEGRITY_TEST_FALSE@ proposal_keywords.lo prf.lo rng.lo \
-@USE_INTEGRITY_TEST_FALSE@ prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_FALSE@ crypto_factory.lo crypto_tester.lo \
-@USE_INTEGRITY_TEST_FALSE@ diffie_hellman.lo transform.lo \
-@USE_INTEGRITY_TEST_FALSE@ credential_factory.lo builder.lo \
-@USE_INTEGRITY_TEST_FALSE@ private_key.lo public_key.lo \
-@USE_INTEGRITY_TEST_FALSE@ shared_key.lo certificate.lo x509.lo \
-@USE_INTEGRITY_TEST_FALSE@ crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_FALSE@ database_factory.lo \
-@USE_INTEGRITY_TEST_FALSE@ fetcher_manager.lo pgp.lo utils.lo \
-@USE_INTEGRITY_TEST_FALSE@ host.lo identification.lo \
-@USE_INTEGRITY_TEST_FALSE@ lexparser.lo linked_list.lo \
-@USE_INTEGRITY_TEST_FALSE@ hashtable.lo enumerator.lo \
-@USE_INTEGRITY_TEST_FALSE@ optionsfrom.lo mutex.lo backtrace.lo \
-@USE_INTEGRITY_TEST_FALSE@ plugin_loader.lo $(am__objects_1)
-@USE_INTEGRITY_TEST_TRUE@am_libstrongswan_la_OBJECTS = \
-@USE_INTEGRITY_TEST_TRUE@ fips_canister_start.lo fips.lo \
-@USE_INTEGRITY_TEST_TRUE@ library.lo chunk.lo debug.lo enum.lo \
-@USE_INTEGRITY_TEST_TRUE@ settings.lo printf_hook.lo asn1.lo \
-@USE_INTEGRITY_TEST_TRUE@ asn1_parser.lo oid.lo pem.lo \
-@USE_INTEGRITY_TEST_TRUE@ crypter.lo hasher.lo pkcs9.lo \
-@USE_INTEGRITY_TEST_TRUE@ proposal_keywords.lo prf.lo rng.lo \
-@USE_INTEGRITY_TEST_TRUE@ prf_plus.lo signer.lo \
-@USE_INTEGRITY_TEST_TRUE@ crypto_factory.lo crypto_tester.lo \
-@USE_INTEGRITY_TEST_TRUE@ diffie_hellman.lo transform.lo \
-@USE_INTEGRITY_TEST_TRUE@ credential_factory.lo builder.lo \
-@USE_INTEGRITY_TEST_TRUE@ private_key.lo public_key.lo \
-@USE_INTEGRITY_TEST_TRUE@ shared_key.lo certificate.lo x509.lo \
-@USE_INTEGRITY_TEST_TRUE@ crl.lo ocsp_response.lo \
-@USE_INTEGRITY_TEST_TRUE@ database_factory.lo \
-@USE_INTEGRITY_TEST_TRUE@ fetcher_manager.lo pgp.lo utils.lo \
-@USE_INTEGRITY_TEST_TRUE@ host.lo identification.lo \
-@USE_INTEGRITY_TEST_TRUE@ lexparser.lo linked_list.lo \
-@USE_INTEGRITY_TEST_TRUE@ hashtable.lo enumerator.lo \
-@USE_INTEGRITY_TEST_TRUE@ optionsfrom.lo mutex.lo backtrace.lo \
-@USE_INTEGRITY_TEST_TRUE@ plugin_loader.lo $(am__objects_1) \
-@USE_INTEGRITY_TEST_TRUE@ fips_canister_end.lo
+@USE_INTEGRITY_TEST_TRUE@am__objects_2 = integrity_checker.lo
+am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \
+ settings.lo printf_hook.lo asn1.lo asn1_parser.lo oid.lo \
+ pem.lo crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo \
+ prf.lo rng.lo prf_plus.lo signer.lo crypto_factory.lo \
+ crypto_tester.lo diffie_hellman.lo transform.lo \
+ credential_factory.lo builder.lo private_key.lo public_key.lo \
+ shared_key.lo certificate.lo x509.lo crl.lo ocsp_response.lo \
+ database_factory.lo fetcher_manager.lo pgp.lo utils.lo host.lo \
+ identification.lo lexparser.lo linked_list.lo hashtable.lo \
+ enumerator.lo optionsfrom.lo mutex.lo backtrace.lo \
+ plugin_loader.lo $(am__objects_1) $(am__objects_2)
libstrongswan_la_OBJECTS = $(am_libstrongswan_la_OBJECTS)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -199,15 +172,17 @@ DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \
plugins/gmp plugins/random plugins/hmac plugins/xcbc \
plugins/x509 plugins/pubkey plugins/curl plugins/ldap \
plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
- plugins/gcrypt plugins/agent plugins/test_vectors fips
+ plugins/gcrypt plugins/agent plugins/test_vectors
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -272,6 +247,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -312,7 +288,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -347,154 +325,52 @@ top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
lib_LTLIBRARIES = libstrongswan.la
-@USE_INTEGRITY_TEST_FALSE@libstrongswan_la_SOURCES = library.c \
-@USE_INTEGRITY_TEST_FALSE@ library.h chunk.c chunk.h debug.c \
-@USE_INTEGRITY_TEST_FALSE@ debug.h enum.c enum.h settings.h \
-@USE_INTEGRITY_TEST_FALSE@ settings.c printf_hook.c \
-@USE_INTEGRITY_TEST_FALSE@ printf_hook.h asn1/asn1.c \
-@USE_INTEGRITY_TEST_FALSE@ asn1/asn1.h asn1/asn1_parser.c \
-@USE_INTEGRITY_TEST_FALSE@ asn1/asn1_parser.h asn1/oid.c \
-@USE_INTEGRITY_TEST_FALSE@ asn1/oid.h asn1/pem.c asn1/pem.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypters/crypter.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/hashers/hasher.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/pkcs9.c crypto/pkcs9.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/proposal/proposal_keywords.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/prfs/prf.c crypto/prfs/prf.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/rngs/rng.c crypto/rngs/rng.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/prf_plus.h crypto/prf_plus.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_factory.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/crypto_tester.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/diffie_hellman.h \
-@USE_INTEGRITY_TEST_FALSE@ crypto/transform.c \
-@USE_INTEGRITY_TEST_FALSE@ crypto/transform.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/credential_factory.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/builder.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/builder.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/private_key.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/public_key.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/keys/shared_key.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/certificate.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/x509.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ac.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/crl.c \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_request.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.h \
-@USE_INTEGRITY_TEST_FALSE@ credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_FALSE@ database/database.h \
-@USE_INTEGRITY_TEST_FALSE@ database/database_factory.h \
-@USE_INTEGRITY_TEST_FALSE@ database/database_factory.c \
-@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_FALSE@ fetcher/fetcher_manager.c pgp/pgp.c \
-@USE_INTEGRITY_TEST_FALSE@ pgp/pgp.h utils.h utils.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/host.c utils/host.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/identification.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/identification.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/iterator.h utils/lexparser.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/lexparser.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/linked_list.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/hashtable.c utils/hashtable.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/enumerator.h \
-@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/mutex.h utils/backtrace.c \
-@USE_INTEGRITY_TEST_FALSE@ utils/backtrace.h \
-@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.c \
-@USE_INTEGRITY_TEST_FALSE@ plugins/plugin_loader.h \
-@USE_INTEGRITY_TEST_FALSE@ plugins/plugin.h $(am__append_2)
-@USE_INTEGRITY_TEST_TRUE@libstrongswan_la_SOURCES = \
-@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_start.c \
-@USE_INTEGRITY_TEST_TRUE@ fips/fips.c fips/fips.h library.c \
-@USE_INTEGRITY_TEST_TRUE@ library.h chunk.c chunk.h debug.c \
-@USE_INTEGRITY_TEST_TRUE@ debug.h enum.c enum.h settings.h \
-@USE_INTEGRITY_TEST_TRUE@ settings.c printf_hook.c \
-@USE_INTEGRITY_TEST_TRUE@ printf_hook.h asn1/asn1.c asn1/asn1.h \
-@USE_INTEGRITY_TEST_TRUE@ asn1/asn1_parser.c asn1/asn1_parser.h \
-@USE_INTEGRITY_TEST_TRUE@ asn1/oid.c asn1/oid.h asn1/pem.c \
-@USE_INTEGRITY_TEST_TRUE@ asn1/pem.h crypto/crypters/crypter.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypters/crypter.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/hashers/hasher.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/pkcs9.c crypto/pkcs9.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/proposal/proposal_keywords.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/prfs/prf.c crypto/prfs/prf.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/rngs/rng.c crypto/rngs/rng.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/prf_plus.h crypto/prf_plus.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/signers/signer.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_factory.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/crypto_tester.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.c \
-@USE_INTEGRITY_TEST_TRUE@ crypto/diffie_hellman.h \
-@USE_INTEGRITY_TEST_TRUE@ crypto/transform.c crypto/transform.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/credential_factory.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/builder.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/builder.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/private_key.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/public_key.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/keys/shared_key.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/certificate.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/x509.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ac.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/crl.c \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_request.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.h \
-@USE_INTEGRITY_TEST_TRUE@ credentials/certificates/ocsp_response.c \
-@USE_INTEGRITY_TEST_TRUE@ database/database.h \
-@USE_INTEGRITY_TEST_TRUE@ database/database_factory.h \
-@USE_INTEGRITY_TEST_TRUE@ database/database_factory.c \
-@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher.h \
-@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.h \
-@USE_INTEGRITY_TEST_TRUE@ fetcher/fetcher_manager.c pgp/pgp.c \
-@USE_INTEGRITY_TEST_TRUE@ pgp/pgp.h utils.h utils.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/host.c utils/host.h \
-@USE_INTEGRITY_TEST_TRUE@ utils/identification.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/identification.h \
-@USE_INTEGRITY_TEST_TRUE@ utils/iterator.h utils/lexparser.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/lexparser.h utils/linked_list.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/linked_list.h utils/hashtable.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/hashtable.h utils/enumerator.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/enumerator.h \
-@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/optionsfrom.h utils/mutex.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/mutex.h utils/backtrace.c \
-@USE_INTEGRITY_TEST_TRUE@ utils/backtrace.h \
-@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.c \
-@USE_INTEGRITY_TEST_TRUE@ plugins/plugin_loader.h \
-@USE_INTEGRITY_TEST_TRUE@ plugins/plugin.h $(am__append_2) \
-@USE_INTEGRITY_TEST_TRUE@ fips/fips_canister_end.c
-libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(am__append_4)
+libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \
+ debug.h enum.c enum.h settings.h settings.c printf_hook.c \
+ printf_hook.h asn1/asn1.c asn1/asn1.h asn1/asn1_parser.c \
+ asn1/asn1_parser.h asn1/oid.c asn1/oid.h asn1/pem.c asn1/pem.h \
+ crypto/crypters/crypter.c crypto/crypters/crypter.h \
+ crypto/hashers/hasher.h crypto/hashers/hasher.c crypto/pkcs9.c \
+ crypto/pkcs9.h crypto/proposal/proposal_keywords.c \
+ crypto/proposal/proposal_keywords.h crypto/prfs/prf.c \
+ crypto/prfs/prf.h crypto/rngs/rng.c crypto/rngs/rng.h \
+ crypto/prf_plus.h crypto/prf_plus.c crypto/signers/signer.c \
+ crypto/signers/signer.h crypto/crypto_factory.c \
+ crypto/crypto_factory.h crypto/crypto_tester.c \
+ crypto/crypto_tester.h crypto/diffie_hellman.c \
+ crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \
+ credentials/credential_factory.c \
+ credentials/credential_factory.h credentials/builder.c \
+ credentials/builder.h credentials/keys/private_key.c \
+ credentials/keys/private_key.h credentials/keys/public_key.c \
+ credentials/keys/public_key.h credentials/keys/shared_key.c \
+ credentials/keys/shared_key.h \
+ credentials/certificates/certificate.c \
+ credentials/certificates/certificate.h \
+ credentials/certificates/x509.h \
+ credentials/certificates/x509.c credentials/certificates/ac.h \
+ credentials/certificates/crl.h credentials/certificates/crl.c \
+ credentials/certificates/ocsp_request.h \
+ credentials/certificates/ocsp_response.h \
+ credentials/certificates/ocsp_response.c database/database.h \
+ database/database_factory.h database/database_factory.c \
+ fetcher/fetcher.h fetcher/fetcher_manager.h \
+ fetcher/fetcher_manager.c pgp/pgp.c pgp/pgp.h utils.h utils.c \
+ utils/host.c utils/host.h utils/identification.c \
+ utils/identification.h utils/iterator.h utils/lexparser.c \
+ utils/lexparser.h utils/linked_list.c utils/linked_list.h \
+ utils/hashtable.c utils/hashtable.h utils/enumerator.c \
+ utils/enumerator.h utils/optionsfrom.c utils/optionsfrom.h \
+ utils/mutex.c utils/mutex.h utils/backtrace.c \
+ utils/backtrace.h plugins/plugin_loader.c \
+ plugins/plugin_loader.h plugins/plugin.h $(am__append_2) \
+ $(am__append_5)
+libstrongswan_la_LIBADD = -lpthread $(DLLIB) $(BTLIB) $(SOCKLIB) \
+ $(am__append_6)
INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \
-DIPSEC_PLUGINDIR=\"${plugindir}\" $(am__append_1) \
- $(am__append_3)
+ $(am__append_3) $(am__append_4)
EXTRA_DIST = \
asn1/oid.txt asn1/oid.pl \
crypto/proposal/proposal_keywords.txt
@@ -510,14 +386,14 @@ $(srcdir)/crypto/proposal/proposal_keywords.c
# build plugins with their own Makefile
#######################################
-SUBDIRS = . $(am__append_5) $(am__append_6) $(am__append_7) \
- $(am__append_8) $(am__append_9) $(am__append_10) \
- $(am__append_11) $(am__append_12) $(am__append_13) \
- $(am__append_14) $(am__append_15) $(am__append_16) \
- $(am__append_17) $(am__append_18) $(am__append_19) \
- $(am__append_20) $(am__append_21) $(am__append_22) \
- $(am__append_23) $(am__append_24) $(am__append_25) \
- $(am__append_26) $(am__append_27) $(am__append_28)
+SUBDIRS = . $(am__append_7) $(am__append_8) $(am__append_9) \
+ $(am__append_10) $(am__append_11) $(am__append_12) \
+ $(am__append_13) $(am__append_14) $(am__append_15) \
+ $(am__append_16) $(am__append_17) $(am__append_18) \
+ $(am__append_19) $(am__append_20) $(am__append_21) \
+ $(am__append_22) $(am__append_23) $(am__append_24) \
+ $(am__append_25) $(am__append_26) $(am__append_27) \
+ $(am__append_28) $(am__append_29)
all: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) all-recursive
@@ -605,13 +481,11 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enum.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/enumerator.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetcher_manager.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_end.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fips_canister_start.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hasher.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hashtable.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/host.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@
@@ -932,27 +806,6 @@ leak_detective.lo: utils/leak_detective.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o leak_detective.lo `test -f 'utils/leak_detective.c' || echo '$(srcdir)/'`utils/leak_detective.c
-fips_canister_start.lo: fips/fips_canister_start.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_start.lo -MD -MP -MF $(DEPDIR)/fips_canister_start.Tpo -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_start.Tpo $(DEPDIR)/fips_canister_start.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_start.c' object='fips_canister_start.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_start.lo `test -f 'fips/fips_canister_start.c' || echo '$(srcdir)/'`fips/fips_canister_start.c
-
-fips.lo: fips/fips.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips.lo -MD -MP -MF $(DEPDIR)/fips.Tpo -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips.Tpo $(DEPDIR)/fips.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips.c' object='fips.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips.lo `test -f 'fips/fips.c' || echo '$(srcdir)/'`fips/fips.c
-
-fips_canister_end.lo: fips/fips_canister_end.c
-@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT fips_canister_end.lo -MD -MP -MF $(DEPDIR)/fips_canister_end.Tpo -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/fips_canister_end.Tpo $(DEPDIR)/fips_canister_end.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='fips/fips_canister_end.c' object='fips_canister_end.lo' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o fips_canister_end.lo `test -f 'fips/fips_canister_end.c' || echo '$(srcdir)/'`fips/fips_canister_end.c
-
mostlyclean-libtool:
-rm -f *.lo
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index d2078cbbc..ec46b165b 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -260,25 +260,32 @@ size_t asn1_length(chunk_t *blob)
u_char n;
size_t len;
- /* advance from tag field on to length field */
- blob->ptr++;
- blob->len--;
+ if (blob->len < 2)
+ {
+ DBG2("insufficient number of octets to parse ASN.1 length");
+ return ASN1_INVALID_LENGTH;
+ }
- /* read first octet of length field */
- n = *blob->ptr++;
- blob->len--;
+ /* read length field, skip tag and length */
+ n = blob->ptr[1];
+ *blob = chunk_skip(*blob, 2);
if ((n & 0x80) == 0)
- {/* single length octet */
+ { /* single length octet */
+ if (n > blob->len)
+ {
+ DBG2("length is larger than remaining blob size");
+ return ASN1_INVALID_LENGTH;
+ }
return n;
}
/* composite length, determine number of length octets */
n &= 0x7f;
- if (n > blob->len)
+ if (n == 0 || n > blob->len)
{
- DBG2("number of length octets is larger than ASN.1 object");
+ DBG2("number of length octets invalid");
return ASN1_INVALID_LENGTH;
}
@@ -304,6 +311,53 @@ size_t asn1_length(chunk_t *blob)
return len;
}
+/*
+ * See header.
+ */
+int asn1_unwrap(chunk_t *blob, chunk_t *inner)
+{
+ chunk_t res;
+ u_char len;
+ int type;
+
+ if (blob->len < 2)
+ {
+ return ASN1_INVALID;
+ }
+ type = blob->ptr[0];
+ len = blob->ptr[1];
+ *blob = chunk_skip(*blob, 2);
+
+ if ((len & 0x80) == 0)
+ { /* single length octet */
+ res.len = len;
+ }
+ else
+ { /* composite length, determine number of length octets */
+ len &= 0x7f;
+ if (len == 0 || len > sizeof(res.len))
+ {
+ return ASN1_INVALID;
+ }
+ res.len = 0;
+ while (len-- > 0)
+ {
+ res.len = 256 * res.len + blob->ptr[0];
+ *blob = chunk_skip(*blob, 1);
+ }
+ }
+ if (res.len > blob->len)
+ {
+ return ASN1_INVALID;
+ }
+ res.ptr = blob->ptr;
+ *blob = chunk_skip(*blob, res.len);
+ /* updating inner not before we are finished allows a caller to pass
+ * blob = inner */
+ *inner = res;
+ return type;
+}
+
#define TIME_MAX 0x7fffffff
static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 6a2b594c0..8072d62d6 100644
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -74,7 +74,9 @@ typedef enum {
ASN1_CONTEXT_C_2 = 0xA2,
ASN1_CONTEXT_C_3 = 0xA3,
ASN1_CONTEXT_C_4 = 0xA4,
- ASN1_CONTEXT_C_5 = 0xA5
+ ASN1_CONTEXT_C_5 = 0xA5,
+
+ ASN1_INVALID = 0x100,
} asn1_t;
#define ASN1_INVALID_LENGTH 0xffffffff
@@ -123,6 +125,15 @@ chunk_t asn1_build_known_oid(int n);
size_t asn1_length(chunk_t *blob);
/**
+ * Unwrap the inner content of an ASN.1 type/length wrapped object.
+ *
+ * @param blob blob to parse header from, moved behind parsed content
+ * @param content inner content
+ * @return parsed type, ASN1_INVALID if length parsing failed
+ */
+int asn1_unwrap(chunk_t *blob, chunk_t *content);
+
+/**
* Parses an ASN.1 algorithmIdentifier object
*
* @param blob ASN.1 coded blob
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 53657b514..391d65e89 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -62,7 +62,7 @@ const oid_t oid_names[] = {
{ 0x25, 50, 0, 2, "extendedKeyUsage" }, /* 49 */
{ 0x37, 51, 0, 2, "targetInformation" }, /* 50 */
{ 0x38, 0, 0, 2, "noRevAvail" }, /* 51 */
- {0x2A, 143, 1, 0, "" }, /* 52 */
+ {0x2A, 149, 1, 0, "" }, /* 52 */
{ 0x83, 65, 1, 1, "" }, /* 53 */
{ 0x08, 0, 1, 2, "jp" }, /* 54 */
{ 0x8C, 0, 1, 3, "" }, /* 55 */
@@ -77,7 +77,7 @@ const oid_t oid_names[] = {
{ 0x04, 0, 0, 10, "camellia256-cbc" }, /* 64 */
{ 0x86, 0, 1, 1, "" }, /* 65 */
{ 0x48, 0, 1, 2, "us" }, /* 66 */
- { 0x86, 107, 1, 3, "" }, /* 67 */
+ { 0x86, 108, 1, 3, "" }, /* 67 */
{ 0xF6, 73, 1, 4, "" }, /* 68 */
{ 0x7D, 0, 1, 5, "NortelNetworks" }, /* 69 */
{ 0x07, 0, 1, 6, "Entrust" }, /* 70 */
@@ -85,225 +85,231 @@ const oid_t oid_names[] = {
{ 0x00, 0, 0, 8, "entrustVersInfo" }, /* 72 */
{ 0xF7, 0, 1, 4, "" }, /* 73 */
{ 0x0D, 0, 1, 5, "RSADSI" }, /* 74 */
- { 0x01, 102, 1, 6, "PKCS" }, /* 75 */
- { 0x01, 84, 1, 7, "PKCS-1" }, /* 76 */
+ { 0x01, 103, 1, 6, "PKCS" }, /* 75 */
+ { 0x01, 85, 1, 7, "PKCS-1" }, /* 76 */
{ 0x01, 78, 0, 8, "rsaEncryption" }, /* 77 */
{ 0x02, 79, 0, 8, "md2WithRSAEncryption" }, /* 78 */
{ 0x04, 80, 0, 8, "md5WithRSAEncryption" }, /* 79 */
{ 0x05, 81, 0, 8, "sha-1WithRSAEncryption" }, /* 80 */
{ 0x0B, 82, 0, 8, "sha256WithRSAEncryption" }, /* 81 */
{ 0x0C, 83, 0, 8, "sha384WithRSAEncryption" }, /* 82 */
- { 0x0D, 0, 0, 8, "sha512WithRSAEncryption" }, /* 83 */
- { 0x07, 91, 1, 7, "PKCS-7" }, /* 84 */
- { 0x01, 86, 0, 8, "data" }, /* 85 */
- { 0x02, 87, 0, 8, "signedData" }, /* 86 */
- { 0x03, 88, 0, 8, "envelopedData" }, /* 87 */
- { 0x04, 89, 0, 8, "signedAndEnvelopedData" }, /* 88 */
- { 0x05, 90, 0, 8, "digestedData" }, /* 89 */
- { 0x06, 0, 0, 8, "encryptedData" }, /* 90 */
- { 0x09, 0, 1, 7, "PKCS-9" }, /* 91 */
- { 0x01, 93, 0, 8, "E" }, /* 92 */
- { 0x02, 94, 0, 8, "unstructuredName" }, /* 93 */
- { 0x03, 95, 0, 8, "contentType" }, /* 94 */
- { 0x04, 96, 0, 8, "messageDigest" }, /* 95 */
- { 0x05, 97, 0, 8, "signingTime" }, /* 96 */
- { 0x06, 98, 0, 8, "counterSignature" }, /* 97 */
- { 0x07, 99, 0, 8, "challengePassword" }, /* 98 */
- { 0x08, 100, 0, 8, "unstructuredAddress" }, /* 99 */
- { 0x0E, 101, 0, 8, "extensionRequest" }, /* 100 */
- { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 101 */
- { 0x02, 105, 1, 6, "digestAlgorithm" }, /* 102 */
- { 0x02, 104, 0, 7, "md2" }, /* 103 */
- { 0x05, 0, 0, 7, "md5" }, /* 104 */
- { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 105 */
- { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 106 */
- { 0xCE, 0, 1, 3, "" }, /* 107 */
- { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 108 */
- { 0x02, 111, 1, 5, "id-publicKeyType" }, /* 109 */
- { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 110 */
- { 0x03, 141, 1, 5, "ellipticCurve" }, /* 111 */
- { 0x00, 133, 1, 6, "c-TwoCurve" }, /* 112 */
- { 0x01, 114, 0, 7, "c2pnb163v1" }, /* 113 */
- { 0x02, 115, 0, 7, "c2pnb163v2" }, /* 114 */
- { 0x03, 116, 0, 7, "c2pnb163v3" }, /* 115 */
- { 0x04, 117, 0, 7, "c2pnb176w1" }, /* 116 */
- { 0x05, 118, 0, 7, "c2tnb191v1" }, /* 117 */
- { 0x06, 119, 0, 7, "c2tnb191v2" }, /* 118 */
- { 0x07, 120, 0, 7, "c2tnb191v3" }, /* 119 */
- { 0x08, 121, 0, 7, "c2onb191v4" }, /* 120 */
- { 0x09, 122, 0, 7, "c2onb191v5" }, /* 121 */
- { 0x0A, 123, 0, 7, "c2pnb208w1" }, /* 122 */
- { 0x0B, 124, 0, 7, "c2tnb239v1" }, /* 123 */
- { 0x0C, 125, 0, 7, "c2tnb239v2" }, /* 124 */
- { 0x0D, 126, 0, 7, "c2tnb239v3" }, /* 125 */
- { 0x0E, 127, 0, 7, "c2onb239v4" }, /* 126 */
- { 0x0F, 128, 0, 7, "c2onb239v5" }, /* 127 */
- { 0x10, 129, 0, 7, "c2pnb272w1" }, /* 128 */
- { 0x11, 130, 0, 7, "c2pnb304w1" }, /* 129 */
- { 0x12, 131, 0, 7, "c2tnb359v1" }, /* 130 */
- { 0x13, 132, 0, 7, "c2pnb368w1" }, /* 131 */
- { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 132 */
- { 0x01, 0, 1, 6, "primeCurve" }, /* 133 */
- { 0x01, 135, 0, 7, "prime192v1" }, /* 134 */
- { 0x02, 136, 0, 7, "prime192v2" }, /* 135 */
- { 0x03, 137, 0, 7, "prime192v3" }, /* 136 */
- { 0x04, 138, 0, 7, "prime239v1" }, /* 137 */
- { 0x05, 139, 0, 7, "prime239v2" }, /* 138 */
- { 0x06, 140, 0, 7, "prime239v3" }, /* 139 */
- { 0x07, 0, 0, 7, "prime256v1" }, /* 140 */
- { 0x04, 0, 1, 5, "id-ecSigType" }, /* 141 */
- { 0x01, 0, 0, 6, "ecdsa-with-SHA1" }, /* 142 */
- {0x2B, 243, 1, 0, "" }, /* 143 */
- { 0x06, 196, 1, 1, "dod" }, /* 144 */
- { 0x01, 0, 1, 2, "internet" }, /* 145 */
- { 0x04, 164, 1, 3, "private" }, /* 146 */
- { 0x01, 0, 1, 4, "enterprise" }, /* 147 */
- { 0x82, 157, 1, 5, "" }, /* 148 */
- { 0x37, 0, 1, 6, "Microsoft" }, /* 149 */
- { 0x0A, 154, 1, 7, "" }, /* 150 */
- { 0x03, 0, 1, 8, "" }, /* 151 */
- { 0x03, 153, 0, 9, "msSGC" }, /* 152 */
- { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 153 */
- { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 154 */
- { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 155 */
- { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 156 */
- { 0x89, 0, 1, 5, "" }, /* 157 */
- { 0x31, 0, 1, 6, "" }, /* 158 */
- { 0x01, 0, 1, 7, "" }, /* 159 */
- { 0x01, 0, 1, 8, "" }, /* 160 */
- { 0x02, 0, 1, 9, "" }, /* 161 */
- { 0x02, 163, 0, 10, "" }, /* 162 */
- { 0x4B, 0, 0, 10, "TCGID" }, /* 163 */
- { 0x05, 0, 1, 3, "security" }, /* 164 */
- { 0x05, 0, 1, 4, "mechanisms" }, /* 165 */
- { 0x07, 0, 1, 5, "id-pkix" }, /* 166 */
- { 0x01, 169, 1, 6, "id-pe" }, /* 167 */
- { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 168 */
- { 0x03, 179, 1, 6, "id-kp" }, /* 169 */
- { 0x01, 171, 0, 7, "serverAuth" }, /* 170 */
- { 0x02, 172, 0, 7, "clientAuth" }, /* 171 */
- { 0x03, 173, 0, 7, "codeSigning" }, /* 172 */
- { 0x04, 174, 0, 7, "emailProtection" }, /* 173 */
- { 0x05, 175, 0, 7, "ipsecEndSystem" }, /* 174 */
- { 0x06, 176, 0, 7, "ipsecTunnel" }, /* 175 */
- { 0x07, 177, 0, 7, "ipsecUser" }, /* 176 */
- { 0x08, 178, 0, 7, "timeStamping" }, /* 177 */
- { 0x09, 0, 0, 7, "ocspSigning" }, /* 178 */
- { 0x08, 181, 1, 6, "id-otherNames" }, /* 179 */
- { 0x05, 0, 0, 7, "xmppAddr" }, /* 180 */
- { 0x0A, 186, 1, 6, "id-aca" }, /* 181 */
- { 0x01, 183, 0, 7, "authenticationInfo" }, /* 182 */
- { 0x02, 184, 0, 7, "accessIdentity" }, /* 183 */
- { 0x03, 185, 0, 7, "chargingIdentity" }, /* 184 */
- { 0x04, 0, 0, 7, "group" }, /* 185 */
- { 0x30, 0, 1, 6, "id-ad" }, /* 186 */
- { 0x01, 195, 1, 7, "ocsp" }, /* 187 */
- { 0x01, 189, 0, 8, "basic" }, /* 188 */
- { 0x02, 190, 0, 8, "nonce" }, /* 189 */
- { 0x03, 191, 0, 8, "crl" }, /* 190 */
- { 0x04, 192, 0, 8, "response" }, /* 191 */
- { 0x05, 193, 0, 8, "noCheck" }, /* 192 */
- { 0x06, 194, 0, 8, "archiveCutoff" }, /* 193 */
- { 0x07, 0, 0, 8, "serviceLocator" }, /* 194 */
- { 0x02, 0, 0, 7, "caIssuers" }, /* 195 */
- { 0x0E, 202, 1, 1, "oiw" }, /* 196 */
- { 0x03, 0, 1, 2, "secsig" }, /* 197 */
- { 0x02, 0, 1, 3, "algorithms" }, /* 198 */
- { 0x07, 200, 0, 4, "des-cbc" }, /* 199 */
- { 0x1A, 201, 0, 4, "sha-1" }, /* 200 */
- { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 201 */
- { 0x24, 209, 1, 1, "TeleTrusT" }, /* 202 */
- { 0x03, 0, 1, 2, "algorithm" }, /* 203 */
- { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 204 */
- { 0x01, 0, 1, 4, "rsaSignature" }, /* 205 */
- { 0x02, 207, 0, 5, "rsaSigWithripemd160" }, /* 206 */
- { 0x03, 208, 0, 5, "rsaSigWithripemd128" }, /* 207 */
- { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 208 */
- { 0x81, 0, 1, 1, "" }, /* 209 */
- { 0x04, 0, 1, 2, "Certicom" }, /* 210 */
- { 0x00, 0, 1, 3, "curve" }, /* 211 */
- { 0x01, 213, 0, 4, "sect163k1" }, /* 212 */
- { 0x02, 214, 0, 4, "sect163r1" }, /* 213 */
- { 0x03, 215, 0, 4, "sect239k1" }, /* 214 */
- { 0x04, 216, 0, 4, "sect113r1" }, /* 215 */
- { 0x05, 217, 0, 4, "sect113r2" }, /* 216 */
- { 0x06, 218, 0, 4, "secp112r1" }, /* 217 */
- { 0x07, 219, 0, 4, "secp112r2" }, /* 218 */
- { 0x08, 220, 0, 4, "secp160r1" }, /* 219 */
- { 0x09, 221, 0, 4, "secp160k1" }, /* 220 */
- { 0x0A, 222, 0, 4, "secp256k1" }, /* 221 */
- { 0x0F, 223, 0, 4, "sect163r2" }, /* 222 */
- { 0x10, 224, 0, 4, "sect283k1" }, /* 223 */
- { 0x11, 225, 0, 4, "sect283r1" }, /* 224 */
- { 0x16, 226, 0, 4, "sect131r1" }, /* 225 */
- { 0x17, 227, 0, 4, "sect131r2" }, /* 226 */
- { 0x18, 228, 0, 4, "sect193r1" }, /* 227 */
- { 0x19, 229, 0, 4, "sect193r2" }, /* 228 */
- { 0x1A, 230, 0, 4, "sect233k1" }, /* 229 */
- { 0x1B, 231, 0, 4, "sect233r1" }, /* 230 */
- { 0x1C, 232, 0, 4, "secp128r1" }, /* 231 */
- { 0x1D, 233, 0, 4, "secp128r2" }, /* 232 */
- { 0x1E, 234, 0, 4, "secp160r2" }, /* 233 */
- { 0x1F, 235, 0, 4, "secp192k1" }, /* 234 */
- { 0x20, 236, 0, 4, "secp224k1" }, /* 235 */
- { 0x21, 237, 0, 4, "secp224r1" }, /* 236 */
- { 0x22, 238, 0, 4, "secp384r1" }, /* 237 */
- { 0x23, 239, 0, 4, "secp521r1" }, /* 238 */
- { 0x24, 240, 0, 4, "sect409k1" }, /* 239 */
- { 0x25, 241, 0, 4, "sect409r1" }, /* 240 */
- { 0x26, 242, 0, 4, "sect571k1" }, /* 241 */
- { 0x27, 0, 0, 4, "sect571r1" }, /* 242 */
- {0x60, 0, 1, 0, "" }, /* 243 */
- { 0x86, 0, 1, 1, "" }, /* 244 */
- { 0x48, 0, 1, 2, "" }, /* 245 */
- { 0x01, 289, 1, 3, "organization" }, /* 246 */
- { 0x65, 265, 1, 4, "gov" }, /* 247 */
- { 0x03, 0, 1, 5, "csor" }, /* 248 */
- { 0x04, 0, 1, 6, "nistalgorithm" }, /* 249 */
- { 0x01, 260, 1, 7, "aes" }, /* 250 */
- { 0x02, 252, 0, 8, "id-aes128-CBC" }, /* 251 */
- { 0x06, 253, 0, 8, "id-aes128-GCM" }, /* 252 */
- { 0x07, 254, 0, 8, "id-aes128-CCM" }, /* 253 */
- { 0x16, 255, 0, 8, "id-aes192-CBC" }, /* 254 */
- { 0x1A, 256, 0, 8, "id-aes192-GCM" }, /* 255 */
- { 0x1B, 257, 0, 8, "id-aes192-CCM" }, /* 256 */
- { 0x2A, 258, 0, 8, "id-aes256-CBC" }, /* 257 */
- { 0x2E, 259, 0, 8, "id-aes256-GCM" }, /* 258 */
- { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 259 */
- { 0x02, 0, 1, 7, "hashalgs" }, /* 260 */
- { 0x01, 262, 0, 8, "id-SHA-256" }, /* 261 */
- { 0x02, 263, 0, 8, "id-SHA-384" }, /* 262 */
- { 0x03, 264, 0, 8, "id-SHA-512" }, /* 263 */
- { 0x04, 0, 0, 8, "id-SHA-224" }, /* 264 */
- { 0x86, 0, 1, 4, "" }, /* 265 */
- { 0xf8, 0, 1, 5, "" }, /* 266 */
- { 0x42, 279, 1, 6, "netscape" }, /* 267 */
- { 0x01, 274, 1, 7, "" }, /* 268 */
- { 0x01, 270, 0, 8, "nsCertType" }, /* 269 */
- { 0x03, 271, 0, 8, "nsRevocationUrl" }, /* 270 */
- { 0x04, 272, 0, 8, "nsCaRevocationUrl" }, /* 271 */
- { 0x08, 273, 0, 8, "nsCaPolicyUrl" }, /* 272 */
- { 0x0d, 0, 0, 8, "nsComment" }, /* 273 */
- { 0x03, 277, 1, 7, "directory" }, /* 274 */
- { 0x01, 0, 1, 8, "" }, /* 275 */
- { 0x03, 0, 0, 9, "employeeNumber" }, /* 276 */
- { 0x04, 0, 1, 7, "policy" }, /* 277 */
- { 0x01, 0, 0, 8, "nsSGC" }, /* 278 */
- { 0x45, 0, 1, 6, "verisign" }, /* 279 */
- { 0x01, 0, 1, 7, "pki" }, /* 280 */
- { 0x09, 0, 1, 8, "attributes" }, /* 281 */
- { 0x02, 283, 0, 9, "messageType" }, /* 282 */
- { 0x03, 284, 0, 9, "pkiStatus" }, /* 283 */
- { 0x04, 285, 0, 9, "failInfo" }, /* 284 */
- { 0x05, 286, 0, 9, "senderNonce" }, /* 285 */
- { 0x06, 287, 0, 9, "recipientNonce" }, /* 286 */
- { 0x07, 288, 0, 9, "transID" }, /* 287 */
- { 0x08, 0, 0, 9, "extensionReq" }, /* 288 */
- { 0x86, 0, 1, 3, "old-netscape" }, /* 289 */
- { 0xF7, 0, 1, 4, "" }, /* 290 */
- { 0x0D, 0, 1, 5, "" }, /* 291 */
- { 0x01, 0, 1, 6, "" }, /* 292 */
- { 0x09, 0, 1, 7, "" }, /* 293 */
- { 0x01, 295, 0, 8, "emailAddress" }, /* 294 */
- { 0x02, 0, 0, 8, "unstructuredName" } /* 295 */
+ { 0x0D, 84, 0, 8, "sha512WithRSAEncryption" }, /* 83 */
+ { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 84 */
+ { 0x07, 92, 1, 7, "PKCS-7" }, /* 85 */
+ { 0x01, 87, 0, 8, "data" }, /* 86 */
+ { 0x02, 88, 0, 8, "signedData" }, /* 87 */
+ { 0x03, 89, 0, 8, "envelopedData" }, /* 88 */
+ { 0x04, 90, 0, 8, "signedAndEnvelopedData" }, /* 89 */
+ { 0x05, 91, 0, 8, "digestedData" }, /* 90 */
+ { 0x06, 0, 0, 8, "encryptedData" }, /* 91 */
+ { 0x09, 0, 1, 7, "PKCS-9" }, /* 92 */
+ { 0x01, 94, 0, 8, "E" }, /* 93 */
+ { 0x02, 95, 0, 8, "unstructuredName" }, /* 94 */
+ { 0x03, 96, 0, 8, "contentType" }, /* 95 */
+ { 0x04, 97, 0, 8, "messageDigest" }, /* 96 */
+ { 0x05, 98, 0, 8, "signingTime" }, /* 97 */
+ { 0x06, 99, 0, 8, "counterSignature" }, /* 98 */
+ { 0x07, 100, 0, 8, "challengePassword" }, /* 99 */
+ { 0x08, 101, 0, 8, "unstructuredAddress" }, /* 100 */
+ { 0x0E, 102, 0, 8, "extensionRequest" }, /* 101 */
+ { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 102 */
+ { 0x02, 106, 1, 6, "digestAlgorithm" }, /* 103 */
+ { 0x02, 105, 0, 7, "md2" }, /* 104 */
+ { 0x05, 0, 0, 7, "md5" }, /* 105 */
+ { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 106 */
+ { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 107 */
+ { 0xCE, 0, 1, 3, "" }, /* 108 */
+ { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 109 */
+ { 0x02, 112, 1, 5, "id-publicKeyType" }, /* 110 */
+ { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 111 */
+ { 0x03, 142, 1, 5, "ellipticCurve" }, /* 112 */
+ { 0x00, 134, 1, 6, "c-TwoCurve" }, /* 113 */
+ { 0x01, 115, 0, 7, "c2pnb163v1" }, /* 114 */
+ { 0x02, 116, 0, 7, "c2pnb163v2" }, /* 115 */
+ { 0x03, 117, 0, 7, "c2pnb163v3" }, /* 116 */
+ { 0x04, 118, 0, 7, "c2pnb176w1" }, /* 117 */
+ { 0x05, 119, 0, 7, "c2tnb191v1" }, /* 118 */
+ { 0x06, 120, 0, 7, "c2tnb191v2" }, /* 119 */
+ { 0x07, 121, 0, 7, "c2tnb191v3" }, /* 120 */
+ { 0x08, 122, 0, 7, "c2onb191v4" }, /* 121 */
+ { 0x09, 123, 0, 7, "c2onb191v5" }, /* 122 */
+ { 0x0A, 124, 0, 7, "c2pnb208w1" }, /* 123 */
+ { 0x0B, 125, 0, 7, "c2tnb239v1" }, /* 124 */
+ { 0x0C, 126, 0, 7, "c2tnb239v2" }, /* 125 */
+ { 0x0D, 127, 0, 7, "c2tnb239v3" }, /* 126 */
+ { 0x0E, 128, 0, 7, "c2onb239v4" }, /* 127 */
+ { 0x0F, 129, 0, 7, "c2onb239v5" }, /* 128 */
+ { 0x10, 130, 0, 7, "c2pnb272w1" }, /* 129 */
+ { 0x11, 131, 0, 7, "c2pnb304w1" }, /* 130 */
+ { 0x12, 132, 0, 7, "c2tnb359v1" }, /* 131 */
+ { 0x13, 133, 0, 7, "c2pnb368w1" }, /* 132 */
+ { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 133 */
+ { 0x01, 0, 1, 6, "primeCurve" }, /* 134 */
+ { 0x01, 136, 0, 7, "prime192v1" }, /* 135 */
+ { 0x02, 137, 0, 7, "prime192v2" }, /* 136 */
+ { 0x03, 138, 0, 7, "prime192v3" }, /* 137 */
+ { 0x04, 139, 0, 7, "prime239v1" }, /* 138 */
+ { 0x05, 140, 0, 7, "prime239v2" }, /* 139 */
+ { 0x06, 141, 0, 7, "prime239v3" }, /* 140 */
+ { 0x07, 0, 0, 7, "prime256v1" }, /* 141 */
+ { 0x04, 0, 1, 5, "id-ecSigType" }, /* 142 */
+ { 0x01, 144, 0, 6, "ecdsa-with-SHA1" }, /* 143 */
+ { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 144 */
+ { 0x01, 146, 0, 7, "ecdsa-with-SHA224" }, /* 145 */
+ { 0x02, 147, 0, 7, "ecdsa-with-SHA256" }, /* 146 */
+ { 0x03, 148, 0, 7, "ecdsa-with-SHA384" }, /* 147 */
+ { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 148 */
+ {0x2B, 249, 1, 0, "" }, /* 149 */
+ { 0x06, 202, 1, 1, "dod" }, /* 150 */
+ { 0x01, 0, 1, 2, "internet" }, /* 151 */
+ { 0x04, 170, 1, 3, "private" }, /* 152 */
+ { 0x01, 0, 1, 4, "enterprise" }, /* 153 */
+ { 0x82, 163, 1, 5, "" }, /* 154 */
+ { 0x37, 0, 1, 6, "Microsoft" }, /* 155 */
+ { 0x0A, 160, 1, 7, "" }, /* 156 */
+ { 0x03, 0, 1, 8, "" }, /* 157 */
+ { 0x03, 159, 0, 9, "msSGC" }, /* 158 */
+ { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 159 */
+ { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 160 */
+ { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 161 */
+ { 0x02, 0, 0, 9, "msSmartcardLogon" }, /* 162 */
+ { 0x89, 0, 1, 5, "" }, /* 163 */
+ { 0x31, 0, 1, 6, "" }, /* 164 */
+ { 0x01, 0, 1, 7, "" }, /* 165 */
+ { 0x01, 0, 1, 8, "" }, /* 166 */
+ { 0x02, 0, 1, 9, "" }, /* 167 */
+ { 0x02, 169, 0, 10, "" }, /* 168 */
+ { 0x4B, 0, 0, 10, "TCGID" }, /* 169 */
+ { 0x05, 0, 1, 3, "security" }, /* 170 */
+ { 0x05, 0, 1, 4, "mechanisms" }, /* 171 */
+ { 0x07, 0, 1, 5, "id-pkix" }, /* 172 */
+ { 0x01, 175, 1, 6, "id-pe" }, /* 173 */
+ { 0x01, 0, 0, 7, "authorityInfoAccess" }, /* 174 */
+ { 0x03, 185, 1, 6, "id-kp" }, /* 175 */
+ { 0x01, 177, 0, 7, "serverAuth" }, /* 176 */
+ { 0x02, 178, 0, 7, "clientAuth" }, /* 177 */
+ { 0x03, 179, 0, 7, "codeSigning" }, /* 178 */
+ { 0x04, 180, 0, 7, "emailProtection" }, /* 179 */
+ { 0x05, 181, 0, 7, "ipsecEndSystem" }, /* 180 */
+ { 0x06, 182, 0, 7, "ipsecTunnel" }, /* 181 */
+ { 0x07, 183, 0, 7, "ipsecUser" }, /* 182 */
+ { 0x08, 184, 0, 7, "timeStamping" }, /* 183 */
+ { 0x09, 0, 0, 7, "ocspSigning" }, /* 184 */
+ { 0x08, 187, 1, 6, "id-otherNames" }, /* 185 */
+ { 0x05, 0, 0, 7, "xmppAddr" }, /* 186 */
+ { 0x0A, 192, 1, 6, "id-aca" }, /* 187 */
+ { 0x01, 189, 0, 7, "authenticationInfo" }, /* 188 */
+ { 0x02, 190, 0, 7, "accessIdentity" }, /* 189 */
+ { 0x03, 191, 0, 7, "chargingIdentity" }, /* 190 */
+ { 0x04, 0, 0, 7, "group" }, /* 191 */
+ { 0x30, 0, 1, 6, "id-ad" }, /* 192 */
+ { 0x01, 201, 1, 7, "ocsp" }, /* 193 */
+ { 0x01, 195, 0, 8, "basic" }, /* 194 */
+ { 0x02, 196, 0, 8, "nonce" }, /* 195 */
+ { 0x03, 197, 0, 8, "crl" }, /* 196 */
+ { 0x04, 198, 0, 8, "response" }, /* 197 */
+ { 0x05, 199, 0, 8, "noCheck" }, /* 198 */
+ { 0x06, 200, 0, 8, "archiveCutoff" }, /* 199 */
+ { 0x07, 0, 0, 8, "serviceLocator" }, /* 200 */
+ { 0x02, 0, 0, 7, "caIssuers" }, /* 201 */
+ { 0x0E, 208, 1, 1, "oiw" }, /* 202 */
+ { 0x03, 0, 1, 2, "secsig" }, /* 203 */
+ { 0x02, 0, 1, 3, "algorithms" }, /* 204 */
+ { 0x07, 206, 0, 4, "des-cbc" }, /* 205 */
+ { 0x1A, 207, 0, 4, "sha-1" }, /* 206 */
+ { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 207 */
+ { 0x24, 215, 1, 1, "TeleTrusT" }, /* 208 */
+ { 0x03, 0, 1, 2, "algorithm" }, /* 209 */
+ { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 210 */
+ { 0x01, 0, 1, 4, "rsaSignature" }, /* 211 */
+ { 0x02, 213, 0, 5, "rsaSigWithripemd160" }, /* 212 */
+ { 0x03, 214, 0, 5, "rsaSigWithripemd128" }, /* 213 */
+ { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 214 */
+ { 0x81, 0, 1, 1, "" }, /* 215 */
+ { 0x04, 0, 1, 2, "Certicom" }, /* 216 */
+ { 0x00, 0, 1, 3, "curve" }, /* 217 */
+ { 0x01, 219, 0, 4, "sect163k1" }, /* 218 */
+ { 0x02, 220, 0, 4, "sect163r1" }, /* 219 */
+ { 0x03, 221, 0, 4, "sect239k1" }, /* 220 */
+ { 0x04, 222, 0, 4, "sect113r1" }, /* 221 */
+ { 0x05, 223, 0, 4, "sect113r2" }, /* 222 */
+ { 0x06, 224, 0, 4, "secp112r1" }, /* 223 */
+ { 0x07, 225, 0, 4, "secp112r2" }, /* 224 */
+ { 0x08, 226, 0, 4, "secp160r1" }, /* 225 */
+ { 0x09, 227, 0, 4, "secp160k1" }, /* 226 */
+ { 0x0A, 228, 0, 4, "secp256k1" }, /* 227 */
+ { 0x0F, 229, 0, 4, "sect163r2" }, /* 228 */
+ { 0x10, 230, 0, 4, "sect283k1" }, /* 229 */
+ { 0x11, 231, 0, 4, "sect283r1" }, /* 230 */
+ { 0x16, 232, 0, 4, "sect131r1" }, /* 231 */
+ { 0x17, 233, 0, 4, "sect131r2" }, /* 232 */
+ { 0x18, 234, 0, 4, "sect193r1" }, /* 233 */
+ { 0x19, 235, 0, 4, "sect193r2" }, /* 234 */
+ { 0x1A, 236, 0, 4, "sect233k1" }, /* 235 */
+ { 0x1B, 237, 0, 4, "sect233r1" }, /* 236 */
+ { 0x1C, 238, 0, 4, "secp128r1" }, /* 237 */
+ { 0x1D, 239, 0, 4, "secp128r2" }, /* 238 */
+ { 0x1E, 240, 0, 4, "secp160r2" }, /* 239 */
+ { 0x1F, 241, 0, 4, "secp192k1" }, /* 240 */
+ { 0x20, 242, 0, 4, "secp224k1" }, /* 241 */
+ { 0x21, 243, 0, 4, "secp224r1" }, /* 242 */
+ { 0x22, 244, 0, 4, "secp384r1" }, /* 243 */
+ { 0x23, 245, 0, 4, "secp521r1" }, /* 244 */
+ { 0x24, 246, 0, 4, "sect409k1" }, /* 245 */
+ { 0x25, 247, 0, 4, "sect409r1" }, /* 246 */
+ { 0x26, 248, 0, 4, "sect571k1" }, /* 247 */
+ { 0x27, 0, 0, 4, "sect571r1" }, /* 248 */
+ {0x60, 0, 1, 0, "" }, /* 249 */
+ { 0x86, 0, 1, 1, "" }, /* 250 */
+ { 0x48, 0, 1, 2, "" }, /* 251 */
+ { 0x01, 295, 1, 3, "organization" }, /* 252 */
+ { 0x65, 271, 1, 4, "gov" }, /* 253 */
+ { 0x03, 0, 1, 5, "csor" }, /* 254 */
+ { 0x04, 0, 1, 6, "nistalgorithm" }, /* 255 */
+ { 0x01, 266, 1, 7, "aes" }, /* 256 */
+ { 0x02, 258, 0, 8, "id-aes128-CBC" }, /* 257 */
+ { 0x06, 259, 0, 8, "id-aes128-GCM" }, /* 258 */
+ { 0x07, 260, 0, 8, "id-aes128-CCM" }, /* 259 */
+ { 0x16, 261, 0, 8, "id-aes192-CBC" }, /* 260 */
+ { 0x1A, 262, 0, 8, "id-aes192-GCM" }, /* 261 */
+ { 0x1B, 263, 0, 8, "id-aes192-CCM" }, /* 262 */
+ { 0x2A, 264, 0, 8, "id-aes256-CBC" }, /* 263 */
+ { 0x2E, 265, 0, 8, "id-aes256-GCM" }, /* 264 */
+ { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 265 */
+ { 0x02, 0, 1, 7, "hashalgs" }, /* 266 */
+ { 0x01, 268, 0, 8, "id-SHA-256" }, /* 267 */
+ { 0x02, 269, 0, 8, "id-SHA-384" }, /* 268 */
+ { 0x03, 270, 0, 8, "id-SHA-512" }, /* 269 */
+ { 0x04, 0, 0, 8, "id-SHA-224" }, /* 270 */
+ { 0x86, 0, 1, 4, "" }, /* 271 */
+ { 0xf8, 0, 1, 5, "" }, /* 272 */
+ { 0x42, 285, 1, 6, "netscape" }, /* 273 */
+ { 0x01, 280, 1, 7, "" }, /* 274 */
+ { 0x01, 276, 0, 8, "nsCertType" }, /* 275 */
+ { 0x03, 277, 0, 8, "nsRevocationUrl" }, /* 276 */
+ { 0x04, 278, 0, 8, "nsCaRevocationUrl" }, /* 277 */
+ { 0x08, 279, 0, 8, "nsCaPolicyUrl" }, /* 278 */
+ { 0x0d, 0, 0, 8, "nsComment" }, /* 279 */
+ { 0x03, 283, 1, 7, "directory" }, /* 280 */
+ { 0x01, 0, 1, 8, "" }, /* 281 */
+ { 0x03, 0, 0, 9, "employeeNumber" }, /* 282 */
+ { 0x04, 0, 1, 7, "policy" }, /* 283 */
+ { 0x01, 0, 0, 8, "nsSGC" }, /* 284 */
+ { 0x45, 0, 1, 6, "verisign" }, /* 285 */
+ { 0x01, 0, 1, 7, "pki" }, /* 286 */
+ { 0x09, 0, 1, 8, "attributes" }, /* 287 */
+ { 0x02, 289, 0, 9, "messageType" }, /* 288 */
+ { 0x03, 290, 0, 9, "pkiStatus" }, /* 289 */
+ { 0x04, 291, 0, 9, "failInfo" }, /* 290 */
+ { 0x05, 292, 0, 9, "senderNonce" }, /* 291 */
+ { 0x06, 293, 0, 9, "recipientNonce" }, /* 292 */
+ { 0x07, 294, 0, 9, "transID" }, /* 293 */
+ { 0x08, 0, 0, 9, "extensionReq" }, /* 294 */
+ { 0x86, 0, 1, 3, "old-netscape" }, /* 295 */
+ { 0xF7, 0, 1, 4, "" }, /* 296 */
+ { 0x0D, 0, 1, 5, "" }, /* 297 */
+ { 0x01, 0, 1, 6, "" }, /* 298 */
+ { 0x09, 0, 1, 7, "" }, /* 299 */
+ { 0x01, 301, 0, 8, "emailAddress" }, /* 300 */
+ { 0x02, 0, 0, 8, "unstructuredName" } /* 301 */
};
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 477789b62..b7241af8d 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -60,126 +60,131 @@ extern const oid_t oid_names[];
#define OID_SHA256_WITH_RSA 81
#define OID_SHA384_WITH_RSA 82
#define OID_SHA512_WITH_RSA 83
-#define OID_PKCS7_DATA 85
-#define OID_PKCS7_SIGNED_DATA 86
-#define OID_PKCS7_ENVELOPED_DATA 87
-#define OID_PKCS7_SIGNED_ENVELOPED_DATA 88
-#define OID_PKCS7_DIGESTED_DATA 89
-#define OID_PKCS7_ENCRYPTED_DATA 90
-#define OID_PKCS9_EMAIL 92
-#define OID_PKCS9_CONTENT_TYPE 94
-#define OID_PKCS9_MESSAGE_DIGEST 95
-#define OID_PKCS9_SIGNING_TIME 96
-#define OID_MD2 103
-#define OID_MD5 104
-#define OID_3DES_EDE_CBC 106
-#define OID_EC_PUBLICKEY 110
-#define OID_C2PNB163V1 113
-#define OID_C2PNB163V2 114
-#define OID_C2PNB163V3 115
-#define OID_C2PNB176W1 116
-#define OID_C2PNB191V1 117
-#define OID_C2PNB191V2 118
-#define OID_C2PNB191V3 119
-#define OID_C2PNB191V4 120
-#define OID_C2PNB191V5 121
-#define OID_C2PNB208W1 122
-#define OID_C2PNB239V1 123
-#define OID_C2PNB239V2 124
-#define OID_C2PNB239V3 125
-#define OID_C2PNB239V4 126
-#define OID_C2PNB239V5 127
-#define OID_C2PNB272W1 128
-#define OID_C2PNB304W1 129
-#define OID_C2PNB359V1 130
-#define OID_C2PNB368W1 131
-#define OID_C2PNB431R1 132
-#define OID_PRIME192V1 134
-#define OID_PRIME192V2 135
-#define OID_PRIME192V3 136
-#define OID_PRIME239V1 137
-#define OID_PRIME239V2 138
-#define OID_PRIME239V3 139
-#define OID_PRIME256V1 140
-#define OID_ECDSA_WITH_SHA1 142
-#define OID_TCGID 163
-#define OID_AUTHORITY_INFO_ACCESS 168
-#define OID_OCSP_SIGNING 178
-#define OID_XMPP_ADDR 180
-#define OID_AUTHENTICATION_INFO 182
-#define OID_ACCESS_IDENTITY 183
-#define OID_CHARGING_IDENTITY 184
-#define OID_GROUP 185
-#define OID_OCSP 187
-#define OID_BASIC 188
-#define OID_NONCE 189
-#define OID_CRL 190
-#define OID_RESPONSE 191
-#define OID_NO_CHECK 192
-#define OID_ARCHIVE_CUTOFF 193
-#define OID_SERVICE_LOCATOR 194
-#define OID_CA_ISSUERS 195
-#define OID_DES_CBC 199
-#define OID_SHA1 200
-#define OID_SHA1_WITH_RSA_OIW 201
-#define OID_SECT163K1 212
-#define OID_SECT163R1 213
-#define OID_SECT239K1 214
-#define OID_SECT113R1 215
-#define OID_SECT113R2 216
-#define OID_SECT112R1 217
-#define OID_SECT112R2 218
-#define OID_SECT160R1 219
-#define OID_SECT160K1 220
-#define OID_SECT256K1 221
-#define OID_SECT163R2 222
-#define OID_SECT283K1 223
-#define OID_SECT283R1 224
-#define OID_SECT131R1 225
-#define OID_SECT131R2 226
-#define OID_SECT193R1 227
-#define OID_SECT193R2 228
-#define OID_SECT233K1 229
-#define OID_SECT233R1 230
-#define OID_SECT128R1 231
-#define OID_SECT128R2 232
-#define OID_SECT160R2 233
-#define OID_SECT192K1 234
-#define OID_SECT224K1 235
-#define OID_SECT224R1 236
-#define OID_SECT384R1 237
-#define OID_SECT521R1 238
-#define OID_SECT409K1 239
-#define OID_SECT409R1 240
-#define OID_SECT571K1 241
-#define OID_SECT571R1 242
-#define OID_AES128_CBC 251
-#define OID_AES128_GCM 252
-#define OID_AES128_CCM 253
-#define OID_AES192_CBC 254
-#define OID_AES192_GCM 255
-#define OID_AES192_CCM 256
-#define OID_AES256_CBC 257
-#define OID_AES256_GCM 258
-#define OID_AES256_CCM 259
-#define OID_SHA256 261
-#define OID_SHA384 262
-#define OID_SHA512 263
-#define OID_SHA224 264
-#define OID_NS_REVOCATION_URL 270
-#define OID_NS_CA_REVOCATION_URL 271
-#define OID_NS_CA_POLICY_URL 272
-#define OID_NS_COMMENT 273
-#define OID_EMPLOYEE_NUMBER 276
-#define OID_PKI_MESSAGE_TYPE 282
-#define OID_PKI_STATUS 283
-#define OID_PKI_FAIL_INFO 284
-#define OID_PKI_SENDER_NONCE 285
-#define OID_PKI_RECIPIENT_NONCE 286
-#define OID_PKI_TRANS_ID 287
-#define OID_EMAIL_ADDRESS 294
-#define OID_UNSTRUCTURED_NAME 295
+#define OID_SHA224_WITH_RSA 84
+#define OID_PKCS7_DATA 86
+#define OID_PKCS7_SIGNED_DATA 87
+#define OID_PKCS7_ENVELOPED_DATA 88
+#define OID_PKCS7_SIGNED_ENVELOPED_DATA 89
+#define OID_PKCS7_DIGESTED_DATA 90
+#define OID_PKCS7_ENCRYPTED_DATA 91
+#define OID_PKCS9_EMAIL 93
+#define OID_PKCS9_CONTENT_TYPE 95
+#define OID_PKCS9_MESSAGE_DIGEST 96
+#define OID_PKCS9_SIGNING_TIME 97
+#define OID_MD2 104
+#define OID_MD5 105
+#define OID_3DES_EDE_CBC 107
+#define OID_EC_PUBLICKEY 111
+#define OID_C2PNB163V1 114
+#define OID_C2PNB163V2 115
+#define OID_C2PNB163V3 116
+#define OID_C2PNB176W1 117
+#define OID_C2PNB191V1 118
+#define OID_C2PNB191V2 119
+#define OID_C2PNB191V3 120
+#define OID_C2PNB191V4 121
+#define OID_C2PNB191V5 122
+#define OID_C2PNB208W1 123
+#define OID_C2PNB239V1 124
+#define OID_C2PNB239V2 125
+#define OID_C2PNB239V3 126
+#define OID_C2PNB239V4 127
+#define OID_C2PNB239V5 128
+#define OID_C2PNB272W1 129
+#define OID_C2PNB304W1 130
+#define OID_C2PNB359V1 131
+#define OID_C2PNB368W1 132
+#define OID_C2PNB431R1 133
+#define OID_PRIME192V1 135
+#define OID_PRIME192V2 136
+#define OID_PRIME192V3 137
+#define OID_PRIME239V1 138
+#define OID_PRIME239V2 139
+#define OID_PRIME239V3 140
+#define OID_PRIME256V1 141
+#define OID_ECDSA_WITH_SHA1 143
+#define OID_ECDSA_WITH_SHA224 145
+#define OID_ECDSA_WITH_SHA256 146
+#define OID_ECDSA_WITH_SHA384 147
+#define OID_ECDSA_WITH_SHA512 148
+#define OID_TCGID 169
+#define OID_AUTHORITY_INFO_ACCESS 174
+#define OID_OCSP_SIGNING 184
+#define OID_XMPP_ADDR 186
+#define OID_AUTHENTICATION_INFO 188
+#define OID_ACCESS_IDENTITY 189
+#define OID_CHARGING_IDENTITY 190
+#define OID_GROUP 191
+#define OID_OCSP 193
+#define OID_BASIC 194
+#define OID_NONCE 195
+#define OID_CRL 196
+#define OID_RESPONSE 197
+#define OID_NO_CHECK 198
+#define OID_ARCHIVE_CUTOFF 199
+#define OID_SERVICE_LOCATOR 200
+#define OID_CA_ISSUERS 201
+#define OID_DES_CBC 205
+#define OID_SHA1 206
+#define OID_SHA1_WITH_RSA_OIW 207
+#define OID_SECT163K1 218
+#define OID_SECT163R1 219
+#define OID_SECT239K1 220
+#define OID_SECT113R1 221
+#define OID_SECT113R2 222
+#define OID_SECT112R1 223
+#define OID_SECT112R2 224
+#define OID_SECT160R1 225
+#define OID_SECT160K1 226
+#define OID_SECT256K1 227
+#define OID_SECT163R2 228
+#define OID_SECT283K1 229
+#define OID_SECT283R1 230
+#define OID_SECT131R1 231
+#define OID_SECT131R2 232
+#define OID_SECT193R1 233
+#define OID_SECT193R2 234
+#define OID_SECT233K1 235
+#define OID_SECT233R1 236
+#define OID_SECT128R1 237
+#define OID_SECT128R2 238
+#define OID_SECT160R2 239
+#define OID_SECT192K1 240
+#define OID_SECT224K1 241
+#define OID_SECT224R1 242
+#define OID_SECT384R1 243
+#define OID_SECT521R1 244
+#define OID_SECT409K1 245
+#define OID_SECT409R1 246
+#define OID_SECT571K1 247
+#define OID_SECT571R1 248
+#define OID_AES128_CBC 257
+#define OID_AES128_GCM 258
+#define OID_AES128_CCM 259
+#define OID_AES192_CBC 260
+#define OID_AES192_GCM 261
+#define OID_AES192_CCM 262
+#define OID_AES256_CBC 263
+#define OID_AES256_GCM 264
+#define OID_AES256_CCM 265
+#define OID_SHA256 267
+#define OID_SHA384 268
+#define OID_SHA512 269
+#define OID_SHA224 270
+#define OID_NS_REVOCATION_URL 276
+#define OID_NS_CA_REVOCATION_URL 277
+#define OID_NS_CA_POLICY_URL 278
+#define OID_NS_COMMENT 279
+#define OID_EMPLOYEE_NUMBER 282
+#define OID_PKI_MESSAGE_TYPE 288
+#define OID_PKI_STATUS 289
+#define OID_PKI_FAIL_INFO 290
+#define OID_PKI_SENDER_NONCE 291
+#define OID_PKI_RECIPIENT_NONCE 292
+#define OID_PKI_TRANS_ID 293
+#define OID_EMAIL_ADDRESS 300
+#define OID_UNSTRUCTURED_NAME 301
-#define OID_MAX 296
+#define OID_MAX 302
#endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 1514f179f..5adca6289 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -82,6 +82,7 @@
0x0B "sha256WithRSAEncryption" OID_SHA256_WITH_RSA
0x0C "sha384WithRSAEncryption" OID_SHA384_WITH_RSA
0x0D "sha512WithRSAEncryption" OID_SHA512_WITH_RSA
+ 0x0E "sha224WithRSAEncryption" OID_SHA224_WITH_RSA
0x07 "PKCS-7"
0x01 "data" OID_PKCS7_DATA
0x02 "signedData" OID_PKCS7_SIGNED_DATA
@@ -141,6 +142,11 @@
0x07 "prime256v1" OID_PRIME256V1
0x04 "id-ecSigType"
0x01 "ecdsa-with-SHA1" OID_ECDSA_WITH_SHA1
+ 0x03 "ecdsa-with-Specified"
+ 0x01 "ecdsa-with-SHA224" OID_ECDSA_WITH_SHA224
+ 0x02 "ecdsa-with-SHA256" OID_ECDSA_WITH_SHA256
+ 0x03 "ecdsa-with-SHA384" OID_ECDSA_WITH_SHA384
+ 0x04 "ecdsa-with-SHA512" OID_ECDSA_WITH_SHA512
0x2B ""
0x06 "dod"
0x01 "internet"
diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c
index c9c181f87..40a93e21a 100644
--- a/src/libstrongswan/chunk.c
+++ b/src/libstrongswan/chunk.c
@@ -19,6 +19,7 @@
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
+#include <ctype.h>
#include "chunk.h"
@@ -442,6 +443,32 @@ int chunk_compare(chunk_t a, chunk_t b)
};
/**
+ * Remove non-printable characters from a chunk.
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace)
+{
+ bool printable = TRUE;
+ int i;
+
+ if (sane)
+ {
+ *sane = chunk_clone(chunk);
+ }
+ for (i = 0; i < chunk.len; i++)
+ {
+ if (!isprint(chunk.ptr[i]))
+ {
+ if (sane)
+ {
+ sane->ptr[i] = replace;
+ }
+ printable = FALSE;
+ }
+ }
+ return printable;
+}
+
+/**
* Described in header.
*
* The implementation is based on Paul Hsieh's SuperFastHash:
diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h
index 3d8c360c5..66c3f26a2 100644
--- a/src/libstrongswan/chunk.h
+++ b/src/libstrongswan/chunk.h
@@ -26,6 +26,9 @@
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
+#ifdef HAVE_ALLOCA_H
+#include <alloca.h>
+#endif
typedef struct chunk_t chunk_t;
@@ -83,8 +86,9 @@ chunk_t chunk_create_cat(u_char *ptr, const char* mode, ...);
void chunk_split(chunk_t chunk, const char *mode, ...);
/**
- * Write the binary contents of a chunk_t to a file
- *
+ * Write the binary contents of a chunk_t to a file
+ *
+ * @param chunk contents to write to file
* @param path path where file is written to
* @param label label specifying file type
* @param mask file mode creation mask
@@ -99,6 +103,7 @@ bool chunk_write(chunk_t chunk, char *path, char *label, mode_t mask, bool force
* The resulting string is '\\0' terminated, but the chunk does not include
* the '\\0'. If buf is supplied, it must hold at least (chunk.len * 2 + 1).
*
+ * @param chunk data to convert to hex encoding
* @param buf buffer to write to, NULL to malloc
* @param uppercase TRUE to use uppercase letters
* @return chunk of encoded data
@@ -232,6 +237,19 @@ static inline bool chunk_equals(chunk_t a, chunk_t b)
}
/**
+ * Check if a chunk has printable characters only.
+ *
+ * If sane is given, chunk is cloned into sane and all non printable characters
+ * get replaced by "replace".
+ *
+ * @param chunk chunk to check for printability
+ * @param sane pointer where sane version is allocated, or NULL
+ * @param replace character to use for replaceing unprintable characters
+ * @return TRUE if all characters in chunk are printable
+ */
+bool chunk_printable(chunk_t chunk, chunk_t *sane, char replace);
+
+/**
* Computes a 32 bit hash of the given chunk.
* Note: This hash is only intended for hash tables not for cryptographic purposes.
*/
diff --git a/src/libstrongswan/credentials/credential_factory.c b/src/libstrongswan/credentials/credential_factory.c
index 2e9a541d4..e55df0398 100644
--- a/src/libstrongswan/credentials/credential_factory.c
+++ b/src/libstrongswan/credentials/credential_factory.c
@@ -234,7 +234,7 @@ credential_factory_t *credential_factory_create()
this->constructors = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index c94c27f0a..a5f547038 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -28,6 +28,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521,
"RSA_EMSA_PKCS1_NULL",
"RSA_EMSA_PKCS1_MD5",
"RSA_EMSA_PKCS1_SHA1",
+ "RSA_EMSA_PKCS1_SHA224",
"RSA_EMSA_PKCS1_SHA256",
"RSA_EMSA_PKCS1_SHA384",
"RSA_EMSA_PKCS1_SHA512",
@@ -51,6 +52,9 @@ signature_scheme_t signature_scheme_from_oid(int oid)
case OID_SHA1_WITH_RSA:
case OID_SHA1:
return SIGN_RSA_EMSA_PKCS1_SHA1;
+ case OID_SHA224_WITH_RSA:
+ case OID_SHA224:
+ return SIGN_RSA_EMSA_PKCS1_SHA224;
case OID_SHA256_WITH_RSA:
case OID_SHA256:
return SIGN_RSA_EMSA_PKCS1_SHA256;
@@ -63,6 +67,12 @@ signature_scheme_t signature_scheme_from_oid(int oid)
case OID_ECDSA_WITH_SHA1:
case OID_EC_PUBLICKEY:
return SIGN_ECDSA_WITH_SHA1;
+ case OID_ECDSA_WITH_SHA256:
+ return SIGN_ECDSA_256;
+ case OID_ECDSA_WITH_SHA384:
+ return SIGN_ECDSA_384;
+ case OID_ECDSA_WITH_SHA512:
+ return SIGN_ECDSA_521;
default:
return SIGN_UNKNOWN;
}
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index c58531b73..be5f3bde6 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -66,6 +66,8 @@ enum signature_scheme_t {
SIGN_RSA_EMSA_PKCS1_MD5,
/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-1 */
SIGN_RSA_EMSA_PKCS1_SHA1,
+ /** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-224 */
+ SIGN_RSA_EMSA_PKCS1_SHA224,
/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-256 */
SIGN_RSA_EMSA_PKCS1_SHA256,
/** EMSA-PKCS1_v1.5 signature as in PKCS#1 using RSA and SHA-384 */
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c
index fea8d0793..e928e8cdf 100644
--- a/src/libstrongswan/crypto/crypto_factory.c
+++ b/src/libstrongswan/crypto/crypto_factory.c
@@ -746,7 +746,7 @@ crypto_factory_t *crypto_factory_create()
this->prfs = linked_list_create();
this->rngs = linked_list_create();
this->dhs = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
this->tester = crypto_tester_create();
this->test_on_add = lib->settings->get_bool(lib->settings,
"libstrongswan.crypto_test.on_add", FALSE);
diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c
index b0b5aa969..4d13474a1 100644
--- a/src/libstrongswan/crypto/crypto_tester.c
+++ b/src/libstrongswan/crypto/crypto_tester.c
@@ -136,7 +136,7 @@ static bool test_crypter(private_crypto_tester_t *this,
crypter->destroy(crypter);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
encryption_algorithm_names, alg, tested);
break;
}
@@ -151,7 +151,7 @@ static bool test_crypter(private_crypto_tester_t *this,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
encryption_algorithm_names, alg, tested);
}
return !failed;
@@ -240,7 +240,7 @@ static bool test_signer(private_crypto_tester_t *this,
signer->destroy(signer);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
integrity_algorithm_names, alg, tested);
break;
}
@@ -255,7 +255,7 @@ static bool test_signer(private_crypto_tester_t *this,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
integrity_algorithm_names, alg, tested);
}
return !failed;
@@ -330,8 +330,8 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
hasher->destroy(hasher);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
- hash_algorithm_names, alg), tested;
+ DBG1("disabled %N: test vector %u failed",
+ hash_algorithm_names, alg, tested);
break;
}
}
@@ -345,7 +345,7 @@ static bool test_hasher(private_crypto_tester_t *this, hash_algorithm_t alg,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
hash_algorithm_names, alg, tested);
}
return !failed;
@@ -431,7 +431,7 @@ static bool test_prf(private_crypto_tester_t *this,
prf->destroy(prf);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
pseudo_random_function_names, alg, tested);
break;
}
@@ -446,7 +446,7 @@ static bool test_prf(private_crypto_tester_t *this,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
pseudo_random_function_names, alg, tested);
}
return !failed;
@@ -515,7 +515,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
rng->destroy(rng);
if (failed)
{
- DBG1("disabled %N: test vector %d failed",
+ DBG1("disabled %N: test vector %u failed",
rng_quality_names, quality, tested);
break;
}
@@ -530,7 +530,7 @@ static bool test_rng(private_crypto_tester_t *this, rng_quality_t quality,
}
if (!failed)
{
- DBG1("enabled %N: successfully passed %d test vectors",
+ DBG1("enabled %N: passed %u test vectors",
rng_quality_names, quality, tested);
}
return !failed;
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index c58c2ad42..4d6904e47 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -26,6 +26,7 @@ ENUM(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA512,
"HASH_MD4",
"HASH_MD5",
"HASH_SHA1",
+ "HASH_SHA224",
"HASH_SHA256",
"HASH_SHA384",
"HASH_SHA512"
@@ -47,6 +48,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
case OID_SHA1:
case OID_SHA1_WITH_RSA:
return HASH_SHA1;
+ case OID_SHA224:
+ case OID_SHA224_WITH_RSA:
+ return HASH_SHA224;
case OID_SHA256:
case OID_SHA256_WITH_RSA:
return HASH_SHA256;
@@ -79,6 +83,9 @@ int hasher_algorithm_to_oid(hash_algorithm_t alg)
case HASH_SHA1:
oid = OID_SHA1;
break;
+ case HASH_SHA224:
+ oid = OID_SHA224;
+ break;
case HASH_SHA256:
oid = OID_SHA256;
break;
@@ -112,6 +119,9 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg)
case HASH_SHA1:
oid = OID_SHA1_WITH_RSA;
break;
+ case HASH_SHA224:
+ oid = OID_SHA224_WITH_RSA;
+ break;
case HASH_SHA256:
oid = OID_SHA256_WITH_RSA;
break;
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 098739fa3..6deed37ab 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -40,15 +40,17 @@ enum hash_algorithm_t {
HASH_MD4 = 3,
HASH_MD5 = 4,
HASH_SHA1 = 5,
- HASH_SHA256 = 6,
- HASH_SHA384 = 7,
- HASH_SHA512 = 8
+ HASH_SHA224 = 6,
+ HASH_SHA256 = 7,
+ HASH_SHA384 = 8,
+ HASH_SHA512 = 9
};
#define HASH_SIZE_MD2 16
#define HASH_SIZE_MD4 16
#define HASH_SIZE_MD5 16
#define HASH_SIZE_SHA1 20
+#define HASH_SIZE_SHA224 28
#define HASH_SIZE_SHA256 32
#define HASH_SIZE_SHA384 48
#define HASH_SIZE_SHA512 64
diff --git a/src/libstrongswan/database/database_factory.c b/src/libstrongswan/database/database_factory.c
index 76e0a4e89..ef6927874 100644
--- a/src/libstrongswan/database/database_factory.c
+++ b/src/libstrongswan/database/database_factory.c
@@ -110,7 +110,7 @@ database_factory_t *database_factory_create()
this->public.destroy = (void(*)(database_factory_t*))destroy;
this->databases = linked_list_create();
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c
index a30012bb1..1f87412c8 100644
--- a/src/libstrongswan/fetcher/fetcher_manager.c
+++ b/src/libstrongswan/fetcher/fetcher_manager.c
@@ -201,7 +201,7 @@ fetcher_manager_t *fetcher_manager_create()
this->public.destroy = (void(*)(fetcher_manager_t*))destroy;
this->fetchers = linked_list_create();
- this->lock = rwlock_create(RWLOCK_DEFAULT);
+ this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
return &this->public;
}
diff --git a/src/libstrongswan/fips/Makefile.am b/src/libstrongswan/fips/Makefile.am
deleted file mode 100644
index 22a35701b..000000000
--- a/src/libstrongswan/fips/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-noinst_PROGRAMS = fips_signer
-fips_signer_SOURCES = fips_signer.c
-fips_signer_LDADD = ../libstrongswan.la
-
-BUILT_SOURCES = fips_signature.h
-CLEANFILES = fips_signature.h fips_signer
-INCLUDES = -I$(top_srcdir)/src/libstrongswan
-AM_CFLAGS = -DSTRONGSWAN_CONF=\"${strongswan_conf}\" \
- -DPLUGINDIR=\"${top_srcdir}/src/libstrongswan/plugins\"
-if USE_SHA1
- AM_CFLAGS += -DUSE_SHA1
-endif
-
-if USE_OPENSSL
- AM_CFLAGS += -DUSE_OPENSSL
-endif
-
-fips_signature.h : fips_signer
- ./fips_signer
diff --git a/src/libstrongswan/fips/fips.c b/src/libstrongswan/fips/fips.c
deleted file mode 100644
index d2296e5e9..000000000
--- a/src/libstrongswan/fips/fips.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <debug.h>
-#include <crypto/signers/signer.h>
-#include "fips.h"
-
-extern const u_char FIPS_rodata_start[];
-extern const u_char FIPS_rodata_end[];
-extern const void *FIPS_text_start();
-extern const void *FIPS_text_end();
-
-/**
- * Described in header
- */
-bool fips_compute_hmac_signature(const char *key, char *signature)
-{
- u_char *text_start = (u_char *)FIPS_text_start();
- u_char *text_end = (u_char *)FIPS_text_end();
- size_t text_len, rodata_len;
- signer_t *signer;
-
- if (text_start > text_end)
- {
- DBG1(" TEXT start (%p) > TEXT end (%p",
- text_start, text_end);
- return FALSE;
- }
- text_len = text_end - text_start;
- DBG1(" TEXT: %p + %6d = %p",
- text_start, (int)text_len, text_end);
-
- if (FIPS_rodata_start > FIPS_rodata_end)
- {
- DBG1(" RODATA start (%p) > RODATA end (%p",
- FIPS_rodata_start, FIPS_rodata_end);
- return FALSE;
- }
- rodata_len = FIPS_rodata_end - FIPS_rodata_start;
- DBG1(" RODATA: %p + %6d = %p",
- FIPS_rodata_start, (int)rodata_len, FIPS_rodata_end);
-
- signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128);
- if (signer == NULL)
- {
- DBG1(" SHA-1 HMAC signer could not be created");
- return FALSE;
- }
- else
- {
- chunk_t hmac_key = { (u_char *)key, strlen(key) };
- chunk_t text_chunk = { text_start, text_len };
- chunk_t rodata_chunk = { (u_char *)FIPS_rodata_start, rodata_len };
- chunk_t signature_chunk = chunk_empty;
-
- signer->set_key(signer, hmac_key);
- signer->allocate_signature(signer, text_chunk, NULL);
- signer->allocate_signature(signer, rodata_chunk, &signature_chunk);
- signer->destroy(signer);
-
- sprintf(signature, "%#B", &signature_chunk);
- DBG1(" SHA-1 HMAC key: %s", key);
- DBG1(" SHA-1 HMAC sig: %s", signature);
- free(signature_chunk.ptr);
- return TRUE;
- }
-}
-
-/**
- * Described in header
- */
-bool fips_verify_hmac_signature(const char *key,
- const char *signature)
-{
- char current_signature[BUF_LEN];
-
- if (!fips_compute_hmac_signature(key, current_signature))
- {
- return FALSE;
- }
- return streq(signature, current_signature);
-}
diff --git a/src/libstrongswan/fips/fips.h b/src/libstrongswan/fips/fips.h
deleted file mode 100644
index aae18e3b2..000000000
--- a/src/libstrongswan/fips/fips.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup fips1 fips
- * @{ @ingroup fips
- */
-
-#ifndef FIPS_H_
-#define FIPS_H_
-
-#include <library.h>
-
-/**
- * compute HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key key used for HMAC signature in ASCII string format
- * @param signature HMAC signature in HEX string format
- * @return TRUE if HMAC signature computation was successful
- */
-bool fips_compute_hmac_signature(const char *key, char *signature);
-
-/**
- * verify HMAC signature over RODATA and TEXT sections of libstrongswan
- *
- * @param key key used for HMAC signature in ASCII string format
- * @param signature signature value from fips_signature.h in HEX string format
- * @return TRUE if signatures agree
- */
-bool fips_verify_hmac_signature(const char *key, const char *signature);
-
-#endif /** FIPS_H_ @}*/
diff --git a/src/libstrongswan/fips/fips_canister_end.c b/src/libstrongswan/fips/fips_canister_end.c
deleted file mode 100644
index 247d48927..000000000
--- a/src/libstrongswan/fips/fips_canister_end.c
+++ /dev/null
@@ -1,166 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \
- (defined(__sgi) && (defined(__mips) || defined(mips))) || \
- (defined(__osf__) && defined(__alpha)) || \
- (defined(__linux) && (defined(__arm) || defined(__arm__))) || \
- (defined(__i386) || defined(__i386__)) || \
- (defined(__x86_64) || defined(__x86_64__)) || \
- (defined(vax) || defined(__vax__))
-# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-#define FIPS_ref_point FIPS_text_end
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_end[]=
- { 0x46495053, 0x5f726f64, 0x6174615f, 0x656e645b };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
- void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif defined(__GNUC__) && __GNUC__>=2
-# if defined(__alpha) || defined(__alpha__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) );
-# elif defined(__i386) || defined(__i386__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif defined(__ia64) || defined(__ia64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "mov %0=ip" : "=r"(ret) );
-# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif defined(__mips) || defined(__mips__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "move %1,$31\n\t" /* save ra */
- "bal .+8; nop\n\t"
- "move %0,$31\n\t"
- "move $31,%1" /* restore ra */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
- defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
- defined(__PPC64__) || defined(__powerpc64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mfspr %1,8\n\t" /* save lr */
- "bl .+4\n\t"
- "mfspr %0,8\n\t" /* mflr ret */
- "mtspr 8,%1" /* restore lr */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mov %%o7,%1\n\t"
- "call .+8; nop\n\t"
- "mov %%o7,%0\n\t"
- "mov %1,%%o7"
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__x86_64) || defined(__x86_64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif defined(__DECC) && defined(__alpha)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif defined(_MSC_VER) && defined(_M_IX86)
-# undef INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- _asm {
- call self
- self: pop eax
- mov scratch,eax
- }
- ret = (void *)((size_t)scratch&~3UL);
-#endif
- return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif defined(_AIX)
- struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_HPUX_SOURCE)
-# if defined(__hppa) || defined(__hppa__)
- struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
- if (sizeof(p) == 8) /* 64-bit */
- return p->i[2];
- else if ((size_t)p & 2)
- { p = (void *)((size_t)p&~3UL);
- return p->i[0];
- }
- else
- return (void *)p;
-# elif defined(__ia64) || defined(__ia64__)
- struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-# endif
-#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
- /* applies to both alpha and ia64 */
- struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-#elif defined(__VOS__)
- /* applies to both pa-risc and ia32 */
- struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_WIN32)
-# if defined(_WIN64) && defined(_M_IA64)
- struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
- return p->ip;
-# else
- return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */
-#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
- return (void *)instruction_pointer;
-#else
- return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_canister_start.c b/src/libstrongswan/fips/fips_canister_start.c
deleted file mode 100644
index 4a5528a94..000000000
--- a/src/libstrongswan/fips/fips_canister_start.c
+++ /dev/null
@@ -1,167 +0,0 @@
-/* ====================================================================
- * Copyright (c) 2005 The OpenSSL Project. Rights for redistribution
- * and usage in source and binary forms are granted according to the
- * OpenSSL license.
- */
-
-#include <stdio.h>
-#if defined(__DECC)
-# include <c_asm.h>
-# pragma __nostandard
-#endif
-
-#if !defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
-# if (defined(__sun) && (defined(__sparc) || defined(__sparcv9))) || \
- (defined(__sgi) && (defined(__mips) || defined(mips))) || \
- (defined(__osf__) && defined(__alpha)) || \
- (defined(__linux) && (defined(__arm) || defined(__arm__))) || \
- (defined(__i386) || defined(__i386__)) || \
- (defined(__x86_64) || defined(__x86_64__)) || \
- (defined(vax) || defined(__vax__))
-# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
-# endif
-#endif
-
-
-#define FIPS_ref_point FIPS_text_start
-/* Some compilers put string literals into a separate segment. As we
- * are mostly interested to hash AES tables in .rodata, we declare
- * reference points accordingly. In case you wonder, the values are
- * big-endian encoded variable names, just to prevent these arrays
- * from being merged by linker. */
-const unsigned int FIPS_rodata_start[]=
- { 0x46495053, 0x5f726f64, 0x6174615f, 0x73746172 };
-
-
-/*
- * I declare reference function as static in order to avoid certain
- * pitfalls in -dynamic linker behaviour...
- */
-static void *instruction_pointer(void)
-{
- void *ret = NULL;
-
-/* These are ABI-neutral CPU-specific snippets. ABI-neutrality means
- * that they are designed to work under any OS running on particular
- * CPU, which is why you don't find any #ifdef THIS_OR_THAT_OS in
- * this function. */
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- INSTRUCTION_POINTER_IMPLEMENTED(ret);
-#elif defined(__GNUC__) && __GNUC__>=2
-# if defined(__alpha) || defined(__alpha__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "br %0,1f\n1:" : "=r"(ret) );
-# elif defined(__i386) || defined(__i386__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "call 1f\n1: popl %0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# elif defined(__ia64) || defined(__ia64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "mov %0=ip" : "=r"(ret) );
-# elif defined(__hppa) || defined(__hppa__) || defined(__pa_risc)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "blr %%r0,%0\n\tnop" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* mask privilege level */
-# elif defined(__mips) || defined(__mips__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "move %1,$31\n\t" /* save ra */
- "bal .+8; nop\n\t"
- "move %0,$31\n\t"
- "move $31,%1" /* restore ra */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
- defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
- defined(__PPC64__) || defined(__powerpc64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mfspr %1,8\n\t" /* save lr */
- "bl .+4\n\t"
- "mfspr %0,8\n\t" /* mflr ret */
- "mtspr 8,%1" /* restore lr */
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- __asm __volatile ( "mov %%o7,%1\n\t"
- "call .+8; nop\n\t"
- "mov %%o7,%0\n\t"
- "mov %1,%%o7"
- : "=r"(ret),"=r"(scratch) );
-# elif defined(__x86_64) || defined(__x86_64__)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- __asm __volatile ( "leaq 0(%%rip),%0" : "=r"(ret) );
- ret = (void *)((size_t)ret&~3UL); /* align for better performance */
-# endif
-#elif defined(__DECC) && defined(__alpha)
-# define INSTRUCTION_POINTER_IMPLEMENTED
- ret = (void *)(size_t)asm("br %v0,1f\n1:");
-#elif defined(_MSC_VER) && defined(_M_IX86)
-# undef INSTRUCTION_POINTER_IMPLEMENTED
- void *scratch;
- _asm {
- call self
- self: pop eax
- mov scratch,eax
- }
- ret = (void *)((size_t)scratch&~3UL);
-#endif
- return ret;
-}
-
-/*
- * This function returns pointer to an instruction in the vicinity of
- * its entry point, but not outside this object module. This guarantees
- * that sequestered code is covered...
- */
-void *FIPS_ref_point()
-{
-#if defined(INSTRUCTION_POINTER_IMPLEMENTED)
- return instruction_pointer();
-/* Below we essentially cover vendor compilers which do not support
- * inline assembler... */
-#elif defined(_AIX)
- struct { void *ip,*gp,*env; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_HPUX_SOURCE)
-# if defined(__hppa) || defined(__hppa__)
- struct { void *i[4]; } *p = (void *)FIPS_ref_point;
-
- if (sizeof(p) == 8) /* 64-bit */
- return p->i[2];
- else if ((size_t)p & 2)
- { p = (void *)((size_t)p&~3UL);
- return p->i[0];
- }
- else
- return (void *)p;
-# elif defined(__ia64) || defined(__ia64__)
- struct { unsigned long long ip,gp; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-# endif
-#elif (defined(__VMS) || defined(VMS)) && !(defined(vax) || defined(__vax__))
- /* applies to both alpha and ia64 */
- struct { unsigned __int64 opaque,ip; } *p=(void *)instruction_pointer;
- return (void *)(size_t)p->ip;
-#elif defined(__VOS__)
- /* applies to both pa-risc and ia32 */
- struct { void *dp,*ip,*gp; } *p = (void *)instruction_pointer;
- return p->ip;
-#elif defined(_WIN32)
-# if defined(_WIN64) && defined(_M_IA64)
- struct { void *ip,*gp; } *p = (void *)FIPS_ref_point;
- return p->ip;
-# else
- return (void *)FIPS_ref_point;
-# endif
-/*
- * In case you wonder why there is no #ifdef __linux. All Linux targets
- * are GCC-based and therefore are covered by instruction_pointer above
- * [well, some are covered by by the one below]...
- */
-#elif defined(POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION)
- return (void *)instruction_pointer;
-#else
- return NULL;
-#endif
-}
diff --git a/src/libstrongswan/fips/fips_signer.c b/src/libstrongswan/fips/fips_signer.c
deleted file mode 100644
index 6f5fdcecf..000000000
--- a/src/libstrongswan/fips/fips_signer.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2007 Bruno Krieg, Daniel Wydler
- * Hochschule fuer Technik Rapperswil, Switzerland
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include <crypto/hashers/hasher.h>
-#include "fips.h"
-
-int main(int argc, char* argv[])
-{
- FILE *f;
- char *hmac_key = "strongSwan Version " VERSION;
- char hmac_signature[BUF_LEN];
-
- /* initialize library */
- library_init(STRONGSWAN_CONF);
-#ifdef USE_SHA1
- lib->plugins->load(lib->plugins, PLUGINDIR "/sha1/.libs", "sha1");
-#endif
-#ifdef USE_OPENSSL
- lib->plugins->load(lib->plugins, PLUGINDIR "/openssl/.libs", "openssl");
-#endif
- lib->plugins->load(lib->plugins, PLUGINDIR "/hmac/.libs", "hmac");
-
- if (!fips_compute_hmac_signature(hmac_key, hmac_signature))
- {
- exit(1);
- }
-
- /**
- * write computed HMAC signature to fips_signature.h
- */
- f = fopen("fips_signature.h", "wt");
-
- if (f == NULL)
- {
- exit(1);
- }
- fprintf(f, "/* SHA-1 HMAC signature computed over TEXT and RODATA of libstrongswan\n");
- fprintf(f, " *\n");
- fprintf(f, " * This file has been automatically generated by fips_signer\n");
- fprintf(f, " * Do not edit manually!\n");
- fprintf(f, " */\n");
- fprintf(f, "\n");
- fprintf(f, "#ifndef FIPS_SIGNATURE_H_\n");
- fprintf(f, "#define FIPS_SIGNATURE_H_\n");
- fprintf(f, "\n");
- fprintf(f, "const char *hmac_key = \"%s\";\n", hmac_key);
- fprintf(f, "const char *hmac_signature = \"%s\";\n", hmac_signature);
- fprintf(f, "\n");
- fprintf(f, "#endif /* FIPS_SIGNATURE_H_ @} */\n");
- fclose(f);
-
- library_deinit();
- exit(0);
-}
diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c
new file mode 100644
index 000000000..32a296d79
--- /dev/null
+++ b/src/libstrongswan/integrity_checker.c
@@ -0,0 +1,332 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+
+#include "integrity_checker.h"
+
+#include <dlfcn.h>
+#include <link.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <debug.h>
+#include <library.h>
+
+typedef struct private_integrity_checker_t private_integrity_checker_t;
+
+/**
+ * Private data of an integrity_checker_t object.
+ */
+struct private_integrity_checker_t {
+
+ /**
+ * Public integrity_checker_t interface.
+ */
+ integrity_checker_t public;
+
+ /**
+ * dlopen handle to checksum library
+ */
+ void *handle;
+
+ /**
+ * checksum array
+ */
+ integrity_checksum_t *checksums;
+
+ /**
+ * number of checksums in array
+ */
+ int checksum_count;
+};
+
+/**
+ * Implementation of integrity_checker_t.build_file
+ */
+static u_int32_t build_file(private_integrity_checker_t *this, char *file,
+ size_t *len)
+{
+ u_int32_t checksum;
+ chunk_t contents;
+ struct stat sb;
+ void *addr;
+ int fd;
+
+ fd = open(file, O_RDONLY);
+ if (fd == -1)
+ {
+ DBG1(" opening '%s' failed: %s", file, strerror(errno));
+ return 0;
+ }
+
+ if (fstat(fd, &sb) == -1)
+ {
+ DBG1(" getting file size of '%s' failed: %s", file, strerror(errno));
+ close(fd);
+ return 0;
+ }
+
+ addr = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (addr == MAP_FAILED)
+ {
+ DBG1(" mapping '%s' failed: %s", file, strerror(errno));
+ close(fd);
+ return 0;
+ }
+
+ *len = sb.st_size;
+ contents = chunk_create(addr, sb.st_size);
+ checksum = chunk_hash(contents);
+
+ munmap(addr, sb.st_size);
+ close(fd);
+
+ return checksum;
+}
+
+/**
+ * dl_iterate_phdr callback function
+ */
+static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli)
+{
+ /* We are looking for the dlpi_addr matching the address of our dladdr().
+ * dl_iterate_phdr() returns such an address for other (unknown) objects
+ * in very rare cases (e.g. in a chrooted gentoo, but only if
+ * the checksum_builder is invoked by 'make'). As a workaround, we filter
+ * objects by dlpi_name; valid objects have a library name.
+ */
+ if (dli->dli_fbase == (void*)dlpi->dlpi_addr &&
+ dlpi->dlpi_name && *dlpi->dlpi_name)
+ {
+ int i;
+
+ for (i = 0; i < dlpi->dlpi_phnum; i++)
+ {
+ const ElfW(Phdr) *sgmt = &dlpi->dlpi_phdr[i];
+
+ /* we are interested in the executable LOAD segment */
+ if (sgmt->p_type == PT_LOAD && (sgmt->p_flags & PF_X))
+ {
+ /* safe begin of segment in dli_fbase */
+ dli->dli_fbase = (void*)sgmt->p_vaddr + dlpi->dlpi_addr;
+ /* safe end of segment in dli_saddr */
+ dli->dli_saddr = dli->dli_fbase + sgmt->p_memsz;
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
+/**
+ * Implementation of integrity_checker_t.build_segment
+ */
+static u_int32_t build_segment(private_integrity_checker_t *this, void *sym,
+ size_t *len)
+{
+ chunk_t segment;
+ Dl_info dli;
+
+ if (dladdr(sym, &dli) == 0)
+ {
+ DBG1(" unable to locate symbol: %s", dlerror());
+ return 0;
+ }
+ /* we reuse the Dl_info struct as in/out parameter */
+ if (!dl_iterate_phdr((void*)callback, &dli))
+ {
+ DBG1(" executable section not found");
+ return 0;
+ }
+
+ segment = chunk_create(dli.dli_fbase, dli.dli_saddr - dli.dli_fbase);
+ *len = segment.len;
+ return chunk_hash(segment);
+}
+
+/**
+ * Find a checksum by its name
+ */
+static integrity_checksum_t *find_checksum(private_integrity_checker_t *this,
+ char *name)
+{
+ int i;
+
+ for (i = 0; i < this->checksum_count; i++)
+ {
+ if (streq(this->checksums[i].name, name))
+ {
+ return &this->checksums[i];
+ }
+ }
+ return NULL;
+}
+
+/**
+ * Implementation of integrity_checker_t.check_file
+ */
+static bool check_file(private_integrity_checker_t *this,
+ char *name, char *file)
+{
+ integrity_checksum_t *cs;
+ u_int32_t sum;
+ size_t len = 0;
+
+ cs = find_checksum(this, name);
+ if (!cs)
+ {
+ DBG1(" '%s' file checksum not found", name);
+ return FALSE;
+ }
+ sum = build_file(this, file, &len);
+ if (!sum)
+ {
+ return FALSE;
+ }
+ if (cs->file_len != len)
+ {
+ DBG1(" invalid '%s' file size: %u bytes, expected %u bytes",
+ name, len, cs->file_len);
+ return FALSE;
+ }
+ if (cs->file != sum)
+ {
+ DBG1(" invalid '%s' file checksum: %08x, expected %08x",
+ name, sum, cs->file);
+ return FALSE;
+ }
+ DBG2(" valid '%s' file checksum: %08x", name, sum);
+ return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.check_segment
+ */
+static bool check_segment(private_integrity_checker_t *this,
+ char *name, void *sym)
+{
+ integrity_checksum_t *cs;
+ u_int32_t sum;
+ size_t len = 0;
+
+ cs = find_checksum(this, name);
+ if (!cs)
+ {
+ DBG1(" '%s' segment checksum not found", name);
+ return FALSE;
+ }
+ sum = build_segment(this, sym, &len);
+ if (!sum)
+ {
+ return FALSE;
+ }
+ if (cs->segment_len != len)
+ {
+ DBG1(" invalid '%s' segment size: %u bytes, expected %u bytes",
+ name, len, cs->segment_len);
+ return FALSE;
+ }
+ if (cs->segment != sum)
+ {
+ DBG1(" invalid '%s' segment checksum: %08x, expected %08x",
+ name, sum, cs->segment);
+ return FALSE;
+ }
+ DBG2(" valid '%s' segment checksum: %08x", name, sum);
+ return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.check
+ */
+static bool check(private_integrity_checker_t *this, char *name, void *sym)
+{
+ Dl_info dli;
+
+ if (dladdr(sym, &dli) == 0)
+ {
+ DBG1("unable to locate symbol: %s", dlerror());
+ return FALSE;
+ }
+ if (!check_file(this, name, (char*)dli.dli_fname))
+ {
+ return FALSE;
+ }
+ if (!check_segment(this, name, sym))
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of integrity_checker_t.destroy.
+ */
+static void destroy(private_integrity_checker_t *this)
+{
+ if (this->handle)
+ {
+ dlclose(this->handle);
+ }
+ free(this);
+}
+
+/**
+ * See header
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library)
+{
+ private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t);
+
+ this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file;
+ this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file;
+ this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment;
+ this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment;
+ this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check;
+ this->public.destroy = (void(*)(integrity_checker_t*))destroy;
+
+ this->checksum_count = 0;
+ this->handle = NULL;
+ if (checksum_library)
+ {
+ this->handle = dlopen(checksum_library, RTLD_LAZY);
+ if (this->handle)
+ {
+ int *checksum_count;
+
+ this->checksums = dlsym(this->handle, "checksums");
+ checksum_count = dlsym(this->handle, "checksum_count");
+ if (this->checksums && checksum_count)
+ {
+ this->checksum_count = *checksum_count;
+ }
+ else
+ {
+ DBG1("checksum library '%s' invalid", checksum_library);
+ }
+ }
+ else
+ {
+ DBG1("loading checksum library '%s' failed", checksum_library);
+ }
+ }
+ return &this->public;
+}
+
diff --git a/src/libstrongswan/integrity_checker.h b/src/libstrongswan/integrity_checker.h
new file mode 100644
index 000000000..d078dd6fb
--- /dev/null
+++ b/src/libstrongswan/integrity_checker.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup integrity_checker integrity_checker
+ * @{ @ingroup libstrongswan
+ */
+
+#ifndef INTEGRITY_CHECKER_H_
+#define INTEGRITY_CHECKER_H_
+
+#include <utils.h>
+#include <plugins/plugin.h>
+
+typedef struct integrity_checker_t integrity_checker_t;
+typedef struct integrity_checksum_t integrity_checksum_t;
+
+/**
+ * Struct to hold a precalculated checksum, implemented in the checksum library.
+ */
+struct integrity_checksum_t {
+ /* name of the checksum */
+ char *name;
+ /* size in bytes of the file on disk */
+ size_t file_len;
+ /* checksum of the file on disk */
+ u_int32_t file;
+ /* size in bytes of executable segment in memory */
+ size_t segment_len;
+ /* checksum of the executable segment in memory */
+ u_int32_t segment;
+};
+
+/**
+ * Code integrity checker to detect non-malicious file manipulation.
+ *
+ * The integrity checker reads the checksums from a separate library
+ * libchecksum.so to compare the checksums.
+ */
+struct integrity_checker_t {
+
+ /**
+ * Check the integrity of a file on disk.
+ *
+ * @param name name to lookup checksum
+ * @param file path to file
+ * @return TRUE if integrity tested successfully
+ */
+ bool (*check_file)(integrity_checker_t *this, char *name, char *file);
+
+ /**
+ * Build the integrity checksum of a file on disk.
+ *
+ * @param file path to file
+ * @param len return length in bytes of file
+ * @return checksum, 0 on error
+ */
+ u_int32_t (*build_file)(integrity_checker_t *this, char *file, size_t *len);
+
+ /**
+ * Check the integrity of the code segment in memory.
+ *
+ * @param name name to lookup checksum
+ * @param sym a symbol in the segment to check
+ * @return TRUE if integrity tested successfully
+ */
+ bool (*check_segment)(integrity_checker_t *this, char *name, void *sym);
+ /**
+ * Build the integrity checksum of a code segment in memory.
+ *
+ * @param sym a symbol in the segment to check
+ * @param len return length in bytes of code segment in memory
+ * @return checksum, 0 on error
+ */
+ u_int32_t (*build_segment)(integrity_checker_t *this, void *sym, size_t *len);
+
+ /**
+ * Check both, on disk file integrity and loaded segment.
+ *
+ * @param name name to lookup checksum
+ * @param sym a symbol to look up library and segment
+ * @return TRUE if integrity tested successfully
+ */
+ bool (*check)(integrity_checker_t *this, char *name, void *sym);
+
+ /**
+ * Destroy a integrity_checker_t.
+ */
+ void (*destroy)(integrity_checker_t *this);
+};
+
+/**
+ * Create a integrity_checker instance.
+ *
+ * @param checksum_library library containing checksums
+ */
+integrity_checker_t *integrity_checker_create(char *checksum_library);
+
+#endif /* INTEGRITY_CHECKER_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 8e5a8a611..832c8b607 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -20,12 +20,15 @@
#include <utils.h>
#include <chunk.h>
+#include <debug.h>
#include <utils/identification.h>
#include <utils/host.h>
#ifdef LEAK_DETECTIVE
#include <utils/leak_detective.h>
#endif
+#define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so"
+
typedef struct private_library_t private_library_t;
/**
@@ -65,6 +68,10 @@ void library_deinit()
this->public.fetcher->destroy(this->public.fetcher);
this->public.db->destroy(this->public.db);
this->public.printf_hook->destroy(this->public.printf_hook);
+ if (this->public.integrity)
+ {
+ this->public.integrity->destroy(this->public.integrity);
+ }
#ifdef LEAK_DETECTIVE
if (this->detective)
@@ -79,7 +86,7 @@ void library_deinit()
/*
* see header file
*/
-void library_init(char *settings)
+bool library_init(char *settings)
{
printf_hook_t *pfh;
private_library_t *this = malloc_thing(private_library_t);
@@ -119,5 +126,23 @@ void library_init(char *settings)
this->public.fetcher = fetcher_manager_create();
this->public.db = database_factory_create();
this->public.plugins = plugin_loader_create();
+ this->public.integrity = NULL;
+
+ if (lib->settings->get_bool(lib->settings,
+ "libstrongswan.integrity_test", FALSE))
+ {
+#ifdef INTEGRITY_TEST
+ this->public.integrity = integrity_checker_create(CHECKSUM_LIBRARY);
+ if (!lib->integrity->check(lib->integrity, "libstrongswan", library_init))
+ {
+ DBG1("integrity check of libstrongswan failed");
+ return FALSE;
+ }
+#else /* !INTEGRITY_TEST */
+ DBG1("integrity test enabled, but not supported");
+ return FALSE;
+#endif /* INTEGRITY_TEST */
+ }
+ return TRUE;
}
diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h
index 35c6b686a..df4121803 100644
--- a/src/libstrongswan/library.h
+++ b/src/libstrongswan/library.h
@@ -19,6 +19,9 @@
* @defgroup asn1 asn1
* @ingroup libstrongswan
*
+ * @defgroup pgp pgp
+ * @ingroup libstrongswan
+ *
* @defgroup credentials credentials
* @ingroup libstrongswan
*
@@ -30,19 +33,16 @@
*
* @defgroup crypto crypto
* @ingroup libstrongswan
-
+ *
* @defgroup database database
* @ingroup libstrongswan
-
+ *
* @defgroup fetcher fetcher
* @ingroup libstrongswan
-
- * @defgroup fips fips
- * @ingroup libstrongswan
-
+ *
* @defgroup plugins plugins
* @ingroup libstrongswan
-
+ *
* @defgroup utils utils
* @ingroup libstrongswan
*/
@@ -59,6 +59,7 @@
#include <utils.h>
#include <chunk.h>
#include <settings.h>
+#include <integrity_checker.h>
#include <plugins/plugin_loader.h>
#include <crypto/crypto_factory.h>
#include <fetcher/fetcher_manager.h>
@@ -108,6 +109,11 @@ struct library_t {
settings_t *settings;
/**
+ * integrity checker to verify code integrity
+ */
+ integrity_checker_t *integrity;
+
+ /**
* is leak detective running?
*/
bool leak_detective;
@@ -117,8 +123,9 @@ struct library_t {
* Initialize library, creates "lib" instance.
*
* @param settings file to read settings from, may be NULL for none
+ * @return FALSE if integrity check failed
*/
-void library_init(char *settings);
+bool library_init(char *settings);
/**
* Deinitialize library, destroys "lib" instance.
diff --git a/src/libstrongswan/plugins/aes/Makefile.am b/src/libstrongswan/plugins/aes/Makefile.am
index e73040f27..a3101172f 100644
--- a/src/libstrongswan/plugins/aes/Makefile.am
+++ b/src/libstrongswan/plugins/aes/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-aes.la
libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
-libstrongswan_aes_la_LDFLAGS = -module
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 19d3249b5..4414b2ede 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-aes.la
libstrongswan_aes_la_SOURCES = aes_plugin.h aes_plugin.c aes_crypter.c aes_crypter.h
-libstrongswan_aes_la_LDFLAGS = -module
+libstrongswan_aes_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/agent/Makefile.am b/src/libstrongswan/plugins/agent/Makefile.am
index bc022aa26..e1000e562 100644
--- a/src/libstrongswan/plugins/agent/Makefile.am
+++ b/src/libstrongswan/plugins/agent/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-agent.la
libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
agent_private_key.c agent_private_key.h
-libstrongswan_agent_la_LDFLAGS = -module
+libstrongswan_agent_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 5a5202262..a73edb362 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-agent.la
libstrongswan_agent_la_SOURCES = agent_plugin.h agent_plugin.c \
agent_private_key.c agent_private_key.h
-libstrongswan_agent_la_LDFLAGS = -module
+libstrongswan_agent_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.am b/src/libstrongswan/plugins/blowfish/Makefile.am
index 6bb82169e..3fbc5893b 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.am
+++ b/src/libstrongswan/plugins/blowfish/Makefile.am
@@ -8,5 +8,5 @@ plugin_LTLIBRARIES = libstrongswan-blowfish.la
libstrongswan_blowfish_la_SOURCES = \
blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
-libstrongswan_blowfish_la_LDFLAGS = -module
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 25cea73df..e536b5fc6 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -76,12 +76,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -146,6 +148,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -186,7 +189,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_blowfish_la_SOURCES = \
blowfish_plugin.h blowfish_plugin.c blowfish_crypter.c blowfish_crypter.h \
bf_skey.c blowfish.h bf_pi.h bf_locl.h bf_enc.c
-libstrongswan_blowfish_la_LDFLAGS = -module
+libstrongswan_blowfish_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/curl/Makefile.am b/src/libstrongswan/plugins/curl/Makefile.am
index 1b44516b2..f0a41e4ad 100644
--- a/src/libstrongswan/plugins/curl/Makefile.am
+++ b/src/libstrongswan/plugins/curl/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-curl.la
libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
-libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LDFLAGS = -module -avoid-version
libstrongswan_curl_la_LIBADD = -lcurl
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index b413e035e..21d77ac8f 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-curl.la
libstrongswan_curl_la_SOURCES = curl_plugin.h curl_plugin.c curl_fetcher.c curl_fetcher.h
-libstrongswan_curl_la_LDFLAGS = -module
+libstrongswan_curl_la_LDFLAGS = -module -avoid-version
libstrongswan_curl_la_LIBADD = -lcurl
all: all-am
diff --git a/src/libstrongswan/plugins/des/Makefile.am b/src/libstrongswan/plugins/des/Makefile.am
index ea94eda8a..76cfbc419 100644
--- a/src/libstrongswan/plugins/des/Makefile.am
+++ b/src/libstrongswan/plugins/des/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-des.la
libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
-libstrongswan_des_la_LDFLAGS = -module
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index bbca6a032..19da339fe 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-des.la
libstrongswan_des_la_SOURCES = des_plugin.h des_plugin.c des_crypter.c des_crypter.h
-libstrongswan_des_la_LDFLAGS = -module
+libstrongswan_des_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.am b/src/libstrongswan/plugins/fips_prf/Makefile.am
index 73f28825a..d9431947e 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.am
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-fips-prf.la
libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
-libstrongswan_fips_prf_la_LDFLAGS = -module
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 881d7a36e..5dcae7f27 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-fips-prf.la
libstrongswan_fips_prf_la_SOURCES = fips_prf_plugin.h fips_prf_plugin.c fips_prf.c fips_prf.h
-libstrongswan_fips_prf_la_LDFLAGS = -module
+libstrongswan_fips_prf_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am
index 72cc409fc..7394676e2 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.am
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.am
@@ -13,5 +13,5 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
gcrypt_crypter.h gcrypt_crypter.c \
gcrypt_hasher.h gcrypt_hasher.c
-libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 49994c593..e3d27f7f8 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -77,12 +77,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -147,6 +149,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -187,7 +190,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -232,7 +237,7 @@ libstrongswan_gcrypt_la_SOURCES = gcrypt_plugin.h gcrypt_plugin.c \
gcrypt_crypter.h gcrypt_crypter.c \
gcrypt_hasher.h gcrypt_hasher.c
-libstrongswan_gcrypt_la_LDFLAGS = -module
+libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version
libstrongswan_gcrypt_la_LIBADD = $(LIBGCRYPT_LIBS)
all: all-am
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
index 785ebda90..41e17c897 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_hasher.c
@@ -116,6 +116,9 @@ gcrypt_hasher_t *gcrypt_hasher_create(hash_algorithm_t algo)
case HASH_SHA1:
gcrypt_alg = GCRY_MD_SHA1;
break;
+ case HASH_SHA224:
+ gcrypt_alg = GCRY_MD_SHA224;
+ break;
case HASH_SHA256:
gcrypt_alg = GCRY_MD_SHA256;
break;
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 547329dde..939e0886c 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -47,7 +47,7 @@ struct private_gcrypt_plugin_t {
*/
static int mutex_init(void **lock)
{
- *lock = mutex_create(MUTEX_DEFAULT);
+ *lock = mutex_create(MUTEX_TYPE_DEFAULT);
return 0;
}
@@ -148,6 +148,8 @@ plugin_t *plugin_create()
(hasher_constructor_t)gcrypt_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_MD5,
(hasher_constructor_t)gcrypt_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ (hasher_constructor_t)gcrypt_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
(hasher_constructor_t)gcrypt_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
index 611ab2467..e0e8015db 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c
@@ -61,12 +61,14 @@ struct private_gcrypt_rsa_private_key_t {
public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key);
/**
- * find a token in a S-expression
+ * find a token in a S-expression. If a key is given, its length is used to
+ * pad the output to a given length.
*/
-chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key)
{
gcry_sexp_t token;
- chunk_t data = chunk_empty;
+ chunk_t data = chunk_empty, tmp;
+ size_t len = 0;
token = gcry_sexp_find_token(sexp, name, 1);
if (token)
@@ -76,7 +78,36 @@ chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name)
{
data.len = 0;
}
- data = chunk_clone(data);
+ else
+ {
+ if (key)
+ {
+ /* gcrypt might return more bytes than necessary. Truncate
+ * to key lenght if key given, or prepend zeros if needed */
+ len = gcry_pk_get_nbits(key);
+ len = len / 8 + (len % 8 ? 1 : 0);
+ if (len > data.len)
+ {
+ tmp = chunk_alloc(len);
+ len -= data.len;
+ memset(tmp.ptr, 0, tmp.len - len);
+ memcpy(tmp.ptr + len, data.ptr, data.len);
+ data = tmp;
+ }
+ else if (len < data.len)
+ {
+ data = chunk_clone(chunk_skip(data, data.len - len));
+ }
+ else
+ {
+ data = chunk_clone(data);
+ }
+ }
+ else
+ {
+ data = chunk_clone(data);
+ }
+ }
gcry_sexp_release(token);
}
return data;
@@ -124,7 +155,7 @@ static bool sign_raw(private_gcrypt_rsa_private_key_t *this,
DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
return FALSE;
}
- *signature = gcrypt_rsa_find_token(out, "s");
+ *signature = gcrypt_rsa_find_token(out, "s", this->key);
gcry_sexp_release(out);
return !!signature->len;
}
@@ -170,7 +201,7 @@ static bool sign_pkcs1(private_gcrypt_rsa_private_key_t *this,
DBG1("creating pkcs1 signature failed: %s", gpg_strerror(err));
return FALSE;
}
- *signature = gcrypt_rsa_find_token(out, "s");
+ *signature = gcrypt_rsa_find_token(out, "s", this->key);
gcry_sexp_release(out);
return !!signature->len;
}
@@ -195,6 +226,8 @@ static bool sign(private_gcrypt_rsa_private_key_t *this, signature_scheme_t sche
return sign_raw(this, data, sig);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return sign_pkcs1(this, HASH_SHA1, "sha1", data, sig);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return sign_pkcs1(this, HASH_SHA224, "sha224", data, sig);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return sign_pkcs1(this, HASH_SHA256, "sha256", data, sig);
case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -353,9 +386,9 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
gcry_error_t err;
/* p and q are swapped, gcrypt expects p < q */
- cp = gcrypt_rsa_find_token(this->key, "q");
- cq = gcrypt_rsa_find_token(this->key, "p");
- cd = gcrypt_rsa_find_token(this->key, "d");
+ cp = gcrypt_rsa_find_token(this->key, "q", NULL);
+ cq = gcrypt_rsa_find_token(this->key, "p", NULL);
+ cd = gcrypt_rsa_find_token(this->key, "d", NULL);
err = gcry_mpi_scan(&p, GCRYMPI_FMT_USG, cp.ptr, cp.len, NULL)
| gcry_mpi_scan(&q, GCRYMPI_FMT_USG, cq.ptr, cq.len, NULL)
@@ -401,14 +434,14 @@ static chunk_t get_encoding(private_gcrypt_rsa_private_key_t *this)
}
return asn1_wrap(ASN1_SEQUENCE, "cmmmmmmmm", ASN1_INTEGER_0,
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")),
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)),
asn1_integer("m", cd),
asn1_integer("m", cp),
asn1_integer("m", cq),
asn1_integer("m", cexp1),
asn1_integer("m", cexp2),
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "u")));
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "u", NULL)));
}
/**
@@ -477,8 +510,8 @@ bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
return FALSE;
}
publicKey = asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_integer("m", gcrypt_rsa_find_token(key, "n")),
- asn1_integer("m", gcrypt_rsa_find_token(key, "e")));
+ asn1_integer("m", gcrypt_rsa_find_token(key, "n", NULL)),
+ asn1_integer("m", gcrypt_rsa_find_token(key, "e", NULL)));
hasher->allocate_hash(hasher, publicKey, &hash);
*keyid = identification_create_from_encoding(ID_PUBKEY_SHA1, hash);
chunk_free(&hash);
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
index 8024f58a7..4d9c88c6d 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c
@@ -60,7 +60,7 @@ struct private_gcrypt_rsa_public_key_t {
/**
* Implemented in gcrypt_rsa_private_key.c
*/
-chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name);
+chunk_t gcrypt_rsa_find_token(gcry_sexp_t sexp, char *name, gcry_sexp_t key);
bool gcrypt_rsa_build_keyids(gcry_sexp_t key, identification_t **keyid,
identification_t **keyid_info);
@@ -188,6 +188,8 @@ static bool verify(private_gcrypt_rsa_public_key_t *this,
return verify_pkcs1(this, HASH_MD5, "md5", data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return verify_pkcs1(this, HASH_SHA1, "sha1", data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return verify_pkcs1(this, HASH_SHA224, "sha224", data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return verify_pkcs1(this, HASH_SHA256, "sha256", data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -226,7 +228,7 @@ static bool encrypt_(private_gcrypt_rsa_public_key_t *this, chunk_t plain,
DBG1("encrypting data using pkcs1 failed: %s", gpg_strerror(err));
return FALSE;
}
- *encrypted = gcrypt_rsa_find_token(out, "a");
+ *encrypted = gcrypt_rsa_find_token(out, "a", this->key);
gcry_sexp_release(out);
return !!encrypted->len;
}
@@ -290,8 +292,8 @@ static identification_t *get_id(private_gcrypt_rsa_public_key_t *this,
static chunk_t get_encoding(private_gcrypt_rsa_public_key_t *this)
{
return asn1_wrap(ASN1_SEQUENCE, "mm",
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "n")),
- asn1_integer("m", gcrypt_rsa_find_token(this->key, "e")));
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "n", NULL)),
+ asn1_integer("m", gcrypt_rsa_find_token(this->key, "e", NULL)));
}
/**
@@ -352,8 +354,8 @@ public_key_t *gcrypt_rsa_public_key_create_from_sexp(gcry_sexp_t key)
chunk_t n, e;
this = gcrypt_rsa_public_key_create_empty();
- n = gcrypt_rsa_find_token(key, "n");
- e = gcrypt_rsa_find_token(key, "e");
+ n = gcrypt_rsa_find_token(key, "n", NULL);
+ e = gcrypt_rsa_find_token(key, "e", NULL);
err = gcry_sexp_build(&this->key, NULL, "(public-key(rsa(n %b)(e %b)))",
n.len, n.ptr, e.len, e.ptr);
diff --git a/src/libstrongswan/plugins/gmp/Makefile.am b/src/libstrongswan/plugins/gmp/Makefile.am
index f073b5d48..1ab358328 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.am
+++ b/src/libstrongswan/plugins/gmp/Makefile.am
@@ -10,6 +10,6 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
gmp_rsa_private_key.c gmp_rsa_private_key.h \
gmp_rsa_public_key.c gmp_rsa_public_key.h
-libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
libstrongswan_gmp_la_LIBADD = -lgmp
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index a60cd998c..8d5dff34b 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_gmp_la_SOURCES = gmp_plugin.h gmp_plugin.c \
gmp_rsa_private_key.c gmp_rsa_private_key.h \
gmp_rsa_public_key.c gmp_rsa_public_key.h
-libstrongswan_gmp_la_LDFLAGS = -module
+libstrongswan_gmp_la_LDFLAGS = -module -avoid-version
libstrongswan_gmp_la_LIBADD = -lgmp
all: all-am
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
index cbc112762..259c8e9ad 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c
@@ -301,6 +301,8 @@ static bool sign(private_gmp_rsa_private_key_t *this, signature_scheme_t scheme,
return build_emsa_pkcs1_signature(this, HASH_UNKNOWN, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return build_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return build_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return build_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
index 1f3e3072f..c26187c64 100644
--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
@@ -301,6 +301,8 @@ static bool verify(private_gmp_rsa_public_key_t *this, signature_scheme_t scheme
return verify_emsa_pkcs1_signature(this, HASH_MD5, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return verify_emsa_pkcs1_signature(this, HASH_SHA1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return verify_emsa_pkcs1_signature(this, HASH_SHA224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return verify_emsa_pkcs1_signature(this, HASH_SHA256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
@@ -417,7 +419,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this)
/**
* Build the PGP version 3 RSA key identifier from n and e using
- * MD5 hashed modulus and exponent. Also used in rsa_private_key.c.
+ * MD5 hashed modulus and exponent.
*/
static identification_t* gmp_rsa_build_pgp_v3_keyid(mpz_t n, mpz_t e)
{
diff --git a/src/libstrongswan/plugins/hmac/Makefile.am b/src/libstrongswan/plugins/hmac/Makefile.am
index 89e0638f3..1856cad2d 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.am
+++ b/src/libstrongswan/plugins/hmac/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la
libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
-libstrongswan_hmac_la_LDFLAGS = -module
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index fc36bd9fa..389bde8f9 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-hmac.la
libstrongswan_hmac_la_SOURCES = hmac_plugin.h hmac_plugin.c hmac.h hmac.c \
hmac_prf.h hmac_prf.c hmac_signer.h hmac_signer.c
-libstrongswan_hmac_la_LDFLAGS = -module
+libstrongswan_hmac_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/ldap/Makefile.am b/src/libstrongswan/plugins/ldap/Makefile.am
index ac6b4be00..6ad073d97 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.am
+++ b/src/libstrongswan/plugins/ldap/Makefile.am
@@ -6,6 +6,6 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-ldap.la
libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
-libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
libstrongswan_ldap_la_LIBADD = -lldap -llber
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 6eefc8546..93fc9a0c1 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-ldap.la
libstrongswan_ldap_la_SOURCES = ldap_plugin.h ldap_plugin.c ldap_fetcher.h ldap_fetcher.c
-libstrongswan_ldap_la_LDFLAGS = -module
+libstrongswan_ldap_la_LDFLAGS = -module -avoid-version
libstrongswan_ldap_la_LIBADD = -lldap -llber
all: all-am
diff --git a/src/libstrongswan/plugins/md4/Makefile.am b/src/libstrongswan/plugins/md4/Makefile.am
index f984322a6..a47da2e8e 100644
--- a/src/libstrongswan/plugins/md4/Makefile.am
+++ b/src/libstrongswan/plugins/md4/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md4.la
libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
-libstrongswan_md4_la_LDFLAGS = -module
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index efdb64e90..7ca6a20cc 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md4.la
libstrongswan_md4_la_SOURCES = md4_plugin.h md4_plugin.c md4_hasher.c md4_hasher.h
-libstrongswan_md4_la_LDFLAGS = -module
+libstrongswan_md4_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/md5/Makefile.am b/src/libstrongswan/plugins/md5/Makefile.am
index 0a9c5cbf4..ce0611c13 100644
--- a/src/libstrongswan/plugins/md5/Makefile.am
+++ b/src/libstrongswan/plugins/md5/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md5.la
libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
-libstrongswan_md5_la_LDFLAGS = -module
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 15c98aba4..fb9bc4b4d 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-md5.la
libstrongswan_md5_la_SOURCES = md5_plugin.h md5_plugin.c md5_hasher.c md5_hasher.h
-libstrongswan_md5_la_LDFLAGS = -module
+libstrongswan_md5_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/mysql/Makefile.am b/src/libstrongswan/plugins/mysql/Makefile.am
index ec94b8fda..0daf7655b 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.am
+++ b/src/libstrongswan/plugins/mysql/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la
libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \
mysql_database.h mysql_database.c
-libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 26b514ad6..21fe61923 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -223,7 +228,7 @@ plugin_LTLIBRARIES = libstrongswan-mysql.la
libstrongswan_mysql_la_SOURCES = mysql_plugin.h mysql_plugin.c \
mysql_database.h mysql_database.c
-libstrongswan_mysql_la_LDFLAGS = -module
+libstrongswan_mysql_la_LDFLAGS = -module -avoid-version
libstrongswan_mysql_la_LIBADD = -lmysqlclient_r
all: all-am
diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c
index d0d5a3d15..341217dd4 100644
--- a/src/libstrongswan/plugins/mysql/mysql_database.c
+++ b/src/libstrongswan/plugins/mysql/mysql_database.c
@@ -686,7 +686,7 @@ mysql_database_t *mysql_database_create(char *uri)
free(this);
return NULL;
}
- this->mutex = mutex_create(MUTEX_DEFAULT);
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
this->pool = linked_list_create();
/* check connectivity */
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index f331a78eb..25cc5aa1d 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -16,6 +16,6 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
openssl_ec_private_key.c openssl_ec_private_key.h \
openssl_ec_public_key.c openssl_ec_public_key.h
-libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
libstrongswan_openssl_la_LIBADD = -lcrypto
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index 0ebb5acf0..e6d7b479b 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -78,12 +78,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -148,6 +150,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -188,7 +191,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -236,7 +241,7 @@ libstrongswan_openssl_la_SOURCES = openssl_plugin.h openssl_plugin.c \
openssl_ec_private_key.c openssl_ec_private_key.h \
openssl_ec_public_key.c openssl_ec_public_key.h
-libstrongswan_openssl_la_LDFLAGS = -module
+libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
libstrongswan_openssl_la_LIBADD = -lcrypto
all: all-am
diff --git a/src/libstrongswan/plugins/openssl/openssl_crypter.c b/src/libstrongswan/plugins/openssl/openssl_crypter.c
index 7f48f1009..424fec60a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crypter.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crypter.c
@@ -83,6 +83,7 @@ static openssl_algorithm_t encryption_algs[] = {
/* {ENCR_DES_IV32, "***", 0, 0}, */
/* {ENCR_NULL, "***", 0, 0}, */ /* handled separately */
/* {ENCR_AES_CBC, "***", 0, 0}, */ /* handled separately */
+/* {ENCR_CAMELLIA_CBC, "***", 0, 0}, */ /* handled separately */
/* {ENCR_AES_CTR, "***", 0, 0}, */ /* disabled in evp.h */
{END_OF_LIST, NULL, 0, 0},
};
@@ -224,6 +225,23 @@ openssl_crypter_t *openssl_crypter_create(encryption_algorithm_t algo,
return NULL;
}
break;
+ case ENCR_CAMELLIA_CBC:
+ switch (key_size)
+ {
+ case 16: /* CAMELLIA 128 */
+ this->cipher = EVP_get_cipherbyname("camellia128");
+ break;
+ case 24: /* CAMELLIA 192 */
+ this->cipher = EVP_get_cipherbyname("camellia192");
+ break;
+ case 32: /* CAMELLIA 256 */
+ this->cipher = EVP_get_cipherbyname("camellia256");
+ break;
+ default:
+ free(this);
+ return NULL;
+ }
+ break;
case ENCR_DES_ECB:
this->cipher = EVP_des_ecb();
break;
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index c93acb75c..082aed9ca 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -108,7 +108,8 @@ error:
* Convert an EC_POINT to a chunk by concatenating the x and y coordinates of
* the point. This function allocates memory for the chunk.
*/
-static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chunk)
+static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point,
+ chunk_t *chunk, bool x_coordinate_only)
{
BN_CTX *ctx;
BIGNUM *x, *y;
@@ -133,6 +134,10 @@ static bool ecp2chunk(const EC_GROUP *group, const EC_POINT *point, chunk_t *chu
goto error;
}
+ if (x_coordinate_only)
+ {
+ y = NULL;
+ }
if (!openssl_bn_cat(EC_FIELD_ELEMENT_LEN(group), x, y, chunk))
{
goto error;
@@ -160,7 +165,7 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
{
const BIGNUM *priv_key;
EC_POINT *secret = NULL;
- bool ret = FALSE;
+ bool x_coordinate_only, ret = FALSE;
priv_key = EC_KEY_get0_private_key(this->key);
if (!priv_key)
@@ -179,7 +184,14 @@ static bool compute_shared_key(private_openssl_ec_diffie_hellman_t *this, chunk_
goto error;
}
- if (!ecp2chunk(this->ec_group, secret, shared_secret))
+ /*
+ * The default setting ecp_x_coordinate_only = TRUE
+ * applies the following errata for RFC 4753:
+ * http://www.rfc-editor.org/errata_search.php?eid=9
+ */
+ x_coordinate_only = lib->settings->get_bool(lib->settings,
+ "libstrongswan.ecp_x_coordinate_only", TRUE);
+ if (!ecp2chunk(this->ec_group, secret, shared_secret, x_coordinate_only))
{
goto error;
}
@@ -219,7 +231,7 @@ static void set_other_public_value(private_openssl_ec_diffie_hellman_t *this, ch
*/
static void get_my_public_value(private_openssl_ec_diffie_hellman_t *this,chunk_t *value)
{
- ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value);
+ ecp2chunk(this->ec_group, EC_KEY_get0_public_key(this->key), value, FALSE);
}
/**
diff --git a/src/libstrongswan/plugins/openssl/openssl_hasher.c b/src/libstrongswan/plugins/openssl/openssl_hasher.c
index ed3e57957..90a5229d5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_hasher.c
+++ b/src/libstrongswan/plugins/openssl/openssl_hasher.c
@@ -65,6 +65,7 @@ static openssl_algorithm_t integrity_algs[] = {
{HASH_MD2, "md2"},
{HASH_MD5, "md5"},
{HASH_SHA1, "sha1"},
+ {HASH_SHA224, "sha224"},
{HASH_SHA256, "sha256"},
{HASH_SHA384, "sha384"},
{HASH_SHA512, "sha512"},
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index a90dff7f1..ce6716f5a 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -84,7 +84,7 @@ static struct CRYPTO_dynlock_value *create_function(const char *file, int line)
struct CRYPTO_dynlock_value *lock;
lock = malloc_thing(struct CRYPTO_dynlock_value);
- lock->mutex = mutex_create(MUTEX_DEFAULT);
+ lock->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
return lock;
}
@@ -140,7 +140,7 @@ static void threading_init()
mutex = malloc(sizeof(mutex_t*) * num_locks);
for (i = 0; i < num_locks; i++)
{
- mutex[i] = mutex_create(MUTEX_DEFAULT);
+ mutex[i] = mutex_create(MUTEX_TYPE_DEFAULT);
}
}
@@ -212,6 +212,8 @@ plugin_t *plugin_create()
/* crypter */
lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC,
(crypter_constructor_t)openssl_crypter_create);
+ lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC,
+ (crypter_constructor_t)openssl_crypter_create);
lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
(crypter_constructor_t)openssl_crypter_create);
lib->crypto->add_crypter(lib->crypto, ENCR_RC5,
@@ -238,6 +240,8 @@ plugin_t *plugin_create()
(hasher_constructor_t)openssl_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_MD5,
(hasher_constructor_t)openssl_hasher_create);
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ (hasher_constructor_t)openssl_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
(hasher_constructor_t)openssl_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index c5d4142da..95c0ffdc8 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -165,6 +165,8 @@ static bool sign(private_openssl_rsa_private_key_t *this, signature_scheme_t sch
return build_emsa_pkcs1_signature(this, NID_undef, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return build_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return build_emsa_pkcs1_signature(this, NID_sha224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return build_emsa_pkcs1_signature(this, NID_sha256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
index 89912f24c..bc1ba35b6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c
@@ -143,6 +143,8 @@ static bool verify(private_openssl_rsa_public_key_t *this, signature_scheme_t sc
return verify_emsa_pkcs1_signature(this, NID_undef, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA1:
return verify_emsa_pkcs1_signature(this, NID_sha1, data, signature);
+ case SIGN_RSA_EMSA_PKCS1_SHA224:
+ return verify_emsa_pkcs1_signature(this, NID_sha224, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA256:
return verify_emsa_pkcs1_signature(this, NID_sha256, data, signature);
case SIGN_RSA_EMSA_PKCS1_SHA384:
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c
index bb0c296e1..c8c453f64 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.c
+++ b/src/libstrongswan/plugins/openssl/openssl_util.c
@@ -71,21 +71,26 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk)
{
int offset;
- chunk->len = len * 2;
+ chunk->len = len + (b ? len : 0);
chunk->ptr = malloc(chunk->len);
memset(chunk->ptr, 0, chunk->len);
+ /* convert a */
offset = len - BN_num_bytes(a);
if (!BN_bn2bin(a, chunk->ptr + offset))
{
goto error;
}
- offset = len - BN_num_bytes(b);
- if (!BN_bn2bin(b, chunk->ptr + len + offset))
+ /* optionally convert and concatenate b */
+ if (b)
{
- goto error;
- }
+ offset = len - BN_num_bytes(b);
+ if (!BN_bn2bin(b, chunk->ptr + len + offset))
+ {
+ goto error;
+ }
+ }
return TRUE;
error:
diff --git a/src/libstrongswan/plugins/padlock/Makefile.am b/src/libstrongswan/plugins/padlock/Makefile.am
index e7c3ba486..b2b1f9d85 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.am
+++ b/src/libstrongswan/plugins/padlock/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
padlock_aes_crypter.c padlock_aes_crypter.h \
padlock_sha1_hasher.c padlock_sha1_hasher.h \
padlock_rng.c padlock_rng.h
-libstrongswan_padlock_la_LDFLAGS = -module
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index 7fe0cc198..44f533744 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -227,7 +232,7 @@ libstrongswan_padlock_la_SOURCES = padlock_plugin.h padlock_plugin.c \
padlock_sha1_hasher.c padlock_sha1_hasher.h \
padlock_rng.c padlock_rng.h
-libstrongswan_padlock_la_LDFLAGS = -module
+libstrongswan_padlock_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c
index dddb73551..e241b59be 100644
--- a/src/libstrongswan/plugins/padlock/padlock_plugin.c
+++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c
@@ -97,7 +97,7 @@ static padlock_feature_t get_padlock_features()
return d;
}
}
- DBG1("Padlock not found, CPU is %s\n", vendor);
+ DBG1("Padlock not found, CPU is %s", vendor);
return 0;
}
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index ad5a9e240..459ba9ba9 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -22,6 +22,7 @@
#include <stdio.h>
#include <debug.h>
+#include <integrity_checker.h>
#include <utils/linked_list.h>
#include <plugins/plugin.h>
@@ -61,27 +62,45 @@ static plugin_t* load_plugin(private_plugin_loader_t *this,
snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, name);
+ if (lib->integrity)
+ {
+ if (!lib->integrity->check_file(lib->integrity, name, file))
+ {
+ DBG1("plugin '%s': failed file integrity test of '%s'", name, file);
+ return NULL;
+ }
+ }
handle = dlopen(file, RTLD_LAZY);
if (handle == NULL)
{
- DBG1("loading plugin '%s' failed: %s", name, dlerror());
+ DBG1("plugin '%s': failed to load '%s' - %s", name, file, dlerror());
return NULL;
}
constructor = dlsym(handle, "plugin_create");
if (constructor == NULL)
{
- DBG1("loading plugin '%s' failed: no plugin_create() function", name);
+ DBG1("plugin '%s': failed to load - no plugin_create() function", name);
dlclose(handle);
return NULL;
}
+ if (lib->integrity)
+ {
+ if (!lib->integrity->check_segment(lib->integrity, name, constructor))
+ {
+ DBG1("plugin '%s': failed segment integrity test", name);
+ dlclose(handle);
+ return NULL;
+ }
+ DBG1("plugin '%s': passed file and segment integrity tests", name);
+ }
plugin = constructor();
if (plugin == NULL)
{
- DBG1("loading plugin '%s' failed: plugin_create() returned NULL", name);
+ DBG1("plugin '%s': failed to load - plugin_create() returned NULL", name);
dlclose(handle);
return NULL;
}
- DBG2("plugin '%s' loaded successfully", name);
+ DBG2("plugin '%s': loaded successfully", name);
/* we do not store or free dlopen() handles, leak_detective requires
* the modules to keep loaded until leak report */
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.am b/src/libstrongswan/plugins/pubkey/Makefile.am
index 3b512614f..9423e6689 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.am
+++ b/src/libstrongswan/plugins/pubkey/Makefile.am
@@ -9,5 +9,5 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
pubkey_cert.h pubkey_cert.c\
pubkey_public_key.h pubkey_public_key.c
-libstrongswan_pubkey_la_LDFLAGS = -module
+libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 4514424f2..a672e2ea8 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -226,7 +231,7 @@ libstrongswan_pubkey_la_SOURCES = pubkey_plugin.h pubkey_plugin.c \
pubkey_cert.h pubkey_cert.c\
pubkey_public_key.h pubkey_public_key.c
-libstrongswan_pubkey_la_LDFLAGS = -module
+libstrongswan_pubkey_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/random/Makefile.am b/src/libstrongswan/plugins/random/Makefile.am
index 8b61d7094..9a11b8567 100644
--- a/src/libstrongswan/plugins/random/Makefile.am
+++ b/src/libstrongswan/plugins/random/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-random.la
libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
random_rng.c random_rng.h
-libstrongswan_random_la_LDFLAGS = -module
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index 0bed27468..a2869fb51 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-random.la
libstrongswan_random_la_SOURCES = random_plugin.h random_plugin.c \
random_rng.c random_rng.h
-libstrongswan_random_la_LDFLAGS = -module
+libstrongswan_random_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha1/Makefile.am b/src/libstrongswan/plugins/sha1/Makefile.am
index 5de45e4e8..ead51a45a 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.am
+++ b/src/libstrongswan/plugins/sha1/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la
libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
-libstrongswan_sha1_la_LDFLAGS = -module
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index c8b8905bb..f1f5807ab 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-sha1.la
libstrongswan_sha1_la_SOURCES = sha1_plugin.h sha1_plugin.c \
sha1_hasher.c sha1_hasher.h sha1_prf.c sha1_prf.h
-libstrongswan_sha1_la_LDFLAGS = -module
+libstrongswan_sha1_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha2/Makefile.am b/src/libstrongswan/plugins/sha2/Makefile.am
index 066e49476..5422e1d4e 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.am
+++ b/src/libstrongswan/plugins/sha2/Makefile.am
@@ -6,5 +6,5 @@ AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-sha2.la
libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
-libstrongswan_sha2_la_LDFLAGS = -module
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index f37c93502..b34286813 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -73,12 +73,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -143,6 +145,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -183,7 +186,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -221,7 +226,7 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
AM_CFLAGS = -rdynamic
plugin_LTLIBRARIES = libstrongswan-sha2.la
libstrongswan_sha2_la_SOURCES = sha2_plugin.h sha2_plugin.c sha2_hasher.c sha2_hasher.h
-libstrongswan_sha2_la_LDFLAGS = -module
+libstrongswan_sha2_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/sha2/sha2_hasher.c b/src/libstrongswan/plugins/sha2/sha2_hasher.c
index 0e8811cca..645f4d786 100644
--- a/src/libstrongswan/plugins/sha2/sha2_hasher.c
+++ b/src/libstrongswan/plugins/sha2/sha2_hasher.c
@@ -58,6 +58,11 @@ struct private_sha256_hasher_t {
};
+static const u_int32_t sha224_hashInit[8] = {
+ 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511,
+ 0x64f98fa7, 0xbefa4fa4
+};
+
static const u_int32_t sha256_hashInit[8] = {
0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c,
0x1f83d9ab, 0x5be0cd19
@@ -422,6 +427,21 @@ static void sha512_final(private_sha512_hasher_t *ctx)
}
/**
+ * Implementation of hasher_t.get_hash for SHA224.
+ */
+static void get_hash224(private_sha256_hasher_t *this,
+ chunk_t chunk, u_int8_t *buffer)
+{
+ sha256_write(this, chunk.ptr, chunk.len);
+ if (buffer != NULL)
+ {
+ sha256_final(this);
+ memcpy(buffer, this->sha_out, HASH_SIZE_SHA224);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ }
+}
+
+/**
* Implementation of hasher_t.get_hash for SHA256.
*/
static void get_hash256(private_sha256_hasher_t *this,
@@ -467,6 +487,25 @@ static void get_hash512(private_sha512_hasher_t *this,
}
/**
+ * Implementation of hasher_t.allocate_hash for SHA224.
+ */
+static void allocate_hash224(private_sha256_hasher_t *this,
+ chunk_t chunk, chunk_t *hash)
+{
+ chunk_t allocated_hash;
+
+ sha256_write(this, chunk.ptr, chunk.len);
+ if (hash != NULL)
+ {
+ sha256_final(this);
+ allocated_hash = chunk_alloc(HASH_SIZE_SHA224);
+ memcpy(allocated_hash.ptr, this->sha_out, HASH_SIZE_SHA224);
+ this->public.hasher_interface.reset(&(this->public.hasher_interface));
+ *hash = allocated_hash;
+ }
+}
+
+/**
* Implementation of hasher_t.allocate_hash for SHA256.
*/
static void allocate_hash256(private_sha256_hasher_t *this,
@@ -524,6 +563,14 @@ static void allocate_hash512(private_sha512_hasher_t *this,
}
/**
+ * Implementation of hasher_t.get_hash_size for SHA224.
+ */
+static size_t get_hash_size224(private_sha256_hasher_t *this)
+{
+ return HASH_SIZE_SHA224;
+}
+
+/**
* Implementation of hasher_t.get_hash_size for SHA256.
*/
static size_t get_hash_size256(private_sha256_hasher_t *this)
@@ -548,6 +595,16 @@ static size_t get_hash_size512(private_sha512_hasher_t *this)
}
/**
+ * Implementation of hasher_t.reset for SHA224
+ */
+static void reset224(private_sha256_hasher_t *ctx)
+{
+ memcpy(&ctx->sha_H[0], &sha224_hashInit[0], sizeof(ctx->sha_H));
+ ctx->sha_blocks = 0;
+ ctx->sha_bufCnt = 0;
+}
+
+/**
* Implementation of hasher_t.reset for SHA256
*/
static void reset256(private_sha256_hasher_t *ctx)
@@ -596,6 +653,13 @@ sha2_hasher_t *sha2_hasher_create(hash_algorithm_t algorithm)
switch (algorithm)
{
+ case HASH_SHA224:
+ this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
+ this->hasher_interface.reset = (void(*)(hasher_t*))reset224;
+ this->hasher_interface.get_hash_size = (size_t(*)(hasher_t*))get_hash_size224;
+ this->hasher_interface.get_hash = (void(*)(hasher_t*,chunk_t,u_int8_t*))get_hash224;
+ this->hasher_interface.allocate_hash = (void(*)(hasher_t*,chunk_t,chunk_t*))allocate_hash224;
+ break;
case HASH_SHA256:
this = (sha2_hasher_t*)malloc_thing(private_sha256_hasher_t);
this->hasher_interface.reset = (void(*)(hasher_t*))reset256;
diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c
index 21bc592dc..0743f7b1a 100644
--- a/src/libstrongswan/plugins/sha2/sha2_plugin.c
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c
@@ -50,6 +50,8 @@ plugin_t *plugin_create()
this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ lib->crypto->add_hasher(lib->crypto, HASH_SHA224,
+ (hasher_constructor_t)sha2_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA256,
(hasher_constructor_t)sha2_hasher_create);
lib->crypto->add_hasher(lib->crypto, HASH_SHA384,
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.am b/src/libstrongswan/plugins/sqlite/Makefile.am
index 7c3017abf..f26e31294 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.am
+++ b/src/libstrongswan/plugins/sqlite/Makefile.am
@@ -7,6 +7,6 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la
libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \
sqlite_database.h sqlite_database.c
-libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
libstrongswan_sqlite_la_LIBADD = -lsqlite3
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 547548bd7..b59a1c343 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -225,7 +230,7 @@ plugin_LTLIBRARIES = libstrongswan-sqlite.la
libstrongswan_sqlite_la_SOURCES = sqlite_plugin.h sqlite_plugin.c \
sqlite_database.h sqlite_database.c
-libstrongswan_sqlite_la_LDFLAGS = -module
+libstrongswan_sqlite_la_LDFLAGS = -module -avoid-version
libstrongswan_sqlite_la_LIBADD = -lsqlite3
all: all-am
diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c
index ce873b714..6e4951f2d 100644
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c
+++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c
@@ -333,7 +333,7 @@ sqlite_database_t *sqlite_database_create(char *uri)
this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver;
this->public.db.destroy = (void(*)(database_t*))destroy;
- this->mutex = mutex_create(MUTEX_RECURSIVE);
+ this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
if (sqlite3_open(file, &this->db) != SQLITE_OK)
{
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index 27d17c084..6028805c4 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -29,5 +29,5 @@ libstrongswan_test_vectors_la_SOURCES = \
test_vectors/sha2_hmac.c \
test_vectors/fips_prf.c \
test_vectors/rng.c
-libstrongswan_test_vectors_la_LDFLAGS = -module
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index bb877620c..0e408ba7e 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -251,7 +256,7 @@ libstrongswan_test_vectors_la_SOURCES = \
test_vectors/fips_prf.c \
test_vectors/rng.c
-libstrongswan_test_vectors_la_LDFLAGS = -module
+libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index df5a9c9a8..b182dd829 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -98,6 +98,9 @@ TEST_VECTOR_HASHER(md5_7)
TEST_VECTOR_HASHER(sha1_1)
TEST_VECTOR_HASHER(sha1_2)
TEST_VECTOR_HASHER(sha1_3)
+TEST_VECTOR_HASHER(sha224_1)
+TEST_VECTOR_HASHER(sha224_2)
+TEST_VECTOR_HASHER(sha224_3)
TEST_VECTOR_HASHER(sha256_1)
TEST_VECTOR_HASHER(sha256_2)
TEST_VECTOR_HASHER(sha256_3)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
index e2bd42240..4679c26b3 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/sha2.c
@@ -16,6 +16,41 @@
#include <crypto/crypto_tester.h>
/**
+ * SHA-224 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
+ */
+hasher_test_vector_t sha224_1 = {
+ .alg = HASH_SHA224, .len = 1,
+ .data = "\x07",
+ .hash = "\x00\xec\xd5\xf1\x38\x42\x2b\x8a\xd7\x4c\x97\x99\xfd\x82\x6c\x53"
+ "\x1b\xad\x2f\xca\xbc\x74\x50\xbe\xe2\xaa\x8c\x2a"
+
+};
+
+hasher_test_vector_t sha224_2 = {
+ .alg = HASH_SHA224, .len = 16,
+ .data = "\x18\x80\x40\x05\xdd\x4f\xbd\x15\x56\x29\x9d\x6f\x9d\x93\xdf\x62",
+ .hash = "\xdf\x90\xd7\x8a\xa7\x88\x21\xc9\x9b\x40\xba\x4c\x96\x69\x21\xac"
+ "\xcd\x8f\xfb\x1e\x98\xac\x38\x8e\x56\x19\x1d\xb1"
+};
+
+hasher_test_vector_t sha224_3 = {
+ .alg = HASH_SHA224, .len = 163,
+ .data = "\x55\xb2\x10\x07\x9c\x61\xb5\x3a\xdd\x52\x06\x22\xd1\xac\x97\xd5"
+ "\xcd\xbe\x8c\xb3\x3a\xa0\xae\x34\x45\x17\xbe\xe4\xd7\xba\x09\xab"
+ "\xc8\x53\x3c\x52\x50\x88\x7a\x43\xbe\xbb\xac\x90\x6c\x2e\x18\x37"
+ "\xf2\x6b\x36\xa5\x9a\xe3\xbe\x78\x14\xd5\x06\x89\x6b\x71\x8b\x2a"
+ "\x38\x3e\xcd\xac\x16\xb9\x61\x25\x55\x3f\x41\x6f\xf3\x2c\x66\x74"
+ "\xc7\x45\x99\xa9\x00\x53\x86\xd9\xce\x11\x12\x24\x5f\x48\xee\x47"
+ "\x0d\x39\x6c\x1e\xd6\x3b\x92\x67\x0c\xa5\x6e\xc8\x4d\xee\xa8\x14"
+ "\xb6\x13\x5e\xca\x54\x39\x2b\xde\xdb\x94\x89\xbc\x9b\x87\x5a\x8b"
+ "\xaf\x0d\xc1\xae\x78\x57\x36\x91\x4a\xb7\xda\xa2\x64\xbc\x07\x9d"
+ "\x26\x9f\x2c\x0d\x7e\xdd\xd8\x10\xa4\x26\x14\x5a\x07\x76\xf6\x7c"
+ "\x87\x82\x73",
+ .hash = "\x0b\x31\x89\x4e\xc8\x93\x7a\xd9\xb9\x1b\xdf\xbc\xba\x29\x4d\x9a"
+ "\xde\xfa\xa1\x8e\x09\x30\x5e\x9f\x20\xd5\xc3\xa4"
+};
+
+/**
* SHA-256 vectors from "The Secure Hash Algorithm Validation System (SHAVS)"
*/
hasher_test_vector_t sha256_1 = {
diff --git a/src/libstrongswan/plugins/x509/Makefile.am b/src/libstrongswan/plugins/x509/Makefile.am
index 3f9f85c36..e9668b4e4 100644
--- a/src/libstrongswan/plugins/x509/Makefile.am
+++ b/src/libstrongswan/plugins/x509/Makefile.am
@@ -12,5 +12,5 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
x509_ocsp_request.h x509_ocsp_request.c \
x509_ocsp_response.h x509_ocsp_response.c \
ietf_attr_list.h ietf_attr_list.c
-libstrongswan_x509_la_LDFLAGS = -module
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index 0c62ad3b3..56cb04769 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -75,12 +75,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -145,6 +147,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -185,7 +188,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -230,7 +235,7 @@ libstrongswan_x509_la_SOURCES = x509_plugin.h x509_plugin.c \
x509_ocsp_response.h x509_ocsp_response.c \
ietf_attr_list.h ietf_attr_list.c
-libstrongswan_x509_la_LDFLAGS = -module
+libstrongswan_x509_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.am b/src/libstrongswan/plugins/xcbc/Makefile.am
index 1b10d21f8..515b75031 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.am
+++ b/src/libstrongswan/plugins/xcbc/Makefile.am
@@ -7,5 +7,5 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la
libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
-libstrongswan_xcbc_la_LDFLAGS = -module
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 82ef55bd5..1d4e39586 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -74,12 +74,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -144,6 +146,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -184,7 +187,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -224,7 +229,7 @@ plugin_LTLIBRARIES = libstrongswan-xcbc.la
libstrongswan_xcbc_la_SOURCES = xcbc_plugin.h xcbc_plugin.c xcbc.h xcbc.c \
xcbc_prf.h xcbc_prf.c xcbc_signer.h xcbc_signer.c
-libstrongswan_xcbc_la_LDFLAGS = -module
+libstrongswan_xcbc_la_LDFLAGS = -module -avoid-version
all: all-am
.SUFFIXES:
diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c
index 4a0eff45f..305841172 100644
--- a/src/libstrongswan/utils.c
+++ b/src/libstrongswan/utils.c
@@ -20,6 +20,7 @@
#include <string.h>
#include <stdio.h>
#include <unistd.h>
+#include <stdint.h>
#include <limits.h>
#include <dirent.h>
#include <time.h>
@@ -58,20 +59,43 @@ void *clalloc(void * pointer, size_t size)
/**
* Described in header.
*/
-void memxor(u_int8_t dest[], u_int8_t src[], size_t n)
+void memxor(u_int8_t dst[], u_int8_t src[], size_t n)
{
- int i = 0, m;
+ int m, i;
- m = n - sizeof(long);
- while (i < m)
+ /* byte wise XOR until dst aligned */
+ for (i = 0; (uintptr_t)&dst[i] % sizeof(long); i++)
{
- *(long*)(dest + i) ^= *(long*)(src + i);
- i += sizeof(long);
+ dst[i] ^= src[i];
}
- while (i < n)
+ /* try to use words if src shares an aligment with dst */
+ switch (((uintptr_t)&src[i] % sizeof(long)))
{
- dest[i] ^= src[i];
- i++;
+ case 0:
+ for (m = n - sizeof(long); i <= m; i += sizeof(long))
+ {
+ *(long*)&dst[i] ^= *(long*)&src[i];
+ }
+ break;
+ case sizeof(int):
+ for (m = n - sizeof(int); i <= m; i += sizeof(int))
+ {
+ *(int*)&dst[i] ^= *(int*)&src[i];
+ }
+ break;
+ case sizeof(short):
+ for (m = n - sizeof(short); i <= m; i += sizeof(short))
+ {
+ *(short*)&dst[i] ^= *(short*)&src[i];
+ }
+ break;
+ default:
+ break;
+ }
+ /* byte wise XOR of the rest */
+ for (; i < n; i++)
+ {
+ dst[i] ^= src[i];
}
}
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h
index debd0145b..5d273d272 100644
--- a/src/libstrongswan/utils.h
+++ b/src/libstrongswan/utils.h
@@ -29,6 +29,16 @@
#include <enum.h>
/**
+ * strongSwan program return codes
+ */
+#define SS_RC_LIBSTRONGSWAN_INTEGRITY 64
+#define SS_RC_DAEMON_INTEGRITY 65
+#define SS_RC_INITIALIZATION_FAILED 66
+
+#define SS_RC_FIRST SS_RC_LIBSTRONGSWAN_INTEGRITY
+#define SS_RC_LAST SS_RC_INITIALIZATION_FAILED
+
+/**
* Number of bits in a byte
*/
#define BITS_PER_BYTE 8
@@ -134,6 +144,19 @@
# define TRUE true
#endif /* TRUE */
+/**
+ * define some missing fixed width int types on OpenSolaris.
+ * TODO: since the uintXX_t types are defined by the C99 standard we should
+ * probably use those anyway
+ */
+#ifdef __sun
+ #include <stdint.h>
+ typedef uint8_t u_int8_t;
+ typedef uint16_t u_int16_t;
+ typedef uint32_t u_int32_t;
+ typedef uint64_t u_int64_t;
+#endif
+
typedef enum status_t status_t;
/**
diff --git a/src/libstrongswan/utils/enumerator.c b/src/libstrongswan/utils/enumerator.c
index 24bafe66a..08522b8d5 100644
--- a/src/libstrongswan/utils/enumerator.c
+++ b/src/libstrongswan/utils/enumerator.c
@@ -408,7 +408,7 @@ typedef struct {
/**
* Implementation of enumerator_create_filter().destroy
*/
-void destroy_filter(filter_enumerator_t *this)
+static void destroy_filter(filter_enumerator_t *this)
{
if (this->destructor)
{
@@ -421,8 +421,8 @@ void destroy_filter(filter_enumerator_t *this)
/**
* Implementation of enumerator_create_filter().enumerate
*/
-bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
- void *o3, void *o4, void *o5)
+static bool enumerate_filter(filter_enumerator_t *this, void *o1, void *o2,
+ void *o3, void *o4, void *o5)
{
void *i1, *i2, *i3, *i4, *i5;
diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c
index 484de5e54..661bec315 100644
--- a/src/libstrongswan/utils/host.c
+++ b/src/libstrongswan/utils/host.c
@@ -17,6 +17,7 @@
*/
#define _GNU_SOURCE
+#include <sys/socket.h>
#include <netdb.h>
#include <string.h>
@@ -433,16 +434,40 @@ host_t *host_create_from_string(char *string, u_int16_t port)
/*
* Described in header.
*/
+host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
+{
+ private_host_t *this = host_create_empty();
+
+ switch (sockaddr->sa_family)
+ {
+ case AF_INET:
+ {
+ memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
+ this->socklen = sizeof(struct sockaddr_in);
+ return &this->public;
+ }
+ case AF_INET6:
+ {
+ memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
+ this->socklen = sizeof(struct sockaddr_in6);
+ return &this->public;
+ }
+ default:
+ break;
+ }
+ free(this);
+ return NULL;
+}
+
+/*
+ * Described in header.
+ */
host_t *host_create_from_dns(char *string, int af, u_int16_t port)
{
private_host_t *this;
- struct hostent *ptr;
- int ret = 0, err;
-#ifdef HAVE_GETHOSTBYNAME_R
- struct hostent host;
- char buf[512];
-#endif
-
+ struct addrinfo hints, *result;
+ int error;
+
if (streq(string, "%any"))
{
return host_create_any_port(af ? af : AF_INET, port);
@@ -451,62 +476,32 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port)
{
return host_create_any_port(af ? af : AF_INET6, port);
}
- else if (strchr(string, ':'))
- {
- /* gethostbyname does not like IPv6 addresses - fallback */
- return host_create_from_string(string, port);
- }
-
-#ifdef HAVE_GETHOSTBYNAME_R
- if (af)
- {
- ret = gethostbyname2_r(string, af, &host, buf, sizeof(buf), &ptr, &err);
- }
- else
- {
- ret = gethostbyname_r(string, &host, buf, sizeof(buf), &ptr, &err);
- }
-#else
- /* Some systems (e.g. Mac OS X) do not support gethostbyname_r */
- if (af)
- {
- ptr = gethostbyname2(string, af);
- }
- else
- {
- ptr = gethostbyname(string);
- }
- if (ptr == NULL)
- {
- err = h_errno;
- }
-#endif
- if (ret != 0 || ptr == NULL)
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = af;
+ error = getaddrinfo(string, NULL, &hints, &result);
+ if (error != 0)
{
- DBG1("resolving '%s' failed: %s", string, hstrerror(err));
+ DBG1("resolving '%s' failed: %s", string, gai_strerror(error));
return NULL;
}
- this = host_create_empty();
- this->address.sa_family = ptr->h_addrtype;
- switch (this->address.sa_family)
+ /* result is a linked list, but we use only the first address */
+ this = (private_host_t*)host_create_from_sockaddr(result->ai_addr);
+ freeaddrinfo(result);
+ if (this)
{
- case AF_INET:
- memcpy(&this->address4.sin_addr.s_addr,
- ptr->h_addr_list[0], ptr->h_length);
- this->address4.sin_port = htons(port);
- this->socklen = sizeof(struct sockaddr_in);
- break;
- case AF_INET6:
- memcpy(&this->address6.sin6_addr.s6_addr,
- ptr->h_addr_list[0], ptr->h_length);
- this->address6.sin6_port = htons(port);
- this->socklen = sizeof(struct sockaddr_in6);
- break;
- default:
- free(this);
- return NULL;
+ switch (this->address.sa_family)
+ {
+ case AF_INET:
+ this->address4.sin_port = htons(port);
+ break;
+ case AF_INET6:
+ this->address6.sin6_port = htons(port);
+ break;
+ }
+ return &this->public;
}
- return &this->public;
+ return NULL;
}
/*
@@ -569,34 +564,6 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port)
/*
* Described in header.
*/
-host_t *host_create_from_sockaddr(sockaddr_t *sockaddr)
-{
- private_host_t *this = host_create_empty();
-
- switch (sockaddr->sa_family)
- {
- case AF_INET:
- {
- memcpy(&this->address4, sockaddr, sizeof(struct sockaddr_in));
- this->socklen = sizeof(struct sockaddr_in);
- return &this->public;
- }
- case AF_INET6:
- {
- memcpy(&this->address6, sockaddr, sizeof(struct sockaddr_in6));
- this->socklen = sizeof(struct sockaddr_in6);
- return &this->public;
- }
- default:
- break;
- }
- free(this);
- return NULL;
-}
-
-/*
- * Described in header.
- */
host_t *host_create_any(int family)
{
private_host_t *this = host_create_empty();
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 1c04c97ef..10daf4679 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -21,7 +21,6 @@
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
-#include <ctype.h>
#include "identification.h"
@@ -122,365 +121,216 @@ struct private_identification_t {
id_type_t type;
};
-static private_identification_t *identification_create(void);
-
/**
- * updates a chunk (!????)
- * TODO: We should reconsider this stuff, its not really clear
+ * Enumerator over RDNs
*/
-static void update_chunk(chunk_t *ch, int n)
-{
- n = (n > -1 && n < (int)ch->len)? n : (int)ch->len-1;
- ch->ptr += n; ch->len -= n;
-}
+typedef struct {
+ /* implements enumerator interface */
+ enumerator_t public;
+ /* next set to parse, if any */
+ chunk_t sets;
+ /* next sequence in set, if any */
+ chunk_t seqs;
+} rdn_enumerator_t;
/**
- * Remove any malicious characters from a chunk. We are very restrictive, but
- * whe use these strings only to present it to the user.
+ * Implementation of rdn_enumerator_t.enumerate
*/
-static bool sanitize_chunk(chunk_t chunk, chunk_t *clone)
+static bool rdn_enumerate(rdn_enumerator_t *this, chunk_t *oid,
+ u_char *type, chunk_t *data)
{
- char *pos;
- bool all_printable = TRUE;
-
- *clone = chunk_clone(chunk);
+ chunk_t rdn;
- for (pos = clone->ptr; pos < (char*)(clone->ptr + clone->len); pos++)
+ /* a DN contains one or more SET, each containing one or more SEQUENCES,
+ * each containing a OID/value RDN */
+ if (!this->seqs.len)
{
- if (!isprint(*pos))
+ /* no SEQUENCEs in current SET, parse next SET */
+ if (asn1_unwrap(&this->sets, &this->seqs) != ASN1_SET)
{
- *pos = '?';
- all_printable = FALSE;
+ return FALSE;
+ }
+ }
+ if (asn1_unwrap(&this->seqs, &rdn) == ASN1_SEQUENCE &&
+ asn1_unwrap(&rdn, oid) == ASN1_OID)
+ {
+ int t = asn1_unwrap(&rdn, data);
+
+ if (t != ASN1_INVALID)
+ {
+ *type = t;
+ return TRUE;
}
}
- return all_printable;
+ return FALSE;
}
/**
- * Pointer is set to the first RDN in a DN
+ * Create an enumerator over all RDNs (oid, string type, data) of a DN
*/
-static bool init_rdn(chunk_t dn, chunk_t *rdn, chunk_t *attribute, bool *next)
+static enumerator_t* create_rdn_enumerator(chunk_t dn)
{
- *rdn = chunk_empty;
- *attribute = chunk_empty;
+ rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
- /* a DN is a SEQUENCE OF RDNs */
- if (*dn.ptr != ASN1_SEQUENCE)
- {
- /* DN is not a SEQUENCE */
- return FALSE;
- }
+ e->public.enumerate = (void*)rdn_enumerate;
+ e->public.destroy = (void*)free;
- rdn->len = asn1_length(&dn);
-
- if (rdn->len == ASN1_INVALID_LENGTH)
+ /* a DN is a SEQUENCE, get the first SET of it */
+ if (asn1_unwrap(&dn, &e->sets) == ASN1_SEQUENCE)
{
- /* Invalid RDN length */
- return FALSE;
+ e->seqs = chunk_empty;
+ return &e->public;
}
-
- rdn->ptr = dn.ptr;
-
- /* are there any RDNs ? */
- *next = rdn->len > 0;
-
- return TRUE;
+ free(e);
+ return enumerator_create_empty();
}
/**
- * Fetches the next RDN in a DN
+ * Part enumerator over RDNs
+ */
+typedef struct {
+ /* implements enumerator interface */
+ enumerator_t public;
+ /* inner RDN enumerator */
+ enumerator_t *inner;
+} rdn_part_enumerator_t;
+
+/**
+ * Implementation of rdn_part_enumerator_t.enumerate().
*/
-static bool get_next_rdn(chunk_t *rdn, chunk_t * attribute, chunk_t *oid,
- chunk_t *value, asn1_t *type, bool *next)
+static bool rdn_part_enumerate(rdn_part_enumerator_t *this,
+ id_part_t *type, chunk_t *data)
{
- chunk_t body;
+ int i, known_oid, strtype;
+ chunk_t oid, inner_data;
+ static const struct {
+ int oid;
+ id_part_t type;
+ } oid2part[] = {
+ {OID_COMMON_NAME, ID_PART_RDN_CN},
+ {OID_SURNAME, ID_PART_RDN_S},
+ {OID_SERIAL_NUMBER, ID_PART_RDN_SN},
+ {OID_COUNTRY, ID_PART_RDN_C},
+ {OID_LOCALITY, ID_PART_RDN_L},
+ {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST},
+ {OID_ORGANIZATION, ID_PART_RDN_O},
+ {OID_ORGANIZATION_UNIT, ID_PART_RDN_OU},
+ {OID_TITLE, ID_PART_RDN_T},
+ {OID_DESCRIPTION, ID_PART_RDN_D},
+ {OID_NAME, ID_PART_RDN_N},
+ {OID_GIVEN_NAME, ID_PART_RDN_G},
+ {OID_INITIALS, ID_PART_RDN_I},
+ {OID_UNIQUE_IDENTIFIER, ID_PART_RDN_ID},
+ {OID_EMAIL_ADDRESS, ID_PART_RDN_E},
+ {OID_EMPLOYEE_NUMBER, ID_PART_RDN_EN},
+ };
- /* initialize return values */
- *oid = chunk_empty;
- *value = chunk_empty;
-
- /* if all attributes have been parsed, get next rdn */
- if (attribute->len <= 0)
+ while (this->inner->enumerate(this->inner, &oid, &strtype, &inner_data))
{
- /* an RDN is a SET OF attributeTypeAndValue */
- if (*rdn->ptr != ASN1_SET)
+ known_oid = asn1_known_oid(oid);
+ for (i = 0; i < countof(oid2part); i++)
{
- /* RDN is not a SET */
- return FALSE;
- }
- attribute->len = asn1_length(rdn);
- if (attribute->len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute length */
- return FALSE;
+ if (oid2part[i].oid == known_oid)
+ {
+ *type = oid2part[i].type;
+ *data = inner_data;
+ return TRUE;
+ }
}
- attribute->ptr = rdn->ptr;
- /* advance to start of next RDN */
- rdn->ptr += attribute->len;
- rdn->len -= attribute->len;
- }
-
- /* an attributeTypeAndValue is a SEQUENCE */
- if (*attribute->ptr != ASN1_SEQUENCE)
- {
- /* attributeTypeAndValue is not a SEQUENCE */
- return FALSE;
}
-
- /* extract the attribute body */
- body.len = asn1_length(attribute);
-
- if (body.len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute body length */
- return FALSE;
- }
-
- body.ptr = attribute->ptr;
-
- /* advance to start of next attribute */
- attribute->ptr += body.len;
- attribute->len -= body.len;
-
- /* attribute type is an OID */
- if (*body.ptr != ASN1_OID)
- {
- /* attributeType is not an OID */
- return FALSE;
- }
- /* extract OID */
- oid->len = asn1_length(&body);
-
- if (oid->len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute OID length */
- return FALSE;
- }
- oid->ptr = body.ptr;
-
- /* advance to the attribute value */
- body.ptr += oid->len;
- body.len -= oid->len;
-
- /* extract string type */
- *type = *body.ptr;
-
- /* extract string value */
- value->len = asn1_length(&body);
-
- if (value->len == ASN1_INVALID_LENGTH)
- {
- /* Invalid attribute string length */
- return FALSE;
- }
- value->ptr = body.ptr;
-
- /* are there any RDNs left? */
- *next = rdn->len > 0 || attribute->len > 0;
- return TRUE;
+ return FALSE;
}
/**
- * Parses an ASN.1 distinguished name int its OID/value pairs
+ * Implementation of rdn_part_enumerator_t.destroy().
*/
-static bool dntoa(chunk_t dn, chunk_t *str)
+static void rdn_part_enumerator_destroy(rdn_part_enumerator_t *this)
{
- chunk_t rdn, oid, attribute, value, proper;
- asn1_t type;
- int oid_code;
- bool next;
- bool first = TRUE;
-
- if (!init_rdn(dn, &rdn, &attribute, &next))
- {
- return FALSE;
- }
-
- while (next)
- {
- if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
- {
- return FALSE;
- }
-
- if (first)
- { /* first OID/value pair */
- first = FALSE;
- }
- else
- { /* separate OID/value pair by a comma */
- update_chunk(str, snprintf(str->ptr,str->len,", "));
- }
-
- /* print OID */
- oid_code = asn1_known_oid(oid);
- if (oid_code == OID_UNKNOWN)
- {
- update_chunk(str, snprintf(str->ptr,str->len,"0x#B", &oid));
- }
- else
- {
- update_chunk(str, snprintf(str->ptr,str->len,"%s", oid_names[oid_code].name));
- }
- /* print value */
- sanitize_chunk(value, &proper);
- update_chunk(str, snprintf(str->ptr,str->len,"=%.*s", (int)proper.len, proper.ptr));
- chunk_free(&proper);
- }
- return TRUE;
+ this->inner->destroy(this->inner);
+ free(this);
}
/**
- * compare two distinguished names by
- * comparing the individual RDNs
+ * Implementation of identification_t.create_part_enumerator
*/
-static bool same_dn(chunk_t a, chunk_t b)
+static enumerator_t* create_part_enumerator(private_identification_t *this)
{
- chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
- chunk_t oid_a, oid_b, value_a, value_b;
- asn1_t type_a, type_b;
- bool next_a, next_b;
-
- /* same lengths for the DNs */
- if (a.len != b.len)
- {
- return FALSE;
- }
- /* try a binary comparison first */
- if (memeq(a.ptr, b.ptr, b.len))
- {
- return TRUE;
- }
- /* initialize DN parsing */
- if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) ||
- !init_rdn(b, &rdn_b, &attribute_b, &next_b))
- {
- return FALSE;
- }
-
- /* fetch next RDN pair */
- while (next_a && next_b)
+ switch (this->type)
{
- /* parse next RDNs and check for errors */
- if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) ||
- !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b))
- {
- return FALSE;
- }
-
- /* OIDs must agree */
- if (oid_a.len != oid_b.len || !memeq(oid_a.ptr, oid_b.ptr, oid_b.len))
- {
- return FALSE;
- }
-
- /* same lengths for values */
- if (value_a.len != value_b.len)
- {
- return FALSE;
- }
-
- /* printableStrings and email RDNs require uppercase comparison */
- if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
- (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
- {
- if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
- {
- return FALSE;
- }
- }
- else
+ case ID_DER_ASN1_DN:
{
- if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
- {
- return FALSE;
- }
+ rdn_part_enumerator_t *e = malloc_thing(rdn_part_enumerator_t);
+
+ e->inner = create_rdn_enumerator(this->encoded);
+ e->public.enumerate = (void*)rdn_part_enumerate;
+ e->public.destroy = (void*)rdn_part_enumerator_destroy;
+
+ return &e->public;
}
+ case ID_RFC822_ADDR:
+ /* TODO */
+ case ID_FQDN:
+ /* TODO */
+ default:
+ return enumerator_create_empty();
}
- /* both DNs must have same number of RDNs */
- if (next_a || next_b)
- {
- return FALSE;
- }
- /* the two DNs are equal! */
- return TRUE;
}
-
/**
- * compare two distinguished names by comparing the individual RDNs.
- * A single'*' character designates a wildcard RDN in DN b.
- * TODO: Add support for different RDN order in DN !!
+ * Print a DN with all its RDN in a buffer to present it to the user
*/
-bool match_dn(chunk_t a, chunk_t b, int *wildcards)
+static void dntoa(chunk_t dn, char *buf, size_t len)
{
- chunk_t rdn_a, rdn_b, attribute_a, attribute_b;
- chunk_t oid_a, oid_b, value_a, value_b;
- asn1_t type_a, type_b;
- bool next_a, next_b;
-
- /* initialize wildcard counter */
- *wildcards = 0;
-
- /* initialize DN parsing */
- if (!init_rdn(a, &rdn_a, &attribute_a, &next_a) ||
- !init_rdn(b, &rdn_b, &attribute_b, &next_b))
- {
- return FALSE;
- }
+ enumerator_t *e;
+ chunk_t oid_data, data;
+ u_char type;
+ int oid, written;
+ bool finished = FALSE;
- /* fetch next RDN pair */
- while (next_a && next_b)
+ e = create_rdn_enumerator(dn);
+ while (e->enumerate(e, &oid_data, &type, &data))
{
- /* parse next RDNs and check for errors */
- if (!get_next_rdn(&rdn_a, &attribute_a, &oid_a, &value_a, &type_a, &next_a) ||
- !get_next_rdn(&rdn_b, &attribute_b, &oid_b, &value_b, &type_b, &next_b))
+ oid = asn1_known_oid(oid_data);
+
+ if (oid == OID_UNKNOWN)
{
- return FALSE;
+ written = snprintf(buf, len, "%#B=", &oid_data);
}
- /* OIDs must agree */
- if (oid_a.len != oid_b.len || memcmp(oid_a.ptr, oid_b.ptr, oid_b.len) != 0)
+ else
{
- return FALSE;
+ written = snprintf(buf, len,"%s=", oid_names[oid].name);
}
+ buf += written;
+ len -= written;
- /* does rdn_b contain a wildcard? */
- if (value_b.len == 1 && *value_b.ptr == '*')
+ if (chunk_printable(data, NULL, '?'))
{
- (*wildcards)++;
- continue;
+ written = snprintf(buf, len, "%.*s", data.len, data.ptr);
}
- /* same lengths for values */
- if (value_a.len != value_b.len)
+ else
{
- return FALSE;
+ written = snprintf(buf, len, "%#B", &data);
}
+ buf += written;
+ len -= written;
- /* printableStrings and email RDNs require uppercase comparison */
- if (type_a == type_b && (type_a == ASN1_PRINTABLESTRING ||
- (type_a == ASN1_IA5STRING && asn1_known_oid(oid_a) == OID_PKCS9_EMAIL)))
+ if (data.ptr + data.len != dn.ptr + dn.len)
{
- if (strncasecmp(value_a.ptr, value_b.ptr, value_b.len) != 0)
- {
- return FALSE;
- }
+ written = snprintf(buf, len, ", ");
+ buf += written;
+ len -= written;
}
else
{
- if (!strneq(value_a.ptr, value_b.ptr, value_b.len))
- {
- return FALSE;
- }
+ finished = TRUE;
+ break;
}
}
- /* both DNs must have same number of RDNs */
- if (next_a || next_b)
+ if (!finished)
{
- return FALSE;
+ snprintf(buf, len, "(invalid ID_DER_ASN1_DN)");
}
- /* the two DNs match! */
- *wildcards = min(*wildcards, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
- return TRUE;
+ e->destroy(e);
}
/**
@@ -648,53 +498,34 @@ static id_type_t get_type(private_identification_t *this)
}
/**
- * Implementation of identification_t.contains_wildcards fro ID_DER_ASN1_DN.
+ * Implementation of identification_t.contains_wildcards for ID_DER_ASN1_DN.
*/
static bool contains_wildcards_dn(private_identification_t *this)
{
- chunk_t rdn, attribute;
- chunk_t oid, value;
- asn1_t type;
- bool next;
+ enumerator_t *enumerator;
+ bool contains = FALSE;
+ id_part_t type;
+ chunk_t data;
- if (!init_rdn(this->encoded, &rdn, &attribute, &next))
- {
- return FALSE;
- }
- /* fetch next RDN */
- while (next)
+ enumerator = create_part_enumerator(this);
+ while (enumerator->enumerate(enumerator, &type, &data))
{
- /* parse next RDN and check for errors */
- if (!get_next_rdn(&rdn, &attribute, &oid, &value, &type, &next))
- {
- return FALSE;
- }
- /* check if RDN is a wildcard */
- if (value.len == 1 && *value.ptr == '*')
+ if (data.len == 1 && data.ptr[0] == '*')
{
- return TRUE;
+ contains = TRUE;
+ break;
}
}
- return FALSE;
+ enumerator->destroy(enumerator);
+ return contains;
}
/**
- * Implementation of identification_t.contains_wildcards.
+ * Implementation of identification_t.contains_wildcards using memchr(*).
*/
-static bool contains_wildcards(private_identification_t *this)
+static bool contains_wildcards_memchr(private_identification_t *this)
{
- switch (this->type)
- {
- case ID_ANY:
- return TRUE;
- case ID_FQDN:
- case ID_RFC822_ADDR:
- return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
- case ID_DER_ASN1_DN:
- return contains_wildcards_dn(this);
- default:
- return FALSE;
- }
+ return memchr(this->encoded.ptr, '*', this->encoded.len) != NULL;
}
/**
@@ -711,7 +542,96 @@ static bool equals_binary(private_identification_t *this, private_identification
}
return chunk_equals(this->encoded, other->encoded);
}
- return FALSE;
+ return FALSE;
+}
+
+/**
+ * Compare to DNs, for equality if wc == NULL, for match otherwise
+ */
+static bool compare_dn(chunk_t t_dn, chunk_t o_dn, int *wc)
+{
+ enumerator_t *t, *o;
+ chunk_t t_oid, o_oid, t_data, o_data;
+ u_char t_type, o_type;
+ bool t_next, o_next, finished = FALSE;
+
+ if (wc)
+ {
+ *wc = 0;
+ }
+ else
+ {
+ if (t_dn.len != o_dn.len)
+ {
+ return FALSE;
+ }
+ }
+ /* try a binary compare */
+ if (memeq(t_dn.ptr, o_dn.ptr, t_dn.len))
+ {
+ return TRUE;
+ }
+
+ t = create_rdn_enumerator(t_dn);
+ o = create_rdn_enumerator(o_dn);
+ while (TRUE)
+ {
+ t_next = t->enumerate(t, &t_oid, &t_type, &t_data);
+ o_next = o->enumerate(o, &o_oid, &o_type, &o_data);
+
+ if (!o_next && !t_next)
+ {
+ break;
+ }
+ finished = FALSE;
+ if (o_next != t_next)
+ {
+ break;
+ }
+ if (!chunk_equals(t_oid, o_oid))
+ {
+ break;
+ }
+ if (wc && o_data.len == 1 && o_data.ptr[0] == '*')
+ {
+ (*wc)++;
+ }
+ else
+ {
+ if (t_data.len != o_data.len)
+ {
+ break;
+ }
+ if (t_type == o_type &&
+ (t_type == ASN1_PRINTABLESTRING ||
+ (t_type == ASN1_IA5STRING &&
+ (asn1_known_oid(t_oid) == OID_PKCS9_EMAIL ||
+ asn1_known_oid(t_oid) == OID_EMAIL_ADDRESS))))
+ { /* ignore case for printableStrings and email RDNs */
+ if (strncasecmp(t_data.ptr, o_data.ptr, t_data.len) != 0)
+ {
+ break;
+ }
+ }
+ else
+ { /* respect case and length for everything else */
+ if (!memeq(t_data.ptr, o_data.ptr, t_data.len))
+ {
+ break;
+ }
+ }
+ }
+ /* the enumerator returns FALSE on parse error, we are finished
+ * if we have reached the end of the DN only */
+ if ((t_data.ptr + t_data.len == t_dn.ptr + t_dn.len) &&
+ (o_data.ptr + o_data.len == o_dn.ptr + o_dn.len))
+ {
+ finished = TRUE;
+ }
+ }
+ t->destroy(t);
+ o->destroy(o);
+ return finished;
}
/**
@@ -720,7 +640,7 @@ static bool equals_binary(private_identification_t *this, private_identification
static bool equals_dn(private_identification_t *this,
private_identification_t *other)
{
- return same_dn(this->encoded, other->encoded);
+ return compare_dn(this->encoded, other->encoded, NULL);
}
/**
@@ -764,7 +684,7 @@ static id_match_t matches_binary(private_identification_t *this,
* Checks for a wildcard in other-string, and compares it against this-string.
*/
static id_match_t matches_string(private_identification_t *this,
- private_identification_t *other)
+ private_identification_t *other)
{
u_int len = other->encoded.len;
@@ -824,7 +744,7 @@ static id_match_t matches_dn(private_identification_t *this,
private_identification_t *other)
{
int wc;
-
+
if (other->type == ID_ANY)
{
return ID_MATCH_ANY;
@@ -832,8 +752,9 @@ static id_match_t matches_dn(private_identification_t *this,
if (this->type == other->type)
{
- if (match_dn(this->encoded, other->encoded, &wc))
+ if (compare_dn(this->encoded, other->encoded, &wc))
{
+ wc = min(wc, ID_MATCH_ONE_WILDCARD - ID_MATCH_MAX_WILDCARDS);
return ID_MATCH_PERFECT - wc;
}
}
@@ -847,8 +768,8 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
const void *const *args)
{
private_identification_t *this = *((private_identification_t**)(args[0]));
- char buf[BUF_LEN];
- chunk_t proper, buf_chunk = chunk_from_buf(buf);
+ chunk_t proper;
+ char buf[512];
if (this == NULL)
{
@@ -878,29 +799,26 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
case ID_RFC822_ADDR:
case ID_DER_ASN1_GN_URI:
case ID_IETF_ATTR_STRING:
- sanitize_chunk(this->encoded, &proper);
+ chunk_printable(this->encoded, &proper, '?');
snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
chunk_free(&proper);
break;
case ID_DER_ASN1_DN:
- if (!dntoa(this->encoded, &buf_chunk))
- {
- snprintf(buf, sizeof(buf), "(invalid ID_DER_ASN1_DN)");
- }
+ dntoa(this->encoded, buf, sizeof(buf));
break;
case ID_DER_ASN1_GN:
snprintf(buf, sizeof(buf), "(ASN.1 general Name");
break;
case ID_KEY_ID:
- if (sanitize_chunk(this->encoded, &proper))
+ if (chunk_printable(this->encoded, NULL, '?'))
{ /* fully printable, use ascii version */
- snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
+ snprintf(buf, sizeof(buf), "%.*s",
+ this->encoded.len, this->encoded.ptr);
}
else
{ /* not printable, hex dump */
snprintf(buf, sizeof(buf), "%#B", &this->encoded);
}
- chunk_free(&proper);
break;
case ID_PUBKEY_INFO_SHA1:
case ID_PUBKEY_SHA1:
@@ -917,140 +835,18 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec,
}
return print_in_hook(dst, len, "%*s", spec->width, buf);
}
-
-/**
- * Enumerator over RDNs
- */
-typedef struct {
- /* implements enumerator interface */
- enumerator_t public;
- /* current RDN */
- chunk_t rdn;
- /* current attribute */
- chunk_t attr;
- /** have another RDN? */
- bool next;
-} rdn_enumerator_t;
-
-/**
- * Implementation of rdn_enumerator_t.enumerate
- */
-static bool rdn_enumerate(rdn_enumerator_t *this,
- id_part_t *type, chunk_t *data)
-{
- chunk_t oid, value;
- asn1_t asn1_type;
-
- while (this->next)
- {
- if (!get_next_rdn(&this->rdn, &this->attr, &oid,
- &value, &asn1_type, &this->next))
- {
- return FALSE;
- }
- switch (asn1_known_oid(oid))
- {
- case OID_COMMON_NAME:
- *type = ID_PART_RDN_CN;
- break;
- case OID_SURNAME:
- *type = ID_PART_RDN_S;
- break;
- case OID_SERIAL_NUMBER:
- *type = ID_PART_RDN_SN;
- break;
- case OID_COUNTRY:
- *type = ID_PART_RDN_C;
- break;
- case OID_LOCALITY:
- *type = ID_PART_RDN_L;
- break;
- case OID_STATE_OR_PROVINCE:
- *type = ID_PART_RDN_ST;
- break;
- case OID_ORGANIZATION:
- *type = ID_PART_RDN_O;
- break;
- case OID_ORGANIZATION_UNIT:
- *type = ID_PART_RDN_OU;
- break;
- case OID_TITLE:
- *type = ID_PART_RDN_T;
- break;
- case OID_DESCRIPTION:
- *type = ID_PART_RDN_D;
- break;
- case OID_NAME:
- *type = ID_PART_RDN_N;
- break;
- case OID_GIVEN_NAME:
- *type = ID_PART_RDN_G;
- break;
- case OID_INITIALS:
- *type = ID_PART_RDN_I;
- break;
- case OID_UNIQUE_IDENTIFIER:
- *type = ID_PART_RDN_ID;
- break;
- case OID_EMAIL_ADDRESS:
- *type = ID_PART_RDN_E;
- break;
- case OID_EMPLOYEE_NUMBER:
- *type = ID_PART_RDN_EN;
- break;
- default:
- continue;
- }
- *data = value;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * Implementation of identification_t.create_part_enumerator
- */
-static enumerator_t* create_part_enumerator(private_identification_t *this)
-{
- switch (this->type)
- {
- case ID_DER_ASN1_DN:
- {
- rdn_enumerator_t *e = malloc_thing(rdn_enumerator_t);
-
- e->public.enumerate = (void*)rdn_enumerate;
- e->public.destroy = (void*)free;
- if (init_rdn(this->encoded, &e->rdn, &e->attr, &e->next))
- {
- return &e->public;
- }
- free(e);
- /* FALL */
- }
- case ID_RFC822_ADDR:
- /* TODO */
- case ID_FQDN:
- /* TODO */
- default:
- return enumerator_create_empty();
- }
-}
-
/**
* Implementation of identification_t.clone.
*/
static identification_t *clone_(private_identification_t *this)
{
- private_identification_t *clone = identification_create();
+ private_identification_t *clone = malloc_thing(private_identification_t);
- clone->type = this->type;
+ memcpy(clone, this, sizeof(private_identification_t));
if (this->encoded.len)
{
clone->encoded = chunk_clone(this->encoded);
}
- clone->public.equals = this->public.equals;
- clone->public.matches = this->public.matches;
-
return &clone->public;
}
@@ -1066,20 +862,42 @@ static void destroy(private_identification_t *this)
/**
* Generic constructor used for the other constructors.
*/
-static private_identification_t *identification_create(void)
+static private_identification_t *identification_create(id_type_t type)
{
private_identification_t *this = malloc_thing(private_identification_t);
this->public.get_encoding = (chunk_t (*) (identification_t*))get_encoding;
this->public.get_type = (id_type_t (*) (identification_t*))get_type;
- this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards;
this->public.create_part_enumerator = (enumerator_t*(*)(identification_t*))create_part_enumerator;
this->public.clone = (identification_t* (*) (identification_t*))clone_;
this->public.destroy = (void (*) (identification_t*))destroy;
- /* we use these as defaults, the may be overloaded for special ID types */
- this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
- this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary;
+ switch (type)
+ {
+ case ID_ANY:
+ this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_any;
+ this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))return_true;
+ break;
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_string;
+ this->public.equals = (bool (*)(identification_t*,identification_t*))equals_strcasecmp;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_memchr;
+ break;
+ case ID_DER_ASN1_DN:
+ this->public.equals = (bool (*)(identification_t*,identification_t*))equals_dn;
+ this->public.matches = (id_match_t (*)(identification_t*,identification_t*))matches_dn;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))contains_wildcards_dn;
+ break;
+ default:
+ this->public.equals = (bool (*) (identification_t*,identification_t*))equals_binary;
+ this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_binary;
+ this->public.contains_wildcards = (bool (*) (identification_t *this))return_false;
+ break;
+ }
+
+ this->type = type;
this->encoded = chunk_empty;
return this;
@@ -1090,8 +908,9 @@ static private_identification_t *identification_create(void)
*/
identification_t *identification_create_from_string(char *string)
{
- private_identification_t *this = identification_create();
-
+ private_identification_t *this;
+ chunk_t encoded;
+
if (string == NULL)
{
string = "%any";
@@ -1101,15 +920,16 @@ identification_t *identification_create_from_string(char *string)
/* we interpret this as an ASCII X.501 ID_DER_ASN1_DN.
* convert from LDAP style or openssl x509 -subject style to ASN.1 DN
*/
- if (atodn(string, &this->encoded) != SUCCESS)
+ if (atodn(string, &encoded) == SUCCESS)
+ {
+ this = identification_create(ID_DER_ASN1_DN);
+ this->encoded = encoded;
+ }
+ else
{
- this->type = ID_KEY_ID;
+ this = identification_create(ID_KEY_ID);
this->encoded = chunk_clone(chunk_create(string, strlen(string)));
- return &this->public;
}
- this->type = ID_DER_ASN1_DN;
- this->public.equals = (bool (*) (identification_t*,identification_t*))equals_dn;
- this->public.matches = (id_match_t (*) (identification_t*,identification_t*))matches_dn;
return &this->public;
}
else if (strchr(string, '@') == NULL)
@@ -1122,50 +942,43 @@ identification_t *identification_create_from_string(char *string)
|| streq(string, "0::0"))
{
/* any ID will be accepted */
- this->type = ID_ANY;
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_any;
+ this = identification_create(ID_ANY);
return &this->public;
}
else
{
if (strchr(string, ':') == NULL)
{
- /* try IPv4 */
struct in_addr address;
chunk_t chunk = {(void*)&address, sizeof(address)};
- if (inet_pton(AF_INET, string, &address) <= 0)
- {
- /* not IPv4, mostly FQDN */
- this->type = ID_FQDN;
- this->encoded.ptr = strdup(string);
- this->encoded.len = strlen(string);
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
- return &this->public;
+ if (inet_pton(AF_INET, string, &address) > 0)
+ { /* is IPv4 */
+ this = identification_create(ID_IPV4_ADDR);
+ this->encoded = chunk_clone(chunk);
+ }
+ else
+ { /* not IPv4, mostly FQDN */
+ this = identification_create(ID_FQDN);
+ this->encoded = chunk_create(strdup(string), strlen(string));
}
- this->encoded = chunk_clone(chunk);
- this->type = ID_IPV4_ADDR;
return &this->public;
}
else
{
- /* try IPv6 */
struct in6_addr address;
chunk_t chunk = {(void*)&address, sizeof(address)};
- if (inet_pton(AF_INET6, string, &address) <= 0)
- {
- this->type = ID_KEY_ID;
- this->encoded = chunk_clone(chunk_create(string,
- strlen(string)));
- return &this->public;
+ if (inet_pton(AF_INET6, string, &address) > 0)
+ { /* is IPv6 */
+ this = identification_create(ID_IPV6_ADDR);
+ this->encoded = chunk_clone(chunk);
+ }
+ else
+ { /* not IPv4/6 fallback to KEY_ID */
+ this = identification_create(ID_KEY_ID);
+ this->encoded = chunk_create(strdup(string), strlen(string));
}
- this->encoded = chunk_clone(chunk);
- this->type = ID_IPV6_ADDR;
return &this->public;
}
}
@@ -1176,33 +989,24 @@ identification_t *identification_create_from_string(char *string)
{
if (*(string + 1) == '#')
{
+ this = identification_create(ID_KEY_ID);
string += 2;
- this->type = ID_KEY_ID;
this->encoded = chunk_from_hex(
chunk_create(string, strlen(string)), NULL);
return &this->public;
}
else
{
- this->type = ID_FQDN;
- this->encoded.ptr = strdup(string + 1);
- this->encoded.len = strlen(string + 1);
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
+ this = identification_create(ID_FQDN);
+ string += 1;
+ this->encoded = chunk_create(strdup(string), strlen(string));
return &this->public;
}
}
else
{
- this->type = ID_RFC822_ADDR;
- this->encoded.ptr = strdup(string);
- this->encoded.len = strlen(string);
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
+ this = identification_create(ID_RFC822_ADDR);
+ this->encoded = chunk_create(strdup(string), strlen(string));
return &this->public;
}
}
@@ -1211,42 +1015,10 @@ identification_t *identification_create_from_string(char *string)
/*
* Described in header.
*/
-identification_t *identification_create_from_encoding(id_type_t type, chunk_t encoded)
+identification_t *identification_create_from_encoding(id_type_t type,
+ chunk_t encoded)
{
- private_identification_t *this = identification_create();
-
- this->type = type;
- switch (type)
- {
- case ID_ANY:
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_any;
- break;
- case ID_FQDN:
- case ID_RFC822_ADDR:
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_string;
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_strcasecmp;
- break;
- case ID_DER_ASN1_DN:
- this->public.equals = (bool (*)
- (identification_t*,identification_t*))equals_dn;
- this->public.matches = (id_match_t (*)
- (identification_t*,identification_t*))matches_dn;
- break;
- case ID_IPV4_ADDR:
- case ID_IPV6_ADDR:
- case ID_DER_ASN1_GN:
- case ID_KEY_ID:
- case ID_DER_ASN1_GN_URI:
- case ID_PUBKEY_INFO_SHA1:
- case ID_PUBKEY_SHA1:
- case ID_CERT_DER_SHA1:
- case ID_IETF_ATTR_STRING:
- default:
- break;
- }
+ private_identification_t *this = identification_create(type);
/* apply encoded chunk */
if (type != ID_ANY)
diff --git a/src/libstrongswan/utils/mutex.c b/src/libstrongswan/utils/mutex.c
index 8b3a25201..a6c39e94c 100644
--- a/src/libstrongswan/utils/mutex.c
+++ b/src/libstrongswan/utils/mutex.c
@@ -276,7 +276,7 @@ mutex_t *mutex_create(mutex_type_t type)
{
switch (type)
{
- case MUTEX_RECURSIVE:
+ case MUTEX_TYPE_RECURSIVE:
{
private_r_mutex_t *this = malloc_thing(private_r_mutex_t);
@@ -292,7 +292,7 @@ mutex_t *mutex_create(mutex_type_t type)
return &this->generic.public;
}
- case MUTEX_DEFAULT:
+ case MUTEX_TYPE_DEFAULT:
default:
{
private_mutex_t *this = malloc_thing(private_mutex_t);
@@ -416,7 +416,7 @@ condvar_t *condvar_create(condvar_type_t type)
{
switch (type)
{
- case CONDVAR_DEFAULT:
+ case CONDVAR_TYPE_DEFAULT:
default:
{
private_condvar_t *this = malloc_thing(private_condvar_t);
@@ -488,7 +488,7 @@ rwlock_t *rwlock_create(rwlock_type_t type)
{
switch (type)
{
- case RWLOCK_DEFAULT:
+ case RWLOCK_TYPE_DEFAULT:
default:
{
private_rwlock_t *this = malloc_thing(private_rwlock_t);
diff --git a/src/libstrongswan/utils/mutex.h b/src/libstrongswan/utils/mutex.h
index c5c667992..273f56b47 100644
--- a/src/libstrongswan/utils/mutex.h
+++ b/src/libstrongswan/utils/mutex.h
@@ -31,14 +31,41 @@ typedef enum rwlock_type_t rwlock_type_t;
#include <library.h>
+#ifdef __APPLE__
+/* on Mac OS X 10.5 several system calls we use are no cancellation points.
+ * fortunately, select isn't one of them, so we wrap some of the others with
+ * calls to select(2).
+ */
+#include <sys/socket.h>
+#include <sys/select.h>
+
+#define WRAP_WITH_SELECT(func, socket, ...)\
+ fd_set rfds; FD_ZERO(&rfds); FD_SET(socket, &rfds);\
+ if (select(socket + 1, &rfds, NULL, NULL, NULL) <= 0) { return -1; }\
+ return func(socket, __VA_ARGS__)
+
+static inline int cancellable_accept(int socket, struct sockaddr *address,
+ socklen_t *address_len)
+{
+ WRAP_WITH_SELECT(accept, socket, address, address_len);
+}
+#define accept cancellable_accept
+static inline int cancellable_recvfrom(int socket, void *buffer, size_t length,
+ int flags, struct sockaddr *address, socklen_t *address_len)
+{
+ WRAP_WITH_SELECT(recvfrom, socket, buffer, length, flags, address, address_len);
+}
+#define recvfrom cancellable_recvfrom
+#endif /* __APPLE__ */
+
/**
* Type of mutex.
*/
enum mutex_type_t {
/** default mutex */
- MUTEX_DEFAULT = 0,
+ MUTEX_TYPE_DEFAULT = 0,
/** allow recursive locking of the mutex */
- MUTEX_RECURSIVE = 1,
+ MUTEX_TYPE_RECURSIVE = 1,
};
/**
@@ -46,7 +73,7 @@ enum mutex_type_t {
*/
enum condvar_type_t {
/** default condvar */
- CONDVAR_DEFAULT = 0,
+ CONDVAR_TYPE_DEFAULT = 0,
};
/**
@@ -54,7 +81,7 @@ enum condvar_type_t {
*/
enum rwlock_type_t {
/** default condvar */
- RWLOCK_DEFAULT = 0,
+ RWLOCK_TYPE_DEFAULT = 0,
};
/**
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 49376379e..2252f57ec 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -98,12 +98,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -168,6 +170,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -208,7 +211,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index a9ef57922..239923c40 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -84,12 +84,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -154,6 +156,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -194,7 +197,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in
index 7bf71b08f..d8d590eb2 100644
--- a/src/openac/Makefile.in
+++ b/src/openac/Makefile.in
@@ -70,12 +70,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -140,6 +142,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -180,7 +183,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/openac/openac.c b/src/openac/openac.c
index 3686c07ac..a8f75e093 100755
--- a/src/openac/openac.c
+++ b/src/openac/openac.c
@@ -40,11 +40,6 @@
#include <credentials/keys/private_key.h>
#include <utils/optionsfrom.h>
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
#define OPENAC_PATH IPSEC_CONFDIR "/openac"
#define OPENAC_SERIAL IPSEC_CONFDIR "/openac/serial"
@@ -223,15 +218,16 @@ static void openac_dbg(int level, char *fmt, ...)
if (level <= debug_level)
{
- va_start(args, fmt);
-
if (!stderr_quiet)
{
+ va_start(args, fmt);
vfprintf(stderr, fmt, args);
fprintf(stderr, "\n");
+ va_end(args);
}
/* write in memory buffer first */
+ va_start(args, fmt);
vsnprintf(buffer, sizeof(buffer), fmt, args);
va_end(args);
@@ -287,7 +283,18 @@ int main(int argc, char **argv)
openlog("openac", 0, LOG_AUTHPRIV);
/* initialize library */
- library_init(STRONGSWAN_CONF);
+ if (!library_init(STRONGSWAN_CONF))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "openac", argv[0]))
+ {
+ fprintf(stderr, "integrity check of openac failed\n");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
lib->settings->get_str(lib->settings, "openac.load", PLUGINS));
@@ -482,20 +489,6 @@ int main(int argc, char **argv)
DBG1("starting openac (strongSwan Version %s)", VERSION);
-#ifdef INTEGRITY_TEST
- DBG1("integrity test of libstrongswan code");
- if (fips_verify_hmac_signature(hmac_key, hmac_signature))
- {
- DBG1(" integrity test passed");
- }
- else
- {
- DBG1(" integrity test failed");
- status = 3;
- goto end;
- }
-#endif /* INTEGRITY_TEST */
-
/* load the signer's RSA private key */
if (keyfile != NULL)
{
diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am
index 01237305b..c9cb6651f 100644
--- a/src/pluto/Makefile.am
+++ b/src/pluto/Makefile.am
@@ -110,11 +110,6 @@ if USE_SMARTCARD
AM_CFLAGS += -DSMARTCARD
endif
-# This compile option activates the integrity test of libstrongswan
-if USE_INTEGRITY_TEST
- AM_CFLAGS += -DINTEGRITY_TEST
-endif
-
if USE_CAPABILITIES
pluto_LDADD += -lcap
endif
diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in
index 01bda8540..871f0c905 100644
--- a/src/pluto/Makefile.in
+++ b/src/pluto/Makefile.in
@@ -52,11 +52,8 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT)
# This compile option activates smartcard support
@USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD
-
-# This compile option activates the integrity test of libstrongswan
-@USE_INTEGRITY_TEST_TRUE@am__append_6 = -DINTEGRITY_TEST
-@USE_CAPABILITIES_TRUE@am__append_7 = -lcap
-@USE_THREADS_TRUE@am__append_8 = -DTHREADS
+@USE_CAPABILITIES_TRUE@am__append_6 = -lcap
+@USE_THREADS_TRUE@am__append_7 = -DTHREADS
subdir = src/pluto
DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \
$(srcdir)/Makefile.in
@@ -116,12 +113,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -186,6 +185,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -226,7 +226,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -325,11 +327,10 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
-DSTRONGSWAN_CONF=\"${strongswan_conf}\" -DKERNEL26_SUPPORT \
-DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \
$(am__append_1) $(am__append_2) $(am__append_3) \
- $(am__append_4) $(am__append_5) $(am__append_6) \
- $(am__append_8)
+ $(am__append_4) $(am__append_5) $(am__append_7)
pluto_LDADD = $(LIBSTRONGSWANDIR)/libstrongswan.la \
$(LIBFREESWANDIR)/libfreeswan.a -lresolv -lpthread $(DLLIB) \
- $(am__append_7)
+ $(am__append_6)
_pluto_adns_LDADD = \
$(LIBFREESWANDIR)/libfreeswan.a \
-lresolv $(DLLIB)
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index a85a18905..c25418fc1 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -139,6 +139,24 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
)
}
+/**
+ * Returns true if the given alg is an authenticated encryption algorithm
+ */
+static bool is_authenticated_encryption(int ealg_id)
+{
+ switch (ealg_id)
+ {
+ case ESP_AES_CCM_8:
+ case ESP_AES_CCM_12:
+ case ESP_AES_CCM_16:
+ case ESP_AES_GCM_8:
+ case ESP_AES_GCM_12:
+ case ESP_AES_GCM_16:
+ return TRUE;
+ }
+ return FALSE;
+}
+
/*
* Add ESP alg info _with_ logic (policy):
*/
@@ -152,7 +170,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
}
if (ealg_id > 0)
{
- if (aalg_id > 0)
+ if (is_authenticated_encryption(ealg_id))
+ {
+ __alg_info_esp_add((struct alg_info_esp *)alg_info,
+ ealg_id, ek_bits,
+ AUTH_ALGORITHM_NONE, 0);
+ }
+ else if (aalg_id > 0)
{
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
@@ -160,13 +184,13 @@ static void alg_info_esp_add(struct alg_info *alg_info, int ealg_id,
}
else
{
- /* Policy: default to MD5 and SHA1 */
+ /* Policy: default to SHA-1 and MD5 */
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
- AUTH_ALGORITHM_HMAC_MD5, ak_bits);
+ AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
__alg_info_esp_add((struct alg_info_esp *)alg_info,
ealg_id, ek_bits,
- AUTH_ALGORITHM_HMAC_SHA1, ak_bits);
+ AUTH_ALGORITHM_HMAC_MD5, ak_bits);
}
}
}
diff --git a/src/pluto/connections.c b/src/pluto/connections.c
index 4deb722f7..b800b1665 100644
--- a/src/pluto/connections.c
+++ b/src/pluto/connections.c
@@ -1,5 +1,6 @@
/* information about connections between hosts and clients
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index adcd77131..e46728d84 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -663,6 +663,7 @@ enum_names enc_mode_names =
/* Auth Algorithm attribute */
static const char *const auth_alg_name[] = {
+ "AUTH_NONE",
"HMAC_MD5",
"HMAC_SHA1",
"DES_MAC",
@@ -683,7 +684,7 @@ enum_names extended_auth_alg_names =
{ AUTH_ALGORITHM_NULL, AUTH_ALGORITHM_NULL, extended_auth_alg_name, NULL };
enum_names auth_alg_names =
- { AUTH_ALGORITHM_HMAC_MD5, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
+ { AUTH_ALGORITHM_NONE, AUTH_ALGORITHM_SIG_RSA, auth_alg_name
, &extended_auth_alg_names };
/* From draft-beaulieu-ike-xauth */
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 1adccc74e..f47ad1eeb 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -235,7 +235,7 @@ static struct dh_desc dh_desc_ecp_224 = {
ke_size: 2*224 / BITS_PER_BYTE
};
-void init_crypto(void)
+bool init_crypto(void)
{
enumerator_t *enumerator;
encryption_algorithm_t encryption_alg;
@@ -275,13 +275,13 @@ void init_crypto(void)
}
enumerator->destroy(enumerator);
- if (no_sha1)
+ if (no_sha1 || no_md5)
{
- exit_log("pluto cannot run without a SHA-1 hasher");
- }
- if (no_md5)
- {
- exit_log("pluto cannot run without an MD5 hasher");
+ plog("pluto cannot run without a %s%s%s hasher",
+ (no_sha1) ? "SHA-1" : "",
+ (no_sha1 && no_md5) ? " and " : "",
+ (no_md5) ? "MD5" : "");
+ return FALSE;
}
enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
@@ -363,6 +363,7 @@ void init_crypto(void)
ike_alg_add((struct ike_alg *)desc);
}
enumerator->destroy(enumerator);
+ return TRUE;
}
void free_crypto(void)
diff --git a/src/pluto/crypto.h b/src/pluto/crypto.h
index 06c4e1d1a..019ba5764 100644
--- a/src/pluto/crypto.h
+++ b/src/pluto/crypto.h
@@ -20,7 +20,7 @@
#include "ike_alg.h"
-extern void init_crypto(void);
+extern bool init_crypto(void);
extern void free_crypto(void);
extern const struct dh_desc unset_group; /* magic signifier */
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index 929768ee9..57f4fb54b 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -2639,77 +2639,78 @@ static void compute_proto_keymat(struct state *st, u_int8_t protoid,
*/
switch (protoid)
{
- case PROTO_IPSEC_ESP:
+ case PROTO_IPSEC_ESP:
+ {
+ needed_len = kernel_alg_esp_enc_keylen(pi->attrs.transid);
+
+ if (needed_len && pi->attrs.key_len)
+ {
+ needed_len = pi->attrs.key_len / BITS_PER_BYTE;
+ }
+
switch (pi->attrs.transid)
{
- case ESP_NULL:
- needed_len = 0;
- break;
- case ESP_DES:
- needed_len = DES_CBC_BLOCK_SIZE;
- break;
- case ESP_3DES:
- needed_len = DES_CBC_BLOCK_SIZE * 3;
- break;
- default:
-#ifndef NO_KERNEL_ALG
- if((needed_len=kernel_alg_esp_enc_keylen(pi->attrs.transid))>0) {
- /* XXX: check key_len "coupling with kernel.c's */
- if (pi->attrs.key_len) {
- needed_len=pi->attrs.key_len/8;
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "key_len=%d from peer",
- (int)needed_len));
- }
- break;
- }
-#endif
- bad_case(pi->attrs.transid);
+ case ESP_NULL:
+ needed_len = 0;
+ break;
+ case ESP_AES_CCM_8:
+ case ESP_AES_CCM_12:
+ case ESP_AES_CCM_16:
+ needed_len += 3;
+ break;
+ case ESP_AES_GCM_8:
+ case ESP_AES_GCM_12:
+ case ESP_AES_GCM_16:
+ case ESP_AES_CTR:
+ needed_len += 4;
+ break;
+ default:
+ if (needed_len == 0)
+ {
+ bad_case(pi->attrs.transid);
+ }
}
-#ifndef NO_KERNEL_ALG
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "needed_len (after ESP enc)=%d",
- (int)needed_len));
- if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL)) {
+ if (kernel_alg_esp_auth_ok(pi->attrs.auth, NULL))
+ {
needed_len += kernel_alg_esp_auth_keylen(pi->attrs.auth);
- } else
-#endif
- switch (pi->attrs.auth)
+ }
+ else
{
- case AUTH_ALGORITHM_NONE:
- break;
- case AUTH_ALGORITHM_HMAC_MD5:
- needed_len += HMAC_MD5_KEY_LEN;
- break;
- case AUTH_ALGORITHM_HMAC_SHA1:
- needed_len += HMAC_SHA1_KEY_LEN;
- break;
- case AUTH_ALGORITHM_DES_MAC:
- default:
- bad_case(pi->attrs.auth);
+ switch (pi->attrs.auth)
+ {
+ case AUTH_ALGORITHM_NONE:
+ break;
+ case AUTH_ALGORITHM_HMAC_MD5:
+ needed_len += HMAC_MD5_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ needed_len += HMAC_SHA1_KEY_LEN;
+ break;
+ case AUTH_ALGORITHM_DES_MAC:
+ default:
+ bad_case(pi->attrs.auth);
+ }
}
- DBG(DBG_PARSING, DBG_log("compute_proto_keymat:"
- "needed_len (after ESP auth)=%d",
- (int)needed_len));
break;
-
- case PROTO_IPSEC_AH:
+ }
+ case PROTO_IPSEC_AH:
+ {
switch (pi->attrs.transid)
{
- case AH_MD5:
- needed_len = HMAC_MD5_KEY_LEN;
- break;
- case AH_SHA:
- needed_len = HMAC_SHA1_KEY_LEN;
- break;
- default:
- bad_case(pi->attrs.transid);
+ case AH_MD5:
+ needed_len = HMAC_MD5_KEY_LEN;
+ break;
+ case AH_SHA:
+ needed_len = HMAC_SHA1_KEY_LEN;
+ break;
+ default:
+ bad_case(pi->attrs.transid);
}
break;
-
- default:
- bad_case(protoid);
+ }
+ default:
+ bad_case(protoid);
}
pi->keymat_len = needed_len;
@@ -5444,7 +5445,8 @@ stf_status dpd_inR(struct state *st, struct isakmp_notification *const n,
if (!st->st_dpd_expectseqno && seqno != st->st_dpd_expectseqno)
{
loglog(RC_LOG_SERIOUS
- , "DPD: R_U_THERE_ACK has unexpected sequence number");
+ , "DPD: R_U_THERE_ACK has unexpected sequence number %u (expected %u)"
+ , seqno, st->st_dpd_expectseqno);
return STF_FAIL + PAYLOAD_MALFORMED;
}
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index f698de2c8..46edac1cd 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1,6 +1,7 @@
/* routines that interface with the kernel's IPsec mechanism
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2002 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -1849,7 +1850,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
if (st->nat_traversal & NAT_T_DETECTED)
{
natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
- ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
+ ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
natt_oa = st->nat_oa;
@@ -1860,12 +1861,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
if (ei == &esp_info[countof(esp_info)])
{
/* Check for additional kernel alg */
-#ifndef NO_KERNEL_ALG
if ((ei=kernel_alg_esp_info(st->st_esp.attrs.transid,
- st->st_esp.attrs.auth))!=NULL) {
- break;
+ st->st_esp.attrs.auth))!=NULL)
+ {
+ break;
}
-#endif
/* note: enum_show may use a static buffer, so two
* calls in one printf would be a mistake.
@@ -1878,9 +1878,11 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
goto fail;
}
- if (st->st_esp.attrs.transid == ei->transid
- && st->st_esp.attrs.auth == ei->auth)
+ if (st->st_esp.attrs.transid == ei->transid &&
+ st->st_esp.attrs.auth == ei->auth)
+ {
break;
+ }
}
key_len = st->st_esp.attrs.key_len/8;
@@ -1899,40 +1901,52 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
{
key_len = ei->enckeylen;
}
- /* Grrrrr.... f*cking 7 bits jurassic algos */
-
- /* 168 bits in kernel, need 192 bits for keymat_len */
- if (ei->transid == ESP_3DES && key_len == 21)
- key_len = 24;
- /* 56 bits in kernel, need 64 bits for keymat_len */
- if (ei->transid == ESP_DES && key_len == 7)
- key_len = 8;
+ switch (ei->transid)
+ {
+ case ESP_3DES:
+ /* 168 bits in kernel, need 192 bits for keymat_len */
+ if (key_len == 21)
+ {
+ key_len = 24;
+ }
+ break;
+ case ESP_DES:
+ /* 56 bits in kernel, need 64 bits for keymat_len */
+ if (key_len == 7)
+ {
+ key_len = 8;
+ }
+ break;
+ case ESP_AES_CCM_8:
+ case ESP_AES_CCM_12:
+ case ESP_AES_CCM_16:
+ key_len += 3;
+ break;
+ case ESP_AES_GCM_8:
+ case ESP_AES_GCM_12:
+ case ESP_AES_GCM_16:
+ case ESP_AES_CTR:
+ key_len += 4;
+ break;
+ default:
+ break;
+ }
/* divide up keying material */
- /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
- DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING,
- if(st->st_esp.keymat_len != key_len + ei->authkeylen)
- DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
- st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
- )
- passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
-
set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
-
said_next->src = &src.addr;
said_next->dst = &dst.addr;
said_next->src_client = &src_client;
said_next->dst_client = &dst_client;
said_next->spi = esp_spi;
said_next->satype = SADB_SATYPE_ESP;
- said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+ said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
+ REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
said_next->authalg = ei->authalg;
said_next->authkeylen = ei->authkeylen;
- /* said_next->authkey = esp_dst_keymat + ei->enckeylen; */
said_next->authkey = esp_dst_keymat + key_len;
said_next->encalg = ei->encryptalg;
- /* said_next->enckeylen = ei->enckeylen; */
said_next->enckeylen = key_len;
said_next->enckey = esp_dst_keymat;
said_next->encapsulation = encapsulation;
@@ -1945,10 +1959,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
said_next->text_said = text_said;
if (!kernel_ops->add_sa(said_next, replace))
+ {
goto fail;
-
+ }
said_next++;
-
encapsulation = ENCAPSULATION_MODE_TRANSPORT;
}
@@ -1963,29 +1977,27 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
switch (st->st_ah.attrs.auth)
{
- case AUTH_ALGORITHM_HMAC_MD5:
- authalg = SADB_AALG_MD5HMAC;
- break;
-
- case AUTH_ALGORITHM_HMAC_SHA1:
- authalg = SADB_AALG_SHA1HMAC;
- break;
-
- default:
- loglog(RC_LOG_SERIOUS, "%s not implemented yet"
- , enum_show(&auth_alg_names, st->st_ah.attrs.auth));
+ case AUTH_ALGORITHM_HMAC_MD5:
+ authalg = SADB_AALG_MD5HMAC;
+ break;
+ case AUTH_ALGORITHM_HMAC_SHA1:
+ authalg = SADB_AALG_SHA1HMAC;
+ break;
+ default:
+ loglog(RC_LOG_SERIOUS, "%s not implemented yet",
+ enum_show(&auth_alg_names, st->st_ah.attrs.auth));
goto fail;
}
set_text_said(text_said, &dst.addr, ah_spi, SA_AH);
-
said_next->src = &src.addr;
said_next->dst = &dst.addr;
said_next->src_client = &src_client;
said_next->dst_client = &dst_client;
said_next->spi = ah_spi;
said_next->satype = SADB_SATYPE_AH;
- said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ? REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
+ said_next->replay_window = (kernel_ops->type == KERNEL_TYPE_KLIPS) ?
+ REPLAY_WINDOW : REPLAY_WINDOW_XFRM;
said_next->authalg = authalg;
said_next->authkeylen = st->st_ah.keymat_len;
said_next->authkey = ah_dst_keymat;
@@ -1994,10 +2006,10 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
said_next->text_said = text_said;
if (!kernel_ops->add_sa(said_next, replace))
+ {
goto fail;
-
+ }
said_next++;
-
encapsulation = ENCAPSULATION_MODE_TRANSPORT;
}
@@ -2093,7 +2105,9 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
s[1].text_said = text_said1;
if (!kernel_ops->grp_sa(s + 1, s))
+ {
goto fail;
+ }
}
/* could update said, but it will not be used */
}
@@ -2104,8 +2118,10 @@ fail:
{
/* undo the done SPIs */
while (said_next-- != said)
- (void) del_spi(said_next->spi, said_next->proto
- , &src.addr, said_next->dst);
+ {
+ (void) del_spi(said_next->spi, said_next->proto, &src.addr,
+ said_next->dst);
+ }
return FALSE;
}
}
@@ -2216,8 +2232,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
*use_time = UNDEFINED_TIME;
if (kernel_ops->get_sa == NULL || !st->st_esp.present)
+ {
return FALSE;
-
+ }
memset(&sa, 0, sizeof(sa));
sa.proto = SA_ESP;
@@ -2241,7 +2258,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
DBG_log("get %s", text_said)
)
if (!kernel_ops->get_sa(&sa, bytes))
+ {
return FALSE;
+ }
DBG(DBG_KLIPS,
DBG_log(" current: %d bytes", *bytes)
)
@@ -2266,7 +2285,9 @@ bool get_sa_info(struct state *st, bool inbound, u_int *bytes, time_t *use_time)
sa.dst_client = &c->spd.that.client;
}
if (!kernel_ops->get_policy(&sa, inbound, use_time))
+ {
return FALSE;
+ }
DBG(DBG_KLIPS,
DBG_log(" use_time: %T", use_time, FALSE)
)
@@ -2349,15 +2370,21 @@ bool install_inbound_ipsec_sa(struct state *st)
struct connection *o = route_owner(c, &esr, NULL, NULL);
if (o == NULL)
+ {
break; /* nobody has a route */
+ }
/* note: we ignore the client addresses at this end */
- if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr)
- && o->interface == c->interface)
+ if (sameaddr(&o->spd.that.host_addr, &c->spd.that.host_addr) &&
+ o->interface == c->interface)
+ {
break; /* existing route is compatible */
+ }
if (o->kind == CK_TEMPLATE && streq(o->name, c->name))
+ {
break; /* ??? is this good enough?? */
+ }
loglog(RC_LOG_SERIOUS, "route to peer's client conflicts with \"%s\" %s; releasing old connection to free the route"
, o->name, ip_str(&o->spd.that.host_addr));
@@ -2369,12 +2396,11 @@ bool install_inbound_ipsec_sa(struct state *st)
/* check that we will be able to route and eroute */
switch (could_route(c))
{
- case route_easy:
- case route_nearconflict:
- break;
-
- default:
- return FALSE;
+ case route_easy:
+ case route_nearconflict:
+ break;
+ default:
+ return FALSE;
}
#ifdef KLIPS
@@ -2471,10 +2497,14 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
/* if no state provided, then install a shunt for later */
if (st == NULL)
+ {
eroute_installed = shunt_eroute(c, sr, RT_ROUTED_PROSPECTIVE
, ERO_ADD, "add");
+ }
else
+ {
eroute_installed = sag_eroute(st, sr, ERO_ADD, "add");
+ }
}
/* notify the firewall of a new tunnel */
@@ -2507,8 +2537,7 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
(void) do_command(c, sr, "prepare"); /* just in case; ignore failure */
route_installed = do_command(c, sr, "route");
}
- else if (routed(sr->routing)
- || routes_agree(ro, c))
+ else if (routed(sr->routing) || routes_agree(ro, c))
{
route_installed = TRUE; /* nothing to be done */
}
@@ -2658,11 +2687,13 @@ bool route_and_eroute(struct connection *c USED_BY_KLIPS,
{
/* there was no previous eroute: delete whatever we installed */
if (st == NULL)
- (void) shunt_eroute(c, sr
- , sr->routing, ERO_DELETE, "delete");
+ {
+ (void) shunt_eroute(c, sr, sr->routing, ERO_DELETE, "delete");
+ }
else
- (void) sag_eroute(st, sr
- , ERO_DELETE, "delete");
+ {
+ (void) sag_eroute(st, sr, ERO_DELETE, "delete");
+ }
}
}
@@ -2685,18 +2716,19 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
switch (could_route(st->st_connection))
{
- case route_easy:
- case route_nearconflict:
- break;
-
- default:
- return FALSE;
+ case route_easy:
+ case route_nearconflict:
+ break;
+ default:
+ return FALSE;
}
/* (attempt to) actually set up the SA group */
- if ((inbound_also && !setup_half_ipsec_sa(st, TRUE))
- || !setup_half_ipsec_sa(st, FALSE))
+ if ((inbound_also && !setup_half_ipsec_sa(st, TRUE)) ||
+ !setup_half_ipsec_sa(st, FALSE))
+ {
return FALSE;
+ }
for (sr = &st->st_connection->spd; sr != NULL; sr = sr->next)
{
@@ -2730,12 +2762,11 @@ bool install_ipsec_sa(struct state *st, bool inbound_also USED_BY_KLIPS)
switch (could_route(st->st_connection))
{
- case route_easy:
- case route_nearconflict:
- break;
-
- default:
- return FALSE;
+ case route_easy:
+ case route_nearconflict:
+ break;
+ default:
+ return FALSE;
}
@@ -2778,8 +2809,7 @@ void delete_ipsec_sa(struct state *st USED_BY_KLIPS,
? RT_ROUTED_PROSPECTIVE : RT_ROUTED_FAILURE;
(void) do_command(c, sr, "down");
- if ((c->policy & POLICY_DONT_REKEY)
- && c->kind == CK_INSTANCE)
+ if ((c->policy & POLICY_DONT_REKEY) && c->kind == CK_INSTANCE)
{
/* in this special case, even if the connection
* is still alive (due to an ISAKMP SA),
@@ -2888,8 +2918,7 @@ bool was_eroute_idle(struct state *st, time_t idle_max, time_t *idle_time)
/* Can't open the file, perhaps were are on 26sec? */
time_t use_time;
- if (get_sa_info(st, TRUE, &bytes, &use_time)
- && use_time != UNDEFINED_TIME)
+ if (get_sa_info(st, TRUE, &bytes, &use_time) && use_time != UNDEFINED_TIME)
{
*idle_time = time(NULL) - use_time;
ret = *idle_time >= idle_max;
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 1590bdf02..7e7d25872 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -341,7 +341,7 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
sadb.msg++;
- while(msglen)
+ while (msglen)
{
int supp_exttype = sadb.supported->sadb_supported_exttype;
int supp_len = sadb.supported->sadb_supported_len*IPSEC_PFKEYv2_ALIGN;
@@ -361,14 +361,14 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
supp_len;
supp_len -= sizeof(struct sadb_alg), sadb.alg++,i++)
{
- int ret = kernel_alg_add(satype, supp_exttype, sadb.alg);
+ kernel_alg_add(satype, supp_exttype, sadb.alg);
DBG(DBG_KLIPS,
DBG_log("kernel_alg_register_pfkey(): SADB_SATYPE_%s: "
"alg[%d], exttype=%d, satype=%d, alg_id=%d, "
"alg_ivlen=%d, alg_minbits=%d, alg_maxbits=%d, "
- "res=%d, ret=%d"
- , satype==SADB_SATYPE_ESP? "ESP" : "AH"
+ "res=%d"
+ , satype == SADB_SATYPE_ESP? "ESP" : "AH"
, i
, supp_exttype
, satype
@@ -376,9 +376,25 @@ void kernel_alg_register_pfkey(const struct sadb_msg *msg_buf, int buflen)
, sadb.alg->sadb_alg_ivlen
, sadb.alg->sadb_alg_minbits
, sadb.alg->sadb_alg_maxbits
- , sadb.alg->sadb_alg_reserved
- , ret)
+ , sadb.alg->sadb_alg_reserved)
)
+ /* if AES_CBC is registered then also register AES_CCM and AES_GCM */
+ if (satype == SADB_SATYPE_ESP &&
+ sadb.alg->sadb_alg_id == SADB_X_EALG_AESCBC)
+ {
+ struct sadb_alg alg = *sadb.alg;
+ int alg_id;
+
+ for (alg_id = SADB_X_EALG_AES_CCM_ICV8;
+ alg_id <= SADB_X_EALG_AES_GCM_ICV16; alg_id++)
+ {
+ if (alg_id != ESP_UNASSIGNED_17)
+ {
+ alg.sadb_alg_id = alg_id;
+ kernel_alg_add(satype, supp_exttype, &alg);
+ }
+ }
+ }
}
}
}
@@ -388,8 +404,9 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
u_int keylen = 0;
if (!ESP_EALG_PRESENT(alg_id))
+ {
goto none;
-
+ }
keylen = esp_ealg[alg_id].sadb_alg_maxbits/BITS_PER_BYTE;
switch (alg_id)
@@ -407,8 +424,7 @@ u_int kernel_alg_esp_enc_keylen(u_int alg_id)
none:
DBG(DBG_KLIPS,
- DBG_log("kernel_alg_esp_enc_keylen():"
- "alg_id=%d, keylen=%d",
+ DBG_log("kernel_alg_esp_enc_keylen(): alg_id=%d, keylen=%d",
alg_id, keylen)
)
return keylen;
@@ -515,7 +531,7 @@ void kernel_alg_show_connection(struct connection *c, const char *instance)
}
bool kernel_alg_esp_auth_ok(u_int auth,
- struct alg_info_esp *alg_info __attribute__((unused)))
+ struct alg_info_esp *alg_info __attribute__((unused)))
{
return ESP_AALG_PRESENT(alg_info_esp_aa2sadb(auth));
}
@@ -619,14 +635,15 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
return FALSE;
}
- if (!(policy & POLICY_AUTHENTICATE)) /* skip ESP auth attrs for AH */
+ if (!(policy & POLICY_AUTHENTICATE) && /* skip ESP auth attrs for AH */
+ esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
{
aalg_id = alg_info_esp_aa2sadb(esp_info->esp_aalg_id);
if (!ESP_AALG_PRESENT(aalg_id))
{
- DBG_log("kernel_alg_db_add() kernel auth "
- "aalg_id=%d not present", aalg_id);
+ DBG_log("kernel_alg_db_add() kernel auth aalg_id=%d not present",
+ aalg_id);
return FALSE;
}
}
@@ -637,13 +654,18 @@ static bool kernel_alg_db_add(struct db_context *db_ctx,
/* open new transformation */
db_trans_add(db_ctx, ealg_id);
- /* add ESP auth attr */
- if (!(policy & POLICY_AUTHENTICATE))
+ /* add ESP auth attr if not AH or AEAD */
+ if (!(policy & POLICY_AUTHENTICATE) &&
+ esp_info->esp_aalg_id != AUTH_ALGORITHM_NONE)
+ {
db_attr_add_values(db_ctx, AUTH_ALGORITHM, esp_info->esp_aalg_id);
+ }
- /* add keylegth if specified in esp= string */
+ /* add keylength if specified in esp= string */
if (esp_info->esp_ealg_keylen)
+ {
db_attr_add_values(db_ctx, KEY_LENGTH, esp_info->esp_ealg_keylen);
+ }
return TRUE;
}
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index b4b4774c7..0376e817b 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -49,69 +49,76 @@ static int netlink_bcast_fd = NULL_FD;
#define NE(x) { x, #x } /* Name Entry -- shorthand for sparse_names */
static sparse_names xfrm_type_names = {
- NE(NLMSG_NOOP),
- NE(NLMSG_ERROR),
- NE(NLMSG_DONE),
- NE(NLMSG_OVERRUN),
+ NE(NLMSG_NOOP),
+ NE(NLMSG_ERROR),
+ NE(NLMSG_DONE),
+ NE(NLMSG_OVERRUN),
- NE(XFRM_MSG_NEWSA),
- NE(XFRM_MSG_DELSA),
- NE(XFRM_MSG_GETSA),
+ NE(XFRM_MSG_NEWSA),
+ NE(XFRM_MSG_DELSA),
+ NE(XFRM_MSG_GETSA),
- NE(XFRM_MSG_NEWPOLICY),
- NE(XFRM_MSG_DELPOLICY),
- NE(XFRM_MSG_GETPOLICY),
+ NE(XFRM_MSG_NEWPOLICY),
+ NE(XFRM_MSG_DELPOLICY),
+ NE(XFRM_MSG_GETPOLICY),
- NE(XFRM_MSG_ALLOCSPI),
- NE(XFRM_MSG_ACQUIRE),
- NE(XFRM_MSG_EXPIRE),
+ NE(XFRM_MSG_ALLOCSPI),
+ NE(XFRM_MSG_ACQUIRE),
+ NE(XFRM_MSG_EXPIRE),
- NE(XFRM_MSG_UPDPOLICY),
- NE(XFRM_MSG_UPDSA),
+ NE(XFRM_MSG_UPDPOLICY),
+ NE(XFRM_MSG_UPDSA),
- NE(XFRM_MSG_POLEXPIRE),
+ NE(XFRM_MSG_POLEXPIRE),
- NE(XFRM_MSG_MAX),
+ NE(XFRM_MSG_MAX),
- { 0, sparse_end }
+ { 0, sparse_end }
};
#undef NE
/* Authentication algorithms */
static sparse_names aalg_list = {
- { SADB_X_AALG_NULL, "digest_null" },
- { SADB_AALG_MD5HMAC, "md5" },
- { SADB_AALG_SHA1HMAC, "sha1" },
- { SADB_X_AALG_SHA2_256HMAC, "sha256" },
- { SADB_X_AALG_SHA2_384HMAC, "sha384" },
- { SADB_X_AALG_SHA2_512HMAC, "sha512" },
- { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
- { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
- { SADB_X_AALG_NULL, "null" },
- { 0, sparse_end }
+ { SADB_X_AALG_NULL, "digest_null" },
+ { SADB_AALG_MD5HMAC, "md5" },
+ { SADB_AALG_SHA1HMAC, "sha1" },
+ { SADB_X_AALG_SHA2_256HMAC, "sha256" },
+ { SADB_X_AALG_SHA2_384HMAC, "sha384" },
+ { SADB_X_AALG_SHA2_512HMAC, "sha512" },
+ { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
+ { SADB_X_AALG_AES_XCBC_MAC, "xcbc(aes)"},
+ { SADB_X_AALG_NULL, "null" },
+ { 0, sparse_end }
};
/* Encryption algorithms */
static sparse_names ealg_list = {
- { SADB_EALG_NULL, "cipher_null" },
- { SADB_EALG_DESCBC, "des" },
- { SADB_EALG_3DESCBC, "des3_ede" },
- { SADB_X_EALG_CASTCBC, "cast128" },
- { SADB_X_EALG_BLOWFISHCBC, "blowfish" },
- { SADB_X_EALG_AESCBC, "aes" },
- { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
- { SADB_X_EALG_SERPENTCBC, "serpent" },
- { SADB_X_EALG_TWOFISHCBC, "twofish" },
- { 0, sparse_end }
+ { SADB_EALG_NULL, "cipher_null" },
+ { SADB_EALG_DESCBC, "des" },
+ { SADB_EALG_3DESCBC, "des3_ede" },
+ { SADB_X_EALG_CASTCBC, "cast128" },
+ { SADB_X_EALG_BLOWFISHCBC, "blowfish" },
+ { SADB_X_EALG_AESCBC, "aes" },
+ { SADB_X_EALG_AESCTR, "rfc3686(ctr(aes))" },
+ { SADB_X_EALG_AES_CCM_ICV8, "rfc4309(ccm(aes))" },
+ { SADB_X_EALG_AES_CCM_ICV12, "rfc4309(ccm(aes))" },
+ { SADB_X_EALG_AES_CCM_ICV16, "rfc4309(ccm(aes))" },
+ { SADB_X_EALG_AES_GCM_ICV8, "rfc4106(gcm(aes))" },
+ { SADB_X_EALG_AES_GCM_ICV12, "rfc4106(gcm(aes))" },
+ { SADB_X_EALG_AES_GCM_ICV16, "rfc4106(gcm(aes))" },
+ { SADB_X_EALG_CAMELLIACBC, "cbc(camellia)" },
+ { SADB_X_EALG_SERPENTCBC, "serpent" },
+ { SADB_X_EALG_TWOFISHCBC, "twofish" },
+ { 0, sparse_end }
};
/* Compression algorithms */
static sparse_names calg_list = {
- { SADB_X_CALG_DEFLATE, "deflate" },
- { SADB_X_CALG_LZS, "lzs" },
- { SADB_X_CALG_LZJH, "lzjh" },
- { 0, sparse_end }
+ { SADB_X_CALG_DEFLATE, "deflate" },
+ { SADB_X_CALG_LZS, "lzs" },
+ { SADB_X_CALG_LZJH, "lzjh" },
+ { 0, sparse_end }
};
/** ip2xfrm - Take an IP address and convert to an xfrm.
@@ -119,8 +126,7 @@ static sparse_names calg_list = {
* @param addr ip_address
* @param xaddr xfrm_address_t - IPv[46] Address from addr is copied here.
*/
-static void
-ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
+static void ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
{
if (addr->u.v4.sin_family == AF_INET)
{
@@ -135,35 +141,41 @@ ip2xfrm(const ip_address *addr, xfrm_address_t *xaddr)
/** init_netlink - Initialize the netlink inferface. Opens the sockets and
* then binds to the broadcast socket.
*/
-static void
-init_netlink(void)
+static void init_netlink(void)
{
struct sockaddr_nl addr;
netlinkfd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
if (netlinkfd < 0)
+ {
exit_log_errno((e, "socket() in init_netlink()"));
-
+ }
if (fcntl(netlinkfd, F_SETFD, FD_CLOEXEC) != 0)
+ {
exit_log_errno((e, "fcntl(FD_CLOEXEC) in init_netlink()"));
-
+ }
netlink_bcast_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_XFRM);
if (netlink_bcast_fd < 0)
+ {
exit_log_errno((e, "socket() for bcast in init_netlink()"));
-
+ }
if (fcntl(netlink_bcast_fd, F_SETFD, FD_CLOEXEC) != 0)
+ {
exit_log_errno((e, "fcntl(FD_CLOEXEC) for bcast in init_netlink()"));
-
+ }
if (fcntl(netlink_bcast_fd, F_SETFL, O_NONBLOCK) != 0)
+ {
exit_log_errno((e, "fcntl(O_NONBLOCK) for bcast in init_netlink()"));
-
+ }
addr.nl_family = AF_NETLINK;
addr.nl_pid = getpid();
addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE;
if (bind(netlink_bcast_fd, (struct sockaddr *)&addr, sizeof(addr)) != 0)
+ {
exit_log_errno((e, "Failed to bind bcast socket in init_netlink()"));
+ }
}
/** send_netlink_msg
@@ -176,9 +188,9 @@ init_netlink(void)
* @param text_said - String
* @return bool True if the message was succesfully sent.
*/
-static bool
-send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
-, const char *description, const char *text_said)
+static bool send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf,
+ size_t rbuf_len, const char *description,
+ const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -200,7 +212,9 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
len = hdr->nlmsg_len;
do {
r = write(netlinkfd, hdr, len);
- } while (r < 0 && errno == EINTR);
+ }
+ while (r < 0 && errno == EINTR);
+
if (r < 0)
{
log_errno((e
@@ -221,7 +235,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
return FALSE;
}
- for (;;) {
+ for (;;)
+ {
socklen_t alen;
alen = sizeof(addr);
@@ -322,8 +337,8 @@ send_netlink_msg(struct nlmsghdr *hdr, struct nlmsghdr *rbuf, size_t rbuf_len
* @param text_said - String
* @return boolean
*/
-static bool
-netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
+static bool netlink_policy(struct nlmsghdr *hdr, bool enoent_ok,
+ const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -372,18 +387,17 @@ netlink_policy(struct nlmsghdr *hdr, bool enoent_ok, const char *text_said)
* @param ip int
* @return boolean True if successful
*/
-static bool
-netlink_raw_eroute(const ip_address *this_host
- , const ip_subnet *this_client
- , const ip_address *that_host
- , const ip_subnet *that_client
- , ipsec_spi_t spi
- , unsigned int satype
- , unsigned int transport_proto
- , const struct pfkey_proto_info *proto_info
- , time_t use_lifetime UNUSED
- , unsigned int op
- , const char *text_said)
+static bool netlink_raw_eroute(const ip_address *this_host
+ , const ip_subnet *this_client
+ , const ip_address *that_host
+ , const ip_subnet *that_client
+ , ipsec_spi_t spi
+ , unsigned int satype
+ , unsigned int transport_proto
+ , const struct pfkey_proto_info *proto_info
+ , time_t use_lifetime UNUSED
+ , unsigned int op
+ , const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -568,8 +582,7 @@ netlink_raw_eroute(const ip_address *this_host
* @param replace boolean - true if this replaces an existing SA
* @return bool True if successfull
*/
-static bool
-netlink_add_sa(const struct kernel_sa *sa, bool replace)
+static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
{
struct {
struct nlmsghdr n;
@@ -577,6 +590,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
char data[1024];
} req;
struct rtattr *attr;
+ u_int16_t icv_size = 64;
memset(&req, 0, sizeof(req));
req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
@@ -606,11 +620,17 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
const char *name;
name = sparse_name(aalg_list, sa->authalg);
- if (!name) {
+ if (!name)
+ {
loglog(RC_LOG_SERIOUS, "unknown authentication algorithm: %u"
, sa->authalg);
return FALSE;
}
+ DBG(DBG_CRYPT,
+ DBG_log("configured authentication algorithm %s with key size %d",
+ enum_show(&auth_alg_names, sa->authalg),
+ sa->authkeylen * BITS_PER_BYTE)
+ )
strcpy(algo.alg_name, name);
algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
@@ -626,30 +646,78 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
attr = (struct rtattr *)((char *)attr + attr->rta_len);
}
- if (sa->encalg)
+ switch (sa->encalg)
{
- struct xfrm_algo algo;
- const char *name;
+ case SADB_EALG_NONE:
+ /* no encryption */
+ break;
+ case SADB_X_EALG_AES_CCM_ICV16:
+ case SADB_X_EALG_AES_GCM_ICV16:
+ icv_size += 32;
+ /* FALL */
+ case SADB_X_EALG_AES_CCM_ICV12:
+ case SADB_X_EALG_AES_GCM_ICV12:
+ icv_size += 32;
+ /* FALL */
+ case SADB_X_EALG_AES_CCM_ICV8:
+ case SADB_X_EALG_AES_GCM_ICV8:
+ {
+ struct xfrm_algo_aead *algo;
+ const char *name;
- name = sparse_name(ealg_list, sa->encalg);
- if (!name) {
- loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u"
- , sa->encalg);
- return FALSE;
+ name = sparse_name(ealg_list, sa->encalg);
+ if (!name)
+ {
+ loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
+ sa->encalg);
+ return FALSE;
+ }
+ DBG(DBG_CRYPT,
+ DBG_log("configured esp encryption algorithm %s with key size %d",
+ enum_show(&esp_transformid_names, sa->encalg),
+ sa->enckeylen * BITS_PER_BYTE)
+ )
+ attr->rta_type = XFRMA_ALG_AEAD;
+ attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo_aead) + sa->enckeylen);
+ req.n.nlmsg_len += attr->rta_len;
+
+ algo = (struct xfrm_algo_aead*)RTA_DATA(attr);
+ algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+ algo->alg_icv_len = icv_size;
+ strcpy(algo->alg_name, name);
+ memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
+
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ break;
}
+ default:
+ {
+ struct xfrm_algo *algo;
+ const char *name;
- strcpy(algo.alg_name, name);
- algo.alg_key_len = sa->enckeylen * BITS_PER_BYTE;
-
- attr->rta_type = XFRMA_ALG_CRYPT;
- attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->enckeylen);
-
- memcpy(RTA_DATA(attr), &algo, sizeof(algo));
- memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->enckey
- , sa->enckeylen);
-
- req.n.nlmsg_len += attr->rta_len;
- attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ name = sparse_name(ealg_list, sa->encalg);
+ if (!name)
+ {
+ loglog(RC_LOG_SERIOUS, "unknown encryption algorithm: %u",
+ sa->encalg);
+ return FALSE;
+ }
+ DBG(DBG_CRYPT,
+ DBG_log("configured esp encryption algorithm %s with key size %d",
+ enum_show(&esp_transformid_names, sa->encalg),
+ sa->enckeylen * BITS_PER_BYTE)
+ )
+ attr->rta_type = XFRMA_ALG_CRYPT;
+ attr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + sa->enckeylen);
+ req.n.nlmsg_len += attr->rta_len;
+
+ algo = (struct xfrm_algo*)RTA_DATA(attr);
+ algo->alg_key_len = sa->enckeylen * BITS_PER_BYTE;
+ strcpy(algo->alg_name, name);
+ memcpy(algo->alg_key, sa->enckey, sa->enckeylen);
+
+ attr = (struct rtattr *)((char *)attr + attr->rta_len);
+ }
}
if (sa->compalg)
@@ -658,7 +726,8 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
const char *name;
name = sparse_name(calg_list, sa->compalg);
- if (!name) {
+ if (!name)
+ {
loglog(RC_LOG_SERIOUS, "unknown compression algorithm: %u"
, sa->compalg);
return FALSE;
@@ -702,8 +771,7 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
* @param sa Kernel SA to be deleted
* @return bool True if successfull
*/
-static bool
-netlink_del_sa(const struct kernel_sa *sa)
+static bool netlink_del_sa(const struct kernel_sa *sa)
{
struct {
struct nlmsghdr n;
@@ -726,9 +794,8 @@ netlink_del_sa(const struct kernel_sa *sa)
return send_netlink_msg(&req.n, NULL, 0, "Del SA", sa->text_said);
}
-static bool
-netlink_error(const char *req_type, const struct nlmsghdr *n
-, const struct nlmsgerr *e, int rsp_size)
+static bool netlink_error(const char *req_type, const struct nlmsghdr *n,
+ const struct nlmsgerr *e, int rsp_size)
{
if (n->nlmsg_type == NLMSG_ERROR)
{
@@ -751,8 +818,8 @@ netlink_error(const char *req_type, const struct nlmsghdr *n
return FALSE;
}
-static bool
-netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
+static bool netlink_get_policy(const struct kernel_sa *sa, bool inbound,
+ time_t *use_time)
{
struct {
struct nlmsghdr n;
@@ -789,11 +856,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
req.id.dir = (inbound)? XFRM_POLICY_IN:XFRM_POLICY_OUT;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ {
return FALSE;
-
+ }
if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ {
return FALSE;
-
+ }
*use_time = (time_t)rsp.u.info.curlft.use_time;
if (inbound && sa->encapsulation == ENCAPSULATION_MODE_TUNNEL)
@@ -803,11 +872,13 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
req.id.dir = XFRM_POLICY_FWD;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ {
return FALSE;
-
+ }
if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ {
return FALSE;
-
+ }
use_time_fwd = (time_t)rsp.u.info.curlft.use_time;
*use_time = (*use_time > use_time_fwd)? *use_time : use_time_fwd;
}
@@ -820,8 +891,7 @@ netlink_get_policy(const struct kernel_sa *sa, bool inbound, time_t *use_time)
* @param sa Kernel SA to be queried
* @return bool True if successfull
*/
-static bool
-netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
+static bool netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
{
struct {
struct nlmsghdr n;
@@ -851,18 +921,18 @@ netlink_get_sa(const struct kernel_sa *sa, u_int *bytes)
rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SA", sa->text_said))
+ {
return FALSE;
-
+ }
if (netlink_error("XFRM_MSG_GETSA", &rsp.n, &rsp.u.e, sizeof(rsp.u.info)))
+ {
return FALSE;
-
+ }
*bytes = (u_int) rsp.u.info.curlft.bytes;
-
return TRUE;
}
-static void
-linux_pfkey_register_response(const struct sadb_msg *msg)
+static void linux_pfkey_register_response(const struct sadb_msg *msg)
{
switch (msg->sadb_msg_satype)
{
@@ -882,8 +952,7 @@ linux_pfkey_register_response(const struct sadb_msg *msg)
/** linux_pfkey_register - Register via PFKEY our capabilities
*
*/
-static void
-linux_pfkey_register(void)
+static void linux_pfkey_register(void)
{
pfkey_register_proto(SADB_SATYPE_AH, "AH");
pfkey_register_proto(SADB_SATYPE_ESP, "ESP");
@@ -898,8 +967,8 @@ linux_pfkey_register(void)
* @param dst ip_address formatted destination
* @return err_t NULL if okay, otherwise an error
*/
-static err_t
-xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
+static err_t xfrm_to_ip_address(unsigned family, const xfrm_address_t *src,
+ ip_address *dst)
{
switch (family)
{
@@ -922,10 +991,8 @@ xfrm_to_ip_address(unsigned family, const xfrm_address_t *src, ip_address *dst)
* @param dst ip_address formatted destination
* @return err_t NULL if okay, otherwise an error
*/
-static err_t
-xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
- , ip_address *src
- , ip_address *dst)
+static err_t xfrm_sel_to_ip_pair(const struct xfrm_selector *sel,
+ ip_address *src, ip_address *dst)
{
int family;
err_t ugh;
@@ -934,7 +1001,9 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
if ((ugh = xfrm_to_ip_address(family, &sel->saddr, src))
|| (ugh = xfrm_to_ip_address(family, &sel->daddr, dst)))
+ {
return ugh;
+ }
/* family has been verified in xfrm_to_ip_address. */
if (family == AF_INET)
@@ -951,8 +1020,7 @@ xfrm_sel_to_ip_pair(const struct xfrm_selector *sel
return NULL;
}
-static void
-netlink_acquire(struct nlmsghdr *n)
+static void netlink_acquire(struct nlmsghdr *n)
{
struct xfrm_user_acquire *acquire;
ip_address src, dst;
@@ -978,15 +1046,17 @@ netlink_acquire(struct nlmsghdr *n)
if (!(ugh = xfrm_sel_to_ip_pair(&acquire->sel, &src, &dst))
&& !(ugh = addrtosubnet(&src, &ours))
&& !(ugh = addrtosubnet(&dst, &his)))
+ {
record_and_initiate_opportunistic(&ours, &his, transport_proto
, "%acquire-netlink");
-
+ }
if (ugh != NULL)
+ {
plog("XFRM_MSG_ACQUIRE message from kernel malformed: %s", ugh);
+ }
}
-static void
-netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
+static void netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
{
ip_address src, dst;
unsigned transport_proto;
@@ -1004,8 +1074,7 @@ netlink_shunt_expire(struct xfrm_userpolicy_info *pol)
, "delete expired bare shunt");
}
-static void
-netlink_policy_expire(struct nlmsghdr *n)
+static void netlink_policy_expire(struct nlmsghdr *n)
{
struct xfrm_user_polexpire *upe;
struct {
@@ -1040,11 +1109,13 @@ netlink_policy_expire(struct nlmsghdr *n)
rsp.n.nlmsg_type = XFRM_MSG_NEWPOLICY;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get policy", "?"))
+ {
return;
-
+ }
if (netlink_error("XFRM_MSG_GETPOLICY", &rsp.n, &rsp.u.e, sizeof(rsp.u.pol)))
+ {
return;
-
+ }
if (req.id.index != rsp.u.pol.index)
{
DBG(DBG_KLIPS,
@@ -1072,8 +1143,7 @@ netlink_policy_expire(struct nlmsghdr *n)
}
}
-static bool
-netlink_get(void)
+static bool netlink_get(void)
{
struct {
struct nlmsghdr n;
@@ -1137,22 +1207,15 @@ netlink_get(void)
return TRUE;
}
-static void
-netlink_process_msg(void)
+static void netlink_process_msg(void)
{
- while (netlink_get())
- ;
+ while (netlink_get());
}
-static ipsec_spi_t
-netlink_get_spi(const ip_address *src
-, const ip_address *dst
-, int proto
-, bool tunnel_mode
-, unsigned reqid
-, ipsec_spi_t min
-, ipsec_spi_t max
-, const char *text_said)
+static ipsec_spi_t netlink_get_spi(const ip_address *src, const ip_address *dst,
+ int proto, bool tunnel_mode, unsigned reqid,
+ ipsec_spi_t min, ipsec_spi_t max,
+ const char *text_said)
{
struct {
struct nlmsghdr n;
@@ -1185,11 +1248,13 @@ netlink_get_spi(const ip_address *src
rsp.n.nlmsg_type = XFRM_MSG_NEWSA;
if (!send_netlink_msg(&req.n, &rsp.n, sizeof(rsp), "Get SPI", text_said))
+ {
return 0;
-
+ }
if (netlink_error("XFRM_MSG_ALLOCSPI", &rsp.n, &rsp.u.e, sizeof(rsp.u.sa)))
+ {
return 0;
-
+ }
DBG(DBG_KLIPS,
DBG_log("netlink_get_spi: allocated 0x%x for %s"
, ntohl(rsp.u.sa.id.spi), text_said));
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 6dfbd6732..516872e8e 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
@@ -1,5 +1,6 @@
/* mechanisms for preshared keys (public, private, and preshared secrets)
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -551,7 +552,7 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd)
}
*key = load_private_key(filename, &pass, type);
- return key ? NULL : "Private key file -- could not be loaded";
+ return *key ? NULL : "Private key file -- could not be loaded";
}
/**
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index 80164fa1d..8e428a759 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -1,6 +1,6 @@
/* Support of the Online Certificate Status Protocol (OCSP)
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
- * Zuercher Hochschule Winterthur
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/pem.c b/src/pluto/pem.c
index 646447c1a..1a4a99af7 100644
--- a/src/pluto/pem.c
+++ b/src/pluto/pem.c
@@ -1,5 +1,6 @@
/* Loading of PEM encoded files with optional encryption
* Copyright (C) 2001-2009 Andreas Steffen
+ *
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/pluto/pgpcert.c b/src/pluto/pgpcert.c
index 7fb8232d5..1d5b14b26 100644
--- a/src/pluto/pgpcert.c
+++ b/src/pluto/pgpcert.c
@@ -85,7 +85,7 @@ static u_char pgp_version(chunk_t *blob)
}
/**
- * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 2440
+ * Parse OpenPGP signature packet defined in section 5.2.2 of RFC 4880
*/
static bool parse_pgp_signature_packet(chunk_t *packet, pgpcert_t *cert)
{
@@ -171,8 +171,8 @@ static bool parse_pgp_pubkey_version_validity(chunk_t *packet, pgpcert_t *cert)
*/
static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
{
- pgp_pubkey_alg_t pubkey_alg;
- public_key_t *key;
+ chunk_t pubkey_packet = *packet;
+ pgp_pubkey_alg_t pubkey_alg;
if (!parse_pgp_pubkey_version_validity(packet, cert))
{
@@ -190,33 +190,51 @@ static bool parse_pgp_pubkey_packet(chunk_t *packet, pgpcert_t *cert)
{
case PGP_PUBKEY_ALG_RSA:
case PGP_PUBKEY_ALG_RSA_SIGN_ONLY:
- key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA,
- BUILD_BLOB_PGP, *packet,
- BUILD_END);
- if (key == NULL)
+ cert->public_key = lib->creds->create(lib->creds,
+ CRED_PUBLIC_KEY, KEY_RSA,
+ BUILD_BLOB_PGP, *packet,
+ BUILD_END);
+ if (cert->public_key == NULL)
{
return FALSE;
}
- cert->public_key = key;
-
- if (cert->version == 3)
- {
- cert->fingerprint = key->get_id(key, ID_KEY_ID);
- if (cert->fingerprint == NULL)
- {
- return FALSE;
- }
- }
- else
- {
- plog(" computation of V4 key ID not implemented yet");
- return FALSE;
- }
break;
default:
plog(" non RSA public keys not supported");
return FALSE;
}
+
+ /* compute V4 or V3 fingerprint according to section 12.2 of RFC 4880 */
+ if (cert->version == 4)
+ {
+ char pubkey_packet_header_buf[] = {
+ 0x99, pubkey_packet.len / 256, pubkey_packet.len % 256
+ };
+ chunk_t pubkey_packet_header = chunk_from_buf(pubkey_packet_header_buf);
+ chunk_t hash;
+ hasher_t *hasher;
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (hasher == NULL)
+ {
+ plog("no SHA-1 hasher available");
+ return FALSE;
+ }
+ hasher->allocate_hash(hasher, pubkey_packet_header, NULL);
+ hasher->allocate_hash(hasher, pubkey_packet, &hash);
+ hasher->destroy(hasher);
+ cert->fingerprint = identification_create_from_encoding(ID_KEY_ID, hash);
+ free(hash.ptr);
+ }
+ else
+ {
+ /* V3 fingerprint is computed by public_key_t class */
+ cert->fingerprint = cert->public_key->get_id(cert->public_key, ID_KEY_ID);
+ if (cert->fingerprint == NULL)
+ {
+ return FALSE;
+ }
+ }
return TRUE;
}
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index 39367cafa..5d0e008f3 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -43,11 +43,6 @@
#include <utils/enumerator.h>
#include <utils/optionsfrom.h>
-#ifdef INTEGRITY_TEST
-#include <fips/fips.h>
-#include <fips/fips_signature.h>
-#endif /* INTEGRITY_TEST */
-
#include <pfkeyv2.h>
#include <pfkey.h>
@@ -265,7 +260,18 @@ int main(int argc, char **argv)
#endif /* CAPABILITIES */
/* initialize library and optionsfrom */
- library_init(STRONGSWAN_CONF);
+ if (!library_init(STRONGSWAN_CONF))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
+ {
+ fprintf(stderr, "integrity check of pluto failed\n");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
options = options_create();
/* handle arguments */
@@ -637,31 +643,28 @@ int main(int argc, char **argv)
plog("Starting IKEv1 pluto daemon (strongSwan "VERSION")%s",
compile_time_interop_options);
+ if (lib->integrity)
+ {
+ plog("integrity tests enabled:");
+ plog("lib 'libstrongswan': passed file and segment integrity tests");
+ plog("daemon 'pluto': passed file integrity test");
+ }
+
/* load plugins, further infrastructure may need it */
lib->plugins->load(lib->plugins, IPSEC_PLUGINDIR,
lib->settings->get_str(lib->settings, "pluto.load", PLUGINS));
print_plugins();
-#ifdef INTEGRITY_TEST
- DBG1("integrity test of libstrongswan code");
- if (fips_verify_hmac_signature(hmac_key, hmac_signature))
- {
- DBG1(" integrity test passed");
- }
- else
+ if (!init_secret() || !init_crypto())
{
- DBG1(" integrity test failed");
- abort();
+ plog("initialization failed - aborting pluto");
+ exit_pluto(SS_RC_INITIALIZATION_FAILED);
}
-#endif /* INTEGRITY_TEST */
-
init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
init_virtual_ip(virtual_private);
scx_init(pkcs11_module_path, pkcs11_init_args);
xauth_init();
- init_secret();
init_states();
- init_crypto();
init_demux();
init_kernel();
init_adns();
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index b8f4a3c23..a86c9f215 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -473,14 +473,13 @@ out_sa(pb_stream *outs
if (!out_struct(&trans, trans_desc, &proposal_pbs, &trans_pbs))
return_on(ret, FALSE);
- /* Within tranform: Attributes. */
+ /* Within transform: Attributes. */
/* For Phase 2 / Quick Mode, GROUP_DESCRIPTION is
* automatically generated because it must be the same
* in every transform. Except IPCOMP.
*/
- if (p->protoid != PROTO_IPCOMP
- && st->st_pfs_group != NULL)
+ if (p->protoid != PROTO_IPCOMP && st->st_pfs_group != NULL)
{
passert(!oakley_mode);
passert(st->st_pfs_group != &unset_group);
@@ -582,8 +581,7 @@ return_out:
* The code is can only handle values that can fit in unsigned long.
* "Clamping" is probably an acceptable way to impose this limitation.
*/
-static u_int32_t
-decode_long_duration(pb_stream *pbs)
+static u_int32_t decode_long_duration(pb_stream *pbs)
{
u_int32_t val = 0;
@@ -631,8 +629,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
/* Situation */
if (!in_struct(ipsecdoisit, &ipsec_sit_desc, sa_pbs, NULL))
+ {
return SITUATION_NOT_SUPPORTED;
-
+ }
if (*ipsecdoisit != SIT_IDENTITY_ONLY)
{
loglog(RC_LOG_SERIOUS, "unsupported IPsec DOI situation (%s)"
@@ -647,8 +646,9 @@ preparse_isakmp_sa_body(const struct isakmp_sa *sa
* There may well be multiple transforms.
*/
if (!in_struct(proposal, &isakmp_proposal_desc, sa_pbs, proposal_pbs))
+ {
return PAYLOAD_MALFORMED;
-
+ }
if (proposal->isap_np != ISAKMP_NEXT_NONE)
{
loglog(RC_LOG_SERIOUS, "Proposal Payload must be alone in Oakley SA; found %s following Proposal"
@@ -711,35 +711,31 @@ static struct {
u_int8_t *roof;
} backup;
-/*
- * backup the pointer into a pb_stream
+/**
+ * Backup the pointer into a pb_stream
*/
-void
-backup_pbs(pb_stream *pbs)
+void backup_pbs(pb_stream *pbs)
{
backup.start = pbs->start;
backup.cur = pbs->cur;
backup.roof = pbs->roof;
}
-/*
- * restore the pointer into a pb_stream
+/**
+ * Restore the pointer into a pb_stream
*/
-void
-restore_pbs(pb_stream *pbs)
+void restore_pbs(pb_stream *pbs)
{
pbs->start = backup.start;
pbs->cur = backup.cur;
pbs->roof = backup.roof;
}
-/*
+/**
* Parse an ISAKMP Proposal Payload for RSA and PSK authentication policies
*/
-notification_t
-parse_isakmp_policy(pb_stream *proposal_pbs
- , u_int notrans
- , lset_t *policy)
+notification_t parse_isakmp_policy(pb_stream *proposal_pbs, u_int notrans,
+ lset_t *policy)
{
int last_transnum = -1;
@@ -753,8 +749,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs
struct isakmp_transform trans;
if (!in_struct(&trans, &isakmp_isakmp_transform_desc, proposal_pbs, &trans_pbs))
+ {
return BAD_PROPOSAL_SYNTAX;
-
+ }
if (trans.isat_transnum <= last_transnum)
{
/* picky, picky, picky */
@@ -781,8 +778,9 @@ parse_isakmp_policy(pb_stream *proposal_pbs
pb_stream attr_pbs;
if (!in_struct(&a, &isakmp_oakley_attribute_desc, &trans_pbs, &attr_pbs))
+ {
return BAD_PROPOSAL_SYNTAX;
-
+ }
passert((a.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK) < 32);
switch (a.isaat_af_type)
@@ -827,11 +825,10 @@ parse_isakmp_policy(pb_stream *proposal_pbs
return NOTHING_WRONG;
}
-/*
- * check that we can find a preshared secret
+/**
+ * Check that we can find a preshared secret
*/
-static err_t
-find_preshared_key(struct state* st)
+static err_t find_preshared_key(struct state* st)
{
err_t ugh = NULL;
struct connection *c = st->st_connection;
@@ -842,9 +839,13 @@ find_preshared_key(struct state* st)
idtoa(&c->spd.this.id, my_id, sizeof(my_id));
if (his_id_was_instantiated(c))
+ {
strcpy(his_id, "%any");
+ }
else
+ {
idtoa(&c->spd.that.id, his_id, sizeof(his_id));
+ }
ugh = builddiag("Can't authenticate: no preshared key found for `%s' and `%s'"
, my_id, his_id);
}
@@ -860,13 +861,12 @@ find_preshared_key(struct state* st)
*
* This routine is used by main_inI1_outR1() and main_inR1_outI2().
*/
-notification_t
-parse_isakmp_sa_body(u_int32_t ipsecdoisit
- , pb_stream *proposal_pbs
- , struct isakmp_proposal *proposal
- , pb_stream *r_sa_pbs
- , struct state *st
- , bool initiator)
+notification_t parse_isakmp_sa_body(u_int32_t ipsecdoisit,
+ pb_stream *proposal_pbs,
+ struct isakmp_proposal *proposal,
+ pb_stream *r_sa_pbs,
+ struct state *st,
+ bool initiator)
{
struct connection *c = st->st_connection;
unsigned no_trans_left;
@@ -1326,17 +1326,14 @@ static const struct ipsec_trans_attrs null_ipsec_trans_attrs = {
0, /* key_rounds */
};
-static bool
-parse_ipsec_transform(struct isakmp_transform *trans
-, struct ipsec_trans_attrs *attrs
-, pb_stream *prop_pbs
-, pb_stream *trans_pbs
-, struct_desc *trans_desc
-, int previous_transnum /* or -1 if none */
-, bool selection
-, bool is_last
-, bool is_ipcomp
-, struct state *st) /* current state object */
+static bool parse_ipsec_transform(struct isakmp_transform *trans,
+ struct ipsec_trans_attrs *attrs,
+ pb_stream *prop_pbs,
+ pb_stream *trans_pbs,
+ struct_desc *trans_desc,
+ int previous_transnum, /* or -1 if none */
+ bool selection, bool is_last, bool is_ipcomp,
+ struct state *st) /* current state object */
{
lset_t seen_attrs = 0;
lset_t seen_durations = 0;
@@ -1344,8 +1341,9 @@ parse_ipsec_transform(struct isakmp_transform *trans
const struct dh_desc *pfs_group = NULL;
if (!in_struct(trans, trans_desc, prop_pbs, trans_pbs))
+ {
return FALSE;
-
+ }
if (trans->isat_transnum <= previous_transnum)
{
loglog(RC_LOG_SERIOUS, "Transform Numbers in Proposal are not monotonically increasing");
diff --git a/src/pluto/state.c b/src/pluto/state.c
index 6ce0d50e5..5bef36c5c 100644
--- a/src/pluto/state.c
+++ b/src/pluto/state.c
@@ -1,6 +1,7 @@
/* routines for state objects
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/pluto/timer.c b/src/pluto/timer.c
index ecbee740f..89082f88e 100644
--- a/src/pluto/timer.c
+++ b/src/pluto/timer.c
@@ -1,6 +1,7 @@
/* timer event handling
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
+ * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -139,14 +140,21 @@ void event_schedule(enum event_type type, time_t tm, struct state *st)
* Generate the secret value for responder cookies, and
* schedule an event for refresh.
*/
-void init_secret(void)
+bool init_secret(void)
{
rng_t *rng;
rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+
+ if (rng == NULL)
+ {
+ plog("secret initialization failed, no RNG supported");
+ return FALSE;
+ }
rng->get_bytes(rng, sizeof(secret_of_the_day), secret_of_the_day);
rng->destroy(rng);
event_schedule(EVENT_REINIT_SECRET, EVENT_REINIT_SECRET_DELAY, NULL);
+ return true;
}
/**
diff --git a/src/pluto/timer.h b/src/pluto/timer.h
index 322aeba6a..c8e9b727c 100644
--- a/src/pluto/timer.h
+++ b/src/pluto/timer.h
@@ -31,4 +31,4 @@ extern void delete_event(struct state *st);
extern void delete_dpd_event(struct state *st);
extern void daily_log_event(void);
extern void free_events(void);
-extern void init_secret(void);
+extern bool init_secret(void);
diff --git a/src/pluto/vendor.c b/src/pluto/vendor.c
index ff145eb38..a532e50f2 100644
--- a/src/pluto/vendor.c
+++ b/src/pluto/vendor.c
@@ -197,9 +197,13 @@ static struct vid_struct _vid_tab[] = {
/*
* strongSwan
*/
- DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.2")
+ DEC_MD5_VID(STRONGSWAN, "strongSwan 4.3.4")
+ DEC_MD5_VID(STRONGSWAN_4_3_3, "strongSwan 4.3.3")
+ DEC_MD5_VID(STRONGSWAN_4_3_2, "strongSwan 4.3.2")
DEC_MD5_VID(STRONGSWAN_4_3_1, "strongSwan 4.3.1")
DEC_MD5_VID(STRONGSWAN_4_3_0, "strongSwan 4.3.0")
+ DEC_MD5_VID(STRONGSWAN_4_2_17,"strongSwan 4.2.17")
+ DEC_MD5_VID(STRONGSWAN_4_2_16,"strongSwan 4.2.16")
DEC_MD5_VID(STRONGSWAN_4_2_15,"strongSwan 4.2.15")
DEC_MD5_VID(STRONGSWAN_4_2_14,"strongSwan 4.2.14")
DEC_MD5_VID(STRONGSWAN_4_2_13,"strongSwan 4.2.13")
@@ -237,6 +241,8 @@ static struct vid_struct _vid_tab[] = {
DEC_MD5_VID(STRONGSWAN_4_0_1, "strongSwan 4.0.1")
DEC_MD5_VID(STRONGSWAN_4_0_0, "strongSwan 4.0.0")
+ DEC_MD5_VID(STRONGSWAN_2_8_11,"strongSwan 2.8.11")
+ DEC_MD5_VID(STRONGSWAN_2_8_10,"strongSwan 2.8.10")
DEC_MD5_VID(STRONGSWAN_2_8_9, "strongSwan 2.8.9")
DEC_MD5_VID(STRONGSWAN_2_8_8, "strongSwan 2.8.8")
DEC_MD5_VID(STRONGSWAN_2_8_7, "strongSwan 2.8.7")
diff --git a/src/pluto/vendor.h b/src/pluto/vendor.h
index 164c1aa6d..8aa2f6348 100644
--- a/src/pluto/vendor.h
+++ b/src/pluto/vendor.h
@@ -92,6 +92,8 @@ enum known_vendorid {
VID_STRONGSWAN_2_8_7 = 73,
VID_STRONGSWAN_2_8_8 = 74,
VID_STRONGSWAN_2_8_9 = 75,
+ VID_STRONGSWAN_2_8_10 = 76,
+ VID_STRONGSWAN_2_8_11 = 77,
VID_STRONGSWAN_4_0_0 = 80,
VID_STRONGSWAN_4_0_1 = 81,
@@ -130,8 +132,12 @@ enum known_vendorid {
VID_STRONGSWAN_4_2_13 =113,
VID_STRONGSWAN_4_2_14 =114,
VID_STRONGSWAN_4_2_15 =115,
- VID_STRONGSWAN_4_3_0 =116,
- VID_STRONGSWAN_4_3_1 =117,
+ VID_STRONGSWAN_4_2_16 =116,
+ VID_STRONGSWAN_4_2_17 =117,
+ VID_STRONGSWAN_4_3_0 =118,
+ VID_STRONGSWAN_4_3_1 =119,
+ VID_STRONGSWAN_4_3_2 =120,
+ VID_STRONGSWAN_4_3_3 =121,
/* 101 - 200 : NAT-Traversal */
VID_NATT_STENBERG_01 =151,
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 3919583ef..72cefb3b6 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -79,12 +79,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -149,6 +151,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -189,7 +192,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
diff --git a/src/scepclient/loglite.c b/src/scepclient/loglite.c
index b14e72ecb..87041f114 100644
--- a/src/scepclient/loglite.c
+++ b/src/scepclient/loglite.c
@@ -68,21 +68,23 @@ static void scepclient_dbg(int level, char *fmt, ...)
if (level <= debug_level)
{
- va_start(args, fmt);
-
if (log_to_stderr)
{
if (level > 1)
{
fprintf(stderr, "| ");
}
+ va_start(args, fmt);
vfprintf(stderr, fmt, args);
+ va_end(args);
fprintf(stderr, "\n");
}
if (log_to_syslog)
{
/* write in memory buffer first */
+ va_start(args, fmt);
vsnprintf(buffer, sizeof(buffer), fmt, args);
+ va_end(args);
/* do a syslog with every line */
while (current)
@@ -96,7 +98,6 @@ static void scepclient_dbg(int level, char *fmt, ...)
current = next;
}
}
- va_end(args);
}
}
diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8
index d9bf8e4cc..4b5234da2 100644
--- a/src/scepclient/scepclient.8
+++ b/src/scepclient/scepclient.8
@@ -149,16 +149,22 @@ Change symmetric algorithm to use for encryption of certificate Request.
The default is \fB3des\-cbc\fP.
.PP
Supported values for \fIalgo\fP:
-.IP "\fBdes\-cbc\fP" 12
-DES CBC encryption (key size = 56 bit).
-.IP "\fB3des\-cbc\fP" 12
+.IP "\fBdes\fP" 12
+DES-CBC encryption (key size = 56 bit).
+.IP "\fB3des\fP" 12
Triple DES-EDE-CBC encryption (key size = 168 bit).
-.IP "\fBaes128\-cbc\fP" 12
+.IP "\fBaes128\fP" 12
AES-CBC encryption (key size = 128 bit).
-.IP "\fBaes192\-cbc\fP" 12
+.IP "\fBaes192\fP" 12
AES-CBC encryption (key size = 192 bit).
-.IP "\fBaes256\-cbc\fP" 12
+.IP "\fBaes256\fP" 12
AES-CBC encryption (key size = 256 bit).
+.IP "\fBcamellia128\fP" 12
+Camellia-CBC encryption (key size = 128 bit).
+.IP "\fBcamellia192\fP" 12
+Camelllia-CBC encryption (key size = 192 bit).
+.IP "\fBcamellia256\fP" 12
+Camellia-CBC encryption (key size = 256 bit).
.RE
.PP
.B \-o, \-\-out \fItype\fP[=\fIfilename\fP]
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 0e7ae3e40..6c0166d66 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -41,6 +41,8 @@
#include <asn1/oid.h>
#include <utils/optionsfrom.h>
#include <utils/enumerator.h>
+#include <crypto/crypters/crypter.h>
+#include <crypto/proposal/proposal_keywords.h>
#include <credentials/keys/private_key.h>
#include <credentials/keys/public_key.h>
@@ -246,9 +248,8 @@ usage(const char *message)
" --password (-p) <pw> challenge password\n"
" - if pw is '%%prompt', password gets prompted for\n"
" --algorithm (-a) <algo> use specified algorithm for PKCS#7 encryption\n"
- " <algo> = des-cbc | 3des-cbc (default) | \n"
- " aes128-cbc | aes192-cbc | aes256-cbc | \n"
- " camellia128-cbc | camellia192-cbc | camellia256-cbc\n"
+ " <algo> = des | 3des (default) | aes128| aes192 | \n"
+ " aes256 | camellia128 | camellia192 | camellia256\n"
"\n"
"Options for enrollment (cert):\n"
" --url (-u) <url> url of the SCEP server\n"
@@ -385,8 +386,21 @@ int main(int argc, char **argv)
scep_response = chunk_empty;
log_to_stderr = TRUE;
- /* initialize library and optionsfrom */
- library_init(STRONGSWAN_CONF);
+ /* initialize library */
+ if (!library_init(STRONGSWAN_CONF))
+ {
+ library_deinit();
+ exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
+ }
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "scepclient", argv[0]))
+ {
+ fprintf(stderr, "integrity check of scepclient failed\n");
+ library_deinit();
+ exit(SS_RC_DAEMON_INTEGRITY);
+ }
+
+ /* initialize optionsfrom */
options = options_create();
for (;;)
@@ -698,43 +712,22 @@ int main(int argc, char **argv)
continue;
case 'a': /*--algorithm */
- if (strcaseeq("des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_DES_CBC;
- }
- else if (strcaseeq("3des-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_3DES_EDE_CBC;
- }
- else if (strcaseeq("aes128-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_AES128_CBC;
- }
- else if (strcaseeq("aes192-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_AES192_CBC;
- }
- else if (strcaseeq("aes256-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_AES256_CBC;
- }
- else if (strcaseeq("camellia128-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_CAMELLIA128_CBC;
- }
- else if (strcaseeq("camellia192-cbc", optarg))
- {
- pkcs7_symmetric_cipher = OID_CAMELLIA192_CBC;
- }
- else if (strcaseeq("camellia256-cbc", optarg))
+ {
+ const proposal_token_t *token;
+
+ token = proposal_get_token(optarg, strlen(optarg));
+ if (token == NULL || token->type != ENCRYPTION_ALGORITHM)
{
- pkcs7_symmetric_cipher = OID_CAMELLIA256_CBC;
+ usage("invalid algorithm specified");
}
- else
+ pkcs7_symmetric_cipher = encryption_algorithm_to_oid(
+ token->algorithm, token->keysize);
+ if (pkcs7_symmetric_cipher == OID_UNKNOWN)
{
- usage("invalid encryption algorithm specified");
+ usage("unsupported encryption algorithm specified");
}
continue;
+ }
#ifdef DEBUG
case 'A': /* --debug-all */
base_debugging |= DBG_ALL;
diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am
index 439a7785a..3355b3afb 100644
--- a/src/starter/Makefile.am
+++ b/src/starter/Makefile.am
@@ -20,7 +20,7 @@ AM_CFLAGS = \
-DIPSEC_EAPDIR=\"${eapdir}\" \
-DDEBUG
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
dist_man_MANS = ipsec.conf.5 starter.8
MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -52,14 +52,14 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
install-exec-local :
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
- test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+ test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 4e6bffdeb..a839c20b1 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -55,9 +55,11 @@ am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \
starter.$(OBJEXT) exec.$(OBJEXT) invokecharon.$(OBJEXT) \
lex.yy.$(OBJEXT) loglite.$(OBJEXT) klips.$(OBJEXT)
starter_OBJECTS = $(am_starter_OBJECTS)
+am__DEPENDENCIES_1 =
starter_DEPENDENCIES = defs.o \
$(top_builddir)/src/libfreeswan/libfreeswan.a \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(am__DEPENDENCIES_1)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -80,12 +82,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -150,6 +154,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -190,7 +195,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -241,7 +248,7 @@ INCLUDES = \
AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" \
-DIPSEC_PIDDIR=\"${piddir}\" -DIPSEC_EAPDIR=\"${eapdir}\" \
-DDEBUG $(am__append_1) $(am__append_2)
-starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la
+starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf
dist_man_MANS = ipsec.conf.5 starter.8
MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c
@@ -653,16 +660,16 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h
$(COMPILE) -c -o $@ $(PLUTODIR)/defs.c
install-exec-local :
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
- test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
- test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuser} -g ${ipsecgroup} -m 644 ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true
+ test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true
+ test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/src/starter/args.c b/src/starter/args.c
index f9d1824d8..990d7588b 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -261,8 +261,7 @@ static const token_info_t token_info[] =
{ ARG_STR, offsetof(starter_end_t, iface), NULL }
};
-static void
-free_list(char **list)
+static void free_list(char **list)
{
char **s;
@@ -273,22 +272,25 @@ free_list(char **list)
free(list);
}
-char **
-new_list(char *value)
+char** new_list(char *value)
{
char *val, *b, *e, *end, **ret;
int count;
val = value ? clone_str(value) : NULL;
if (!val)
+ {
return NULL;
+ }
end = val + strlen(val);
for (b = val, count = 0; b < end;)
{
for (e = b; ((*e != ' ') && (*e != '\0')); e++);
*e = '\0';
if (e != b)
+ {
count++;
+ }
b = e + 1;
}
if (count == 0)
@@ -302,7 +304,9 @@ new_list(char *value)
{
for (e = b; (*e != '\0'); e++);
if (e != b)
+ {
ret[count++] = clone_str(b);
+ }
b = e + 1;
}
ret[count] = NULL;
@@ -314,9 +318,8 @@ new_list(char *value)
/*
* assigns an argument value to a struct field
*/
-bool
-assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
- , bool *assigned)
+bool assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base,
+ bool *assigned)
{
char *p = base + token_info[token].offset;
const char **list = token_info[token].list;
@@ -435,8 +438,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
/* time in seconds? */
if (*endptr == '\0' || (*endptr == 's' && endptr[1] == '\0'))
+ {
break;
-
+ }
if (endptr[1] == '\0')
{
if (*endptr == 'm') /* time in minutes? */
@@ -475,8 +479,9 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
/* free any existing list */
if (*listp != NULL)
+ {
free_list(*listp);
-
+ }
/* create a new list and assign values */
*listp = new_list(kw->value);
@@ -514,8 +519,7 @@ assign_arg(kw_token_t token, kw_token_t first, kw_list_t *kw, char *base
/*
* frees all dynamically allocated arguments in a struct
*/
-void
-free_args(kw_token_t first, kw_token_t last, char *base)
+void free_args(kw_token_t first, kw_token_t last, char *base)
{
kw_token_t token;
@@ -553,8 +557,7 @@ free_args(kw_token_t first, kw_token_t last, char *base)
/*
* clone all dynamically allocated arguments in a struct
*/
-void
-clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
+void clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
{
kw_token_t token;
@@ -570,22 +573,29 @@ clone_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
}
}
-static bool
-cmp_list(char **list1, char **list2)
+static bool cmp_list(char **list1, char **list2)
{
if ((list1 == NULL) && (list2 == NULL))
+ {
return TRUE;
+ }
if ((list1 == NULL) || (list2 == NULL))
+ {
return FALSE;
+ }
for ( ; *list1 && *list2; list1++, list2++)
{
if (strcmp(*list1,*list2) != 0)
+ {
return FALSE;
+ }
}
if ((*list1 != NULL) || (*list2 != NULL))
+ {
return FALSE;
+ }
return TRUE;
}
@@ -593,8 +603,7 @@ cmp_list(char **list1, char **list2)
/*
* compare all arguments in a struct
*/
-bool
-cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
+bool cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
{
kw_token_t token;
@@ -606,12 +615,25 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
switch (token_info[token].type)
{
case ARG_ENUM:
+ if (token_info[token].list == LST_bool)
+ {
+ bool *b1 = (bool *)p1;
+ bool *b2 = (bool *)p2;
+
+ if (*b1 != *b2)
+ {
+ return FALSE;
+ }
+ }
+ else
{
int *i1 = (int *)p1;
int *i2 = (int *)p2;
if (*i1 != *i2)
+ {
return FALSE;
+ }
}
break;
case ARG_UINT:
@@ -620,7 +642,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
u_int *u2 = (u_int *)p2;
if (*u1 != *u2)
+ {
return FALSE;
+ }
}
break;
case ARG_ULNG:
@@ -630,7 +654,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
unsigned long *l2 = (unsigned long *)p2;
if (*l1 != *l2)
+ {
return FALSE;
+ }
}
break;
case ARG_TIME:
@@ -639,7 +665,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
time_t *t2 = (time_t *)p2;
if (*t1 != *t2)
+ {
return FALSE;
+ }
}
break;
case ARG_STR:
@@ -648,9 +676,13 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
char **cp2 = (char **)p2;
if (*cp1 == NULL && *cp2 == NULL)
+ {
break;
+ }
if (*cp1 == NULL || *cp2 == NULL || strcmp(*cp1, *cp2) != 0)
+ {
return FALSE;
+ }
}
break;
case ARG_LST:
@@ -659,7 +691,9 @@ cmp_args(kw_token_t first, kw_token_t last, char *base1, char *base2)
char ***listp2 = (char ***)p2;
if (!cmp_list(*listp1, *listp2))
+ {
return FALSE;
+ }
}
break;
default:
diff --git a/src/starter/interfaces.c b/src/starter/interfaces.c
index 034eac317..3fff65be7 100644
--- a/src/starter/interfaces.c
+++ b/src/starter/interfaces.c
@@ -14,6 +14,10 @@
#include <sys/socket.h>
#include <sys/ioctl.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h>
+#endif
+
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
diff --git a/src/starter/invokecharon.c b/src/starter/invokecharon.c
index 804467cea..1eb2a0332 100644
--- a/src/starter/invokecharon.c
+++ b/src/starter/invokecharon.c
@@ -36,18 +36,28 @@
static int _charon_pid = 0;
static int _stop_requested;
-pid_t
-starter_charon_pid(void)
+pid_t starter_charon_pid(void)
{
return _charon_pid;
}
-void
-starter_charon_sigchild(pid_t pid)
+void starter_charon_sigchild(pid_t pid, int status)
{
- if (pid == _charon_pid)
+ if (pid == _charon_pid)
{
- _charon_pid = 0;
+ _charon_pid = 0;
+ if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
+ status == SS_RC_DAEMON_INTEGRITY)
+ {
+ plog("charon has quit: integrity test of %s failed",
+ (status == 64) ? "libstrongswan" : "charon");
+ _stop_requested = 1;
+ }
+ else if (status == SS_RC_INITIALIZATION_FAILED)
+ {
+ plog("charon has quit: initialization failed");
+ _stop_requested = 1;
+ }
if (!_stop_requested)
{
plog("charon has died -- restart scheduled (%dsec)"
@@ -58,8 +68,7 @@ starter_charon_sigchild(pid_t pid)
}
}
-int
-starter_stop_charon (void)
+int starter_stop_charon (void)
{
int i;
pid_t pid = _charon_pid;
@@ -106,8 +115,7 @@ starter_stop_charon (void)
}
-int
-starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
+int starter_start_charon (starter_config_t *cfg, bool no_fork, bool attach_gdb)
{
struct stat stb;
int pid, i;
diff --git a/src/starter/invokecharon.h b/src/starter/invokecharon.h
index f0f470a8d..aaf913c9b 100644
--- a/src/starter/invokecharon.h
+++ b/src/starter/invokecharon.h
@@ -20,7 +20,7 @@
#define CHARON_RESTART_DELAY 5
-extern void starter_charon_sigchild (pid_t pid);
+extern void starter_charon_sigchild (pid_t pid, int status);
extern pid_t starter_charon_pid (void);
extern int starter_stop_charon (void);
extern int starter_start_charon(struct starter_config *cfg, bool no_fork, bool attach_gdb);
diff --git a/src/starter/invokepluto.c b/src/starter/invokepluto.c
index 28bd93c5d..08fb0657a 100644
--- a/src/starter/invokepluto.c
+++ b/src/starter/invokepluto.c
@@ -42,11 +42,23 @@ starter_pluto_pid(void)
}
void
-starter_pluto_sigchild(pid_t pid)
+starter_pluto_sigchild(pid_t pid, int status)
{
if (pid == _pluto_pid)
{
_pluto_pid = 0;
+ if (status == SS_RC_LIBSTRONGSWAN_INTEGRITY ||
+ status == SS_RC_DAEMON_INTEGRITY)
+ {
+ plog("pluto has quit: integrity test of %s failed",
+ (status == 64) ? "libstrongswan" : "pluto");
+ _stop_requested = 1;
+ }
+ else if (status == SS_RC_INITIALIZATION_FAILED)
+ {
+ plog("pluto has quit: initialization failed");
+ _stop_requested = 1;
+ }
if (!_stop_requested)
{
plog("pluto has died -- restart scheduled (%dsec)"
diff --git a/src/starter/invokepluto.h b/src/starter/invokepluto.h
index b0c89b1f1..c87f50c2a 100644
--- a/src/starter/invokepluto.h
+++ b/src/starter/invokepluto.h
@@ -17,7 +17,7 @@
#define PLUTO_RESTART_DELAY 5
-extern void starter_pluto_sigchild (pid_t pid);
+extern void starter_pluto_sigchild (pid_t pid, int status);
extern pid_t starter_pluto_pid (void);
extern int starter_stop_pluto (void);
extern int starter_start_pluto (struct starter_config *cfg, bool no_fork, bool attach_gdb);
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index ae9a6d15f..3a115d15d 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -122,11 +122,16 @@ typedef enum {
KW_HOSTACCESS,
KW_ALLOWANY,
KW_UPDOWN,
+ KW_AUTH1,
+ KW_AUTH2,
KW_ID,
+ KW_ID2,
KW_RSASIGKEY,
KW_CERT,
+ KW_CERT2,
KW_SENDCERT,
KW_CA,
+ KW_CA2,
KW_GROUPS,
KW_IFACE,
diff --git a/src/starter/loglite.c b/src/starter/loglite.c
index 415cf931c..c88b33bfd 100644
--- a/src/starter/loglite.c
+++ b/src/starter/loglite.c
@@ -33,6 +33,10 @@
#include <log.h>
#include <whack.h>
+#ifndef LOG_AUTHPRIV
+#define LOG_AUTHPRIV LOG_AUTH
+#endif
+
bool
log_to_stderr = FALSE, /* should log go to stderr? */
log_to_syslog = TRUE; /* should log go to syslog? */
diff --git a/src/starter/starter.c b/src/starter/starter.c
index 2d2f452b5..b675ccf1c 100644
--- a/src/starter/starter.c
+++ b/src/starter/starter.c
@@ -66,46 +66,66 @@
static unsigned int _action_ = 0;
-static void
-fsig(int signal)
+static void fsig(int signal)
{
switch (signal)
{
case SIGCHLD:
{
- int status;
+ int status, exit_status = 0;
pid_t pid;
char *name = NULL;
while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
{
if (pid == starter_pluto_pid())
+ {
name = " (Pluto)";
+ }
if (pid == starter_charon_pid())
+ {
name = " (Charon)";
+ }
if (WIFSIGNALED(status))
+ {
DBG(DBG_CONTROL,
DBG_log("child %d%s has been killed by sig %d\n",
pid, name?name:"", WTERMSIG(status))
)
+ }
else if (WIFSTOPPED(status))
+ {
DBG(DBG_CONTROL,
DBG_log("child %d%s has been stopped by sig %d\n",
pid, name?name:"", WSTOPSIG(status))
)
+ }
else if (WIFEXITED(status))
+ {
+ exit_status = WEXITSTATUS(status);
+ if (exit_status >= SS_RC_FIRST && exit_status <= SS_RC_LAST)
+ {
+ _action_ = FLAG_ACTION_QUIT;
+ }
DBG(DBG_CONTROL,
DBG_log("child %d%s has quit (exit code %d)\n",
- pid, name?name:"", WEXITSTATUS(status))
+ pid, name?name:"", exit_status)
)
+ }
else
+ {
DBG(DBG_CONTROL,
DBG_log("child %d%s has quit", pid, name?name:"")
)
+ }
if (pid == starter_pluto_pid())
- starter_pluto_sigchild(pid);
+ {
+ starter_pluto_sigchild(pid, exit_status);
+ }
if (pid == starter_charon_pid())
- starter_charon_sigchild(pid);
+ {
+ starter_charon_sigchild(pid, exit_status);
+ }
}
}
break;
@@ -196,8 +216,7 @@ static void generate_selfcert()
}
}
-static void
-usage(char *name)
+static void usage(char *name)
{
fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
"[--debug|--debug-more|--debug-all]\n");
@@ -392,9 +411,13 @@ int main (int argc, char **argv)
if (_action_ & FLAG_ACTION_QUIT)
{
if (starter_pluto_pid())
+ {
starter_stop_pluto();
+ }
if (starter_charon_pid())
+ {
starter_stop_charon();
+ }
starter_netkey_cleanup();
confread_free(cfg);
unlink(STARTER_PID_FILE);
diff --git a/src/stroke/Makefile.am b/src/stroke/Makefile.am
index afca95fce..363cde717 100644
--- a/src/stroke/Makefile.am
+++ b/src/stroke/Makefile.am
@@ -1,6 +1,7 @@
ipsec_PROGRAMS = stroke
stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
+stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
INCLUDES = -I$(top_srcdir)/src/libstrongswan
EXTRA_DIST = stroke_keywords.txt
BUILT_SOURCES = stroke_keywords.c
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index dde80348e..e2ed28afe 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -46,7 +46,10 @@ ipsecPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
PROGRAMS = $(ipsec_PROGRAMS)
am_stroke_OBJECTS = stroke.$(OBJEXT) stroke_keywords.$(OBJEXT)
stroke_OBJECTS = $(am_stroke_OBJECTS)
-stroke_LDADD = $(LDADD)
+am__DEPENDENCIES_1 =
+stroke_DEPENDENCIES = \
+ $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(am__DEPENDENCIES_1)
DEFAULT_INCLUDES = -I.@am__isrc@
depcomp = $(SHELL) $(top_srcdir)/depcomp
am__depfiles_maybe = depfiles
@@ -65,12 +68,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -135,6 +140,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -175,7 +181,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@
@@ -210,6 +218,7 @@ top_srcdir = @top_srcdir@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
stroke_SOURCES = stroke.c stroke_msg.h stroke_keywords.c stroke_keywords.h
+stroke_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB)
INCLUDES = -I$(top_srcdir)/src/libstrongswan
EXTRA_DIST = stroke_keywords.txt
BUILT_SOURCES = stroke_keywords.c
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 704c88c58..abf285a86 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -25,6 +25,8 @@
#include <sys/types.h>
+#include <library.h>
+
/**
* Socket which is used to communicate between charon and stroke
*/
diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in
index 7e2be4d1b..88b066379 100644
--- a/src/whack/Makefile.in
+++ b/src/whack/Makefile.in
@@ -67,12 +67,14 @@ ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
AMTAR = @AMTAR@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
+BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
@@ -137,6 +139,7 @@ RUBYINCLUDE = @RUBYINCLUDE@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
STRIP = @STRIP@
VERSION = @VERSION@
YACC = @YACC@
@@ -177,7 +180,9 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
+ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
+ipsecuid = @ipsecuid@
ipsecuser = @ipsecuser@
libdir = @libdir@
libexecdir = @libexecdir@